k8s: load-balancing traffic (ingress-nginx)

Summary: Ingress introduction, Ingress installation, Ingress examples


Introduction to Ingress


Ingress exposes HTTP and HTTPS routes from outside the cluster to services inside the cluster. Traffic routing is controlled by rules defined on the Ingress resource.


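Ingress is essentially an entry point for reaching a Kubernetes cluster from outside: it forwards external requests to different Services inside the cluster, much like a load-balancing proxy such as nginx or haproxy. Using plain nginx this way has a major drawback, though: every time a new service is added the nginx configuration has to change, and we cannot be expected to edit it by hand or roll-update the front-end nginx pod each time. One could add a service discovery tool such as consul. Ingress is in fact implemented along these lines, except that it implements service discovery itself instead of relying on a third-party service, and adds domain name rule definitions on top. Refreshing the routing information is handled by the Ingress Controller.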


A simple example is an Ingress that sends all of its traffic to a single Service.



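Ingress can be configured to give Services externally reachable URLs, load-balance traffic, terminate SSL/TLS, and offer name-based virtual hosting.

An Ingress controller is responsible for fulfilling the Ingress, usually with a load balancer, though it may also configure your edge router or additional front ends to help handle the traffic.


Ingress does not expose arbitrary ports or protocols.


Exposing services other than HTTP and HTTPS to the Internet typically uses a Service of type Service.Type=NodePort or Service.Type=LoadBalancer.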



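Service vs. Ingress



A Service can only be exposed through layer-4 load balancing, that is, as IP + port.

  • NodePort: takes up many ports on the cluster machines; the more services the cluster runs, the more obvious this drawback becomes
  • LoadBalancer: every Service needs its own LB, which is cumbersome and wasteful, and it requires load-balancing equipment outside k8s



Ingress provides layer-7 load balancing for exposing interfaces externally, and can dispatch traffic for different business domains and different URL paths.

  • Ingress: a resource object in K8s that defines the rules for how requests are forwarded to a Service
  • Ingress Controller: the program that actually implements the reverse proxy and load balancing; it parses the rules defined by Ingress objects and forwards requests according to them. There are many implementations, such as Nginx, Contour, Haproxy and others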



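How it works



  • The user writes Ingress rules stating which Service in the K8s cluster each domain name maps to
  • The Ingress controller dynamically detects changes to the Ingress rules and generates the corresponding Nginx reverse-proxy configuration
  • The Ingress controller writes the generated Nginx configuration into a running Nginx instance and updates it dynamically
  • The client then accesses the domain name and Nginx forwards the request to the actual Pod, which completes the whole request flow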




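Installing ingress


Using the Alibaba Cloud container image registry


The images have already been mirrored to a self-built Alibaba Cloud registry, so ingress-nginx can be deployed directly.


Pull the images in advance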

docker pull registry.cn-hangzhou.aliyuncs.com/yutao517/ingress_nginx_controller:v1.1.0
docker tag registry.cn-hangzhou.aliyuncs.com/yutao517/ingress_nginx_controller:v1.1.0  k8s.gcr.io/ingress-nginx/controller:v1.1.1
docker pull registry.cn-hangzhou.aliyuncs.com/yutao517/kube_webhook_certgen:v1.1.1
docker tag registry.cn-hangzhou.aliyuncs.com/yutao517/kube_webhook_certgen:v1.1.1  k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1


Download the deploy.yaml file


wget https://download.yutao.co/mirror/deploy.yaml




Edit the deploy.yaml file

In the file, change the image version it depends on from ingress_nginx_controller:v1.1.0 to ingress_nginx_controller:v1.1.1.



The configuration after the change

apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
---
# Source: ingress-nginx/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
automountServiceAccountToken: true
---
# Source: ingress-nginx/templates/controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  allow-snippet-annotations: 'true'
---
# Source: ingress-nginx/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
      - namespaces
    verbs:
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
---
# Source: ingress-nginx/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ''
    resources:
      - configmaps
      - pods
      - secrets
      - endpoints
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - configmaps
    resourceNames:
      - ingress-controller-leader
    verbs:
      - get
      - update
  - apiGroups:
      - ''
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
---
# Source: ingress-nginx/templates/controller-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-service-webhook.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
spec:
  type: ClusterIP
  ports:
    - name: https-webhook
      port: 443
      targetPort: webhook
      appProtocol: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: NodePort
  externalTrafficPolicy: Local
  ipFamilyPolicy: SingleStack
  ipFamilies:
    - IPv4
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
      appProtocol: http
    - name: https
      port: 443
      protocol: TCP
      targetPort: https
      appProtocol: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/component: controller
  revisionHistoryLimit: 10
  minReadySeconds: 0
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
    spec:
      dnsPolicy: ClusterFirst
      containers:
        - name: controller
          image: k8s.gcr.io/ingress-nginx/controller:v1.1.1
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          args:
            - /nginx-ingress-controller
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
            - --election-id=ingress-controller-leader
            - --controller-class=k8s.io/ingress-nginx
            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            runAsUser: 101
            allowPrivilegeEscalation: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
            - name: webhook
              containerPort: 8443
              protocol: TCP
          volumeMounts:
            - name: webhook-cert
              mountPath: /usr/local/certificates/
              readOnly: true
          resources:
            requests:
              cpu: 100m
              memory: 90Mi
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission
---
# Source: ingress-nginx/templates/controller-ingressclass.yaml
# We don't support namespaced ingressClass yet
# So a ClusterRole and a ClusterRoleBinding is required
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: nginx
  namespace: ingress-nginx
spec:
  controller: k8s.io/ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
# before changing this value, check the required kubernetes version
# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  name: ingress-nginx-admission
webhooks:
  - name: validate.nginx.ingress.kubernetes.io
    matchPolicy: Equivalent
    rules:
      - apiGroups:
          - networking.k8s.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions:
      - v1
    clientConfig:
      service:
        namespace: ingress-nginx
        name: ingress-nginx-controller-admission
        path: /networking/v1/ingresses
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
rules:
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - get
      - update
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
rules:
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - get
      - create
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
spec:
  template:
    metadata:
      name: ingress-nginx-admission-create
      labels:
        helm.sh/chart: ingress-nginx-4.0.10
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/version: 1.1.0
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: create
          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1
          imagePullPolicy: IfNotPresent
          args:
            - create
            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
            - --namespace=$(POD_NAMESPACE)
            - --secret-name=ingress-nginx-admission
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          securityContext:
            allowPrivilegeEscalation: false
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.10
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.1.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
spec:
  template:
    metadata:
      name: ingress-nginx-admission-patch
      labels:
        helm.sh/chart: ingress-nginx-4.0.10
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/version: 1.1.0
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: patch
          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1
          imagePullPolicy: IfNotPresent
          args:
            - patch
            - --webhook-name=ingress-nginx-admission
            - --namespace=$(POD_NAMESPACE)
            - --patch-mutating=false
            - --secret-name=ingress-nginx-admission
            - --patch-failure-policy=Fail
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          securityContext:
            allowPrivilegeEscalation: false
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000



Create ingress-nginx


kubectl apply -f deploy.yaml



After it succeeds


Check the ingress-related Services

Check the ingress-related pods


Make sure all of the above have started successfully.




A simple ingress example



Create the deployment



test1_deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: dp-test-for-ingress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test1
  template:
    metadata:
      labels:
        app: test1
    spec:
      containers:
      - image: nginx
        name: test
        ports:
        - containerPort: 80
        resources:
          requests:
            cpu: 1
          limits:
            cpu: 1
---
apiVersion: v1
kind: Service
metadata:
  name: svc-test-for-ingress
spec:
  ports:
  - name: myngx
    port: 2280
    targetPort: 80
  selector:
    app: test1
  type: NodePort


The Service's type is set to NodePort.



kubectl apply -f test1_deployment.yaml


Check the Service


kubectl get svc



Create the ingress


rule-test.yaml


apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ing-test1
spec:
  rules:
  - host: test.bar.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: svc-test-for-ingress
            port:
              number: 2280
  ingressClassName: nginx   # ingressClassName must be specified

Note:


ingressClassName must be set. Without it, the created Ingress cannot find a class and is not assigned an Address.


kubectl apply -f rule-test.yaml



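Check the ingress


kubectl get ingress


External access



Configuration needed before access


Map the host to the address


Note:


192.168.xx.xx: the host machine's IP address


test.bar.com: the service name exposed by the ingress; it can be reached from outside under this name



Access from a browser:


http://test.bar.com:32091/


Note:


Access uses the NodeIP:NodePort form. The NodeIP is the host machine's IP address configured in the /etc/hosts file.


The port used is the NodePort of the ingress-nginx-controller Service, which here is 32091.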







Using ingress


Name-based virtual hosting: access by domain name


Name-based virtual hosts support routing HTTP traffic for multiple host names to the same IP address.


ingress configuration


apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test
spec:
  ingressClassName: ingress1
  rules:
  - host: foo.bar.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: test1
            port:
              number: 2180
  - host: bar.foo.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: test2
            port:
              number: 2280


If you create an Ingress resource without any hosts defined in its rules, it can match any web traffic sent to the IP address of the Ingress controller, with no name-based virtual host required.




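Simple fanout



A fanout configuration routes traffic from a single IP address to more than one Service, based on the HTTP URI being requested. An Ingress lets you keep the number of load balancers to a minimum. For example, a setup like:



ingress configuration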



apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test11
spec:
  ingressClassName: ingress1
  rules:
  - host: test1.bar.com
    http:
      paths:
      - pathType: Prefix
        path: "/test1/"
        backend:
          service:
            name: test1
            port:
              number: 2180
      - pathType: Prefix
        path: "/test2/"
        backend:
          service:
            name: test1
            port:
              number: 2180



Exposing multiple services with ingress


rules and paths are arrays, so multiple entries can be configured.



ingress configuration



apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test13
spec:
  ingressClassName: ingress1
  rules:
  - host: test1.bar.com
    http:
      paths:
      - pathType: Prefix
        path: "/test1/"
        backend:
          service:
            name: test1
            port:
              number: 2180
      - pathType: Prefix
        path: "/test2/"
        backend:
          service:
            name: test1
            port:
              number: 2180
  - host: test3.bar.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: test3
            port:
              number: 2380



ingress: rate limiting



ingress configuration



apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/limit-rps: "1"
  name: ratelimit
spec:
  rules:
  - host: test1.bar.com
    http:
      paths:
      - backend:
          service:
            name: test1
            port:
              number: 2180
        path: /
        pathType: Exact
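
What limit-rps: "1" means in practice, as an added example that is not part of the original article: ingress-nginx renders the annotation as an nginx limit_req rule per client IP with a burst of 5 times the limit (the default burst multiplier) and nodelay, and by default rejects excess requests with 503. The awk model below follows nginx's leaky-bucket accounting; the function name and the sample arrival times are constructed, and the defaults just named are assumed.

```shell
#!/bin/sh
# Model of nginx limit_req (with nodelay) as ingress-nginx configures it for
# the limit-rps annotation. Assumptions: default burst multiplier 5, default
# rejection status 503, and all requests coming from one client IP.
# The function name is this example's own.

# simulate_limit_rps RPS "t1 t2 ..."  -> prints one status code per request
#   RPS        value of nginx.ingress.kubernetes.io/limit-rps
#   t1 t2 ...  request arrival times in milliseconds, ascending
simulate_limit_rps() {
    rps=$1
    arrivals=$2
    echo "$arrivals" | awk -v rps="$rps" '
    {
        burst = rps * 5 * 1000      # limit * multiplier, in 1/1000 request
        excess = 0; last = 0; seen = 0; out = ""
        for (i = 1; i <= NF; i++) {
            now = $i
            if (!seen) {
                # first request from this client: the bucket starts empty
                e = 0; seen = 1
            } else {
                # drain rps requests per second, then add this request
                e = excess - rps * (now - last) + 1000
                if (e < 0) e = 0
            }
            if (e > burst) {
                code = 503          # over rate + burst: rejected, state kept
            } else {
                code = 200; excess = e; last = now
            }
            out = out (i > 1 ? " " : "") code
        }
        print out
    }'
}

# Constructed sample: eight requests arriving in the same millisecond
simulate_limit_rps 1 "0 0 0 0 0 0 0 0"
```

The limit is keyed on the client address that nginx sees; the controller Service in deploy.yaml sets externalTrafficPolicy: Local, which preserves the source IP for traffic arriving on the NodePort.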




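Handling TLS with Ingress




Preparing the certificate


Everything described so far is based on HTTP; HTTPS requires configuring certificates. When a client opens a TLS connection to the Ingress controller, the controller terminates the TLS connection. Traffic between the client and the Ingress controller is encrypted, while traffic between the Ingress controller and the pods is not. For the controller to do this, the certificate and private key have to be attached to the Ingress.


An Ingress is secured by specifying a Secret that contains a TLS private key and certificate. Ingress only supports a single TLS port, 443, and assumes that TLS terminates at the Ingress node (traffic to the Service and its Pods is sent in plaintext). If the TLS configuration section of an Ingress specifies different hosts, they are multiplexed on the same port according to the host name given through the SNI TLS extension (provided the Ingress controller supports SNI). The TLS Secret must contain keys named tls.crt and tls.key, which hold the certificate and private key used for TLS.



Generate the key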

openssl genrsa -out tls.key 2048



Generate the certificate


Put the domain name into the certificate

openssl req -new -x509 -key tls.key -out tls.cert -days 360 -subj /CN=test.bar.com




Create the secret


Create a secret from the two generated files


kubectl create secret tls tls-secret --cert=tls.cert --key=tls.key
secret/tls-secret created



Create the ingress



The Ingress object can now be updated so that it also accepts HTTPS requests for test.bar.com.


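apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ing-test1
spec:
  tls:
  - hosts:
    - test.bar.com
    secretName: tls-secret
  rules:
  - host: test.bar.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: svc-test-for-ingress
            port:
              number: 2280
  ingressClassName: nginx


The tls section specifies the certificate. Referencing this Secret in an Ingress tells the Ingress controller to use TLS to encrypt the channel from the client to the load balancer.


You need to make sure that the TLS Secret you create comes from a certificate whose Common Name (CN) contains test.bar.com. The Common Name here is also known as the fully qualified domain name (FQDN).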
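
A pre-flight check for the certificate steps and the CN requirement above, as an added example that is not part of the original article: current browsers and Go-based clients match host names against the certificate's subjectAltName and ignore a CN-only subject, so this variant issues the self-signed certificate with a SAN and verifies the key pair before the files go into kubectl create secret tls. The function names, req.cnf and the scratch directory are this example's own; the host and file names follow the article.

```shell
#!/bin/sh
# Issue a self-signed certificate for an Ingress host with a subjectAltName,
# then check it before creating the TLS Secret. Requires the openssl CLI.
# Function names and req.cnf are illustrative, not from the article.

# make_ingress_cert HOST DIR -> writes DIR/tls.key and DIR/tls.cert
make_ingress_cert() {
    host=$1; dir=$2
    # A private config keeps the result independent of the system openssl.cnf
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $host
[v3]
subjectAltName = DNS:$host
EOF
    # umask 077: the private key is created readable by its owner only
    (umask 077; openssl genrsa -out "$dir/tls.key" 2048 2>/dev/null) || return 1
    openssl req -new -x509 -key "$dir/tls.key" -out "$dir/tls.cert" \
        -days 360 -config "$dir/req.cnf" 2>/dev/null
}

# cert_has_san CERT HOST -> 0 if HOST is listed as a DNS subjectAltName
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$2"
}

# key_matches_cert KEY CERT -> 0 if CERT carries the public key of KEY
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demo run in a scratch directory (constructed; host name from the article)
work=$(mktemp -d)
make_ingress_cert test.bar.com "$work" &&
    cert_has_san "$work/tls.cert" test.bar.com &&
    key_matches_cert "$work/tls.key" "$work/tls.cert" &&
    echo "ok: $work/tls.cert and $work/tls.key are ready for kubectl create secret tls"
```

A Secret built from a key and certificate that do not belong together is a common cause of the controller falling back to its default certificate, which is why the key-pair check runs before the Secret is created.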


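ingress high availability



An Ingress controller is bootstrapped with some load-balancing policy settings that apply to all Ingresses, such as the load-balancing algorithm, the backend weight scheme and others. More advanced load-balancing concepts (for example persistent sessions and dynamic weights) are not yet exposed through Ingress. You can get these features through the load balancer used for a Service. It is worth noting that although health checks are not exposed directly through Ingress, Kubernetes has parallel concepts, such as readiness probes, that let you achieve the same result.


Change the Nginx-controller Service type



kubectl edit svc -n ingress-nginx ingress-nginx-controller



kubectl get svc -n ingress-nginx ingress-nginx-controller
NAME                       TYPE           CLUSTER-IP     EXTERNAL-IP      PORT(S)                      AGE
ingress-nginx-controller   LoadBalancer   10.20.97.114   192.168.56.251   80:30493/TCP,443:30416/TCP   18h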




















