k8s Ingress service
- Installing Ingress
- Deploying the routing rules
- Creating the backend nodes and svc
- Accessing ingress-nginx by domain name
- Ingress TLS configuration
Installing Ingress
- In Kubernetes, the Ingress service is a global load-balancing service set up to proxy to different backend Services.
- Ingress consists of two parts: the Ingress controller and the Ingress service.
- The Ingress Controller provides the corresponding proxying capability according to the Ingress objects you define. The reverse-proxy projects commonly used in the industry, such as Nginx, HAProxy, Envoy and Traefik, all maintain a dedicated Ingress Controller for Kubernetes.
- An ingress is the equivalent of a layer-7 load balancer; it is the Kubernetes abstraction of a reverse proxy. Its working principle is indeed similar to Nginx: think of it as defining mapping rules in the Ingress, after which the Ingress Controller watches the configuration rules in the Ingress API object, converts them into Nginx configuration (the Kubernetes declarative API plus control loop), and then serves external traffic. Ingress comprises the ingress controller and the ingress resources.
- ingress controller: at its core a Deployment. There are many implementations, such as nginx, Contour, HAProxy, Traefik and Istio. The YAML you need to write includes a Deployment, Service, ConfigMap and ServiceAccount (auth); the Service can be of type NodePort or LoadBalancer.
- ingress resources: a Kubernetes API object of kind Ingress; this part is aimed at developers.
Upload the image
- kubectl apply -f deploy.yaml
- kubectl get pod
Deploying the routing rules
[root@server1 pod]# cat ingress.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
spec:
  #tls:
  #- hosts:
  #  - www1.westos.org
  #  secretName: tls-secret
  rules:
  - host: www1.westos.org
    http:
      paths:
      - path: /
        backend:
          serviceName: my-app
          servicePort: 80
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-nginx
spec:
  rules:
  - host: www2.westos.org
    http:
      paths:
      - path: /
        backend:
          serviceName: my-nginx
          servicePort: 80
- kubectl apply -f ingress.yaml
- kubectl get ingress
Creating the backend nodes and svc
[root@server1 pod]# cat deployment1.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mynginx-deployment
  labels:
    app: mynginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: mynginx
  template:
    metadata:
      labels:
        app: mynginx
    spec:
      containers:
      - name: myapp
        image: myapp:v2
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deployment
  labels:
    app: myapp
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp
        image: myapp:v1
- kubectl apply -f deployment1.yml
- kubectl get pod
Create two Services, one for each of the two label sets
[root@server1 pod]# kubectl apply -f svc1.yaml
service/my-app configured
service/my-nginx created
[root@server1 pod]# cat svc1.yaml
apiVersion: v1
kind: Service
metadata:
  name: my-app
spec:
  ports:
  - name: http
    port: 80
    targetPort: 80
  selector:
    app: myapp
---
apiVersion: v1
kind: Service
metadata:
  name: my-nginx
spec:
  ports:
  - name: http
    port: 80
    targetPort: 80
  selector:
    app: mynginx
[root@server1 pod]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
my-app ClusterIP 10.106.191.91 <none> 80/TCP 3h21m
my-nginx ClusterIP 10.107.203.248 <none> 80/TCP 62s
Accessing ingress-nginx by domain name
Modify the ingress-nginx-controller Service configuration
[root@server1 pod]# kubectl -n ingress-nginx edit svc ingress-nginx-controller
service/ingress-nginx-controller edited
The LoadBalancer can be seen to have been assigned the IP 172.25.33.11:
[root@server1 pod]# kubectl -n ingress-nginx get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller LoadBalancer 10.101.224.25 172.25.33.11 80:32754/TCP,443:30685/TCP 5h41m
ingress-nginx-controller-admission ClusterIP 10.96.75.180 <none> 443/TCP 5h41m
Set up local name resolution
vim /etc/hosts
172.25.33.11 www1.westos.org www2.westos.org
Domain-name access test: each name reaches its corresponding service
[root@foundation33 mnt]# curl www1.westos.org
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
[root@foundation33 mnt]# curl www2.westos.org
Hello MyApp | Version: v2 | <a href="hostname.html">Pod Name</a>
Load-balancing test
Ingress TLS configuration
Create the crt and key, then generate the secret
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
kubectl create secret tls tls-secret --key tls.key --cert tls.crt
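The openssl command above sets CN=nginxsvc, so the resulting certificate never names www1.westos.org: a client that validates the host name (a browser, or curl without -k) rejects it even after trusting tls.crt, and modern clients match only the subjectAltName, not the CN. The shell example below is added here and is not from the original post. It issues a certificate whose SAN carries the Ingress host, checks a certificate against a host name before it goes into a Secret, and renders the same kubernetes.io/tls Secret that `kubectl create secret tls` would create. The host name is the post's; the temporary directory, the CN/O values and the function names are constructed here, and -addext requires OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the original post): self-signed certificate with a
# subjectAltName matching the Ingress host, a host-name check, and the TLS
# Secret manifest. The temp dir and the CN/O values are constructed here.

WORKDIR="$(mktemp -d)"

# make_self_signed_cert HOST OUTDIR
# Like the post's command, but CN and SAN both carry the real host name, so a
# client that trusts tls.crt also passes host-name verification.
make_self_signed_cert() {
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$2/tls.key" -out "$2/tls.crt" \
        -subj "/CN=$1/O=$1" \
        -addext "subjectAltName=DNS:$1" 2>/dev/null
}

# cert_covers_host CRT HOST -> prints yes or no
# Looks at the SAN list, which is what TLS clients match; a CN alone (as in
# the post's CN=nginxsvc certificate) does not count.
cert_covers_host() {
    if openssl x509 -in "$1" -noout -text | tr ', ' '\n\n' | grep -qxF "DNS:$2"; then
        echo yes
    else
        echo no
    fi
}

# tls_secret_manifest NAME CRT KEY -> kubernetes.io/tls Secret YAML on stdout
# Equivalent to `kubectl create secret tls NAME --cert CRT --key KEY`, written
# out so it can be reviewed before kubectl apply.
tls_secret_manifest() {
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: kubernetes.io/tls
data:
  tls.crt: $(base64 < "$2" | tr -d '\n')
  tls.key: $(base64 < "$3" | tr -d '\n')
EOF
}

mkdir -p "$WORKDIR/post" "$WORKDIR/fixed"

# The post's certificate: CN=nginxsvc and no SAN.
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$WORKDIR/post/tls.key" -out "$WORKDIR/post/tls.crt" \
    -subj "/CN=nginxsvc/O=nginxsvc" 2>/dev/null

# A certificate that actually names the Ingress host.
make_self_signed_cert www1.westos.org "$WORKDIR/fixed"

echo "post cert covers www1.westos.org:  $(cert_covers_host "$WORKDIR/post/tls.crt" www1.westos.org)"
echo "fixed cert covers www1.westos.org: $(cert_covers_host "$WORKDIR/fixed/tls.crt" www1.westos.org)"

tls_secret_manifest tls-secret "$WORKDIR/fixed/tls.crt" "$WORKDIR/fixed/tls.key" \
    > "$WORKDIR/tls-secret.yaml"
echo "Secret manifest written to $WORKDIR/tls-secret.yaml"
```

Apply the manifest with `kubectl apply -f "$WORKDIR/tls-secret.yaml"` and remove the directory afterwards; the key inside it is the private key the controller will serve with. To test the TLS endpoint without editing /etc/hosts and without -k, curl can pin the name to the load-balancer address and trust the generated certificate directly: `curl --resolve www1.westos.org:443:172.25.33.11 --cacert "$WORKDIR/fixed/tls.crt" https://www1.westos.org/`.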
Add the tls configuration to ingress.yaml:
[root@server1 pod]# cat ingress.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
spec:
  tls:
  - hosts:
    - www1.westos.org
    secretName: tls-secret
  rules:
  - host: www1.westos.org
    http:
      paths:
      - path: /
        backend:
          serviceName: my-app
          servicePort: 80
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-nginx
spec:
  rules:
  - host: www2.westos.org
    http:
      paths:
      - path: /
        backend:
          serviceName: my-nginx
          servicePort: 80
- kubectl apply -f ingress.yaml
- kubectl get secrets # view the created secret
- kubectl get ingress # view the created ingress
- kubectl describe ingress # view the ingress details
Test the HTTPS redirect from 80 to 443:
Ingress authentication configuration:
Install httpd-tools, create a user, and generate the secret
- yum install -y httpd-tools
- htpasswd -c auth lht
- kubectl create secret generic basic-auth --from-file=auth
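ingress-nginx reads the credentials from the data key named auth in the Secret referenced by the auth-secret annotation, which is why the file created by `htpasswd -c auth` has to be called auth when it is passed to --from-file. The shell example below is added here and is not from the original post. It builds the same file with `openssl passwd` instead of httpd-tools, checks that every entry holds a hashed password rather than a plaintext one, and renders the Opaque Secret that `kubectl create secret generic basic-auth --from-file=auth` would create. The user name lht comes from the post; the password, the temporary directory and the function names are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): basic-auth file for
# ingress-nginx built without httpd-tools, a check that it holds only hashed
# passwords, and the Secret manifest. ingress-nginx reads the credentials
# from the Secret's "auth" data key. The user name lht is the post's; the
# password and the temp dir are constructed here.

AUTH_DIR="$(mktemp -d)"
AUTH_FILE="$AUTH_DIR/auth"

# htpasswd_entry USER PASSWORD -> "user:$apr1$salt$hash" on stdout
# openssl passwd -apr1 yields the Apache MD5 scheme that htpasswd emits by
# default and that nginx's auth_basic accepts. The password is fed through
# stdin so it does not show up in the process list.
htpasswd_entry() {
    printf '%s:%s\n' "$1" "$(printf '%s\n' "$2" | openssl passwd -apr1 -stdin)"
}

# auth_file_ok FILE -> prints ok or bad
# Every line must be user:hash, with the hash in a scheme nginx verifies:
# crypt()-style ($apr1$, $5$, $6$, bcrypt where libc supports it) or
# RFC 2307 {SHA}/{SSHA}. A bare password or {PLAIN} is reported as bad.
auth_file_ok() {
    [ -s "$1" ] || { echo bad; return; }
    while IFS=: read -r user hash; do
        [ -n "$user" ] || { echo bad; return; }
        case "$hash" in
            '$apr1$'*|'$5$'*|'$6$'*|'$2a$'*|'$2b$'*|'$2y$'*|'{SHA}'*|'{SSHA}'*) ;;
            *) echo bad; return ;;
        esac
    done < "$1"
    echo ok
}

# basic_auth_secret_manifest NAME FILE -> Opaque Secret YAML with key "auth"
# The same object `kubectl create secret generic NAME --from-file=auth`
# creates, written out so it can be reviewed before kubectl apply.
basic_auth_secret_manifest() {
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
data:
  auth: $(base64 < "$2" | tr -d '\n')
EOF
}

# Constructed credentials for the post's user lht.
htpasswd_entry lht 'constructed-example-password' > "$AUTH_FILE"
# Constructed counterexample: a plaintext entry that must be rejected.
printf 'lht:plaintext-not-allowed\n' > "$AUTH_DIR/bad-auth"

echo "generated auth file: $(auth_file_ok "$AUTH_FILE")"
echo "plaintext auth file: $(auth_file_ok "$AUTH_DIR/bad-auth")"

basic_auth_secret_manifest basic-auth "$AUTH_FILE" > "$AUTH_DIR/basic-auth.yaml"
echo "Secret manifest written to $AUTH_DIR/basic-auth.yaml"
```

The realm string and the auth-type annotation stay exactly as in the post's ingress.yaml; only the way the auth file and Secret are produced differs. Because the Ingress in this section also carries the tls block, the credentials travel over HTTPS; basic auth on a plain-HTTP host would send them base64-encoded in every request.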
Edit ingress.yaml and add the authentication annotations:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - lht'
spec:
  tls:
  - hosts:
    - www1.westos.org
    secretName: tls-secret
  rules:
  - host: www1.westos.org
    http:
      paths:
      - path: /
        backend:
          serviceName: my-app
          servicePort: 80
- kubectl apply -f ingress.yaml # apply the file
- kubectl describe ingress
Browser test:
Ingress URL rewriting
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - lht'
    nginx.ingress.kubernetes.io/app-root: /hostname.html
spec:
  tls:
  - hosts:
    - www1.westos.org
    secretName: tls-secret
  rules:
  - host: www1.westos.org
    http:
      paths:
      - path: /
        backend:
          serviceName: my-app
          servicePort: 80
- kubectl apply -f ingress.yaml # apply the file
- kubectl describe ingress
Check the details; the rewrite has been added:
Test:
When accessing www1.westos.org, the request is redirected to https://www1.westos.org/hostname.html