Ingress

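Introduction to Ingress

Kubernetes can expose services through a LoadBalancer Service, a NodePort Service, or an Ingress.

Ingress currently works only at layer 7 of the network stack.

Ingress: a set of rules that forward requests to a specified Service resource based on DNS name or URL path. (It abstracts the nginx configuration into an Ingress object: instead of editing a configuration file, you edit the YAML file and then create or update the object.)

Ingress Controller: an Nginx load balancer that updates itself automatically in response to changes in Ingress objects and in the backend Services being proxied.

The Ingress Controller generates an nginx configuration file from the contents of the Ingress objects and starts an nginx service with it. Whenever an Ingress object is updated, the Ingress Controller updates this configuration file.

External requests first reach the Ingress Controller. The Ingress Controller looks up the matching Service according to the Ingress routing rules, resolves the Pod IP addresses through the Endpoints, and then forwards the request to the Pod.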

Using ingress-nginx

Official site: https://kubernetes.github.io/ingress-nginx/deploy/

GitHub: https://github.com/kubernetes/ingress-nginx

Annotations in an Ingress rule can enable some nginx features.

Installing the Ingress controller

```shell
[root@k8s01 ~]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.40.1/deploy/static/provider/baremetal/deploy.yaml
## https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/baremetal/deploy.yaml (NodePort version) is the latest release; change the image as needed
## deploy.yaml needs editing, e.g. set the image to imwl/ingress-nginx-controller:v0.40.1 (a synced copy of the official image).

[root@k8s01 ~]# kubectl apply -f deploy.yaml
namespace/ingress-nginx created
serviceaccount/ingress-nginx created
configmap/ingress-nginx-controller created
clusterrole.rbac.authorization.k8s.io/ingress-nginx created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx created
role.rbac.authorization.k8s.io/ingress-nginx created
rolebinding.rbac.authorization.k8s.io/ingress-nginx created
service/ingress-nginx-controller-admission created
service/ingress-nginx-controller created
deployment.apps/ingress-nginx-controller created
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission created
serviceaccount/ingress-nginx-admission created
clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
role.rbac.authorization.k8s.io/ingress-nginx-admission created
rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
job.batch/ingress-nginx-admission-create created
job.batch/ingress-nginx-admission-patch created
```

Ingress HTTP proxy access

test-Ingress01.yaml

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: myapp
          image: imwl/myapp:v2
          ports:
            - name: http
              containerPort: 80

---
apiVersion: v1
kind: Service
metadata:
  name: myapp02
  namespace: default
spec:
  selector:
    app: myapp
  ports:
    - targetPort: 80
      port: 80

---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: example-ingress
  annotations: # enables selected nginx features, no restart required
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
    - host: master.k8s.com
      http:
        paths:
          - path: /
            backend:
              serviceName: myapp02
              servicePort: 80
```

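Ingress HTTPS proxy access

Create the certificate and store it as a Secret

```shell
# Generate a self-signed certificate and an unencrypted private key, valid for 365 days
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
# Store the key pair as a TLS Secret that the Ingress can reference
kubectl create secret tls tls-secret --key tls.key --cert tls.crt
```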

Deployment, Service, and Ingress YAML files

```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: nginx-test
spec:
  tls:
    - hosts: # the field is "hosts" (a list), not "host"
        - master.k8s01.com
      secretName: tls-secret
  rules:
    - host: master.k8s01.com
      http:
        paths:
          - path: /
            backend:
              serviceName: nginx-svc
              servicePort: 80
```

Basic Auth with Nginx

```shell
# httpd provides the htpasswd tool
yum -y install httpd
# Create the file "auth" with user foo (prompts for the password)
htpasswd -c auth foo
# The Secret key must be named "auth", which --from-file=auth gives us
kubectl create secret generic basic-auth --from-file=auth
```

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-with-auth
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  rules:
    - host: foo2.bar.com
      http:
        paths:
          - path: /
            backend:
              serviceName: nginx-svc
              servicePort: 80
```
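
The Ingress above has no tls section, so the Basic Auth credentials (only base64-encoded) cross the network over plain HTTP. As an added example, not part of the original post, here is the same Ingress combined with the TLS Secret from the HTTPS section and written for the networking.k8s.io/v1 API; it assumes the certificate stored in tls-secret has been issued for foo2.bar.com.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-with-auth
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # Basic Auth settings, unchanged from the manifest above
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
    # Redirect HTTP to HTTPS so the auth challenge is only issued over TLS.
    # This is already the controller default once a tls section exists;
    # it is set explicitly here so the intent survives a changed default.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
    - hosts:
        - foo2.bar.com
      secretName: tls-secret # assumption: certificate covers foo2.bar.com
  rules:
    - host: foo2.bar.com
      http:
        paths:
          - path: /
            pathType: Prefix # required in networking.k8s.io/v1
            backend:
              service:
                name: nginx-svc
                port:
                  number: 80
```

The basic-auth and tls-secret Secrets must live in the same namespace as this Ingress.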

Rewriting with Nginx

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-test
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: http://foo.bar.com:31795/hostname.htm
spec:
  rules:
    - host: foo10.bar.com
      http:
        paths:
          - path: /
            backend:
              serviceName: nginx-svc
              servicePort: 80
```

Settings for k8s > 1.19

Example

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-myserviceb
spec:
  rules:
    - host: myserviceb.foo.org
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: myserviceb
                port:
                  name: https-dashboard
```