ingress总结
概念
k8s Ingress官网
https://kubernetes.io/zh-cn/docs/concepts/services-networking/ingress/
Ingress是Kubernetes API中的标准资源类型之一。它定义的是一组规则:在应用层根据客户端请求的host名称或请求的URL路径,把请求转发到指定的service资源。也就是说,Ingress用于将Kubernetes集群外部的请求转发至集群内部的service,再由service转发至pod来处理客户端的请求
Ingress-Controller部署
部署方法:https://kubernetes.github.io/ingress-nginx/deploy/
部署:
kubectl apply
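# Install the ingress-nginx controller v1.3.0 from the upstream static manifest
# (cloud-provider variant). The repository is kubernetes/ingress-nginx and the
# release tag is controller-v1.3.0; the hyphens are part of both names.
# The manifest creates cluster-wide objects, so on a cluster that matters
# download the file and read it before applying instead of applying the URL directly.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.0/deploy/static/provider/cloud/deploy.yaml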
Github项目地址:https://github.com/kubernetes/ingress-nginx
[root@master ~] tar xf ingress-nginx-controller-v1.3.0.tar.gz
修改镜像
# Keep an untouched copy of deploy.yaml (suffix .origin) before editing it.
# Run as root on the master node, from the home directory.
# NOTE(review): the archive unpacked above is v1.3.0 while this path says
# v1.3.1 — use the directory name that actually exists on disk.
cp ingress-nginx-controller-v1.3.1/deploy/static/provider/cloud/deploy.yaml{,.origin}
替换为如下镜像
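# Edit the image references in the manifest (run as root on the master node).
vim ingress-nginx-controller-v1.3.0/deploy/static/provider/cloud/deploy.yaml

# Check the result. On the page this was run on master1 from
# /yaml/ingress-nginx-controller-v1.3.1/deploy/static/provider/cloud/
grep image: deploy.yaml
# Output recorded on the page:
#   image: registry.cn-hangzhou.aliyuncs.com/liangxiaohui/ingress-nginx-controller:v1.3.0
#   image: registry.cn-hangzhou.aliyuncs.com/liangxiaohui/ingress-nginx-kube-webhook-certgen:v1.1.1
#   image: registry.cn-hangzhou.aliyuncs.com/liangxiaohui/ingress-nginx-kube-webhook-certgen:v1.1.1
#
# Supply-chain note: these references point at a personal registry namespace and
# are pinned by tag only, so whoever controls that namespace controls what runs
# as the cluster's ingress controller. The upstream manifest pins each image as
# tag@sha256:<digest>. When a mirror is needed, compare the mirrored image's
# digest with the upstream release digest and keep the @sha256 pin in the
# manifest, or mirror the upstream image into a registry you control.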
修改ingress-controller的service配置
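# Service section of the ingress-nginx controller in deploy.yaml, switched to NodePort.
#
# The nodePort values below (50080, 61254, 50443) are outside the default
# NodePort range 30000-32767; the API server accepts them only when its
# --service-node-port-range has been widened to include them.
spec:
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - appProtocol: http
    name: http
    port: 80
    protocol: TCP
    targetPort: http
    nodePort: 50080
  # appProtocol (stable since Kubernetes v1.20) declares the application
  # protocol of a Service port; the value is mirrored into the matching Endpoints.
  - appProtocol: http
    name: prometheus-metrics-port
    port: 10254
    protocol: TCP
    # 10254 is the controller's built-in metrics port.
    targetPort: 10254
    # Security note: a nodePort publishes the metrics endpoint on every node's
    # address. If only an in-cluster Prometheus scrapes it, serve it from a
    # ClusterIP Service instead, or restrict the port with a firewall rule or
    # NetworkPolicy.
    nodePort: 61254
  # Alternative definition of the metrics port, left disabled:
  # - name: metrics-port
  #   port: 10254
  #   targetPort: 10254
  #   nodePort: 50254
  #   protocol: TCP
  - appProtocol: https
    name: https
    port: 443
    protocol: TCP
    targetPort: https
    nodePort: 50443
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: NodePort

# Create the ingress controller from the edited manifest (run as root on the master node):
#   kubectl apply -f ingress-nginx-controller-v1.3.0/deploy/static/provider/cloud/deploy.yaml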
查看创建的资源
创建测试环境
创建一个新的namespace,用来创建应用来验证ingress
[root@master10 .kube] kubectl create ns ingress-test namespace/ingress-test created [root@master10 .kube] kubectl config set-context --namespace ingress-test --current Context "kubernetes-admin@kubernetes" modified.
创建deployment
[root@master10 .kube] kubectl create deployment web --image=nginx --replicas=2 deployment.apps/web created
为pod准备发布站点内容
[root@master1:~/yaml kubectl exec -it web-68bdbdcb94-bgdtz -- bash [root@web-68bdbdcb94-bgdtz:/ echo web1 > /usr/share/nginx/html/index.html [root@web-68bdbdcb94-bgdtz:/ mkdir /usr/share/nginx/html/test [root@web-68bdbdcb94-bgdtz:/ echo test web1 > /usr/share/nginx/html/test/index.html [root@master10 .kube] kubectl exec -it web-68bdbdcb94-wpxmp -- bash [root@web-68bdbdcb94-wpxmp:/ echo web2 > /usr/share/nginx/html/index.html [root@web-68bdbdcb94-wpxmp:/ mkdir /usr/share/nginx/html/test [root@web-68bdbdcb94-wpxmp:/ echo test web2 > /usr/share/nginx/html/test/index.html
创建svc,名称为web,类型为ClusterIP即可
# service.yaml (edited with vim in ~/yaml on master1)
# Service "web" in front of the pods labelled app=web.
# No `type` is given, so the Service is created as ClusterIP; no namespace is
# given either, so it lands in the kubectl context's current namespace.
apiVersion: v1
kind: Service
metadata:
  name: web
  labels:
    app: web
spec:
  selector:
    app: web
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    # nodePort: 30010   (left disabled; only meaningful for a NodePort Service)
配置Ingress规则
虚拟主机,一个域名对应一个path
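# Name-based virtual hosts: each host has one path, routed to its own Service.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # Selects the ingress controller that serves this Ingress.
    # This annotation is deprecated; spec.ingressClassName is the current field.
    kubernetes.io/ingress.class: "nginx"
    # Paths under `rules` may be written as regular expressions.
    nginx.ingress.kubernetes.io/use-regex: "true"
    # Timeout in seconds for connecting to the backend (default 5).
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
    # Timeout in seconds for sending the request to the backend (default 60).
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    # Timeout in seconds for reading the backend's response (default 60).
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    # Maximum size of a client request body, e.g. an upload.
    # The ingress-nginx default is 1m.
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
    # Note: timeouts and body sizes far above the defaults make it cheaper for
    # a client to hold connections and memory on the controller; size them to
    # what the application needs.
    # nginx.ingress.kubernetes.io/rewrite-target: /   # URL rewrite (left disabled)
    # Requests for "/" are redirected to this path.
    nginx.ingress.kubernetes.io/app-root: /index.html
  name: myingress
  namespace: ingress-test
spec:
  rules:
  # NOTE(review): the Services "www" and "lxh" are not created anywhere on this
  # page; the test Service created earlier is named "web".
  - host: www.test.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: www
            port:
              number: 80
  - host: www.test1.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: lxh
            port:
              number: 80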
一个域名对应多个path
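# One host with several paths, all routed to the "web" Service.
# Same name and namespace as the single-path example, so applying this file
# replaces that object.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myingress
  namespace: ingress-test
  annotations:
    # Selects the ingress controller that serves this Ingress.
    # This annotation is deprecated; spec.ingressClassName is the current field.
    kubernetes.io/ingress.class: "nginx"
    # Paths under `rules` may be written as regular expressions.
    nginx.ingress.kubernetes.io/use-regex: "true"
    # Timeout in seconds for connecting to the backend (default 5).
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
    # Timeout in seconds for sending the request to the backend (default 60).
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    # Timeout in seconds for reading the backend's response (default 60).
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    # Maximum size of a client request body, e.g. an upload.
    # The ingress-nginx default is 1m.
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
    # nginx.ingress.kubernetes.io/rewrite-target: /   # URL rewrite (left disabled)
    # Requests for "/" are redirected to this path.
    nginx.ingress.kubernetes.io/app-root: /index.html
spec:
  rules:
  - host: www.test.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80
      - path: /test
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80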
验证
单域名https域名访问
创建tls secret证书
创建类型为tls的secret为nginx提供https证书访问
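# Lab-only TLS material for www.test.com: a throwaway CA and a server
# certificate signed by it. Output files: ca.key, ca.crt, server.key,
# server.csr, server.crt (same names as before).
#
# -nodes writes both private keys unencrypted. server.key has to be unencrypted
# to be loaded into a TLS Secret; ca.key can sign a certificate for any name
# that clients trusting ca.crt will accept, so keep it off shared hosts.

# 1. CA private key and self-signed CA certificate.
#    The CA subject must differ from the server subject: when issuer and
#    subject are identical, verifiers commonly reject the server certificate
#    as self-signed. "test-lab-ca" is a constructed sample name.
#    The CA lifetime is 3650 days so that it outlives the certificate it signs.
openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3650 -nodes -subj '/CN=test-lab-ca'

# 2. Server private key and certificate signing request (this is the server's
#    key pair, not a client's).
openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=www.test.com'

# 3. Sign the CSR with the CA to produce the server certificate.
#    Current TLS clients match the host name against subjectAltName and ignore
#    CN, so the SAN is added at signing time. The server certificate is kept
#    shorter-lived than the CA; re-issue it before it expires.
openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 \
  -extfile <(printf 'subjectAltName=DNS:www.test.com\n') -out server.crt

# Private keys readable by the owner only.
chmod 600 ca.key server.key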
创建secret
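# Store the server certificate and key as a TLS Secret named nginx-tls
# (run as root in ~/secret on the deploy host).
# An Ingress can only reference a Secret in its own namespace, and the Ingress
# on this page lives in ingress-test; the namespace is passed explicitly so the
# command does not depend on this host's kubectl context.
# The key is stored base64-encoded in the Secret, not encrypted, unless
# encryption at rest is configured for the cluster; limit who can read Secrets
# in this namespace.
kubectl create secret tls nginx-tls --namespace ingress-test --cert=./server.crt --key=./server.key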
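# https-ingress.yaml (shown with cat in ~/yaml on master1)
# HTTPS for a single host: www.test.com is served with the certificate stored
# in the TLS Secret nginx-tls.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myingress
  namespace: ingress-test
  annotations:
    # Selects the ingress controller that serves this Ingress.
    # This annotation is deprecated; spec.ingressClassName is the current field.
    kubernetes.io/ingress.class: "nginx"
    # Redirect HTTP requests to HTTPS (the equivalent of site-wide HTTPS in
    # plain nginx). ingress-nginx already does this by default for an Ingress
    # with TLS configured; the annotation makes it explicit.
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
    # Paths under `rules` may be written as regular expressions.
    nginx.ingress.kubernetes.io/use-regex: "true"
    # Timeout in seconds for connecting to the backend (default 5).
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
    # Timeout in seconds for sending the request to the backend (default 60).
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    # Timeout in seconds for reading the backend's response (default 60).
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    # Maximum size of a client request body, e.g. an upload.
    # The ingress-nginx default is 1m.
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
    # nginx.ingress.kubernetes.io/rewrite-target: /   # URL rewrite (left disabled)
    # Requests for "/" are redirected to this path.
    nginx.ingress.kubernetes.io/app-root: /index.html
spec:
  tls:
  # The Secret must exist in this Ingress's namespace (ingress-test). If it is
  # missing or invalid, the controller falls back to its self-generated default
  # certificate, so check the certificate actually served when verifying.
  - hosts:
    - www.test.com
    secretName: nginx-tls
  rules:
  - host: www.test.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80
      - path: /test
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80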
验证
多域名https域名访问
创建www.test1.com的tls secret证书
再创建一个web2 deployment应用
root@master1:~/yaml/ kubectl create deployment web2 --image=nginx --replicas=2
创建站点文件
root@master1:~/yaml kubectl exec -it web2-5b894dcfd8-hljpv -- bash root@web2-5b894dcfd8-hljpv:/ echo 'test2-web1' > /usr/share/nginx/html/index.html root@web2-5b894dcfd8-hljpv:/ mkdir /usr/share/nginx/html/test2 bash: /usr/share/nginx/html/test/index.html: No such file or directory root@web2-5b894dcfd8-hljpv:/ echo test2 web1 > /usr/share/nginx/html/test2/index.html root@master1:~/yaml kubectl exec -it web2-5b894dcfd8-qwqsm -- bash root@web2-5b894dcfd8-qwqsm:/ echo 'test2-web2' > /usr/share/nginx/html/index.html root@web2-5b894dcfd8-qwqsm:/ mkdir /usr/share/nginx/html/test2 root@web2-5b894dcfd8-qwqsm:/ echo test2 web2 > /usr/share/nginx/html/test2/index.html
创建service
# service2.yaml (shown with cat in ~/yaml on master1)
# Service "web2" in front of the pods labelled app=web2.
# No `type` is given, so the Service is created as ClusterIP; no namespace is
# given either, so it lands in the kubectl context's current namespace.
apiVersion: v1
kind: Service
metadata:
  name: web2
  labels:
    app: web2
spec:
  selector:
    app: web2
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
创建web2 的tls认证
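# Lab-only TLS material for www.test1.com: a throwaway CA and a server
# certificate signed by it. Output files: ca.key, ca.crt, server.key,
# server.csr, server.crt (same names as before).
#
# These are the same file names used for www.test.com. Run this in a separate
# directory, otherwise the earlier CA and server files are overwritten.
#
# -nodes writes both private keys unencrypted. server.key has to be unencrypted
# to be loaded into a TLS Secret; ca.key can sign a certificate for any name
# that clients trusting ca.crt will accept, so keep it off shared hosts.

# 1. CA private key and self-signed CA certificate.
#    The CA subject must differ from the server subject: when issuer and
#    subject are identical, verifiers commonly reject the server certificate
#    as self-signed. "test-lab-ca-2" is a constructed sample name.
#    The CA lifetime is 3650 days so that it outlives the certificate it signs.
openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3650 -nodes -subj '/CN=test-lab-ca-2'

# 2. Server private key and certificate signing request (this is the server's
#    key pair, not a client's).
openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=www.test1.com'

# 3. Sign the CSR with the CA to produce the server certificate.
#    Current TLS clients match the host name against subjectAltName and ignore
#    CN, so the SAN is added at signing time. The server certificate is kept
#    shorter-lived than the CA; re-issue it before it expires.
openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 \
  -extfile <(printf 'subjectAltName=DNS:www.test1.com\n') -out server.crt

# Private keys readable by the owner only.
chmod 600 ca.key server.key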
创建web tls secret
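# Store the www.test1.com server certificate and key as a TLS Secret named
# nginx-tls2 (run as root in ~/secret on the deploy host).
# An Ingress can only reference a Secret in its own namespace, and the Ingress
# on this page lives in ingress-test; the namespace is passed explicitly so the
# command does not depend on this host's kubectl context.
# Make sure ./server.crt and ./server.key are the files generated for
# www.test1.com, since the www.test.com files use the same names.
kubectl create secret tls nginx-tls2 --namespace ingress-test --cert=./server.crt --key=./server.key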
部署针对应用pod的ingress反向代理
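# https-ingress.yaml (shown with cat in ~/yaml on master1)
# HTTPS for two hosts: each host has its own TLS Secret and its own backend Service.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myingress
  namespace: ingress-test
  annotations:
    # Selects the ingress controller that serves this Ingress.
    # This annotation is deprecated; spec.ingressClassName is the current field.
    kubernetes.io/ingress.class: "nginx"
    # Redirect HTTP requests to HTTPS.
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
    # Paths under `rules` may be written as regular expressions.
    nginx.ingress.kubernetes.io/use-regex: "true"
    # Backend connect / send / read timeouts in seconds.
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    # Maximum size of a client request body.
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
    # nginx.ingress.kubernetes.io/rewrite-target: /   # URL rewrite (left disabled)
    # Requests for "/" are redirected to this path.
    nginx.ingress.kubernetes.io/app-root: /index.html
spec:
  tls:
  # Both Secrets must exist in this Ingress's namespace (ingress-test). A host
  # whose Secret is missing or invalid is served with the controller's
  # self-generated default certificate, so check each host's served certificate.
  - hosts:
    - www.test.com
    secretName: nginx-tls
  - hosts:
    - www.test1.com
    secretName: nginx-tls2
  rules:
  - host: www.test.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80
      - path: /test
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80
  - host: www.test1.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web2
            port:
              number: 80
      # NOTE(review): the web2 pods were given content under /test2, not /test;
      # confirm which path this rule is meant to cover.
      - path: /test
        pathType: Prefix
        backend:
          service:
            name: web2
            port:
              number: 80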
验证
本文来自博客园,作者:PunchLinux,转载请注明原文链接:https://www.cnblogs.com/punchlinux/p/16677961.html