kubernetes之Ingress介绍

吉松松

已于 2023-04-17 14:47:29 修改

阅读量420

点赞数

分类专栏： kubernetes 文章标签： kubernetes 运维 nginx

于 2023-04-17 10:58:54 首次发布

本文链接：https://blog.csdn.net/m0_37642477/article/details/130194974

版权

kubernetes 专栏收录该内容

20 篇文章 1 订阅

订阅专栏

Ingress

组成

ingress controller
　　将新加入的Ingress转化成Nginx的配置文件并使之生效
ingress服务
　　将Nginx的配置抽象成一个Ingress对象，每添加一个新的服务只需写一个新的Ingress的yaml文件即可

工作原理

1.ingress controller通过和kubernetes api交互，动态的去感知集群中ingress规则变化，
2.然后读取它，按照自定义的规则，规则就是写明了哪个域名对应哪个service，生成一段nginx配置，
3.再写到nginx-ingress-control的pod里，这个Ingress controller的pod里运行着一个Nginx服务，控制器会把生成的nginx配置
写入/etc/nginx.conf文件中，
4.然后reload一下使配置生效。以此达到域名分配置和动态更新的问题。

访问原理

Ingress-nginx与Service之间通过匹配serviceName绑定,Service相当于给外界提供访问pod的端口，如果不采用ingress-nginx，
那么是由kube-proxy实现4层代理，只能通过ip访问，所以由NodePort的类型将端口暴露。如果采用ingress-nginx相当于在Service
前面加了一层代理，访问会先经过ingress-nginx,这样Service的类型就不需要变更为NodePort

测试部署

ingress-nginx.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
data:
  proxy-body-size: 100M

---
kind: ConfigMap
apiVersion: v1
metadata:
  name: tcp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---
kind: ConfigMap
apiVersion: v1
metadata:
  name: udp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses/status
    verbs:
      - update

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "<election-id>-<ingress-class>"
      # Here: "<ingress-controller-leader>-<nginx>"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx

---

apiVersion: apps/v1
#kind: Deployment
kind: DaemonSet
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  # replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
    spec:
      serviceAccountName: nginx-ingress-serviceaccount
      containers:
        - name: nginx-ingress-controller
          image: registry:5000/library/k8s/nginx-ingress-controller:0.25.0_x
          args:
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx
            - --annotations-prefix=nginx.ingress.kubernetes.io
          securityContext:
            allowPrivilegeEscalation: true
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            # www-data -> 33
            runAsUser: 33
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - name: http
              containerPort: 80
              hostPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              hostPort: 443
              protocol: TCP
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10

---

ingress.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress
spec:
  rules:
    - host: www.aaa.com
      http:
        paths:
          - backend:
              serviceName: myapp
              servicePort: 80
            path: /

#serviceName对应service服务名
$ kubectl get svc
NAME         TYPE        CLUSTER-IP        EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   241.254.0.1       <none>        443/TCP   40m
myapp        ClusterIP   241.254.50.93     <none>        80/TCP    37m
$ kubectl get ingress
NAME      CLASS    HOSTS                     ADDRESS   PORTS   AGE
ingress   <none>   www.aaa.com                         80      25m

#做宿主机host文件
$ cat /etc/hosts
192.168.234.134 www.aaa.com
$ curl www.aaa.com/hostname.html
myapp-deploy-6d4bc5cc76-g7tqw
$ curl www.aaa.com/hostname.html
myapp-deploy-6d4bc5cc76-jg4xf

https部署测试

#自签发证书，可以使用下面的语句，也可以阅读自制https的博客
$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/O=aaa/CN=*.aaa.com"

$ ll
总用量 8
-rw-r--r-- 1 root root 1131 9月  19 16:30 tls.crt
-rw-r--r-- 1 root root 1704 9月  19 16:30 tls.key

#导入证书文件到k8s secret（注意这边的nginx-test要和下面ingress.yaml文件中tls相对应）
$ kubectl create -n 名称空间(ingress.yaml所在名称空间，如果是default,可忽略) secret tls nginx-test --cert=tls.crt --key=tls.key
$ kubectl get secret
NAME                  TYPE                                  DATA   AGE
nginx-test            kubernetes.io/tls                     2      53m

#创建https的ingrss.yaml文件
$ cat ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false" #是否开启强制跳转,true/false,默认开启
spec:
  tls:
    - hosts:
        - www.aaa.com
      secretName: nginx-test
    #多域名配置
    #- hosts:
    #    - www.bbb.com
    #  secretName: nginx-bbb
  rules:
    - host: www.aaa.com
      http:
        paths:
          - backend:
              serviceName: myapp
              servicePort: 80
            path: /
    #- host: www.bbb.com
    #  http:
    #    paths:
    #      - backend:
    #          serviceName: myapp3
    #          servicePort: 80
    #        path: /

Ingress相关配置

通用配置

名称	描述	值
nginx.ingress.kubernetes.io/enable-access-log	对当前虚拟主机设置是否启用访问日志，默认为真	true 或 false
nginx.ingress.kubernetes.io/server-alias	为 Nginx 添加更多的主机名，同 Nginx 配置指令 server name	string
nginx.ingress.kubernetes.io/app-root	将当前虚拟主机根目录的访问 302 跳转到当前指定的路径	string
nginx.ingress.kubernetes.io/client-body-buffer-size	同 Nginx 配置指令 client_body_buffer_size	string
nginx.ingress.kubernetes.io/use-regex	指示在 Ingress 上定义的路径是否使用正则表达式默认值为 false	true 或 false
nginx.ingress.kubernetes.io/custom-http-errors	根据响应码状态定义为错误状态并跳转到设置的默认后端	[]int
nginx.ingress.kubernetes.io/default-backend	自定义默认后端的资源对象 Service 名称，当客户端的请求没有匹配的 Nginx 规则或响应错误时，将被转发到默认后端	string
nginx.ingress.kubernetes.io/whitelist-source-range	功能同 ConfigMap 配置键 whitelist-source-range	CIDR
nginx.ingress.kubernetes.io/permanent-redirect	设置永久重定向的目标地址	string
nginx.ingress.kubernetes.io/permanent-redirect-code	自定义永久重定向的响应码，默认为 301	number
nginx.ingress.kubernetes.io/temporal-redirect	设置临时重定向的目标地址	string
nginx.ingress.kubernetes.io/from-to-www-redirect	设置是否将当前虚拟主机子域名为 www 的请求跳转到当前主机域名	true 或 false
nginx.ingress.kubernetes.io/rewrite-target	同 Nginx 配置指令 rewrite	URI
nginx.ingress.kubernetes.io/enable-rewrite-log	同 Nginx 配置指令 rewrite log，默认为 false	true 或 false
nginx.ingress.kubernetes.io/mirror-uri	同 Nginx 配置指令 mirro	true 或 false
nginx.ingress.kubernetes.io/mirror-request-body	同 Nginx 配置指令 mirror_request_body，默认为 true	true 或 false

访问控制

名称	描述	值
nginx.ingress.kubernetes.io/limit-rate	访问流量速度限制，同 Nginx 配置指令 limit_rate	number
nginx.ingress.kubernetes.io/limit-rate-after	启用访问流量速度限制的最大值，同 Nginx 配置指令 limit_rate_after	number
nginx.ingress.kubernetes.io/limit-connections	节并发连接数限制，同 Nginx 配置指令 limit_conn	number
nginx.ingress.kubernetes.io/limit-rps	每秒请求频率限制，burst 参数为给定值的 5 倍，响应状态码由 ConfigMap 的 limit-req-status-code 设定	number
nginx.ingress.kubernetes.io/limit-rpm	每分钟请求频率限制，burst 参数为给定值的 5 倍，响应状态码由 ConfigMap 的 limit-req-status-code 设定	number
nginx.ingress.kubernetes.io/limit-whitelist	对以上限制设置基于 IP 的白名单	CIDR

认证管理
Nginx Ingress 提供了基本认证、摘要认证和外部认证 3 种方式，为被代理服务器提供认证支持。认证管理配置说明如下表所示

名称	描述	值
nginx.ingress.kubernetes.io/enable-global-auth	如果 ConfigMap 的 global-auth-url 被设置，Nginx 会将所有的请求重定向到提供身份验证的 URL，默认为 true	true 或 false
nginx.ingress.kubernetes.io/satisfy	同 Nginx 配置指令 satisfy	string
nginx.ingress.kubernetes.io/auth-type	设置 HTTP 认证类型，支持基本和摘要两种类型	basic 或 digest
nginx.ingress.kubernetes.io/auth-secret	指定关联资源对象 secret 的名称	string
nginx.ingress.kubernetes.io/auth-realm	设置基本认证的提示信息 auth_basic	string
nginx.ingress.kubernetes.io/auth-url	设置提供外部身份认证的 URL，由 Nginx 配置指令 auth_request 提供该功能	string
nginx.ingress.kubernetes.io/auth-signin	设置当外部认证返回 401 时跳转的 URL，通常为提示输入用户名和密码的 URL	string
nginx.ingress.kubernetes.io/auth-method	指定访问外部认证 URL 的 HTTP 方法，由 Nginx 配置指令 proxy_method 提供该功能	string
nginx.ingress.kubernetes.io/auth-request-redirect	设置发送给认证服务器请求头中 X-Auth-Request-Redirect 的值	string
nginx.ingress.kubernetes.io/auth-cache-key	启用认证缓存，并设置认证缓存的关键字	string
nginx.ingress.kubernetes.io/auth-cache-duration	基于响应码设置认证缓存的有效时间	string
nginx.ingress.kubernetes.io/auth-response-headers	设置认证请求完成后传递到真实后端的头信息	string
nginx.ingress.kubernetes.io/auth-snippet	可以自定义在外部认证指令区域添加 Nginx 配置指令	string

跨域访问

名称	描述	值
nginx.ingress.kubernetes.io/enable-cors	是否启用跨域访问支持，默认为 false	true 或 false
nginx.ingress.kubernetes.io/cors-allow-origin	允许跨域访问的域名，默认为 *，表示接受任意域名的访问	string
nginx.ingress.kubernetes.io/cors-allow-methods	允许跨域访问方法，默认为 GET、PUT、POST、DELETE、PATCH、OPTIONS	string
nginx.ingress.kubernetes.io/cors-allow-headers	允许跨域访问的请求头，默认为 DNT，X-CustomHeader、Keep-Alive、User-Agent、X-Requested-With、If-Modified-Since、Cache-Control、Content-Type、Authorization	string
nginx.ingress.kubernetes.io/cors-allow-credentials	设置在响应头中 Access-Control-Allow-Credentials 的值，设置是否允许客户端携带验证信息，如 cookie 等，默认为 true	true 或 false
nginx.ingress.kubernetes.io/cors-max-age	设置响应头中 Access-Control-Max-Age 的值，设置返回结果可以用于缓存的最长时间，默认为 1728000 秒	number

HTTPS配置

名称	描述	值
nginx.ingress.kubernetes.io/force-ssl-redirect	当客户端的 HTTPS 被外部集群进行 SSL 卸载（SSL offloading）时，仍将 HTTP 的请求强制跳转到 HTTPS 端口	true 或 false
nginx.ingress.kubernetes.io/ssl-redirect	设置当前虚拟主机支持 HTTPS 请求时，是否将 HTTP 的请求强制跳转到 HTTPS 端口，全局默认为 true	true 或 false
nginx.ingress.kubernetes.io/ssl-passthrough	设置是否启用 SSL 透传	true 或 false
nginx.ingress.kubernetes.io/auth-tls-secret	设置客户端证书的资源对象名称	string
nginx.ingress.kubernetes.io/ssl-ciphers	设置 TLS 用于协商使用的加密算法组合，同 Nginx 配置指令 ssl_ciphers	string
nginx.ingress.kubernetes.io/auth-tls-verify-client	是否启用客户端证书验证，同 Nginx 配置指令 ssl_verify_client	string
nginx.ingress.kubernetes.io/auth-tls-verify-depth	客户端证书链的验证深度同 Nginx 配置指令 ssl_verify_depth	number
nginx.ingress.kubernetes.io/auth-tls-error-page	设置客户端证书验证错误时的跳转页面	string
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream	指定证书是否传递到上游服务器	true 或 false
nginx.ingress.kubernetes.io/secure-verify-ca-secret	设置是否启用对被代理服务器的 SSL 证书验证功能	string