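k8s: Load-balancing traffic (ingress-nginx)

Summary: introduction to Ingress, installing Ingress, Ingress examples

Introduction to Ingress

Ingress exposes HTTP and HTTPS routes from outside the cluster to Services inside the cluster. Traffic routing is controlled by rules defined on the Ingress resource.

Ingress is an entry point for reaching a Kubernetes cluster from outside: it forwards external requests to different Services inside the cluster, much like a load-balancing proxy such as nginx or haproxy. Using plain nginx alone has a major drawback, though: every time a new service is added, the nginx configuration has to change, and manually editing or rolling-updating the front-end nginx Pod each time is not practical. One could add a service-discovery tool such as consul. Ingress in fact works this way, except that it implements service discovery itself and needs no third-party service. On top of that it adds domain-name rule definitions, and the Ingress Controller takes care of refreshing the routing information.

In the simplest case, an Ingress sends all of its traffic to one Service.

An Ingress can be configured to give Services externally reachable URLs, load-balance traffic, terminate SSL/TLS, and offer name-based virtual hosting.

An Ingress controller is responsible for fulfilling the Ingress, usually with a load balancer, though it may also configure your edge router or additional frontends to help handle the traffic.

An Ingress does not expose arbitrary ports or protocols.

Exposing services other than HTTP and HTTPS to the Internet typically uses a Service of type Service.Type=NodePort or Service.Type=LoadBalancer.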



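Differences from Service

A Service can only be exposed through layer-4 load balancing, that is, as IP + port:

  • NodePort: occupies many ports on the cluster machines; the more services the cluster runs, the more obvious this drawback becomes
  • LoadBalancer: every Service needs its own LB, which is cumbersome and wastes resources, and it requires a load-balancing device outside k8s

Ingress provides layer-7 load balancing for exposing interfaces externally, and can dispatch traffic for different business domains and different URL paths.

  • Ingress: a resource object in K8s that defines the rules for how requests are forwarded to Services
  • Ingress Controller: the program that actually implements reverse proxying and load balancing. It parses the rules defined by Ingress resources and forwards requests according to them. There are many implementations, such as Nginx, Contour and Haproxy

How it works

  • The user writes Ingress rules stating which Service in the K8s cluster each domain name maps to
  • The Ingress controller dynamically detects changes to the Ingress rules and generates the corresponding Nginx reverse-proxy configuration
  • The Ingress controller writes the generated Nginx configuration into a running Nginx service and updates it dynamically
  • The client then accesses the domain name, and Nginx forwards the request to the actual Pod, which completes the request flow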




Installing ingress

Using the Alibaba Cloud container image registry

The images have already been mirrored to a self-built Alibaba Cloud registry, so ingress-nginx can be deployed directly.

Pull the images in advance

docker pull registry.cn-hangzhou.aliyuncs.com/yutao517/ingress_nginx_controller:v1.1.0
docker tag registry.cn-hangzhou.aliyuncs.com/yutao517/ingress_nginx_controller:v1.1.0  k8s.gcr.io/ingress-nginx/controller:v1.1.1
docker pull registry.cn-hangzhou.aliyuncs.com/yutao517/kube_webhook_certgen:v1.1.1
docker tag registry.cn-hangzhou.aliyuncs.com/yutao517/kube_webhook_certgen:v1.1.1  k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1

Download the deploy.yaml file

wget https://download.yutao.co/mirror/deploy.yaml

Modify the deploy.yaml file

In the file, change the image version that depends on ingress_nginx_controller:v1.1.0 to ingress_nginx_controller:v1.1.1.

The configuration after the change

apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
---
# Source: ingress-nginx/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
automountServiceAccountToken: true
---
# Source: ingress-nginx/templates/controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  allow-snippet-annotations: 'true'
---
# Source: ingress-nginx/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
      - namespaces
    verbs:
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
---
# Source: ingress-nginx/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ''
    resources:
      - configmaps
      - pods
      - secrets
      - endpoints
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - configmaps
    resourceNames:
      - ingress-controller-leader
    verbs:
      - get
      - update
  - apiGroups:
      - ''
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
---
# Source: ingress-nginx/templates/controller-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-service-webhook.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
spec:
  type: ClusterIP
  ports:
    - name: https-webhook
      port: 443
      targetPort: webhook
      appProtocol: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: NodePort
  externalTrafficPolicy: Local
  ipFamilyPolicy: SingleStack
  ipFamilies:
    - IPv4
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
      appProtocol: http
    - name: https
      port: 443
      protocol: TCP
      targetPort: https
      appProtocol: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/component: controller
  revisionHistoryLimit: 10
  minReadySeconds: 0
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
    spec:
      dnsPolicy: ClusterFirst
      containers:
        - name: controller
          image: k8s.gcr.io/ingress-nginx/controller:v1.1.1
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          args:
            - /nginx-ingress-controller
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
            - --election-id=ingress-controller-leader
            - --controller-class=k8s.io/ingress-nginx
            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            runAsUser: 101
            allowPrivilegeEscalation: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
            - name: webhook
              containerPort: 8443
              protocol: TCP
          volumeMounts:
            - name: webhook-cert
              mountPath: /usr/local/certificates/
              readOnly: true
          resources:
            requests:
              cpu: 100m
              memory: 90Mi
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission
---
# Source: ingress-nginx/templates/controller-ingressclass.yaml
# We don't support namespaced ingressClass yet
# So a ClusterRole and a ClusterRoleBinding is required
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: nginx
  namespace: ingress-nginx
spec:
  controller: k8s.io/ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
# before changing this value, check the required kubernetes version
# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  name: ingress-nginx-admission
webhooks:
  - name: validate.nginx.ingress.kubernetes.io
    matchPolicy: Equivalent
    rules:
      - apiGroups:
          - networking.k8s.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions:
      - v1
    clientConfig:
      service:
        namespace: ingress-nginx
        name: ingress-nginx-controller-admission
        path: /networking/v1/ingresses
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
rules:
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - get
      - update
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
rules:
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - get
      - create
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
spec:
  template:
    metadata:
      name: ingress-nginx-admission-create
      labels:
        helm.sh/chart: ingress-nginx-4.0.10
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/version: 1.1.0
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: create
          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1
          imagePullPolicy: IfNotPresent
          args:
            - create
            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
            - --namespace=$(POD_NAMESPACE)
            - --secret-name=ingress-nginx-admission
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          securityContext:
            allowPrivilegeEscalation: false
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
spec:
  template:
    metadata:
      name: ingress-nginx-admission-patch
      labels:
        helm.sh/chart: ingress-nginx-4.0.10
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/version: 1.1.0
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: patch
          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1
          imagePullPolicy: IfNotPresent
          args:
            - patch
            - --webhook-name=ingress-nginx-admission
            - --namespace=$(POD_NAMESPACE)
            - --patch-mutating=false
            - --secret-name=ingress-nginx-admission
            - --patch-failure-policy=Fail
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          securityContext:
            allowPrivilegeEscalation: false
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000



Create ingress-nginx

kubectl apply -f deploy.yaml

After it succeeds

Check the ingress-related Services.

Check the ingress-related Pods.

Make sure all of the above have started successfully.




A simple Ingress example

Create the Deployment

test1_deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: dp-test-for-ingress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test1
  template:
    metadata:
      labels:
        app: test1
    spec:
      containers:
      - image: nginx
        name: test
        ports:
        - containerPort: 80
        resources:
          requests:
            cpu: 1
          limits:
            cpu: 1
---
apiVersion: v1
kind: Service
metadata:
  name: svc-test-for-ingress
spec:
  ports:
  - name: myngx
    port: 2280
    targetPort: 80
  selector:
    app: test1
  type: NodePort

The Service type is set to NodePort.

kubectl apply -f test1_deployment.yaml

Check the Service

kubectl get svc


Create the Ingress

rule-test.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ing-test1
spec:
  rules:
  - host: test.bar.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: svc-test-for-ingress
            port:
              number: 2280
  ingressClassName: nginx   # ingressClassName must be specified

Note:

ingressClassName must be set. If it is not, the created Ingress cannot find a class and is not assigned an Address.

kubectl apply -f rule-test.yaml

Check the Ingress

kubectl get ingress


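External access

Configuration required before access

Map the host to the address.

Note:

192.168.xx.xx: the IP address of the host machine

test.bar.com: the service name exposed by the Ingress; external clients can reach the service through this name

Access from a browser:

http://test.bar.com:32091/

Note:

Access uses the NodeIP:NodePort form. The NodeIP is the host machine's IP address configured in the /etc/hosts file.

The port used is the NodePort of the ingress-nginx-controller Service, here 32091.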







Using Ingress

Name-based virtual hosting: routing by domain name

Name-based virtual hosts support routing HTTP traffic for multiple host names to the same IP address.

Ingress configuration

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test
spec:
  ingressClassName: ingress1
  rules:
  - host: foo.bar.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: test1
            port:
              number: 2180
  - host: bar.foo.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: test2
            port:
              number: 2280

If you create an Ingress resource without any hosts defined in its rules, it can match any network traffic addressed to the Ingress controller's IP address, with no name-based virtual host required.




Simple fanout

A fanout configuration routes traffic from a single IP address to more than one Service, based on the HTTP URI being requested. An Ingress lets you keep the number of load balancers to a minimum. For example, a setup like this:

Ingress configuration

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test11
spec:
  ingressClassName: ingress1
  rules:
  - host: test1.bar.com
    http:
      paths:
      - pathType: Prefix
        path: "/test1/"
        backend:
          service:
            name: test1
            port:
              number: 2180
      - pathType: Prefix
        path: "/test2/"
        backend:
          service:
            name: test1
            port:
              number: 2180



Exposing multiple services with Ingress

rules and paths are arrays, so several entries can be configured.

Ingress configuration

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test13
spec:
  ingressClassName: ingress1
  rules:
  - host: test1.bar.com
    http:
      paths:
      - pathType: Prefix
        path: "/test1/"
        backend:
          service:
            name: test1
            port:
              number: 2180
      - pathType: Prefix
        path: "/test2/"
        backend:
          service:
            name: test1
            port:
              number: 2180
  - host: test3.bar.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: test3
            port:
              number: 2380
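
How the host and path rules of the test13 manifest select a backend, following the matching rules of the Kubernetes Ingress API (Prefix compares whole path elements, the longest match wins). This is an added example, not code from the original article or from ingress-nginx; the RULES table is copied from the manifest and the function names are illustrative.

```python
# Added example: a model of Ingress API host/path matching, not ingress-nginx code.

# (host, pathType, path, "service:port") copied from the test13 Ingress on this page
RULES = [
    ("test1.bar.com", "Prefix", "/test1/", "test1:2180"),
    ("test1.bar.com", "Prefix", "/test2/", "test1:2180"),
    ("test3.bar.com", "Prefix", "/", "test3:2380"),
]


def host_matches(rule_host, request_host):
    """Exact host match, or a '*.' wildcard that covers exactly one DNS label."""
    request_host = request_host.split(":")[0].lower()   # drop a :NodePort suffix
    if not rule_host:
        return True          # a rule without host matches every Host header
    rule_host = rule_host.lower()
    if rule_host.startswith("*."):
        head, _, tail = request_host.partition(".")
        return bool(head) and tail == rule_host[2:]
    return rule_host == request_host


def path_matches(path_type, rule_path, request_path):
    """Exact is a string comparison; Prefix compares '/'-separated elements."""
    if path_type == "Exact":
        return rule_path == request_path
    want = [p for p in rule_path.split("/") if p]
    got = [p for p in request_path.split("/") if p]
    return got[:len(want)] == want


def route(host, path, rules=RULES):
    """Return the backend for a request, or None when no rule matches."""
    best = None
    for rule_host, path_type, rule_path, backend in rules:
        if not host_matches(rule_host, host):
            continue
        if not path_matches(path_type, rule_path, path):
            continue
        # Longest matching path wins; on a tie Exact beats Prefix.
        rank = (len(rule_path), path_type == "Exact")
        if best is None or rank > best[0]:
            best = (rank, backend)
    return best[1] if best else None


if __name__ == "__main__":
    for host, path in [("test1.bar.com", "/test1/index.html"),
                       ("test1.bar.com", "/test10/"),
                       ("test1.bar.com:32091", "/test2/a"),
                       ("test3.bar.com", "/anything"),
                       ("other.bar.com", "/")]:
        print(f"{host}{path} -> {route(host, path)}")
```

A request for /test10/ is not sent to the /test1/ backend because matching is per path element, and a request that matches no rule falls through to whatever the controller serves by default.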



Ingress rate limiting

Ingress configuration

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/limit-rps: "1"
  name: ratelimit
spec:
  rules:
  - host: test1.bar.com
    http:
      paths:
      - backend:
          service:
            name: test1
            port:
              number: 2180
        path: /
        pathType: Exact
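
What limit-rps: "1" means for a burst of requests, as an added example that is not part of the original article or of ingress-nginx. It models nginx limit_req accounting and assumes the controller defaults (burst multiplier 5, nodelay, rejection status 503); the client addresses and timings are constructed.

```python
# Added example: model of the per-client limit produced by limit-rps: "1".

LIMIT_RPS = 1           # nginx.ingress.kubernetes.io/limit-rps from the manifest
BURST_MULTIPLIER = 5    # assumption: ingress-nginx default burst multiplier
REJECT_STATUS = 503     # assumption: ingress-nginx default rejection status


class LimitReq:
    """Leaky bucket per client IP, counted in 1/1000 of a request like nginx."""

    def __init__(self, rps=LIMIT_RPS, multiplier=BURST_MULTIPLIER):
        self.rate = rps * 1000                 # milli-requests drained per second
        self.burst = rps * multiplier * 1000   # milli-requests of tolerated backlog
        self.state = {}                        # client ip -> (excess, last_ms)

    def hit(self, client_ip, now_ms):
        """Return the HTTP status the proxy would answer for one request."""
        if client_ip not in self.state:
            self.state[client_ip] = (0, now_ms)
            return 200
        excess, last_ms = self.state[client_ip]
        elapsed = max(0, now_ms - last_ms)
        excess = max(0, excess - self.rate * elapsed // 1000 + 1000)
        if excess > self.burst:
            return REJECT_STATUS               # rejected requests are not accounted
        self.state[client_ip] = (excess, now_ms)
        return 200


def replay(requests, limiter=None):
    """requests: iterable of (timestamp in ms, client ip); returns the statuses."""
    limiter = limiter or LimitReq()
    return [limiter.hit(ip, ts) for ts, ip in requests]


# Constructed traffic: one client sends 10 requests within 90 ms, pauses, then
# sends 4 more; a second client sends one request per second.
BURST_CLIENT = ([(i * 10, "203.0.113.7") for i in range(10)]
                + [(3090 + i * 10, "203.0.113.7") for i in range(4)])
STEADY_CLIENT = [(i * 1000, "198.51.100.9") for i in range(5)]

if __name__ == "__main__":
    for (ts, ip), status in zip(BURST_CLIENT, replay(BURST_CLIENT)):
        print(f"{ts:>5} ms  {ip}  -> {status}")
```

The bucket is keyed on the client address the controller sees; the controller Service in deploy.yaml sets externalTrafficPolicy: Local, which preserves that address for NodePort traffic.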




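Handling TLS with Ingress

Preparing the certificate

Everything described so far is based on HTTP; HTTPS requires certificates to be configured. When a client opens a TLS connection to the Ingress controller, the controller terminates the TLS connection. Traffic between the client and the Ingress controller is encrypted, while traffic between the Ingress controller and the Pods is not. For the controller to do this, the certificate and private key must be attached to the Ingress.

An Ingress is secured by specifying a Secret that contains a TLS private key and certificate. Ingress supports only a single TLS port, 443, and assumes that TLS terminates at the Ingress node (traffic to the Service and its Pods is sent in plaintext). If the TLS configuration section of an Ingress specifies different hosts, they are multiplexed on the same port according to the host name given in the SNI TLS extension (provided the Ingress controller supports SNI). The TLS Secret must contain keys named tls.crt and tls.key, which hold the certificate and private key used for TLS.

Generate the key

openssl genrsa -out tls.key 2048

Generate the certificate

Put the domain name into the certificate

openssl req -new -x509 -key tls.key -out tls.cert -days 360 -subj /CN=test.bar.com

Create the Secret

Create a Secret from the two generated files

kubectl create secret tls tls-secret --cert=tls.cert --key=tls.key
secret/tls-secret created

Create the Ingress

The Ingress object can now be updated so that it also accepts HTTPS requests for test.bar.com.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ing-test1
spec:
  tls:
  - hosts:
    - test.bar.com
    secretName: tls-secret
  rules:
  - host: test.bar.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: svc-test-for-ingress
            port:
              number: 2280
  ingressClassName: nginx

The tls section specifies the certificate. Referencing this Secret in the Ingress tells the Ingress controller to secure the channel from the client to the load balancer with TLS.

You need to make sure the TLS Secret was created from a certificate whose Common Name (CN) contains test.bar.com. The Common Name here is also known as the fully qualified domain name (FQDN).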
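
An added example (not from the original article or the ingress-nginx project) that audits Ingress objects for the points raised on this page: a missing ingressClassName, rules without a host, hosts not covered by a tls entry, and snippet annotations, which the ConfigMap in deploy.yaml permits through allow-snippet-annotations: 'true'. The objects are dicts in the shape of kubectl get ingress -o json; the finding codes and the third sample object are constructed.

```python
# Added example: checks derived from this page's notes; not part of ingress-nginx.
ANNOTATION_NS = "nginx.ingress.kubernetes.io/"


def tls_covers(tls_hosts, host):
    """True if host equals a TLS host or matches a one-label '*.' wildcard."""
    for pattern in tls_hosts:
        if pattern == host:
            return True
        if pattern.startswith("*.") and host.partition(".")[2] == pattern[2:]:
            return True
    return False


def audit(ingress, snippets_allowed=True):
    """Return sorted finding codes for one Ingress object given as a dict."""
    meta = ingress.get("metadata", {})
    spec = ingress.get("spec", {})
    findings = []

    # Page note: without ingressClassName the Ingress finds no class and
    # gets no Address.
    if not spec.get("ingressClassName"):
        findings.append("no-ingress-class")

    tls_hosts = []
    for entry in spec.get("tls", []):
        tls_hosts += entry.get("hosts", [])
        if not entry.get("secretName"):
            findings.append("tls-without-secret")

    for rule in spec.get("rules", []):
        host = rule.get("host")
        if not host:
            # A rule without host matches any traffic reaching the controller.
            findings.append("catch-all-host")
        elif not tls_covers(tls_hosts, host):
            # No certificate is configured for this host name.
            findings.append("no-tls:" + host)

    # With allow-snippet-annotations: 'true', *-snippet annotations are copied
    # into the generated nginx configuration, so they deserve a review.
    if snippets_allowed:
        for key in meta.get("annotations", {}):
            if key.startswith(ANNOTATION_NS) and key.endswith("-snippet"):
                findings.append("snippet:" + key[len(ANNOTATION_NS):])
    return sorted(findings)


def audit_all(items, snippets_allowed=True):
    """Map each Ingress name to its findings."""
    return {i["metadata"]["name"]: audit(i, snippets_allowed) for i in items}


PAGE_TLS = {  # ing-test1 with its tls section, from this page
    "metadata": {"name": "ing-test1"},
    "spec": {
        "ingressClassName": "nginx",
        "tls": [{"hosts": ["test.bar.com"], "secretName": "tls-secret"}],
        "rules": [{"host": "test.bar.com"}],
    },
}
PAGE_RATELIMIT = {  # the ratelimit Ingress from this page
    "metadata": {"name": "ratelimit",
                 "annotations": {ANNOTATION_NS + "limit-rps": "1"}},
    "spec": {"rules": [{"host": "test1.bar.com"}]},
}
CONSTRUCTED = {  # constructed object, not from the page
    "metadata": {"name": "demo-catch-all",
                 "annotations": {ANNOTATION_NS + "configuration-snippet":
                                 "add_header X-Demo 1;"}},
    "spec": {"ingressClassName": "nginx", "rules": [{"http": {"paths": []}}]},
}

if __name__ == "__main__":
    for name, found in audit_all([PAGE_TLS, PAGE_RATELIMIT, CONSTRUCTED]).items():
        print(name, found or "ok")
```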


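Ingress high availability

An Ingress controller is bootstrapped with some load-balancing policy settings that apply to all Ingresses, such as the load-balancing algorithm, backend weight scheme and others. More advanced load-balancing concepts (for example persistent sessions and dynamic weights) are not yet exposed through Ingress. You can get these features through the load balancer used for a Service. It is worth noting that although health checks are not exposed directly through Ingress, parallel concepts exist in Kubernetes, such as readiness probes, that let you achieve the same result.

Change the Nginx controller Service type

kubectl edit svc -n ingress-nginx ingress-nginx-controller

kubectl get svc -n ingress-nginx ingress-nginx-controller
NAME                       TYPE           CLUSTER-IP     EXTERNAL-IP      PORT(S)                      AGE
ingress-nginx-controller   LoadBalancer   10.20.97.114   192.168.56.251   80:30493/TCP,443:30416/TCP   18h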




















