Ingress
Service 的功能和运行机制的本质上就是一个由 kube-proxy 控制的四层负载均衡,在 TCP/IP 协议栈上转发流量
但在四层上的负载均衡功能还是太有限了,只能够依据 IP 地址和端口号做一些简单的判断和组合,而现在的绝大多数应用都是跑在七层的 HTTP/HTTPS 协议上的,有更多的高级路由条件,比如主机名、URI、请求头、证书等等,而这些在 TCP/IP 网络栈里是根本看不见的。
Service 比较适合代理集群内部的服务。如果想要把服务暴露到集群外部,就只能使用 NodePort 或者 LoadBalancer 这两种方式,而它们都缺乏足够的灵活性,难以管控,这就导致了一种很无奈的局面:我们的服务空有一身本领,却没有合适的机会走出去大展拳脚。
Kubernetes 就在七层上做负载均衡上引入一个对象不就可以了嘛。不过除了七层负载均衡,这个对象还应该承担更多的职责,也就是作为流量的总入口,统管集群的进出口数据,“扇入”“扇出”流量(也就是我们常说的“南北向”),让外部用户能够安全、顺畅、便捷地访问内部服务(图片来源):
这个 API 对象就顺理成章地被命名为 Ingress,意思就是集群内外边界上的入口。
Ingress Controller
Ingress 可以说是在七层上另一种形式的 Service,它同样会代理一些后端的 Pod,也有一些路由规则来定义流量应该如何分配、转发,只不过这些规则都使用的是 HTTP/HTTPS 协议。
Service 本身是没有服务能力的,它只是一些 iptables 规则,真正配置、应用这些规则的实际上是节点里的 kube-proxy 组件。如果没有 kube-proxy,Service 定义得再完善也没有用。
同样的,Ingress 也只是一些 HTTP 路由规则的集合,相当于一份静态的描述文件,真正要把这些规则在集群里实施运行,还需要有另外一个东西,这就是 Ingress Controller,它的作用就相当于 Service 的 kube-proxy,能够读取、应用 Ingress 规则,处理、调度流量。
老牌的反向代理和负载均衡软件是 Nginx ,从 Ingress Controller 的描述上我们也可以看到,HTTP 层面的流量管理、安全控制等功能其实就是经典的反向代理,而 Nginx 则是其中稳定性最好、性能最高的产品,所以它也理所当然成为了 Kubernetes 里应用得最广泛的 Ingress Controller。
IngressClass
最初 Kubernetes 认为一个集群里有一个 Ingress Controller,再给它配上许多不同的 Ingress 规则,应该就可以解决请求的路由和分发问题了。
但随着 Ingress 在实践中的大量应用,很多用户发现这种用法会带来一些问题,比如:
- 由于某些原因,项目组需要引入不同的 Ingress Controller,但 Kubernetes 不允许这样做;
- Ingress 规则太多,都交给一个 Ingress Controller 处理会让它不堪重负;
- 多个 Ingress 对象没有很好的逻辑分组方式,管理和维护成本很高;
- 集群里有不同的租户,他们对 Ingress 的需求差异很大甚至有冲突,无法部署在同一个 Ingress Controller 上。
所以,Kubernetes 就又提出了一个 Ingress Class 的概念,让它插在 Ingress 和 Ingress Controller 中间,作为流量规则和控制器的协调人,解除了 Ingress 和 Ingress Controller 的强绑定关系。
Kubernetes 用户可以转向管理 Ingress Class,用它来定义不同的业务逻辑分组,简化 Ingress 规则的复杂度。比如说,可以用 Class A 处理博客流量、Class B 处理短视频流量、Class C 处理购物流量。
这些 Ingress 和 Ingress Controller 彼此独立,不会发生冲突,所以上面的那些问题也就随着 Ingress Class 的引入迎刃而解了。
YAML 描述 Ingress/Ingress Class
命令 kubectl api-resources 查看它们的基本信息
kubectl api-resources
NAME SHORTNAMES APIVERSION NAMESPACED KIND
ingresses ing networking.k8s.io/v1 true Ingress
ingressclasses networking.k8s.io/v1 false IngressClass
Ingress 和 Ingress Class 的 apiVersion 都是“networking.k8s.io/v1”,而且 Ingress 有一个简写“ing”,但 是却没有Ingress Controller
因为 Ingress Controller 和其他两个对象不太一样,它不只是描述文件,是一个要实际干活、处理流量的应用程序,而应用程序在 Kubernetes 里早就有对象来管理了,那就是 Deployment 和 DaemonSet。
Ingress
Ingress 也是可以使用 kubectl create 来创建样板文件的,和 Service 类似,它也需要用两个附加参数:
- –class,指定 Ingress 从属的 Ingress Class 对象。
- –rule,指定路由规则,基本形式是“URI=Service”,也就是说是访问 HTTP 路径就转发到对应的 Service 对象,再由 Service 对象转发给后端的 Pod。
export out="--dry-run=client -o yaml"
kubectl create ing ngx-ing --rule="ngx.test/=ngx-svc:80" --class=ngx-ink $out
Ingress yaml文件内容
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ngx-ing
spec:
ingressClassName: ngx-ink
rules:
- host: ngx.test
http:
paths:
- path: /
pathType: Exact
backend:
service:
name: ngx-svc
port:
number: 80
Ingress Class
其实 Ingress Class 本身并没有什么实际的功能,只是起到联系 Ingress 和 Ingress Controller 的作用,所以它的定义非常简单,在“spec”里只有一个必需的字段“controller”,表示要使用哪个 Ingress Controller,具体的名字就要看实现文档了。
比如,如果我要用 Nginx 开发的 Ingress Controller,那么就要用名字“nginx.org/ingress-controller”:
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
name: ngx-ink
spec:
controller: nginx.org/ingress-controller
Ingress 和 Service、Ingress Class 关系图
Kubernetes 使用 Ingress/Ingress Class
创建ingress-class.yml(把上面生成的内容copy进去)
touch ingress-class.yml
vim ingress-class.yml
创建ingress.yml(把上面生成的内容copy进去)
touch ingress.yml
vim ingress.yml
用 kubectl apply 创建对象
#创建ingress class对象
kubectl apply -f ingress-class.yml
#查看ingressclass对象的状态
kubectl get ingressclass
# 创建ingress 对象
kubectl apply -f ingress.yml
#查看ingress对象的状态
kubectl get ingress
# 查看Ingress 更详细的信息
kubectl describe ing ngx-ing
Ingress 对象的路由规则 Host/Path 就是在 YAML 里设置的域名“ngx.test/”,而且已经关联了之前创建的 Service 对象,还有 Service 后面的两个 Pod。
Ingress 里“Default backend”的错误表示找不到路由的时候,用来提供一个默认的后端服务,但不设置也不会有什么问题,所以大多数时候都可以忽略它。
Kubernetes 使用 Ingress Controller
Nginx Ingress Controller 以 Pod 的形式运行在 Kubernetes 里,所以同时支持 Deployment 和 DaemonSet 两种部署方式。
Nginx Ingress Controller 的安装略微麻烦一些,有很多个 YAML 需要执行:
ns-and-sa.yaml
apiVersion: v1
kind: Namespace
metadata:
name: nginx-ingress
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: nginx-ingress
namespace: nginx-ingress
default-server-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: default-server-secret
namespace: nginx-ingress
type: kubernetes.io/tls
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN2akNDQWFZQ0NRREFPRjl0THNhWFhEQU5CZ2txaGtpRzl3MEJBUXNGQURBaE1SOHdIUVlEVlFRRERCWk8KUjBsT1dFbHVaM0psYzNORGIyNTBjbTlzYkdWeU1CNFhEVEU0TURreE1qRTRNRE16TlZvWERUSXpNRGt4TVRFNApNRE16TlZvd0lURWZNQjBHQTFVRUF3d1dUa2RKVGxoSmJtZHlaWE56UTI5dWRISnZiR3hsY2pDQ0FTSXdEUVlKCktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUwvN2hIUEtFWGRMdjNyaUM3QlBrMTNpWkt5eTlyQ08KR2xZUXYyK2EzUDF0azIrS3YwVGF5aGRCbDRrcnNUcTZzZm8vWUk1Y2Vhbkw4WGM3U1pyQkVRYm9EN2REbWs1Qgo4eDZLS2xHWU5IWlg0Rm5UZ0VPaStlM2ptTFFxRlBSY1kzVnNPazFFeUZBL0JnWlJVbkNHZUtGeERSN0tQdGhyCmtqSXVuektURXUyaDU4Tlp0S21ScUJHdDEwcTNRYzhZT3ExM2FnbmovUWRjc0ZYYTJnMjB1K1lYZDdoZ3krZksKWk4vVUkxQUQ0YzZyM1lma1ZWUmVHd1lxQVp1WXN2V0RKbW1GNWRwdEMzN011cDBPRUxVTExSakZJOTZXNXIwSAo1TmdPc25NWFJNV1hYVlpiNWRxT3R0SmRtS3FhZ25TZ1JQQVpQN2MwQjFQU2FqYzZjNGZRVXpNQ0F3RUFBVEFOCkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQWpLb2tRdGRPcEsrTzhibWVPc3lySmdJSXJycVFVY2ZOUitjb0hZVUoKdGhrYnhITFMzR3VBTWI5dm15VExPY2xxeC9aYzJPblEwMEJCLzlTb0swcitFZ1U2UlVrRWtWcitTTFA3NTdUWgozZWI4dmdPdEduMS9ienM3bzNBaS9kclkrcUI5Q2k1S3lPc3FHTG1US2xFaUtOYkcyR1ZyTWxjS0ZYQU80YTY3Cklnc1hzYktNbTQwV1U3cG9mcGltU1ZmaXFSdkV5YmN3N0NYODF6cFErUyt1eHRYK2VBZ3V0NHh3VlI5d2IyVXYKelhuZk9HbWhWNThDd1dIQnNKa0kxNXhaa2VUWXdSN0diaEFMSkZUUkk3dkhvQXprTWIzbjAxQjQyWjNrN3RXNQpJUDFmTlpIOFUvOWxiUHNoT21FRFZkdjF5ZytVRVJxbStGSis2R0oxeFJGcGZnPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdi91RWM4b1JkMHUvZXVJTHNFK1RYZUprckxMMnNJNGFWaEMvYjVyYy9XMlRiNHEvClJOcktGMEdYaVN1eE9ycXgrajlnamx4NXFjdnhkenRKbXNFUkJ1Z1B0ME9hVGtIekhvb3FVWmcwZGxmZ1dkT0EKUTZMNTdlT1l0Q29VOUZ4amRXdzZUVVRJVUQ4R0JsRlNjSVo0b1hFTkhzbysyR3VTTWk2Zk1wTVM3YUhudzFtMApxWkdvRWEzWFNyZEJ6eGc2clhkcUNlUDlCMXl3VmRyYURiUzc1aGQzdUdETDU4cGszOVFqVUFQaHpxdmRoK1JWClZGNGJCaW9CbTVpeTlZTW1hWVhsMm0wTGZzeTZuUTRRdFFzdEdNVWozcGJtdlFmazJBNnljeGRFeFpkZFZsdmwKMm82MjBsMllxcHFDZEtCRThCay90elFIVTlKcU56cHpoOUJUTXdJREFRQUJBb0lCQVFDZklHbXowOHhRVmorNwpLZnZJUXQwQ0YzR2MxNld6eDhVNml4MHg4Mm15d1kxUUNlL3BzWE9LZlRxT1h1SENyUlp5TnUvZ2IvUUQ4bUFOCmxOMjRZTWl0TWRJODg5TEZoTkp3QU5OODJDeTczckM5bzVvUDlkazAvYzRIbjAzSkVYNzZ5QjgzQm9rR1FvYksKMjhMNk0rdHUzUmFqNjd6Vmc2d2szaEhrU0pXSzBwV1YrSjdrUkRWYmhDYUZhNk5nMUZNRWxhTlozVDhhUUtyQgpDUDNDeEFTdjYxWTk5TEI4KzNXWVFIK3NYaTVGM01pYVNBZ1BkQUk3WEh1dXFET1lvMU5PL0JoSGt1aVg2QnRtCnorNTZud2pZMy8yUytSRmNBc3JMTnIwMDJZZi9oY0IraVlDNzVWYmcydVd6WTY3TWdOTGQ5VW9RU3BDRkYrVm4KM0cyUnhybnhBb0dCQU40U3M0ZVlPU2huMVpQQjdhTUZsY0k2RHR2S2ErTGZTTXFyY2pOZjJlSEpZNnhubmxKdgpGenpGL2RiVWVTbWxSekR0WkdlcXZXaHFISy9iTjIyeWJhOU1WMDlRQ0JFTk5jNmtWajJTVHpUWkJVbEx4QzYrCk93Z0wyZHhKendWelU0VC84ajdHalRUN05BZVpFS2FvRHFyRG5BYWkyaW5oZU1JVWZHRXFGKzJyQW9HQkFOMVAKK0tZL0lsS3RWRzRKSklQNzBjUis3RmpyeXJpY05iWCtQVzUvOXFHaWxnY2grZ3l4b25BWlBpd2NpeDN3QVpGdwpaZC96ZFB2aTBkWEppc1BSZjRMazg5b2pCUmpiRmRmc2l5UmJYbyt3TFU4NUhRU2NGMnN5aUFPaTVBRHdVU0FkCm45YWFweUNweEFkREtERHdObit3ZFhtaTZ0OHRpSFRkK3RoVDhkaVpBb0dCQUt6Wis1bG9OOTBtYlF4VVh5YUwKMjFSUm9tMGJjcndsTmVCaWNFSmlzaEhYa2xpSVVxZ3hSZklNM2hhUVRUcklKZENFaHFsV01aV0xPb2I2NTNyZgo3aFlMSXM1ZUtka3o0aFRVdnpldm9TMHVXcm9CV2xOVHlGanIrSWhKZnZUc0hpOGdsU3FkbXgySkJhZUFVWUNXCndNdlQ4NmNLclNyNkQrZG8wS05FZzFsL0FvR0FlMkFVdHVFbFNqLzBmRzgrV3hHc1RFV1JqclRNUzRSUjhRWXQKeXdjdFA4aDZxTGxKUTRCWGxQU05rMXZLTmtOUkxIb2pZT2pCQTViYjhibXNVU1BlV09NNENoaFJ4QnlHbmR2eAphYkJDRkFwY0IvbEg4d1R0alVZYlN5T294ZGt5OEp0ek90ajJhS0FiZHd6NlArWDZDODhjZmxYVFo5MWpYL3RMCjF3TmRKS2tDZ1lCbyt0UzB5TzJ2SWFmK2UwSkN5TGhzVDQ5cTN3Zis2QWVqWGx2WDJ1VnRYejN5QTZnbXo5aCsKcDNlK2JMRUxwb3B0WFhNdUFRR0xhUkcrYlNNcjR5dERYbE5ZSndUeThXczNKY3dlSTdqZVp2b0ZpbmNvVlVIMwphdmxoTUVCRGYxSjltSDB5cDBwWUNaS2ROdHNvZEZtQktzVEtQMjJhTmtsVVhCS3gyZzR6cFE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
nginx-config.yaml
kind: ConfigMap
apiVersion: v1
metadata:
name: nginx-config
namespace: nginx-ingress
data:
rbac.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: nginx-ingress
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- update
- create
- apiGroups:
- ""
resources:
- pods
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- list
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- list
- watch
- get
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- k8s.nginx.org
resources:
- virtualservers
- virtualserverroutes
- globalconfigurations
- transportservers
- policies
verbs:
- list
- watch
- get
- apiGroups:
- k8s.nginx.org
resources:
- virtualservers/status
- virtualserverroutes/status
- policies/status
- transportservers/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- apiGroups:
- cis.f5.com
resources:
- ingresslinks
verbs:
- list
- watch
- get
- apiGroups:
- cert-manager.io
resources:
- certificates
verbs:
- list
- watch
- get
- update
- create
- delete
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: nginx-ingress
subjects:
- kind: ServiceAccount
name: nginx-ingress
namespace: nginx-ingress
roleRef:
kind: ClusterRole
name: nginx-ingress
apiGroup: rbac.authorization.k8s.io
k8s.nginx.org_virtualservers.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: virtualservers.k8s.nginx.org
spec:
group: k8s.nginx.org
names:
kind: VirtualServer
listKind: VirtualServerList
plural: virtualservers
shortNames:
- vs
singular: virtualserver
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Current state of the VirtualServer. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller.
jsonPath: .status.state
name: State
type: string
- jsonPath: .spec.host
name: Host
type: string
- jsonPath: .status.externalEndpoints[*].ip
name: IP
type: string
- jsonPath: .status.externalEndpoints[*].ports
name: Ports
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: VirtualServer defines the VirtualServer resource.
type: object
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: VirtualServerSpec is the spec of the VirtualServer resource.
type: object
properties:
dos:
type: string
host:
type: string
http-snippets:
type: string
ingressClassName:
type: string
policies:
type: array
items:
description: PolicyReference references a policy by name and an optional namespace.
type: object
properties:
name:
type: string
namespace:
type: string
routes:
type: array
items:
description: Route defines a route.
type: object
properties:
action:
description: Action defines an action.
type: object
properties:
pass:
type: string
proxy:
description: ActionProxy defines a proxy in an Action.
type: object
properties:
requestHeaders:
description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy.
type: object
properties:
pass:
type: boolean
set:
type: array
items:
description: Header defines an HTTP Header.
type: object
properties:
name:
type: string
value:
type: string
responseHeaders:
description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy.
type: object
properties:
add:
type: array
items:
description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive.
type: object
properties:
always:
type: boolean
name:
type: string
value:
type: string
hide:
type: array
items:
type: string
ignore:
type: array
items:
type: string
pass:
type: array
items:
type: string
rewritePath:
type: string
upstream:
type: string
redirect:
description: ActionRedirect defines a redirect in an Action.
type: object
properties:
code:
type: integer
url:
type: string
return:
description: ActionReturn defines a return in an Action.
type: object
properties:
body:
type: string
code:
type: integer
type:
type: string
dos:
type: string
errorPages:
type: array
items:
description: ErrorPage defines an ErrorPage in a Route.
type: object
properties:
codes:
type: array
items:
type: integer
redirect:
description: ErrorPageRedirect defines a redirect for an ErrorPage.
type: object
properties:
code:
type: integer
url:
type: string
return:
description: ErrorPageReturn defines a return for an ErrorPage.
type: object
properties:
body:
type: string
code:
type: integer
headers:
type: array
items:
description: Header defines an HTTP Header.
type: object
properties:
name:
type: string
value:
type: string
type:
type: string
location-snippets:
type: string
matches:
type: array
items:
description: Match defines a match.
type: object
properties:
action:
description: Action defines an action.
type: object
properties:
pass:
type: string
proxy:
description: ActionProxy defines a proxy in an Action.
type: object
properties:
requestHeaders:
description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy.
type: object
properties:
pass:
type: boolean
set:
type: array
items:
description: Header defines an HTTP Header.
type: object
properties:
name:
type: string
value:
type: string
responseHeaders:
description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy.
type: object
properties:
add:
type: array
items:
description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive.
type: object
properties:
always:
type: boolean
name:
type: string
value:
type: string
hide:
type: array
items:
type: string
ignore:
type: array
items:
type: string
pass:
type: array
items:
type: string
rewritePath:
type: string
upstream:
type: string
redirect:
description: ActionRedirect defines a redirect in an Action.
type: object
properties:
code:
type: integer
url:
type: string
return:
description: ActionReturn defines a return in an Action.
type: object
properties:
body:
type: string
code:
type: integer
type:
type: string
conditions:
type: array
items:
description: Condition defines a condition in a MatchRule.
type: object
properties:
argument:
type: string
cookie:
type: string
header:
type: string
value:
type: string
variable:
type: string
splits:
type: array
items:
description: Split defines a split.
type: object
properties:
action:
description: Action defines an action.
type: object
properties:
pass:
type: string
proxy:
description: ActionProxy defines a proxy in an Action.
type: object
properties:
requestHeaders:
description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy.
type: object
properties:
pass:
type: boolean
set:
type: array
items:
description: Header defines an HTTP Header.
type: object
properties:
name:
type: string
value:
type: string
responseHeaders:
description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy.
type: object
properties:
add:
type: array
items:
description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive.
type: object
properties:
always:
type: boolean
name:
type: string
value:
type: string
hide:
type: array
items:
type: string
ignore:
type: array
items:
type: string
pass:
type: array
items:
type: string
rewritePath:
type: string
upstream:
type: string
redirect:
description: ActionRedirect defines a redirect in an Action.
type: object
properties:
code:
type: integer
url:
type: string
return:
description: ActionReturn defines a return in an Action.
type: object
properties:
body:
type: string
code:
type: integer
type:
type: string
weight:
type: integer
path:
type: string
policies:
type: array
items:
description: PolicyReference references a policy by name and an optional namespace.
type: object
properties:
name:
type: string
namespace:
type: string
route:
type: string
splits:
type: array
items:
description: Split defines a split.
type: object
properties:
action:
description: Action defines an action.
type: object
properties:
pass:
type: string
proxy:
description: ActionProxy defines a proxy in an Action.
type: object
properties:
requestHeaders:
description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy.
type: object
properties:
pass:
type: boolean
set:
type: array
items:
description: Header defines an HTTP Header.
type: object
properties:
name:
type: string
value:
type: string
responseHeaders:
description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy.
type: object
properties:
add:
type: array
items:
description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive.
type: object
properties:
always:
type: boolean
name:
type: string
value:
type: string
hide:
type: array
items:
type: string
ignore:
type: array
items:
type: string
pass:
type: array
items:
type: string
rewritePath:
type: string
upstream:
type: string
redirect:
description: ActionRedirect defines a redirect in an Action.
type: object
properties:
code:
type: integer
url:
type: string
return:
description: ActionReturn defines a return in an Action.
type: object
properties:
body:
type: string
code:
type: integer
type:
type: string
weight:
type: integer
server-snippets:
type: string
tls:
description: TLS defines TLS configuration for a VirtualServer.
type: object
properties:
cert-manager:
description: CertManager defines a cert manager config for a TLS.
type: object
properties:
cluster-issuer:
type: string
common-name:
type: string
duration:
type: string
issuer:
type: string
issuer-group:
type: string
issuer-kind:
type: string
renew-before:
type: string
usages:
type: string
redirect:
description: TLSRedirect defines a redirect for a TLS.
type: object
properties:
basedOn:
type: string
code:
type: integer
enable:
type: boolean
secret:
type: string
upstreams:
type: array
items:
description: Upstream defines an upstream.
type: object
properties:
buffer-size:
type: string
buffering:
type: boolean
buffers:
description: UpstreamBuffers defines Buffer Configuration for an Upstream.
type: object
properties:
number:
type: integer
size:
type: string
client-max-body-size:
type: string
connect-timeout:
type: string
fail-timeout:
type: string
healthCheck:
description: HealthCheck defines the parameters for active Upstream HealthChecks.
type: object
properties:
connect-timeout:
type: string
enable:
type: boolean
fails:
type: integer
grpcService:
type: string
grpcStatus:
type: integer
headers:
type: array
items:
description: Header defines an HTTP Header.
type: object
properties:
name:
type: string
value:
type: string
interval:
type: string
jitter:
type: string
mandatory:
type: boolean
passes:
type: integer
path:
type: string
persistent:
type: boolean
port:
type: integer
read-timeout:
type: string
send-timeout:
type: string
statusMatch:
type: string
tls:
description: UpstreamTLS defines a TLS configuration for an Upstream.
type: object
properties:
enable:
type: boolean
keepalive:
type: integer
lb-method:
type: string
max-conns:
type: integer
max-fails:
type: integer
name:
type: string
next-upstream:
type: string
next-upstream-timeout:
type: string
next-upstream-tries:
type: integer
ntlm:
type: boolean
port:
type: integer
queue:
description: UpstreamQueue defines Queue Configuration for an Upstream.
type: object
properties:
size:
type: integer
timeout:
type: string
read-timeout:
type: string
send-timeout:
type: string
service:
type: string
sessionCookie:
description: SessionCookie defines the parameters for session persistence.
type: object
properties:
domain:
type: string
enable:
type: boolean
expires:
type: string
httpOnly:
type: boolean
name:
type: string
path:
type: string
secure:
type: boolean
slow-start:
type: string
subselector:
type: object
additionalProperties:
type: string
tls:
description: UpstreamTLS defines a TLS configuration for an Upstream.
type: object
properties:
enable:
type: boolean
type:
type: string
use-cluster-ip:
type: boolean
status:
description: VirtualServerStatus defines the status for the VirtualServer resource.
type: object
properties:
externalEndpoints:
type: array
items:
description: ExternalEndpoint defines the IP and ports used to connect to this resource.
type: object
properties:
ip:
type: string
ports:
type: string
message:
type: string
reason:
type: string
state:
type: string
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
k8s.nginx.org_policies.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: policies.k8s.nginx.org
spec:
group: k8s.nginx.org
names:
kind: Policy
listKind: PolicyList
plural: policies
shortNames:
- pol
singular: policy
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Current state of the Policy. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller.
jsonPath: .status.state
name: State
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: Policy defines a Policy for VirtualServer and VirtualServerRoute resources.
type: object
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: PolicySpec is the spec of the Policy resource. The spec includes multiple fields, where each field represents a different policy. Only one policy (field) is allowed.
type: object
properties:
accessControl:
description: AccessControl defines an access policy based on the source IP of a request.
type: object
properties:
allow:
type: array
items:
type: string
deny:
type: array
items:
type: string
egressMTLS:
description: EgressMTLS defines an Egress MTLS policy.
type: object
properties:
ciphers:
type: string
protocols:
type: string
serverName:
type: boolean
sessionReuse:
type: boolean
sslName:
type: string
tlsSecret:
type: string
trustedCertSecret:
type: string
verifyDepth:
type: integer
verifyServer:
type: boolean
ingressClassName:
type: string
ingressMTLS:
description: IngressMTLS defines an Ingress MTLS policy.
type: object
properties:
clientCertSecret:
type: string
verifyClient:
type: string
verifyDepth:
type: integer
jwt:
description: JWTAuth holds JWT authentication configuration.
type: object
properties:
realm:
type: string
secret:
type: string
token:
type: string
oidc:
description: OIDC defines an Open ID Connect policy.
type: object
properties:
authEndpoint:
type: string
clientID:
type: string
clientSecret:
type: string
jwksURI:
type: string
redirectURI:
type: string
scope:
type: string
tokenEndpoint:
type: string
rateLimit:
description: RateLimit defines a rate limit policy.
type: object
properties:
burst:
type: integer
delay:
type: integer
dryRun:
type: boolean
key:
type: string
logLevel:
type: string
noDelay:
type: boolean
rate:
type: string
rejectCode:
type: integer
zoneSize:
type: string
waf:
description: WAF defines an WAF policy.
type: object
properties:
apPolicy:
type: string
enable:
type: boolean
securityLog:
description: SecurityLog defines the security log of a WAF policy.
type: object
properties:
apLogConf:
type: string
enable:
type: boolean
logDest:
type: string
status:
description: PolicyStatus is the status of the policy resource
type: object
properties:
message:
type: string
reason:
type: string
state:
type: string
served: true
storage: true
subresources:
status: {}
- name: v1alpha1
schema:
openAPIV3Schema:
description: Policy defines a Policy for VirtualServer and VirtualServerRoute resources.
type: object
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: PolicySpec is the spec of the Policy resource. The spec includes multiple fields, where each field represents a different policy. Only one policy (field) is allowed.
type: object
properties:
accessControl:
description: AccessControl defines an access policy based on the source IP of a request.
type: object
properties:
allow:
type: array
items:
type: string
deny:
type: array
items:
type: string
egressMTLS:
description: EgressMTLS defines an Egress MTLS policy.
type: object
properties:
ciphers:
type: string
protocols:
type: string
serverName:
type: boolean
sessionReuse:
type: boolean
sslName:
type: string
tlsSecret:
type: string
trustedCertSecret:
type: string
verifyDepth:
type: integer
verifyServer:
type: boolean
ingressMTLS:
description: IngressMTLS defines an Ingress MTLS policy.
type: object
properties:
clientCertSecret:
type: string
verifyClient:
type: string
verifyDepth:
type: integer
jwt:
description: JWTAuth holds JWT authentication configuration.
type: object
properties:
realm:
type: string
secret:
type: string
token:
type: string
rateLimit:
description: RateLimit defines a rate limit policy.
type: object
properties:
burst:
type: integer
delay:
type: integer
dryRun:
type: boolean
key:
type: string
logLevel:
type: string
noDelay:
type: boolean
rate:
type: string
rejectCode:
type: integer
zoneSize:
type: string
served: true
storage: false
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
k8s.nginx.org_transportservers.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: transportservers.k8s.nginx.org
spec:
group: k8s.nginx.org
names:
kind: TransportServer
listKind: TransportServerList
plural: transportservers
shortNames:
- ts
singular: transportserver
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Current state of the TransportServer. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller.
jsonPath: .status.state
name: State
type: string
- jsonPath: .status.reason
name: Reason
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: TransportServer defines the TransportServer resource.
type: object
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: TransportServerSpec is the spec of the TransportServer resource.
type: object
properties:
action:
description: Action defines an action.
type: object
properties:
pass:
type: string
host:
type: string
ingressClassName:
type: string
listener:
description: TransportServerListener defines a listener for a TransportServer.
type: object
properties:
name:
type: string
protocol:
type: string
serverSnippets:
type: string
sessionParameters:
description: SessionParameters defines session parameters.
type: object
properties:
timeout:
type: string
streamSnippets:
type: string
upstreamParameters:
description: UpstreamParameters defines parameters for an upstream.
type: object
properties:
connectTimeout:
type: string
nextUpstream:
type: boolean
nextUpstreamTimeout:
type: string
nextUpstreamTries:
type: integer
udpRequests:
type: integer
udpResponses:
type: integer
upstreams:
type: array
items:
description: Upstream defines an upstream.
type: object
properties:
failTimeout:
type: string
healthCheck:
description: HealthCheck defines the parameters for active Upstream HealthChecks.
type: object
properties:
enable:
type: boolean
fails:
type: integer
interval:
type: string
jitter:
type: string
match:
description: Match defines the parameters of a custom health check.
type: object
properties:
expect:
type: string
send:
type: string
passes:
type: integer
port:
type: integer
timeout:
type: string
loadBalancingMethod:
type: string
maxConns:
type: integer
maxFails:
type: integer
name:
type: string
port:
type: integer
service:
type: string
status:
description: TransportServerStatus defines the status for the TransportServer resource.
type: object
properties:
message:
type: string
reason:
type: string
state:
type: string
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
k8s.nginx.org_virtualserverroutes.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
name: virtualserverroutes.k8s.nginx.org
spec:
group: k8s.nginx.org
names:
kind: VirtualServerRoute
listKind: VirtualServerRouteList
plural: virtualserverroutes
shortNames:
- vsr
singular: virtualserverroute
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Current state of the VirtualServerRoute. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller.
jsonPath: .status.state
name: State
type: string
- jsonPath: .spec.host
name: Host
type: string
- jsonPath: .status.externalEndpoints[*].ip
name: IP
type: string
- jsonPath: .status.externalEndpoints[*].ports
name: Ports
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: VirtualServerRoute defines the VirtualServerRoute resource.
type: object
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: VirtualServerRouteSpec is the spec of the VirtualServerRoute resource.
type: object
properties:
host:
type: string
ingressClassName:
type: string
subroutes:
type: array
items:
description: Route defines a route.
type: object
properties:
action:
description: Action defines an action.
type: object
properties:
pass:
type: string
proxy:
description: ActionProxy defines a proxy in an Action.
type: object
properties:
requestHeaders:
description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy.
type: object
properties:
pass:
type: boolean
set:
type: array
items:
description: Header defines an HTTP Header.
type: object
properties:
name:
type: string
value:
type: string
responseHeaders:
description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy.
type: object
properties:
add:
type: array
items:
description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive.
type: object
properties:
always:
type: boolean
name:
type: string
value:
type: string
hide:
type: array
items:
type: string
ignore:
type: array
items:
type: string
pass:
type: array
items:
type: string
rewritePath:
type: string
upstream:
type: string
redirect:
description: ActionRedirect defines a redirect in an Action.
type: object
properties:
code:
type: integer
url:
type: string
return:
description: ActionReturn defines a return in an Action.
type: object
properties:
body:
type: string
code:
type: integer
type:
type: string
dos:
type: string
errorPages:
type: array
items:
description: ErrorPage defines an ErrorPage in a Route.
type: object
properties:
codes:
type: array
items:
type: integer
redirect:
description: ErrorPageRedirect defines a redirect for an ErrorPage.
type: object
properties:
code:
type: integer
url:
type: string
return:
description: ErrorPageReturn defines a return for an ErrorPage.
type: object
properties:
body:
type: string
code:
type: integer
headers:
type: array
items:
description: Header defines an HTTP Header.
type: object
properties:
name:
type: string
value:
type: string
type:
type: string
location-snippets:
type: string
matches:
type: array
items:
description: Match defines a match.
type: object
properties:
action:
description: Action defines an action.
type: object
properties:
pass:
type: string
proxy:
description: ActionProxy defines a proxy in an Action.
type: object
properties:
requestHeaders:
description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy.
type: object
properties:
pass:
type: boolean
set:
type: array
items:
description: Header defines an HTTP Header.
type: object
properties:
name:
type: string
value:
type: string
responseHeaders:
description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy.
type: object
properties:
add:
type: array
items:
description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive.
type: object
properties:
always:
type: boolean
name:
type: string
value:
type: string
hide:
type: array
items:
type: string
ignore:
type: array
items:
type: string
pass:
type: array
items:
type: string
rewritePath:
type: string
upstream:
type: string
redirect:
description: ActionRedirect defines a redirect in an Action.
type: object
properties:
code:
type: integer
url:
type: string
return:
description: ActionReturn defines a return in an Action.
type: object
properties:
body:
type: string
code:
type: integer
type:
type: string
conditions:
type: array
items:
description: Condition defines a condition in a MatchRule.
type: object
properties:
argument:
type: string
cookie:
type: string
header:
type: string
value:
type: string
variable:
type: string
splits:
type: array
items:
description: Split defines a split.
type: object
properties:
action:
description: Action defines an action.
type: object
properties:
pass:
type: string
proxy:
description: ActionProxy defines a proxy in an Action.
type: object
properties:
requestHeaders:
description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy.
type: object
properties:
pass:
type: boolean
set:
type: array
items:
description: Header defines an HTTP Header.
type: object
properties:
name:
type: string
value:
type: string
responseHeaders:
description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy.
type: object
properties:
add:
type: array
items:
description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive.
type: object
properties:
always:
type: boolean
name:
type: string
value:
type: string
hide:
type: array
items:
type: string
ignore:
type: array
items:
type: string
pass:
type: array
items:
type: string
rewritePath:
type: string
upstream:
type: string
redirect:
description: ActionRedirect defines a redirect in an Action.
type: object
properties:
code:
type: integer
url:
type: string
return:
description: ActionReturn defines a return in an Action.
type: object
properties:
body:
type: string
code:
type: integer
type:
type: string
weight:
type: integer
path:
type: string
policies:
type: array
items:
description: PolicyReference references a policy by name and an optional namespace.
type: object
properties:
name:
type: string
namespace:
type: string
route:
type: string
splits:
type: array
items:
description: Split defines a split.
type: object
properties:
action:
description: Action defines an action.
type: object
properties:
pass:
type: string
proxy:
description: ActionProxy defines a proxy in an Action.
type: object
properties:
requestHeaders:
description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy.
type: object
properties:
pass:
type: boolean
set:
type: array
items:
description: Header defines an HTTP Header.
type: object
properties:
name:
type: string
value:
type: string
responseHeaders:
description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy.
type: object
properties:
add:
type: array
items:
description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive.
type: object
properties:
always:
type: boolean
name:
type: string
value:
type: string
hide:
type: array
items:
type: string
ignore:
type: array
items:
type: string
pass:
type: array
items:
type: string
rewritePath:
type: string
upstream:
type: string
redirect:
description: ActionRedirect defines a redirect in an Action.
type: object
properties:
code:
type: integer
url:
type: string
return:
description: ActionReturn defines a return in an Action.
type: object
properties:
body:
type: string
code:
type: integer
type:
type: string
weight:
type: integer
upstreams:
type: array
items:
description: Upstream defines an upstream.
type: object
properties:
buffer-size:
type: string
buffering:
type: boolean
buffers:
description: UpstreamBuffers defines Buffer Configuration for an Upstream.
type: object
properties:
number:
type: integer
size:
type: string
client-max-body-size:
type: string
connect-timeout:
type: string
fail-timeout:
type: string
healthCheck:
description: HealthCheck defines the parameters for active Upstream HealthChecks.
type: object
properties:
connect-timeout:
type: string
enable:
type: boolean
fails:
type: integer
grpcService:
type: string
grpcStatus:
type: integer
headers:
type: array
items:
description: Header defines an HTTP Header.
type: object
properties:
name:
type: string
value:
type: string
interval:
type: string
jitter:
type: string
mandatory:
type: boolean
passes:
type: integer
path:
type: string
persistent:
type: boolean
port:
type: integer
read-timeout:
type: string
send-timeout:
type: string
statusMatch:
type: string
tls:
description: UpstreamTLS defines a TLS configuration for an Upstream.
type: object
properties:
enable:
type: boolean
keepalive:
type: integer
lb-method:
type: string
max-conns:
type: integer
max-fails:
type: integer
name:
type: string
next-upstream:
type: string
next-upstream-timeout:
type: string
next-upstream-tries:
type: integer
ntlm:
type: boolean
port:
type: integer
queue:
description: UpstreamQueue defines Queue Configuration for an Upstream.
type: object
properties:
size:
type: integer
timeout:
type: string
read-timeout:
type: string
send-timeout:
type: string
service:
type: string
sessionCookie:
description: SessionCookie defines the parameters for session persistence.
type: object
properties:
domain:
type: string
enable:
type: boolean
expires:
type: string
httpOnly:
type: boolean
name:
type: string
path:
type: string
secure:
type: boolean
slow-start:
type: string
subselector:
type: object
additionalProperties:
type: string
tls:
description: UpstreamTLS defines a TLS configuration for an Upstream.
type: object
properties:
enable:
type: boolean
type:
type: string
use-cluster-ip:
type: boolean
status:
description: VirtualServerRouteStatus defines the status for the VirtualServerRoute resource.
type: object
properties:
externalEndpoints:
type: array
items:
description: ExternalEndpoint defines the IP and ports used to connect to this resource.
type: object
properties:
ip:
type: string
ports:
type: string
message:
type: string
reason:
type: string
referencedBy:
type: string
state:
type: string
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
执行上述yaml命令
kubectl apply -f ns-and-sa.yaml
kubectl apply -f rbac.yaml
kubectl apply -f nginx-config.yaml
kubectl apply -f default-server-secret.yaml
前两条命令为 Ingress Controller 创建了一个独立的名字空间“nginx-ingress”,还有相应的账号和权限,这是为了访问 apiserver 获取 Service、Endpoint 信息用的;
后两条则是创建了一个 ConfigMap 和 Secret,用来配置 HTTP/HTTPS 服务。
kubectl apply -f k8s.nginx.org_virtualservers.yaml
kubectl apply -f k8s.nginx.org_virtualserverroutes.yaml
kubectl apply -f k8s.nginx.org_transportservers.yaml
kubectl apply -f k8s.nginx.org_policies.yaml
默认情况下,需要为 VirtualServer, VirtualServerRoute, TransportServer and Policy 创建自定义资源的定义。否则,Ingress Controller Pod 将不会变为 Ready 状态。
如果要禁用该要求,请将 -enable-custom-resources 命令行参数配置为 Readyfalse 并跳过此部分。
ingress controller
部署 Ingress Controller可以从官网找Nginx 示例 YAML,然后适配自己的应用还必须要做几处小改动:
- metadata 里的 name 要改成自己的名字,比如 ngx-kic-dep。
- spec.selector 和 template.metadata.labels 也要修改成自己的名字,比如还是用 ngx-kic-dep。
- containers.image 可以改用 apline 版本,加快下载速度,比如 nginx/nginx-ingress:2.2-alpine。
- 最下面的 args 要加上 -ingress-class=ngx-ink,也就是前面创建的 Ingress Class 的名字,这是让 Ingress Controller 管理 Ingress 的关键。
ingress-controller yml如下:
apiVersion: apps/v1
kind: Deployment
metadata:
name: ngx-kic-dep
namespace: nginx-ingress
spec:
replicas: 1
selector:
matchLabels:
app: ngx-kic-dep
template:
metadata:
labels:
app: ngx-kic-dep
app.kubernetes.io/name: nginx-ingress
spec:
serviceAccountName: nginx-ingress
automountServiceAccountToken: true
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- image: nginx/nginx-ingress:2.2-alpine
imagePullPolicy: IfNotPresent
name: nginx-ingress
ports:
- name: http
containerPort: 80
- name: https
containerPort: 443
- name: readiness-port
containerPort: 8081
- name: prometheus
containerPort: 9113
readinessProbe:
httpGet:
path: /nginx-ready
port: readiness-port
periodSeconds: 1
resources:
requests:
cpu: "100m"
memory: "128Mi"
#limits:
# cpu: "1"
# memory: "1Gi"
securityContext:
allowPrivilegeEscalation: false
# readOnlyRootFilesystem: true
runAsUser: 101 #nginx
runAsNonRoot: true
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
args:
- -nginx-configmaps=$(POD_NAMESPACE)/nginx-config
- -ingress-class=ngx-ink
Ingress Controller、Ingress Class 、Ingress 、Service关系图
kubectl apply 创建Ingress Controller对象
kubectl apply -f ingress-controller.yml
注意 Ingress Controller 位于名字空间“nginx-ingress”,所以查看状态需要用“-n”参数显式指定,否则我们只能看到“default”名字空间里的 Pod:
kubectl get deploy -n nginx-ingress
kubectl get pod -n nginx-ingress
测试Ingress Controller效果
使用命令kubectl port-forward把本地的端口映射到 Kubernetes 集群的某个 Pod 里
本地的 8080 端口映射到了 Ingress Controller Pod 的 80 端口:
kubectl port-forward -n nginx-ingress ngx-kic-dep-6fbdd9546-8gmkf 8080:80 &
curl 发测试请求的时候需要注意,因为 Ingress 的路由规则是 HTTP 协议,所以就不能用 IP 地址的方式访问,必须要用域名、URI。
可以修改 /etc/hosts 来手工添加域名解析,也可以使用 --resolve 参数,指定域名的解析规则,比如在这里我就把“ngx.test”强制解析到“127.0.0.1”,也就是被 kubectl port-forward 转发的本地地址:
curl --resolve ngx.test:8080:127.0.0.1 http://ngx.test:8080
和Service 对比,虽然都是把请求转发到了集群内部的 Pod,但 Ingress 的路由规则不再是 IP 地址,而是 HTTP 协议里的域名、URI 等要素。