Kubernetes Ingress Controller: Nginx


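Concepts

An Ingress acts as a layer-7 load balancer. It is Kubernetes' abstraction of a reverse proxy and works much like Nginx: **you define a set of mapping rules in the Ingress, and the Ingress Controller watches those rules, converts them into Nginx reverse-proxy configuration, and serves traffic to the outside**.

Two core concepts:

  • Ingress: an object in Kubernetes that defines the rules for forwarding requests to Services
  • Ingress Controller: the program that actually implements the reverse proxy and load balancing. It parses the rules defined by Ingress objects and forwards requests according to them. There are many implementations, such as Nginx, Contour, and HAProxy

How it works

  1. The user writes Ingress rules stating which domain name maps to which Service in the Kubernetes cluster
  2. The Ingress controller detects changes to the Ingress rules dynamically and generates the corresponding Nginx reverse-proxy configuration
  3. The Ingress controller writes the generated Nginx configuration into a running Nginx instance and updates it dynamically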

View help

kubectl explain IngressClass

Enable Ingress in minikube

minikube addons enable ingress

Output:

$ minikube addons enable ingress
    ▪ Using image registry.cn-hangzhou.aliyuncs.com/google_containers/kube-webhook-certgen:v1.1.1
    ▪ Using image registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:v1.1.0
    ▪ Using image registry.cn-hangzhou.aliyuncs.com/google_containers/kube-webhook-certgen:v1.1.1
🔎  Verifying ingress addon...
🌟  The 'ingress' addon is enabled

Test containers

tomcat-nginx.yml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: dev
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx-pod
  template:
    metadata:
      labels:
        app: nginx-pod
    spec:
      containers:
      - name: nginx
        image: nginx:1.17.1
        ports:
        - containerPort: 80

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deployment
  namespace: dev
spec:
  replicas: 3
  selector:
    matchLabels:
      app: tomcat-pod
  template:
    metadata:
      labels:
        app: tomcat-pod
    spec:
      containers:
      - name: tomcat
        image: tomcat:8.5-jre10-slim
        ports:
        - containerPort: 8080

---

apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  namespace: dev
spec:
  selector:
    app: nginx-pod
  clusterIP: None
  type: ClusterIP
  ports:
  - port: 80
    targetPort: 80

---

apiVersion: v1
kind: Service
metadata:
  name: tomcat-service
  namespace: dev
spec:
  selector:
    app: tomcat-pod
  clusterIP: None
  type: ClusterIP
  ports:
  - port: 8080
    targetPort: 8080

Create the resources

kubectl create -f tomcat-nginx.yml

Output:

$ kubectl create -f tomcat-nginx.yml
deployment.apps/nginx-deployment created
deployment.apps/tomcat-deployment created
service/nginx-service created
service/tomcat-service created

View the Services

kubectl get svc -n dev

Output:

$ kubectl get svc -n dev
NAME             TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)    AGE
nginx-service    ClusterIP   None         <none>        80/TCP     84s
tomcat-service   ClusterIP   None         <none>        8080/TCP   84s

HTTP proxy

ingress-http.yml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-http
  namespace: dev
spec:
  rules:
  - host: nginx.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-service # name configured in the Service
            port:
              number: 80 # port configured in the Service
  - host: tomcat.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: tomcat-service
            port: 
              number: 8080

Create the resource

kubectl create -f ingress-http.yml

Output:

$ kubectl create -f ingress-http.yml
ingress.networking.k8s.io/ingress-http created

View the Ingress

kubectl get ing -n dev

Output:

$ kubectl get ing -n dev
NAME           CLASS   HOSTS                                  ADDRESS   PORTS   AGE
ingress-http   nginx   nginx.example.com,tomcat.example.com             80      29s

View the Services

The namespace is ingress-nginx (note: not dev).

kubectl get svc -n ingress-nginx

Output:

$ kubectl get svc -n ingress-nginx
NAME                                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx-controller             NodePort    10.98.74.163     <none>        80:30148/TCP,443:32532/TCP   4h17m
ingress-nginx-controller-admission   ClusterIP   10.106.203.126   <none>        443/TCP                      4h17m

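Access the sites

These are test domain names, so mappings for them must be added to the hosts file. 30148 is the HTTP port mapped by the Service in the ingress-nginx namespace.

Access the Nginx container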

curl nginx.example.com:30148

Access the Tomcat container

curl tomcat.example.com:30148

View the detailed description

kubectl describe ing ingress-http -n dev

Output:

$ kubectl describe ing ingress-http -n dev
Name:             ingress-http
Labels:           <none>
Namespace:        dev
Address:          localhost
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host                Path  Backends
  ----                ----  --------
  nginx.example.com
                      /   nginx-service:80 (172.17.0.4:80,172.17.0.5:80,172.17.0.8:80)
  tomcat.example.com
                      /   tomcat-service:8080 (172.17.0.6:8080,172.17.0.7:8080,172.17.0.9:8080)
Annotations:          <none>
Events:
  Type    Reason  Age                    From                      Message
  ----    ------  ----                   ----                      -------
  Normal  Sync    2m37s (x2 over 3m31s)  nginx-ingress-controller  Scheduled for sync

HTTPS proxy

Create the certificate

This generates two files, tls.crt and tls.key, in the current directory.

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/C=CN/ST=BJ/L=BJ/O=nginx/CN=example.com"

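Create the secret

The Secret must be in the same namespace as the Ingress that references it (dev here), so it has to be created again if that namespace is deleted.

kubectl create secret tls tls-secret --key tls.key --cert tls.crt -n dev

Output:

$ kubectl create secret tls tls-secret --key tls.key --cert tls.crt -n dev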
secret/tls-secret created

Example yml

ingress-https.yml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-https
  namespace: dev
spec:
  tls:
    - hosts:
      - nginx.example.com # must match the hosts used under rules
      - tomcat.example.com
      secretName: tls-secret # the TLS Secret to use
  rules:
  - host: nginx.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-service # name configured in the Service
            port:
              number: 80 # port configured in the Service
  - host: tomcat.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: tomcat-service
            port: 
              number: 8080

Create the resource

kubectl create -f ingress-https.yml

Output:

$ kubectl create -f ingress-https.yml
ingress.networking.k8s.io/ingress-https created

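If the following error is reported, delete the dev namespace first and then create the resource again. (The cause is that the host configuration was already used in the HTTP proxy demo.)

Note: if the dev namespace is deleted, the Services are deleted as well, and the tomcat-nginx containers need to be created again.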

Error from server (BadRequest): error when creating "ingress-https.yml": admission webhook "validate.nginx.ingress.kubernetes.io" denied the request: host "nginx.example.com" and path "/" is already defined in ingress dev/ingress-http
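
The rejection above can be anticipated before running kubectl create. The following is an added example, not part of the original post and not the controller's own code: it approximates the webhook's check as an exact host and path match across all namespaces, over Ingress objects in the shape returned by kubectl get ing -A -o json. The function names and the sample objects are constructed for illustration.

```python
# Added example (not from the original post): pre-flight check for the
# "host ... and path ... is already defined" rejection shown above.
# Ingress dicts use the shape of `kubectl get ing -o json` items.

def rule_keys(ingress):
    """Yield every (host, path) pair an Ingress claims."""
    for rule in ingress.get("spec", {}).get("rules", []):
        host = rule.get("host", "*")  # a rule without host applies to all hosts
        for entry in rule.get("http", {}).get("paths", []):
            yield host, entry.get("path", "/")

def owner(ingress):
    """Return the namespace/name identifier of an Ingress."""
    meta = ingress["metadata"]
    return f'{meta.get("namespace", "default")}/{meta["name"]}'

def find_collisions(existing, candidate):
    """Return (host, path, owning_ingress) for pairs already claimed elsewhere."""
    taken = {}
    for ing in existing:
        if owner(ing) == owner(candidate):
            continue  # re-applying the same object is not a conflict
        for key in rule_keys(ing):
            taken.setdefault(key, owner(ing))
    return [(h, p, taken[(h, p)]) for h, p in rule_keys(candidate) if (h, p) in taken]

def make_ingress(name, hosts_to_backend, namespace="dev"):
    """Build a minimal Ingress dict (constructed sample data)."""
    rules = [{"host": h, "http": {"paths": [{"path": "/", "pathType": "Prefix",
              "backend": {"service": {"name": svc, "port": {"number": port}}}}]}}
             for h, (svc, port) in hosts_to_backend.items()]
    return {"metadata": {"name": name, "namespace": namespace}, "spec": {"rules": rules}}

# Constructed samples mirroring ingress-http.yml and ingress-https.yml.
BACKENDS = {"nginx.example.com": ("nginx-service", 80),
            "tomcat.example.com": ("tomcat-service", 8080)}
INGRESS_HTTP = make_ingress("ingress-http", BACKENDS)
INGRESS_HTTPS = make_ingress("ingress-https", BACKENDS)

if __name__ == "__main__":
    for host, path, who in find_collisions([INGRESS_HTTP], INGRESS_HTTPS):
        print(f'host "{host}" and path "{path}" is already defined in ingress {who}')
```

The result names the Ingress that already owns each host and path, which identifies the object in conflict.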

View the Ingress

kubectl get ing -n dev

Output:

$ kubectl get ing -n dev
NAME            CLASS   HOSTS                                  ADDRESS     PORTS     AGE
ingress-https   nginx   nginx.example.com,tomcat.example.com   localhost   80, 443   4m

View the Services

The namespace is ingress-nginx (note: not dev).

kubectl get svc -n ingress-nginx

Output:

$ kubectl get svc -n ingress-nginx
NAME                                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx-controller             NodePort    10.98.74.163     <none>        80:30148/TCP,443:32532/TCP   4h47m
ingress-nginx-controller-admission   ClusterIP   10.106.203.126   <none>        443/TCP                      4h47m

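Access the sites

These are test domain names, so mappings for them must be added to the hosts file. 32532 is the HTTPS port mapped by the Service in the ingress-nginx namespace.

The -k option tells curl to skip SSL certificate verification, which is needed here because the certificate is self-signed.

Access the Nginx container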

curl -k https://nginx.example.com:32532

Access the Tomcat container

curl -k https://tomcat.example.com:32532

View the detailed description

kubectl describe ing ingress-https -n dev

Output: (now includes TLS information)

$ kubectl describe ing ingress-https -n dev
Name:             ingress-https
Labels:           <none>
Namespace:        dev
Address:          localhost
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
  tls-secret terminates nginx.itheima.com,tomcat.itheima.com
Rules:
  Host                Path  Backends
  ----                ----  --------
  nginx.example.com
                      /   nginx-service:80 (<error: endpoints "nginx-service" not found>)
  tomcat.example.com
                      /   tomcat-service:8080 (<error: endpoints "tomcat-service" not found>)
Annotations:          <none>
Events:
  Type    Reason  Age                    From                      Message
  ----    ------  ----                   ----                      -------
  Normal  Sync    4m25s (x2 over 4m42s)  nginx-ingress-controller  Scheduled for sync
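
Because curl -k skips verification, the requests above cannot show whether the certificate in tls-secret actually covers the host being requested. The audit below is an added example, not part of the original post: it flags a Secret missing from the Ingress's namespace, a rule host absent from spec.tls, and a certificate that does not name the host. The function names, the input shapes, and the sample data are constructed for illustration.

```python
# Added example (not from the original post): audit an Ingress TLS setup.
# Inputs use the `kubectl get ... -o json` shape; sample data is constructed.

def host_matches(pattern, host):
    """Exact match, or a '*.' wildcard that covers exactly one leading label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def audit_tls(ingress, secrets, cert_names):
    """secrets: set of (namespace, name); cert_names: secret name -> DNS names
    in its certificate (SANs, or the CN when no SAN is present)."""
    ns = ingress["metadata"].get("namespace", "default")
    tls = ingress["spec"].get("tls", [])
    findings = []
    for entry in tls:
        if (ns, entry.get("secretName")) not in secrets:
            findings.append(f"secret {entry.get('secretName')} not found in namespace {ns}")
    for rule in ingress["spec"].get("rules", []):
        host = rule.get("host", "")
        covering = [e for e in tls
                    if any(host_matches(h, host) for h in e.get("hosts", []))]
        if not covering:
            findings.append(f"host {host} is not listed under spec.tls")
        for e in covering:
            names = cert_names.get(e.get("secretName"), [])
            if not any(host_matches(n, host) for n in names):
                findings.append(f"certificate in {e.get('secretName')} does not name {host}")
    return findings

def sample_ingress(tls_hosts, rule_hosts, namespace="dev"):
    """Minimal Ingress dict with one tls entry (constructed sample)."""
    return {"metadata": {"name": "ingress-https", "namespace": namespace},
            "spec": {"tls": [{"hosts": tls_hosts, "secretName": "tls-secret"}],
                     "rules": [{"host": h} for h in rule_hosts]}}

RULE_HOSTS = ["nginx.example.com", "tomcat.example.com"]
# Weak: Secret sits in "default", tls lists one host, cert only names the apex.
WEAK = audit_tls(sample_ingress(["nginx.example.com"], RULE_HOSTS),
                 {("default", "tls-secret")}, {"tls-secret": ["example.com"]})
# Corrected: Secret in "dev", every rule host listed, wildcard certificate.
FIXED = audit_tls(sample_ingress(RULE_HOSTS, RULE_HOSTS),
                  {("dev", "tls-secret")}, {"tls-secret": ["*.example.com"]})

if __name__ == "__main__":
    print("\n".join(WEAK) or "no findings")
    print("\n".join(FIXED) or "no findings")
```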

Open-source repository

https://github.com/kubernetes/ingress-nginx

Views: 2,125 · Posted: 2022-03-17
