Ingress为Kubernetes集群中的服务提供了入口,可以提供负载均衡、SSL终止和基于名称的虚拟主机,在生产环境中常用的Ingress有Traefik、Nginx、HAProxy、Istio等。在Kubernetes v1.1版中添加的Ingress用于从集群外部到集群内部Service的HTTP和HTTPS路由,流量从Internet到Ingress再到Service最后到Pod上,通常情况下,Ingress部署在所有的Node节点上。Ingress可以配置提供服务外部访问的URL、负载均衡、终止SSL,并提供基于域名的虚拟主机。但Ingress不会暴露任意端口或协议。
[root@k8s-master ~]# wget https://github.com/kubernetes/ingress-nginx/blob/ingress-nginx-3.4.0/deploy/static/provider/baremetal/deploy.yaml
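# 注意:上面的 github.com/.../blob/... 地址下载到的是 GitHub 的 HTML 页面,而不是 YAML 清单;应改用对应的 raw 地址:
# https://raw.githubusercontent.com/kubernetes/ingress-nginx/ingress-nginx-3.4.0/deploy/static/provider/baremetal/deploy.yaml
# 修改 deploy.yaml 中的镜像地址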
[root@k8s-master ~]# cat deploy.yaml | grep image:
image: registry.cn-hangzhou.aliyuncs.com/k8sos/ingress-controller:v0.48.1 # 修改这个(这是第三方镜像仓库,并非官方发布;生产环境应核对镜像来源,并用 @sha256 摘要固定镜像)
image: docker.io/jettech/kube-webhook-certgen:v1.3.0
image: docker.io/jettech/kube-webhook-certgen:v1.3.0
③ # 应用创建名称空间资源
[root@k8s-master ~]# kubectl apply -f deploy.yaml
③ # 查看ingress-nginx名称空间下的Pod(名称空间可以自行定义,-n 用于指定名称空间)
[root@k8s-master ~]# kubectl get pods -n ingress-nginx
NAME READY STATUS RESTARTS AGE
ingress-nginx-admission-create-x9md8 0/1 Completed 0 20m
ingress-nginx-admission-patch-vvrks 0/1 Completed 2 20m
ingress-nginx-controller-749c575f56-sgttt 1/1 Running 0 20m
④ # 指定名称空间查看pod的状态
[root@k8s-master ~]# kubectl describe pod -n ingress-nginx ingress-nginx-controller-749c575f56-sgttt
⑤ # 查看svc资源的信息,看到ingress端口号80/443(公司内有钱可以买弹性公网IP使用)
[root@k8s-master ~]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.1.21.89 <none> 80:30919/TCP,443:32494/TCP 21m
ingress-nginx-controller-admission ClusterIP 10.1.255.118 <none> 443/TCP 21m
部署ingress服务
# 编写资源清单
[root@k8s-master ~]# vi ingress.yaml
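# Deployment: runs the nginx demo Pod (label app=nginx).
kind: Deployment
apiVersion: apps/v1
metadata:
  name: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          # NOTE(review): an untagged image resolves to nginx:latest; pin a
          # specific tag or digest for anything beyond a demo.
          image: nginx
---
# Service: exposes the Pods labelled app=nginx on port 80.
kind: Service
apiVersion: v1
metadata:
  name: nginx
spec:
  ports:
    - port: 80
      targetPort: 80
  selector:
    app: nginx
---
# Ingress: routes HTTP requests for host www.test.com to the nginx Service.
kind: Ingress
# NOTE(review): the extensions/v1beta1 Ingress API was removed in Kubernetes
# v1.22. On newer clusters use networking.k8s.io/v1, whose backend schema
# differs (service.name / service.port.number) and which requires pathType.
apiVersion: extensions/v1beta1
metadata:
  name: nginx
spec:
  rules:  # routing rules
    - host: www.test.com
      http:
        paths:
          - backend:
              serviceName: nginx  # Service name, as listed by `kubectl get svc`
              servicePort: 80     # Service port, as listed by `kubectl get svc`
            # URL path to match (not a domain name; the domain is set by
            # `host`). "/" sends every path of the host to the backend.
            path: /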
以下为注解:
kubectl explain ingress.spec.rules.http.paths.pathType下的参数详解:
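# Exact: 精确匹配 URL 路径(区分大小写,不支持正则)
# Prefix: 按 / 分隔的路径前缀匹配(v1beta1 中未指定 pathType 时默认为 ImplementationSpecific;networking.k8s.io/v1 中必须显式指定 pathType)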
# 查看本机ingress的API版本(编写ingress资源清单时,apiVersion需要和下面当前机器显示的一致,如若报错可切换到旁边括号中的那个)
[root@k8s-master ~]# kubectl explain ingress
KIND: Ingress
VERSION: networking.k8s.io/v1 (extensions/v1beta1)
# 应用资源
[root@k8s-master ~]# kubectl apply -f ingress.yaml
# 查看pod的状态
[root@k8s-master ~]# kubectl get pods
nginx-6799fc88d8-5fw48 1/1 Running 0 97s
# 查看nginx的svc,并且访问svc可以访问
[root@k8s-master ~]# kubectl get svc
nginx ClusterIP 10.106.71.239 <none> 80/TCP 48m
[root@k8s-master ~]# curl 10.106.71.239
# 查看ingress的状态信息
[root@k8s-master ~]# kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
nginx <none> www.test.com 192.168.73.249 80 49m
# 查看ingress的端口号
[root@k8s-master ~]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.98.25.76 <none> 80:30566/TCP,443:31779/TCP 9m18s
# 用上面的ip进行本机hosts配置,浏览器访问(如若访问不通,hosts配置换另一台node节点的ip试试)
192.168.73.249 www.test.com # hosts配置
www.test.com:30566 # 浏览器访问
# 注:再配置一个服务,定义不同的域名并使用同一个端口访问,同样能访问通
结论:
nginx-ingress是将我们的ingress配置转换成nginx配置,以后所有的服务都走nginx,然后由nginx转发到对应的service里,并通过域名区分哪个域名对应哪个service,从而区分服务。所有的服务都走nginx-ingress的端口
ingress底层原理:使用nginx的反向代理来转发的
二、Basic Auth 认证(即文中的 auth-base)
[root@k8s-master ~]# yum install httpd-tools -y
[root@k8s-master ~]# htpasswd -c auth bertwu
New password:
Re-type new password:
Adding password for user bertwu
[root@k8s-master ~]# kubectl create secret generic basic-auth --from-file=auth
[root@k8s-master ~]# kubectl get secrets
NAME TYPE DATA AGE
basic-auth Opaque 1 12s
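ingress通过注解(annotations)启用Basic Auth(即文中的auth-base),下面编写资源清单。注意:ingress-nginx默认在Ingress所在的名称空间中查找该Secret,且Secret中的键名必须为auth(上面 --from-file=auth 生成的键名正是auth);Basic Auth的凭据只做了Base64编码,应配合HTTPS使用;Secret创建后,本地的auth文件应删除或妥善保管。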
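# Deployment: runs the nginx demo Pod (label app=nginx).
kind: Deployment
apiVersion: apps/v1
metadata:
  name: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          # NOTE(review): an untagged image resolves to nginx:latest; pin a
          # specific tag or digest for anything beyond a demo.
          image: nginx
---
# Service: exposes the Pods labelled app=nginx on port 80.
kind: Service
apiVersion: v1
metadata:
  name: nginx
spec:
  ports:
    - port: 80
      targetPort: 80
  selector:
    app: nginx
---
# Ingress: routes www.test.com to the nginx Service, protected by HTTP Basic Auth.
kind: Ingress
# NOTE(review): the networking.k8s.io/v1beta1 Ingress API was removed in
# Kubernetes v1.22. On newer clusters use networking.k8s.io/v1, whose backend
# schema differs (service.name / service.port.number) and which requires
# pathType.
apiVersion: networking.k8s.io/v1beta1
metadata:
  name: nginx
  # ingress-nginx enables Basic Auth through annotations.
  # NOTE(review): Basic Auth credentials are only Base64-encoded and this spec
  # has no tls section, so they cross the network in clear text over HTTP;
  # add TLS before using this outside a lab.
  annotations:
    # Authentication type: HTTP Basic Auth.
    nginx.ingress.kubernetes.io/auth-type: basic
    # Name of the Secret holding the htpasswd data. It is looked up in the
    # Ingress's namespace unless written as namespace/name, and must contain
    # the key `auth`.
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # Realm text shown in the client's credential prompt.
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required -SX'
spec:
  rules:  # routing rules
    - host: www.test.com
      http:
        paths:
          - backend:
              serviceName: nginx  # Service name, as listed by `kubectl get svc`
              servicePort: 80     # Service port, as listed by `kubectl get svc`
            # URL path to match (not a domain name; the domain is set by
            # `host`). "/" sends every path of the host to the backend.
            path: /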