一、 ingress nginx
1、两个核心概念:
# ingress:
kubernetes中的一个对象,作用是`定义请求如何转发到service的规则`
# ingress controller:
`具体实现反向代理及负载均衡的程序`,对ingress定义的规则进行解析,根据配置的规则来实现请求转发,实现方式有很多,比如Nginx, Contour, Haproxy等等
2、Ingress(以Nginx为例)的工作原理如下:
1. 用户编写Ingress规则,`说明哪个域名对应kubernetes集群中的哪个Service`
2. Ingress`控制器动态感知Ingress服务规则的变化,然后生成一段对应的Nginx反向代理配置`
3. Ingress控制器会将生成的Nginx配置写入到一个运行着的Nginx服务中,并动态更新
4. 到此为止,其实真正在工作的就是一个Nginx了,内部配置了用户定义的请求转发规则。这也意味着这个 Nginx 是全集群共享的:任何有权创建或修改 Ingress 对象的用户都在往同一个 nginx.conf 里注入配置(尤其是 nginx.ingress.kubernetes.io/*-snippet 这类可以写入原生 nginx 指令的注解),所以要用 RBAC 限制 Ingress 的创建/修改权限,并在支持该选项的较新版本控制器上按需关闭 snippet 注解(ConfigMap 中的 allow-snippet-annotations)。
官网:https://kubernetes.github.io/ingress-nginx/
3、准备工作
#1.下载 nginx ingress(属于外部网络资源,不是集群内部资源,所以需要安装)。本文以 controller-v0.44.0 为例,这已经是一个很旧的版本:实际部署请到官网选择与集群版本匹配、仍在维护的最新发布版,旧版本后续披露的安全问题不会再修复。另外这份清单会在集群里创建 RBAC、准入 webhook 和控制器工作负载,下载后建议先通读再 apply。
[root@k8s-master1 ~]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.44.0/deploy/static/provider/baremetal/deploy.yaml
如果报错无法建立ssl连接,优先排查原因(系统 CA 证书包缺失或过期、节点时钟不准、中间有拦截代理),例如安装/更新 ca-certificates 后重试。不建议用 --no-check-certificate 跳过校验:这个清单随后会以 kubectl apply 在集群里创建 RBAC、准入 webhook 和控制器工作负载,关闭 TLS 校验意味着链路上的中间人可以替换其内容。若实在只能这样下载,只应作为临时手段,并且在 apply 之前人工审阅 deploy.yaml(或与从可信网络取得的同版本文件做 sha256sum 比对):
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.44.0/deploy/static/provider/baremetal/deploy.yaml --no-check-certificate
查看需要的镜像:
[root@k8s-master-01 ~]# cat deploy.yaml |grep image
#2.修改镜像(k8s.gcr.io 在国内通常拉不到,换成阿里云上的镜像)。注意安全影响:原清单里的镜像是按 sha256 摘要固定的(image@sha256:...),替换后变成了第三方仓库里的可变 tag,等于把控制器的供应链信任交给了这个仓库。建议先 pull 该镜像、确认其摘要与上游 v0.44.0 的摘要一致,然后在清单里同样用 @sha256:摘要 的形式固定,而不是只写 tag。
[root@k8s-master1 ~]# sed -i 's#k8s.gcr.io/ingress-nginx/controller:v0.44.0@sha256:3dd0fac48073beaca2d67a78c746c7593f9c575168a17139a9955a82c63c4b9a#registry.cn-hangzhou.aliyuncs.com/k8sos/ingress-controller:v0.44.0#g' deploy.yaml
#3.部署
[root@k8s-master1 ~]# kubectl apply -f deploy.yaml
#查看ingress的pod
[root@k8s-master-01 plusin]# kubectl get pods -n ingress-nginx
NAME READY STATUS RESTARTS AGE
ingress-nginx-admission-create-fddhv 0/1 Completed 0 11m
ingress-nginx-admission-patch-smg2p 0/1 Completed 0 11m
ingress-nginx-controller-944f8df68-pdhrs 1/1 Running 0 11m
#查看 ingress-nginx 命名空间下的 svc:控制器以 NodePort 暴露 80/443(这里是 30287/31004),外部流量从这两个端口进入;ingress-nginx-controller-admission 是准入 webhook,只供 apiserver 在集群内调用,保持 ClusterIP 即可,不要把它暴露到节点外。
[root@k8s-master-01 plusin]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.111.248.0 <none> 80:30287/TCP,443:31004/TCP 14m
ingress-nginx-controller-admission ClusterIP 10.105.122.35 <none> 443/TCP 14m
测试
[root@k8s-master-01 mnt]# kubectl apply -f ingress-http.yaml
deployment.apps/nginx-dm created
service/nginx-svc created
#查看svc
[root@k8s-master-01 mnt]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
baidu ExternalName <none> www.baidu.com <none> 23h
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 10d
myapp NodePort 10.96.174.205 <none> 80:32179/TCP 32h
myapp-headless ClusterIP None <none> 80/TCP 31h
nginx-svc ClusterIP 10.99.46.132 <none> 80/TCP 53s
#直接curl svc即可访问到后端的pod
[root@k8s-master-01 mnt]# curl 10.99.46.132
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
[root@k8s-master-01 mnt]# curl 10.99.46.132
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
[root@k8s-master-01 mnt]# curl 10.99.46.132
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
[root@k8s-master-01 mnt]# curl 10.99.46.132
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
[root@k8s-master-01 mnt]# curl 10.99.46.132
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
部署的pod以及svc
# Test workload for the HTTP examples: two replicas of a demo app behind a ClusterIP Service.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-dm
spec:
  replicas: 2
  selector:
    matchLabels:
      name: nginx
  template:
    metadata:
      labels:
        name: nginx
    spec:
      containers:
      - name: nginx
        # NOTE(review): third-party Docker Hub image pinned only by a mutable tag; pin a digest
        # (image@sha256:...) or mirror it into a registry you control before using this beyond a lab.
        # No resources/securityContext are set either - fine for a test, not for a shared cluster.
        image: wangyanglinux/myapp:v1
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
---
# ClusterIP Service for the Deployment above; only reachable inside the cluster
# (the curl test above hits its cluster IP directly from a node).
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  selector:
    name: nginx
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
部署的ingress
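# Plain HTTP Ingress routing two hostnames to two Services.
# Converted to networking.k8s.io/v1: extensions/v1beta1 was removed in Kubernetes 1.22, and the
# basic-auth example further down already uses v1 with ingressClassName, so the page is consistent.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-ingress
  namespace: default   # must be the namespace of the Services (and any TLS Secret) it references
spec:
  ingressClassName: nginx   # replaces the deprecated kubernetes.io/ingress.class annotation
  rules:
  - host: www.test.com
    http:
      paths:
      - path: /
        pathType: Prefix   # required in v1; Prefix is the closest equivalent of the old untyped `/`
        backend:
          service:
            name: svc-test
            port:
              number: 80
  # Second host rule. NOTE(review): svc-release is not defined anywhere on this page; until that
  # Service exists the controller serves an error page for www.abc.com instead of a backend.
  - host: www.abc.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: svc-release
            port:
              number: 80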
验证
[root@k8s-master-01 mnt]# kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-ingress <none> www.test.com,www.abc.com 80 27s
基于TLS的Ingress(测试访问nginx)——通过 https 访问。注意:TLS 只在 ingress 控制器处终止,控制器到后端 Pod 之间仍然是明文 HTTP(下面的 svc-test 监听 80);如果后端链路也需要加密,要另外配置(例如 nginx.ingress.kubernetes.io/backend-protocol 注解)并让后端自己提供证书。
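#1. Create a self-signed certificate for the TLS Ingress (lab use only; production should use a real CA, e.g. cert-manager)
#   The certificate must carry a SAN equal to the `host` of the TLS Ingress below (www.test-nginx.com):
#   modern browsers and curl ignore CN and reject a CN-only certificate, and the original CN=www.test.com
#   did not match that host at all. -days is given explicitly; without it `openssl req -x509` issues a
#   30-day certificate that silently expires.
openssl genrsa -out tls.key 2048
chmod 600 tls.key   # this key also goes into the Secret; keep the on-disk copy unreadable to other users
openssl req -new -x509 -key tls.key -out tls.crt -days 365 \
  -subj /C=CN/ST=ShangHai/L=ShangHai/O=Ingress/CN=www.test-nginx.com \
  -addext "subjectAltName=DNS:www.test-nginx.com"   # -addext requires OpenSSL >= 1.1.1
#2. Store the key pair as a kubernetes.io/tls Secret in the namespace the Ingress is created in
#   Secrets are base64-encoded, not encrypted: restrict `get secrets` with RBAC and enable encryption at rest
kubectl -n default create secret tls ingress-tls --cert=tls.crt --key=tls.key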
# Backend for the TLS Ingress below: plain nginx behind the svc-test ClusterIP Service.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-test
spec:
  replicas: 2
  selector:
    matchLabels:
      name: nginx-test
  template:
    metadata:
      labels:
        name: nginx-test
    spec:
      containers:
      - name: nginx
        # NOTE(review): untagged image resolves to nginx:latest, and with IfNotPresent each node keeps
        # whatever build it already has, so replicas may differ; pin a tag or digest outside a lab.
        image: nginx
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
---
# ClusterIP Service referenced by the Ingress rules (backend svc-test). Ingress TLS terminates at
# the controller; traffic from the controller to these pods is plain HTTP on port 80.
apiVersion: v1
kind: Service
metadata:
  name: svc-test
spec:
  selector:
    name: nginx-test
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
---
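# HTTPS Ingress: terminates TLS at the controller with the `ingress-tls` Secret and forwards to svc-test.
# Converted to networking.k8s.io/v1 (extensions/v1beta1 was removed in Kubernetes 1.22; the basic-auth
# example below already uses v1 with ingressClassName).
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: ingress-ingress-nginx-tls
spec:
  ingressClassName: nginx   # replaces the deprecated kubernetes.io/ingress.class annotation
  tls:
  - hosts:
    # NOTE(review): the certificate in `ingress-tls` must carry this name as a SAN (CN alone is not
    # enough for modern clients); a mismatch makes browsers/curl reject the handshake. The Secret must
    # live in the same namespace as this Ingress.
    - www.test-nginx.com
    secretName: ingress-tls
  rules:
  - host: www.test-nginx.com
    http:
      paths:
      - path: /
        pathType: Prefix   # required in v1; Prefix is the closest equivalent of the old untyped `/`
        backend:
          service:
            name: svc-test
            port:
              number: 80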
nginx认证登录(HTTP Basic Auth)
官网:https://kubernetes.github.io/ingress-nginx/examples/auth/basic/
下面用到的 basic-auth Secret 需要先按官网示例创建:用 htpasswd 生成 auth 文件,再 kubectl create secret generic basic-auth --from-file=auth。两点注意:1)htpasswd 默认生成的 apr1(MD5)哈希强度很低,建议加 -B 生成 bcrypt 哈希;2)Basic Auth 只是把 用户名:密码 做 base64 放在 Authorization 头里发送,必须配合 TLS 使用——下面的示例 Ingress 没有 tls 段,凭据会明文经过网络,仅适合实验环境。
# Backend for the basic-auth Ingress: a single nginx pod (replicas is omitted, so the default of 1
# applies - see the single pod in the `kubectl get pods` output below).
kind: Deployment
apiVersion: apps/v1
metadata:
  name: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        imagePullPolicy: IfNotPresent
        # NOTE(review): untagged image resolves to nginx:latest; pin a tag or digest outside a lab.
        image: nginx
---
# ClusterIP Service named `nginx`, referenced by ingress-with-auth as its backend.
kind: Service
apiVersion: v1
metadata:
  name: nginx
spec:
  ports:
  - port: 80
    targetPort: 80
    name: http
  selector:
    app: nginx
---
# Ingress protected by HTTP basic auth; credentials come from the `basic-auth` Secret in this namespace.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-with-auth
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    # The Secret must hold an htpasswd-format `auth` key. Prefer bcrypt (`htpasswd -B`) over the
    # default apr1/MD5 hash, which is cheap to brute-force if the Secret is ever read or dumped.
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  ingressClassName: nginx
  # SECURITY(review): there is no `tls:` section, so the Authorization header (base64 of user:password)
  # crosses the network in cleartext on the controller's port 80. Before using this outside a lab, add a
  # tls entry for foo.bar.com backed by a matching Secret; ingress-nginx then redirects HTTP to HTTPS by
  # default.
  rules:
  - host: foo.bar.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx
            port:
              number: 80
查看
[root@k8s-master-01 mnt]# kubectl get pods
NAME READY STATUS RESTARTS AGE
nginx-7cf7d6dbc8-6mxfl 1/1 Running 0 7m32s
[root@k8s-master-01 mnt]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 17d
nginx ClusterIP 10.103.3.55 <none> 80/TCP 7m37s
[root@k8s-master-01 mnt]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.108.34.77 <none> 80:32035/TCP,443:30441/TCP 2d1h
ingress-nginx-controller-admission ClusterIP 10.106.38.15 <none> 443/TCP 2d1h
[root@k8s-master-01 mnt]# kubectl get secrets
NAME TYPE DATA AGE
basic-auth Opaque 1 11m
default-token-hd5m9 kubernetes.io/service-account-token 3 17d
ingress-tls kubernetes.io/tls 2 38h
[root@k8s-master-01 mnt]# kubectl get secrets basic-auth -o yaml   # 注意:输出里的 data.auth 只是 base64 编码(不是加密)的 htpasswd 行,base64 -d 即得 foo:$apr1$...(MD5 哈希);任何能 get secrets 的账号都能拿到,不要把这类输出贴进文档或聊天记录,并用 RBAC 收紧 secrets 的读权限
apiVersion: v1
data:
auth: Zm9vOiRhcHIxJFhURnpIaWN0JElNVUtWd2Vsejd0Rm4vdHlHNG9uei4K
kind: Secret
metadata:
creationTimestamp: "2021-12-22T06:29:28Z"
managedFields:
- apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:data:
.: {}
f:auth: {}
f:type: {}
manager: kubectl-create
operation: Update
time: "2021-12-22T06:29:28Z"
name: basic-auth
namespace: default
resourceVersion: "291491"
uid: bf4bcb7e-b92f-40a7-922f-adbf553da165
type: Opaque
[root@k8s-master-01 mnt]# kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-with-auth nginx foo.bar.com 192.168.15.32 80 7m50s
注意:ADDRESS 列是控制器回写到 Ingress status 的地址(这里是运行控制器的节点 IP 192.168.15.32),主要用来确认该 Ingress 已被控制器接管;实际访问走的是 ingress-nginx-controller 的 NodePort(本例 80:32035、443:30441),需要把域名解析到节点 IP 并带上端口。ADDRESS 长时间为空通常说明 ingressClassName/注解与控制器不匹配,这个 Ingress 根本没有被处理。
secret补充
secret用于保存敏感信息,比如密码、ssh-key、令牌等等
存储格式:K/V键值对
使用方式:环境变量和挂载(volumes)。优先用 volume 挂载:注入为环境变量的值会被容器内所有子进程继承、容易随日志和崩溃信息泄露,而且 Secret 更新后环境变量不会跟着变,挂载的文件会。
编码方式:base64。这只是编码而不是加密,kubectl get secret -o yaml 拿到的值直接 base64 -d 就能还原;保密性只能靠 RBAC 限制谁能 get/list secrets,以及在 apiserver 上启用静态加密(EncryptionConfiguration),否则 etcd 里也是明文。
创建方式:命令行创建和配置清单
使用场景:
Opaque:通用自定义数据,值同样只是 base64 编码
kubernetes.io/service-account-token:用于存储SA用户认证信息
kubernetes.io/dockerconfigjson:用于存储docker仓库认证信息
kubernetes.io/tls:用于tls通讯模式认证信息
kubernetes.io/ssh-auth:用于ssh认证信息
bootstrap.kubernetes.io/token:启动引导token
nginx重写
# Backend for the rewrite/redirect examples. NOTE(review): this reuses the Deployment name nginx-dm
# from the first example but with a different selector (name: nginx-dm instead of name: nginx);
# spec.selector is immutable, so applying this over the earlier nginx-dm in the same namespace fails
# until the old Deployment is deleted.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-dm
spec:
  replicas: 2
  selector:
    matchLabels:
      name: nginx-dm
  template:
    metadata:
      labels:
        name: nginx-dm
    spec:
      containers:
      - name: nginx
        # NOTE(review): third-party image pinned only by a mutable tag; pin a digest outside a lab.
        image: wangyanglinux/myapp:v1
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
---
# ClusterIP Service referenced by the Ingress rules below (backend nginx-dm).
apiVersion: v1
kind: Service
metadata:
  name: nginx-dm
spec:
  selector:
    name: nginx-dm
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
---
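# Plain HTTP Ingress for the redirect example: abc.test.com -> Service nginx-dm.
# Converted to networking.k8s.io/v1 (extensions/v1beta1 was removed in Kubernetes 1.22; the basic-auth
# example above already uses v1 with ingressClassName).
# NOTE(review): same name as the earlier www.test.com Ingress in this namespace, so applying this
# replaces that object's rules rather than adding to them.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-ingress
  namespace: default   # must be the namespace of the Services (and any TLS Secret) it references
spec:
  ingressClassName: nginx   # replaces the deprecated kubernetes.io/ingress.class annotation
  rules:
  - host: abc.test.com
    http:
      paths:
      - path: /
        pathType: Prefix   # required in v1; Prefix is the closest equivalent of the old untyped `/`
        backend:
          service:
            name: nginx-dm
            port:
              number: 80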
配置跳转重定向
#1.修改配置清单(以nginx为例)
[root@k8s-master1 ~]# vim ingress.yaml
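# Redirect example: every request for ccc.aaa.com is sent to abc.test.com on the controller's HTTP NodePort.
# Converted to networking.k8s.io/v1 (extensions/v1beta1 was removed in Kubernetes 1.22).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-ingress-tset-test
  namespace: default
  annotations:
    # The original used rewrite-target with an absolute URL, which only redirects as a side effect of
    # nginx's `rewrite` semantics (a replacement starting with http:// yields a 302). temporal-redirect is
    # the annotation meant for this and produces the same 302; use permanent-redirect for a cacheable 301.
    # Port 32035 is the controller's NodePort for port 80 in this cluster - adjust it to your own.
    nginx.ingress.kubernetes.io/temporal-redirect: http://abc.test.com:32035
spec:
  ingressClassName: nginx   # replaces the deprecated kubernetes.io/ingress.class annotation
  rules:
  - host: ccc.aaa.com
    http:
      paths:
      - path: /
        pathType: Prefix
        # The backend is never reached while the redirect annotation is present, but v1 requires a
        # backend on every path.
        backend:
          service:
            name: nginx-dm
            port:
              number: 80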
查看
[root@k8s-master-01 mnt]# kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-ingress <none> abc.test.com 192.168.15.32 80 12m
ingress-ingress-tset-test <none> ccc.aaa.com 192.168.15.32 80 7m41s
ingress-with-auth nginx foo.bar.com 192.168.15.32 80 9h
[root@k8s-master-01 mnt]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.108.34.77 <none> 80:32035/TCP,443:30441/TCP 2d10h
ingress-nginx-controller-admission ClusterIP 10.106.38.15 <none> 443/TCP 2d10h
[root@k8s-master-01 mnt]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 18d
nginx ClusterIP 10.103.3.55 <none> 80/TCP 9h
nginx-dm ClusterIP 10.108.239.10 <none> 80/TCP 15m