Ingress简介
在Kubernetes中,服务和Pod的IP地址仅可以在集群网络内部使用,对于集群外的应用是不可见的。为了使外部的应用能够访问集群内的服务,在Kubernetes 目前提供了以下几种方案:
NodePort
LoadBalancer(负载均衡)
Ingress(入口)
Ingress 组成
ingress controller
将新加入的Ingress转化成Nginx的配置文件并使之生效
ingress服务
将Nginx的配置抽象成一个Ingress对象,每添加一个新的服务只需写一个新的Ingress的yaml文件即可
ingress工作原理
- ingress controller通过和kubernetes api交互,动态的去感知集群中ingress规则变化,
- 然后读取它,按照自定义的规则,规则就是写明了哪个域名对应哪个service,生成一段nginx配置
- 再写到nginx-ingress-control的pod里,这个Ingress controller的pod里运行着一个Nginx服务,控制器会把生成的nginx配置写入/etc/nginx.conf文件中
- 然后reload一下使配置生效。以此达到域名分配置和动态更新的问题
Ingress 可以解决什么问题
1.动态配置服务
如果按照传统方式, 当新增加一个服务时, 我们可能需要在流量入口加一个反向代理指向我们新的k8s服务. 而如果用了Ingress, 只需要配置好这个服务, 当服务启动时, 会自动注册到Ingress的中, 不需要而外的操作.
2.减少不必要的端口暴露
配置过k8s的都清楚, 第一步是要关闭防火墙的, 主要原因是k8s的很多服务会以NodePort方式映射出去, 这样就相当于给宿主机打了很多孔, 既不安全也不优雅. 而Ingress可以避免这个问题, 除了Ingress自身服务可能需要映射出去, 其他服务都不要用NodePort方式
一、实验需求:
资源 | 条件 |
---|---|
deployment1 | nginx镜像,replicas:3 |
deploument2 | httpd镜像,replicas:4 |
service1 | 绑定deployment1 |
service2 | 绑定deployment2 |
//这里我们写两个yaml文件deployment和svc写成一个
[root@master yaml]# vim deployment1.yaml
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
name: deploy1
spec:
replicas: 3
template:
metadata:
labels:
app: test1
spec:
containers:
- name: test1
image: nginx
ports:
- containerPort: 80
---
kind: Service
apiVersion: v1
metadata:
name: svc1
spec:
selector:
app: test1
ports:
- protocol: TCP
port: 80
targetPort: 80
[root@master yaml]# vim deployment2.yaml
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
name: deploy2
spec:
replicas: 4
template:
metadata:
labels:
app: test2
spec:
containers:
- name: test2
image: httpd
ports:
- containerPort: 80
---
kind: Service
apiVersion: v1
metadata:
name: svc2
spec:
selector:
app: test2
ports:
- protocol: TCP
port: 80
targetPort: 80
二、部署Ingress
//部署Ingress-controller.可以在GitHub上找到,这里我们部署的是Ingress:0.35.0版本
//这里我们可以先保存Ingress的yaml文件,可以查看都做了什么,也方便我们后期管理
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.35.0/deploy/static/provider/baremetal/deploy.yaml
//这里使用的镜像,是国外的镜像,需要科学上网获得
这里我使用提前准备好的ingress.yaml
[root@master yaml]# ls
deployment1.yaml deployment2.yaml deploy.yaml
[root@master yaml]# vim deploy.yaml
...
329 spec:
330 hostNetwork: true //这里添加字段
331 dnsPolicy: ClusterFirst
332 containers:
333 - name: controller334 image: quay.io/kubernetes-ingress-controller/nginx-ingress-c ontroller:0.30.0
335 imagePullPolicy: IfNotPresent
336 lifecycle:
337 preStop:
338 exec:
339 command:
340 - /wait-shutdown
...
运行
[root@master yaml]# kubectl apply -f deploy.yaml
namespace/ingress-nginx created
serviceaccount/ingress-nginx created
configmap/ingress-nginx-controller created
clusterrole.rbac.authorization.k8s.io/ingress-nginx created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx created
role.rbac.authorization.k8s.io/ingress-nginx created
rolebinding.rbac.authorization.k8s.io/ingress-nginx created
service/ingress-nginx-controller-admission created
service/ingress-nginx-controller created
deployment.apps/ingress-nginx-controller created
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission created
clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
job.batch/ingress-nginx-admission-create created
job.batch/ingress-nginx-admission-patch created
role.rbac.authorization.k8s.io/ingress-nginx-admission created
rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
serviceaccount/ingress-nginx-admission created
[root@master yaml]# kubectl get pod -n ingress-nginx
NAME READY STATUS RESTARTS AGE
ingress-nginx-admission-create-vtwk8 0/1 Completed 0 5m36s
ingress-nginx-admission-patch-np2jk 0/1 Completed 0 5m36s
ingress-nginx-controller-674c958759-nrp98 1/1 Running 0 5m46s
[root@master yaml]