kubernetes之Ingress介绍
Ingress
组成
ingress controller将新加入的Ingress转化成Nginx的配置文件并使之生效
ingress服务将Nginx的配置抽象成一个Ingress对象,每添加一个新的服务只需写一个新的Ingress的yaml文件即可
工作原理
1.ingress controller通过和kubernetes api交互,动态的去感知集群中ingress规则变化,
2.然后读取它,按照自定义的规则,规则就是写明了哪个域名对应哪个service,生成一段nginx配置,
3.再写到nginx-ingress-control的pod里,这个Ingress controller的pod里运行着一个Nginx服务,控制器会把生成的nginx配置
写入/etc/nginx.conf文件中,
4.然后reload一下使配置生效。以此达到域名分配置和动态更新的问题。
访问原理
Ingress-nginx与Service之间通过匹配serviceName绑定,Service相当于给外界提供访问pod的端口,如果不采用ingress-nginx,
那么是由kube-proxy实现4层代理,只能通过ip访问,所以由NodePort的类型将端口暴露。如果采用ingress-nginx相当于在Service
前面加了一层代理,访问会先经过ingress-nginx,这样Service的类型就不需要变更为NodePort
测试部署
ingress-nginx.yaml
apiVersion: v1
kind: Namespace
metadata:name: ingress-nginxlabels:app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginx---kind: ConfigMap
apiVersion: v1
metadata:name: nginx-configurationnamespace: ingress-nginxlabels:app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginx
data:proxy-body-size: 100M---
kind: ConfigMap
apiVersion: v1
metadata:name: tcp-servicesnamespace: ingress-nginxlabels:app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginx---
kind: ConfigMap
apiVersion: v1
metadata:name: udp-servicesnamespace: ingress-nginxlabels:app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginx---
apiVersion: v1
kind: ServiceAccount
metadata:name: nginx-ingress-serviceaccountnamespace: ingress-nginxlabels:app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginx---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:name: nginx-ingress-clusterrolelabels:app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginx
rules:- apiGroups:- ""resources:- configmaps- endpoints- nodes- pods- secretsverbs:- list- watch- apiGroups:- ""resources:- nodesverbs:- get- apiGroups:- ""resources:- servicesverbs:- get- list- watch- apiGroups:- ""resources:- eventsverbs:- create- patch- apiGroups:- "extensions"- "networking.k8s.io"resources:- ingressesverbs:- get- list- watch- apiGroups:- "extensions"- "networking.k8s.io"resources:- ingresses/statusverbs:- update---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:name: nginx-ingress-rolenamespace: ingress-nginxlabels:app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginx
rules:- apiGroups:- ""resources:- configmaps- pods- secrets- namespacesverbs:- get- apiGroups:- ""resources:- configmapsresourceNames:# Defaults to "<election-id>-<ingress-class>"# Here: "<ingress-controller-leader>-<nginx>"# This has to be adapted if you change either parameter# when launching the nginx-ingress-controller.- "ingress-controller-leader-nginx"verbs:- get- update- apiGroups:- ""resources:- configmapsverbs:- create- apiGroups:- ""resources:- endpointsverbs:- get---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:name: nginx-ingress-role-nisa-bindingnamespace: ingress-nginxlabels:app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginx
roleRef:apiGroup: rbac.authorization.k8s.iokind: Rolename: nginx-ingress-role
subjects:- kind: ServiceAccountname: nginx-ingress-serviceaccountnamespace: ingress-nginx---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:name: nginx-ingress-clusterrole-nisa-bindinglabels:app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginx
roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: nginx-ingress-clusterrole
subjects:- kind: ServiceAccountname: nginx-ingress-serviceaccountnamespace: ingress-nginx---apiVersion: apps/v1
#kind: Deployment
kind: DaemonSet
metadata:name: nginx-ingress-controllernamespace: ingress-nginxlabels:app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginx
spec:# replicas: 1selector:matchLabels:app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxtemplate:metadata:labels:app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxannotations:prometheus.io/port: "10254"prometheus.io/scrape: "true"spec:serviceAccountName: nginx-ingress-serviceaccountcontainers:- name: nginx-ingress-controllerimage: registry:5000/library/k8s/nginx-ingress-controller:0.25.0_xargs:- /nginx-ingress-controller- --configmap=$(POD_NAMESPACE)/nginx-configuration- --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services- --udp-services-configmap=$(POD_NAMESPACE)/udp-services- --publish-service=$(POD_NAMESPACE)/ingress-nginx- --annotations-prefix=nginx.ingress.kubernetes.iosecurityContext:allowPrivilegeEscalation: truecapabilities:drop:- ALLadd:- NET_BIND_SERVICE# www-data -> 33runAsUser: 33env:- name: POD_NAMEvalueFrom:fieldRef:fieldPath: metadata.name- name: POD_NAMESPACEvalueFrom:fieldRef:fieldPath: metadata.namespaceports:- name: httpcontainerPort: 80hostPort: 80protocol: TCP- name: httpscontainerPort: 443hostPort: 443protocol: TCPlivenessProbe:failureThreshold: 3httpGet:path: /healthzport: 10254scheme: HTTPinitialDelaySeconds: 10periodSeconds: 10successThreshold: 1timeoutSeconds: 10readinessProbe:failureThreshold: 3httpGet:path: /healthzport: 10254scheme: HTTPperiodSeconds: 10successThreshold: 1timeoutSeconds: 10---
ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:name: ingress
spec:rules:- host: www.aaa.comhttp:paths:- backend:serviceName: myappservicePort: 80path: /
#serviceName对应service服务名
$ kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 241.254.0.1 <none> 443/TCP 40m
myapp ClusterIP 241.254.50.93 <none> 80/TCP 37m
$ kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress <none> www.aaa.com 80 25m#做宿主机host文件
$ cat /etc/hosts
192.168.234.134 www.aaa.com
$ curl www.aaa.com/hostname.html
myapp-deploy-6d4bc5cc76-g7tqw
$ curl www.aaa.com/hostname.html
myapp-deploy-6d4bc5cc76-jg4xf
https部署测试
#自签发证书,可以使用下面的语句,也可以阅读自制https的博客
$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/O=aaa/CN=*.aaa.com"$ ll
总用量 8
-rw-r--r-- 1 root root 1131 9月 19 16:30 tls.crt
-rw-r--r-- 1 root root 1704 9月 19 16:30 tls.key#导入证书文件到k8s secret(注意这边的nginx-test要和下面ingress.yaml文件中tls相对应)
$ kubectl create -n 名称空间(ingress.yaml所在名称空间,如果是default,可忽略) secret tls nginx-test --cert=tls.crt --key=tls.key
$ kubectl get secret
NAME TYPE DATA AGE
nginx-test kubernetes.io/tls 2 53m#创建https的ingrss.yaml文件
$ cat ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:name: ingressannotations:nginx.ingress.kubernetes.io/ssl-redirect: "false" #是否开启强制跳转,true/false,默认开启
spec:tls:- hosts:- www.aaa.comsecretName: nginx-test#多域名配置#- hosts:# - www.bbb.com# secretName: nginx-bbbrules:- host: www.aaa.comhttp:paths:- backend:serviceName: myappservicePort: 80path: /#- host: www.bbb.com# http:# paths:# - backend:# serviceName: myapp3# servicePort: 80# path: /
Ingress相关配置
通用配置
| 名称 | 描述 | 值 |
|---|---|---|
| nginx.ingress.kubernetes.io/enable-access-log | 对当前虚拟主机设置是否启用访问日志,默认为真 | true 或 false |
| nginx.ingress.kubernetes.io/server-alias | 为 Nginx 添加更多的主机名,同 Nginx 配置指令 server name | string |
| nginx.ingress.kubernetes.io/app-root | 将当前虚拟主机根目录的访问 302 跳转到当前指定的路径 | string |
| nginx.ingress.kubernetes.io/client-body-buffer-size | 同 Nginx 配置指令 client_body_buffer_size | string |
| nginx.ingress.kubernetes.io/use-regex | 指示在 Ingress 上定义的路径是否使用正则表达式 默认值为 false | true 或 false |
| nginx.ingress.kubernetes.io/custom-http-errors | 根据响应码状态定义为错误状态并跳转到设置的默认后端 | []int |
| nginx.ingress.kubernetes.io/default-backend | 自定义默认后端的资源对象 Service 名称,当客户端的请求没有匹配的 Nginx 规则或响应错误时,将被转发到默认后端 | string |
| nginx.ingress.kubernetes.io/whitelist-source-range | 功能同 ConfigMap 配置键 whitelist-source-range | CIDR |
| nginx.ingress.kubernetes.io/permanent-redirect | 设置永久重定向的目标地址 | string |
| nginx.ingress.kubernetes.io/permanent-redirect-code | 自定义永久重定向的响应码,默认为 301 | number |
| nginx.ingress.kubernetes.io/temporal-redirect | 设置临时重定向的目标地址 | string |
| nginx.ingress.kubernetes.io/from-to-www-redirect | 设置是否将当前虚拟主机子域名为 www 的请求跳转到当前主机域名 | true 或 false |
| nginx.ingress.kubernetes.io/rewrite-target | 同 Nginx 配置指令 rewrite | URI |
| nginx.ingress.kubernetes.io/enable-rewrite-log | 同 Nginx 配置指令 rewrite log,默认为 false | true 或 false |
| nginx.ingress.kubernetes.io/mirror-uri | 同 Nginx 配置指令 mirro | true 或 false |
| nginx.ingress.kubernetes.io/mirror-request-body | 同 Nginx 配置指令 mirror_request_body,默认为 true | true 或 false |
访问控制
| 名称 | 描述 | 值 |
|---|---|---|
| nginx.ingress.kubernetes.io/limit-rate | 访问流量速度限制,同 Nginx 配置指令 limit_rate | number |
| nginx.ingress.kubernetes.io/limit-rate-after | 启用访问流量速度限制的最大值,同 Nginx 配置指令 limit_rate_after | number |
| nginx.ingress.kubernetes.io/limit-connections | 节并发连接数限制,同 Nginx 配置指令 limit_conn | number |
| nginx.ingress.kubernetes.io/limit-rps | 每秒请求频率限制,burst 参数为给定值的 5 倍,响应状态码由 ConfigMap 的 limit-req-status-code 设定 | number |
| nginx.ingress.kubernetes.io/limit-rpm | 每分钟请求频率限制,burst 参数为给定值的 5 倍,响应状态码由 ConfigMap 的 limit-req-status-code 设定 | number |
| nginx.ingress.kubernetes.io/limit-whitelist | 对以上限制设置基于 IP 的白名单 | CIDR |
认证管理
Nginx Ingress 提供了基本认证、摘要认证和外部认证 3 种方式,为被代理服务器提供认证支持。认证管理配置说明如下表所示
| 名称 | 描述 | 值 |
|---|---|---|
| nginx.ingress.kubernetes.io/enable-global-auth | 如果 ConfigMap 的 global-auth-url 被设置,Nginx 会将所有的请求重定向到提供身份验证的 URL,默认为 true | true 或 false |
| nginx.ingress.kubernetes.io/satisfy | 同 Nginx 配置指令 satisfy | string |
| nginx.ingress.kubernetes.io/auth-type | 设置 HTTP 认证类型,支持基本和摘要两种类型 | basic 或 digest |
| nginx.ingress.kubernetes.io/auth-secret | 指定关联资源对象 secret 的名称 | string |
| nginx.ingress.kubernetes.io/auth-realm | 设置基本认证的提示信息 auth_basic | string |
| nginx.ingress.kubernetes.io/auth-url | 设置提供外部身份认证的 URL,由 Nginx 配置指令 auth_request 提供该功能 | string |
| nginx.ingress.kubernetes.io/auth-signin | 设置当外部认证返回 401 时跳转的 URL,通常为提示输入用户名和密码的 URL | string |
| nginx.ingress.kubernetes.io/auth-method | 指定访问外部认证 URL 的 HTTP 方法,由 Nginx 配置指令 proxy_method 提供该功能 | string |
| nginx.ingress.kubernetes.io/auth-request-redirect | 设置发送给认证服务器请求头中 X-Auth-Request-Redirect 的值 | string |
| nginx.ingress.kubernetes.io/auth-cache-key | 启用认证缓存,并设置认证缓存的关键字 | string |
| nginx.ingress.kubernetes.io/auth-cache-duration | 基于响应码设置认证缓存的有效时间 | string |
| nginx.ingress.kubernetes.io/auth-response-headers | 设置认证请求完成后传递到真实后端的头信息 | string |
| nginx.ingress.kubernetes.io/auth-snippet | 可以自定义在外部认证指令区域添加 Nginx 配置指令 | string |
跨域访问
| 名称 | 描述 | 值 |
|---|---|---|
| nginx.ingress.kubernetes.io/enable-cors | 是否启用跨域访问支持,默认为 false | true 或 false |
| nginx.ingress.kubernetes.io/cors-allow-origin | 允许跨域访问的域名,默认为 *,表示接受任意域名的访问 | string |
| nginx.ingress.kubernetes.io/cors-allow-methods | 允许跨域访问方法,默认为 GET、PUT、POST、DELETE、PATCH、OPTIONS | string |
| nginx.ingress.kubernetes.io/cors-allow-headers | 允许跨域访问的请求头,默认为 DNT,X-CustomHeader、Keep-Alive、User-Agent、X-Requested-With、If-Modified-Since、Cache-Control、Content-Type、Authorization | string |
| nginx.ingress.kubernetes.io/cors-allow-credentials | 设置在响应头中 Access-Control-Allow-Credentials 的值,设置是否允许客户端携带验证信息,如 cookie 等,默认为 true | true 或 false |
| nginx.ingress.kubernetes.io/cors-max-age | 设置响应头中 Access-Control-Max-Age 的值,设置返回结果可以用于缓存的最长时间,默认为 1728000 秒 | number |
HTTPS配置
| 名称 | 描述 | 值 |
|---|---|---|
| nginx.ingress.kubernetes.io/force-ssl-redirect | 当客户端的 HTTPS 被外部集群进行 SSL 卸载(SSL offloading)时,仍将 HTTP 的请求强制跳转到 HTTPS 端口 | true 或 false |
| nginx.ingress.kubernetes.io/ssl-redirect | 设置当前虚拟主机支持 HTTPS 请求时,是否将 HTTP 的请求强制跳转到 HTTPS 端口,全局默认为 true | true 或 false |
| nginx.ingress.kubernetes.io/ssl-passthrough | 设置是否启用 SSL 透传 | true 或 false |
| nginx.ingress.kubernetes.io/auth-tls-secret | 设置客户端证书的资源对象名称 | string |
| nginx.ingress.kubernetes.io/ssl-ciphers | 设置 TLS 用于协商使用的加密算法组合,同 Nginx 配置指令 ssl_ciphers | string |
| nginx.ingress.kubernetes.io/auth-tls-verify-client | 是否启用客户端证书验证,同 Nginx 配置指令 ssl_verify_client | string |
| nginx.ingress.kubernetes.io/auth-tls-verify-depth | 客户端证书链的验证深度同 Nginx 配置指令 ssl_verify_depth | number |
| nginx.ingress.kubernetes.io/auth-tls-error-page | 设置客户端证书验证错误时的跳转页面 | string |
| nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream | 指定证书是否传递到上游服务器 | true 或 false |
| nginx.ingress.kubernetes.io/secure-verify-ca-secret | 设置是否启用对被代理服务器的 SSL 证书验证功能 | string |