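Overview of Ingress
We know that a Service can give clients outside the cluster access to resources inside it. When the Service type is set to NodePort, an external client can reach the backend Pods through the IP address of any worker node plus the port allocated by the Service. A Service also provides load balancing, distributing requests to the backend Pods in turn according to an algorithm.
Ingress is another way to expose workloads to clients outside the cluster. An Ingress is associated with a Service object, and the Service is associated with a group of Pods, so the Ingress ends up associated with the Pods. An external client only needs to enter the domain name defined in the Ingress to reach the Pods behind the Service, which saves entering a worker node's IP address and port number each time.
Differences between Ingress and Service
- At bottom, Ingress access from outside the cluster is also implemented through NodePort. Ingress and Service correspond to each other: Ingress proxies Services, and Ingress is a layer 7 load balancer, so clients can reach the Pods behind a Service by domain name. Example: the domain www.abc.com maps to Service svc-1 (with multiple Pods) and the domain www.def.com maps to Service svc-2 (with multiple Pods), so a client only needs to enter the corresponding domain name to reach the intended Service.
Ingress consists of the ingress controller and the Ingress service.
Note: deploying the Ingress service requires an Ingress controller; without one the Ingress service cannot work, and creating only the Ingress resource has no effect. Ingress is comparable to an nginx proxy server placed in front of all services. The functions it can provide include reverse proxying, HTTP and HTTPS authentication, user authentication and domain redirection.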
Deploying Ingress
Ingress-nginx official website
https://kubernetes.github.io/ingress-nginx/
Ingress-nginx GitHub address
https://github.com/kubernetes/ingress-nginx
Test environment
Host | IP address |
master | 192.168.1.100 |
node1 | 192.168.1.200 |
node2 | 192.168.1.250 |
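Ingress environment component package:
Link: https://pan.baidu.com/s/1dcOJHOeFSRR4DScWqU79DQ Extraction code: 2lsc
The setup procedure is as follows
Installing the Ingress-nginx-controller
Download the files I shared beforehand and upload them to the server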
[root@master ingress]# ls
mandatory.yaml nginx-images-controller-0.30.0.tar service-nodeport.yaml
[root@master ingress]# docker load -i nginx-images-controller-0.30.0.tar    # load the image
[root@master ingress]# kubectl apply -f mandatory.yaml
[root@master ingress]# kubectl apply -f service-nodeport.yaml
service/ingress-nginx created
Check that the status is normal
[root@master ingress]# kubectl get pods -n ingress-nginx
NAME READY STATUS RESTARTS AGE
nginx-ingress-controller-jw8ch 1/1 Running 0 46s
[root@master ingress]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.97.182.154 <none> 80:32279/TCP,443:30612/TCP 52s
Creating deploy-myapp1.yaml
[root@master myapp]# vi deploy-myapp1.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-myapp
spec:
  replicas: 4
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp
        image: wangyanglinux/myapp:v1
        ports:
        - containerPort: 80
---    # document separator
apiVersion: v1
kind: Service
metadata:
  name: svc-1
spec:
  type: ClusterIP
  selector:
    app: myapp
  ports:
  - port: 80
    targetPort: 80
[root@master myapp]# kubectl apply -f deploy-myapp1.yaml
Startup test
[root@master myapp]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
deploy-myapp-7999b8c59c-6kx4f 1/1 Running 0 14m 10.244.2.2 node2 <none> <none>
deploy-myapp-7999b8c59c-rc8kg 1/1 Running 0 14m 10.244.1.4 node1 <none> <none>
deploy-myapp-7999b8c59c-vhgkg 1/1 Running 0 14m 10.244.1.3 node1 <none> <none>
deploy-myapp-7999b8c59c-xj2h5 1/1 Running 0 14m 10.244.1.2 node1 <none> <none>
[root@master myapp]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 47h
svc-1 ClusterIP 10.110.249.210 <none> 80/TCP 9m43s
Creating deploy-myapp2.yaml
[root@master myapp]# vi deploy-myapp2.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-myapp1
spec:
  replicas: 4
  selector:
    matchLabels:
      app: myapp1
  template:
    metadata:
      labels:
        app: myapp1
    spec:
      containers:
      - name: myapp1
        image: wangyanglinux/myapp:v2    # the v2 image
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: svc-2
spec:
  type: ClusterIP
  selector:
    app: myapp1
  ports:
  - port: 80
    targetPort: 80
[root@master myapp]# kubectl apply -f deploy-myapp2.yaml
Ingress HTTP proxy access test
Create the ingress-deploy.yaml file
[root@master myapp]# vi ingress-deploy.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
spec:
  rules:
  - host: www.abc.com
    http:
      paths:
      - path: /
        backend:
          serviceName: svc-1
          servicePort: 80
  - host: www.def.com
    http:
      paths:
      - path: /
        backend:
          serviceName: svc-2
          servicePort: 80
Check the result
[root@master myapp]# kubectl get ingress -o wide
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-myapp <none> www.abc.com,www.def.com 10.97.182.154 80 4m17s
Browser access test
Edit the hosts file on the Windows machine beforehand so that the names resolve:
192.168.1.100 www.abc.com www.def.com
Ingress HTTPS proxy access test
Preparation (generate a certificate)
HTTPS is a form of encrypted access and requires a certificate.
[root@master myapp]# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/C=CN/ST=BJ/L=BeiJing/O=BTC/OU=MOST/CN=zhang/emailAddress=ca@test.com"
Generating a 2048 bit RSA private key
............................................+++
....................+++
writing new private key to 'tls.key'
[root@master myapp]# kubectl create secret tls tls-secret --key tls.key --cert tls.crt
secret/tls-secret created
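The certificate generated above has CN=zhang and no subjectAltName, so it matches neither www.abc.com nor www.def.com and any client that verifies the host name will reject it. The script below is an added example, not part of the original post: it builds one certificate with the page's subject and one with both hosts as SAN entries, then compares them with openssl x509 -checkhost. The function names and the file names page.* and san.* are assumptions made here, and -addext needs OpenSSL 1.1.1 or later.

```bash
#!/usr/bin/env bash
# Added example: check whether a certificate covers the Ingress TLS hosts.

HOSTS="www.abc.com www.def.com"   # hosts listed under spec.tls in the Ingress

# make_cert <dir> <name> <openssl req args...>: self-signed cert + key in <dir>
make_cert() {
  local dir=$1 name=$2; shift 2
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$dir/$name.key" -out "$dir/$name.crt" "$@" 2>/dev/null
}

# cert_matches <crt> <host>: succeeds only if the certificate is valid for <host>
cert_matches() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# unmatched_hosts <crt>: print the Ingress hosts the certificate does not cover
unmatched_hosts() {
  local h out=""
  for h in $HOSTS; do
    cert_matches "$1" "$h" || out="$out $h"
  done
  echo "${out# }"
}

demo() {
  local dir; dir=$(mktemp -d)
  # Subject taken from the page's command: CN=zhang, no subjectAltName
  make_cert "$dir" page \
    -subj "/C=CN/ST=BJ/L=BeiJing/O=BTC/OU=MOST/CN=zhang/emailAddress=ca@test.com"
  # Same kind of certificate with both hosts as SAN entries (OpenSSL >= 1.1.1)
  make_cert "$dir" san -subj "/CN=www.abc.com" \
    -addext "subjectAltName=DNS:www.abc.com,DNS:www.def.com"
  echo "page certificate does not cover: $(unmatched_hosts "$dir/page.crt")"
  echo "SAN certificate does not cover:  $(unmatched_hosts "$dir/san.crt")"
  rm -rf "$dir"
}
demo
```

A key and certificate produced this way can be passed to the kubectl create secret tls command in place of tls.key and tls.crt.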
Modify the ingress-deploy.yaml file above
[root@master myapp]# vi ingress-deploy.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
spec:
  tls:    # adding this section is all that is needed
  - hosts:
    - www.abc.com
    - www.def.com
    secretName: tls-secret
  rules:
  - host: www.abc.com
    http:
      paths:
      - path: /
        backend:
          serviceName: svc-1
          servicePort: 80
  - host: www.def.com
    http:
      paths:
      - path: /
        backend:
          serviceName: svc-2
          servicePort: 80
[root@master myapp]# kubectl apply -f ingress-deploy.yaml
Browser access test
Implementing BasicAuth with Ingress
Preparation
[root@master myapp]# yum install -y httpd
[root@master myapp]# htpasswd -c auth foo
New password:
Re-type new password:
Adding password for user foo
[root@master myapp]# kubectl create secret generic basic-auth --from-file=auth
secret/basic-auth created
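The auth file written by htpasswd holds one user:hash line per user, using the apr1 (MD5-based) scheme by default, and ingress-nginx reads it from the Secret key named auth, which is why the file itself is called auth. The script below is an added example, not part of the original post: it produces the same kind of line with openssl passwd -apr1 without installing httpd, and shows how a candidate password is checked against a stored entry. The function names and the sample passwords are constructed here; passwords are read from stdin so they do not appear in the process list.

```bash
#!/usr/bin/env bash
# Added example: build and check an htpasswd-style apr1 entry with openssl.

# htpasswd_line <user>: read the password from stdin, print "user:$apr1$salt$hash"
htpasswd_line() {
  local user=$1 hash
  case $user in
    ''|*:*) echo "user name must be non-empty and contain no ':'" >&2; return 2 ;;
  esac
  hash=$(openssl passwd -apr1 -stdin | head -n 1) || return 1
  printf '%s:%s\n' "$user" "$hash"
}

# check_password <entry>: read a candidate password from stdin and succeed
# only if re-hashing it with the entry's salt reproduces the stored hash
check_password() {
  local stored=${1#*:} salt candidate
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)
  [ -n "$salt" ] || return 2
  candidate=$(openssl passwd -apr1 -salt "$salt" -stdin | head -n 1)
  [ "$candidate" = "$stored" ]
}

demo() {
  local entry
  # Constructed sample password; in real use type it or read it from a file
  entry=$(printf '%s\n' 'constructed-sample-password' | htpasswd_line foo)
  echo "$entry"   # this line is what the file named "auth" contains
  printf '%s\n' 'constructed-sample-password' | check_password "$entry" \
    && echo "correct password accepted"
  printf '%s\n' 'wrong-guess' | check_password "$entry" \
    || echo "wrong password rejected"
}
demo
```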
Modify the ingress-deploy.yaml file above
[root@master myapp]# vi ingress-deploy.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  annotations:    # adding these annotations is all that is needed
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  tls:
  - hosts:
    - www.abc.com
    - www.def.com
    secretName: tls-secret
  rules:
  - host: www.abc.com
    http:
      paths:
      - path: /
        backend:
          serviceName: svc-1
          servicePort: 80
  - host: www.def.com
    http:
      paths:
      - path: /
        backend:
          serviceName: svc-2
          servicePort: 80
[root@master myapp]# kubectl apply -f ingress-deploy.yaml
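Browser access test
After a successful login the page appears as follows
Ingress redirection
Modify the ingress-deploy.yaml file above
[root@master myapp]# vi ingress-deploy.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  annotations:
    # this defines the address finally reached, i.e. the redirect target
    nginx.ingress.kubernetes.io/rewrite-target: https://www.abc.com
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  tls:
  - hosts:
    - www.abc.com
    - www.def.com
    secretName: tls-secret
  rules:
  - host: www.1.com    # the address entered in the browser; visiting it redirects to the target set above
    http:
      paths:
      - path: /
        backend:
          serviceName: svc-1
          servicePort: 80
---
# An annotation key can appear only once per Ingress and applies to all of its rules,
# so the second redirect target goes in its own object (the name ingress-myapp-2 is chosen here).
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp-2
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: https://www.def.com
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  tls:
  - hosts:
    - www.abc.com
    - www.def.com
    secretName: tls-secret
  rules:
  - host: www.2.com
    http:
      paths:
      - path: /
        backend:
          serviceName: svc-2
          servicePort: 80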
[root@master myapp]# kubectl apply -f ingress-deploy.yaml
Browser access test
Remember to edit the Windows hosts file and add the following entry
192.168.1.100 www.1.com www.2.com