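Ingress provides Layer 7 load balancing. Kubernetes high-availability clusters installed through the ROS template support Ingress by default.
Simple routing service
Run the following command to create a simple Ingress. All requests to the /svc path are routed to the service named Nginx.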
```
root@master # cat <<EOF | kubectl create -f -
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: simple
spec:
  rules:
  - http:
      paths:
      - path: /svc
        backend:
          serviceName: nginx
          servicePort: 80
EOF
root@master # kubectl get ing
NAME      HOSTS     ADDRESS          PORTS     AGE
simple    *         101.37.192.211   80        11s
```
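You can now reach the Nginx service at http://101.37.192.211/svc.
Simple name-based fan-out routing
If you have multiple domain names that expose different services, you can create the following configuration to get a simple name-based fan-out.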
```
root@master # cat <<EOF | kubectl create -f -
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: simple-fanout
spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - path: /foo
        backend:
          serviceName: http-svc1
          servicePort: 80
      - path: /bar
        backend:
          serviceName: http-svc2
          servicePort: 80
  - host: foo.example.com
    http:
      paths:
      - path: /film
        backend:
          serviceName: http-svc3
          servicePort: 80
EOF
root@master # kubectl get ing
NAME            HOSTS     ADDRESS          PORTS     AGE
simple-fanout   *         101.37.192.211   80        11s
```
You can now reach the http-svc1 service at http://foo.bar.com/foo, the http-svc2 service at http://foo.bar.com/bar, and the http-svc3 service at http://foo.example.com/film.
Note:
- In a production environment, point your domain names to the ADDRESS returned above, 101.37.192.211.
- In a test environment, you can edit the hosts file to add domain name mapping rules:

```
101.37.192.211 foo.bar.com
101.37.192.211 foo.example.com
```
Configuring a secure routing service
Multiple certificates can be managed, so that your services are served over TLS.
Prepare your service certificate.
If you do not have a certificate, you can generate a test certificate as follows.
Note: the domain name must match your Ingress configuration.

```
root@master # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=foo.bar.com/O=foo.bar.com"
```

The command above generates a certificate file, tls.crt, and a private key file, tls.key.
Then use the certificate and private key to create a Kubernetes Secret named foo.bar. The Ingress must reference this Secret when it is created.

```
root@master # kubectl create secret tls foo.bar --key tls.key --cert tls.crt
```

Create a secure Ingress service.
```
root@master # cat <<EOF | kubectl create -f -
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tls-fanout
spec:
  tls:
  - hosts:
    - foo.bar.com
    secretName: foo.bar
  rules:
  - host: foo.bar.com
    http:
      paths:
      - path: /foo
        backend:
          serviceName: http-svc1
          servicePort: 80
      - path: /bar
        backend:
          serviceName: http-svc2
          servicePort: 80
EOF
root@master # kubectl get ing
NAME         HOSTS     ADDRESS          PORTS     AGE
tls-fanout   *         101.37.192.211   80        11s
```
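Following the notes in "Simple name-based fan-out routing", configure the hosts file or set up the domain name to access this TLS service.
You can reach the http-svc1 service at http://foo.bar.com/foo and the http-svc2 service at http://foo.bar.com/bar.
You can also access this HTTPS service over HTTP. By default, Ingress redirects HTTP requests for hosts that are configured with HTTPS to HTTPS, so a request to http://foo.bar.com/foo is automatically redirected to https://foo.bar.com/foo.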
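The note above requires the certificate domain to match the Ingress configuration, and the redirect to HTTPS applies only to hosts configured for HTTPS. The following added example (not part of the original page) audits Ingress manifests for hosts that no `tls` entry covers and for `tls` hosts with no matching rule; the manifests are constructed as Python dicts mirroring the page's three Ingresses, and all helper names are hypothetical.

```python
# Added example: the manifests below are constructed sample input that
# mirrors the page's simple, simple-fanout and tls-fanout Ingresses.

def ingress(name, rules, tls=()):
    """Build an Ingress dict; rules = [(host_or_None, {path: service})]."""
    return {"metadata": {"name": name}, "spec": {
        "tls": [{"hosts": list(hosts), "secretName": s} for hosts, s in tls],
        "rules": [{"host": h, "http": {"paths": [
            {"path": p, "backend": {"serviceName": svc, "servicePort": 80}}
            for p, svc in paths.items()]}} for h, paths in rules]}}

def covers(pattern, host):
    """Exact match, or a one-label wildcard such as *.bar.com."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def tls_secret_for(ing, host):
    """Name of the Secret whose tls.hosts entry covers host, else None."""
    for entry in ing["spec"].get("tls", []):
        if any(covers(p, host) for p in entry.get("hosts", [])):
            return entry["secretName"]
    return None

def audit(ing):
    """List (host, problem) pairs where spec.tls and spec.rules disagree."""
    spec, findings = ing["spec"], []
    rule_hosts = [r.get("host") for r in spec.get("rules", [])]
    for host in rule_hosts:
        if host is None:
            findings.append(("*", "catch-all rule answers for any Host header"))
        elif tls_secret_for(ing, host) is None:
            findings.append((host, "no tls entry covers this host"))
    for entry in spec.get("tls", []):
        for pattern in entry.get("hosts", []):
            if not any(h and covers(pattern, h) for h in rule_hosts):
                findings.append((pattern, "tls host has no matching rule"))
    return findings

SIMPLE = ingress("simple", [(None, {"/svc": "nginx"})])
FANOUT = ingress("simple-fanout", [
    ("foo.bar.com", {"/foo": "http-svc1", "/bar": "http-svc2"}),
    ("foo.example.com", {"/film": "http-svc3"})])
TLS_FANOUT = ingress("tls-fanout",
    [("foo.bar.com", {"/foo": "http-svc1", "/bar": "http-svc2"})],
    tls=[(["foo.bar.com"], "foo.bar")])

if __name__ == "__main__":
    for ing in (SIMPLE, FANOUT, TLS_FANOUT):
        print(ing["metadata"]["name"], audit(ing) or "ok")
```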
Deploying an Ingress through the Kubernetes Web UI
Save the following YAML to a file named nginx-ingress.yml.

```
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: simple
spec:
  rules:
  - http:
      paths:
      - path: /svc
        backend:
          serviceName: http-svc
          servicePort: 80
```
Log on to the Kubernetes Web UI.
For how to access the Kubernetes Web UI, see Access the Kubernetes Web UI.
Click CREATE to create an application.
Click Upload a YAML or JSON file. Select the nginx-svc.yml file you just saved.
Click DEPLOY.
This creates an Ingress Layer 7 proxy route to the http-svc service.
In the Kubernetes Web UI, go to the default namespace and select the Ingress resource.
You can see the Ingress resource you just created and its access address, http://101.37.178.224/svc.
Open a browser and enter this address to access the http-svc service you just created.