k8s ingress-nginx
ingress-nginx
基于域名7层代理
1.安装
# 仓库下载
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm pull ingress-nginx/ingress-nginx
# 导入ningress-nginx
[root@master 2、ingress-nginx]# tree -l
.
├── chart
│ └── ingress-nginx-4.8.3.tgz
└── image
├── ingress-nginx-kube-webhook-certgen-v20231011-8b53cabe0.tar
└── registry.k8s.io-ingress-nginx-controller-v1.9.4.tar
scp image/* root@node1/root/
scp image/* root@node2/root/
docker load -i ingress-nginx-kube-webhook-certgen-v20231011-8b53cabe0.tar
docker load -i registry.k8s.io-ingress-nginx-controller-v1.9.4.tar
[root@master 2、ingress-nginx]# cd chart/
[root@master chart]# tar -zxvf ingress-nginx-4.8.3.tgz
#修改values.yaml
# hostNetwork 值为 True 表示跟主机网络共用
# dnsPolicy值改为ClusterFirstWithHostNet 集群优先 采用主机网络模式
# kind类型改为DaemonSet 保证每个节点都有一个pod运行,高可用
# 关闭所有镜像的digest 保证不会重新获取ingress-nginx
# ingressClassResource.default=true
#创建命名空间
[root@master ingress-nginx]# kubectl create ns ingress
namespace/ingress created
[root@master ingress-nginx]# helm install ingress-nginx -n ingress . -f values.yaml
NAME: ingress-nginx
LAST DEPLOYED: Sun Sep 1 11:31:39 2024
NAMESPACE: ingress
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
The ingress-nginx controller has been installed.
It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status by running 'kubectl --namespace ingress get services -o wide -w ingress-nginx-controller'
An example Ingress that makes use of the controller:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example
namespace: foo
spec:
ingressClassName: nginx
rules:
- host: www.example.com
http:
paths:
- pathType: Prefix
backend:
service:
name: exampleService
port:
number: 80
path: /
# This section is only required if TLS is to be enabled for the Ingress
tls:
- hosts:
- www.example.com
secretName: example-tls
If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:
apiVersion: v1
kind: Secret
metadata:
name: example-tls
namespace: foo
data:
tls.crt: <base64 encoded cert>
tls.key: <base64 encoded key>
type: kubernetes.io/tls
[root@master ingress-nginx]# kubectl get pod -n ingress
NAME READY STATUS RESTARTS AGE
ingress-nginx-controller-jjgrc 1/1 Running 0 44s
ingress-nginx-controller-lnfgk 1/1 Running 0 44s
# 安装成功
实验1-ingress-nginx http代理
vim 01-http.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: ingress-httpproxy-www1
spec:
replicas: 2
selector:
matchLabels:
hostname: www1
template:
metadata:
labels:
hostname: www1
spec:
containers:
- name: nginx
image: wangyanglinux/myapp:v1.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: ingress-httpproxy-www1
spec:
ports:
- port: 80
targetPort: 80
protocol: TCP
selector:
hostname: www1
---
apiVersion: networking.k8s.io/v1
kind: Ingress # 类别
metadata:
name: ingress-httpproxy-www1 # ingress名字
spec:
ingressClassName: nginx # ingress类名
rules: # 规则区间
- host: www1.noziroh.com # 主机名
http: # 基于http协议
paths:
- path: / # 匹配路径为根路径
pathType: Prefix # 基本匹配
backend: # 后端基于svc提供服务
service:
name: ingress-httpproxy-www1 # svc名字
port:
number: 80 # svc提供的端口
[root@master test]# kubectl get pods -n ingress
NAME READY STATUS RESTARTS AGE
ingress-nginx-controller-jjgrc 1/1 Running 0 20m
ingress-nginx-controller-lnfgk 1/1 Running 0 20m
[root@master test]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-httpproxy-www1 ClusterIP 10.6.91.37 <none> 80/TCP 5m36s
kubernetes ClusterIP 10.0.0.1 <none> 443/TCP 11d
[root@master test]# kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-httpproxy-www1 nginx www1.noziroh.com 80 4m6s
[root@master test]# kubectl get pod -n ingress -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
ingress-nginx-controller-jjgrc 1/1 Running 0 24m 10.0.17.102 node2 <none> <none>
ingress-nginx-controller-lnfgk 1/1 Running 0 24m 10.0.17.101 node1 <none> <none>
[root@master test]# curl 10.0.17.101
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
# client主机添加域名
[root@master test]# echo 10.0.17.101 www1.noziroh.com >> /etc/host
[root@master test]# curl www1.noziroh.com
www.xinxianghf.com | hello MyAPP | version v1.0
[root@master test]# curl www1.noziroh.com/hostname.html
ingress-httpproxy-www1-7999cbf8d7-tk489
[root@master test]# sed -i "s/www1/www2/g" 02-http-www2.yaml
[root@master test]# sed -i "s/v1.0/v2.0/g" 02-http-www2.yaml
[root@master test]# echo "10.0.17.102 www2.noziroh.com" >> /etc/hosts
[root@master test]# curl www2.noziroh.com
www.xinxianghf.com | hello MyAPP | version v2.0
实验2-ingress-nginx https代理
deployment、Service、Ingress Yaml 文件
# 创建对应的证书和资料
[root@master https]# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
.+.+...+...+..+..................+...+.+...+..+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+.....+.........+....+.........+........+....+...+......+.....+.........+.+..+..........+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.......+.........+.........+..........+..+.......+..+....+..+....+...+..+......+..........+..+.+..+....+.....+....+......+.....+.........+.+.....+.+........+.......+........+......+.+.................+.............+..+..........+......+............+...+..+...+....+.....+......+....+...+...+.........+..+.+...+..+.......+......+.....+.+..............................+...........+....+......+..+.......+.........+.........+............+.....+....+..+.......+...+..+......+.......+...+.....+.+...........+....+.....+..........+..............+....+.....+.+...........+...+.+.....+.......+.................+.+..............+......+.+.....+......+...+.+.......................+...+....+.....+...+...+....+.........+..+...+....+......+.....+.........+.+.....+....+.....+......+..........+...........+...+.......+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.+......+..........+...+.....+.+..+....+...........+...+....+..+.+........+..........+.....+....+..+.+........+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+..+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+.........+...+.........+.+.....+............+..........+......+.....+............+.......+..+.+...+.....+.+.....+....+..+...+.........+......+....+...+..............+.+..+...............+......+.+........+.......+.........+...........+...+...+...............+.......+...+.....+..........+...+......+..............+....+...........+......+...............+.+..+.+......+...+............+...+...............+..+....+......+........+...+...+..........+......+......+...+....................+.+........+.............+...+.....+....+.....+.+.....................+......+...+..+...+......+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
[root@master https]# ls
tls.crt tls.key
# 封装证书和私钥到secrect对象里
[root@master https]# kubectl create secret tls ingress-nginx-tls --key tls.key --cert tls.crt
secret/ingress-nginx-tls created
[root@master https]# kubectl get secrets ingress-nginx-tls
NAME TYPE DATA AGE
ingress-nginx-tls kubernetes.io/tls 2 74s
vim deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: ingress-httpproxy-ssl
spec:
replicas: 2
selector:
matchLabels:
hostname: ssl
template:
metadata:
labels:
hostname: ssl
spec:
containers:
- name: nginx
image: wangyanglinux/myapp:v3.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: ingress-httpproxy-ssl
spec:
ports:
- port: 80
targetPort: 80
protocol: TCP
selector:
hostname: ssl
vim ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-httpproxy-ssl
namespace: default
annotations: # 声明
nginx.ingress.kubernetes.io/ssl-redirect: "true" # key:value https强制开启
spec:
ingressClassName: nginx
rules: # 规则
- host: ssl.noziroh.com # 定义主机域名
http: # 后端http协议
paths: # 路径
- path: /
pathType: Prefix
backend:
service:
name: ingress-httpproxy-ssl
port:
number: 80
tls: # 声明tls区域 确认以上有哪些主机需要https访问
- hosts:
- ssl.noziroh.com
secretName: ingress-nginx-tls # 证书提供文件
[root@master https]# kubectl apply -f deployment.yaml
deployment.apps/ingress-httpproxy-ssl created
service/ingress-httpproxy-ssl created
[root@master https]# kubectl apply -f ingress.yaml
ingress.networking.k8s.io/ingress-httpproxy-ssl created
[root@master https]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
ingress-httpproxy-ssl-67bbd9f7c7-4lqsv 1/1 Running 0 40s 10.244.104.40 node2 <none> <none>
ingress-httpproxy-ssl-67bbd9f7c7-ckdtg 1/1 Running 0 40s 10.244.104.41 node2 <none> <none>
[root@master https]# kubectl get svc -o wide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
ingress-httpproxy-ssl ClusterIP 10.3.154.30 <none> 80/TCP 69s hostname=ssl
[root@master https]# kubectl get ingress -o wide
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-httpproxy-ssl nginx ssl.noziroh.com 80, 443 101s
[root@master https]# echo 10.0.17.101 ssl.noziroh.com >> /etc/hosts
https://ssl.noziroh.com
Ingress BasicAuth 代理
http 认证文件创建
基于用户密码进行nginx访问
$ dnf -y install httpd-tools
$ htpasswd -c auth noziroh
$ kubectl create secret generic ingress-basic-auth --from-file=auth
[root@master auth]# htpasswd -c auth noziroh
New password:
Re-type new password:
Adding password for user noziroh
[root@master auth]# kubectl create secret generic ingress-basic-auth --from-file=auth
secret/ingress-basic-auth created
vim ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-with-auth
annotations: # 声明
nginx.ingress.kubernetes.io/auth-type: basic # 开启基础认证
nginx.ingress.kubernetes.io/auth-secret: ingress-basic-auth # 认证的数据文件名字
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - noziroh' # 认证输出的提示信息
spec:
ingressClassName: nginx
rules:
- host: auth.noziroh.com
http:
paths:
- path: /
pathType: ImplementationSpecific # 由ingress控制器本身处理
backend:
service:
name: ingress-httpproxy-auth
port:
number: 80
vim deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: ingress-httpproxy-auth
spec:
replicas: 2
selector:
matchLabels:
hostname: auth
template:
metadata:
labels:
hostname: auth
spec:
containers:
- name: nginx
image: wangyanglinux/myapp:v4.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: ingress-httpproxy-auth
spec:
ports:
- port: 80
targetPort: 80
protocol: TCP
selector:
hostname: auth
[root@master auth]# echo 10.0.17.101 auth.noziroh.com >> /etc/hosts
#浏览器访问输入
# 账号:noziroh
# 密码:root
nginx-ingress 域名重定向
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: redirect.noziroh.com
namespace: default
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/permanent-redirect: https://www.baidu.com # 指定重定向目标地址
nginx.ingress.kubernetes.io/permanent-redirect-code: '301' # 重定向代码 301临时跳转
spec:
ingressClassName: "nginx"
rules:
- host: redirect.noziroh.com # 当前主机名
http:
echo 10.0.17.101 redirect.noziroh.com >> /etc/hosts
[root@master redirect]# curl redirect.noziroh.com -I
HTTP/1.1 301 Moved Permanently
Date: Sun, 01 Sep 2024 07:14:01 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://www.baidu.com
Ingress-nginx 重写
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: rew.noziroh.com
namespace: default
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$2 # 重写的地址 根下重写路径第二个分组
spec:
ingressClassName: "nginx"
rules:
- host: rew.noziroh.com
http:
paths:
- path: /api(/|$)(.*) # 正则表达式 .* 代表所有 (/|$)代表匹配/或末尾
pathType: ImplementationSpecific # 基于当前控制器
backend:
service:
name: ingress-httpproxy-rew # 需要与svc名字相同
port:
number: 80
vim deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: ingress-httpproxy-rew
spec:
replicas: 2
selector:
matchLabels:
hostname: rew
template:
metadata:
labels:
hostname: rew
spec:
containers:
- name: nginx
image: wangyanglinux/myapp:v5.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: ingress-httpproxy-rew
spec:
ports:
- port: 80
targetPort: 80
protocol: TCP
selector:
hostname: rew
~
[root@master rewrite]# kubectl apply -f deployment.yaml
deployment.apps/ingress-httpproxy-rew created
service/ingress-httpproxy-rew created
echo 10.0.17.101 rew.noziroh.com >> /etc/hosts
- Rewrite与Redirect的基本概念
- Rewrite:通常指的是URL重写,是服务器内部对请求URL的一种处理机制。它可以在不改变客户端请求URL的情况下,将请求映射到服务器上的另一个资源逻辑上。
- Redirect:即重定向,是服务器向客户端发送一个指令,告诉客户端去访问另一个URL。这会导致客户端的浏览器地址栏发生变化,并重新发起对新URL的请求。
- Rewrite与Redirect在URL处理上的区别
- Rewrite:是在服务器内部进行的,客户端的浏览器地址栏不会发生变化。它主要用于隐藏实际的URL结构,提高网站的安全性、可读性或实现URL的友好化。
- Redirect:是服务器与客户端之间的交互,客户端的浏览器地址栏会显示新的URL。它主要用于处理URL的变更、临时或永久地移动页面、处理404错误等场景。
- Rewrite与Redirect在服务器与浏览器交互上的差异
- Rewrite:由于是在服务器内部进行,所以浏览器和服务器之间只发生一次交互。服务器直接处理请求,并将结果返回给浏览器,浏览器不知道URL已经被重写。
- Redirect:服务器会向浏览器发送一个重定向指令(通常是HTTP状态码301或302),浏览器接收到指令后,会自动发起对新URL的请求。这意味着浏览器和服务器之间会发生两次交互:第一次是原始请求,第二次是对重定向后URL的请求。
- Rewrite与Redirect在SEO中的应用与影响
- Rewrite:对于SEO来说,URL重写可以帮助实现URL的友好化,提高网站的可读性和用户体验。同时,它还可以帮助隐藏网站的内部结构,防止竞争对手通过URL猜测网站的内容。但是,如果重写规则设置不当,可能会导致搜索引擎无法正确抓取和索引网站内容。
- Redirect:重定向在SEO中扮演着重要角色。当网站页面发生移动或删除时,使用重定向可以确保搜索引擎和用户能够找到新的页面位置。永久重定向(301)会告诉搜索引擎原页面已经永久移动到新位置,并更新搜索引擎索引;临时重定向(302)则用于临时性地更改页面位置,不会更新搜索引擎索引。正确使用重定向可以避免因页面变更而导致的流量损失和排名下降
Ingress-nginx 默认错误后端
安装ingress-nginx时配置
#helm卸载ingress-nginx命令
helm uninstall ingress-nginx -n ingress
# 或修改value.yaml文件后upgrade
vim value.yaml
defaultBackend:
enabled: true
name: defaultbackend
image:
registry: docker.io
image: wangyanglinux/tools
tag: "errweb1.0"
port: 80
[root@master ingress-nginx]# helm upgrade --install ingress-nginx -n ingress . -f values.yamlRelease "ingress-nginx" has been upgraded. Happy Helming!
NAME: ingress-nginx
LAST DEPLOYED: Sun Sep 1 16:00:47 2024
NAMESPACE: ingress
STATUS: deployed
REVISION: 3
TEST SUITE: None
NOTES:
The ingress-nginx controller has been installed.
It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status by running 'kubectl --namespace ingress get services -o wide -w ingress-nginx-controller'
An example Ingress that makes use of the controller:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example
namespace: foo
spec:
ingressClassName: nginx
rules:
- host: www.example.com
http:
paths:
- pathType: Prefix
backend:
service:
name: exampleService
port:
number: 80
path: /
# This section is only required if TLS is to be enabled for the Ingress
tls:
- hosts:
- www.example.com
secretName: example-tls
If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:
apiVersion: v1
kind: Secret
metadata:
name: example-tls
namespace: foo
data:
tls.crt: <base64 encoded cert>
tls.key: <base64 encoded key>
type: kubernetes.io/tls
[root@master ingress-nginx]# kubectl get pod -n ingress
NAME READY STATUS RESTARTS AGE
ingress-nginx-controller-96hg7 1/1 Running 0 2m44s
ingress-nginx-controller-mnncd 1/1 Running 0 2m11s
ingress-nginx-defaultbackend-774db5d85d-dswfk 1/1 Running 0 2m57s
Ingress-nginx 定制错误后端(单独申明错误后端)
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: errcode
name: errcode
spec:
replicas: 1
selector:
matchLabels:
app: errcode
template:
metadata:
labels:
app: errcode
spec:
containers:
- image: wangyanglinux/tools:errweb1.0
name: tools
---
apiVersion: v1
kind: Service
metadata:
labels:
app: errcode
name: errcode
spec:
ports:
- name: 80-80
port: 80
protocol: TCP
targetPort: 80
selector:
app: errcode
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: errtest
name: errtest
spec:
replicas: 1
selector:
matchLabels:
app: errtest
template:
metadata:
labels:
app: errtest
spec:
containers:
- image: wangyanglinux/myapp:v1.0
name: tools
---
apiVersion: v1
kind: Service
metadata:
labels:
app: errtest
name: errtest
spec:
ports:
- name: 80-80
port: 80
protocol: TCP
targetPort: 80
selector:
app: errtest
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: err.noziroh.com
namespace: default
annotations:
nginx.ingress.kubernetes.io/default-backend: 'errcode' # 指定当前后端为errcode
nginx.ingress.kubernetes.io/custom-http-errors: "404,415" # 指定当前错误码 若404 415 使用定制页
spec:
rules:
- host: err.noziroh.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: errtest
port:
number: 80
echo 10.0.17.101 err.noziroh.com >> /etc/hosts
# 访问err.noziroh.com
# 访问err.noziroh.com/123123123123
ingress-nginx 匹配请求头 snippet
模拟移动端与电脑端访问同一域名转发到不同服务
# 修改ingress控制器配置
kubectl edit cm ingress-nginx-controller -n ingress
data:
allow-snippet-annotations: "true"
[root@master test]# kubectl get pod -n ingress
NAME READY STATUS RESTARTS AGE
ingress-nginx-controller-96hg7 1/1 Running 1 (3h31m ago) 3h41m
ingress-nginx-controller-mnncd 1/1 Running 2 (173m ago) 3h41m
ingress-nginx-defaultbackend-774db5d85d-nmgdd 1/1 Running 0 174m
# nginx修改后不触发重载
# 需要删除后自动重建
[root@master test]# kubectl delete -n ingress pod --all
pod "ingress-nginx-controller-96hg7" deleted
pod "ingress-nginx-controller-mnncd" deleted
pod "ingress-nginx-defaultbackend-774db5d85d-nmgdd" deleted
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: snippet
name: snippet
spec:
replicas: 1
selector:
matchLabels:
app: snippet
template:
metadata:
labels:
app: snippet
spec:
containers:
- image: wangyanglinux/myapp:v1.0
name: tools
---
apiVersion: v1
kind: Service
metadata:
labels:
app: snippet
name: snippet
spec:
ports:
- name: 80-80
port: 80
protocol: TCP
targetPort: 80
selector:
app: snippet
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: snippet.noziroh.com
namespace: default
annotations:
nginx.ingress.kubernetes.io/server-snippet: |
set $agentflag 0;
if ($http_user_agent ~* "(Android|IPhone)") {
set $agentflag 1;
}
if ($agentflag = 1) {
return 302 http://www.baidu.com;
}
spec:
rules:
- host: snippet.noziroh.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: snippet
port:
number: 80
echo 10.0.17.101 snippet.noziroh.com >> /etc/hosts
$ curl snippet.noziroh.com
[root@master snippet]# curl snippet.noziroh.com
www.xinxianghf.com | hello MyAPP | version v1.0
$ curl snippet.noziroh.com -H 'User-Agent: Android' -I
[root@master snippet]# curl snippet.noziroh.com -H 'User-Agent: Android' -I
HTTP/1.1 302 Moved Temporarily
Date: Sun, 01 Sep 2024 11:53:29 GMT
Content-Type: text/html
Content-Length: 138
Connection: keep-alive
Location: http://www.baidu.com
ingress-nginx 黑白名单
黑名单
配置方案
- Annotations:支队指定ingress生效
- ConfigMap:全局生效
- 同事配置Annotations和ConfigMap,一般Annotations生效,ConfigMap不生效,因为Annotations优先级高
黑白名单区别
- 白名单默认拒绝所有,只允许配置的地址访问
- 黑名单不允许该地址访问所有
配置方法
- 黑名单使用ConfigMap配置
- 白名单建议Annotations配置
1、configmap 添加黑名单
$ kubectl edit cm ingress-nginx-controller -n ingress
data:
allow-snippet-annotations: "true"
block-cidrs: 10.0.17.101
kubectl delete pod -n ingress --all
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: test
name: test-deploy
spec:
replicas: 1
selector:
matchLabels:
app: test
template:
metadata:
labels:
app: test
spec:
containers:
- image: wangyanglinux/myapp:v1.0
name: myapp
---
apiVersion: v1
kind: Service
metadata:
labels:
app: test
name: test-svc
spec:
ports:
- name: 80-80
port: 80
protocol: TCP
targetPort: 80
selector:
app: test
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: test.noziroh.com
spec:
rules:
- host: test.noziroh.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: test-svc
port:
number: 80
Annotations 添加黑名单
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: black
name: black-deploy
spec:
replicas: 1
selector:
matchLabels:
app: black
template:
metadata:
labels:
app: black
spec:
containers:
- image: wangyanglinux/myapp:v1.0
name: myapp
---
apiVersion: v1
kind: Service
metadata:
labels:
app: black
name: black-svc
spec:
ports:
- name: 80-80
port: 80
protocol: TCP
targetPort: 80
selector:
app: black
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/server-snippet: |-
deny 10.0.17.100;
allow all;
name: black.noziroh.com
spec:
rules:
- host: black.noziroh.com
http:
paths:
- pathType: Prefix
backend:
service:
name: black-svc
port:
number: 80
path: /
白名单
Configmap 设置白名单
kubectl edit cm ingress-nginx-controller -n ingress
apiVersion: v1
data:
allow-snippet-annotations: "true"
whitelist-source-range: 10.0.17.101
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: test
name: test-deploy
spec:
replicas: 1
selector:
matchLabels:
app: test
template:
metadata:
labels:
app: test
spec:
containers:
- image: wangyanglinux/myapp:v1.0
name: myapp
---
apiVersion: v1
kind: Service
metadata:
labels:
app: test
name: test-svc
spec:
ports:
- name: 80-80
port: 80
protocol: TCP
targetPort: 80
selector:
app: test
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: test.noziroh.com
spec:
rules:
- host: test.noziroh.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: test-svc
port:
number: 80
annotations 添加白名单
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: white
name: white-deploy
spec:
replicas: 1
selector:
matchLabels:
app: white
template:
metadata:
labels:
app: white
spec:
containers:
- image: wangyanglinux/myapp:v1.0
name: myapp
---
apiVersion: v1
kind: Service
metadata:
labels:
app: white
name: white-svc
spec:
ports:
- name: 80-80
port: 80
protocol: TCP
targetPort: 80
selector:
app: white
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.17.101
name: white.noziroh.com
spec:
rules:
- host: white.noziroh.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: white-svc
port:
number: 80
ingress-nginx速率限制
基本测试
限速降低后端压力,限制单个IP访问速率防止共计使用rate limit
Annotations标记
nginx.ingress.kubernetes.io/limit-rps: 限制每秒连接,单IP
nginx.ingress.kubernetes.io/limit-rpm: 限制每分钟连接,单IP
nginx.ingress.kubernetes.io/limit-rate: 限制每秒传输速度,单位k 需要开启proxy-buffering
nginx.ingress.kubernetes.io/limit-whitelist:速率限制白名单
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: speed
name: speed-deploy
spec:
replicas: 1
selector:
matchLabels:
app: speed
template:
metadata:
labels:
app: speed
spec:
containers:
- image: wangyanglinux/myapp:v1.0
name: myapp
---
apiVersion: v1
kind: Service
metadata:
labels:
app: speed
name: speed-svc
spec:
ports:
- name: 80-80
port: 80
protocol: TCP
targetPort: 80
selector:
app: speed
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: speed.noziroh.com
namespace: default
spec:
rules:
- host: speed.noziroh.com
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: speed-svc
port:
number: 80
yum install -y httpd-tools
ab -c 10 -n 100 http://speed.noziroh.com/ | grep requests
# -c 并发数 -n 请求数
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: speed.noziroh.com
namespace: default
annotations:
nginx.ingress.kubernetes.io/limit-connections: "1" # 并发数为1
spec:
rules:
- host: speed.noziroh.com
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: speed-svc
port:
number: 80
ingress-nginx 灰度发布(金丝雀部署)
1.创建v1版本ingress
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: v1
name: v1-deploy
spec:
replicas: 10
selector:
matchLabels:
app: v1
template:
metadata:
labels:
app: v1
spec:
containers:
- image: wangyanglinux/myapp:v1.0
name: myapp
---
apiVersion: v1
kind: Service
metadata:
labels:
app: v1
name: v1-svc
spec:
ports:
- name: 80-80
port: 80
protocol: TCP
targetPort: 80
selector:
app: v1
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: v1.noziroh.com
namespace: default
spec:
rules:
- host: svc.noziroh.com
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: v1-svc
port:
number: 80
2.创建一个 v2 版本的 ingress 金丝雀
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: v2
name: v1-deploy
spec:
replicas: 10
selector:
matchLabels:
app: v2
template:
metadata:
labels:
app: v2
spec:
containers:
- image: wangyanglinux/myapp:v2.0
name: myapp
---
apiVersion: v1
kind: Service
metadata:
labels:
app: v2
name: v2-svc
spec:
ports:
- name: 80-80
port: 80
protocol: TCP
targetPort: 80
selector:
app: v2
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: v2.noziroh.com
namespace: default
annotations: # 声明
nginx.ingress.kubernetes.io/canary: "true" # 进行金丝雀部署
nginx.ingress.kubernetes.io/canary-weight: "10" # 部署权重10%
spec:
rules:
- host: svc.noziroh.com
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: v2-svc
port:
number: 80
3.测试
for i in {1..100};do curl svc.noziroh.com >> sum;done
cat sum | sort | uniq -c
ingress-nginx 代理后端 HTTPS 服务
nginx为集群内部提供负载均时使用https访问或代理
kubernetes-dashboard使用的就是https
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: proxyhttps
name: proxyhttps-deploy
spec:
replicas: 1
selector:
matchLabels:
app: proxyhttps
template:
metadata:
labels:
app: proxyhttps
spec:
containers:
- image: wangyanglinux/tools:httpsv1
name: myapp
---
apiVersion: v1
kind: Service
metadata:
labels:
app: proxyhttps
name: proxyhttps-svc
spec:
ports:
- name: 443-443
port: 443
protocol: TCP
targetPort: 443
selector:
app: proxyhttps
type: ClusterIP
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: HTTPS # 声明后端应用使用https协议
name: proxyhttps.noziroh.com
namespace: default
spec:
rules:
- host: proxyhttps.noziroh.com
http:
paths:
- backend:
service:
name: proxyhttps-svc
port:
number: 443
path: /
pathType: ImplementationSpecific
ingress-nginx四层代理
1.tcp
$ kubectl edit -n ingress ingress-nginx-controller
spec:
containers:
- args: # 启动配置
- /nginx-ingress-controller
- --tcp-services-configmap=$(POD_NAMESPACE)/nginx-ingress-tcp-configmap # 指定的ConfigMap对象会读取 转换成4层负载均衡配置文件
创建ConfigMap对象
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-ingress-tcp-configmap
namespace: ingress
data:
"9000": "default/proxyhttps-svc:443" # 4层负载均衡格式 default攻坚下有一个proxyhttps的svc端口为443 四层负载到当前nginx的9000端口
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: proxyhttps
name: proxyhttps-deploy
spec:
replicas: 1
selector:
matchLabels:
app: proxyhttps
template:
metadata:
labels:
app: proxyhttps
spec:
containers:
- image: wangyanglinux/tools:httpsv1
name: myapp
---
apiVersion: v1
kind: Service
metadata:
labels:
app: proxyhttps
name: proxyhttps-svc
spec:
ports:
- name: 443-443
port: 443
protocol: TCP
targetPort: 443
selector:
app: proxyhttps
type: ClusterIP
curl https://10.0.17.101:9000
2.udp
kubectl edit ds -n ingress ingress-nginx-controller
spec:
containers:
- args:
- /nginx-ingress-controller
- --udp-services-configmap=$(POD_NAMESPACE)/nginx-ingress-udp-configmap
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-ingress-udp-configmap
namespace: ingress
data:
"53": "kube-system/kube-dns:53"
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: proxyhttps
name: proxyhttps-deploy
spec:
replicas: 1
selector:
matchLabels:
app: proxyhttps
template:
metadata:
labels:
app: proxyhttps
spec:
containers:
- image: wangyanglinux/tools:httpsv1
name: myapp
---
apiVersion: v1
kind: Service
metadata:
labels:
app: proxyhttps
name: proxyhttps-svc
spec:
ports:
- name: 53
port: 53
protocol: UDP
targetPort: 53
selector:
app: proxyhttps
type: ClusterIP
ingress-nginx 开启链路追踪
#官方部署示例文件
https://raw.githubusercontent.com/jaegertracing/jaeger-kubernetes/master/all-in-one/jaeger-all-in-one-template.yml
kubectl edit cm ingress-nginx-controller -n ingress
apiVersion: v1
data:
allow-snippet-annotations: "true"
enable-opentracing: "true" #开启链路追踪
jaeger-collector-host: jaeger-agent.default.svc.cluster.local # 链路追踪的svc名称
kind: ConfigMap
metadata:
name: ingress-nginx-controller
namespace: ingress-nginx