k8s之ingress

ingress基于域名进行映射,把url(http https)的请求转发到service,再由service把请求转发到每一个pod

ingress只要一个或者少量的公网ip或者LB,可以把多个http请求暴露到外网,七层反向代理

理解为service的service,是一组基于域名和URL路径,把一个或者多个请求转发到service

先是七层代理然后再是四层代理再到pod

ingress >service>nginx

ingress的组成:

ingress是要给api对象,通过yaml文件来进行配置,ingress作用定义规则,定义请求如何转发到service的规则,配置的一个模板

ingress通过http和https暴漏集群内部的service,给service提供一个外部的url,负载均衡,ssl/tls(https),实现一份基于域名的负载均衡

ingress-controller:是具体的实现反向代理和负载均衡的程序,对ingress定义的规则进行解析,根据ingress的配置规则进行请求的转发

ingress-controller:不是k8s自带的组件功能,ingress-controller一个统称。

nginx ingress controller,traefik都是ingress-controller,开源

ingress资源的定义项

1、定义外部流量的路由规则

2、定义服务的暴漏方式,主机名,访问路径和其他的选项

3、负载均衡(ingress-controller)

nginx-ingress-controller运行方式是pod方式运行在集群当中

nginx-ingress-controller

ingress暴漏服务的方式

1、deployment+loadBalancer模式

ingress部署在公有云,会ingress配置文件里面会有一个type,type:LoadBalancer,公有云平台会为个loadbalancer的service创建一个负载均衡器,绑定一个公网地址。

通过域名指向这个公网地址就可以实现集群对外暴漏。

2、方式二:DaemonSet+hostnetwork+nodeSelector

DaemonSet在每个节点都会创建一个pod

hostnetwork:pod会共享节点主机的网络命名空间,容器内直接使用节点主机ip+端口,pod中的容器直接访问主机上网络资源

nodeSelector:根据标签来选择部署的节点,nginx-ingress-controller部署的节点

缺点:直接利用节点主机的网络和端口,一个node只能部署一个ingress-controller pod.比较适合大并发的生产环境。性能最好的。

netstat -lntp | grep nginx

8081端口,nginx-controller默认配置的一个bachend。反向代理端口

所有的请求当中,只要是不符合ingress配置的请求转发到8181,相当于一个error的页面

现在执行这个yaml文件,会生成一个service会生成一个service,在ingress-nginx这个命名空间生成一个service,所有的controlle的请求都会从这个定义的service的nodeport的端口,把请求转发到自定义的service的pod

过程

复制代码
wget https://gitee.com/mirrors/ingress-nginx/raw/nginx-0.30.0/deploy/static/mandatory.yaml

vim mandatory.yaml


apiVersion: apps/v1
#kind: Deployment
kind: DaemonSet
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
    spec:
      # wait up to five minutes for the drain of connections
      hostNetwork: true
      terminationGracePeriodSeconds: 300
      serviceAccountName: nginx-ingress-serviceaccount
      nodeSelector:
        test1: "true"
        #kubernetes.io/os: linux

#在master节点上上传镜像压缩包
cd /opt/ingress
tar zxvf ingree.contro.tar.gz



#所有节点加载镜像包
docker load -i ingree.contro.tar

kubectl apply -f mandatory.yaml


//到 node02 节点查看
netstat -lntp | grep nginx


vim /opt/ingress/nginx-service.yaml

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfs-pvc1
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: nfs-client-storagesclass
  resources:
    requests:
      storage: 2Gi

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-app1
  labels:
    app: nginx2
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx2
  template:
    metadata:
      labels:
        app: nginx2
    spec:
      containers:
        - name: nginx
          image: nginx:1.22
          volumeMounts:
          - name: nfs-pvc2
            mountPath: /usr/share/nginx/html/
      volumes:
      - name: nfs-pvc2
        persistentVolumeClaim:
          claimName: nfs-pvc2

---
apiVersion: v1
kind: Service
metadata:
  name: nginx-app-svc2
spec:
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  selector:
    app: nginx2

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-app-ingress2
spec:
  rules:
  - host: www.test1.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-app-svc2
            port:
              number: 80

kubectl apply -f nginx-service.yaml

3、deployment+NodePort:

nginx+ingress-controller

host--->ingress的配置赵大鹏pod---controller---请求到pod

nodeport----controller---ingress==service---pod

nodeport暴露端口的方式最简单的方法,nodeport多了一层nat地址转换

并发量大的对性能会有一定影响,内部都会用nodeport

复制代码
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfs-pvc3
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: nfs-client-storageclass
  resources:
    requests:
      storage: 2Gi

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-app3
  labels:
    app: nginx3
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx3
  template:
    metadata:
      labels:
        app: nginx3
    spec:
      containers:
        - name: nginx3
          image: nginx:1.22
          volumeMounts:
          - name: nfs-pvc3
            mountPath: /usr/share/nginx/html
      volumes:
      - name: nfs-pvc3
        persistentVolumeClaim:
          claimName: nfs-pvc3

---
apiVersion: v1
kind: Service
metadata:
  name: nginx-app-svc3
spec:
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  selector:
    app: nginx3

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-app-ingress3
spec:
  rules:
  - host: www.test2.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-app-svc3
            port:
              number: 80
kubectl apply -f nodePort.yaml

vim /etc/hosts
20.0.0.92 www.test2.com
~                         

Ingress HTTP 代理访问虚拟主机

复制代码
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment1
spec:
  replicas: 1
  selector:
    matchLabels:
      name: nginx1
  template:
    metadata:
      labels:
        name: nginx1
    spec:
      containers:
        - name: nginx1
          image: nginx:1.14
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: svc-1
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  selector:
    name: nginx1

kubectl apply -f deployment1.yaml

复制代码
vim deployment2.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment2
spec:
  replicas: 1
  selector:
    matchLabels:
      name: nginx2
  template:
    metadata:
      labels:
        name: nginx2
    spec:
      containers:
        - name: nginx2
          image: nginx:1.14
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: svc-2
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  selector:
    name: nginx2
 
 
kubectl apply -f deployment2.yaml
创建ingress资源
复制代码
vim ingress-nginx.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress1
spec:
  rules:
    - host: www.test.com
      http:
        paths:
        - path: /
          pathType: Prefix
          backend:
            service: 
              name: svc-1
              port:
                number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress2
spec:
  rules:
    - host: www.abc.com
      http:
        paths:
        - path: /
          pathType: Prefix
          backend:
            service: 
              name: svc-2
              port:
                number: 80
 
 
kubectl apply -f ingress-nginx.yaml

ingress实现https代理访问

证书密钥创建证书,密钥

创建证书 密钥

secret 保存密钥信息

openssl req -x509 -sha256 -nodes -days 356 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "CN=nginxsvc/O=nginxsvc"

openssl req -x509 -sha256 -nodes -days 356 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "CN=nginxsvc/O=nginxsvc"

req生成证书文件的

x509生成x.509自签名 的证书

-sha256:表示使用sha-256的散列算法

-nodes:表示生成的密钥不加密

-days:365天 证书有效期365天

-newkey rsa:RSA的密钥对,长度2048位

-subj "/CN=nginxsvc/O=nginxsvc":主题,CN common name O: organzation组织

复制代码
kubectl create secret tls tls-secret --key tls.key --cert tls.crt

kubectl describe secrets tls-secret

cd /opt

mkdir https

vim ingress-cs.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-https
  labels:
    app: https
spec:
  replicas: 3
  selector:
    matchLabels:
      app: https
  template:
    metadata:
      labels:
        app: https
    spec:
      containers:
        - name: nginx
          image: nginx:1.22

---
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  selector:
    app: https

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress-https
spec:
  tls:
    - hosts:
      - www.123ccc.com
      secretName: tls-secret
#加密的配置保存在ingress当中,请求先到ingress-controller再根据ingress配置解析再转发到service,在代理进行时就要先验证密钥对,然后再把请求转发到service对应的pod。
  rules:
    - hosts: www.123ccc.com
      http:
        paths:
        - paths: /
          pathType: prefix
          backend:
            service:
              name: nginx-svc
              port:
                number: 80





kubectl get svc -n ingress-nginx

容器对nginx实现账号密码认证

复制代码
mkdir basic-auth

yum -y install http
cd basic-auth
vim ingress-auth.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-auth
  annotations:
#开启认证模块的位置
    nginx.ingress.kubernets.io/auth-type: basic
#设置认证类型basic,这是k8s自带的认证加密模块
    nginx.ingress.kubernets.io/auth-secret: basic-auth
#把认证的加密模块导入到ingress当中
    nginx.ingress.kubernets.io/auth-realm: 'Authentication Required -wqb'
#设置认证窗口的提示信息。
spec:
  rules:
  - host: www.wqb.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-svc
            port:
              number: 80

kubectl apply -f ingress-auth.yaml


vim nginx-rewrite.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-rewrite
  annotation:
    nginx.ingress.kubernetes.io/rewrite-target: https://www.123ccc.com:32336
#访问页面会跳转到指定的页面。
spec:
  rules:
  - host: www.wqb.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-svc
            port:
              number: 80
kubectl apply -f nginx-rewrite.yaml                     

traefik是一个为了让部署微服务更加快捷而诞生的一个http反向代理,负载均衡

traefik设计时就能够实现和k8ss API交互,感知后端service以及pod的变化,可以自动更新配置和重载

pod内的nginx 80 8081

traefik的部署方式

daemonset

特点优点:每个节点都会部署要给traeflk,节点感知,可以自动发现,更新容器的配置,不需要手动重载

缺点:资源占用,大型集群中,aemonset可能会运行多个traefik的实例,尤其时节点上不需要大量容器运行的情况下,没有办法进行扩缩容

主要部署再对外集群:对外的业务会经常容易八年更,daemonset可以更好的,自动的发现服务配置变更

部署对外集群。

deployment:集中控制,可以使用少量的实例来运行处理整个集群的流量

缺点:deployment的负载均衡不会均分到每个节点

手动更新,无法感知容器内部配置变化,主要部署在对内集群

部署对内集群:对内相对稳定,更新和变化也比较少。适合deployment

traffic-tye:internal 对内服务

traffic-type:external 对外服务

nginx-ingress:相对较慢

工作原理都一样,都是七层代理,都可以动态的更新配置,都可以自动发现服务

traefik-ingress:自动更新重载更快,更方便

traefik的并发能力只有nginx-ingress的6成

ingress

nginx-ingress-controller用的时最多的

deployment+loadbalaner这个必须要共有云提供公网的地址

daemonset+hostnetwork+nodeselector:和节点服务器共享网络,一个节点部署一个controller pod. 既然使用宿主机的端口性能最好适合大并发

deployment+NodePort:这是最常见的也是最常用最简单的方法,但是性能不太好,因为多了一层nat地址转发,不太适合大并发

另外就是traefik-controller

deamontset适合对外 可以自动更新容器配置 hsot 用的时节点的网络

deployment适合对内 无法自动更新配置 Nodeport

daomonset演示

复制代码
daemonset的配置更新后的自动发现wget https://gitee.com/mirrors/traefik/raw/v1.7/examples/k8s/traefik-rbac.yaml wget https://gitee.com/mirrors/traefik/raw/v1.7/examples/k8s/traefik-ds.yaml wget https://gitee.com/mirrors/traefik/raw/v1.7/examples/k8s/ui.yaml

需要执行这三个文件

然后自己配置yaml文件

kubectl apply -f traefik-ingress2.yaml

复制代码
接下来做域名映射

vim /etc/hosts

用域名加8080访问页面
相关推荐
众人皆醒我独醉1 小时前
Pod 一直 Terminating,死活删不掉?三个凶手,每一个你都意想不到
面试·kubernetes
飞翔沫沫情2 小时前
K8s Alloy 采集 Pod 控制台日志
云原生·容器·kubernetes
潮起鲸落入海8 小时前
Kubernetes Metric Server, Quota and Limits
容器·kubernetes
摇滚侠9 小时前
云原生 Java 架构师的第一课 K8s+Docker+KubeSphere+DevOps 19-25
java·云原生·kubernetes
咕噜咕噜的猪大侠11 小时前
《K8s 核心知识梳理:Deployment 滚动更新、JobCronJob、DaemonSet 和 Service》
云原生·容器·kubernetes
摇滚侠11 小时前
云原生 Java 架构师的第一课 K8s+Docker+KubeSphere+DevOps 26-40
java·云原生·kubernetes
AOwhisky1 天前
kubernetes(K8s)学习笔记:第十期与第十一期核心知识点自测与详解
运维·笔记·云原生·kubernetes·云计算·k8s·hpa
Waay2 天前
面试口述版:个人对 Prometheus 完整理解
运维·学习·云原生·面试·职场和发展·kubernetes·prometheus
云烟成雨TD2 天前
Kubernetes 系列【4】基础概念
云原生·容器·kubernetes