An Ingress defines the rules under which requests entering the cluster are forwarded to the matching Services inside it. The "layer 7" people usually talk about can be understood simply as a router, and a reverse proxy just means that when a request comes in, something forwards it on to the service that is able to handle it.
An Ingress is a configuration template: it holds the rules for how requests are forwarded to Services. The Ingress controller is the component that parses the rules defined in Ingress objects. When a request arrives, the Ingress object tells the Ingress controller how to forward it.
"Ingress controller" is a generic term and there are many implementations; the one maintained by the Kubernetes project is ingress-nginx. Its container image is quay.io/kubernetes-ingress-controller/nginx-ingress-controller.
Here the Ingress controller runs as a pod. The examples below verify this step by step:
HTTP access (one service): the goal is that a browser on the local host can reach a Service via domain name + port. The result looks as follows.
If the local host runs Windows, add the following to the hosts file in C:\Windows\System32\drivers\etc: 135.251.206.137 www.k8smaster.com
If the local host runs Linux, add the following to /etc/hosts: 135.251.206.137 www.k8smaster.com
The overall flow is shown in the diagram below:
Step 1: create the deployment manifest. This YAML (mandatory.yaml, applied later) creates many resources: the namespace, ConfigMaps, Role, ServiceAccount and so on.
```yaml
apiVersion: v1
kind: Namespace   # create a namespace called ingress-nginx
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
kind: ConfigMap   # stores general configuration variables
apiVersion: v1
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: tcp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: udp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount   # service account for the pod's process
metadata:
  name: nginx-ingress-serviceaccount
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole   # a ClusterRole can grant a user read access to secrets in one namespace or in all namespaces (depending on how it is bound)
metadata:
  name: nginx-ingress-clusterrole
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:   # the resources concerned
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:       # the actions allowed
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses/status
    verbs:
      - update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "<election-id>-<ingress-class>"
      # Here: "<ingress-controller-leader>-<nginx>"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      annotations:   # attach arbitrary non-identifying metadata to the object
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
    spec:
      terminationGracePeriodSeconds: 300   # the final grace period k8s gives your program to finish its shutdown work
      serviceAccountName: nginx-ingress-serviceaccount
      containers:
        - name: nginx-ingress-controller
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0
          args:   # controller arguments
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx
            - --annotations-prefix=nginx.ingress.kubernetes.io
          securityContext:
            allowPrivilegeEscalation: true
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            # www-data -> 33
            runAsUser: 33
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:   # expose ports 80 and 443
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254   # health check on port 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
```
```bash
kubectl get pods -n ingress-nginx
kubectl -n ingress-nginx get pod | grep nginx-ingress-controller
```
Step 2: create the Service. This step creates a Service named ingress-nginx in the ingress-nginx namespace that provides HTTP on port 80 and HTTPS on port 443; its job is to bring external traffic into the cluster. To keep the Service from auto-assigning a NodePort, the nodePort has to be set by hand.
```bash
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/provider/baremetal/service-nodeport.yaml
[root@zr-k8s-master01 ~]# cat service-nodeport.yaml
```
```yaml
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
```
```bash
kubectl apply -f service-nodeport.yaml
```
Accessing port 80 now means hitting NodePort 30549. You can also look at the external IP of this Service; here it is <none>, a headless service.
Step 3: HTTP ingress proxy access. 1. First create an ordinary Service:
This Service groups the backend pods; whenever the backend pods change, the Ingress injects the updated information into the configuration file of the layer-7 nginx load balancer that the ingress controller manages. The pods here listen on port 80.
```bash
[root@zr-k8s-master01 ~]# cat ingress-http.yaml
```
```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-dm
spec:
  replicas: 2
  template:
    metadata:
      labels:
        name: nginx
    spec:
      containers:
        - name: nginx
          image: ikubernetes/myapp:v1
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service   # a standard Service
metadata:
  name: nginx-svc
spec:
  ports:
    - port: 80
      targetPort: 80   # expose port 80, mapped to port 80 of the pods
      protocol: TCP
  selector:
    name: nginx
```
```bash
kubectl apply -f ingress-http.yaml
kubectl get svc
curl 10.98.83.242
```
At this point the Service is reachable.
2. Create an Ingress to expose the Service:
```bash
[root@zr-k8s-master01 ~]# cat ingress-http1.yaml
```
```yaml
apiVersion: extensions/v1beta1
kind: Ingress   # an Ingress that exposes the Service above
metadata:
  name: nginx-test
spec:
  rules:
    - host: www.k8smaster.com
      http:
        paths:
          - path: /
            backend:
              serviceName: nginx-svc   # this Ingress links to the Service above
              servicePort: 80
```
```bash
kubectl apply -f ingress-http1.yaml
kubectl get ingress
kubectl get svc
kubectl exec -n ingress-nginx -it nginx-ingress-controller-74b9fb6dd-jqkjh -- /bin/sh
```
Inside the controller pod you can see the configuration the Ingress injected.
```bash
kubectl delete ingress nginx-test
```
HTTP access (two services):
First clean up the previous example:
```bash
kubectl delete -f ingress-http.yaml
kubectl delete -f ingress-http1.yaml
kubectl delete -f service-nodeport.yaml
kubectl delete -f mandatory.yaml
```
This makes two Services reachable from a browser on the local host via domain name + port. The result looks as follows. If the local host runs Windows, add the following to the hosts file in C:\Windows\System32\drivers\etc:
135.251.206.137 www.k8smaster.com
135.251.206.137 www.k8snode.com
If the local host runs Linux, add the following to /etc/hosts:
```bash
[root@k8s-master01 blueadmin]# cat /etc/hosts |grep 137
135.251.206.137 www.k8smaster.com
135.251.206.137 www.k8snode.com
```
Step 1: create the nginx-ingress-controller
```bash
kubectl apply -f mandatory.yaml
kubectl get pods -n ingress-nginx
```
Step 2: create the Service
```bash
kubectl apply -f service-nodeport.yaml
kubectl get svc -n ingress-nginx
```
Step 3: ordinary Services and Ingresses. 1. First create two ordinary Services:
The two Services differ only in name and image.
```bash
kubectl apply -f ingress-deployment1.yaml
kubectl apply -f ingress-deployment2.yaml
kubectl get pod -o wide
```
2. Create two Ingresses to expose the Services.
Two host names are defined:
www.k8smaster.com routes to svc-1 and www.k8snode.com routes to svc-2.
```bash
kubectl apply -f ingressrule.yaml
```
Clean up:
```bash
kubectl delete -f ingress-deployment1.yaml
kubectl delete -f ingress-deployment2.yaml
kubectl delete -f ingressrule.yaml
```
HTTPS access (one service):
Step 1: create the key and certificate, then store them in a TLS Secret
```bash
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
kubectl create secret tls tls-secret --key tls.key --cert tls.crt
```
Step 2: create the Service
```bash
[root@zr-k8s-master01 https]# cat ../ingress-deployment3.yaml
```
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-3
spec:
  replicas: 2
  selector:
    matchLabels:
      name: nginx3
  template:
    metadata:
      labels:
        name: nginx3
    spec:
      containers:
        - name: nginx3
          image: ikubernetes/myapp:v3
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: svc-3
spec:
  selector:
    name: nginx3
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
```
```bash
kubectl apply -f ingress-deployment3.yaml
```
Step 3: create the Ingress
```bash
[root@zr-k8s-master01 ingress]# cat https-ingress.yaml
```
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: https
spec:
  tls:
    - hosts:
        - www.k8smasterhttps.com
      secretName: tls-secret
  rules:
    - host: www.k8smasterhttps.com
      http:
        paths:
          - path: /
            backend:
              serviceName: svc-3
              servicePort: 80
```
```bash
kubectl apply -f https-ingress.yaml
```
Nginx BasicAuth
```bash
yum -y install httpd
htpasswd -c auth foo   # user name foo for the web page; set the password at the prompt
kubectl create secret generic basic-auth --from-file=auth
```
```bash
[root@zr-k8s-master01 ingress]# cat auth-ingress.yaml
```
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-with-auth
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  rules:
    - host: www.k8smasterauth.com
      http:
        paths:
          - path: /
            backend:
              serviceName: svc-1
              servicePort: 80
```
```bash
kubectl apply -f auth-ingress.yaml
```
Once it is created, visiting http://www.k8smasterauth.com:30300/ prompts for the user name and password set above.
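As an added example (not code from the original post), the following Python reproduces what the auth file the Ingress consumes actually contains: the apr1 MD5 scheme that `htpasswd -c auth foo` writes by default, and the per-request check the ingress-nginx pod's nginx performs against it. The user name foo comes from the page; the password and salt values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def apr1_md5(password: bytes, salt: str) -> str:
    """Apache's apr1 MD5 scheme, the hash that 'htpasswd -m' (the default) writes."""
    s = salt.encode()
    ctx = hashlib.md5(password + b"$apr1$" + s)
    alt = hashlib.md5(password + s + password).digest()
    for n in range(len(password), 0, -16):
        ctx.update(alt[:min(n, 16)])
    i = len(password)
    while i:  # one byte per bit of len(password): NUL for set bits, password[0] otherwise
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):  # fixed number of stretching rounds in the reference algorithm
        h = hashlib.md5(password if r & 1 else final)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(password)
        h.update(final if r & 1 else password)
        final = h.digest()
    out = ""  # apr1's own base64 alphabet and byte reordering
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out, v = out + ITOA64[v & 0x3F], v >> 6
    out += ITOA64[final[11] & 0x3F] + ITOA64[final[11] >> 6]
    return f"$apr1${salt}${out}"


def htpasswd_line(user: str, password: str) -> str:
    """One 'user:hash' line as 'htpasswd -c auth foo' would write, with a random 8-char salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_md5(password.encode(), salt)}"


def check_password(auth_file: str, user: str, password: str) -> bool:
    """The check nginx performs per request: recompute with the stored salt, compare in constant time."""
    for line in auth_file.splitlines():
        name, _, stored = line.partition(":")
        if name == user and stored.startswith("$apr1$"):
            return hmac.compare_digest(apr1_md5(password.encode(), stored.split("$")[2]), stored)
    return False
```

The text returned by `htpasswd_line` is exactly what ends up base64-encoded under the `auth` key of the basic-auth Secret. apr1 is an old MD5-based construction with only 1000 fixed rounds, so the strength of the password itself matters.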