Ingress
Ingress为Kubernetes集群中的服务提供了入口,可以提供负载均衡、SSL终止和基于名称的虚拟主机,在生产环境中常用的Ingress有Treafik、Nginx、HAProxy、Istio等。
基本Ingress
在Kubernetesv 1.1版中添加的Ingress用于从集群外部到集群内部Service的HTTP和HTTPS路由,流量从Internet到Ingress再到Services最后到Pod上,通常情况下,Ingress部署在所有的Node节点上。
Ingress可以配置提供服务外部访问的URL、负载均衡、终止SSL,并提供基于域名的虚拟主机。但Ingress不会暴露任意端口或协议。
创建Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: simple-fanout-example
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- host: foo.bar.com
http:
paths:
- path: /foo
backend:
serviceName: service1
servicePort: 4200
- path: /bar
backend:
serviceName: service2
servicePort: 8080Copy to clipboardErrorCopied
上述host定义该Ingress的域名,将其解析至任意Node上即可访问。
- 如果访问的是foo.bar.com/foo,则被转发到service1的4200端口。
- 如果访问的是foo.bar.com/bar,则被转发到service2的8080端口。
Ingress Rules
- host:可选,一般都会配置对应的域名。
- path:每个路径都有一个对应的serviceName和servicePort,在流量到达服务之前,主机和路径都会与传入请求的内容匹配。
- backend:描述Service和Port的组合。对Ingress匹配主机和路径的HTTP与HTTPS请求将被发送到对应的后端。
普通Ingress
kind: Deployment
apiVersion: apps/v1
metadata:
name: ingress-deployment
namespace: default
labels:
app: deployment
spec:
replicas: 3
selector:
matchLabels:
app: pod
template:
metadata:
labels:
app: pod
spec:
containers:
- name: ingress-pod
image: nginx
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
name: http
- containerPort: 443
name: https
---
kind: Service
apiVersion: v1
metadata:
name: ingress-service
namespace: default
labels:
app: svc
spec:
type: ClusterIP
selector:
app: pod
ports:
- port: 80
targetPort: 80
name: http
- port: 443
targetPort: 443
name: https
---
kind: Ingress
apiVersion: extensions/v1
metadata:
name: ingress-ingress
namespace: default
annotations:
kubernetes.io/ingress.class: "nginx"
spec:
rules:
- host: www.test.com
http:
paths:
- path: /
backend:
serviceName: ingress-service
servicePort: 80Copy to clipboardErrorCopied
基于TLS的Ingress
-
创建证书,生产环境的证书为公司购买的证书
[root@instance-gvpb80ao yaml]# openssl genrsa -out tls.key 2048 Generating RSA private key, 2048 bit long modulus .........+++ ......+++ e is 65537 (0x10001) [root@instance-gvpb80ao yaml]# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=ShangHai/L=ShangHai/O=Ingress/CN=www.test.com [root@instance-gvpb80ao yaml]# kubectl -n default create secret tls ingress-tls --cert=tls.crt --key=tls.key secret/ingress-tls created [root@instance-gvpb80ao yaml]# kubectl get secrets NAME TYPE DATA AGE ingress-tls kubernetes.io/tls 2 9sCopy to clipboardErrorCopied
-
定义Ingress
kind: Ingress
apiVersion: extensions/v1
metadata:
name: ingress-ingress
namespace: default
annotations:
kubernetes.io/ingress.class: "nginx"
spec:
tls:
- secretName: tls
rules:
- host: www.test.com
http:
paths:
- path: /
backend:
serviceName: ingress-service
servicePort: 80Copy to clipboardErrorCopied