Ingress Explained

Ingress

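Ingress is a domain-name-based traffic-forwarding resource: an API object that manages external access to the Services in a cluster, typically over HTTP and HTTPS.
Ingress can provide load balancing, SSL termination and name-based virtual hosting.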

An Ingress controller (for example ingress-nginx) must be running for an Ingress to take effect. Creating an Ingress resource alone does nothing.

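How Ingress works: the controller dynamically generates the nginx configuration and applies it (the dynamic reconfiguration logic is written in Lua). Ingress behaves like a load balancer (an nginx server) that reverse-proxies multiple Services in k8s.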

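Ingress implementations commonly used in production include Traefik, Nginx, HAProxy and Istio:
nginx ingress: high performance
traefik: native k8s support
istio: service mesh, governance of service traffic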

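An Ingress exposes HTTP and HTTPS routes from outside the cluster to Services inside it. Traffic routing is controlled by the rules defined on the Ingress resource.

An Ingress can be configured to give Services externally reachable URLs, load-balance traffic, terminate SSL/TLS and offer name-based virtual hosting. An Ingress controller is responsible for fulfilling the Ingress, usually with a load balancer, though it may also configure an edge router or other frontends to help handle the traffic.

An Ingress does not expose arbitrary ports or protocols. To expose services other than HTTP and HTTPS to the Internet, you typically use a Service of type Service.Type=NodePort or Service.Type=LoadBalancer. See the figure below for details.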

Ingress architecture diagram

[Figure: three images in the original post, not reproduced here]

Deploying ingress-nginx

1. Download the deployment manifest
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.44.0/deploy/static/provider/baremetal/deploy.yaml

2. Replace the image (this swaps the digest-pinned k8s.gcr.io image for a mutable tag on a mirror registry)
sed -i 's#k8s.gcr.io/ingress-nginx/controller:v0.44.0@sha256:3dd0fac48073beaca2d67a78c746c7593f9c575168a17139a9955a82c63c4b9a#registry.cn-hangzhou.aliyuncs.com/k8sos/ingress-controller:v0.44.0#g' deploy.yaml

3. Deploy
[root@k8s-m-01 ~]# kubectl apply -f deploy.yaml 

4. Write the Ingress manifest and deploy it
vim ingress.yaml

kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress
  namespace: default 
  annotations:  
    kubernetes.io/ingress.class: "nginx"
spec:  
  rules:    
    - host: www.test.com      
      http:        
        paths:          
          - path: /            
            backend:              
              serviceName: service              
              servicePort: 80

[root@m01 ~]# kubectl apply -f ingress.yaml 

# Check that the Ingress was created
[root@m01 ~]# kubectl get ingress
NAME              CLASS    HOSTS          ADDRESS        PORTS   AGE
ingress-ingress   <none>   www.test.com   192.168.1.56   80      50s

# Resource type
kind: Ingress
# API version
apiVersion: extensions/v1beta1
# Metadata
metadata:
  # Name
  name: ingress-ingress
  # Namespace
  namespace: default
  # Annotations
  annotations:
    kubernetes.io/ingress.class: "nginx"

spec:
  rules:
    # Hostname to match
    - host: www.test.com
      http:
        paths:
          - path: /
            backend:
              serviceName: service
              servicePort: 80


5. Add a hosts entry
192.168.1.56 www.test.com 

6. Test access by domain name
[root@m01 ~]#  kubectl get svc -n ingress-nginx 
NAME                                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx-controller             NodePort    10.106.156.132   <none>        80:30156/TCP,443:32452/TCP   28m
ingress-nginx-controller-admission   ClusterIP   10.105.74.237    <none>        443/TCP                      28m

Browser access
Open www.test.com:30156; if the page loads, the setup works.

Check that ingress-nginx is installed
[root@m01 ~]# kubectl get pods -n ingress-nginx
NAME                                        READY   STATUS      RESTARTS   AGE
ingress-nginx-admission-create-ddljh        0/1     Completed   0          49m
ingress-nginx-admission-patch-ttp8c         0/1     Completed   0          49m
ingress-nginx-controller-796fb56fb5-gsngx   1/1     Running     0          49m
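
Added example (not part of the original post): the manifests on this page use extensions/v1beta1, which Kubernetes stopped serving in v1.22. The script below flags the v1beta1-only fields and writes the same www.test.com rule in networking.k8s.io/v1 form; lint_ingress and write_v1_ingress are hypothetical helper names, and a cluster of v1.19 or newer is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.

lint_ingress() {  # $1 = manifest path; prints findings, returns 1 if any
    rc=0
    grep -Eq '^apiVersion:[[:space:]]*extensions/v1beta1' "$1" &&
        { echo "$1: extensions/v1beta1 is not served by Kubernetes >= 1.22"; rc=1; }
    grep -Eq '^[[:space:]]*service(Name|Port):' "$1" &&
        { echo "$1: serviceName/servicePort became service.name/service.port"; rc=1; }
    paths=$(grep -Ec '^[[:space:]]*-[[:space:]]*path:' "$1" || true)
    types=$(grep -Ec '^[[:space:]]*pathType:' "$1" || true)
    [ "$paths" -eq "$types" ] ||
        { echo "$1: $paths path(s) but $types pathType field(s)"; rc=1; }
    return "$rc"
}

write_v1_ingress() {  # $1 = output path; this page's www.test.com rule in v1 form
    cat > "$1" <<'EOF'
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: ingress-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
    - host: www.test.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: service
                port:
                  number: 80
EOF
}

# Demo: write the v1 manifest to a scratch directory and lint it.
tmp=$(mktemp -d)
write_v1_ingress "$tmp/ingress-v1.yaml"
lint_ingress "$tmp/ingress-v1.yaml" && echo "ingress-v1.yaml: no v1beta1-only fields"
rm -rf "$tmp"
```

Running lint_ingress ingress.yaml against the manifest from step 4 reports all three findings.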

Ingress can change the random port to a specified port.
Example:

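Deploying an HTTPS service with Ingress

The most important part of HTTPS is the certificate, as in example 1 below.
# Create the certificate: generate the private key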
[root@m01 ~]# openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
…+++
…+++
e is 65537 (0x10001)
# Generate the self-signed certificate (it carries the public key)
[root@m01 ~]# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=ShangHai/L=ShangHai/O=Ingress/CN=www.test.com

# Load the certificate into a Secret (it must be in the same namespace as the Ingress, here default)
[root@m01 ~]# kubectl -n default create secret tls ingress-tls --cert=tls.crt --key=tls.key
secret/ingress-tls created

# Edit the Ingress manifest
[root@m01 ~]# vim ingress.yaml
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
    - secretName: ingress-tls
  rules:
    - host: www.test.com
      http:
        paths:
          - path: /
            backend:
              serviceName: service
              servicePort: 80
# View the ports the service exposes
[root@m01 ~]# kubectl get svc -n ingress-nginx
NAME                                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx-controller             NodePort    10.106.156.132   <none>        80:30156/TCP,443:32452/TCP   3d22h
ingress-nginx-controller-admission   ClusterIP   10.105.74.237    <none>        443/TCP                      3d22h

# Browser access
Open https://www.test.com:32452 in a browser

Install and deploy

# Download the Ingress Nginx manifest
[root@k8s-m-01 ~]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.44.0/deploy/static/provider/baremetal/deploy.yaml

# Replace the image
[root@k8s-m-01 ~]# sed -i 's#registry.cn-qingdao.aliyuncs.com/yzl_test/k8s-ingress:v0.44.0#registry.cn-hangzhou.aliyuncs.com/k8sos/ingress-controller:v0.44.0#g' deploy.yaml

# Deploy
[root@k8s-m-01 ~]# kubectl apply -f deploy.yaml

# Check
[root@k8s-m-01 ~]# kubectl get pods -n ingress-nginx 
NAME                                        READY   STATUS      RESTARTS   AGE
ingress-nginx-admission-create-g9brk        0/1     Completed   0          3d22h
ingress-nginx-admission-patch-tzlgf         0/1     Completed   0          3d22h
ingress-nginx-controller-8494fd5b55-wpf9g   1/1     Running     0          3d22h

Deploying the certificate

1. Create the certificate
[root@k8s-m-01 ~]# openssl genrsa -out tls.key 2048
[root@k8s-m-01 ~]# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=ShangHai/L=ShangHai/O=Ingress/CN=www.test-nginx.com

2. Load the certificate into a Secret
[root@k8s-m-01 ~]# kubectl -n default create secret tls ingress-tls --cert=tls.crt --key=tls.key

3. Write the Ingress manifest
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress-nginx-tls
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
    - hosts: 
        - www.test-nginx.com
      secretName: ingress-tls
  rules:
    - host: www.test-nginx.com
      http:
        paths:
          - path: /
            backend:
              serviceName: wordpress-nginx
              servicePort: 80

4. Deploy and test
[root@k8s-m-01 ~]# curl -k https://www.test-nginx.com:44490/
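
Added example (not part of the original post), covering both certificate walkthroughs above: their openssl commands put the hostname only in the CN and pass no -days, so the certificate has no subjectAltName and gets openssl's 30-day default validity. The script below generates the pair with a SAN and checks key match, SAN and remaining validity before the files go into kubectl create secret tls; the function names are hypothetical and OpenSSL 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

make_cert() (  # $1=host $2=key path $3=cert path; subshell keeps umask local
    umask 077  # the private key is created readable by its owner only
    openssl genrsa -out "$2" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$2" -out "$3" -days 365 \
        -subj "/C=CN/ST=ShangHai/L=ShangHai/O=Ingress/CN=$1" \
        -addext "subjectAltName=DNS:$1" 2>/dev/null
)

cert_matches_key() {  # $1=cert $2=key; 0 if both carry the same public key
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

cert_has_san() {  # $1=cert $2=host; 0 if host is listed as a DNS SAN
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | tr -d ' ' | grep -qxF "DNS:$2"
}

cert_valid_for() {  # $1=cert $2=seconds; 0 if still valid that far ahead
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Demo in a scratch directory, using the hostname from this page.
dir=$(mktemp -d); host=www.test-nginx.com
make_cert "$host" "$dir/tls.key" "$dir/tls.crt" &&
    cert_matches_key "$dir/tls.crt" "$dir/tls.key" &&
    cert_has_san "$dir/tls.crt" "$host" &&
    cert_valid_for "$dir/tls.crt" 604800 &&
    echo "tls.crt/tls.key pass all checks"
rm -rf "$dir"
```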

Common nginx ingress annotations

https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#service-upstream


# Domain redirect (cannot redirect / )
nginx.ingress.kubernetes.io/rewrite-target

kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress-nginx-tls
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/rewrite-target: https://www.baidu.com/s?wd=nginx
spec:
  rules:
    - host: www.test-nginx.com
      http:
        paths:
          - path: /
            backend:
              serviceName: wordpress-nginx
              servicePort: 80
              
# Set an Ingress whitelist
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress-nginx-tls
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/whitelist-source-range: 192.168.15.53,192.168.15.52
spec:
  rules:
    - host: www.test-nginx.com
      http:
        paths:
          - path: /
            backend:
              serviceName: wordpress-nginx
              servicePort: 80

# Domain redirect
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress-nginx-tls
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/permanent-redirect: https://www.baidu.com
spec:
  rules:
    - host: www.test-nginx.com
      http:
        paths:
          - path: /
            backend:
              serviceName: wordpress-nginx
              servicePort: 80

# Regex-based matching (only a limited set of regex features is supported)
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress-nginx-tls
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/rewrite-target: https://www.baidu.com/s?wd=$1
spec:
  rules:
    - host: www.test-nginx.com
      http:
        paths:
          - path: /search/(.+)
            backend:
              serviceName: wordpress-nginx
              servicePort: 80
     
     
# nginx login (basic authentication)
https://kubernetes.github.io/ingress-nginx/examples/auth/basic/


kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress-nginx-tls
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  rules:
    - host: www.test-nginx.com
      http:
        paths:
          - path: /
            backend:
              serviceName: wordpress-nginx
              servicePort: 80
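
Added example (not part of the original post): the manifest above references a Secret named basic-auth but the page does not show its contents. The script below builds the htpasswd-format file and verifies a password against it before it is loaded; the function names, the user foo and the password are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

htpasswd_line() {  # $1=user, password on stdin; prints user:$apr1$salt$hash
    h=$(openssl passwd -apr1 -stdin) || return 1
    printf '%s:%s\n' "$1" "$h"
}

verify_htpasswd() {  # $1=file $2=user, password on stdin; 0 if it matches
    stored=$(awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1")
    [ -n "$stored" ] || return 1
    # Stored form is $apr1$<salt>$<hash>; re-hash with the same salt and compare.
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    [ "$(openssl passwd -apr1 -salt "$salt" -stdin)" = "$stored" ]
}

# Demo with a constructed user and password, passed on stdin rather than argv.
dir=$(mktemp -d)
printf '%s\n' 'constructed-demo-password' | htpasswd_line foo > "$dir/auth"
printf '%s\n' 'constructed-demo-password' | verify_htpasswd "$dir/auth" foo &&
    echo "auth file verifies"
# Load it into the namespace of the Ingress; the Secret key must be named "auth":
#   kubectl create secret generic basic-auth --from-file="$dir/auth"
rm -rf "$dir"
```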

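Problem: "https://192.168.13.13:10250/containerLogs/ingress-nginx/ingress-nginx-admission-create-sqcjj/create": dial tcp 192.168.13.13:10250: connect: no route to host

Analysis: the error says there is no host or route, which means the target machine is down, the port is not open, or SELinux and the firewall have not been turned off.

Solution: the machine and the port were both fine, so try turning off the firewall and SELinux. The narrower alternative is to leave both enabled and allow the kubelet port from the error, TCP 10250, between the nodes.

# Disable the firewall (disable only stops it from starting at boot)
systemctl disable firewalld.service

# Disable SELinux (the config file is read at boot)
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config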
