一、Service概念
Service:一个Pod的逻辑分组,一种可以访问它们的策略 —— 通常称为微服务。这一组Pod能够被Service访问到,通常是通过Label Selector
Service能够提供负载均衡的能力,但是在使用上有以下限制:只提供 4 层负载均衡能力,而没有 7 层功能
二、代理模式
在 Kubernetes 集群中,每个 Node 运行一个kube-proxy进程。kube-proxy负责为Service实现了一种VIP(虚拟 IP)的形式,而不是ExternalName的形式。
在 Kubernetes v1.0 版本,代理完全在 userspace。在Kubernetes v1.1 版本,新增了 iptables 代理,但并不是默认的运行模式。从 Kubernetes v1.2 起,默认就是iptables 代理。在 Kubernetes v1.8.0-beta.0 中,添加了 ipvs 代理在 Kubernetes 1.14 版本开始默认使用ipvs 代理
在 Kubernetes v1.0 版本,Service是 “4层”(TCP/UDP over IP)概念。在 Kubernetes v1.1 版本,新增了Ingress API(beta 版),用来表示 “7层”(HTTP)服务
2.1、userspace 代理模式
2.2、iptables 代理模式
2.3、ipvs 代理模式
这种模式,kube-proxy 会监视 Kubernetes Service对象和Endpoints,调用netlink接口以相应地创建ipvs 规则并定期与 Kubernetes Service对象和Endpoints对象同步 ipvs 规则,以确保 ipvs 状态与期望一致。访问服务时,流量将被重定向到其中一个后端 Pod
与 iptables 类似,ipvs 于 netfilter 的 hook 功能,但使用哈希表作为底层数据结构并在内核空间中工作。这意味着 ipvs 可以更快地重定向流量,并且在同步代理规则时具有更好的性能。此外,ipvs 为负载均衡算法提供了更多选项,例如:
- rr:轮询调度
- lc:最小连接数
- dh:目标哈希
- sh:源哈希
- sed:最短期望延迟
- nq:不排队调度
三、Service类型
Service 在 K8s 中有以下四种类型
3.1、ClusterIp
默认类型,自动分配一个仅 Cluster 内部可以访问的虚拟 IP
clusterIP 主要在每个 node 节点使用 iptables(ipvs),将发向 clusterIP 对应端口的数据,转发到 kube-proxy 中。然后 kube-proxy 自己内部实现有负载均衡的方法,并可以查询到这个 service 下对应 pod 的地址和端口,进而把数据转发给对应的 pod 的地址和端口
为了实现图上的功能,主要需要以下几个组件的协同工作:
- apiserver 用户通过kubectl命令向apiserver发送创建service的命令,apiserver接收到请求后将数据存储到etcd中
- kubernetes的每个节点中都有一个叫做kube-porxy的进程,这个进程负责感知service,pod的变化,并将变化的信息写入本地的iptables规则中
- iptables 使用NAT等技术将virtualIP的流量转至endpoint中
#创建deployment
[root@k8s-master01 service]# cat myapp-deploy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp-deploy
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: myapp
release: stable
template:
metadata:
labels:
app: myapp
release: stable
env: test
spec:
containers:
- name: myapp
image: hub.dianchou.com/library/myapp:v1
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 80
[root@k8s-master01 service]# kubectl create -f myapp-deploy.yaml
deployment.apps/myapp-deploy created
[root@k8s-master01 service]# kubectl get deployment
NAME READY UP-TO-DATE AVAILABLE AGE
myapp-deploy 3/3 3 3 8s
[root@k8s-master01 service]# kubectl get rs
NAME DESIRED CURRENT READY AGE
myapp-deploy-7cb48b56d7 3 3 3 11s
[root@k8s-master01 service]# kubectl get pod
NAME READY STATUS RESTARTS AGE
myapp-deploy-7cb48b56d7-9g2zm 1/1 Running 0 16s
myapp-deploy-7cb48b56d7-dxtbz 1/1 Running 0 16s
myapp-deploy-7cb48b56d7-gw4jn 1/1 Running 0 16s
[root@k8s-master01 service]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
myapp-deploy-7cb48b56d7-9g2zm 1/1 Running 0 23s 10.244.1.137 k8s-node01 <none> <none>
myapp-deploy-7cb48b56d7-dxtbz 1/1 Running 0 23s 10.244.1.138 k8s-node01 <none> <none>
myapp-deploy-7cb48b56d7-gw4jn 1/1 Running 0 23s 10.244.2.140 k8s-node02 <none> <none>
[root@k8s-master01 service]# curl 10.244.1.137
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
#创建service
[root@k8s-master01 service]# cat myapp-service.yaml
apiVersion: v1
kind: Service
metadata:
name: myapp
namespace: default
spec:
type: ClusterIP
selector:
app: myapp
release: stable
ports:
- name: http
port: 80
targetPort: 80
[root@k8s-master01 service]# kubectl create -f myapp-service.yaml
service/myapp created
[root@k8s-master01 service]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 31h
myapp ClusterIP 10.98.224.21 <none> 80/TCP 30s
[root@k8s-master01 service]# curl 10.98.224.21
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
[root@k8s-master01 service]# curl 10.98.224.21/hostname.html
myapp-deploy-7cb48b56d7-dxtbz
[root@k8s-master01 service]# curl 10.98.224.21/hostname.html
myapp-deploy-7cb48b56d7-9g2zm
[root@k8s-master01 service]# curl 10.98.224.21/hostname.html
myapp-deploy-7cb48b56d7-gw4jn特殊:Headless Service
有时不需要或不想要负载均衡,以及单独的 Service IP 。遇到这种情况,可以通过指定 ClusterIP(spec.clusterIP) 的值为 “None” 来创建 Headless Service 。这类 Service 并不会分配 Cluster IP, kube-proxy 不会处理它们,而且平台也不会为它们进行负载均衡和路由
[root@k8s-master01 service]# cat myapp-svc-headless.yaml
apiVersion: v1
kind: Service
metadata:
name: myapp-headless
namespace: default
spec:
selector:
app: myapp
clusterIP: "None"
ports:
- port: 80
targetPort: 80
[root@k8s-master01 service]# kubectl create -f myapp-svc-headless.yaml
service/myapp-headless created
[root@k8s-master01 service]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 31h
myapp ClusterIP 10.98.224.21 <none> 80/TCP 8m51s
myapp-headless ClusterIP None <none> 80/TCP 5s
#通过dns进行域名解析
[root@k8s-master01 service]# kubectl get pod -n kube-system -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
coredns-5c98db65d4-6vgp6 1/1 Running 2 31h 10.244.0.7 k8s-master01 <none> <none>
coredns-5c98db65d4-8zbqt 1/1 Running 2 31h 10.244.0.6 k8s-master01 <none> <none>
etcd-k8s-master01 1/1 Running 2 31h 10.0.0.11 k8s-master01 <none> <none>
kube-apiserver-k8s-master01 1/1 Running 2 31h 10.0.0.11 k8s-master01 <none> <none>
kube-controller-manager-k8s-master01 1/1 Running 2 31h 10.0.0.11 k8s-master01 <none> <none>
kube-flannel-ds-amd64-m769r 1/1 Running 1 30h 10.0.0.20 k8s-node01 <none> <none>
kube-flannel-ds-amd64-sjwph 1/1 Running 1 30h 10.0.0.21 k8s-node02 <none> <none>
kube-flannel-ds-amd64-z76v7 1/1 Running 1 30h 10.0.0.11 k8s-master01 <none> <none>
kube-proxy-4g57j 1/1 Running 1 30h 10.0.0.20 k8s-node01 <none> <none>
kube-proxy-qd4xm 1/1 Running 2 31h 10.0.0.11 k8s-master01 <none> <none>
kube-proxy-x66cd 1/1 Running 2 30h 10.0.0.21 k8s-node02 <none> <none>
kube-scheduler-k8s-master01 1/1 Running 2 31h 10.0.0.11 k8s-master01 <none> <none>
#通过dig命令解析(yum install bind-utils -y)
[root@k8s-master01 service]# dig -t A myapp-headless.default.svc.cluster.local. @10.244.0.7
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t A myapp-headless.default.svc.cluster.local. @10.244.0.7
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39219
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;myapp-headless.default.svc.cluster.local. IN A
;; ANSWER SECTION:
myapp-headless.default.svc.cluster.local. 30 IN A 10.244.1.138 #解析成功
myapp-headless.default.svc.cluster.local. 30 IN A 10.244.2.140
myapp-headless.default.svc.cluster.local. 30 IN A 10.244.1.137
;; Query time: 60 msec
;; SERVER: 10.244.0.7#53(10.244.0.7)
;; WHEN: Mon Feb 03 21:33:48 CST 2020
;; MSG SIZE rcvd: 237
[root@k8s-master01 service]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
myapp-deploy-7cb48b56d7-9g2zm 1/1 Running 0 18m 10.244.1.137 k8s-node01 <none> <none>
myapp-deploy-7cb48b56d7-dxtbz 1/1 Running 0 18m 10.244.1.138 k8s-node01 <none> <none>
myapp-deploy-7cb48b56d7-gw4jn 1/1 Running 0 18m 10.244.2.140 k8s-node02 <none> <none>3.2、NodePort
在 ClusterIP 基础上为 Service 在每台机器上绑定一个端口,这样就可以通过NodeIp:NodePort 来访问该服务
nodePort 的原理在于在 node 上开了一个端口,将向该端口的流量导入到 kube-proxy,然后由 kube-proxy 进一步到给对应的 pod
[root@k8s-master01 service]# cat myapp-service-nodeport.yaml
apiVersion: v1
kind: Service
metadata:
name: myapp
namespace: default
spec:
type: NodePort
selector:
app: myapp
release: stable
ports:
- name: http
port: 80
targetPort: 80
[root@k8s-master01 service]# kubectl create -f myapp-service-nodeport.yaml
service/myapp created
[root@k8s-master01 service]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 31h
myapp NodePort 10.98.28.131 <none> 80:30833/TCP 5s
#宿主机上会产生随机端口
[root@k8s-master01 service]# netstat -lntp|grep 30833
tcp6 0 0 :::30833 :::* LISTEN 125046/kube-proxy
#可以直接访问宿主机ip的随机端口,是负载均衡的
[root@k8s-master01 service]# curl 10.0.0.11:30833
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
[root@k8s-master01 service]# curl 10.0.0.11:30833/hostname.html
myapp-deploy-7cb48b56d7-dxtbz
[root@k8s-master01 service]# curl 10.0.0.11:30833/hostname.html
myapp-deploy-7cb48b56d7-9g2zm
[root@k8s-master01 service]# curl 10.0.0.11:30833/hostname.html
myapp-deploy-7cb48b56d7-gw4jn
#查看ipvs规则
[root@k8s-master01 service]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
....
TCP 10.0.0.11:30833 rr
-> 10.244.1.137:80 Masq 1 0 0
-> 10.244.1.138:80 Masq 1 0 0
-> 10.244.2.140:80 Masq 1 0 0 3.3、LoadBalancer
在 NodePort 的基础上,借助 cloud provider 创建一个外部负载均衡器,并将请求转发到NodeIp:NodePort
loadBalancer 和 nodePort 其实是同一种方式。区别在于 loadBalancer 比 nodePort 多了一步,就是可以调用cloud provider(花钱) 去创建 LB 来向节点导流
3.4、ExternalName
把集群外部的服务引入到集群内部来,在集群内部直接使用。没有任何类型代理被创建,这只有 kubernetes 1.7 或更高版本的 kube-dns 才支持
这种类型的 Service 通过返回 CNAME 和它的值,可以将服务映射到 externalName 字段的内容( 例如:hub.atguigu.com )。ExternalName Service 是 Service 的特例,它没有 selector,也没有定义任何的端口和Endpoint。相反的,对于运行在集群外部的服务,它通过返回该外部服务的别名这种方式来提供服务
[root@k8s-master01 service]# cat ExternalName.yaml apiVersion: v1 kind: Service metadata: name: my-service-1 namespace: default spec: type: ExternalName externalName: hub.dianchou.com [root@k8s-master01 service]# kubectl create -f ExternalName.yaml service/my-service-1 created [root@k8s-master01 service]# kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 31h my-service-1 ExternalName <none> hub.dianchou.com <none> 5s myapp NodePort 10.98.28.131 <none> 80:30833/TCP 17m [root@k8s-master01 service]# dig -t A my-service-1.default.svc.cluster.local. @10.244.0.7 ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t A my-service-1.default.svc.cluster.local. @10.244.0.7 ;; global options: +cmd ;; Got answer: ;; WARNING: .local is reserved for Multicast DNS ;; You are currently testing what happens when an mDNS query is leaked to DNS ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9807 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;my-service-1.default.svc.cluster.local. IN A ;; ANSWER SECTION: my-service-1.default.svc.cluster.local. 30 IN CNAME hub.dianchou.com. ;; Query time: 156 msec ;; SERVER: 10.244.0.7#53(10.244.0.7) ;; WHEN: Mon Feb 03 22:08:29 CST 2020 ;; MSG SIZE rcvd: 135
当查询主机 my-service-1.defalut.svc.cluster.local ( SVC_NAME.NAMESPACE.svc.cluster.local. )时,集群的DNS 服务将返回一个值 hub.dianchou.com 的 CNAME 记录。访问这个服务的工作方式和其他的相同,唯一不同的是重定向发生在 DNS 层,而且不会进行代理或转发
四、Ingress(七层负载均衡)
Ingress-Nginx github 地址:https://github.com/kubernetes/ingress-nginx
Ingress-Nginx 官方网站:https://kubernetes.github.io/ingress-nginx/
4.1、原理简介
4.2、部署Ingress-Nginx
[root@k8s-master01 ingress]# kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.28.0/deploy/static/mandatory.yaml [root@k8s-master01 ingress]# kubectl get pod -n ingress-nginx NAME READY STATUS RESTARTS AGE nginx-ingress-controller-5876d56d4c-h86vr 1/1 Running 0 11s #使用NodePort暴露服务 [root@k8s-master01 ingress]# kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.28.0/deploy/static/provider/baremetal/service-nodeport.yaml service/ingress-nginx created [root@k8s-master01 ingress]# kubectl get svc -n ingress-nginx NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE ingress-nginx NodePort 10.111.99.244 <none> 80:31055/TCP,443:32472/TCP 22s
4.3、Ingress HTTP 代理访问
[root@k8s-master01 ingress]# cat ingress-http.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: nginx-dm
spec:
replicas: 2
template:
metadata:
labels:
name: nginx
spec:
containers:
- name: nginx
image: hub.dianchou.com/library/myapp:v1
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: nginx-svc
spec:
ports:
- port: 80
targetPort: 80
protocol: TCP
selector:
name: nginx
---
#ingress关联service,提供域名访问
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: nginx-test
spec:
rules:
- host: www1.dianchou.com
http:
paths:
- path: /
backend:
serviceName: nginx-svc
servicePort: 80
[root@k8s-master01 ingress]# kubectl apply -f ingress-http.yaml
deployment.extensions/nginx-dm created
service/nginx-svc created
ingress.extensions/nginx-test created
[root@k8s-master01 ingress]# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
nginx-test www1.dianchou.com 10.111.99.244 80 10s
[root@k8s-master01 ingress]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 44h
nginx-svc ClusterIP 10.103.4.238 <none> 80/TCP 17s
[root@k8s-master01 ingress]# kubectl get pod -n ingress-nginx
NAME READY STATUS RESTARTS AGE
nginx-ingress-controller-5876d56d4c-h86vr 1/1 Running 0 28m
[root@k8s-master01 ingress]# kubectl get pod -n ingress-nginx -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-ingress-controller-5876d56d4c-h86vr 1/1 Running 0 28m 10.244.2.143 k8s-node02 <none> <none>
[root@k8s-master01 ingress]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.111.99.244 <none> 80:31055/TCP,443:32472/TCP 28m
[root@k8s-master01 ingress]# curl 10.103.4.238/hostname.html
nginx-dm-8dcbdb778-dclhn
[root@k8s-master01 ingress]# curl 10.103.4.238/hostname.html
nginx-dm-8dcbdb778-7qsnh
#在windows上做域名解析:10.0.0.11 www1.dianchou.com
#在浏览器访问域名,注意端口:80:31055/TCP,443:32472/TCP 
实验:使用ingress实现不同域名的虚拟主机访问
[root@k8s-master01 ingress-vhost]# ls
deployment1-svc1.yaml deployment2-svc2.yaml
#创建deployment1及svc1
[root@k8s-master01 ingress-vhost]# cat deployment1-svc1.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: deployment1
spec:
replicas: 2
template:
metadata:
labels:
name: nginx1
spec:
containers:
- name: nginx1
image: hub.dianchou.com/library/myapp:v1
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: svc1
spec:
ports:
- port: 80
targetPort: 80
protocol: TCP
selector:
name: nginx1
[root@k8s-master01 ingress-vhost]# kubectl create -f deployment1-svc1.yaml
deployment.extensions/deployment1 created
service/svc1 created
#创建deployment2及svc2
[root@k8s-master01 ingress-vhost]# cat deployment2-svc2.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: deployment2
spec:
replicas: 2
template:
metadata:
labels:
name: nginx2
spec:
containers:
- name: nginx2
image: hub.dianchou.com/library/myapp:v2
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: svc2
spec:
ports:
- port: 80
targetPort: 80
protocol: TCP
selector:
name: nginx2
[root@k8s-master01 ingress-vhost]# kubectl create -f deployment2-svc2.yaml
deployment.extensions/deployment2 created
service/svc2 created
[root@k8s-master01 ingress-vhost]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 44h
svc1 ClusterIP 10.109.57.186 <none> 80/TCP 25s
svc2 ClusterIP 10.101.144.196 <none> 80/TCP 11s
[root@k8s-master01 ingress-vhost]# curl 10.109.57.186
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
[root@k8s-master01 ingress-vhost]# curl 10.101.144.196
Hello MyApp | Version: v2 | <a href="hostname.html">Pod Name</a>
#创建ingress
[root@k8s-master01 ingress-vhost]# cat ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress1
spec:
rules:
- host: www1.dianchou.com
http:
paths:
- path: /
backend:
serviceName: svc1
servicePort: 80
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress2
spec:
rules:
- host: www2.dianchou.com
http:
paths:
- path: /
backend:
serviceName: svc2
servicePort: 80
[root@k8s-master01 ingress-vhost]# kubectl create -f ingress.yaml
ingress.extensions/ingress1 created
ingress.extensions/ingress2 created
[root@k8s-master01 ingress-vhost]# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
ingress1 www1.dianchou.com 10.111.99.244 80 100s
ingress2 www2.dianchou.com 10.111.99.244 80 100s
#windows做hosts解析,访问测试
10.0.0.11 www1.dianchou.com
10.0.0.11 www2.dianchou.com
4.4、Ingress https代理访问
1)创建证书以及 cert 存储方式
[root@k8s-master01 ingress-https]# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc" Generating a 2048 bit RSA private key .............+++ ......+++ writing new private key to 'tls.key' ----- [root@k8s-master01 ingress-https]# kubectl create secret tls tls-secret --key tls.key --cert tls.crt secret/tls-secret created [root@k8s-master01 ingress-https]# ls tls.crt tls.key
2)创建deployment、Service、Ingress Yaml 文件
[root@k8s-master01 ingress-https]# cat deployment3-svc3-ingress3.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: deployment3
spec:
replicas: 2
template:
metadata:
labels:
name: nginx3
spec:
containers:
- name: nginx3
image: hub.dianchou.com/library/myapp:v3
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: svc3
spec:
ports:
- port: 80
targetPort: 80
protocol: TCP
selector:
name: nginx3
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress3
spec:
tls:
- hosts:
- www3.dianchou.com
secretName: tls-secret
rules:
- host: www3.dianchou.com
http:
paths:
- path: /
backend:
serviceName: svc3
servicePort: 80
[root@k8s-master01 ingress-https]# kubectl apply -f deployment3-svc3-ingress3.yaml
deployment.extensions/deployment3 created
service/svc3 created
ingress.extensions/ingress3 created
[root@k8s-master01 ingress-https]# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
ingress1 www1.dianchou.com 10.111.99.244 80 25m
ingress2 www2.dianchou.com 10.111.99.244 80 25m
ingress3 www3.dianchou.com 80, 443 6s
[root@k8s-master01 ingress-https]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 45h
svc1 ClusterIP 10.109.57.186 <none> 80/TCP 30m
svc2 ClusterIP 10.101.144.196 <none> 80/TCP 30m
svc3 ClusterIP 10.99.196.231 <none> 80/TCP 18s
[root@k8s-master01 ingress-https]# curl 10.99.196.231
Hello MyApp | Version: v3 | <a href="hostname.html">Pod Name</a>
[root@k8s-master01 ingress-https]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.111.99.244 <none> 80:31055/TCP,443:32472/TCP 90m3)hosts解析,浏览器测试https://www3.dianchou.com:32472/
4.5、nginx BasicAuth访问认证
1)创建密码文件
[root@k8s-master01 basic-auth]# yum -y install httpd [root@k8s-master01 basic-auth]# htpasswd -c auth foo #文件名auth,用户名foo New password: Re-type new password: Adding password for user foo [root@k8s-master01 basic-auth]# ls auth [root@k8s-master01 basic-auth]# kubectl create secret generic basic-auth --from-file=auth secret/basic-auth created
2)创建ingress文件
[root@k8s-master01 basic-auth]# cat ingress-basicAuth.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-with-auth
annotations:
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
rules:
- host: auth.dianchou.com
http:
paths:
- path: /
backend:
serviceName: svc1
servicePort: 80
[root@k8s-master01 basic-auth]# kubectl apply -f ingress-basicAuth.yaml
ingress.extensions/ingress-with-auth created
[root@k8s-master01 basic-auth]# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
ingress-with-auth auth.dianchou.com 10.111.99.244 80 6s
ingress1 www1.dianchou.com 10.111.99.244 80 42m
ingress2 www2.dianchou.com 10.111.99.244 80 42m
ingress3 www3.dianchou.com 10.111.99.244 80, 443 16m
[root@k8s-master01 basic-auth]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 45h
svc1 ClusterIP 10.109.57.186 <none> 80/TCP 47m
svc2 ClusterIP 10.101.144.196 <none> 80/TCP 46m
svc3 ClusterIP 10.99.196.231 <none> 80/TCP 17m
[root@k8s-master01 basic-auth]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.111.99.244 <none> 80:31055/TCP,443:32472/TCP 107m
#hosts解析。浏览器测试
4.6、nginx重写
实验模拟:
[root@k8s-master01 rewrite]# cat ingress-rewrite.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-rewrite
annotations:
nginx.ingress.kubernetes.io/rewrite-target: https://www3.dianchou.com:32472/
spec:
rules:
- host: re.dianchou.com
http:
paths:
- path: /
backend:
serviceName: svc1
servicePort: 80
[root@k8s-master01 rewrite]# kubectl create -f ingress-rewrite.yaml
ingress.extensions/ingress-rewrite created
[root@k8s-master01 rewrite]# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
ingress-rewrite re.dianchou.com 10.111.99.244 80 5s
ingress-with-auth auth.dianchou.com 10.111.99.244 80 26m
ingress1 www1.dianchou.com 10.111.99.244 80 68m
ingress2 www2.dianchou.com 10.111.99.244 80 68m
ingress3 www3.dianchou.com 10.111.99.244 80, 443 42m
#hosts解析,浏览器访问测试
http://re.dianchou.com:31055 ==> https://www3.dianchou.com:32472/