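Introduction to Ingress
- Overview
Kubernetes exposes Services externally and load-balances them through the kube-proxy service, and all of its modes are implemented at the transport layer. Real-world Internet applications need more than plain forwarding; they also need finer-grained policies, and using a real load balancer further increases operational flexibility and forwarding performance.
To meet these needs, Kubernetes introduced the Ingress resource object. Ingress gives Services application-layer forwarding features that can be reached directly from outside the cluster: virtual hosts, load balancing, SSL proxying, HTTP routing, and so on.
- How it works
Nginx Ingress consists of three parts: the Ingress resource object, the Ingress controller, and Nginx. The Ingress controller assembles Ingress resource instances into the Nginx configuration file (nginx.conf) and reloads Nginx so that the changed configuration takes effect. When it detects a change to the Pods behind a Service, it updates the Nginx upstream server group configuration dynamically, without reloading the Nginx process. The working principle is shown in the figure below. (In short, the controller automatically syncs forwarding policies and similar settings into the Nginx configuration file, and they take effect immediately.)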
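- Advantages
1. Can act as a layer-7 proxy
2. One node port can forward to multiple services
3. Better performance with nginx as the middleware
4. ingress-controller watches the services' forwarding rules and syncs them into the nginx configuration file without restarting the nginx service, so the impact on the business is small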
Deploying ingress-nginx
- Download the ingress-nginx deployment YAML file
https://github.com/kubernetes/ingress-nginx/blob/nginx-0.30.0/deploy/static/mandatory.yaml
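- Modify the YAML file
- Change the nginx-ingress-controller deployment kind from Deployment to DaemonSet
- Add tolerations (to deploy on the master nodes)
- Add hostNetwork: true (so that ports 80 and 443 of the node can be used)
- Remove the Service (leave the backend one alone)
- Deploy with apply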
[root@ranchar ingress]# kubectl get pod -n ingress-nginx
NAME READY STATUS RESTARTS AGE
default-http-backend-6f949b98f9-6r9pd 1/1 Running 1 32h
nginx-ingress-controller-8mbbf 1/1 Running 1 2d5h
nginx-ingress-controller-ldprm 1/1 Running 2 2d5h
nginx-ingress-controller-mrqcs 1/1 Running 2 2d5h
Test configuration
- HTTP test
1. Prepare the Deployment and Service resources
kubectl create deployment nginx --image=nginx:latest --dry-run -o yaml >nginx.yaml
kubectl expose deployment nginx --port=80 --target-port=80 --type=ClusterIP --dry-run -o yaml >nginx-svc.yaml
kubectl create ns dev
2. Merge and tidy the two files as follows
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx
  namespace: dev
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:latest
        name: nginx
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: nginx
  name: nginx
  namespace: dev
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  type: ClusterIP
3. Configure the Ingress resource
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx
  namespace: dev
spec:
  rules:
  - host: nginx.test.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx
          servicePort: 80
4. Once all resources are configured and deployed, configure the hosts file on the local machine
[root@ranchar ingress]# kubectl get all -n dev
NAME READY STATUS RESTARTS AGE
pod/nginx-55649fd747-6fssf 1/1 Running 0 32h
pod/nginx-55649fd747-6ssgh 1/1 Running 2 2d5h
pod/nginx-55649fd747-h4q6s 1/1 Running 0 32h
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/nginx ClusterIP 10.43.113.91 <none> 80/TCP 4m50s
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/nginx 3/3 3 3 2d5h
NAME DESIRED CURRENT READY AGE
replicaset.apps/nginx-55649fd747 3 3 3 2d5h
5. Test by opening the configured domain name in a browser
- HTTPS test
1. HTTPS requires a self-signed certificate
openssl genrsa -out nginx.key 2048
openssl req -new -x509 -key nginx.key -out nginx.crt -subj /C=CN/ST=Beijing/L=Chongqing/O=nginx/CN=nginx.test.com
kubectl create secret tls nginx-tls --cert=nginx.crt --key=nginx.key
[root@ranchar ingress]# kubectl get secret
NAME TYPE DATA AGE
default-token-6hv8r kubernetes.io/service-account-token 3 7d8h
nginx-tls kubernetes.io/tls 2 32h
2. Configure the Service and Ingress resources and deploy them
apiVersion: v1
kind: Service
metadata:
  name: nginxhttps
  namespace: dev
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-https
  namespace: dev
spec:
  rules:
  - host: nginx.test.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginxhttps
          servicePort: 80
  tls:
  - hosts:
    - nginx.test.com
    secretName: nginx-tls
[root@ranchar ingress]# kubectl get all -n dev
NAME READY STATUS RESTARTS AGE
pod/nginx-55649fd747-6fssf 1/1 Running 0 32h
pod/nginx-55649fd747-6ssgh 1/1 Running 2 2d5h
pod/nginx-55649fd747-h4q6s 1/1 Running 0 32h
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/nginxhttps ClusterIP 10.43.57.64 <none> 80/TCP 15s
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/nginx 3/3 3 3 2d5h
NAME DESIRED CURRENT READY AGE
replicaset.apps/nginx-55649fd747 3 3 3 2d5h
3. Test access from a local browser
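The certificate created in step 1 of the HTTPS test carries only a CN and gets openssl's default 30-day lifetime, and an Ingress only picks up a TLS Secret that sits in its own namespace (dev on this page). The script below is an added example, not part of the original page: it generates a pair with a subjectAltName and checks it before it is loaded into the cluster. The 365-day validity and the function names make_cert and check_pair are assumptions.

```bash
#!/usr/bin/env bash
# Added example. Host and file names follow the page; the 365-day validity,
# the SAN extension and the function names are assumptions. Needs OpenSSL 1.1.1+.
HOST="nginx.test.com"

# Create a key plus self-signed certificate that lists the host as a SAN.
make_cert() {  # make_cert <dir> <host> <days>
  openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
    -keyout "$1/nginx.key" -out "$1/nginx.crt" \
    -subj "/C=CN/O=nginx/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# Print "ok" and return 0 only if the pair is usable for <host>.
check_pair() {  # check_pair <crt> <key> <host> <min_days_left>
  local crt_pub key_pub
  # 1. The private key must belong to the certificate.
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$crt_pub" = "$key_pub" ] || { echo "key does not match certificate"; return 1; }
  # 2. A DNS SAN must be present: current browsers ignore the CN.
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -q "DNS:" \
    || { echo "no DNS subjectAltName"; return 1; }
  # 3. The SAN must cover the Ingress host.
  openssl x509 -in "$1" -noout -checkhost "$3" | grep -q "does match" \
    || { echo "certificate does not cover $3"; return 1; }
  # 4. Enough validity must remain.
  openssl x509 -in "$1" -noout -checkend "$(( $4 * 86400 ))" >/dev/null \
    || { echo "certificate expires within $4 days"; return 1; }
  echo "ok"
}

# Demo on a pair constructed in a temporary directory.
tmp=$(mktemp -d)
make_cert "$tmp" "$HOST" 365 && check_pair "$tmp/nginx.crt" "$tmp/nginx.key" "$HOST" 30
rm -rf "$tmp"
# The Secret then goes into the namespace of the Ingress that references it:
#   kubectl create secret tls nginx-tls --cert=nginx.crt --key=nginx.key -n dev
```

If the controller cannot find the referenced Secret, ingress-nginx serves its built-in default certificate instead, so a browser warning alone does not show which certificate is in use.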