
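An Ingress defines rules that allow requests entering the cluster to be forwarded to the corresponding Service inside the cluster. The "layer 7" that is usually mentioned can be understood as a router, and a reverse proxy is the component that, when a request arrives, forwards it to a service able to handle it.

An Ingress is a configuration template: it configures the rules for how requests are forwarded to Services. The Ingress-controller is the controller that parses the rules an Ingress defines. When a request arrives, the Ingress object tells the Ingress-controller how to forward it.

Ingress-controller is a generic term and there are many implementations; the one maintained by the Kubernetes project is ingress-nginx. Its container image is quay.io/kubernetes-ingress-controller/nginx-ingress-controller

Here the Ingress-controller runs as a pod. A few examples follow to verify this:

HTTP access (one service):

The goal is for a browser on the local host to reach a Service through domain name plus port number. The result is shown below.

If the host runs Windows, edit the hosts file under C:\Windows\System32\drivers\etc and add: 135.251.206.137 www.k8smaster.com

If the host runs Linux, edit /etc/hosts and add: 135.251.206.137 www.k8smaster.com

The design diagram is as follows:

Step 1: create the deployment files

This YAML creates many resources, including the namespace, ConfigMaps, Roles, the ServiceAccount and so on.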

apiVersion: v1
kind: Namespace # create a namespace called ingress-nginx
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
kind: ConfigMap # stores general configuration variables
apiVersion: v1
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: tcp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: udp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount # service account for the Pod's processes
metadata:
  name: nginx-ingress-serviceaccount
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole # a ClusterRole can grant users read access to secrets in one particular namespace or in all namespaces (depending on how it is bound)
metadata:
  name: nginx-ingress-clusterrole
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources: # the resources covered
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs: # the actions allowed
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses/status
    verbs:
      - update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "<election-id>-<ingress-class>"
      # Here: "<ingress-controller-leader>-<nginx>"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      annotations: # attach arbitrary non-identifying metadata to the object
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
    spec:
      terminationGracePeriodSeconds: 300 # the final grace period Kubernetes gives the program to finish its work before shutdown
      serviceAccountName: nginx-ingress-serviceaccount
      containers:
        - name: nginx-ingress-controller
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0
          args: # controller arguments
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx
            - --annotations-prefix=nginx.ingress.kubernetes.io
          securityContext:
            allowPrivilegeEscalation: true
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            # www-data -> 33
            runAsUser: 33
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports: # open ports 80 and 443
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254 # the health check is served on port 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown

kubectl get pods -n ingress-nginx

kubectl -n ingress-nginx get pod | grep nginx-ingress-controller

Step 2: create the Service

This step creates a Service named ingress-nginx in the ingress-nginx namespace, providing HTTP on port 80 and HTTPS on port 443. Its purpose is to bring in external traffic. To keep the Service from having its NodePort assigned automatically, the nodePort has to be specified manually.

wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/provider/baremetal/service-nodeport.yaml

[root@zr-k8s-master01 ~]# cat service-nodeport.yaml
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---

kubectl apply -f service-nodeport.yaml

To reach port 80 you access port 30549. You can also look up the public IP address for this service; here it is none, a headless service.

Step 3: Ingress HTTP proxy access

1. First create an ordinary Service:

This Service groups the backend pods. If the backend pods change, the ingress injects the change into the configuration file of the layer-7 load-balancing nginx managed by the ingress controller. The pods here have port 80 open.

[root@zr-k8s-master01 ~]# cat ingress-http.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-dm
spec:
  replicas: 2
  template:
    metadata:
      labels:
        name: nginx
    spec:
      containers:
      - name: nginx
        image: ikubernetes/myapp:v1
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service # a standard Service
metadata:
  name: nginx-svc
spec:
  ports:
  - port: 80
    targetPort: 80 # expose port 80, mapped to port 80 of the pod
    protocol: TCP
  selector:
    name: nginx

kubectl apply -f ingress-http.yaml

kubectl get svc

At this point, curl 10.98.83.242 reaches the service.

2. Create an Ingress to expose the Service

[root@zr-k8s-master01 ~]# cat ingress-http1.yaml
apiVersion: extensions/v1beta1
kind: Ingress # an Ingress that exposes the Service above
metadata:
  name: nginx-test
spec:
  rules:
  - host: www.k8smaster.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-svc # this shows the Ingress is linked to the Service above
          servicePort: 80

kubectl apply -f ingress-http1.yaml

kubectl get ingress

kubectl get svc

kubectl exec -n ingress-nginx -it nginx-ingress-controller-74b9fb6dd-jqkjh -- /bin/sh

Inside the container you can see the information injected by the ingress.

kubectl delete ingress nginx-test

HTTP access (two services):

kubectl delete -f ingress-http.yaml

kubectl delete -f ingress-http1.yaml

kubectl delete -f service-nodeport.yaml

kubectl delete -f mandatory.yaml

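The goal is for a browser on the local host to reach two Services through domain name plus port number. The result is shown below.

If the host runs Windows, edit the hosts file under C:\Windows\System32\drivers\etc and add: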

135.251.206.137 www.k8smaster.com

135.251.206.137 www.k8snode.com

If the host runs Linux, edit /etc/hosts and add:

[root@k8s-master01 blueadmin]# cat /etc/hosts |grep 137

135.251.206.137 www.k8smaster.com

135.251.206.137 www.k8snode.com

Step 1: create the nginx-ingress-controller

kubectl apply -f mandatory.yaml

kubectl get pods -n ingress-nginx

Step 2: create the Service

kubectl apply -f service-nodeport.yaml

kubectl get svc -n ingress-nginx

Step 3: ordinary Services and Ingresses

1. First create two ordinary Services:

The two Services differ only in name and image.

kubectl apply -f ingress-deployment1.yaml

kubectl apply -f ingress-deployment2.yaml

kubectl get pod -o wide

2. Create two Ingresses to expose the Services

Two domain names are defined:

www.k8smaster.com reaches svc-1 and www.k8snode.com reaches svc-2.

kubectl apply -f ingressrule.yaml

kubectl delete -f ingress-deployment1.yaml

kubectl delete -f ingress-deployment2.yaml

kubectl delete -f ingressrule.yaml

HTTPS access (one service):

Step 1: create the key

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"

kubectl create secret tls tls-secret --key tls.key --cert tls.crt

Step 2: create the Service

[root@zr-k8s-master01 https]# cat ../ingress-deployment3.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-3
spec:
  replicas: 2
  selector:
    matchLabels:
      name: nginx3
  template:
    metadata:
      labels:
        name: nginx3
    spec:
      containers:
      - name: nginx3
        image: ikubernetes/myapp:v3
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: svc-3
spec:
  selector:
    name: nginx3
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP

kubectl apply -f ingress-deployment3.yaml

Step 3: create the Ingress

[root@zr-k8s-master01 ingress]# cat https-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: https
spec:
  tls:
    - hosts:
      - www.k8smasterhttps.com
      secretName: tls-secret
  rules:
    - host: www.k8smasterhttps.com
      http:
        paths:
        - path: /
          backend:
            serviceName: svc-3
            servicePort: 80

kubectl apply -f https-ingress.yaml
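
The certificate from step 1 has the subject CN=nginxsvc and no subjectAltName, while the Ingress serves www.k8smasterhttps.com, so a client cannot match the certificate to the host name it connects to. The script below is an added example, not part of the original article: it issues one certificate with the article's subject and one whose SAN names the Ingress host, and checks both with openssl's -checkhost. The function names and temporary paths are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Function names and paths are illustrative.

# write_cert DIR CN [SAN_HOST]
# Self-signed RSA-2048 certificate in DIR/tls.crt (key in DIR/tls.key),
# optionally carrying a DNS subjectAltName for SAN_HOST.
write_cert() {
  local dir=$1 cn=$2 san=${3:-}
  {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n'
    if [ -n "$san" ]; then printf 'x509_extensions = ext\n'; fi
    printf '[dn]\nCN = %s\nO = %s\n' "$cn" "$cn"
    if [ -n "$san" ]; then printf '[ext]\nsubjectAltName = DNS:%s\n' "$san"; fi
  } > "$dir/req.cnf"
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -config "$dir/req.cnf" -keyout "$dir/tls.key" -out "$dir/tls.crt" 2>/dev/null
}

# cert_matches_host CERT HOST
# Succeeds only if the names in CERT cover HOST (the host-name check a TLS
# client performs; trust in the issuer is a separate check).
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# describe CERT HOST: prints "match" or "MISMATCH".
describe() {
  if cert_matches_host "$1" "$2"; then echo match; else echo MISMATCH; fi
}

ingress_host=www.k8smasterhttps.com   # host from https-ingress.yaml
work=$(mktemp -d)
mkdir "$work/as-article" "$work/with-san"

write_cert "$work/as-article" nginxsvc                       # subject used in step 1
write_cert "$work/with-san" "$ingress_host" "$ingress_host"  # name the Ingress serves

echo "CN=nginxsvc, no SAN : $(describe "$work/as-article/tls.crt" "$ingress_host")"
echo "CN and SAN = host   : $(describe "$work/with-san/tls.crt" "$ingress_host")"

# The matching pair is what belongs in the secret referenced by the Ingress:
#   kubectl create secret tls tls-secret --key tls.key --cert tls.crt
rm -rf "$work"
```

A self-signed certificate still has to be trusted explicitly by the client; the SAN only fixes the name mismatch.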

BasicAuth with Nginx

yum -y install httpd

htpasswd -c auth foo # the user name for the web page is foo; set the password yourself after pressing Enter

kubectl create secret generic basic-auth --from-file=auth

[root@zr-k8s-master01 ingress]# cat auth-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-with-auth
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  rules:
  - host: www.k8smasterauth.com
    http:
      paths:
      - path: /
        backend:
          serviceName: svc-1
          servicePort: 80

kubectl apply -f auth-ingress.yaml

Once it is created, visiting http://www.k8smasterauth.com:30300/ requires the user name and password set at the beginning.
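
The auth file can be produced and checked before it is loaded into the secret, without installing httpd only for htpasswd. The script below is an added example, not part of the original article: it writes an htpasswd-format entry with openssl passwd in the apr1 format and verifies a candidate password against the stored entry. The function names and the sample password are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Function names are illustrative.

# htpasswd_entry USER
# Reads the password from stdin (so it never appears in the process list) and
# prints one htpasswd line in the apr1 (MD5-crypt) format: USER:$apr1$salt$hash
htpasswd_entry() {
  local user=$1 hash
  hash=$(openssl passwd -apr1 -stdin) || return 1
  [ -n "$hash" ] || return 1
  printf '%s:%s\n' "$user" "$hash"
}

# htpasswd_check FILE USER
# Reads a candidate password from stdin and succeeds only if it reproduces the
# hash stored for USER in FILE (recomputed with the stored salt).
htpasswd_check() {
  local file=$1 user=$2 stored salt
  stored=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$file")
  case $stored in '$apr1$'*) ;; *) return 1 ;; esac
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)
  [ "$(openssl passwd -apr1 -salt "$salt" -stdin)" = "$stored" ]
}

work=$(mktemp -d)
# "example-password" is a constructed value for this demonstration only.
printf '%s\n' 'example-password' | htpasswd_entry foo > "$work/auth"

if printf '%s\n' 'example-password' | htpasswd_check "$work/auth" foo; then
  echo "foo: stored entry accepts the intended password"
fi
if ! printf '%s\n' 'wrong-password' | htpasswd_check "$work/auth" foo; then
  echo "foo: stored entry rejects a different password"
fi

# The file must keep the name "auth": it becomes the key that the
# nginx.ingress.kubernetes.io/auth-secret annotation expects in the secret.
#   kubectl create secret generic basic-auth --from-file="$work/auth"
rm -rf "$work"
```

The URL in the article is plain http://, so the Basic credentials cross the network only base64-encoded; adding a tls section like the one in https-ingress.yaml to this Ingress keeps them encrypted in transit.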
