competeking 2020-05-31
Ingress-Nginx github 地址:https://github.com/kubernetes/ingress-nginxIngress-Nginx
官方网站:https://kubernetes.github.io/ingress-nginx/
通常情况下,Service 和 Pod 的 IP 仅可在集群内部访问。集群外部的请求需要通过负载均衡转发到 Service 在 Node 上暴露的 NodePort 上,然后再由 kube-proxy 通过边缘路由器 (edge router) 将其转发给相关的 Pod 或者丢弃。而 Ingress 就是为进入集群的请求提供路由规则的集合。
Ingress 可以给 Service 提供集群外部访问的 URL、负载均衡、SSL 终止、HTTP 路由等。为了配置这些 Ingress 规则,集群管理员需要部署一个 Ingress Controller,它监听 Ingress 和 Service 的变化,并根据规则配置负载均衡并提供访问入口。
mkdir -p /usr/local/docker/kubernetes/plugins/test/ingress cd /usr/local/docker/kubernetes/plugins/test/ingress wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/mandatory.yaml # 创建 deployment kubectl apply -f mandatory.yaml kubectl get deploy -n ingress-nginx kubectl get pod -n ingress-nginx # 查看描述pod修改为你自己的pod名字 kubectl describe pod nginx-ingress-controller-7fcf8df75d-5fbc6 -n ingress-nginx # 创建 service wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/provider/baremetal/service-nodeport.yaml kubectl apply -f service-nodeport.yaml # 查看 svc [ ingress]# kubectl get svc -n ingress-nginx NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE ingress-nginx NodePort 10.100.49.226 <none> 80:30197/TCP,443:31898/TCP 28s
官方文档: https://kubernetes.github.io/ingress-nginx/examples
有nginx-svc-http代理两个nginx 的 pod,通过ingress-nginx代理使得www.nginx-svc-http.com代理到nginx-svc-http
vim svc-http.yml
apiVersion: extensions/v1beta1 kind: Deployment metadata: name: nginx-deploy spec: replicas: 2 template: metadata: labels: app: nginx-http spec: containers: - name: nginx image: habor-repo.com/library/nginx:v1 imagePullPolicy: IfNotPresent ports: - name: http containerPort: 80 --- apiVersion: v1 kind: Service metadata: name: nginx-svc-http spec: selector: # 这里的labels匹配上面的 matchLabels 用来发现deployment app: nginx-http ports: - port: 8090 # 暴露的svc外部端口 targetPort: 80 # 容器内部端口 protocol: TCP --- apiVersion: extensions/v1beta1 kind: Ingress # 注意类型 metadata: name: nginx-ingress-http spec: rules: - host: www.nginx-svc-http.com # 主机域名 http: paths: - path: / backend: serviceName: nginx-svc-http # 上面的 service 的 metadata.name servicePort: 8090 # 上面service 的端口
配置访问端域名解析:
kubectl apply -f svc-http.yml kubectl get ingress # 查看ingress [ ingress]# kubectl get ingress NAME HOSTS ADDRESS PORTS AGE nginx-ingress-http www.nginx-svc-http.com 80 6s # 查看 ingress 的暴露端口 [ ingress]# kubectl get svc -n ingress-nginx NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE ingress-nginx NodePort 10.100.49.226 <none> 80:30197/TCP,443:31898/TCP 28s # 浏览器访问 使用 http 端口 30197 http://www.nginx-svc-http.com:30197/
# 先创建 https 证书 openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc" kubectl create secret tls tls-secret --key tls.key --cert tls.crt
vim svc-https.yaml
apiVersion: extensions/v1beta1 kind: Ingress # 注意类型 metadata: name: nginx-ingress-https spec: tls: - hosts: - www.nginx-svc-https.com secretName: tls-secret # 和上面生成证书 中的 tls-secret 保持一致 rules: - host: www.nginx-svc-https.com # 主机域名 http: paths: - path: / backend: serviceName: nginx-svc-http # 上面的 service 的 metadata.name servicePort: 8090 # 上面service 的端口
kubectl apply -f svc-https.yml # 查看ingress [ https]# kubectl get ingress NAME HOSTS ADDRESS PORTS AGE nginx-ingress-http www.nginx-svc-http.com 10.100.49.226 80 37m nginx-ingress-https www.nginx-svc-https.com 80, 443 12s # 查看 ingress 的暴露端口 [ ingress]# kubectl get svc -n ingress-nginx NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE ingress-nginx NodePort 10.100.49.226 <none> 80:30197/TCP,443:31898/TCP 28s # 浏览器访问 使用 https 端口 31898 https://www.nginx-svc-https.com:31898/
yum install -y httpd htpasswd -c auth foo # 用户名 foo ,输入两次密码: 123456 kubectl create secret generic basic-auth --from-file=auth
vim basic-auth.yml
apiVersion: extensions/v1beta1 kind: Ingress # 注意类型 metadata: name: nginx-basic-auth annotations: # type of authentication nginx.ingress.kubernetes.io/auth-type: basic # name of the secret that contains the user/password definitions nginx.ingress.kubernetes.io/auth-secret: basic-auth # message to display with an appropriate context why the authentication is required nginx.ingress.kubernetes.io/auth-realm: ‘Authentication Required - foo‘ spec: rules: - host: www.nginx-basic-auth.com # 主机域名 http: paths: - path: / backend: serviceName: nginx-svc-http # 上面的 service 的 metadata.name servicePort: 8090 # 上面service 的端口
kubectl apply -f basic-auth.yml # 查看ingress [ https]# kubectl get ingress NAME HOSTS ADDRESS PORTS AGE nginx-basic-auth www.nginx-basic-auth.com 80 7s nginx-ingress-http www.nginx-svc-http.com 10.100.49.226 80 54m nginx-ingress-https www.nginx-svc-https.com 10.100.49.226 80, 443 17m # 查看 ingress 的暴露端口 [ ingress]# kubectl get svc -n ingress-nginx NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE ingress-nginx NodePort 10.100.49.226 <none> 80:30197/TCP,443:31898/TCP 28s # 浏览器访问 使用 http 端口 30197 http://www.nginx-basic-auth.com:30197/ # 使用 https 端口 31898 https://www.nginx-basic-auth.com:31898/ # 输入用户名/密码 : foo/123456
名称 | 描述 | 值 |
---|---|---|
nginx.ingress.kubernetes.io/rewrite-target | 必须重定向流量的目标URI | 串 |
nginx.ingress.kubernetes.io/ssl-redirect | 指示位置部分是否仅可访问SSL(当Ingress包含证书时默认为True) | 布尔 |
nginx.ingress.kubernetes.io/force-ssl-redirect | 即使Ingress未启用TLS,也强制重定向到HTTPS | 布尔 |
nginx.ingress.kubernetes.io/app-root | 定义Controller必须重定向的应用程序根,如果它在‘/‘上下文中 | 串 |
nginx.ingress.kubernetes.io/use-regex | 指示Ingress上定义的路径是否使用正则表达式 | 布尔 |
vim rewrite.yml
apiVersion: extensions/v1beta1 kind: Ingress # 注意类型 metadata: name: nginx-rewrite annotations: # 跳转的目标域名 nginx.ingress.kubernetes.io/rewrite-target: www.nginx-basic-auth.com:30197 spec: rules: - host: www.jump.com # 拦截的域名 http: paths: - path: / backend: serviceName: nginx-svc-http # 上面的 service 的 metadata.name servicePort: 8090 # 上面service 的端口
kubectl apply -f rewrite.yml # 查看ingress [ https]# kubectl get ingress NAME HOSTS ADDRESS PORTS AGE nginx-basic-auth www.nginx-basic-auth.com 10.100.49.226 80 23m nginx-ingress-http www.nginx-svc-http.com 10.100.49.226 80 77m nginx-ingress-https www.nginx-svc-https.com 10.100.49.226 80, 443 40m nginx-rewrite www.nginx-basic-auth.com 80 5s # 查看 ingress 的暴露端口 [ ingress]# kubectl get svc -n ingress-nginx NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE ingress-nginx NodePort 10.100.49.226 <none> 80:30197/TCP,443:31898/TCP 28s # 浏览器访问 使用 http 端口 会自动跳转到 basic-auth 页面 http://www.jump.com:30197