k8s: load-balancing traffic (ingress-nginx)

Summary: an introduction to Ingress, installing ingress-nginx, and Ingress examples


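Introduction to Ingress

Ingress exposes HTTP and HTTPS routes from outside the cluster to Services inside the cluster. Traffic routing is controlled by rules defined on the Ingress resource.

Ingress is essentially an entry point for reaching a Kubernetes cluster from outside: it forwards external requests to different Services inside the cluster, much like a load-balancing proxy such as nginx or haproxy. Using plain nginx for this has a major drawback, though: every time a new service is added the nginx configuration has to change, and we cannot be expected to edit it by hand or roll out the front-end nginx Pod each time. So we would add a service-discovery tool such as consul. Ingress is implemented in exactly this way, except that it provides the service discovery itself instead of relying on a third-party service, and adds domain-name rule definitions on top. Refreshing the routing information is the job of the Ingress Controller.

A simple example follows, in which an Ingress sends all of its traffic to one Service.

Ingress can be configured to give Services externally reachable URLs, load-balance traffic, terminate SSL/TLS, and offer name-based virtual hosting.

An Ingress controller is responsible for fulfilling the Ingress, usually with a load balancer, though it may also configure your edge router or additional frontends to help handle the traffic.

Ingress does not expose arbitrary ports or protocols.

Exposing services other than HTTP and HTTPS to the Internet typically uses a Service of type Service.Type=NodePort or Service.Type=LoadBalancer.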



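Differences from a Service

A Service can only be exposed through layer-4 load balancing, that is, as IP + port:

  • NodePort: occupies many ports on the cluster machines, a drawback that becomes more obvious as the number of services grows
  • LoadBalancer: every Service needs its own LB, which is cumbersome and wasteful, and requires load-balancing equipment outside k8s

Ingress provides layer-7 load balancing for exposing interfaces externally, and can route traffic for different business domains and different URL paths.

  • Ingress: a resource object in K8s that defines the rules for how requests are forwarded to Services
  • Ingress Controller: the program that actually implements the reverse proxy and load balancing. It parses the rules defined by Ingress objects and forwards requests according to them. There are many implementations, such as Nginx, Contour and Haproxy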



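How it works

  • The user writes Ingress rules stating which Service in the K8s cluster each domain name maps to
  • The Ingress controller detects changes to the Ingress rules dynamically and generates the corresponding Nginx reverse-proxy configuration
  • The Ingress controller writes the generated Nginx configuration into a running Nginx service and updates it dynamically
  • When a client then accesses the domain name, Nginx forwards the request to the actual Pod, which completes the request path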
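The loop described above, as an added Python sketch that is not ingress-nginx's own code: it validates the rules, renders them together with the current Pod endpoints into nginx configuration, and reports whether the running configuration needs updating. The Pod addresses, the upstream naming and the validation patterns are assumptions made for the illustration.

```python
import re

# Constructed sample state: the rule from rule-test.yaml plus made-up Pod addresses.
RULES = [{"host": "test.bar.com",
          "paths": [{"path": "/", "service": "svc-test-for-ingress", "port": 2280}]}]
ENDPOINTS = {("svc-test-for-ingress", 2280): ["10.244.1.12:80", "10.244.2.7:80"]}

# Rule values are interpolated into nginx syntax, so only plain host names and
# paths are accepted (assumed patterns, stricter than the Ingress API itself).
HOST_RE = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*")
PATH_RE = re.compile(r"/[A-Za-z0-9/_.-]*")


def validate(rules):
    """Reject rules whose host or path cannot be written safely into the config."""
    for rule in rules:
        if not HOST_RE.fullmatch(rule["host"]):
            raise ValueError(f"invalid host: {rule['host']!r}")
        for p in rule["paths"]:
            if not PATH_RE.fullmatch(p["path"]):
                raise ValueError(f"invalid path: {p['path']!r}")


def render(rules, endpoints):
    """Turn Ingress rules and the current Pod endpoints into nginx configuration text."""
    validate(rules)
    out, done = [], set()
    for rule in rules:
        for p in rule["paths"]:
            key = (p["service"], p["port"])
            if key in done or not endpoints.get(key):
                continue  # an upstream block without servers is invalid nginx
            done.add(key)
            out.append(f"upstream {key[0]}-{key[1]} {{")
            out += [f"    server {addr};" for addr in sorted(endpoints[key])]
            out.append("}")
    for rule in rules:
        out += ["server {", "    listen 80;", f"    server_name {rule['host']};"]
        # Longest path first, so the most specific location is listed first.
        for p in sorted(rule["paths"], key=lambda p: len(p["path"]), reverse=True):
            key = (p["service"], p["port"])
            out.append(f"    location {p['path']} {{")
            if key in done:
                out.append(f"        proxy_pass http://{key[0]}-{key[1]};")
            else:
                out.append("        return 503;  # Service has no ready Pods")
            out.append("    }")
        out.append("}")
    return "\n".join(out) + "\n"


def reconcile(current, rules, endpoints):
    """One pass of the control loop: re-render and say whether nginx needs updating."""
    wanted = render(rules, endpoints)
    return wanted, wanted != current


if __name__ == "__main__":
    config, changed = reconcile("", RULES, ENDPOINTS)
    print(config, "update needed:", changed)
```

The controller's ClusterRole in deploy.yaml grants `list` and `watch` on Ingresses, Services and Endpoints precisely because this loop needs all three as input.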




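Installing ingress

Using the Alibaba Cloud container image registry

Images have already been built and pushed to an Alibaba Cloud registry, so ingress-nginx can be deployed from them directly.

Pull the images in advance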

docker pull registry.cn-hangzhou.aliyuncs.com/yutao517/ingress_nginx_controller:v1.1.0
docker tag registry.cn-hangzhou.aliyuncs.com/yutao517/ingress_nginx_controller:v1.1.0  k8s.gcr.io/ingress-nginx/controller:v1.1.1
docker pull registry.cn-hangzhou.aliyuncs.com/yutao517/kube_webhook_certgen:v1.1.1
docker tag registry.cn-hangzhou.aliyuncs.com/yutao517/kube_webhook_certgen:v1.1.1  k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1


Download the deploy.yaml file


wget https://download.yutao.co/mirror/deploy.yaml




Modify the deploy.yaml file

In the file, change the image version it depends on from ingress_nginx_controller:v1.1.0 to ingress_nginx_controller:v1.1.1

The configuration after modification

apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
---
# Source: ingress-nginx/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
automountServiceAccountToken: true
---
# Source: ingress-nginx/templates/controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  allow-snippet-annotations: 'true'
---
# Source: ingress-nginx/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
      - namespaces
    verbs:
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
---
# Source: ingress-nginx/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ''
    resources:
      - configmaps
      - pods
      - secrets
      - endpoints
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - configmaps
    resourceNames:
      - ingress-controller-leader
    verbs:
      - get
      - update
  - apiGroups:
      - ''
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
---
# Source: ingress-nginx/templates/controller-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-service-webhook.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
spec:
  type: ClusterIP
  ports:
    - name: https-webhook
      port: 443
      targetPort: webhook
      appProtocol: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: NodePort
  externalTrafficPolicy: Local
  ipFamilyPolicy: SingleStack
  ipFamilies:
    - IPv4
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
      appProtocol: http
    - name: https
      port: 443
      protocol: TCP
      targetPort: https
      appProtocol: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/component: controller
  revisionHistoryLimit: 10
  minReadySeconds: 0
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
    spec:
      dnsPolicy: ClusterFirst
      containers:
        - name: controller
          image: k8s.gcr.io/ingress-nginx/controller:v1.1.1
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          args:
            - /nginx-ingress-controller
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
            - --election-id=ingress-controller-leader
            - --controller-class=k8s.io/ingress-nginx
            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            runAsUser: 101
            allowPrivilegeEscalation: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
            - name: webhook
              containerPort: 8443
              protocol: TCP
          volumeMounts:
            - name: webhook-cert
              mountPath: /usr/local/certificates/
              readOnly: true
          resources:
            requests:
              cpu: 100m
              memory: 90Mi
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission
---
# Source: ingress-nginx/templates/controller-ingressclass.yaml
# We don't support namespaced ingressClass yet
# So a ClusterRole and a ClusterRoleBinding is required
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: nginx
  namespace: ingress-nginx
spec:
  controller: k8s.io/ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
# before changing this value, check the required kubernetes version
# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  name: ingress-nginx-admission
webhooks:
  - name: validate.nginx.ingress.kubernetes.io
    matchPolicy: Equivalent
    rules:
      - apiGroups:
          - networking.k8s.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions:
      - v1
    clientConfig:
      service:
        namespace: ingress-nginx
        name: ingress-nginx-controller-admission
        path: /networking/v1/ingresses
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
rules:
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - get
      - update
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
rules:
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - get
      - create
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
spec:
  template:
    metadata:
      name: ingress-nginx-admission-create
      labels:
        helm.sh/chart: ingress-nginx-4.0.10
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/version: 1.1.0
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: create
          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1
          imagePullPolicy: IfNotPresent
          args:
            - create
            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
            - --namespace=$(POD_NAMESPACE)
            - --secret-name=ingress-nginx-admission
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          securityContext:
            allowPrivilegeEscalation: false
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
spec:
  template:
    metadata:
      name: ingress-nginx-admission-patch
      labels:
        helm.sh/chart: ingress-nginx-4.0.10
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/version: 1.1.0
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: patch
          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1
          imagePullPolicy: IfNotPresent
          args:
            - patch
            - --webhook-name=ingress-nginx-admission
            - --namespace=$(POD_NAMESPACE)
            - --patch-mutating=false
            - --secret-name=ingress-nginx-admission
            - --patch-failure-policy=Fail
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          securityContext:
            allowPrivilegeEscalation: false
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
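Several settings in this manifest deserve a look before it is applied: snippet annotations are enabled, the controller's ClusterRole can list Secrets in every namespace, the controller container allows privilege escalation, and images are referenced by tag with `imagePullPolicy: IfNotPresent`, so a node runs whatever local image was given that tag in the pull step. The following Python check is an added example, not part of the original article or of ingress-nginx; `MANIFEST` is a trimmed excerpt of the file above, and the regex scan assumes the block-style YAML layout used there.

```python
import re

# Excerpt of the deploy.yaml above, trimmed to the fields the checks read.
MANIFEST = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
data:
  allow-snippet-annotations: 'true'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - configmaps
      - secrets
    verbs:
      - list
      - watch
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-nginx-controller
spec:
  template:
    spec:
      containers:
        - name: controller
          image: k8s.gcr.io/ingress-nginx/controller:v1.1.1
          imagePullPolicy: IfNotPresent
          securityContext:
            runAsUser: 101
            allowPrivilegeEscalation: true
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: ingress-nginx-admission
webhooks:
  - name: validate.nginx.ingress.kubernetes.io
    failurePolicy: Fail
"""


def field(doc, pattern):
    """First capture of pattern in one YAML document, or '?' if absent."""
    m = re.search(pattern, doc, re.M)
    return m.group(1) if m else "?"


def audit(text):
    """Return (kind, name, message) for every setting worth a second look."""
    findings = []
    for doc in re.split(r"(?m)^---[ \t]*\n", text):
        if not doc.strip():
            continue
        kind = field(doc, r"^kind:\s*(\S+)")
        name = field(doc, r"^  name:\s*(\S+)")  # metadata.name (two-space indent)
        if kind == "ConfigMap" and re.search(r"allow-snippet-annotations:\s*['\"]?true", doc):
            findings.append((kind, name, "snippet annotations enabled: anyone who can "
                             "create an Ingress can add raw nginx configuration"))
        if kind == "ClusterRole" and re.search(r"^\s*-\s*secrets\s*$", doc, re.M):
            findings.append((kind, name, "cluster-wide access to Secrets"))
        for image in re.findall(r"^\s*image:\s*(\S+)", doc, re.M):
            if "@sha256:" not in image:
                findings.append((kind, name, f"image {image} is pinned by tag, not digest"))
        if re.search(r"^\s*allowPrivilegeEscalation:\s*true", doc, re.M):
            findings.append((kind, name, "allowPrivilegeEscalation is true"))
        if kind == "ValidatingWebhookConfiguration" and re.search(r"failurePolicy:\s*Ignore", doc):
            findings.append((kind, name, "admission webhook fails open"))
    return findings


if __name__ == "__main__":
    for kind, name, message in audit(MANIFEST):
        print(f"{kind}/{name}: {message}")
```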



Create ingress-nginx


kubectl apply -f deploy.yaml



After it succeeds

View the ingress-related Services

View the ingress-related Pods

Make sure everything above has started successfully

A simple ingress example

Create the Deployment



test1_deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: dp-test-for-ingress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test1
  template:
    metadata:
      labels:
        app: test1
    spec:
      containers:
      - image: nginx
        name: test
        ports:
        - containerPort: 80
        resources:
          requests:
            cpu: 1
          limits:
            cpu: 1
---
apiVersion: v1
kind: Service
metadata:
  name: svc-test-for-ingress
spec:
  ports:
  - name: myngx
    port: 2280
    targetPort: 80
  selector:
    app: test1
  type: NodePort

The Service type is set to NodePort



kubectl apply -f test1_deployment.yaml


View the Service

kubectl get svc

Create the Ingress


rule-test.yaml


apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ing-test1
spec:
  rules:
  - host: test.bar.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: svc-test-for-ingress
            port:
              number: 2280
  ingressClassName: nginx   # ingressClassName must be specified

Note:

ingressClassName must be configured. Without it, the created Ingress cannot find its class and is not assigned an Address.


kubectl apply -f rule-test.yaml



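View the Ingress

kubectl get ingress

External access

Configuration required before access

Map the host to the address

Note:

192.168.xx.xx: the IP address of the host machine

test.bar.com: the host name exposed by the Ingress; external clients reach the service through this name

Access from a browser: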


http://test.bar.com:32091/

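Note:

Access uses the NodeIP:NodePort form, where NodeIP is the host machine's IP address configured in the /etc/hosts file.

The port used is the NodePort of the ingress-nginx-controller Service, which here is 32091.

Using ingress

Name-based virtual hosting: access by domain name

Name-based virtual hosting supports routing HTTP traffic for multiple host names to the same IP address.

Ingress configuration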


apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test
spec:
  ingressClassName: ingress1
  rules:
  - host: foo.bar.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: test1
            port:
              number: 2180
  - host: bar.foo.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: test2
            port:
              number: 2280

If you create an Ingress resource without any hosts defined in its rules, any web traffic sent to the Ingress controller's IP address can be matched, with no name-based virtual host required.

Simple fanout

A fanout configuration routes traffic from a single IP address to more than one Service, based on the HTTP URI being requested. An Ingress lets you keep the number of load balancers to a minimum. For example, a setup like this:

Ingress configuration



apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test11
spec:
  ingressClassName: ingress1
  rules:
  - host: test1.bar.com
    http:
      paths:
      - pathType: Prefix
        path: "/test1/"
        backend:
          service:
            name: test1
            port:
              number: 2180
      - pathType: Prefix
        path: "/test2/"
        backend:
          service:
            name: test1
            port:
              number: 2180

Exposing multiple services with ingress

rules and paths are arrays, so multiple entries can be configured

Ingress configuration



apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test13
spec:
  ingressClassName: ingress1
  rules:
  - host: test1.bar.com
    http:
      paths:
      - pathType: Prefix
        path: "/test1/"
        backend:
          service:
            name: test1
            port:
              number: 2180
      - pathType: Prefix
        path: "/test2/"
        backend:
          service:
            name: test1
            port:
              number: 2180
  - host: test3.bar.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: test3
            port:
              number: 2380
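How a request's Host header and path select a backend under the virtual-host, fanout and multi-service rules above, as an added Python example (not code from the article or from ingress-nginx). It follows the matching rules documented for the Kubernetes Ingress API and goes slightly beyond the page by also handling wildcard hosts; the `Exact` entry mirrors the rate-limit Ingress later on this page, and the host-less `fallback:80` rule is constructed to show the catch-all case.

```python
# Rules flattened to (host, pathType, path, backend). The first four come from
# the test13 and ratelimit Ingress objects on this page; the last one, with no
# host, is constructed for this example.
RULES = [
    ("test1.bar.com", "Prefix", "/test1/", "test1:2180"),
    ("test1.bar.com", "Prefix", "/test2/", "test1:2180"),
    ("test1.bar.com", "Exact", "/", "test1:2180"),
    ("test3.bar.com", "Prefix", "/", "test3:2380"),
    ("", "Prefix", "/", "fallback:80"),
]


def segments(path):
    """Split a path into its non-empty '/'-separated elements."""
    return [s for s in path.split("/") if s]


def path_matches(path_type, rule_path, request_path):
    """Exact compares the whole string; Prefix compares element by element."""
    if path_type == "Exact":
        return request_path == rule_path
    want, got = segments(rule_path), segments(request_path)
    return got[:len(want)] == want


def host_matches(rule_host, request_host):
    """Exact host match, or a '*.' wildcard that covers exactly one label."""
    if rule_host.startswith("*."):
        head, _, tail = request_host.partition(".")
        return bool(head) and tail == rule_host[2:]
    return rule_host == request_host


def route(host, url, rules=RULES):
    """Return the backend for a request, or None when nothing matches (404)."""
    host = host.split(":")[0].lower()  # the Host header may carry the NodePort
    path = url.split("?", 1)[0]        # the query string is not part of the path
    named = [r for r in rules if r[0] and host_matches(r[0], host)]
    # Rules without a host only see requests that no named host claimed.
    candidates = named or [r for r in rules if not r[0]]
    hits = [r for r in candidates if path_matches(r[1], r[2], path)]
    if not hits:
        return None
    # Longest matching path wins; on a tie Exact beats Prefix.
    return max(hits, key=lambda r: (len(r[2]), r[1] == "Exact"))[3]


if __name__ == "__main__":
    for host, url in [("test1.bar.com:32091", "/test1"), ("test1.bar.com", "/test1x/"),
                      ("test3.bar.com", "/a/b?x=1"), ("other.example", "/")]:
        print(host, url, "->", route(host, url))
```

Two results are worth noticing: `/test1x/` does not match the `/test1/` prefix because matching is per path element, and a request with an unknown Host header reaches a backend only when a host-less rule exists.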



Ingress rate limiting

Ingress configuration



apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/limit-rps: "1"
  name: ratelimit
spec:
  rules:
  - host: test1.bar.com
    http:
      paths:
      - backend:
          service:
            name: test1
            port:
              number: 2180
        path: /
        pathType: Exact




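Ingress TLS handling

Preparing the certificate

Everything described so far uses HTTP. HTTPS requires a certificate to be configured. When a client opens a TLS connection to the Ingress controller, the controller terminates that connection: traffic between the client and the Ingress controller is encrypted, while traffic between the Ingress controller and the Pods is not. For the controller to do this, the certificate and private key have to be attached to the Ingress.

An Ingress is secured by specifying a Secret that contains a TLS private key and certificate. Ingress supports only a single TLS port, 443, and assumes TLS termination at the ingress point (traffic to the Service and its Pods is in plaintext). If the TLS configuration section of an Ingress specifies different hosts, they are multiplexed on the same port according to the host name specified through the SNI TLS extension (provided the Ingress controller supports SNI). The TLS Secret must contain keys named tls.crt and tls.key, which hold the certificate and private key to use for TLS.

Generate the key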

openssl genrsa -out tls.key 2048



Generate the certificate

Add the domain name to the certificate

openssl req -new -x509 -key tls.key -out tls.cert -days 360 -subj /CN=test.bar.com




Create the Secret

Create a Secret from the two generated files


kubectl create secret tls tls-secret --cert=tls.cert --key=tls.key
secret/tls-secret created



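Create the Ingress

Now the Ingress object can be updated so that it also accepts HTTPS requests for test.bar.com

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ing-test1
spec:
  tls:
  - hosts:
    - test.bar.com
    secretName: tls-secret
  rules:
  - host: test.bar.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: svc-test-for-ingress
            port:
              number: 2280
  ingressClassName: nginx

The certificate is specified under tls. Referencing this Secret in an Ingress tells the Ingress controller to use TLS to secure the channel from the client to the load balancer.

You need to make sure the TLS Secret you created came from a certificate that contains test.bar.com as its Common Name (CN). The common name here is also known as the fully qualified domain name (FQDN).

Ingress high availability

The Ingress controller is bootstrapped with some load-balancing policy settings that apply to all Ingresses, such as the load-balancing algorithm, the backend weight scheme, and others. More advanced load-balancing concepts (for example persistent sessions and dynamic weights) are not yet exposed through Ingress. You can get these features through the load balancer used for a Service instead. It is worth noting that although health checks are not exposed directly through Ingress, parallel concepts exist in Kubernetes, such as readiness probes, that let you achieve the same result.

Change the Nginx controller Service type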



kubectl edit svc -n ingress-nginx ingress-nginx-controller

kubectl get svc -n ingress-nginx ingress-nginx-controller
NAME                       TYPE           CLUSTER-IP     EXTERNAL-IP      PORT(S)                      AGE
ingress-nginx-controller   LoadBalancer   10.20.97.114   192.168.56.251   80:30493/TCP,443:30416/TCP   18h




















