ingress

Ingress

Ingress为Kubernetes集群中的服务提供了入口，可以提供负载均衡、SSL终止和基于名称的虚拟主机，在生产环境中常用的Ingress有Treafik、Nginx、HAProxy、Istio等。

基本Ingress

在Kubernetesv 1.1版中添加的Ingress用于从集群外部到集群内部Service的HTTP和HTTPS路由，流量从Internet到Ingress再到Services最后到Pod上，通常情况下，Ingress部署在所有的Node节点上。

Ingress可以配置提供服务外部访问的URL、负载均衡、终止SSL，并提供基于域名的虚拟主机。但Ingress不会暴露任意端口或协议。

创建Ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: simple-fanout-example
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - path: /foo
        backend:
          serviceName: service1
          servicePort: 4200
      - path: /bar
        backend:
          serviceName: service2
          servicePort: 8080Copy to clipboardErrorCopied

上述host定义该Ingress的域名，将其解析至任意Node上即可访问。

• 如果访问的是foo.bar.com/foo，则被转发到service1的4200端口。
• 如果访问的是foo.bar.com/bar，则被转发到service2的8080端口。

Ingress Rules

• host：可选，一般都会配置对应的域名。
• path：每个路径都有一个对应的serviceName和servicePort，在流量到达服务之前，主机和路径都会与传入请求的内容匹配。
• backend：描述Service和Port的组合。对Ingress匹配主机和路径的HTTP与HTTPS请求将被发送到对应的后端。

普通Ingress

kind: Deployment
apiVersion: apps/v1
metadata:
  name: ingress-deployment
  namespace: default
  labels:
    app: deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: pod
  template:
    metadata:
      labels:
        app: pod
    spec:
      containers:
        - name: ingress-pod
          image: nginx
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
              name: http

            - containerPort: 443
              name: https
---
kind: Service
apiVersion: v1
metadata:
  name: ingress-service
  namespace: default
  labels:
    app: svc
spec:
  type: ClusterIP
  selector:
    app: pod
  ports:
    - port: 80
      targetPort: 80
      name: http
    - port: 443
      targetPort: 443
      name: https
---
kind: Ingress
apiVersion: extensions/v1
metadata:
  name: ingress-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
    - host: www.test.com
      http:
        paths:
          - path: /
            backend:
              serviceName: ingress-service
              servicePort: 80Copy to clipboardErrorCopied

基于TLS的Ingress

1. 创建证书，生产环境的证书为公司购买的证书

   [root@instance-gvpb80ao yaml]# openssl genrsa -out tls.key 2048
   Generating RSA private key, 2048 bit long modulus
   .........+++
   ......+++
   e is 65537 (0x10001)
   [root@instance-gvpb80ao yaml]# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=ShangHai/L=ShangHai/O=Ingress/CN=www.test.com
   [root@instance-gvpb80ao yaml]# kubectl -n default create secret tls ingress-tls --cert=tls.crt --key=tls.key
   secret/ingress-tls created
   [root@instance-gvpb80ao yaml]# kubectl get secrets
   NAME                  TYPE                                  DATA   AGE
   ingress-tls           kubernetes.io/tls                     2      9sCopy to clipboardErrorCopied
   

2. 定义Ingress

kind: Ingress
apiVersion: extensions/v1
metadata:
  name: ingress-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
    - secretName: tls
  rules:
    - host: www.test.com
      http:
        paths:
          - path: /
            backend:
              serviceName: ingress-service
              servicePort: 80Copy to clipboardErrorCopied