4.5、Ingress

通常情况下,Service 和 Pod 的 IP 仅可在集群内部访问。集群外部的请求需要通过负载均衡转发到 Service 在 Node 上暴露的 NodePort 上,然后再由 kube-proxy 通过边缘路由器 (edge router) 将其转发给相关的 Pod 或者丢弃。而 Ingress 就是为进入集群的请求提供路由规则的集合。

Ingress 可以给 Service 提供集群外部访问的 URL、负载均衡、SSL 终止、HTTP 路由等。为了配置这些 Ingress 规则,集群管理员需要部署一个 Ingress Controller,它监听 Ingress 和 Service 的变化,并根据规则配置负载均衡并提供访问入口。

4.5.1、安装ingress-nginx

mkdir -p /usr/local/docker/kubernetes/plugins/test/ingress
cd /usr/local/docker/kubernetes/plugins/test/ingress

wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/mandatory.yaml

# 创建 deployment 
kubectl apply -f mandatory.yaml

kubectl get deploy -n ingress-nginx
kubectl get pod -n ingress-nginx

# 查看描述pod修改为你自己的pod名字
kubectl describe pod nginx-ingress-controller-7fcf8df75d-5fbc6 -n ingress-nginx

# 创建 service
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/provider/baremetal/service-nodeport.yaml
kubectl apply -f service-nodeport.yaml

# 查看 svc 
[root@k8s-master ingress]# kubectl get svc -n ingress-nginx
NAME            TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx   NodePort   10.100.49.226   <none>        80:30197/TCP,443:31898/TCP   28s

例子

官方文档: https://kubernetes.github.io/ingress-nginx/examples

http代理

有nginx-svc-http代理两个nginx 的 pod,通过ingress-nginx代理使得www.nginx-svc-http.com代理到nginx-svc-http

vim svc-http.yml

apiVersion: extensions/v1beta1
kind: Deployment 
metadata:
  name: nginx-deploy
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx-http
    spec:
      containers:
      - name: nginx
        image: habor-repo.com/library/nginx:v1
        imagePullPolicy: IfNotPresent 
        ports:
        - name: http 
          containerPort: 80 
---
apiVersion: v1
kind: Service 
metadata:
  name: nginx-svc-http
spec:
  selector: # 这里的labels匹配上面的 matchLabels 用来发现deployment
    app: nginx-http
  ports:
  - port: 8090 # 暴露的svc外部端口
    targetPort: 80 # 容器内部端口
    protocol: TCP
---
apiVersion: extensions/v1beta1
kind: Ingress # 注意类型  
metadata:
  name: nginx-ingress-http
spec:
  rules:
    - host: www.nginx-svc-http.com # 主机域名
      http:
        paths:
        - path: /
          backend:
            serviceName: nginx-svc-http # 上面的 service 的 metadata.name
            servicePort: 8090 # 上面service 的端口

配置访问端域名解析:

kubectl apply -f svc-http.yml

kubectl get ingress

# 查看ingress 
[root@k8s-master ingress]# kubectl get ingress
NAME                 HOSTS                    ADDRESS         PORTS   AGE
nginx-ingress-http   www.nginx-svc-http.com                   80      6s

# 查看 ingress 的暴露端口 
[root@k8s-master ingress]# kubectl get svc -n ingress-nginx
NAME            TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx   NodePort   10.100.49.226   <none>        80:30197/TCP,443:31898/TCP   28s

# 浏览器访问 使用 http 端口 30197
http://www.nginx-svc-http.com:30197/
https代理
# 先创建 https 证书
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
kubectl create secret tls tls-secret --key tls.key --cert tls.crt

vim svc-https.yaml

apiVersion: extensions/v1beta1
kind: Ingress # 注意类型  
metadata:
  name: nginx-ingress-https
spec:
  tls:
  - hosts:
    - www.nginx-svc-https.com
    secretName: tls-secret # 和上面生成证书 中的 tls-secret 保持一致
  rules:
    - host: www.nginx-svc-https.com # 主机域名
      http:
        paths:
        - path: /
          backend:
            serviceName: nginx-svc-http # 上面的 service 的 metadata.name
            servicePort: 8090 # 上面service 的端口
kubectl apply -f svc-https.yml

# 查看ingress 
[root@k8s-master https]# kubectl get ingress
NAME                  HOSTS                     ADDRESS         PORTS     AGE
nginx-ingress-http    www.nginx-svc-http.com    10.100.49.226   80        37m
nginx-ingress-https   www.nginx-svc-https.com                   80, 443   12s

# 查看 ingress 的暴露端口 
[root@k8s-master ingress]# kubectl get svc -n ingress-nginx
NAME            TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx   NodePort   10.100.49.226   <none>        80:30197/TCP,443:31898/TCP   28s

# 浏览器访问 使用 https 端口 31898
https://www.nginx-svc-https.com:31898/
basic auth
yum install -y httpd
htpasswd -c auth foo # 用户名 foo ,输入两次密码: 123456 
kubectl create secret generic basic-auth --from-file=auth

vim basic-auth.yml

apiVersion: extensions/v1beta1
kind: Ingress # 注意类型  
metadata:
  name: nginx-basic-auth
  annotations:
    # type of authentication
    nginx.ingress.kubernetes.io/auth-type: basic
    # name of the secret that contains the user/password definitions
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # message to display with an appropriate context why the authentication is required
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  rules:
  - host: www.nginx-basic-auth.com # 主机域名
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-svc-http # 上面的 service 的 metadata.name
          servicePort: 8090 # 上面service 的端口
kubectl apply -f basic-auth.yml

# 查看ingress 
[root@k8s-master https]# kubectl get ingress
NAME                  HOSTS                      ADDRESS         PORTS     AGE
nginx-basic-auth      www.nginx-basic-auth.com                   80        7s
nginx-ingress-http    www.nginx-svc-http.com     10.100.49.226   80        54m
nginx-ingress-https   www.nginx-svc-https.com    10.100.49.226   80, 443   17m

# 查看 ingress 的暴露端口 
[root@k8s-master ingress]# kubectl get svc -n ingress-nginx
NAME            TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx   NodePort   10.100.49.226   <none>        80:30197/TCP,443:31898/TCP   28s

# 浏览器访问 使用 http 端口 30197
http://www.nginx-basic-auth.com:30197/
# 使用 https 端口 31898
https://www.nginx-basic-auth.com:31898/
# 输入用户名/密码 : foo/123456
转发

名称

描述


nginx.ingress.kubernetes.io/rewrite-target

必须重定向流量的目标URI


nginx.ingress.kubernetes.io/ssl-redirect

指示位置部分是否仅可访问SSL(当Ingress包含证书时默认为True)

布尔

nginx.ingress.kubernetes.io/force-ssl-redirect

即使Ingress未启用TLS,也强制重定向到HTTPS

布尔

nginx.ingress.kubernetes.io/app-root

定义Controller必须重定向的应用程序根,如果它在'/'上下文中


nginx.ingress.kubernetes.io/use-regex

指示Ingress上定义的路径是否使用正则表达式

布尔

vim rewrite.yml

apiVersion: extensions/v1beta1
kind: Ingress # 注意类型  
metadata:
  name: nginx-rewrite
  annotations:
    # 跳转的目标域名
    nginx.ingress.kubernetes.io/rewrite-target: www.nginx-basic-auth.com:30197
spec:
  rules:
  - host: www.jump.com # 拦截的域名
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-svc-http # 上面的 service 的 metadata.name
          servicePort: 8090 # 上面service 的端口
kubectl apply -f rewrite.yml

# 查看ingress 
[root@k8s-master https]# kubectl get ingress
NAME                  HOSTS                      ADDRESS         PORTS     AGE
nginx-basic-auth      www.nginx-basic-auth.com   10.100.49.226   80        23m
nginx-ingress-http    www.nginx-svc-http.com     10.100.49.226   80        77m
nginx-ingress-https   www.nginx-svc-https.com    10.100.49.226   80, 443   40m
nginx-rewrite         www.nginx-basic-auth.com                   80        5s

# 查看 ingress 的暴露端口 
[root@k8s-master ingress]# kubectl get svc -n ingress-nginx
NAME            TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx   NodePort   10.100.49.226   <none>        80:30197/TCP,443:31898/TCP   28s

# 浏览器访问 使用 http 端口 会自动跳转到 basic-auth 页面
http://www.jump.com:30197