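Table of contents
- I. Introduction to Ingress
- 1. Two core concepts
- 2. How Ingress works (using Nginx as the example)
- II. Ingress nginx (domain-based traffic forwarding)
- 1. Deploy an Ingress to reach nginx (one domain)
- 2. Deploy an Ingress to reach nginx (two different domains on the same port)
- 3. How ingress nginx works
- 1. The path from Ingress to Pod
- 2. How do controllers, Services and Ingress manage Pods?
- III. TLS-based Ingress (test access to nginx): HTTPS access
- Official documentation for common Ingress usage
- Testing HTTP
- Testing HTTPS
- IV. Example: deploying WordPress behind a TLS Ingress
- V. Common Ingress usage
- 1. Domain redirection (cannot redirect to /)
- 2. Rate limiting
- 3. Setting an Ingress whitelist
- 4. Permanent redirect
- 5. Permanent redirect code
- 6. Proxy HTTP version
- 7. Enabling access logs
- 8. SSL ciphers
- 9. Regex path matching (limited regex support)
- 10. nginx login
- 11. Using the auth feature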
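I. Introduction to Ingress
As mentioned in earlier lessons, a Service can be exposed outside the cluster in two main ways, NodePort and LoadBalancer, but both have drawbacks:
# NodePort occupies many ports on the cluster machines, and this drawback becomes more obvious as the number of services in the cluster grows
# LoadBalancer needs one LB per Service, which is wasteful and cumbersome, and it requires support from equipment outside Kubernetes
Given this situation, Kubernetes provides the Ingress resource object. With Ingress, a single NodePort or a single LB is enough to expose multiple Services. The mechanism is roughly as shown in the figure below:
In effect, Ingress acts as a layer-7 load balancer and is Kubernetes' abstraction of a reverse proxy. It works much like Nginx: you define a set of mapping rules in Ingress objects, and the Ingress Controller watches these rules, converts them into Nginx reverse-proxy configuration, and then serves external traffic.
1. Two core concepts:
# ingress:
An object in Kubernetes whose job is to `define the rules for how requests are forwarded to a Service`
# ingress controller:
`The program that actually implements the reverse proxy and load balancing`. It parses the rules defined by Ingress objects and forwards requests according to them. There are many implementations, such as Nginx, Contour and HAProxy.
2. How Ingress works (using Nginx as the example):
1. The user writes Ingress rules that `state which domain name maps to which Service in the Kubernetes cluster`
2. The Ingress `controller detects changes to the Ingress rules dynamically and generates the corresponding Nginx reverse-proxy configuration`
3. The Ingress controller writes the generated Nginx configuration into a running Nginx instance and updates it dynamically
4. At this point, what is actually doing the work is an Nginx instance that has been configured with the user-defined forwarding rules
II. Ingress nginx (domain-based traffic forwarding)
Ingress provides the entry point to services in a Kubernetes cluster and can offer load balancing, SSL termination and name-based virtual hosting. Ingress controllers commonly used in production include Traefik (native Kubernetes support), Nginx (high performance), HAProxy and Istio (a service mesh that governs service traffic). Ingress was added in Kubernetes v1.1 to route HTTP and HTTPS traffic from outside the cluster to Services inside it: traffic flows from the Internet to the Ingress, then to Services, and finally to Pods. Ingress is usually deployed on all Node machines. It can be configured to give services externally reachable URLs, load balancing, SSL termination and domain-based virtual hosting. However, Ingress does not expose arbitrary ports or protocols.
Official site: https://kubernetes.github.io/ingress-nginx/
1. Deploy an Ingress to reach nginx (one domain)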
#1. Download nginx ingress (it is an external add-on, not a built-in cluster resource, so it has to be installed)
[root@k8s-master1 ~]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.44.0/deploy/static/provider/baremetal/deploy.yaml
If the download fails because the SSL connection cannot be established, run the following (--no-check-certificate turns off TLS certificate verification, so read through the downloaded deploy.yaml before applying it)
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.44.0/deploy/static/provider/baremetal/deploy.yaml --no-check-certificate
List the images it needs:
[root@k8s-master-01 ~]# cat deploy.yaml |grep image
#2. Change the image (swaps the digest-pinned k8s.gcr.io image for a mirror image referenced by tag only)
[root@k8s-master1 ~]# sed -i 's#k8s.gcr.io/ingress-nginx/controller:v0.44.0@sha256:3dd0fac48073beaca2d67a78c746c7593f9c575168a17139a9955a82c63c4b9a#registry.cn-hangzhou.aliyuncs.com/k8sos/ingress-controller:v0.44.0#g' deploy.yaml
#3. Deploy
[root@k8s-master1 ~]# kubectl apply -f deploy.yaml
#4. Write the Ingress manifest and deploy it
[root@k8s-master1 ~]# vim ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx" #use nginx as the Ingress reverse proxy; can be swapped for Traefik or Istio
spec:
  rules:
  - host: www.test.com
    http:
      paths:
      - path: /
        backend:
          serviceName: service
          servicePort: 80
[root@k8s-master1 ~]# kubectl apply -f ingress.yaml
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
ingress.extensions/ingress-ingress created
#5. View the Ingress
[root@k8s-master1 ~]# kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-ingress <none> www.test.com 192.168.12.12 80 49s
#6. Edit the hosts file on your machine so the domain resolves
192.168.12.11 www.test.com
#7. Test in a browser by visiting the domain at www.test.com:32708
[root@k8s-master1 ~]# kubectl get svc -n ingress-nginx #look up the port number, 32708
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.96.60.88 <none> 80:32708/TCP,443:32731/TCP 17m
ingress-nginx-controller-admission ClusterIP 10.106.141.57 <none> 443/TCP 17m
#Extra: check whether ingress nginx was deployed successfully
[root@k8s-master1 ~]# kubectl get pods -n ingress-nginx
NAME READY STATUS RESTARTS AGE
ingress-nginx-admission-create-tfgck 0/1 Completed 0 91m #Completed is normal here, because this is a Job that runs once
ingress-nginx-admission-patch-v5xjd 0/1 Completed 0 91m
ingress-nginx-controller-57dc855f79-p9nx9 1/1 Running 0 91m #Running means the deployment succeeded
2. Deploy an Ingress to reach nginx (two different domains on the same port)
Use two domain names that point at the same nginx service
#1. Edit test.yaml
[root@k8s-master1 ~]# vim test.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
---
apiVersion: v1
kind: Service
metadata:
  name: test-svc
spec:
  selector:
    app: nginx
  ports:
  - name: http
    port: 80
    targetPort: 80
#2. Deploy test
[root@k8s-master1 ~]# kubectl apply -f test.yaml
deployment.apps/test unchanged
service/test-svc created
#3. Look up the cluster IP of test-svc: 10.111.116.174
[root@k8s-master1 ~]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
baidu ExternalName <none> www.aliyun.com <none> 28h
headless-svc ClusterIP None <none> 80/TCP 10h
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 7d14h
service ClusterIP 10.109.114.72 <none> 80/TCP 8h
test-svc ClusterIP 10.111.116.174 <none> 80/TCP 42s
#4. Access it over the internal network via the cluster IP
[root@k8s-master1 ~]# curl 10.111.116.174
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
#5. Edit the Ingress to add a domain
[root@k8s-master1 ~]# vim ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: www.test.com
    http:
      paths:
      - path: /
        backend:
          serviceName: service
          servicePort: 80
  - host: www.abc.com #add the following
    http:
      paths:
      - path: /
        backend:
          serviceName: test-svc
          servicePort: 80
#6. Deploy the Ingress
[root@k8s-master1 ~]# kubectl apply -f ingress.yaml
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
ingress.extensions/ingress-ingress configured
#7. View the Ingress (it now has two domains)
[root@k8s-master1 ~]# kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-ingress <none> www.test.com,www.abc.com 192.168.12.12 80 44m
#8. Edit the hosts file on your machine and visit the domains in a browser (different domains reach nginx through the same port)
192.168.12.11 www.test.com www.abc.com
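3. How ingress nginx works
It converts Ingress objects into nginx configuration in real time and applies it, so that nginx proxies to the Pods
1. Once an Ingress manifest is deployed, the nginx configuration is generated in real time
Enter the nginx container
[root@k8s-master1 ~]# kubectl exec -it -n ingress-nginx ingress-nginx-controller-57dc855f79-p9nx9 -- bash
bash-5.1$ cd /etc/nginx/ #change to the configuration directory
bash-5.1$ ls -l
-rw-r--r-- 1 www-data www-data 21420 Apr 2 11:47 nginx.conf
bash-5.1$ vi nginx.conf #view the configuration file
## start server www.test.com
server {
    server_name www.test.com ; #the nginx configuration is generated automatically from the Ingress in real time
    listen 80 ;
    listen 443 ssl http2 ;
    set $proxy_upstream_name "-";
    ssl_certificate_by_lua_block {
        certificate.call()
    }
    location / {
        set $namespace "default"; #everything below is defined through variables
        set $ingress_name "ingress-ingress";
        set $service_name "service";
        set $service_port "80";
        set $location_path "/";
        set $global_rate_limit_exceeding n;
        rewrite_by_lua_block {
            lua_ingress.rewrite({
                force_ssl_redirect = false,
                ssl_redirect = true,
2. nginx ingress exposes a port externally and connects to the backend Pods through a `headless Service (chosen because no cluster-internal IP is needed)`
3. In effect, `nginx reverse-proxies to the backend Pods`. Because nginx ingress is itself deployed inside the cluster, only nginx needs a port opened and the other services in the cluster need none: `nginx exposes the port externally and reverse-proxies internally to the backend Pods`
# 3. Change the ingress-nginx ports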
[root@k8s-m-01 ingress]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.102.90.34 <none> 80:32130/TCP,443:30236/TCP 53m
ingress-nginx-controller-admission ClusterIP 10.111.226.153 <none> 443/TCP 53m
[root@k8s-m-01 ingress]# kubectl edit svc -n ingress-nginx
    nodePort: 32130 #this port can be changed
    port: 80
    protocol: TCP
    targetPort: http
  - name: https
    nodePort: 30236 #this port can be changed
1. The path from Ingress to Pod
ingress --> endpoints (headless Service) --> pod
2. How do controllers, Services and Ingress manage Pods?
Controller --> via labels
Service --> endpoints
ingress --> endpoints
III. TLS-based Ingress (test access to nginx): HTTPS access
Official documentation for common Ingress usage:
https://kubernetes.github.io/ingress-nginx/user-guide/basic-usage/
#1. Create the HTTPS certificate
openssl genrsa -out tls.key 2048
openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=ShangHai/L=ShangHai/O=Ingress/CN=www.test.com
#2. Deploy the certificate
kubectl -n default create secret tls ingress-tls --cert=tls.crt --key=tls.key
#3. Edit ingress.yaml and deploy it
[root@k8s-master1 ~]# vim ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-ingress
  namespace: default #same namespace as the -n default used when deploying the certificate
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - secretName: ingress-tls #add the certificate
  rules:
  - host: www.test.com
    http:
      paths:
      - path: /
        backend:
          serviceName: test-svc
          servicePort: 80
[root@k8s-master1 ~]# kubectl apply -f ingress.yaml #deploy the Ingress
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
ingress.extensions/ingress-ingress created
#4. Look up the port number, 443:32731
[root@k8s-master1 ~]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.96.60.88 <none> 80:32708/TCP,443:32731/TCP 9h
ingress-nginx-controller-admission ClusterIP 10.106.141.57 <none> 443/TCP 9h
#5. Check the deployment status (once HOSTS and ADDRESS have values, the deployment succeeded and access can be tested)
[root@k8s-master1 ~]# kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-ingress <none> www.test.com 192.168.12.11 80, 443 53s
#6. View the details
kubectl describe ingress ingress-ingress
#7. Configure the hosts file on your machine and visit the domain in a browser
192.168.12.12 www.test.com
Testing HTTP
1. Deploy the service (Deployment + Service)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wordpress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: wordpress
  template:
    metadata:
      labels:
        app: wordpress
    spec:
      containers:
      - name: php
        image: alvinos/php:wordpress-v2
      - name: nginx
        image: alvinos/nginx:wordpress-v2
---
apiVersion: v1
kind: Service
metadata:
  name: wordpress
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: wordpress
2. Write the Ingress manifest (see below)
- Manifest
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress-nginx
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: www.test-nginx.com
    http:
      paths:
      - path: /
        backend:
          serviceName: wordpress #must match the name of the Service deployed above
          servicePort: 80
Testing HTTPS
1. Create the certificate
[root@k8s-m-01 ~]# openssl genrsa -out tls.key 2048
[root@k8s-m-01 ~]# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=ShangHai/L=ShangHai/O=Ingress/CN=www.test-nginx.com
2. Deploy the certificate
[root@k8s-m-01 ~]# kubectl -n default create secret tls ingress-tls --cert=tls.crt --key=tls.key
3. Write the Ingress manifest (see below)
4. Deploy and test
[root@k8s-m-01 ~]# curl -k https://www.test-nginx.com:44490/
- Manifest
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress-nginx-tls
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - www.test-nginx.com
    secretName: ingress-tls
  rules:
  - host: www.test-nginx.com
    http:
      paths:
      - path: /
        backend:
          serviceName: wordpress #must match the name of the Service deployed above
          servicePort: 80
IV. Example: deploying WordPress behind a TLS Ingress
#1. Create the HTTPS certificate
openssl genrsa -out tls.key 2048
openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=ShangHai/L=ShangHai/O=Ingress/CN=www.wp.local #the domain here must match the host in the Ingress manifest
#2. Write the WordPress manifest and deploy it
[root@k8s-master1 ~]# vim wp-gdx.yaml
#namespace for mysql
apiVersion: v1
kind: Namespace
metadata:
  name: mysql
---
#Service for mysql
kind: Service
apiVersion: v1
metadata:
  name: mysql
  namespace: mysql
spec:
  ports:
  - name: http
    port: 3306
    targetPort: 3306
  selector:
    app: mysql
---
#deploy mysql
apiVersion: apps/v1
kind: Deployment
metadata:
  name: name-mysql
  namespace: mysql
spec:
  selector:
    matchLabels:
      app: mysql
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
      - name: mysql
        image: 18954354671/lnmp-mysql-wp:v2
---
apiVersion: v1
kind: Namespace
metadata:
  name: wordpress
---
apiVersion: v1
kind: Service
metadata:
  name: wordpress
  namespace: wordpress
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
    nodePort: 30080
  - name: https
    port: 443
    targetPort: 443
  selector:
    app: wordpress
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: wordpress
  namespace: wordpress
spec:
  selector:
    matchLabels:
      app: wordpress
  template:
    metadata:
      labels:
        app: wordpress
    spec:
      containers:
      - name: php
        image: 18954354671/lnmp-php-wp:v2
      - name: nginx
        image: 18954354671/lnmp-nginx-wp:v2
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: wordpress
  namespace: wordpress #the namespace passed with -n when deploying the certificate
spec:
  tls:
  - secretName: ingress-tls #add the certificate
  rules:
  - host: www.wp.local #same as the domain at the end of the certificate subject (CN)
    http:
      paths:
      - path: /
        backend:
          serviceName: wordpress
          servicePort: 80
#3. Deploy the certificate
kubectl -n wordpress create secret tls ingress-tls --cert=tls.crt --key=tls.key #the value after -n is the namespace of the Ingress
#4. Look up the port number (443:32731)
[root@k8s-master1 ~]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.96.60.88 <none> 80:32708/TCP,443:32731/TCP 11h
ingress-nginx-controller-admission ClusterIP 10.106.141.57 <none> 443/TCP 11h
#5. Check the Ingress deployment status
[root@k8s-master1 ~]# kubectl get ingress -n wordpress
NAME CLASS HOSTS ADDRESS PORTS AGE
wordpress <none> www.wp.local 192.168.12.12 80, 443 44m
#6. Configure the hosts file on your machine and visit the site
192.168.12.11 www.wp.local
#Note: you can go straight to https://www.wp.local:32731/wp-admin/install.php
V. Common Ingress usage
Official docs: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#service-upstream
There are two ways to configure behaviour:
1. Annotations: apply to the current Ingress only
2. ConfigMap: applies to all Ingresses globally
1. Domain redirection (cannot redirect to /)
#1. Edit the manifest (using nginx as the example)
[root@k8s-master1 ~]# vim ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/rewrite-target: https://www.baidu.com/s?wd=nginx #the redirect target (a Baidu URL)
spec:
  rules:
  - host: www.test-nginx.com
    http:
      paths:
      - path: /
        backend:
          serviceName: test-svc
          servicePort: 80
#2. Deploy the Ingress
[root@k8s-master1 ~]# kubectl apply -f ingress.yaml
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
ingress.extensions/ingress-ingress created
#3. Look up the port (32708)
[root@k8s-master1 ~]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.96.60.88 <none> 80:32708/TCP,443:32731/TCP 16h
ingress-nginx-controller-admission ClusterIP 10.106.141.57 <none> 443/TCP 16h
#4. Check the domain
[root@k8s-master1 ~]# kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-ingress <none> www.test-nginx.com 80 14s
#5. Configure the hosts file on your machine and visit the site
192.168.12.11 www.test-nginx.com
Visit www.test-nginx.com:32708; it redirects to Baidu automatically
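2. Rate limiting
These annotations limit connections and transmission rates and can be used to mitigate DDoS attacks (add them in the manifest on the line below kubernetes.io/ingress.class: "nginx", aligned with it)
#1. nginx.ingress.kubernetes.io/limit-connections: the number of concurrent connections allowed from a single IP address. A 503 error is returned when this limit is exceeded.
#2. nginx.ingress.kubernetes.io/limit-rps: the number of requests accepted from a given IP each second. The burst limit is set to this limit multiplied by the burst multiplier; the default multiplier is 5. When clients exceed this limit, the limit-req-status-code is returned: 503.
#3. nginx.ingress.kubernetes.io/limit-rpm: the number of requests accepted from a given IP each minute. The burst limit is set to this limit multiplied by the burst multiplier; the default multiplier is 5. When clients exceed this limit, the limit-req-status-code is returned: 503.
#4. nginx.ingress.kubernetes.io/limit-burst-multiplier: the multiplier applied to the limit rate to get the burst size. The default burst multiplier is 5; this annotation overrides the default. When clients exceed this limit, the limit-req-status-code is returned: 503.
#5. nginx.ingress.kubernetes.io/limit-rate-after: the initial number of kilobytes after which further transmission of a response on a given connection is rate limited. This feature must be used with proxy buffering enabled.
#6. nginx.ingress.kubernetes.io/limit-rate: the number of kilobytes per second allowed to be sent to a given connection. A value of zero disables rate limiting. This feature must be used with proxy buffering enabled.
#7. nginx.ingress.kubernetes.io/limit-whitelist: client IP source ranges to be excluded from rate limiting. The value is a comma-separated list of CIDRs.
If you specify multiple annotations in a single Ingress rule, the limits are applied in the order limit-connections, limit-rpm, limit-rps
3. Setting an Ingress whitelist
Use an annotation to specify the allowed client IP source ranges (separate multiple IPs with commas)
#1. Edit the manifest
[root@k8s-master1 ~]# vim ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
    #nginx.ingress.kubernetes.io/rewrite-target: https://www.baidu.com/s?wd=nginx
    nginx.ingress.kubernetes.io/whitelist-source-range: 192.168.12.11,192.168.12.12 #the whitelist does not list 192.168.11.13 as allowed
spec:
  rules:
  - host: www.test-nginx.com
    http:
      paths:
      - path: /
        backend:
          serviceName: test-svc
          servicePort: 80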
#2. Deploy the Ingress
[root@k8s-master1 ~]# kubectl apply -f ingress.yaml
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
ingress.extensions/ingress-ingress created
#3. Look up the port (32708)
[root@k8s-master1 ~]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.96.60.88 <none> 80:32708/TCP,443:32731/TCP 16h
ingress-nginx-controller-admission ClusterIP 10.106.141.57 <none> 443/TCP 16h
#4. Check the domain
[root@k8s-master1 ~]# kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-ingress <none> www.test-nginx.com 80 14s
#5. Configure the hosts file on your machine and visit the site
192.168.12.13 www.test-nginx.com
Visit www.test-nginx.com:32708: access is denied because the Ingress whitelist blocks it
The host can still be pinged
4. Permanent redirect
Allows returning a permanent redirect (return code 301) instead of sending data to the upstream.
For example, to redirect everything to Google: nginx.ingress.kubernetes.io/permanent-redirect: https://www.google.com
#1. Edit the manifest
[root@k8s-master1 ~]# vim ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/permanent-redirect: https://www.baidu.com #the redirect target domain can be given directly
    #nginx.ingress.kubernetes.io/rewrite-target: https://www.baidu.com/s?wd=nginx
    #nginx.ingress.kubernetes.io/whitelist-source-range: 192.168.12.11,192.168.12.12
spec:
  rules:
  - host: www.test-nginx.com
    http:
      paths:
      - path: /
        backend:
          serviceName: test-svc
          servicePort: 80
#2. Deploy the Ingress
[root@k8s-master1 ~]# kubectl apply -f ingress.yaml
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
ingress.extensions/ingress-ingress created
#3. Look up the port (32708)
[root@k8s-master1 ~]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.96.60.88 <none> 80:32708/TCP,443:32731/TCP 16h
ingress-nginx-controller-admission ClusterIP 10.106.141.57 <none> 443/TCP 16h
#4. Check the domain
[root@k8s-master1 ~]# kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-ingress <none> www.test-nginx.com 80 14s
#5. Configure the hosts file on your machine and visit the site
192.168.12.11 www.test-nginx.com
Visit www.test-nginx.com:32708; it redirects to Baidu
5. Permanent redirect code
Allows you to change the status code used for permanent redirects. For example, to return your permanent redirect with a 308: nginx.ingress.kubernetes.io/permanent-redirect-code: '308'
#1. Edit the manifest
[root@k8s-master1 ~]# vim ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/permanent-redirect: https://www.baidu.com
    nginx.ingress.kubernetes.io/permanent-redirect-code: '308' #redirect to Baidu with status code 308
    #nginx.ingress.kubernetes.io/rewrite-target: https://www.baidu.com/s?wd=nginx
    #nginx.ingress.kubernetes.io/whitelist-source-range: 192.168.12.11,192.168.12.12
spec:
  rules:
  - host: www.test-nginx.com
    http:
      paths:
      - path: /
        backend:
          serviceName: test-svc
          servicePort: 80
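#2. Deploy the Ingress
[root@k8s-master1 ~]# kubectl apply -f ingress.yaml
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
ingress.extensions/ingress-ingress created
#3. Look up the port (32708)
[root@k8s-master1 ~]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.96.60.88 <none> 80:32708/TCP,443:32731/TCP 16h
ingress-nginx-controller-admission ClusterIP 10.106.141.57 <none> 443/TCP 16h
#4. Check the domain
[root@k8s-master1 ~]# kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-ingress <none> www.test-nginx.com 80 14s
#5. Configure the hosts file on your machine and visit the site
192.168.12.11 www.test-nginx.com
Visit: www.test-nginx.com:32708
6. Proxy HTTP version
Sets the proxy_http_version that the Nginx reverse proxy uses to communicate with the backend. By default this is set to "1.1"
nginx.ingress.kubernetes.io/proxy-http-version: "1.0"
7. Enabling access logs
#1. Access logs are enabled by default, but in some cases you may need to disable them for a given Ingress.
nginx.ingress.kubernetes.io/enable-access-log: "true" #enable the access log
#2. Rewrite logs are not enabled by default. In some cases you may need to enable NGINX rewrite logs. Note that rewrite logs are sent to the error_log file at the notice level.
nginx.ingress.kubernetes.io/enable-rewrite-log: "true" #enable the rewrite log
#3. Opentracing can be enabled or disabled globally through the ConfigMap, but sometimes it needs to be overridden to enable or disable it for a specific Ingress (for example, to turn off tracing of external health-check endpoints)
nginx.ingress.kubernetes.io/enable-opentracing: "true" #enable opentracing
#4. To add the non-standard header X-Forwarded-Prefix to the upstream request with a string value, use the following annotation:
nginx.ingress.kubernetes.io/x-forwarded-prefix: "/path" #X-Forwarded-Prefix header
8. SSL ciphers
#1. This annotation sets the ssl_ciphers directive at the server level. The configuration is active for all paths on the host.
nginx.ingress.kubernetes.io/ssl-ciphers: "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP" #set the SSL cipher list (this sample string also admits RC4, LOW, SSLv2 and EXP suites; restrict it in production)
#2. The following annotation sets the ssl_prefer_server_ciphers directive at the server level. It specifies that server ciphers should be preferred over client ciphers when using the SSLv3 and TLS protocols.
nginx.ingress.kubernetes.io/ssl-prefer-server-ciphers: "true" #prefer the server's ciphers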
9. Regex path matching (limited regex support)
#1. Edit the manifest
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress-nginx-tls
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/rewrite-target: https://www.baidu.com/s?wd=$1 #add a variable (the capture group)
spec:
  rules:
  - host: www.test-nginx.com
    http:
      paths:
      - path: /search/(.+) #match everything
        backend:
          serviceName: wordpress-nginx
          servicePort: 80
#2. The deployment steps are the same as above and are omitted here
#3. Configure the hosts file on your machine and test access
192.168.12.11 www.test-nginx.com
Visit: www.test-nginx.com:32708/search/kubernetes
#1. Define the following Ingress
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test-ingress-3
  annotations:
    nginx.ingress.kubernetes.io/use-regex: "true" #enable regex
spec:
  rules:
  - host: test.com
    http:
      paths:
      - path: /foo/bar/bar
        backend:
          serviceName: test
          servicePort: 80
      - path: /foo/bar/[A-Z0-9]{3}
        backend:
          serviceName: test
          servicePort: 80
#2. The ingress controller will define the following location blocks (in this order) in the NGINX template for the test.com server:
location ~* "^/foo/bar/[A-Z0-9]{3}" {
...
}
location ~* "^/foo/bar/bar" {
...
}
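The block order above decides which rule serves a request: /foo/bar/bar is caught by the [A-Z0-9]{3} location because "~*" matches case-insensitively and that block comes first. The following is an added example, not code from the article or from ingress-nginx; it assumes locations are emitted longest path first (as in the blocks shown above) and that the first matching regex location wins.

```python
import re

# Paths from the test-ingress-3 rules above (use-regex: "true").
INGRESS_PATHS = ["/foo/bar/bar", "/foo/bar/[A-Z0-9]{3}"]
REGEX_CHARS = set(".^$*+?{}[]()|\\")


def location_order(paths):
    """Order locations longest path first (assumed controller behaviour)."""
    # sorted() is stable, so equal-length paths keep their manifest order.
    return sorted(paths, key=len, reverse=True)


def match_location(paths, request_path):
    """Return the path whose location block NGINX would select, or None.

    Regex locations are tried in config order and the first match wins.
    "~*" is case-insensitive and each pattern is anchored with "^" only,
    so a pattern also matches any longer URI that starts with it.
    """
    for path in location_order(paths):
        if re.match(path, request_path, re.IGNORECASE):
            return path
    return None


def shadowed_literals(paths):
    """List (literal_path, winning_path) pairs where a request for a literal
    path is served by a different, regex, location."""
    findings = []
    for path in paths:
        if REGEX_CHARS & set(path):
            continue  # only literal paths can be requested verbatim
        winner = match_location(paths, path)
        if winner != path:
            findings.append((path, winner))
    return findings


if __name__ == "__main__":
    print(location_order(INGRESS_PATHS))
    for uri in ("/foo/bar/bar", "/foo/bar/X1Z/extra", "/foo/bar/ba"):
        print(uri, "->", match_location(INGRESS_PATHS, uri))
    print("shadowed:", shadowed_literals(INGRESS_PATHS))
```

When overlapping paths point at different backends or carry different auth or whitelist annotations, a shadowed path silently gets the other rule's treatment.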
10. nginx login
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress-nginx-tls
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  rules:
  - host: www.test-nginx.com
    http:
      paths:
      - path: /
        backend:
          serviceName: wordpress-nginx
          servicePort: 80
11. Using the auth feature
# 1. Install the tooling
[root@k8s-m-01 ingress]# yum -y install httpd-tools
# 2. Generate the password
[root@k8s-m-01 ingress]# htpasswd -c auth mm
New password:
Re-type new password:
Adding password for user mm
# 3. Create a Secret to place the password file in the cluster
[root@k8s-m-01 ingress]# kubectl create secret generic basic-auth --from-file=auth
# 4. Write the annotations that turn on the auth feature
[root@k8s-m-01 ingress]# vim ingress1.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: test-svc
spec:
  selector:
    matchLabels:
      app: test-svc
  template:
    metadata:
      labels:
        app: test-svc
    spec:
      containers:
      - name: nginx
        imagePullPolicy: IfNotPresent
        image: nginx
---
kind: Service
apiVersion: v1
metadata:
  name: test-svc
spec:
  ports:
  - port: 80
    targetPort: 80
    #nodePort: 38080
    name: http
  selector:
    app: test-svc
  type: NodePort
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-svc-ingress
  annotations: #the annotations block is required here
    nginx.ingress.kubernetes.io/auth-type: basic #authentication type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "在线发牌!"
spec:
  rules:
  - host: "www.test.com"
    http:
      paths:
      - backend:
          service:
            name: test-svc
            port:
              number: 80
        path: "/"
        pathType: Prefix
#5. Deploy the Ingress
[root@k8s-m-01 ~]# kubectl apply -f ingress1.yaml
#6. Look up the port (32130)
[root@k8s-m-01 ingress]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.102.90.34 <none> 80:32130/TCP,443:30236/TCP 4h44m
ingress-nginx-controller-admission ClusterIP 10.111.226.153 <none> 443/TCP 443/TCP
#7. Check the domain
[root@k8s-m-01 ingress]# kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
test-svc-ingress <none> www.test.com 192.168.15.112 80 11m
#8. Configure the hosts file on your machine and visit the site
192.168.15.111 www.test.com
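The annotations from the whitelist, redirect, SSL cipher and basic-auth sections can be checked across a cluster before they go live. The script below is an added example, not part of the original article or of ingress-nginx; the finding names and the WEAK keyword list are this example's own choices, and the input is a constructed sample in the shape of kubectl get ingress -A -o json.

```python
import ipaddress
import json
from urllib.parse import urlsplit

PREFIX = "nginx.ingress.kubernetes.io/"
# OpenSSL cipher-string keywords that select obsolete, export-grade or null suites.
WEAK = {"ALL", "LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56", "SSLv2",
        "RC4", "MD5", "DES", "3DES", "NULL", "aNULL", "eNULL"}

def weak_cipher_tokens(cipher_string):
    """Weak keywords named without a leading '!' or '-' (which remove suites)."""
    found = []
    for element in cipher_string.split(":"):
        if element.startswith(("!", "-")):
            continue
        for token in element.lstrip("+").split("+"):
            if token in WEAK and token not in found:
                found.append(token)
    return found

def audit_ingress(ingress):
    """Return findings for one Ingress dict in `kubectl get -o json` form."""
    ann = ingress.get("metadata", {}).get("annotations") or {}
    spec = ingress.get("spec", {})
    findings = []
    weak = weak_cipher_tokens(ann.get(PREFIX + "ssl-ciphers", ""))
    if weak:
        findings.append("weak-ciphers: " + ",".join(weak))
    # Basic auth only base64-encodes the password; without TLS it is readable in transit.
    if ann.get(PREFIX + "auth-type") == "basic" and not spec.get("tls"):
        findings.append("basic-auth-without-tls")
    ranges = ann.get(PREFIX + "whitelist-source-range", "")
    for entry in filter(None, map(str.strip, ranges.split(","))):
        try:
            if ipaddress.ip_network(entry, strict=False).prefixlen == 0:
                findings.append("whitelist-allows-all: " + entry)
        except ValueError:
            findings.append("bad-cidr: " + entry)
    # Flag redirects that leave the hosts this Ingress serves.
    hosts = {rule.get("host") for rule in spec.get("rules", [])}
    for key in ("permanent-redirect", "rewrite-target"):
        target = urlsplit(ann.get(PREFIX + key, "")).hostname
        if target and target not in hosts:
            findings.append(key + "-external: " + target)
    return findings

def audit(items):
    """Map Ingress name -> findings, keeping only objects that have any."""
    report = {i["metadata"]["name"]: audit_ingress(i) for i in items}
    return {name: found for name, found in report.items() if found}

# Constructed sample; 192.168.12.300 is a deliberately invalid address for the demo.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "test-svc-ingress", "annotations": {
    "nginx.ingress.kubernetes.io/auth-type": "basic",
    "nginx.ingress.kubernetes.io/auth-secret": "basic-auth"}},
  "spec": {"rules": [{"host": "www.test.com"}]}},
 {"metadata": {"name": "ingress-ingress", "annotations": {
    "nginx.ingress.kubernetes.io/ssl-ciphers": "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP",
    "nginx.ingress.kubernetes.io/whitelist-source-range": "192.168.12.11,192.168.12.300",
    "nginx.ingress.kubernetes.io/permanent-redirect": "https://www.baidu.com"}},
  "spec": {"tls": [{"secretName": "ingress-tls"}], "rules": [{"host": "www.test-nginx.com"}]}},
 {"metadata": {"name": "wordpress"},
  "spec": {"tls": [{"secretName": "ingress-tls"}], "rules": [{"host": "www.wp.local"}]}}
]}""")

if __name__ == "__main__":
    for name, found in audit(SAMPLE["items"]).items():
        print(name, found)
```

Against a live cluster, feed it the parsed output of kubectl get ingress -A -o json in place of SAMPLE.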