k8s Ingress: rate limiting, rewrite, HTTPS, authentication
Rate limiting
Configuration
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/limit-connections: "10"
    nginx.ingress.kubernetes.io/limit-rps: "5"
    nginx.ingress.kubernetes.io/limit-rate: 1m
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80
nginx.ingress.kubernetes.io/limit-connections: limits each client IP address to at most 10 concurrent connections.
nginx.ingress.kubernetes.io/limit-rps: limits the request rate to 5 requests per second (RPS).
nginx.ingress.kubernetes.io/limit-rate: limits the transfer rate of each connection to 1 MB/s.
These annotations apply to every path of the Ingress rule; the NGINX configuration they generate is:
limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
limit_req_zone $binary_remote_addr zone=limit_per_ip_req:10m rate=5r/s;
limit_rate 1m;
Requests that exceed the limit receive a 503 response.
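To see what "limit-rps: 5" means for a burst of requests from one client, here is an added example (my own code, not from the original post) that models the nginx limit_req leaky bucket the annotation above generates. The arithmetic follows ngx_http_limit_req_module (times in milliseconds, excess in thousandths of a request). One assumption is labelled in the code: ingress-nginx also sets burst = limit-rps * limit-burst-multiplier (default 5) with nodelay, so rejected requests get an immediate 503 instead of being queued.

```python
# Added example: simulate nginx limit_req as configured by
# nginx.ingress.kubernetes.io/limit-rps. Not part of the original post.


class LimitReq:
    """One limit_req zone entry, i.e. the state kept per $binary_remote_addr."""

    def __init__(self, rps: int, burst: int = 0):
        self.rate = rps * 1000      # requests/second scaled like nginx's ctx->rate
        self.burst = burst * 1000   # burst size in thousandths of a request
        self.excess = 0             # requests above the allowed rate still in the bucket
        self.last_ms = None         # time of the last accepted request

    def check(self, now_ms: int) -> int:
        """Return the HTTP status a request arriving at now_ms would get."""
        if self.last_ms is None:    # first request from this IP creates the entry
            self.last_ms = now_ms
            return 200
        ms = max(0, now_ms - self.last_ms)
        # the bucket drains at `rate`; this request adds one (1000 thousandths)
        excess = max(0, self.excess - self.rate * ms // 1000 + 1000)
        if excess > self.burst:
            return 503              # over the limit: rejected, state not updated
        self.excess = excess
        self.last_ms = now_ms
        return 200


def simulate(times_ms, rps, burst=0):
    """Run request timestamps (ms, all from one client IP) through the limiter."""
    limiter = LimitReq(rps, burst)
    return [limiter.check(t) for t in times_ms]


def summarize(statuses):
    return {"accepted": statuses.count(200), "rejected": statuses.count(503)}


if __name__ == "__main__":
    # limit-rps: "5" without burst: one request every 200 ms passes, a burst does not
    print(simulate([0] * 10, rps=5))                      # 1 accepted, then 9 x 503
    print(simulate([i * 200 for i in range(10)], rps=5))  # all accepted
    print(simulate([i * 100 for i in range(10)], rps=5))  # every second request is a 503
    # assumption: ingress-nginx default burst = 5 * 5 = 25, so a burst of 30 loses only 4
    print(summarize(simulate([0] * 30, rps=5, burst=25)))
```

The third run is the one that surprises people: a client sending every 100 ms is "only" 10 RPS, but nginx rejects every other request rather than smoothing them, because without burst there is no queue.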
Nginx BasicAuth
Install the httpd-tools package
[root@master ingress]# yum -y install httpd-tools
htpasswd -c auth foo  # create the user foo (writes the file "auth")
kubectl create secret generic basic-auth --from-file=auth  # create the secret from that file
Create the Ingress
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-with-auth
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic   # authentication type; turns on the basic auth module
    nginx.ingress.kubernetes.io/auth-secret: basic-auth   # name of the secret
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'   # message shown in the login prompt
spec:
  rules:
  - host: foo2.bar.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-svc
          servicePort: 80
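The most common mistake with this setup is a secret in the wrong shape: ingress-nginx's default auth-secret-type is auth-file, which expects the htpasswd content under the data key "auth" (that is why the file above is named auth). The added example below (my own code, not from the post) builds that Secret the way kubectl create secret generic --from-file=auth does and validates one before it is applied. The htpasswd line is a constructed sample with the apr1-MD5 shape that htpasswd produces by default; its hash body is fake.

```python
# Added example: build and validate the Secret behind auth-secret: basic-auth.
# Not part of the original post.
import base64
import re

HTPASSWD_LINE = re.compile(r"^(?P<user>[^:]+):(?P<hash>.+)$")
# hash formats nginx auth_basic can verify: apr1-MD5, bcrypt, sha256/sha512-crypt
STRONG_HASH = re.compile(r"^(\$apr1\$|\$2[aby]\$|\$5\$|\$6\$)")


def secret_from_htpasswd(name: str, htpasswd_text: str, namespace: str = "default") -> dict:
    """Same object `kubectl create secret generic <name> --from-file=auth` produces."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {"auth": base64.b64encode(htpasswd_text.encode()).decode()},
    }


def validate_auth_secret(secret: dict) -> list:
    """Return problems that would make ingress-nginx reject the secret or weaken it."""
    problems = []
    data = secret.get("data", {})
    if "auth" not in data:
        problems.append("data key 'auth' missing (auth-file secrets need the htpasswd content under 'auth')")
        return problems
    try:
        text = base64.b64decode(data["auth"], validate=True).decode()
    except Exception:
        problems.append("data.auth is not valid base64")
        return problems
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = HTPASSWD_LINE.match(line)
        if not m:
            problems.append(f"line {n}: not in user:hash form")
        elif not STRONG_HASH.match(m["hash"]):
            problems.append(f"line {n}: user {m['user']!r} has a plain-text or unsupported password field")
    return problems


# constructed sample of what `htpasswd -c auth foo` writes (hash body is fake)
SAMPLE_HTPASSWD = "foo:$apr1$AbCdEfGh$0123456789abcdefghijkl\n"

if __name__ == "__main__":
    good = secret_from_htpasswd("basic-auth", SAMPLE_HTPASSWD)
    print(validate_auth_secret(good))                                   # []
    print(validate_auth_secret(secret_from_htpasswd("basic-auth", "foo:plaintext\n")))
    print(validate_auth_secret({"data": {"users": good["data"]["auth"]}}))
```

Run it against `kubectl get secret basic-auth -o json` output before applying the Ingress; a missing `auth` key yields a 503 from the controller rather than a login prompt, which is confusing to debug after the fact.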
Nginx rewrite
Manifest
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-nginx-rewrite
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: http://www.baidu.com
spec:
  rules:
  - host: rewrite.magedu.com
    http:   # the block below can be left out
      paths:
      - path: /
        backend:
          serviceName: rtnb-nginx-service
          servicePort: 80
Test: the request is redirected to the specified page.
Enable request path rewriting
Official documentation: https://kubernetes.io/zh-cn/docs/concepts/services-networking/ingress/
Configuration
Rewrite a user request for /testpath to /
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minimal-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx-example
  rules:
  - host: app.test.com
    http:
      paths:
      - path: /testpath
        pathType: Prefix
        backend:
          service:
            name: test
            port:
              number: 80
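Both rewrite manifests above end up as an nginx `rewrite` directive, and two of its rules explain what you see: a replacement that starts with http:// makes nginx answer with a redirect (the www.baidu.com case), and on a match the whole request path is replaced by the target, so `path: /testpath` with `rewrite-target: /` sends `/testpath/api/v1/users` to `/`, not to `/api/v1/users`. The added example below (my own code, not from the post or the ingress-nginx project) models that directive and contrasts the manifest's form with the capture-group form from the ingress-nginx docs (`path: /testpath(/|$)(.*)`, `rewrite-target: /$2`, `use-regex: "true"`). Assumption, labelled in the code: ingress-nginx renders the path as a case-insensitive, unanchored regex; the query string is ignored here.

```python
# Added example: model of the nginx `rewrite` that rewrite-target generates.
# Not part of the original post.
import re


def nginx_rewrite(path: str, pattern: str, target: str) -> str:
    """Apply `rewrite pattern target` as nginx does: the regex is unanchored and
    (assumption: as rendered by ingress-nginx) case-insensitive; on a match the
    entire path is replaced by `target` with $1..$9 filled from capture groups."""
    m = re.search(pattern, path, re.IGNORECASE)
    if m is None:
        return path  # no match: path is left untouched
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", target)


def apply(path: str, pattern: str, target: str) -> tuple:
    """Classify the outcome: a target with a scheme becomes a client redirect."""
    new = nginx_rewrite(path, pattern, target)
    if new.startswith(("http://", "https://")):
        return ("302 redirect", new)
    return ("internal rewrite", new)


# form used in the manifest above: prefix /testpath, rewrite-target "/"
PAGE_PATTERN, PAGE_TARGET = "/testpath", "/"
# capture-group form from the ingress-nginx docs: keeps the rest of the path
DOCS_PATTERN, DOCS_TARGET = "/testpath(/|$)(.*)", "/$2"


def compare(path: str) -> dict:
    return {
        "page": nginx_rewrite(path, PAGE_PATTERN, PAGE_TARGET),
        "docs": nginx_rewrite(path, DOCS_PATTERN, DOCS_TARGET),
    }


if __name__ == "__main__":
    print(apply("/", "/", "http://www.baidu.com"))   # the first manifest: a redirect
    for p in ["/testpath", "/testpath/", "/testpath/api/v1/users", "/TestPath/x"]:
        print(p, "->", compare(p))
```

If the backend serves more than one URL under the prefix, the capture-group form is the one you want; the manifest's form only works for a backend that has a single entry point at `/`.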
Ingress HTTPS proxy access
Create the certificate and the secret
# create the certificate
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=magedu-nginx-service/O=magedu-nginx-service"
# create the secret in k8s
kubectl create secret tls tls-secret --key tls.key --cert tls.crt
Ingress with TLS for the domain
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-magedu-nginx-service
spec:
  tls:
  - hosts:
    - www.magedu.com
    secretName: tls-secret
  rules:
  - host: www.magedu.com
    http:
      paths:
      - path: /
        backend:
          serviceName: magedu-nginx-service
          servicePort: 80
Check the ports
]# kubectl get svc -A
NAMESPACE       NAME            TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)                      AGE
default         kubernetes      ClusterIP   10.96.0.1     <none>        443/TCP                      4d18h
ingress-nginx   ingress-nginx   NodePort    10.98.53.31   <none>        80:32280/TCP,443:30022/TCP   2d16h
Check the Ingress
]# kubectl get ingress -n linux39
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
NAME                           CLASS    HOSTS                           ADDRESS   PORTS     AGE
ingress-magedu-nginx-service   <none>   www.magedu.com,www.magedu.com             80, 443   112m
Test access
Configure TLS for multiple domains
Create the certificate configuration file
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -days 5000 -out ca.crt -subj "/CN=magedu.com"
openssl genrsa -out ingress.key 2048
openssl req -new -key ingress.key -out ingress.csr -subj "/CN=magedu.com" -config openssl.cnf   # make sure the TLS certificate carries the fully qualified host names (in the CN / SAN)
openssl x509 -req -in ingress.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out ingress.crt -days 5000 -extensions v3_req -extfile openssl.cnf
openssl.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
# multiple domains are listed here, one DNS.N entry each
DNS.1 = nginx.magedu.com
DNS.2 = tomcat.magedu.com
Create the secret
kubectl create secret tls mage-tomcat --key ingress.key --cert ingress.crt
Ingress manifest
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-magedu-nginx-service
  namespace: linux39
spec:
  tls:
  - hosts:
    - magedu.com
    secretName: mage-tomcat
  rules:
  - host: nginx.magedu.com
    http:
      paths:
      - path: /
        backend:
          serviceName: magedu-nginx-service
          servicePort: 80
  - host: tomcat.magedu.com
    http:
      paths:
      - path: /myapp
        backend:
          serviceName: linux39-tomcat-app1-service
          servicePort: 80
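Two details in the two HTTPS sections above are worth checking mechanically. The single-domain certificate was created with only `-subj /CN=...` and no subjectAltName; modern clients ignore the CN and require a SAN, so the SAN list that openssl.cnf adds is what makes the multi-domain certificate usable. And the multi-domain manifest lists only magedu.com under spec.tls.hosts while routing nginx.magedu.com and tomcat.magedu.com, so it relies on the SAN entries rather than on an explicit tls.hosts match. The added example below (my own code, not from the post) reports, for every rule host, whether it appears in tls.hosts and whether a SAN name covers it, using the usual TLS name-matching rule (exact match, or a single leftmost `*` label matching exactly one label). The manifests are transcribed into dicts so it runs without PyYAML or a cluster; it also renders an [alt_names] block for a host list.

```python
# Added example: TLS host coverage check for the Ingress manifests above.
# Not part of the original post.


def host_matches(pattern: str, host: str) -> bool:
    """TLS name matching: exact, or "*.example.com" matching one extra label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def coverage(ingress: dict, san_names: list) -> dict:
    """For each spec.rules[].host: is it in spec.tls[].hosts, and in the cert's SAN?"""
    tls_hosts = [h for block in ingress["spec"].get("tls", []) for h in block.get("hosts", [])]
    report = {}
    for rule in ingress["spec"].get("rules", []):
        host = rule.get("host")
        if not host:
            continue
        report[host] = {
            "in_tls_hosts": any(host_matches(p, host) for p in tls_hosts),
            "in_san": any(host_matches(p, host) for p in san_names),
        }
    return report


def alt_names_section(hosts: list) -> str:
    """Render the [alt_names] block of openssl.cnf for a list of host names."""
    return "\n".join(["[ alt_names ]"] + [f"DNS.{i} = {h}" for i, h in enumerate(hosts, 1)])


# transcribed from the single-domain manifest: certificate made with -subj only, no SAN
SINGLE_INGRESS = {"spec": {"tls": [{"hosts": ["www.magedu.com"], "secretName": "tls-secret"}],
                           "rules": [{"host": "www.magedu.com"}]}}
SINGLE_SAN = []

# transcribed from the multi-domain manifest and the DNS.1 / DNS.2 lines of openssl.cnf
MULTI_INGRESS = {"spec": {"tls": [{"hosts": ["magedu.com"], "secretName": "mage-tomcat"}],
                          "rules": [{"host": "nginx.magedu.com"}, {"host": "tomcat.magedu.com"}]}}
MULTI_SAN = ["nginx.magedu.com", "tomcat.magedu.com"]

if __name__ == "__main__":
    print(coverage(SINGLE_INGRESS, SINGLE_SAN))   # in tls.hosts, but no SAN at all
    print(coverage(MULTI_INGRESS, MULTI_SAN))     # covered by SAN, not listed in tls.hosts
    print(alt_names_section(["nginx.magedu.com", "tomcat.magedu.com", "*.apps.magedu.com"]))
```

The portable fix for the multi-domain case is to list every routed host under spec.tls.hosts as well; the fix for the single-domain case is to issue that certificate through the same openssl.cnf so that www.magedu.com appears as a SAN entry.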
More annotations
annotations: {}
  # kubernetes.io/ingress.class: nginx
  # kubernetes.io/tls-acme: "true"
  # kubernetes.io/ingress.allow-http: "false"
  # kubernetes.io/ingress.global-static-ip-name: ""
  # nginx.ingress.kubernetes.io/secure-backends: "true"
  # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  # nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0
The more I learn, the more aware I become of how little I know.