[Cloud Native Series: Kubernetes] Using Ingress

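Drawbacks of Service:

  • No support for advanced traffic management over HTTP/HTTPS, such as URL-based routing, timeouts, retries, or traffic-based canary releases
  • Hard to manage the traffic of multiple Services in one place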

1.1 The Ingress concept

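  • Ingress is a Kubernetes object that defines the rules for forwarding requests to Services
  • An ingress controller is the program that implements reverse proxying and load balancing: it parses the rules defined in Ingress objects and forwards requests according to them. There are several implementations, such as nginx and haproxy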

1.2 How Ingress works

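  • Write Ingress rules stating which Service in the Kubernetes cluster each request domain maps to
  • The Ingress controller watches for changes to the Ingress rules and generates the corresponding nginx reverse-proxy configuration
  • The Ingress controller writes the generated nginx configuration into a running nginx service and updates it dynamically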

1.3 Preparing the Ingress lab environment

1.3.1 Deploying the Ingress controller

root@k8s-master1:/app/yaml/ingress# cat ingress-control.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx

---
# Source: ingress-nginx/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
automountServiceAccountToken: true
---
# Source: ingress-nginx/templates/controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
---
# Source: ingress-nginx/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
---
# Source: ingress-nginx/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ''
    resources:
      - configmaps
      - pods
      - secrets
      - endpoints
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - configmaps
    resourceNames:
      - ingress-controller-leader
    verbs:
      - get
      - update
  - apiGroups:
      - ''
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
---
# Source: ingress-nginx/templates/controller-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-service-webhook.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
spec:
  type: ClusterIP
  ports:
    - name: https-webhook
      port: 443
      targetPort: webhook
      appProtocol: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-deployment.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/component: controller
  revisionHistoryLimit: 10
  minReadySeconds: 0
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
    spec:
      hostNetwork: true
      dnsPolicy: ClusterFirst
      containers:
        - name: controller
          image: registry.cn-beijing.aliyuncs.com/kole_chang/controller:v1.0.0
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          args:
            - /nginx-ingress-controller
            - --election-id=ingress-controller-leader
            - --controller-class=k8s.io/ingress-nginx
            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
            - --watch-ingress-without-class=true
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            runAsUser: 101
            allowPrivilegeEscalation: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
            - name: webhook
              containerPort: 8443
              protocol: TCP
          volumeMounts:
            - name: webhook-cert
              mountPath: /usr/local/certificates/
              readOnly: true
          resources:
            requests:
              cpu: 100m
              memory: 90Mi
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission
---
# Source: ingress-nginx/templates/controller-ingressclass.yaml
# We don't support namespaced ingressClass yet
# So a ClusterRole and a ClusterRoleBinding is required
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: nginx
  namespace: ingress-nginx
spec:
  controller: k8s.io/ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
# before changing this value, check the required kubernetes version
# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  name: ingress-nginx-admission
webhooks:
  - name: validate.nginx.ingress.kubernetes.io
    matchPolicy: Equivalent
    rules:
      - apiGroups:
          - networking.k8s.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions:
      - v1
    clientConfig:
      service:
        namespace: ingress-nginx
        name: ingress-nginx-controller-admission
        path: /networking/v1/ingresses
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
rules:
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - get
      - update
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
rules:
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - get
      - create
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
spec:
  template:
    metadata:
      name: ingress-nginx-admission-create
      labels:
        helm.sh/chart: ingress-nginx-4.0.1
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/version: 1.0.0
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: create
          image: registry.cn-beijing.aliyuncs.com/kole_chang/kube-webhook-certgen:v1.0
          imagePullPolicy: IfNotPresent
          args:
            - create
            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
            - --namespace=$(POD_NAMESPACE)
            - --secret-name=ingress-nginx-admission
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
spec:
  template:
    metadata:
      name: ingress-nginx-admission-patch
      labels:
        helm.sh/chart: ingress-nginx-4.0.1
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/version: 1.0.0
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: patch
          image: registry.cn-beijing.aliyuncs.com/kole_chang/kube-webhook-certgen:v1.0
          imagePullPolicy: IfNotPresent
          args:
            - patch
            - --webhook-name=ingress-nginx-admission
            - --namespace=$(POD_NAMESPACE)
            - --patch-mutating=false
            - --secret-name=ingress-nginx-admission
            - --patch-failure-policy=Fail
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
        
        
        
# Verify
 root@k8s-master1:/app/yaml/ingress# kubectl get pod -n ingress-nginx
NAME                                      READY   STATUS      RESTARTS       AGE
ingress-nginx-admission-create--1-9p52c   0/1     Completed   0              26h
ingress-nginx-admission-patch--1-mhbl8    0/1     Completed   1              26h
ingress-nginx-controller-74ngs            1/1     Running     1 (19h ago)    26h
ingress-nginx-controller-dcql8            1/1     Running     1 (4h7m ago)   26h
ingress-nginx-controller-nd555            1/1     Running     2 (19h ago)    26h
ingress-nginx-controller-wtb4f            1/1     Running     1 (19h ago)    26h
ingress-nginx-controller-x7c9l            1/1     Running     1 (19h ago)    26h

1.3.2 Deploying the tomcat services

root@k8s-master1:/app/yaml/ingress# cat tomcat-app1.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: webwork-tomcat-app1-deploy-label
  name: webwork-tomcat-app1-deploy
  namespace: webwork
spec:
  replicas: 1
  selector:
    matchLabels:
      app: webwork-tomcat-app1
  template:
    metadata:
      labels:
        app: webwork-tomcat-app1
    spec:
      containers:
      - name: webwork-tomcat-app1-container
        image: harbor.qiange.com/tomcat/tomcat-app1:v1
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
          protocol: TCP
          name: http
        env:
        - name: "password"
          value: "123456"
        - name: "name"
          value: "wengsq"
        - name: "age"
          value: "18"
        resources:
          limits:
            cpu: 1
            memory: "512Mi"
          requests:
            cpu: 500m
            memory: "512Mi"
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: webwork-tomcat-app1-service-label
  name: webwork-tomcat-app1-service
  namespace: webwork
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
    nodePort: 30066
  selector:
    app: webwork-tomcat-app1

root@k8s-master1:/app/yaml/ingress# cat tomcat-app2.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: webwork-tomcat-app2-deploy-label
  name: webwork-tomcat-app2-deploy
  namespace: webwork
spec:
  replicas: 1
  selector:
    matchLabels:
      app: webwork-tomcat-app2
  template:
    metadata:
      labels:
        app: webwork-tomcat-app2
    spec:
      containers:
      - name: webwork-tomcat-app1-container
        image: harbor.qiange.com/tomcat/tomcat-app2:v1
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
          protocol: TCP
          name: http
        env:
        - name: "password"
          value: "123456"
        - name: "name"
          value: "wengsq"
        - name: "age"
          value: "18"
        resources:
          limits:
            cpu: 1
            memory: "512Mi"
          requests:
            cpu: 500m
            memory: "512Mi"
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: webwork-tomcat-app2-service-label
  name: webwork-tomcat-app2-service
  namespace: webwork
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
    nodePort: 30067
  selector:
    app: webwork-tomcat-app2

# Verify
root@k8s-master1:/app/yaml/ingress# kubectl get pod -n webwork -o wide
webwork-nginx-app1-deploy-68f5f5588c-zsr8d    1/1     Running   0               3h43m   10.200.107.252   172.17.1.109   <none>           <none>
webwork-nginx-app2-deploy-8699cb49dd-s7s87    1/1     Running   0               3h43m   10.200.36.84     172.17.1.107   <none>           <none>
webwork-tomcat-app1-deploy-854545898b-j7b9q   1/1     Running   0               147m    10.200.107.197   172.17.1.109   <none>           <none>
webwork-tomcat-app2-deploy-75bc95cc54-vznlw   1/1     Running   0               146m    10.200.107.198   172.17.1.109   <none>           <none>

root@k8s-master1:/app/yaml/ingress# kubectl get svc -n webwork
NAME                          TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE
webwork-nginx-app1-service    NodePort   10.100.188.84    <none>        80:30068/TCP   3h41m
webwork-nginx-app2-service    NodePort   10.100.157.154   <none>        80:30069/TCP   3h40m
webwork-tomcat-app1-service   NodePort   10.100.128.159   <none>        80:30066/TCP   144m
webwork-tomcat-app2-service   NodePort   10.100.123.243   <none>        80:30067/TCP   143m

root@k8s-master1:/app/yaml/ingress# kubectl get ep -n webwork
NAME                          ENDPOINTS             AGE
webwork-nginx-app1-service    10.200.107.252:80     3h44m
webwork-nginx-app2-service    10.200.36.84:80       3h43m
webwork-tomcat-app1-service   10.200.107.197:8080   147m
webwork-tomcat-app2-service   10.200.107.198:8080   147m


# Enter a pod to verify that the Service is configured correctly
root@k8s-master1:/app/yaml/ingress# kubectl exec -it webwork-tomcat-app1-deploy-854545898b-j7b9q sh -n webwork
sh-4.2# curl webwork-tomcat-app2-service.webwork.svc.cluster.local/app2/index.jsp
<h1>This is  tomcat app2 web page</h1>

# Test whether the tomcat services are reachable
root@k8s-master1:/app/yaml/ingress# curl 172.17.1.88:30066/app1/index.jsp
<h1>This is  tomcat app1 web page</h1>
root@k8s-master1:/app/yaml/ingress# curl 172.17.1.88:30067/app2/index.jsp
<h1>This is  tomcat app2 web page</h1>

1.4 Ingress experiments

1.4.1 Single tomcat host configuration

root@k8s-master1:/app/yaml/ingress# cat ingress-tomcat1.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-web
  namespace: webwork
  annotations:
    kubernetes.io/ingress.class: "nginx" ## Selects the Ingress controller type
    nginx.ingress.kubernetes.io/use-regex: "true" ## Allows regular expressions in the paths defined under rules below
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600" ## Connection timeout; default is 5s
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600" ## Timeout for the backend server to send data back; default is 60s
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600" ## Backend server response timeout; default is 60s
    nginx.ingress.kubernetes.io/proxy-body-size: "50m" ## Maximum size of a client file upload; default is 20m
    #nginx.ingress.kubernetes.io/rewrite-target: / ## URL rewrite
    nginx.ingress.kubernetes.io/app-root: /index.html
spec:
  rules:
  - host: www.wengsq.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: webwork-tomcat-app1-service
            port:
              number: 80
              
root@k8s-master1:/app/yaml/ingress# kubectl apply -f ingress-tomcat1.yaml
ingress.networking.k8s.io/nginx-web created
root@k8s-master1:/app/yaml/ingress# kubectl get ingress -n webwork   # It usually takes a few tens of seconds before the IP addresses appear
NAME        CLASS    HOSTS            ADDRESS   PORTS   AGE
nginx-web   <none>   www.wengsq.com             80      7s
root@k8s-master1:/app/yaml/ingress# kubectl get ingress -n webwork
NAME        CLASS    HOSTS            ADDRESS                                                            PORTS   AGE
nginx-web   <none>   www.wengsq.com   172.17.1.101,172.17.1.102,172.17.1.103,172.17.1.107,172.17.1.109   80      9s

# Verify
root@k8s-master1:/app/yaml/ingress# curl www.wengsq.com/app1/index.jsp
<h1>This is  tomcat app1 web page</h1>

1.4.2 Multiple tomcat hosts configuration

root@k8s-master1:/app/yaml/ingress# cat ingress-tomcat2.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-web
  namespace: webwork
  annotations:
    kubernetes.io/ingress.class: "nginx" ## Selects the Ingress controller type
    nginx.ingress.kubernetes.io/use-regex: "true" ## Allows regular expressions in the paths defined under rules below
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600" ## Connection timeout; default is 5s
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600" ## Timeout for the backend server to send data back; default is 60s
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600" ## Backend server response timeout; default is 60s
    nginx.ingress.kubernetes.io/proxy-body-size: "50m" ## Maximum size of a client file upload; default is 20m
    nginx.ingress.kubernetes.io/app-root: /index.html
spec:
  rules:
  - host: www.wengsq.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: webwork-tomcat-app1-service
            port:
              number: 80
  - host: app.wengsq.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: webwork-tomcat-app2-service
            port:
              number: 80

1.4.3 Matching Services by URL

root@k8s-master1:/app/yaml/ingress# cat ingress-tomcat3.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tomcat-web
  namespace: webwork
  annotations:
    kubernetes.io/ingress.class: "nginx" ## Selects the Ingress controller type
    nginx.ingress.kubernetes.io/use-regex: "true" ## Allows regular expressions in the paths defined under rules below
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600" ## Connection timeout; default is 5s
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600" ## Timeout for the backend server to send data back; default is 60s
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600" ## Backend server response timeout; default is 60s
    nginx.ingress.kubernetes.io/proxy-body-size: "50m" ## Maximum size of a client file upload; default is 20m
    nginx.ingress.kubernetes.io/app-root: /index.html
#    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: app.wsq.com
    http:
      paths:
      - pathType: Prefix
        path: "/app1"
        backend:
          service:
            name: webwork-tomcat-app1-service
            port:
              number: 80
      - pathType: Prefix
        path: "/app2"
        backend:
          service:
            name: webwork-tomcat-app2-service
            port:
              number: 80
  
# Verify
root@k8s-master1:/app/yaml/ingress# kubectl get ingress -n webwork
NAME         CLASS    HOSTS            ADDRESS                                                            PORTS   AGE
nginx-web    <none>   www.wengsq.com   172.17.1.101,172.17.1.102,172.17.1.103,172.17.1.107,172.17.1.109   80      8m8s
tomcat-web   <none>   app.wsq.com      172.17.1.101,172.17.1.102,172.17.1.103,172.17.1.107,172.17.1.109   80      34s
root@k8s-master1:/app/yaml/ingress# curl app.wsq.com/app2/index.jsp
<h1>This is  tomcat app2 web page</h1>
root@k8s-master1:/app/yaml/ingress# curl app.wsq.com/app1/index.jsp
<h1>This is  tomcat app1 web page</h1>

1.4.4 Mounting an SSL certificate for a single domain

# Issue the certificate
root@k8s-master1:/app/yaml/ingress# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt
root@k8s-master1:/app/yaml/ingress# ll
total 80
drwxr-xr-x 2 root root  4096 Feb 20 12:04 ./
drwxr-xr-x 9 root root   107 Feb 19 10:15 ../
-rw-r--r-- 1 root root  1245 Feb 20 11:45 tls.crt  # the issued certificate
-rw------- 1 root root  1704 Feb 20 11:45 tls.key

# Store the certificate and key as a Secret resource
root@k8s-master1:/app/yaml/ingress# kubectl create secret tls tls-secret --key tls.key --cert tls.crt -n webwork
# Verify
root@k8s-master1:/app/yaml/ingress# kubectl get secrets -n webwork
NAME                  TYPE                                  DATA   AGE
default-token-lvmvm   kubernetes.io/service-account-token   3      26d
tls-secret            kubernetes.io/tls                     2      117m
root@k8s-master1:/app/yaml/ingress# kubectl describe secrets tls-secret -n webwork
Name:         tls-secret
Namespace:    webwork
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
tls.crt:  1245 bytes
tls.key:  1704 bytes

# Configure the single-domain SSL certificate
root@k8s-master1:/app/yaml/ingress# cat ingress-https-tomcat1.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-web
  namespace: webwork
  annotations:
    kubernetes.io/ingress.class: "nginx" ## Selects the Ingress controller type
    nginx.ingress.kubernetes.io/ssl-redirect: 'true' # SSL redirect: forces HTTP requests to redirect to HTTPS, equivalent to site-wide HTTPS in nginx
spec:
  tls:
  - hosts:
    - ttt.wengsq.com
    secretName: tls-secret

  rules:
  - host: ttt.wengsq.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: webwork-tomcat-app1-service
            port:
              number: 80

1.4.5 Mounting an SSL certificate for multiple domains

root@k8s-master1:/app/yaml/ingress# cat ingress-https-tomcat2.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-web
  namespace: webwork
  annotations:
    kubernetes.io/ingress.class: "nginx" ## Selects the Ingress controller type
    nginx.ingress.kubernetes.io/ssl-redirect: 'true' # SSL redirect: forces HTTP requests to redirect to HTTPS, equivalent to site-wide HTTPS in nginx
spec:
  tls:
  - hosts:
    - ttt.wengsq.com
    - aaa.wengsq.com
    secretName: tls-secret

  rules:
  - host: ttt.wengsq.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: webwork-tomcat-app1-service
            port:
              number: 80
  - host: aaa.wengsq.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: webwork-tomcat-app2-service
            port:
              number: 80
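
How the rules from sections 1.4.3 and 1.4.5 select a backend and a TLS Secret, as an added Python example that is not part of the original article. It models only the Kubernetes API semantics (exact host match, Exact/Prefix pathType, longest path wins) and ignores ingress-nginx annotations such as the use-regex setting in the page's manifests; all function names are hypothetical.

```python
# Added example, not the article's code. Constructed input: the rules of
# ingress-tomcat3.yaml and ingress-https-tomcat2.yaml from this page, trimmed
# to the fields used and laid out as in `kubectl get ingress -o json`.
def _backend(name):
    return {"service": {"name": name, "port": {"number": 80}}}


def _rule(host, *paths):
    return {"host": host, "http": {"paths": [
        {"pathType": "Prefix", "path": p, "backend": _backend(svc)}
        for p, svc in paths]}}


INGRESSES = [
    {"metadata": {"name": "tomcat-web", "namespace": "webwork"},
     "spec": {"rules": [_rule("app.wsq.com",
                              ("/app1", "webwork-tomcat-app1-service"),
                              ("/app2", "webwork-tomcat-app2-service"))]}},
    {"metadata": {"name": "nginx-web", "namespace": "webwork"},
     "spec": {"tls": [{"hosts": ["ttt.wengsq.com", "aaa.wengsq.com"],
                       "secretName": "tls-secret"}],
              "rules": [_rule("ttt.wengsq.com", ("/", "webwork-tomcat-app1-service")),
                        _rule("aaa.wengsq.com", ("/", "webwork-tomcat-app2-service"))]}},
]


def path_elements(path):
    """Split a URL path into its non-empty '/'-separated elements."""
    return [e for e in path.split("/") if e]


def path_matches(path_type, rule_path, request_path):
    """Exact: identical strings. Prefix: element-wise prefix, so /app1 matches
    /app1 and /app1/index.jsp but not /app10."""
    if path_type == "Exact":
        return rule_path == request_path
    rule, req = path_elements(rule_path), path_elements(request_path)
    return req[:len(rule)] == rule


def tls_secret(ingress, host):
    """Name of the Secret listed for this host under spec.tls, or None."""
    for entry in ingress["spec"].get("tls", []):
        if host in entry.get("hosts", []):
            return entry.get("secretName")
    return None


def resolve(ingresses, host, request_path):
    """Return (service, port, tls_secret) for the best rule, or None when no
    rule matches and the request falls to the controller's default backend."""
    best = None
    for ing in ingresses:
        for rule in ing["spec"].get("rules", []):
            if rule.get("host") != host:  # exact host only; wildcards not modelled
                continue
            for p in rule["http"]["paths"]:
                if not path_matches(p["pathType"], p["path"], request_path):
                    continue
                # Longest matching path wins; Exact beats Prefix on a tie.
                rank = (len(path_elements(p["path"])), p["pathType"] == "Exact")
                if best is None or rank > best[0]:
                    svc = p["backend"]["service"]
                    best = (rank, (svc["name"], svc["port"]["number"],
                                   tls_secret(ing, host)))
    return best[1] if best else None


def hosts_without_tls(ingress):
    """Rule hosts that no spec.tls entry covers (checked only when tls is set)."""
    spec = ingress["spec"]
    if not spec.get("tls"):
        return []
    return [r["host"] for r in spec.get("rules", [])
            if tls_secret(ingress, r["host"]) is None]


if __name__ == "__main__":
    for host, path in [("app.wsq.com", "/app1/index.jsp"),
                       ("app.wsq.com", "/app10/index.jsp"),
                       ("aaa.wengsq.com", "/app2/index.jsp")]:
        print(host, path, "->", resolve(INGRESSES, host, path))
```

A host that `hosts_without_tls` reports is still answered on port 443 by ingress-nginx, but with the controller's default certificate rather than `tls-secret`.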

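Summary:

1. When a domain served through Ingress has problems, enter a pod and curl the backend Service to see whether it is reachable: curl svc-name.namespace.svc.cluster.local

2. When configuring Ingress to match backend Services by URL, pay attention to redirects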
