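Ingress is a global load-balancing service set up to proxy different backend Services. Ingress consists of two parts: the Ingress controller and the Ingress service.
The Ingress Controller provides the corresponding proxy capability according to the Ingress objects you define. The reverse-proxy projects commonly used in the industry, such as Nginx, HAProxy, Envoy and Traefik, all maintain a dedicated Ingress Controller for Kubernetes.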
Installing Ingress
First, pull the image, or import the image and upload it to the private registry.
Apply the configuration files to deploy ingress; the files are obtained from the official website.
Apply the ingress controller definition file
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/mandatory.yaml
Apply the ingress-service definition file
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/provider/baremetal/service-nodeport.yaml
kubectl apply -f deploy.yaml
Deploying the routing rules

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
spec:
  rules:
  - host: www1.westos.org   # routes to the my-app svc
    http:
      paths:
      - path: /
        backend:
          serviceName: my-app
          servicePort: 80
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-nginx
spec:
  rules:
  - host: www2.westos.org   # routes to the my-nginx svc
    http:
      paths:
      - path: /
        backend:
          serviceName: my-nginx
          servicePort: 80

kubectl apply -f ingress.yaml
Creating the backend nodes and svc
vim deployment.yaml
kubectl apply -f deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: mynginx-deployment
  labels:
    app: mynginx   # corresponds to version v2
spec:
  replicas: 3
  selector:
    matchLabels:
      app: mynginx
  template:
    metadata:
      labels:
        app: mynginx
    spec:
      containers:
      - name: myapp
        image: myapp:v2
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deployment
  labels:
    app: myapp   # corresponds to version v1
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp
        image: myapp:v1

Create the two corresponding svc according to the two sets of labels
vim svc.yaml
kubectl apply -f svc.yaml

apiVersion: v1
kind: Service
metadata:
  name: my-app   # selects the label myapp
spec:
  ports:
  - name: http
    port: 80
    targetPort: 80
  selector:
    app: myapp
---
apiVersion: v1
kind: Service
metadata:
  name: my-nginx   # selects the label mynginx
spec:
  ports:
  - name: http
    port: 80
    targetPort: 80
  selector:
    app: mynginx

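Changing how the ingress SVC works
This step depends on the earlier loadbalance configuration; if that has not been completed, you cannot continue.
kubectl edit -n ingress-nginx svc ingress-nginx-controller
Check the svc status
Testing
On a host on the LAN, configure name resolution so that the domain names defined in the ingress resolve to the address obtained from the loadbalance.
vim /etc/hosts
Access the domain names to test; accessing the different addresses resolves to different version numbers.
Both domain names support load balancing.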
TLS configuration
Create the certificate and key
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
kubectl create secret tls tls-secret --key tls.key --cert tls.crt
Add the tls section to the ingress file and apply it

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  annotations:
    nginx.ingress.kubernetes.io/app-root: /hostname.html   # change the root path to the /hostname.html file; this rule is overridden by the rewrite rule
    nginx.ingress.kubernetes.io/rewrite-target: /$2   # rewrite the request path
    nginx.ingress.kubernetes.io/auth-type: basic   # user authentication
    nginx.ingress.kubernetes.io/auth-secret: basic-auth   # user authentication
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - westos'   # user authentication
spec:
  tls:
  - hosts:
    - www1.westos.org
    secretName: tls-secret
  rules:
  - host: www1.westos.org
    http:
      paths:
      - path: /westos(/|$)(.*)   # match the westos keyword; the string that follows it is substituted at $2
        backend:
          serviceName: my-app
          servicePort: 80

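The https rule is applied successfully
Test the https redirect from 80 to 443:
After user authentication is added
Log in to the page
Test the page
Test the rewrite policy; the content after westos is taken automatically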
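
The Python sketch below is an added example, not part of the original post or of ingress-nginx. It models how the path regex /westos(/|$)(.*) and rewrite-target /$2 from the TLS Ingress above turn a request path into the path the my-app backend receives. The names RULES and route are hypothetical, and the case-insensitive, start-anchored match is an assumption about the location the controller generates.

```python
import re

# Constructed model of the single rule in the TLS Ingress above.
# (host, path regex from spec.rules, rewrite-target annotation, backend svc)
RULES = [
    ("www1.westos.org", r"/westos(/|$)(.*)", "/$2", "my-app"),
]


def route(host, path, rules=RULES):
    """Return (service, upstream_path) for a request, or None if no rule matches."""
    # Locations are matched against the path only, never the query string.
    path = path.split("?", 1)[0]
    for rule_host, pattern, target, service in rules:
        if host.lower() != rule_host:
            continue
        # Assumption: the controller emits a case-insensitive regex location
        # anchored at the start of the path (nginx `~* "^..."`).
        m = re.match(pattern, path, re.IGNORECASE)
        if m is None:
            continue
        # nginx writes capture groups as $1, $2; Python templates use \g<n>.
        template = re.sub(r"\$(\d)", r"\\g<\1>", target)
        return service, m.expand(template)
    return None


if __name__ == "__main__":
    # Constructed sample requests covering the edge cases of the pattern.
    for p in ["/westos", "/westos/", "/westos/hostname.html",
              "/westosfoo", "/", "/westos/a/b?x=1"]:
        print(f"{p!r:28} -> {route('www1.westos.org', p)}")
```

Paths such as /westosfoo and / do not match this rule, so they never reach my-app through this Ingress.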