k8s Ingress: rate limiting, rewrite, HTTPS, authentication

Rate limiting

Configuration

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/limit-connections: "10"
    nginx.ingress.kubernetes.io/limit-rps: "5"
    nginx.ingress.kubernetes.io/limit-rate: 1m
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port: 
              number: 80
  1. nginx.ingress.kubernetes.io/limit-connections: limits the maximum number of connections per IP address to 10.
  2. nginx.ingress.kubernetes.io/limit-rps: limits requests per second (RPS) to 5.
  3. nginx.ingress.kubernetes.io/limit-rate: limits the maximum transfer rate per connection to 1 MB/s.

These annotations apply to every path of the Ingress rule; the corresponding NGINX configuration is:

limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
limit_req_zone $binary_remote_addr zone=limit_per_ip_req:10m rate=5r/s;
limit_rate 1m;

When a limit is exceeded, 503 is returned.

Basic auth with Nginx

Install the httpd-tools package

[root@master ingress]# yum -y install httpd-tools
htpasswd -c auth foo   # create user foo
kubectl create secret generic basic-auth --from-file=auth   # create the secret

Create the Ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-with-auth
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic   # auth type; the authentication module must be enabled
    nginx.ingress.kubernetes.io/auth-secret: basic-auth  # secret name
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'  # realm / welcome message
spec:
  rules:
  - host: foo2.bar.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-svc
          servicePort: 80
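The htpasswd file and Secret above can be built and checked without a cluster. This is an added example, not code from the original post: it writes an `$apr1$` entry with openssl (the same format `htpasswd -c auth foo` produces), verifies an entry against a password, and renders the Secret that `kubectl create secret generic basic-auth --from-file=auth` would create, with the data key `auth` that ingress-nginx expects. The user `foo`, the demo password and the file path are constructed values.

```shell
#!/bin/sh
# Added example (not from the original post): htpasswd-style "auth" file built with
# openssl, verified, and rendered as the basic-auth Secret. Demo values are constructed.
set -eu

AUTH_FILE="${AUTH_FILE:-${TMPDIR:-/tmp}/auth}"

# add_user FILE USER PASSWORD
# Appends a "$apr1$" (Apache MD5) entry, the format htpasswd writes by default.
add_user() {
  hash=$(openssl passwd -apr1 "$3")
  printf '%s:%s\n' "$2" "$hash" >> "$1"
}

# check_user FILE USER PASSWORD -> exit 0 only if the stored hash matches PASSWORD
check_user() {
  stored=$(awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1")
  [ -n "$stored" ] || return 1
  # entry is $apr1$<salt>$<digest>: recompute with the same salt and compare
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)
  [ "$(openssl passwd -apr1 -salt "$salt" "$3")" = "$stored" ]
}

# secret_yaml FILE NAME -> Secret manifest; ingress-nginx reads the key named "auth"
secret_yaml() {
  b64=$(base64 < "$1" | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  auth: %s\n' "$2" "$b64"
}

rm -f "$AUTH_FILE"
add_user "$AUTH_FILE" foo 'demo-password'
check_user "$AUTH_FILE" foo 'demo-password' && echo "foo: password ok"
check_user "$AUTH_FILE" foo 'wrong' || echo "foo: wrong password rejected"
secret_yaml "$AUTH_FILE" basic-auth
```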

Nginx rewrite

Resource manifest

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-nginx-rewrite
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: http://www.baidu.com
spec:
  rules:
  - host: rewrite.magedu.com
    http:          # the block below can be omitted
      paths:
      - path: /
        backend:
          serviceName: rtnb-nginx-service
          servicePort: 80

Test: the request is redirected to the specified page.

Enable request path rewriting

Official docs: https://kubernetes.io/zh-cn/docs/concepts/services-networking/ingress/

Configuration

Rewrite user requests for /testpath to /

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minimal-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx-example
  rules:
  - host: app.test.com
    http:
      paths:
      - path: /testpath
        pathType: Prefix
        backend:
          service:
            name: test
            port:
              number: 80

Ingress HTTPS proxy access

Create the certificate and the secret

# create the certificate
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=magedu-nginx-service/O=magedu-nginx-service"
# create the secret in k8s
kubectl create secret tls tls-secret --key tls.key --cert tls.crt

TLS for a single domain

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-magedu-nginx-service   # underscores are not valid in resource names
spec:
  tls:
    - hosts:
      - www.magedu.com
      secretName: tls-secret
  rules:
    - host: www.magedu.com
      http:
        paths:
        - path: /
          backend:
            serviceName: magedu-nginx-service
            servicePort: 80

Check the ports

]# kubectl  get svc -A
NAMESPACE              NAME                        TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
default                kubernetes                  ClusterIP   10.96.0.1        <none>        443/TCP                      4d18h
ingress-nginx          ingress-nginx               NodePort    10.98.53.31      <none>        80:32280/TCP,443:30022/TCP   2d16h

Check the Ingress

]# kubectl  get ingress -n linux39
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
NAME                           CLASS    HOSTS                           ADDRESS   PORTS     AGE
ingress-magedu-nginx-service   <none>   www.magedu.com,www.magedu.com             80, 443   112m

Test access

Configuring TLS for multiple domains

Create the certificates

openssl genrsa -out ca.key 2048

openssl req -x509 -new -nodes -key ca.key -days 5000 -out ca.crt -subj "/CN=magedu.com"

openssl genrsa -out ingress.key 2048

openssl req -new -key ingress.key -out ingress.csr -subj "/CN=magedu.com" -config openssl.cnf    # make sure the TLS certificate contains the matching host FQDNs (in /CN)

openssl x509 -req -in ingress.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out ingress.crt -days 5000 -extensions v3_req -extfile openssl.cnf

openssl.cnf

[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = nginx.magedu.com   # multiple domains go here
DNS.2 = tomcat.magedu.com

Create the secret

kubectl  create secret tls mage-tomcat --key ingress.key --cert ingress.crt

Ingress manifest

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-magedu-nginx-service
  namespace: linux39
spec:
  tls:
    - hosts:
      - magedu.com
      secretName: mage-tomcat
  rules:
    - host: nginx.magedu.com
      http:
        paths:
        - path: /
          backend:
            serviceName: magedu-nginx-service
            servicePort: 80
    - host: tomcat.magedu.com
      http:
        paths:
        - path: /myapp
          backend:
            serviceName: linux39-tomcat-app1-service
            servicePort: 80
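The multi-domain certificate procedure above (openssl.cnf with DNS.1/DNS.2, then the two-host Ingress) only works if every host in the Ingress rules is present as a SAN; a CN alone is not enough for modern clients. This added example, not part of the original post, generates the CA-signed SAN certificate the same way and then checks each rule host against the certificate's SAN list before the TLS Secret is created. The hostnames are the ones from the manifest above; the working directory, key size and validity period are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): CA-signed certificate with DNS SANs, plus
# a check that every Ingress rule host is covered. Paths and validity are assumptions.
set -eu

WORK="${WORK:-${TMPDIR:-/tmp}/san-demo}"
mkdir -p "$WORK" && cd "$WORK"

# make_san_cert CN HOST... -> writes ca.crt, ingress.key, ingress.crt in $WORK
make_san_cert() {
  cn=$1; shift
  {
    printf '[req]\nreq_extensions = v3_req\ndistinguished_name = dn\n[dn]\n[v3_req]\n'
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\n'
    printf 'subjectAltName = @alt_names\n[alt_names]\n'
    i=1; for h in "$@"; do printf 'DNS.%s = %s\n' "$i" "$h"; i=$((i+1)); done
  } > openssl.cnf
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -x509 -new -nodes -key ca.key -days 365 -out ca.crt -subj "/CN=$cn" 2>/dev/null
  openssl genrsa -out ingress.key 2048 2>/dev/null
  openssl req -new -key ingress.key -out ingress.csr -subj "/CN=$cn" -config openssl.cnf 2>/dev/null
  openssl x509 -req -in ingress.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out ingress.crt -days 365 -extensions v3_req -extfile openssl.cnf 2>/dev/null
}

# cert_covers_host CERT HOST -> exit 0 only if HOST is listed as a DNS SAN
cert_covers_host() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed 's/^ *DNS://' | grep -qx "$2"
}

# check_ingress_hosts CERT HOST... -> one line per host, exit 1 if any host is missing
check_ingress_hosts() {
  cert=$1; shift; rc=0
  for h in "$@"; do
    if cert_covers_host "$cert" "$h"; then echo "covered: $h"; else echo "MISSING: $h"; rc=1; fi
  done
  return $rc
}

make_san_cert magedu.com nginx.magedu.com tomcat.magedu.com
check_ingress_hosts ingress.crt nginx.magedu.com tomcat.magedu.com
check_ingress_hosts ingress.crt magedu.com || echo "magedu.com is only the CN, not a SAN"
```

Run the check against the real ingress.crt and the host list of the manifest before `kubectl create secret tls`; a MISSING line means that host needs a DNS.n entry in openssl.cnf and a re-issued certificate.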

More annotations

annotations: {}
  # kubernetes.io/ingress.class: nginx
  # kubernetes.io/tls-acme: "true"
  # kubernetes.io/ingress.allow-http: "false"
  # kubernetes.io/ingress.global-static-ip-name: ""
  # nginx.ingress.kubernetes.io/secure-backends: "true"
  # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  # nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0


Posted by 不会跳舞的胖子