ingress总结
概念
k8s Ingress官网
https://kubernetes.io/zh-cn/docs/concepts/services-networking/ingress/
Ingress是kubernetes API中的标准资源类型之一,ingress实现的功能是在应用层根据客户端请求的host名称或请求的URL路径,把请求转发到指定service资源的规则,即用于将kubernetes集群外部的请求转发至集群内部的service,再由service转发至pod处理客户端的请求
Ingress-Controller部署
部署方法:https://kubernetes.github.io/ingress-nginx/deploy/
部署:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.0/deploy/static/provider/cloud/deploy.yaml
Github项目地址:https://github.com/kubernetes/ingress-nginx
[root@master ~] tar xf ingress-nginx-controller-v1.3.0.tar.gz
修改镜像(下文命令中的目录名v1.3.0与v1.3.1混用,请以实际解压出的目录名为准)
#备份当前deploy.yaml
[root@master ~] cp ingress-nginx-controller-v1.3.1/deploy/static/provider/cloud/deploy.yaml ingress-nginx-controller-v1.3.1/deploy/static/provider/cloud/deploy.yaml.origin
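替换为如下镜像(注意:上游deploy.yaml中的镜像通常带有@sha256摘要,下面的镜像来自第三方个人仓库且只按tag引用,内容无法与上游校验;生产环境建议自行把上游镜像同步到受信任的私有仓库,并保留摘要固定)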
[root@master ~] vim ingress-nginx-controller-v1.3.0/deploy/static/provider/cloud/deploy.yaml
# 更换后效果如下:
root@master1:/yaml/ingress-nginx-controller-v1.3.1/deploy/static/provider/cloud/ grep image: deploy.yaml
image: registry.cn-hangzhou.aliyuncs.com/liangxiaohui/ingress-nginx-controller:v1.3.0
image: registry.cn-hangzhou.aliyuncs.com/liangxiaohui/ingress-nginx-kube-webhook-certgen:v1.1.1
image: registry.cn-hangzhou.aliyuncs.com/liangxiaohui/ingress-nginx-kube-webhook-certgen:v1.1.1
修改ingress-controller的service配置
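# Fragment of the ingress-nginx controller Service in deploy.yaml (spec only).
# Indentation is restored here; the flattened listing does not parse as a
# Service spec.
# NOTE(review): 50080/61254/50443 lie outside the default NodePort range
# (30000-32767). The API server rejects them unless kube-apiserver runs with
# a wider --service-node-port-range — confirm before applying.
spec:
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - appProtocol: http
    name: http
    port: 80
    protocol: TCP
    targetPort: http
    nodePort: 50080
  # appProtocol (stable since Kubernetes v1.20) declares the application
  # protocol of each Service port; the value is mirrored to the Endpoints.
  - appProtocol: http
    name: prometheus-metrics-port
    port: 10254
    protocol: TCP
    targetPort: 10254   # metrics port built into ingress-nginx-controller
    # NOTE(review): a NodePort publishes the metrics endpoint on every node
    # IP. If Prometheus scrapes from inside the cluster, a ClusterIP Service
    # is enough; otherwise restrict this port with a firewall rule.
    nodePort: 61254
  # - name: metrics-port
  #   port: 10254
  #   targetPort: 10254
  #   nodePort: 50254
  #   protocol: TCP
  - appProtocol: https
    name: https
    port: 443
    protocol: TCP
    targetPort: https
    nodePort: 50443
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: NodePort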
# 部署Ingress Controller
[root@master ~]/ kubectl apply -f ingress-nginx-controller-v1.3.0/deploy/static/provider/cloud/deploy.yaml
查看创建的资源
创建测试环境
创建一个新的namespace,用来创建应用来验证ingress
[root@master10 .kube] kubectl create ns ingress-test
namespace/ingress-test created
[root@master10 .kube] kubectl config set-context --namespace ingress-test --current
Context "kubernetes-admin@kubernetes" modified.
创建deployment
[root@master10 .kube] kubectl create deployment web --image=nginx --replicas=2
deployment.apps/web created
为pod准备发布站点内容
[root@master1:~/yaml kubectl exec -it web-68bdbdcb94-bgdtz -- bash
[root@web-68bdbdcb94-bgdtz:/ echo web1 > /usr/share/nginx/html/index.html
[root@web-68bdbdcb94-bgdtz:/ mkdir /usr/share/nginx/html/test
[root@web-68bdbdcb94-bgdtz:/ echo test web1 > /usr/share/nginx/html/test/index.html
[root@master10 .kube] kubectl exec -it web-68bdbdcb94-wpxmp -- bash
[root@web-68bdbdcb94-wpxmp:/ echo web2 > /usr/share/nginx/html/index.html
[root@web-68bdbdcb94-wpxmp:/ mkdir /usr/share/nginx/html/test
[root@web-68bdbdcb94-wpxmp:/ echo test web2 > /usr/share/nginx/html/test/index.html
创建svc名称为web,类型为clusterip即可
root@master1:~/yaml vim service.yaml
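# ClusterIP Service in front of the "web" Deployment (indentation restored).
# metadata.namespace is not set, so the Service lands in the current
# context's namespace; it has to be ingress-test, because an Ingress can only
# reference Services in its own namespace.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: web
  name: web
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
    #nodePort: 30010
  selector:
    app: web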
配置Ingress规则
虚拟主机,一个域名对应一个path
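# Name-based virtual hosts: one host per backend Service (indentation restored).
# NOTE(review): the backends "www" and "lxh" are not created anywhere on this
# page; both Services must exist in ingress-test or the hosts return 503.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # Selects the controller. This annotation is deprecated in favour of
    # spec.ingressClassName (e.g. "ingressClassName: nginx").
    kubernetes.io/ingress.class: "nginx"
    # Treat the paths in rules as regular expressions. The paths below are
    # plain prefixes, so this is presumably not required — verify.
    nginx.ingress.kubernetes.io/use-regex: "true"
    # Timeout for connecting to the backend (default 5s).
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
    # Timeout for sending the request to the backend (default 60s).
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    # Timeout for reading the response from the backend (default 60s).
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    # Maximum client request body. The original note gives the default as
    # 20m; ingress-nginx documents 1m — verify against your version.
    # NOTE(review): 600s timeouts and 50m bodies let slow or large requests
    # hold backend connections longer; size them to what the app needs.
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
    #nginx.ingress.kubernetes.io/rewrite-target: /   # URL rewrite
    # Redirect requests for "/" to /index.html.
    nginx.ingress.kubernetes.io/app-root: /index.html
  name: myingress
  namespace: ingress-test
spec:
  rules:
  - host: www.test.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: www
            port:
              number: 80
  - host: www.test1.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: lxh
            port:
              number: 80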
一个域名对应多个path
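# One host, several paths, all served by the "web" Service (indentation
# restored). Reuses the name "myingress", so applying it replaces any Ingress
# of that name already present in ingress-test.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myingress
  namespace: ingress-test
  annotations:
    # Selects the controller. This annotation is deprecated in favour of
    # spec.ingressClassName (e.g. "ingressClassName: nginx").
    kubernetes.io/ingress.class: "nginx"
    # Treat the paths in rules as regular expressions. The paths below are
    # plain prefixes, so this is presumably not required — verify.
    nginx.ingress.kubernetes.io/use-regex: "true"
    # Timeout for connecting to the backend (default 5s).
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
    # Timeout for sending the request to the backend (default 60s).
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    # Timeout for reading the response from the backend (default 60s).
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    # Maximum client request body. The original note gives the default as
    # 20m; ingress-nginx documents 1m — verify against your version.
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
    #nginx.ingress.kubernetes.io/rewrite-target: /   # URL rewrite
    # Redirect requests for "/" to /index.html.
    nginx.ingress.kubernetes.io/app-root: /index.html
spec:
  rules:
  - host: www.test.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80
      # The "/" prefix above already matches /test; this rule only matters
      # once the two paths point at different backends.
      - path: /test
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80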
验证
单域名https域名访问
创建tls secret证书
创建类型为tls的secret为nginx提供https证书访问
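# Create a throwaway CA key pair. The CA subject has to differ from the
# server subject: with both set to CN=www.test.com the signed certificate has
# issuer == subject, looks self-signed, and chain verification fails.
# '/CN=test-ca' is a constructed name; pick your own.
openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3560 -nodes -subj '/CN=test-ca'
# Create the server private key and its certificate signing request (CSR).
openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=www.test.com'
# Current TLS clients match the hostname against subjectAltName rather than
# CN, so the SAN is supplied through an extension file at signing time.
printf 'subjectAltName=DNS:www.test.com\n' > server.ext
# Sign the server CSR with the CA to produce the server certificate.
openssl x509 -req -sha256 -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -extfile server.ext -out server.crt
# -nodes leaves both private keys unencrypted on disk; keep them owner-only.
chmod 600 ca.key server.key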
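创建secret(Secret必须与引用它的Ingress位于同一namespace,这里是ingress-test;如果当前context的默认namespace不是ingress-test,需要在命令中加上 -n ingress-test)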
root@deploy:~/secret kubectl create secret tls nginx-tls --cert=./server.crt --key=./server.key
root@master1:~/yaml/ cat https-ingress.yaml
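# HTTPS for a single host (indentation restored). The nginx-tls Secret must
# exist in ingress-test; if it is missing or invalid the controller serves
# its built-in self-signed certificate instead, so check the certificate the
# client actually receives when verifying.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myingress
  namespace: ingress-test
  annotations:
    # Selects the controller. This annotation is deprecated in favour of
    # spec.ingressClassName (e.g. "ingressClassName: nginx").
    kubernetes.io/ingress.class: "nginx"
    # Redirect HTTP requests to HTTPS (site-wide HTTPS, as in plain nginx).
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
    # Treat the paths in rules as regular expressions. The paths below are
    # plain prefixes, so this is presumably not required — verify.
    nginx.ingress.kubernetes.io/use-regex: "true"
    # Timeout for connecting to the backend (default 5s).
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
    # Timeout for sending the request to the backend (default 60s).
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    # Timeout for reading the response from the backend (default 60s).
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    # Maximum client request body. The original note gives the default as
    # 20m; ingress-nginx documents 1m — verify against your version.
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
    #nginx.ingress.kubernetes.io/rewrite-target: /   # URL rewrite
    # Redirect requests for "/" to /index.html.
    nginx.ingress.kubernetes.io/app-root: /index.html
spec:
  tls:
  - hosts:
    - www.test.com
    secretName: nginx-tls
  rules:
  - host: www.test.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80
      - path: /test
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80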
验证
多域名https域名访问
创建www.test1.com的tls secret证书
再创建一个web2 deployment应用
root@master1:~/yaml/ kubectl create deployment web2 --image=nginx --replicas=2
创建站点文件
root@master1:~/yaml kubectl exec -it web2-5b894dcfd8-hljpv -- bash
root@web2-5b894dcfd8-hljpv:/ echo 'test2-web1' > /usr/share/nginx/html/index.html
root@web2-5b894dcfd8-hljpv:/ mkdir /usr/share/nginx/html/test2
bash: /usr/share/nginx/html/test/index.html: No such file or directory
root@web2-5b894dcfd8-hljpv:/ echo test2 web1 > /usr/share/nginx/html/test2/index.html
root@master1:~/yaml kubectl exec -it web2-5b894dcfd8-qwqsm -- bash
root@web2-5b894dcfd8-qwqsm:/ echo 'test2-web2' > /usr/share/nginx/html/index.html
root@web2-5b894dcfd8-qwqsm:/ mkdir /usr/share/nginx/html/test2
root@web2-5b894dcfd8-qwqsm:/ echo test2 web2 > /usr/share/nginx/html/test2/index.html
创建service
root@master1:~/yaml/ cat service2.yaml
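# ClusterIP Service in front of the "web2" Deployment (indentation restored).
# metadata.namespace is not set, so the Service lands in the current
# context's namespace; it has to be ingress-test, because an Ingress can only
# reference Services in its own namespace.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: web2
  name: web2
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: web2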
创建web2 的tls认证
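# Create a throwaway CA key pair for www.test1.com. Run in the same directory
# as the www.test.com commands, this overwrites ca.* and server.* from that
# run. The CA subject has to differ from the server subject, otherwise the
# signed certificate has issuer == subject and chain verification fails.
# '/CN=test-ca' is a constructed name; pick your own.
openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3560 -nodes -subj '/CN=test-ca'
# Create the server private key and its certificate signing request (CSR).
openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=www.test1.com'
# Current TLS clients match the hostname against subjectAltName rather than
# CN, so the SAN is supplied through an extension file at signing time.
printf 'subjectAltName=DNS:www.test1.com\n' > server.ext
# Sign the server CSR with the CA to produce the server certificate.
openssl x509 -req -sha256 -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -extfile server.ext -out server.crt
# -nodes leaves both private keys unencrypted on disk; keep them owner-only.
chmod 600 ca.key server.key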
创建web2的tls secret(同样必须创建在ingress-test namespace中,必要时在命令中加上 -n ingress-test)
root@deploy:~/secret kubectl create secret tls nginx-tls2 --cert=./server.crt --key=./server.key
部署针对应用pod的ingress反向代理
root@master1:~/yaml/ cat https-ingress.yaml
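# HTTPS for two hosts, each with its own certificate Secret (indentation
# restored). Both Secrets must exist in ingress-test; a missing or invalid
# Secret makes the controller fall back to its built-in self-signed
# certificate for that host.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myingress
  namespace: ingress-test
  annotations:
    # Deprecated in favour of spec.ingressClassName (e.g. "ingressClassName: nginx").
    kubernetes.io/ingress.class: "nginx"
    # Redirect HTTP requests to HTTPS.
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
    nginx.ingress.kubernetes.io/use-regex: "true"
    # Backend connect / send / read timeouts in seconds.
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    # Maximum client request body.
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
    #nginx.ingress.kubernetes.io/rewrite-target: /
    # Redirect requests for "/" to /index.html.
    nginx.ingress.kubernetes.io/app-root: /index.html
spec:
  tls:
  - hosts:
    - www.test.com
    secretName: nginx-tls
  - hosts:
    - www.test1.com
    secretName: nginx-tls2
  rules:
  - host: www.test.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80
      - path: /test
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80
  - host: www.test1.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web2
            port:
              number: 80
      # NOTE(review): the web2 pods on this page get a /test2 directory, not
      # /test, so this path has no content behind it; /test2 is still
      # reachable through the "/" prefix rule above.
      - path: /test
        pathType: Prefix
        backend:
          service:
            name: web2
            port:
              number: 80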
验证
本文来自博客园,作者:PunchLinux,转载请注明原文链接:https://www.cnblogs.com/punchlinux/p/16677961.html