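Ingress is a domain-name-based traffic-forwarding resource. It is an API object that manages external access to the Services in a cluster, typically over HTTP and HTTPS.
Ingress can provide load balancing, SSL and name-based virtual hosting.
You must have an ingress controller (for example, ingress-nginx) to satisfy an Ingress. Creating only the Ingress resource has no effect.
How Ingress works: it dynamically generates the nginx configuration file (written in Lua) and makes it take effect. Ingress behaves like a load balancer (an nginx server) that reverse-proxies multiple Services in k8s.
Ingress controllers commonly used in production include Traefik, Nginx, HAProxy and Istio.
nginx ingress: high performance
traefik: native k8s support
istio: service mesh, governance of service traffic
Ingress exposes HTTP and HTTPS routes from outside the cluster to Services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource.
An Ingress can be configured to give Services externally reachable URLs, load-balance traffic, provide SSL/TLS, and offer name-based virtual hosting. An Ingress controller is usually responsible for fulfilling the Ingress through a load balancer, though it may also configure an edge router or other frontends to help handle the traffic.
An Ingress does not expose arbitrary ports or protocols. Exposing services other than HTTP and HTTPS to the Internet typically uses a Service of type Service.Type=NodePort or Service.Type=LoadBalancer. See the figure below for details.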
1. Download the deployment manifest
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.44.0/deploy/static/provider/baremetal/deploy.yaml
2. Change the image
sed -i 's#k8s.gcr.io/ingress-nginx/controller:v0.44.0@sha256:3dd0fac48073beaca2d67a78c746c7593f9c575168a17139a9955a82c63c4b9a#registry.cn-hangzhou.aliyuncs.com/k8sos/ingress-controller:v0.44.0#g' deploy.yaml
3. Deploy
[root@k8s-m-01 ~]# kubectl apply -f deploy.yaml
4. Write the ingress manifest and deploy it
vim ingress.yaml
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
    - host: www.test.com
      http:
        paths:
          - path: /
            backend:
              serviceName: service
              servicePort: 80
[root@m01 ~]# kubectl apply -f ingress.yaml
# Check whether the configuration succeeded
[root@m01 ~]# kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-ingress <none> www.test.com 192.168.1.56 80 50s
# Resource type
kind: Ingress
# API version
apiVersion: extensions/v1beta1
# Metadata
metadata:
  # Name
  name: ingress-ingress
  # Namespace
  namespace: default
  # Annotations
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
    # Domain name to match
    - host: www.test.com
      http:
        paths:
          - path: /
            backend:
              serviceName: service
              servicePort: 80
5. Add the hosts entry
192.168.1.56 www.test.com
6. Test access by domain name
[root@m01 ~]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.106.156.132 <none> 80:30156/TCP,443:32452/TCP 28m
ingress-nginx-controller-admission ClusterIP 10.105.74.237 <none> 443/TCP 28m
Access from a browser
www.test.com:30156; if the page appears, it succeeded.
Check whether ingress was installed successfully
[root@m01 ~]# kubectl get pods -n ingress-nginx
NAME READY STATUS RESTARTS AGE
ingress-nginx-admission-create-ddljh 0/1 Completed 0 49m
ingress-nginx-admission-patch-ttp8c 0/1 Completed 0 49m
ingress-nginx-controller-796fb56fb5-gsngx 1/1 Running 0 49m
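Ingress can change the random port to a specified port.
Example:
The most important thing for HTTPS is the certificate, as in Example 1 below.
# Create the private key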
[root@m01 ~]# openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
…+++
…+++
e is 65537 (0x10001)
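# Generate the self-signed certificate (public key)
[root@m01 ~]# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=ShangHai/L=ShangHai/O=Ingress/CN=www.test.com
# Load the certificate as a TLS Secret; it must be in the same namespace as the Ingress that references it (default here)
[root@m01 ~]# kubectl -n default create secret tls ingress-tls --cert=tls.crt --key=tls.key
secret/ingress-tls created
# Edit the ingress manifest
[root@m01 ~]# vim ingress.yaml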
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
    - secretName: ingress-tls
  rules:
    - host: www.test.com
      http:
        paths:
          - path: /
            backend:
              serviceName: service
              servicePort: 80
# Check which ports the service exposes
[root@m01 ~]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.106.156.132 <none> 80:30156/TCP,443:32452/TCP 3d22h
ingress-nginx-controller-admission ClusterIP 10.105.74.237 <none> 443/TCP 3d22h
# Access from a browser
Enter https://www.test.com:32452 in the browser
Install and deploy
# Download the Ingress Nginx manifest
[root@k8s-m-01 ~]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.44.0/deploy/static/provider/baremetal/deploy.yaml
# Change the image
[root@k8s-m-01 ~]# sed -i 's#registry.cn-qingdao.aliyuncs.com/yzl_test/k8s-ingress:v0.44.0#registry.cn-hangzhou.aliyuncs.com/k8sos/ingress-controller:v0.44.0#g' deploy.yaml
# Start the deployment
[root@k8s-m-01 ~]# kubectl apply -f deploy.yaml
# Check
[root@k8s-m-01 ~]# kubectl get pods -n ingress-nginx
NAME READY STATUS RESTARTS AGE
ingress-nginx-admission-create-g9brk 0/1 Completed 0 3d22h
ingress-nginx-admission-patch-tzlgf 0/1 Completed 0 3d22h
ingress-nginx-controller-8494fd5b55-wpf9g 1/1 Running 0 3d22h
Deploy the certificate
1. Create the certificate
[root@k8s-m-01 ~]# openssl genrsa -out tls.key 2048
[root@k8s-m-01 ~]# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=ShangHai/L=ShangHai/O=Ingress/CN=www.test-nginx.com
2. Load the certificate into the cluster
[root@k8s-m-01 ~]# kubectl -n default create secret tls ingress-tls --cert=tls.crt --key=tls.key
3. Write the ingress manifest
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress-nginx-tls
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
    - hosts:
        - www.test-nginx.com
      secretName: ingress-tls
  rules:
    - host: www.test-nginx.com
      http:
        paths:
          - path: /
            backend:
              serviceName: wordpress-nginx
              servicePort: 80
4. Deploy and test
[root@k8s-m-01 ~]# curl -k https://www.test-nginx.com:44490/
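Both certificate procedures above put the host name only in the CN, while current browsers and Go-based clients match the host against subjectAltName. The shell functions below are an added example, not part of the original post: they create the key and certificate with a SAN and check that the pair matches and covers the Ingress host before it is loaded with kubectl create secret tls. The function names and the 365-day lifetime are assumptions, and OpenSSL 1.1.1 or later is required.

```shell
#!/usr/bin/env bash
# Added example: function names, paths and the 365-day lifetime are assumptions.

# Create a 2048-bit RSA key and a self-signed certificate whose
# subjectAltName (not only the CN) carries the Ingress host.
make_ingress_cert() {   # usage: make_ingress_cert HOST OUTDIR
  local host=$1 dir=$2
  ( umask 077; openssl genrsa -out "$dir/tls.key" 2048 2>/dev/null ) || return 1
  openssl req -new -x509 -days 365 -key "$dir/tls.key" -out "$dir/tls.crt" \
    -subj "/C=CN/ST=ShangHai/L=ShangHai/O=Ingress/CN=$host" \
    -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# Return 0 only if the key belongs to the certificate and the certificate
# has a DNS subjectAltName that matches HOST.
# Return codes: 1 unreadable input, 2 key mismatch, 3 no SAN, 4 host not covered.
check_tls_pair() {      # usage: check_tls_pair CRT KEY HOST
  local crt=$1 key=$2 host=$3 cert_pub key_pub
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "key does not match certificate" >&2; return 2; }
  openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null \
    | grep -q 'DNS:' \
    || { echo "certificate has no DNS subjectAltName" >&2; return 3; }
  openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null \
    | grep -q 'does match' \
    || { echo "certificate does not cover $host" >&2; return 4; }
}
```

A pair that passes check_tls_pair can be loaded exactly as in step 2, with kubectl -n default create secret tls ingress-tls --cert=tls.crt --key=tls.key.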
Common nginx ingress annotation syntax
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#service-upstream
# Domain redirect (cannot redirect /)
nginx.ingress.kubernetes.io/rewrite-target
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress-nginx-tls
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/rewrite-target: https://www.baidu.com/s?wd=nginx
spec:
  rules:
    - host: www.test-nginx.com
      http:
        paths:
          - path: /
            backend:
              serviceName: wordpress-nginx
              servicePort: 80
# Set an ingress allowlist (whitelist)
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress-nginx-tls
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/whitelist-source-range: 192.168.15.53,192.168.15.52
spec:
  rules:
    - host: www.test-nginx.com
      http:
        paths:
          - path: /
            backend:
              serviceName: wordpress-nginx
              servicePort: 80
# Domain redirect
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress-nginx-tls
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/permanent-redirect: https://www.baidu.com
spec:
  rules:
    - host: www.test-nginx.com
      http:
        paths:
          - path: /
            backend:
              serviceName: wordpress-nginx
              servicePort: 80
# Match using regular expressions (only limited regex support)
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress-nginx-tls
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/rewrite-target: https://www.baidu.com/s?wd=$1
spec:
  rules:
    - host: www.test-nginx.com
      http:
        paths:
          - path: /search/(.+)
            backend:
              serviceName: wordpress-nginx
              servicePort: 80
# nginx login (basic auth)
https://kubernetes.github.io/ingress-nginx/examples/auth/basic/
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: ingress-ingress-nginx-tls
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  rules:
    - host: www.test-nginx.com
      http:
        paths:
          - path: /
            backend:
              serviceName: wordpress-nginx
              servicePort: 80
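The Ingress above points auth-secret at a Secret named basic-auth, which the page does not create. As an added example (not from the original post), these shell functions build the htpasswd-format file with openssl and print a Secret manifest with the auth key that ingress-nginx reads; the user name foo and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: user name, password source and function names are assumptions.

# Print one htpasswd-format line (user:$apr1$...) for USER. The password is
# read from stdin so it never appears in the process list or shell history.
htpasswd_line() {        # usage: printf '%s\n' "$pw" | htpasswd_line USER
  local user=$1 hash
  case $user in ''|*:*) echo "invalid user name" >&2; return 1;; esac
  hash=$(openssl passwd -apr1 -stdin) || return 1
  printf '%s:%s\n' "$user" "$hash"
}

# Print a Secret manifest whose single data key is "auth", the key
# ingress-nginx looks up for the default auth-file secret type.
basic_auth_secret() {    # usage: basic_auth_secret NAME NAMESPACE HTPASSWD_FILE
  local name=$1 ns=$2 file=$3
  [ -s "$file" ] || { echo "empty htpasswd file" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: Opaque
data:
  auth: $(base64 < "$file" | tr -d '\n')
EOF
}

# Typical use (needs a cluster, so it is left commented out):
#   read -rs pw; printf '%s\n' "$pw" | htpasswd_line foo > auth
#   basic_auth_secret basic-auth default auth | kubectl apply -f -
```

The Secret has to be created in the same namespace as the Ingress that names it in auth-secret.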
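Problem: "https://192.168.13.13:10250/containerLogs/ingress-nginx/ingress-nginx-admission-create-sqcjj/create": dial tcp 192.168.13.13:10250: connect: no route to host
Analysis: the error says there is no route to the host, which means either the target machine is down, the port is not open, or SELinux and the firewall have not been turned off.
Solution: the machine and the port both check out fine, so try turning off the firewall and SELinux.
# Disable the firewall (removes it from boot; the running service is not stopped by this command)
systemctl disable firewalld.service
# Disable SELinux (edits the config file; applies after a reboot)
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config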