Service详解
一. Service介绍
- 在kubernetes中,pod是应用程序的载体,可以通过pod的ip来访问应用程序,但是pod的ip地址不是固定的,意味着不方便直接采用pod的ip对服务进行访问
- 为了解决这个问题,kubernetes提供了Service资源,Service会对提供同一个服务的多个pod进行聚合,并且提供一个统一的入口地址。
- 通过访问Service的入口地址就能访问到后面的pod服务。
- 通过deploy创建有标签的pod,又通过标签选择器来控制pod,service通过标签选择器来选择有相同类型标签的pod
- Service在很多情况下只是一个概念,真正起作用的其实是kube-proxy服务进程,每个Node节点上都运行着一个kube-proxy服务进程
- 当创建Service的时候会通过api-server向etcd写入创建的service的信息,而kube-proxy会基于监听的机制发现这种Service的变动,然后它会将最新的Service信息转换成对应的访问规则。
- 首先要创建service,向apiserver发起请求,apiserver向etcd写入信息,kube-proxy发现apiserver向etcd写入信息,kube-proxy向node节点写规则
## 10.97.97.97:80 是service提供的访问入口
## 当访问这个入口的时候,可以发现后面有三个pod的服务在等待调用,
## kube-#proxy会基于rr(轮询)的策略,将请求分发到其中一个pod上去
## 这个规则会同时在集群内的所有节点上都生成,所以在任何一个节点上访问都可以。
[root@node1 ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 10.97.97.97:80 rr
-> 10.244.1.39:80 Masq 1 0 0
-> 10.244.1.40:80 Masq 1 0 0
-> 10.244.2.33:80 Masq 1 0 0
1. kube-proxy目前支持三种工作模式
1.1 userspace 模式
- 用户空间模式下,kube-proxy会为每一个Service创建一个监听端口,发向Cluster IP的请求被Iptables规则重定向到kube-proxy监听的端口上,kube-proxy根据LB算法选择一个提供服务的Pod并和其建立链接,以将请求转发到Pod上。
- 该模式下,kube-proxy充当了一个四层负责均衡器的角色。
- 由于kube-proxy运行在userspace中,在进行转发处理时会增加内核和用户空间之间的数据拷贝,虽然比较稳定,但是效率比较低。
- apiserver告诉kube-proxy要创建service,kube-proxy通过集群IP加规则,去访问,转发到pod上去
1.2 iptables 模式
-
iptables模式下,kube-proxy为service后端的每个Pod创建对应的iptables规则,直接将发向Cluster IP的请求重定向到一个Pod IP。
-
该模式下kube-proxy不承担四层负责均衡器的角色,只负责创建iptables规则。
-
该模式的优点是较userspace模式效率更高,但不能提供灵活的LB策略,当后端Pod不可用时也无法进行重试。
1.3 ipvs 模式
- ipvs模式和iptables类似,kube-proxy监控Pod的变化并创建相应的ipvs规则。
- ipvs相对iptables转发效率更高,ipvs支持更多的LB算法。
# 此模式必须安装ipvs内核模块,否则会降级为iptables
[root@k8s-master ~]# kubectl api-resources|grep cm
configmaps cm v1 true ConfigMap
cm 配置管理器/配置映射
# 开启ipvs,# 修改mode: "ipvs"
[root@k8s-master ~]# kubectl edit configmaps kube-proxy -n kube-system
configmap/kube-proxy edited
[root@k8s-master ~]#
mode: "ipvs"
查看标签:k8s-app=kube-proxy
[root@k8s-master ~]# kubectl get pods -n kube-system --show-labels|grep k8s-app=kube-proxy
kube-proxy-65lcn 1/1 Running 12 (64m ago) 9d controller-revision-hash=dd4c999cf,k8s-app=kube-proxy,pod-template-generation=1
kube-proxy-lw4z2 1/1 Running 12 (63m ago) 8d controller-revision-hash=dd4c999cf,k8s-app=kube-proxy,pod-template-generation=1
kube-proxy-zskvf 1/1 Running 13 (63m ago) 8d controller-revision-hash=dd4c999cf,k8s-app=kube-proxy,pod-template-generation=1
[root@k8s-master ~]#
[root@k8s-master ~]# kubectl delete pod -l k8s-app=kube-proxy -n kube-system
pod "kube-proxy-65lcn" deleted
pod "kube-proxy-lw4z2" deleted
pod "kube-proxy-zskvf" deleted
[root@k8s-node1 ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 172.17.0.1:30514 rr
TCP 172.17.0.1:31876 rr
TCP 192.168.232.132:30514 rr
TCP 192.168.232.132:31876 rr
TCP 10.96.0.1:443 rr
-> 192.168.232.128:6443 Masq 1 0 0
TCP 10.96.0.10:53 rr
-> 10.244.0.26:53 Masq 1 0 0
-> 10.244.0.27:53 Masq 1 0 0
TCP 10.96.0.10:9153 rr
-> 10.244.0.26:9153 Masq 1 0 0
-> 10.244.0.27:9153 Masq 1 0 0
TCP 10.99.32.163:80 rr
TCP 10.111.65.78:80 rr
TCP 10.244.1.0:30514 rr
TCP 10.244.1.0:31876 rr
UDP 10.96.0.10:53 rr
-> 10.244.0.26:53 Masq 1 0 0
-> 10.244.0.27:53 Masq 1 0 0
[root@k8s-node1 ~]#
二. Service类型
1. Service的资源清单文件
kind: Service # 资源类型
apiVersion: v1 # 资源版本
metadata: # 元数据
name: service # 资源名称
namespace: dev # 命名空间
spec: # 描述
selector: # 标签选择器,用于确定当前service代理哪些pod
app: nginx
type: # Service类型,指定service的访问方式
clusterIP: # 虚拟服务的ip地址
sessionAffinity: # session亲和性,支持ClientIP、None两个选项
ports: # 端口信息
- protocol: TCP
port: 3017 # service端口
targetPort: 5003 # pod端口
nodePort: 31122 # 主机端口
- ClusterIP:默认值,它是Kubernetes系统自动分配的虚拟IP,只能在集群内部访问
- NodePort:将Service通过指定的Node上的端口暴露给外部,通过此方法,就可以在集群外部访问服务
- LoadBalancer:使用外接负载均衡器完成到服务的负载分发,注意此模式需要外部云环境支持
- 自己在外搭建lb
- [外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-qVNBBlrn-1663253772842)(C:/Users/Administrator/AppData/Roaming/Typora/typora-user-images/image-20220915174454779.png)]
- ExternalName: 把集群外部的服务引入集群内部,直接使用
三. Service使用
1. 实验环境准备
-
在使用service之前,首先利用Deployment创建出3个pod,注意要为pod设置
app=nginx-pod
的标签 -
创建文件
[root@k8s-master manifest]# cat deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: pc-deployment
namespace: dev
spec:
replicas: 3
selector:
matchLabels:
app: nginx-pod
template:
metadata:
labels:
app: nginx-pod
spec:
containers:
- name: nginx
image: nginx:1.17.1
ports:
- containerPort: 80
[root@k8s-master manifest]#
- 运行
[root@k8s-master manifest]# kubectl apply -f deployment.yaml
deployment.apps/pc-deployment created
[root@k8s-master manifest]#
# 查看pod详情
[root@k8s-master manifest]# kubectl get -f deployment.yaml
NAME READY UP-TO-DATE AVAILABLE AGE
pc-deployment 3/3 3 3 17s
[root@k8s-master manifest]# kubectl get -f deployment.yaml -o wide
NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
pc-deployment 3/3 3 3 36s nginx nginx:1.17.1 app=nginx-pod
[root@k8s-master manifest]#
[root@k8s-master manifest]# kubectl get pods -n dev -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pc-deployment-66d5c85c96-6qj82 1/1 Running 0 61s 10.244.2.114 k8s-node2 <none> <none>
pc-deployment-66d5c85c96-dc7gr 1/1 Running 0 61s 10.244.1.100 k8s-node1 <none> <none>
pc-deployment-66d5c85c96-v8829 1/1 Running 0 61s 10.244.2.113 k8s-node2 <none> <none>
[root@k8s-master manifest]#
# 为了方便后面的测试,修改下三台nginx的
[root@k8s-master ~]# kubectl exec -itn dev pc-deployment-66d5c85c96-6qj82 -- /bin/sh
# echo "page 111" > /usr/share/nginx/html/index.html # exit
[root@k8s-master ~]# kubectl exec -itn dev pc-deployment-66d5c85c96-dc7gr -- /bin/sh
# echo "page 222" > /usr/share/nginx/html/index.html
# exit
[root@k8s-master ~]# kubectl exec -itn dev pc-deployment-66d5c85c96-v8829 -- /bin/sh
# echo "page 333" > /usr/share/nginx/html/index.html
# exit
[root@k8s-master ~]#
#修改完毕之后,访问测试
[root@k8s-master ~]# curl 10.244.2.114
page 111
[root@k8s-master ~]# curl 10.244.1.100
page 222
[root@k8s-master ~]# curl 10.244.2.113
page 333
[root@k8s-master ~]#
2. ClusterIP类型的Service
- 创建service文件
[root@k8s-master manifest]# cat service-clusterip.yaml
apiVersion: v1
kind: Service
metadata:
name: service-clusterip
namespace: dev
spec:
selector:
app: nginx-pod
type: ClusterIP
ports:
- port: 80 # Service端口
targetPort: 80 # pod端口
[root@k8s-master manifest]#
- 运行service
# 创建service
[root@k8s-master manifest]# kubectl apply -f service-clusterip.yaml
service/service-clusterip created
[root@k8s-master manifest]#
# 查看service
[root@k8s-master manifest]# kubectl get -f service-clusterip.yaml
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service-clusterip ClusterIP 10.98.207.217 <none> 80/TCP 20s
[root@k8s-master manifest]# kubectl get svc -n dev -o wide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service-clusterip ClusterIP 10.98.207.217 <none> 80/TCP 40s app=nginx-pod
[root@k8s-master manifest]#
# 查看service的详细信息
# 在这里有一个Endpoints列表,里面就是当前service可以负载到的服务入口
[root@k8s-master manifest]# kubectl describe svc service-clusterip -n dev
Name: service-clusterip
Namespace: dev
Labels: <none>
Annotations: <none>
Selector: app=nginx-pod
Type: ClusterIP
IP Family Policy: SingleStack
IP Families: IPv4
IP: 10.98.207.217
IPs: 10.98.207.217
Port: <unset> 80/TCP
TargetPort: 80/TCP
Endpoints: 10.244.1.100:80,10.244.2.113:80,10.244.2.114:80//这几个ip后端的rs或者pod所拥有的ip,这些ip会发生变化,重建pod
Session Affinity: None
Events: <none>
[root@k8s-master manifest]#
# 查看ipvs的映射规则
[root@k8s-master ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 10.98.207.217:80 rr
-> 10.244.1.100:80 Masq 1 0 0
-> 10.244.2.113:80 Masq 1 0 0
-> 10.244.2.114:80 Masq 1 0 0
# 访问 10.98.207.217:80 观察效果
[root@k8s-master manifest]# kubectl get svc -n dev -o wide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service-clusterip ClusterIP 10.98.207.217 <none> 80/TCP 95s app=nginx-pod
[root@k8s-master manifest]# curl 10.98.207.217
page 111
[root@k8s-master manifest]# curl 10.98.207.217
page 333
[root@k8s-master manifest]# curl 10.98.207.217
page 222
[root@k8s-master manifest]# curl 10.98.207.217
page 111
[root@k8s-master manifest]# curl 10.98.207.217
page 333
[root@k8s-master manifest]# curl 10.98.207.217
page 222
[root@k8s-master manifest]#
3. Endpoint
-
Endpoint是kubernetes中的一个资源对象,存储在etcd中,用来记录一个service对应的所有pod的访问地址,它是根据service配置文件中selector描述产生的。
-
一个Service由一组Pod组成,这些Pod通过Endpoints暴露出来,Endpoints是实现实际服务的端点集合。
-
service和pod之间的联系是通过endpoints实现的
-
Endpoint就像rs,会随着pod的变化而变化,service会读取endpoint的信息
[root@k8s-master ~]# kubectl get endpoints -n dev -o wide
NAME ENDPOINTS AGE
service-clusterip 10.244.1.100:80,10.244.2.113:80,10.244.2.114:80 17m
[root@k8s-master ~]#
4. 负载分发策略
-
对Service的访问被分发到了后端的Pod上去,目前kubernetes提供了两种负载分发策略:
- 如果不定义,默认使用kube-proxy的策略,比如随机、轮询
- 基于客户端地址的会话保持模式,即来自同一个客户端发起的所有请求都会转发到固定的一个Pod上
-
此模式可以使在spec中添加
sessionAffinity:ClientIP
选项 -
sessionAffinity 会话亲和,会话保持
# 查看ipvs的映射规则【rr 轮询】
grep -A 3 过滤下面3行
[root@k8s-master manifest]# ipvsadm -Ln|grep -A 3 '10.98.207.217'
TCP 10.98.207.217:80 rr
-> 10.244.1.100:80 Masq 1 0 0
-> 10.244.2.113:80 Masq 1 0 0
-> 10.244.2.114:80 Masq 1 0 0
[root@k8s-master manifest]#
# 循环访问测试
[root@k8s-master ~]# while true;do curl 10.98.207.217:80; sleep 2; done;
page 111
page 333
page 222
page 111
page 333
page 222
page 111
^C
[root@k8s-master ~]#
# 修改分发策略----sessionAffinity:ClientIP
[root@k8s-master manifest]# cat service-clusterip.yaml
apiVersion: v1
kind: Service
metadata:
name: service-clusterip
namespace: dev
spec:
sessionAffinity: ClientIP
selector:
app: nginx-pod
type: ClusterIP
ports:
- port: 80 # Service端口
targetPort: 80 # pod端口
[root@k8s-master manifest]#
[root@k8s-master manifest]# kubectl delete -f service-clusterip.yaml
service "service-clusterip" deleted
[root@k8s-master manifest]# kubectl apply -f service-clusterip.yaml
service/service-clusterip created
[root@k8s-master manifest]#
# 查看ipvs规则【persistent 代表持久】
[root@k8s-master manifest]# kubectl get svc -n dev
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service-clusterip ClusterIP 10.111.98.171 <none> 80/TCP 55s
[root@k8s-master manifest]# ipvsadm -Ln|grep -A 3 '10.111.98.171'
TCP 10.111.98.171:80 rr persistent 10800
-> 10.244.1.100:80 Masq 1 0 0
-> 10.244.2.113:80 Masq 1 0 0
-> 10.244.2.114:80 Masq 1 0 0
[root@k8s-master manifest]#
# 循环访问测试
[root@k8s-master ~]# while true;do curl 10.111.98.171; sleep 2; done;page 111
page 111
page 111
page 111
^C
[root@k8s-master ~]#
[root@k8s-master manifest]# ipvsadm -Ln|grep -A 3 '10.111.98.171'
TCP 10.111.98.171:80 rr persistent 10800
-> 10.244.1.100:80 Masq 1 0 0
-> 10.244.2.113:80 Masq 1 0 0
-> 10.244.2.114:80 Masq 1 0 11
[root@k8s-master manifest]#
# 删除service
[root@k8s-master manifest]# kubectl delete -f service-clusterip.yaml
service "service-clusterip" deleted
5. HeadLiness类型的Service
- 在某些场景中,开发人员可能不想使用Service提供的负载均衡功能,而希望自己来控制负载均衡策略
- 针对这种情况,kubernetes提供了HeadLiness Service,这类Service不会分配Cluster IP,如果想要访问service,只能通过service的域名进行查询。
5.1 创建service-headliness.yaml
[root@k8s-master manifest]# cat service-headliness.yaml
apiVersion: v1
kind: Service
metadata:
name: service-headliness
namespace: dev
spec:
selector:
app: nginx-pod
clusterIP: None # 将clusterIP设置为None,即可创建headliness Service,自动分配
type: ClusterIP
ports:
- port: 80
targetPort: 80
[root@k8s-master manifest]#
- 运行
# 创建service
[root@k8s-master manifest]# kubectl apply -f service-headliness.yaml
service/service-headliness created
[root@k8s-master manifest]#
# 获取service, 发现CLUSTER-IP未分配
[root@k8s-master manifest]# kubectl get svc service-headliness -n dev -o wide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service-headliness ClusterIP None <none> 80/TCP 28s app=nginx-pod
[root@k8s-master manifest]# kubectl get -f service-headliness.yamlNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service-headliness ClusterIP None <none> 80/TCP 35s
[root@k8s-master manifest]#
# 查看service详情
[root@k8s-master manifest]# kubectl describe svc service-headliness -n dev
Name: service-headliness
Namespace: dev
Labels: <none>
Annotations: <none>
Selector: app=nginx-pod
Type: ClusterIP
IP Family Policy: SingleStack
IP Families: IPv4
IP: None
IPs: None
Port: <unset> 80/TCP
TargetPort: 80/TCP
Endpoints: 10.244.1.100:80,10.244.2.113:80,10.244.2.114:80
Session Affinity: None
Events: <none>
[root@k8s-master manifest]#
# 查看域名的解析情况
[root@k8s-master ~]# kubectl get pods -n dev
NAME READY STATUS RESTARTS AGE
pc-deployment-66d5c85c96-6qj82 1/1 Running 0 59m
pc-deployment-66d5c85c96-dc7gr 1/1 Running 0 59m
pc-deployment-66d5c85c96-v8829 1/1 Running 0 59m
[root@k8s-master ~]# kubectl exec -itn dev pc-deployment-66d5c85c96-6qj82 -- /bin/sh
# cat /etc/resolv.conf
search dev.svc.cluster.local svc.cluster.local cluster.local
nameserver 10.96.0.10
options ndots:5
#
没有dig命令
- 没有dig命令,新增一个pod
[root@k8s-master manifest]# cat deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: pc-deployment
namespace: dev
spec:
replicas: 3
selector:
matchLabels:
app: nginx-pod
template:
metadata:
labels:
app: nginx-pod
spec:
containers:
- name: b1
image: busybox:latest
command: ["/bin/sleep","6000"]
- name: nginx
image: nginx:1.17.1
ports:
- containerPort: 80
[root@k8s-master manifest]#
[root@k8s-master manifest]# kubectl apply -f deployment.yaml
deployment.apps/pc-deployment created
[root@k8s-master manifest]# kubectl get pods -n dev
NAME READY STATUS RESTARTS AGE
pc-deployment-854fc846fb-2h9h9 2/2 Running 0 18s
pc-deployment-854fc846fb-4skbc 2/2 Running 0 18s
pc-deployment-854fc846fb-6r8rl 2/2 Running 0 18s
[root@k8s-master manifest]# kubectl get -f deployment.yaml
NAME READY UP-TO-DATE AVAILABLE AGE
pc-deployment 3/3 3 3 21s
[root@k8s-master manifest]#
[root@k8s-master manifest]# cat service-headliness.yaml
apiVersion: v1
kind: Service
metadata:
name: service-headliness
namespace: dev
spec:
selector:
app: nginx-pod
clusterIP: None # 将clusterIP设置为None,即可创建headliness Service
type: ClusterIP
ports:
- port: 80
targetPort: 80
[root@k8s-master manifest]# kubectl apply -f service-headliness.yaml
service/service-headliness created
[root@k8s-master manifest]#
[root@k8s-master manifest]# kubectl exec -itn dev pc-deployment-854fc846fb-2h9h9 -c b1 -- /bin/sh
/ # cat /etc/resolv.confsearch dev.svc.cluster.local svc.cluster.local cluster.local
nameserver 10.96.0.10
options ndots:5
/ # nslookup service-headliness.dev.svc.cluster.local
Server: 10.96.0.10
Address: 10.96.0.10:53
*** Can't find service-headliness.dev.svc.cluster.local: No answer
/ #
6. NodePort类型的Service
- 在之前的样例中,创建的Service的ip地址只有集群内部才可以访问
- 如果希望将Service暴露给集群外部使用,那么就要使用到另外一种类型的Service,称为NodePort类型。
- NodePort的工作原理其实就是将service的端口映射到Node的一个端口上,然后就可以通过
NodeIp:NodePort
来访问service了。
6.1 创建service-nodeport.yaml
[root@k8s-master manifest]# cat service-nodeport.yaml
apiVersion: v1
kind: Service
metadata:
name: service-nodeport
namespace: dev
spec:
selector:
app: nginx-pod
type: NodePort # service类型
ports:
- port: 80
nodePort: 30002 # 指定绑定的node的端口(默认的取值范围是:30000-32767), 如果不指定,会默认分配
targetPort: 80
- 运行service
# 创建service
[root@k8s-master manifest]# kubectl apply -f service-nodeport.yaml
service/service-nodeport created
# 查看service
[root@k8s-master manifest]# kubectl get -f service-nodeport.yaml
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service-nodeport NodePort 10.110.181.129 <none> 80:30002/TCP 9s
[root@k8s-master manifest]# kubectl get -f service-nodeport.yaml -o wide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service-nodeport NodePort 10.110.181.129 <none> 80:30002/TCP 52s app=nginx-pod
[root@k8s-master manifest]#
# 接下来可以通过电脑主机的浏览器去访问集群中任意一个nodeip的30002端口,即可访问到pod
- 访问:http://192.168.232.128:30002/
7. LoadBalancer类型的Service
- LoadBalancer和NodePort很相似,目的都是向外部暴露一个端口
- 区别在于LoadBalancer会在集群的外部再来做一个负载均衡设备,而这个设备需要外部环境支持的,外部服务发送到这个设备上的请求,会被设备负载之后转发到集群中。
- LB:lvs,nginx,haproxy
- 用户通过vip访问到负载均衡设备,lb设备转发到节点端口号上去,service在转发到目标的设备上去。
8. ExternalName类型的Service
- ExternalName类型的Service用于引入集群外部的服务
- 它通过
externalName
属性指定外部一个服务的地址,然后在集群内部访问此service就可以访问到外部的服务了。
8.1 创建service-externalname.yaml
[root@k8s-master manifest]# cat service-externalname.yaml
apiVersion: v1
kind: Service
metadata:
name: service-externalname
namespace: dev
spec:
type: ExternalName # service类型
externalName: www.baidu.com #改成ip地址也可以
[root@k8s-master manifest]#
- 运行
# 创建service
[root@k8s-master manifest]# kubectl apply -f service-externalname.yaml
service/service-externalname created
[root@k8s-master manifest]# kubectl get -f service-externalname.yaml -o wide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service-externalname ExternalName <none> www.baidu.com <none> 31s <none>
# 域名解析
# 域名解析
[root@k8s-master01 ~]# dig @10.96.0.10 service-externalname.dev.svc.cluster.local
service-externalname.dev.svc.cluster.local. 30 IN CNAME www.baidu.com.
www.baidu.com. 30 IN CNAME www.a.shifen.com.
www.a.shifen.com. 30 IN A 39.156.66.18
www.a.shifen.com. 30 IN A 39.156.66.14
四. Ingress介绍
1. Service对集群之外暴露服务的主要方式有两种
- NotePort
- LoadBalancer
1.1 两种方式的缺点:
- NodePort方式的缺点是会占用很多集群机器的端口,那么当集群服务变多的时候,这个缺点就愈发明显(集群服务变多,使用的端口号也变多,导致端口号不够用)
- LB方式的缺点是每个service需要一个LB,浪费、麻烦,并且需要kubernetes之外设备的支持
1.2 基于这种现状,kubernetes提供了Ingress资源对象,Ingress只需要一个NodePort或者一个LB就可以满足暴露多个Service的需求
- 工作机制大致如下图表示:
-
客户端通过访问ingress访问service,客户端访问ingress,ingress转发到service
-
实际上,Ingress相当于一个7层的负载均衡器,是kubernetes对反向代理的一个抽象
-
它的工作原理类似于Nginx,可以理解成在Ingress里建立诸多映射规则,Ingress Controller通过监听这些配置规则并转化成Nginx的反向代理配置 , 然后对外部提供服务
-
在这里有两个核心概念:
- ingress:kubernetes中的一个对象,作用是定义请求如何转发到service的规则
- ingress controller(ingress 控制器):具体实现反向代理及负载均衡的程序,对ingress定义的规则进行解析,根据配置的规则来实现请求转发,实现方式有很多,比如Nginx, Contour, Haproxy等等
-
Ingress(以Nginx为例)的工作原理如下:
- 用户编写Ingress规则,说明哪个域名对应kubernetes集群中的哪个Service
- Ingress控制器动态感知Ingress服务规则的变化,然后生成一段对应的Nginx反向代理配置
- Ingress控制器会将生成的Nginx配置写入到一个运行着的Nginx服务中,并动态更新
- 到此为止,其实真正在工作的就是一个Nginx了,内部配置了用户定义的请求转发规则
- ingress service写规则,控制器通过k8s api感知规则,通过规则转发到nginx的代理(pod,做负载均衡的),nginx代理通过service转发到后端的pod
2. Ingress使用
2.1 环境准备
2.1.1 搭建ingress环境
# 创建文件夹
[root@k8s-master ~]# mkdir ingress-controller
[root@k8s-master ~]# cd ingress-controller
# 获取ingress-nginx,本次案例使用的是1.31版本
# 修改deploy.yaml文件中的仓库
# 修改quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0
# 为dyrnq/ingress-nginx-controller:v1.3.1
[root@k8s-master ingress-controller]# grep image deploy.yaml
image: dyrnq/ingress-nginx-controller:v1.3.1
imagePullPolicy: IfNotPresent
image: dyrnq/kube-webhook-certgen:v1.3.0
imagePullPolicy: IfNotPresent
image: dyrnq/kube-webhook-certgen:v1.3.0
imagePullPolicy: IfNotPresent
[root@k8s-master ingress-controller]#
# 创建ingress-nginx
[root@k8s-master ingress-controller]# kubectl apply -f deploy.yaml
# 查看ingress-nginx
[root@k8s-master ~]# kubectl get pods -n ingress-nginx
NAME READY STATUS RESTARTS AGE
ingress-nginx-admission-create-zrp92 0/1 Completed 0 49s
ingress-nginx-admission-patch-s2fj5 0/1 Completed 0 49s
ingress-nginx-controller-5dbc974cb-frg8k 1/1 Running 0 49s
# 查看service
[root@k8s-master ingress-controller]# kubectl get svc -n ingress-nginxNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.98.68.101 <none> 80:31313/TCP,443:32641/TCP 44s
ingress-nginx-controller-admission ClusterIP 10.99.52.229 <none> 443/TCP 44s
[root@k8s-master ingress-controller]#
- 文件如下
[root@k8s-master ~]# cat ingress-controller/deploy.yaml
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
name: ingress-nginx
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resourceNames:
- ingress-controller-leader
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- apiGroups:
- coordination.k8s.io
resourceNames:
- ingress-controller-leader
resources:
- leases
verbs:
- get
- update
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-admission
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
- namespaces
verbs:
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-admission
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- get
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-admission
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: v1
data:
allow-snippet-annotations: "true"
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-controller
namespace: ingress-nginx
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
externalTrafficPolicy: Local
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- appProtocol: http
name: http
port: 80
protocol: TCP
targetPort: http
- appProtocol: https
name: https
port: 443
protocol: TCP
targetPort: https
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
type: NodePort
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-controller-admission
namespace: ingress-nginx
spec:
ports:
- appProtocol: https
name: https-webhook
port: 443
targetPort: webhook
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
minReadySeconds: 0
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
template:
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
spec:
containers:
- args:
- /nginx-ingress-controller
- --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
- --election-id=ingress-controller-leader
- --controller-class=k8s.io/ingress-nginx
- --ingress-class=nginx
- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
image: dyrnq/ingress-nginx-controller:v1.3.1
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: controller
ports:
- containerPort: 80
name: http
protocol: TCP
- containerPort: 443
name: https
protocol: TCP
- containerPort: 8443
name: webhook
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: 100m
memory: 90Mi
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
runAsUser: 101
volumeMounts:
- mountPath: /usr/local/certificates/
name: webhook-cert
readOnly: true
dnsPolicy: ClusterFirst
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: ingress-nginx
terminationGracePeriodSeconds: 300
volumes:
- name: webhook-cert
secret:
secretName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-admission-create
namespace: ingress-nginx
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-admission-create
spec:
containers:
- args:
- create
- --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- --secret-name=ingress-nginx-admission
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: dyrnq/kube-webhook-certgen:v1.3.0
imagePullPolicy: IfNotPresent
name: create
securityContext:
allowPrivilegeEscalation: false
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
securityContext:
fsGroup: 2000
runAsNonRoot: true
runAsUser: 2000
serviceAccountName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-admission-patch
namespace: ingress-nginx
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-admission-patch
spec:
containers:
- args:
- patch
- --webhook-name=ingress-nginx-admission
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- --secret-name=ingress-nginx-admission
- --patch-failure-policy=Fail
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: dyrnq/kube-webhook-certgen:v1.3.0
imagePullPolicy: IfNotPresent
name: patch
securityContext:
allowPrivilegeEscalation: false
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
securityContext:
fsGroup: 2000
runAsNonRoot: true
runAsUser: 2000
serviceAccountName: ingress-nginx-admission
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: nginx
spec:
controller: k8s.io/ingress-nginx
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.1
name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: ingress-nginx-controller-admission
namespace: ingress-nginx
path: /networking/v1/ingresses
failurePolicy: Fail
matchPolicy: Equivalent
name: validate.nginx.ingress.kubernetes.io
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
sideEffects: None
2.1.2 准备service和pod
- 创建tomcat-nginx.yaml
[root@k8s-master ingress-controller]# cat tomcat-nginx.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
namespace: dev
spec:
replicas: 3
selector:
matchLabels:
app: nginx-pod
template:
metadata:
labels:
app: nginx-pod
spec:
containers:
- name: nginx
image: nginx:1.17.1
ports:
- containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: tomcat-deployment
namespace: dev
spec:
replicas: 3
selector:
matchLabels:
app: tomcat-pod
template:
metadata:
labels:
app: tomcat-pod
spec:
containers:
- name: tomcat
image: tomcat:8.5-jre10-slim
ports:
- containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: nginx-service
namespace: dev
spec:
selector:
app: nginx-pod
type: ClusterIP
ports:
- port: 80
targetPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: tomcat-service
namespace: dev
spec:
selector:
app: tomcat-pod
type: ClusterIP
ports:
- port: 8080
targetPort: 8080
[root@k8s-master ingress-controller]#
- 运行
# 创建
[root@k8s-master ingress-controller]# kubectl apply -f tomcat-nginx.yaml
deployment.apps/nginx-deployment created
deployment.apps/tomcat-deployment created
service/nginx-service created
service/tomcat-service created
[root@k8s-master ingress-controller]#
# 查看
[root@k8s-master ingress-controller]# kubectl get svc -n devNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
nginx-service ClusterIP 10.100.3.46 <none> 80/TCP 74s
tomcat-service ClusterIP 10.100.176.2 <none> 8080/TCP 74s
[root@k8s-master ingress-controller]# kubectl get -f tomcat-nginx.yaml
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/nginx-deployment 3/3 3 3 83s
deployment.apps/tomcat-deployment 3/3 3 3 83s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/nginx-service ClusterIP 10.100.3.46 <none> 80/TCP 83s
service/tomcat-service ClusterIP 10.100.176.2 <none> 8080/TCP 83s
[root@k8s-master ingress-controller]#
3. Http代理
- 创建ingress-http.yaml
[root@k8s-master ingress-controller]# cat ingress-http.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-http
namespace: dev
spec:
rules:
- host: nginx.mushuang.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: nginx-service
port:
number: 80
- host: tomcat.mushuang.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: tomcat-service
port:
number: 8080
[root@k8s-master ingress-controller]#
- 运行
# 创建
[root@k8s-master ingress-controller]# kubectl apply -f ingress-http.yaml
ingress.networking.k8s.io/ingress-http created
# 查看
[root@k8s-master ingress-controller]# kubectl get -f ingress-http.yaml
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-http <none> nginx.mushuang.com,tomcat.mushuang.com 80 7s
[root@k8s-master ingress-controller]# kubectl get ing ingress-http -n dev
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-http <none> nginx.mushuang.com,tomcat.mushuang.com 80 2m8s
[root@k8s-master ingress-controller]#
# 查看详情
[root@k8s-master ingress-controller]# kubectl describe ing ingress-http -n dev
Name: ingress-http
Labels: <none>
Namespace: dev
Address:
Ingress Class: <none>
Default backend: <default>
Rules:
Host Path Backends
---- ---- --------
nginx.mushuang.com
/ nginx-service:80 (10.244.1.117:80,10.244.2.131:80,10.244.2.133:80)
tomcat.mushuang.com
/ tomcat-service:8080 (10.244.1.115:8080,10.244.1.116:8080,10.244.2.132:8080)
Annotations: <none>
Events: <none>
[root@k8s-master ingress-controller]#
# 接下来,在本地电脑上配置host文件,解析上面的两个域名到192.168.232.128(master)上
# 然后,就可以分别访问tomcat.mushuang.com:32240 和 nginx.mushuang.com:32240 查看效果了
4. Https代理
- 创建证书
# 生成证书
[root@k8s-master ~]# mkdir crt
[root@k8s-master ~]# cd crt/
[root@k8s-master crt]# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/C=CN/ST=HB/L=WH/O=nginx/CN=mushuang.com"
Generating a RSA private key
...................+++++
................................................+++++
writing new private key to 'tls.key'
-----
# 创建密钥
[root@k8s-master crt]# kubectl create secret tls tls-secret --key tls.key --cert tls.crt
secret/tls-secret created
[root@k8s-master crt]#