一、Service概念
Service:一个Pod的逻辑分组,一种可以访问它们的策略 —— 通常称为微服务。这一组Pod能够被Service访问到,通常是通过Label Selector
Service能够提供负载均衡的能力,但是在使用上有以下限制:只提供 4 层负载均衡能力,而没有 7 层功能
二、代理模式
在 Kubernetes 集群中,每个 Node 运行一个kube-proxy进程。kube-proxy负责为Service实现了一种VIP(虚拟 IP)的形式,而不是ExternalName的形式。
在 Kubernetes v1.0 版本,代理完全在 userspace。在Kubernetes v1.1 版本,新增了 iptables 代理,但并不是默认的运行模式。从 Kubernetes v1.2 起,默认就是iptables 代理。在 Kubernetes v1.8.0-beta.0 中,添加了 ipvs 代理在 Kubernetes 1.14 版本开始默认使用ipvs 代理
在 Kubernetes v1.0 版本,Service是 “4层”(TCP/UDP over IP)概念。在 Kubernetes v1.1 版本,新增了Ingress API(beta 版),用来表示 “7层”(HTTP)服务
2.1、userspace 代理模式
2.2、iptables 代理模式
2.3、ipvs 代理模式
这种模式,kube-proxy 会监视 Kubernetes Service对象和Endpoints,调用netlink接口以相应地创建ipvs 规则并定期与 Kubernetes Service对象和Endpoints对象同步 ipvs 规则,以确保 ipvs 状态与期望一致。访问服务时,流量将被重定向到其中一个后端 Pod
与 iptables 类似,ipvs 于 netfilter 的 hook 功能,但使用哈希表作为底层数据结构并在内核空间中工作。这意味着 ipvs 可以更快地重定向流量,并且在同步代理规则时具有更好的性能。此外,ipvs 为负载均衡算法提供了更多选项,例如:
- rr:轮询调度
- lc:最小连接数
- dh:目标哈希
- sh:源哈希
- sed:最短期望延迟
- nq:不排队调度
三、Service类型
Service 在 K8s 中有以下四种类型
3.1、ClusterIp
默认类型,自动分配一个仅 Cluster 内部可以访问的虚拟 IP
clusterIP 主要在每个 node 节点使用 iptables(ipvs),将发向 clusterIP 对应端口的数据,转发到 kube-proxy 中。然后 kube-proxy 自己内部实现有负载均衡的方法,并可以查询到这个 service 下对应 pod 的地址和端口,进而把数据转发给对应的 pod 的地址和端口
为了实现图上的功能,主要需要以下几个组件的协同工作:
- apiserver 用户通过kubectl命令向apiserver发送创建service的命令,apiserver接收到请求后将数据存储到etcd中
- kubernetes的每个节点中都有一个叫做kube-porxy的进程,这个进程负责感知service,pod的变化,并将变化的信息写入本地的iptables规则中
- iptables 使用NAT等技术将virtualIP的流量转至endpoint中
#创建deployment [root@k8s-master01 service]# cat myapp-deploy.yaml apiVersion: apps/v1 kind: Deployment metadata: name: myapp-deploy namespace: default spec: replicas: 3 selector: matchLabels: app: myapp release: stable template: metadata: labels: app: myapp release: stable env: test spec: containers: - name: myapp image: hub.dianchou.com/library/myapp:v1 imagePullPolicy: IfNotPresent ports: - name: http containerPort: 80 [root@k8s-master01 service]# kubectl create -f myapp-deploy.yaml deployment.apps/myapp-deploy created [root@k8s-master01 service]# kubectl get deployment NAME READY UP-TO-DATE AVAILABLE AGE myapp-deploy 3/3 3 3 8s [root@k8s-master01 service]# kubectl get rs NAME DESIRED CURRENT READY AGE myapp-deploy-7cb48b56d7 3 3 3 11s [root@k8s-master01 service]# kubectl get pod NAME READY STATUS RESTARTS AGE myapp-deploy-7cb48b56d7-9g2zm 1/1 Running 0 16s myapp-deploy-7cb48b56d7-dxtbz 1/1 Running 0 16s myapp-deploy-7cb48b56d7-gw4jn 1/1 Running 0 16s [root@k8s-master01 service]# kubectl get pod -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES myapp-deploy-7cb48b56d7-9g2zm 1/1 Running 0 23s 10.244.1.137 k8s-node01 <none> <none> myapp-deploy-7cb48b56d7-dxtbz 1/1 Running 0 23s 10.244.1.138 k8s-node01 <none> <none> myapp-deploy-7cb48b56d7-gw4jn 1/1 Running 0 23s 10.244.2.140 k8s-node02 <none> <none> [root@k8s-master01 service]# curl 10.244.1.137 Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a> #创建service [root@k8s-master01 service]# cat myapp-service.yaml apiVersion: v1 kind: Service metadata: name: myapp namespace: default spec: type: ClusterIP selector: app: myapp release: stable ports: - name: http port: 80 targetPort: 80 [root@k8s-master01 service]# kubectl create -f myapp-service.yaml service/myapp created [root@k8s-master01 service]# kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 31h myapp ClusterIP 10.98.224.21 <none> 80/TCP 30s [root@k8s-master01 service]# curl 10.98.224.21 Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a> [root@k8s-master01 service]# curl 10.98.224.21/hostname.html myapp-deploy-7cb48b56d7-dxtbz [root@k8s-master01 service]# curl 10.98.224.21/hostname.html myapp-deploy-7cb48b56d7-9g2zm [root@k8s-master01 service]# curl 10.98.224.21/hostname.html myapp-deploy-7cb48b56d7-gw4jn
特殊:Headless Service
有时不需要或不想要负载均衡,以及单独的 Service IP 。遇到这种情况,可以通过指定 ClusterIP(spec.clusterIP) 的值为 “None” 来创建 Headless Service 。这类 Service 并不会分配 Cluster IP, kube-proxy 不会处理它们,而且平台也不会为它们进行负载均衡和路由
[root@k8s-master01 service]# cat myapp-svc-headless.yaml apiVersion: v1 kind: Service metadata: name: myapp-headless namespace: default spec: selector: app: myapp clusterIP: "None" ports: - port: 80 targetPort: 80 [root@k8s-master01 service]# kubectl create -f myapp-svc-headless.yaml service/myapp-headless created [root@k8s-master01 service]# kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 31h myapp ClusterIP 10.98.224.21 <none> 80/TCP 8m51s myapp-headless ClusterIP None <none> 80/TCP 5s #通过dns进行域名解析 [root@k8s-master01 service]# kubectl get pod -n kube-system -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES coredns-5c98db65d4-6vgp6 1/1 Running 2 31h 10.244.0.7 k8s-master01 <none> <none> coredns-5c98db65d4-8zbqt 1/1 Running 2 31h 10.244.0.6 k8s-master01 <none> <none> etcd-k8s-master01 1/1 Running 2 31h 10.0.0.11 k8s-master01 <none> <none> kube-apiserver-k8s-master01 1/1 Running 2 31h 10.0.0.11 k8s-master01 <none> <none> kube-controller-manager-k8s-master01 1/1 Running 2 31h 10.0.0.11 k8s-master01 <none> <none> kube-flannel-ds-amd64-m769r 1/1 Running 1 30h 10.0.0.20 k8s-node01 <none> <none> kube-flannel-ds-amd64-sjwph 1/1 Running 1 30h 10.0.0.21 k8s-node02 <none> <none> kube-flannel-ds-amd64-z76v7 1/1 Running 1 30h 10.0.0.11 k8s-master01 <none> <none> kube-proxy-4g57j 1/1 Running 1 30h 10.0.0.20 k8s-node01 <none> <none> kube-proxy-qd4xm 1/1 Running 2 31h 10.0.0.11 k8s-master01 <none> <none> kube-proxy-x66cd 1/1 Running 2 30h 10.0.0.21 k8s-node02 <none> <none> kube-scheduler-k8s-master01 1/1 Running 2 31h 10.0.0.11 k8s-master01 <none> <none> #通过dig命令解析(yum install bind-utils -y) [root@k8s-master01 service]# dig -t A myapp-headless.default.svc.cluster.local. @10.244.0.7 ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t A myapp-headless.default.svc.cluster.local. @10.244.0.7 ;; global options: +cmd ;; Got answer: ;; WARNING: .local is reserved for Multicast DNS ;; You are currently testing what happens when an mDNS query is leaked to DNS ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39219 ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;myapp-headless.default.svc.cluster.local. IN A ;; ANSWER SECTION: myapp-headless.default.svc.cluster.local. 30 IN A 10.244.1.138 #解析成功 myapp-headless.default.svc.cluster.local. 30 IN A 10.244.2.140 myapp-headless.default.svc.cluster.local. 30 IN A 10.244.1.137 ;; Query time: 60 msec ;; SERVER: 10.244.0.7#53(10.244.0.7) ;; WHEN: Mon Feb 03 21:33:48 CST 2020 ;; MSG SIZE rcvd: 237 [root@k8s-master01 service]# kubectl get pod -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES myapp-deploy-7cb48b56d7-9g2zm 1/1 Running 0 18m 10.244.1.137 k8s-node01 <none> <none> myapp-deploy-7cb48b56d7-dxtbz 1/1 Running 0 18m 10.244.1.138 k8s-node01 <none> <none> myapp-deploy-7cb48b56d7-gw4jn 1/1 Running 0 18m 10.244.2.140 k8s-node02 <none> <none>
3.2、NodePort
在 ClusterIP 基础上为 Service 在每台机器上绑定一个端口,这样就可以通过NodeIp:NodePort 来访问该服务
nodePort 的原理在于在 node 上开了一个端口,将向该端口的流量导入到 kube-proxy,然后由 kube-proxy 进一步到给对应的 pod
[root@k8s-master01 service]# cat myapp-service-nodeport.yaml apiVersion: v1 kind: Service metadata: name: myapp namespace: default spec: type: NodePort selector: app: myapp release: stable ports: - name: http port: 80 targetPort: 80 [root@k8s-master01 service]# kubectl create -f myapp-service-nodeport.yaml service/myapp created [root@k8s-master01 service]# kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 31h myapp NodePort 10.98.28.131 <none> 80:30833/TCP 5s #宿主机上会产生随机端口 [root@k8s-master01 service]# netstat -lntp|grep 30833 tcp6 0 0 :::30833 :::* LISTEN 125046/kube-proxy #可以直接访问宿主机ip的随机端口,是负载均衡的 [root@k8s-master01 service]# curl 10.0.0.11:30833 Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a> [root@k8s-master01 service]# curl 10.0.0.11:30833/hostname.html myapp-deploy-7cb48b56d7-dxtbz [root@k8s-master01 service]# curl 10.0.0.11:30833/hostname.html myapp-deploy-7cb48b56d7-9g2zm [root@k8s-master01 service]# curl 10.0.0.11:30833/hostname.html myapp-deploy-7cb48b56d7-gw4jn #查看ipvs规则 [root@k8s-master01 service]# ipvsadm -Ln IP Virtual Server version 1.2.1 (size=4096) Prot LocalAddress:Port Scheduler Flags -> RemoteAddress:Port Forward Weight ActiveConn InActConn .... TCP 10.0.0.11:30833 rr -> 10.244.1.137:80 Masq 1 0 0 -> 10.244.1.138:80 Masq 1 0 0 -> 10.244.2.140:80 Masq 1 0 0
3.3、LoadBalancer
在 NodePort 的基础上,借助 cloud provider 创建一个外部负载均衡器,并将请求转发到NodeIp:NodePort
loadBalancer 和 nodePort 其实是同一种方式。区别在于 loadBalancer 比 nodePort 多了一步,就是可以调用cloud provider(花钱) 去创建 LB 来向节点导流
3.4、ExternalName
把集群外部的服务引入到集群内部来,在集群内部直接使用。没有任何类型代理被创建,这只有 kubernetes 1.7 或更高版本的 kube-dns 才支持
这种类型的 Service 通过返回 CNAME 和它的值,可以将服务映射到 externalName 字段的内容( 例如:hub.atguigu.com )。ExternalName Service 是 Service 的特例,它没有 selector,也没有定义任何的端口和Endpoint。相反的,对于运行在集群外部的服务,它通过返回该外部服务的别名这种方式来提供服务
[root@k8s-master01 service]# cat ExternalName.yaml apiVersion: v1 kind: Service metadata: name: my-service-1 namespace: default spec: type: ExternalName externalName: hub.dianchou.com [root@k8s-master01 service]# kubectl create -f ExternalName.yaml service/my-service-1 created [root@k8s-master01 service]# kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 31h my-service-1 ExternalName <none> hub.dianchou.com <none> 5s myapp NodePort 10.98.28.131 <none> 80:30833/TCP 17m [root@k8s-master01 service]# dig -t A my-service-1.default.svc.cluster.local. @10.244.0.7 ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t A my-service-1.default.svc.cluster.local. @10.244.0.7 ;; global options: +cmd ;; Got answer: ;; WARNING: .local is reserved for Multicast DNS ;; You are currently testing what happens when an mDNS query is leaked to DNS ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9807 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;my-service-1.default.svc.cluster.local. IN A ;; ANSWER SECTION: my-service-1.default.svc.cluster.local. 30 IN CNAME hub.dianchou.com. ;; Query time: 156 msec ;; SERVER: 10.244.0.7#53(10.244.0.7) ;; WHEN: Mon Feb 03 22:08:29 CST 2020 ;; MSG SIZE rcvd: 135
当查询主机 my-service-1.defalut.svc.cluster.local ( SVC_NAME.NAMESPACE.svc.cluster.local. )时,集群的DNS 服务将返回一个值 hub.dianchou.com 的 CNAME 记录。访问这个服务的工作方式和其他的相同,唯一不同的是重定向发生在 DNS 层,而且不会进行代理或转发
四、Ingress(七层负载均衡)
Ingress-Nginx github 地址:https://github.com/kubernetes/ingress-nginx
Ingress-Nginx 官方网站:https://kubernetes.github.io/ingress-nginx/
4.1、原理简介
4.2、部署Ingress-Nginx
[root@k8s-master01 ingress]# kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.28.0/deploy/static/mandatory.yaml [root@k8s-master01 ingress]# kubectl get pod -n ingress-nginx NAME READY STATUS RESTARTS AGE nginx-ingress-controller-5876d56d4c-h86vr 1/1 Running 0 11s #使用NodePort暴露服务 [root@k8s-master01 ingress]# kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.28.0/deploy/static/provider/baremetal/service-nodeport.yaml service/ingress-nginx created [root@k8s-master01 ingress]# kubectl get svc -n ingress-nginx NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE ingress-nginx NodePort 10.111.99.244 <none> 80:31055/TCP,443:32472/TCP 22s
4.3、Ingress HTTP 代理访问
[root@k8s-master01 ingress]# cat ingress-http.yaml apiVersion: extensions/v1beta1 kind: Deployment metadata: name: nginx-dm spec: replicas: 2 template: metadata: labels: name: nginx spec: containers: - name: nginx image: hub.dianchou.com/library/myapp:v1 imagePullPolicy: IfNotPresent ports: - containerPort: 80 --- apiVersion: v1 kind: Service metadata: name: nginx-svc spec: ports: - port: 80 targetPort: 80 protocol: TCP selector: name: nginx --- #ingress关联service,提供域名访问 apiVersion: extensions/v1beta1 kind: Ingress metadata: name: nginx-test spec: rules: - host: www1.dianchou.com http: paths: - path: / backend: serviceName: nginx-svc servicePort: 80 [root@k8s-master01 ingress]# kubectl apply -f ingress-http.yaml deployment.extensions/nginx-dm created service/nginx-svc created ingress.extensions/nginx-test created [root@k8s-master01 ingress]# kubectl get ingress NAME HOSTS ADDRESS PORTS AGE nginx-test www1.dianchou.com 10.111.99.244 80 10s [root@k8s-master01 ingress]# kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 44h nginx-svc ClusterIP 10.103.4.238 <none> 80/TCP 17s [root@k8s-master01 ingress]# kubectl get pod -n ingress-nginx NAME READY STATUS RESTARTS AGE nginx-ingress-controller-5876d56d4c-h86vr 1/1 Running 0 28m [root@k8s-master01 ingress]# kubectl get pod -n ingress-nginx -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES nginx-ingress-controller-5876d56d4c-h86vr 1/1 Running 0 28m 10.244.2.143 k8s-node02 <none> <none> [root@k8s-master01 ingress]# kubectl get svc -n ingress-nginx NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE ingress-nginx NodePort 10.111.99.244 <none> 80:31055/TCP,443:32472/TCP 28m [root@k8s-master01 ingress]# curl 10.103.4.238/hostname.html nginx-dm-8dcbdb778-dclhn [root@k8s-master01 ingress]# curl 10.103.4.238/hostname.html nginx-dm-8dcbdb778-7qsnh #在windows上做域名解析:10.0.0.11 www1.dianchou.com #在浏览器访问域名,注意端口:80:31055/TCP,443:32472/TCP
实验:使用ingress实现不同域名的虚拟主机访问
[root@k8s-master01 ingress-vhost]# ls deployment1-svc1.yaml deployment2-svc2.yaml #创建deployment1及svc1 [root@k8s-master01 ingress-vhost]# cat deployment1-svc1.yaml apiVersion: extensions/v1beta1 kind: Deployment metadata: name: deployment1 spec: replicas: 2 template: metadata: labels: name: nginx1 spec: containers: - name: nginx1 image: hub.dianchou.com/library/myapp:v1 imagePullPolicy: IfNotPresent ports: - containerPort: 80 --- apiVersion: v1 kind: Service metadata: name: svc1 spec: ports: - port: 80 targetPort: 80 protocol: TCP selector: name: nginx1 [root@k8s-master01 ingress-vhost]# kubectl create -f deployment1-svc1.yaml deployment.extensions/deployment1 created service/svc1 created #创建deployment2及svc2 [root@k8s-master01 ingress-vhost]# cat deployment2-svc2.yaml apiVersion: extensions/v1beta1 kind: Deployment metadata: name: deployment2 spec: replicas: 2 template: metadata: labels: name: nginx2 spec: containers: - name: nginx2 image: hub.dianchou.com/library/myapp:v2 imagePullPolicy: IfNotPresent ports: - containerPort: 80 --- apiVersion: v1 kind: Service metadata: name: svc2 spec: ports: - port: 80 targetPort: 80 protocol: TCP selector: name: nginx2 [root@k8s-master01 ingress-vhost]# kubectl create -f deployment2-svc2.yaml deployment.extensions/deployment2 created service/svc2 created [root@k8s-master01 ingress-vhost]# kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 44h svc1 ClusterIP 10.109.57.186 <none> 80/TCP 25s svc2 ClusterIP 10.101.144.196 <none> 80/TCP 11s [root@k8s-master01 ingress-vhost]# curl 10.109.57.186 Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a> [root@k8s-master01 ingress-vhost]# curl 10.101.144.196 Hello MyApp | Version: v2 | <a href="hostname.html">Pod Name</a> #创建ingress [root@k8s-master01 ingress-vhost]# cat ingress.yaml apiVersion: extensions/v1beta1 kind: Ingress metadata: name: ingress1 spec: rules: - host: www1.dianchou.com http: paths: - path: / backend: serviceName: svc1 servicePort: 80 --- apiVersion: extensions/v1beta1 kind: Ingress metadata: name: ingress2 spec: rules: - host: www2.dianchou.com http: paths: - path: / backend: serviceName: svc2 servicePort: 80 [root@k8s-master01 ingress-vhost]# kubectl create -f ingress.yaml ingress.extensions/ingress1 created ingress.extensions/ingress2 created [root@k8s-master01 ingress-vhost]# kubectl get ingress NAME HOSTS ADDRESS PORTS AGE ingress1 www1.dianchou.com 10.111.99.244 80 100s ingress2 www2.dianchou.com 10.111.99.244 80 100s #windows做hosts解析,访问测试 10.0.0.11 www1.dianchou.com 10.0.0.11 www2.dianchou.com
4.4、Ingress https代理访问
1)创建证书以及 cert 存储方式
[root@k8s-master01 ingress-https]# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc" Generating a 2048 bit RSA private key .............+++ ......+++ writing new private key to 'tls.key' ----- [root@k8s-master01 ingress-https]# kubectl create secret tls tls-secret --key tls.key --cert tls.crt secret/tls-secret created [root@k8s-master01 ingress-https]# ls tls.crt tls.key
2)创建deployment、Service、Ingress Yaml 文件
[root@k8s-master01 ingress-https]# cat deployment3-svc3-ingress3.yaml apiVersion: extensions/v1beta1 kind: Deployment metadata: name: deployment3 spec: replicas: 2 template: metadata: labels: name: nginx3 spec: containers: - name: nginx3 image: hub.dianchou.com/library/myapp:v3 imagePullPolicy: IfNotPresent ports: - containerPort: 80 --- apiVersion: v1 kind: Service metadata: name: svc3 spec: ports: - port: 80 targetPort: 80 protocol: TCP selector: name: nginx3 --- apiVersion: extensions/v1beta1 kind: Ingress metadata: name: ingress3 spec: tls: - hosts: - www3.dianchou.com secretName: tls-secret rules: - host: www3.dianchou.com http: paths: - path: / backend: serviceName: svc3 servicePort: 80 [root@k8s-master01 ingress-https]# kubectl apply -f deployment3-svc3-ingress3.yaml deployment.extensions/deployment3 created service/svc3 created ingress.extensions/ingress3 created [root@k8s-master01 ingress-https]# kubectl get ingress NAME HOSTS ADDRESS PORTS AGE ingress1 www1.dianchou.com 10.111.99.244 80 25m ingress2 www2.dianchou.com 10.111.99.244 80 25m ingress3 www3.dianchou.com 80, 443 6s [root@k8s-master01 ingress-https]# kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 45h svc1 ClusterIP 10.109.57.186 <none> 80/TCP 30m svc2 ClusterIP 10.101.144.196 <none> 80/TCP 30m svc3 ClusterIP 10.99.196.231 <none> 80/TCP 18s [root@k8s-master01 ingress-https]# curl 10.99.196.231 Hello MyApp | Version: v3 | <a href="hostname.html">Pod Name</a> [root@k8s-master01 ingress-https]# kubectl get svc -n ingress-nginx NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE ingress-nginx NodePort 10.111.99.244 <none> 80:31055/TCP,443:32472/TCP 90m
3)hosts解析,浏览器测试https://www3.dianchou.com:32472/
4.5、nginx BasicAuth访问认证
1)创建密码文件
[root@k8s-master01 basic-auth]# yum -y install httpd [root@k8s-master01 basic-auth]# htpasswd -c auth foo #文件名auth,用户名foo New password: Re-type new password: Adding password for user foo [root@k8s-master01 basic-auth]# ls auth [root@k8s-master01 basic-auth]# kubectl create secret generic basic-auth --from-file=auth secret/basic-auth created
2)创建ingress文件
[root@k8s-master01 basic-auth]# cat ingress-basicAuth.yaml apiVersion: extensions/v1beta1 kind: Ingress metadata: name: ingress-with-auth annotations: nginx.ingress.kubernetes.io/auth-type: basic nginx.ingress.kubernetes.io/auth-secret: basic-auth nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo' spec: rules: - host: auth.dianchou.com http: paths: - path: / backend: serviceName: svc1 servicePort: 80 [root@k8s-master01 basic-auth]# kubectl apply -f ingress-basicAuth.yaml ingress.extensions/ingress-with-auth created [root@k8s-master01 basic-auth]# kubectl get ingress NAME HOSTS ADDRESS PORTS AGE ingress-with-auth auth.dianchou.com 10.111.99.244 80 6s ingress1 www1.dianchou.com 10.111.99.244 80 42m ingress2 www2.dianchou.com 10.111.99.244 80 42m ingress3 www3.dianchou.com 10.111.99.244 80, 443 16m [root@k8s-master01 basic-auth]# kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 45h svc1 ClusterIP 10.109.57.186 <none> 80/TCP 47m svc2 ClusterIP 10.101.144.196 <none> 80/TCP 46m svc3 ClusterIP 10.99.196.231 <none> 80/TCP 17m [root@k8s-master01 basic-auth]# kubectl get svc -n ingress-nginx NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE ingress-nginx NodePort 10.111.99.244 <none> 80:31055/TCP,443:32472/TCP 107m #hosts解析。浏览器测试
4.6、nginx重写
实验模拟:
[root@k8s-master01 rewrite]# cat ingress-rewrite.yaml apiVersion: extensions/v1beta1 kind: Ingress metadata: name: ingress-rewrite annotations: nginx.ingress.kubernetes.io/rewrite-target: https://www3.dianchou.com:32472/ spec: rules: - host: re.dianchou.com http: paths: - path: / backend: serviceName: svc1 servicePort: 80 [root@k8s-master01 rewrite]# kubectl create -f ingress-rewrite.yaml ingress.extensions/ingress-rewrite created [root@k8s-master01 rewrite]# kubectl get ingress NAME HOSTS ADDRESS PORTS AGE ingress-rewrite re.dianchou.com 10.111.99.244 80 5s ingress-with-auth auth.dianchou.com 10.111.99.244 80 26m ingress1 www1.dianchou.com 10.111.99.244 80 68m ingress2 www2.dianchou.com 10.111.99.244 80 68m ingress3 www3.dianchou.com 10.111.99.244 80, 443 42m #hosts解析,浏览器访问测试 http://re.dianchou.com:31055 ==> https://www3.dianchou.com:32472/