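Ingress never reaches a Pod directly. Traffic must first go to a Service, and the Service then forwards it to the Pod.
External request (browser)
│
▼
Ingress Controller (Nginx)
│ matched by host / path
▼
Service (ClusterIP / NodePort)
│
▼
Pod (application container)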
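I. Ingress
Ingress is the Layer 7 (HTTP/HTTPS) routing rule in Kubernetes, used mainly to bring traffic from outside the cluster to Services inside the cluster.
It does not work on its own: it depends on an Ingress Controller (common ones include the Nginx Ingress Controller, Traefik, and HAProxy).
With Ingress, different Services can be reached by domain name / path, without having to remember a NodePort or configure an external load balancer.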
II. Examples
1. Domain-based routing
Requests to frontend.example.com → forwarded to frontend-svc
Requests to backend.example.com → forwarded to backend-svc
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: domain-based-ingress
spec:
  rules:
  - host: frontend.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: frontend-svc
            port:
              number: 80
  - host: backend.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: backend-svc
            port:
              number: 8080
```
Requests are forwarded to different Services according to the requested domain name.
2. Path-based routing
http://mall.example.com/ → frontend service
http://mall.example.com/api → backend service
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: path-based-ingress
spec:
  rules:
  - host: mall.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: frontend-svc
            port:
              number: 80
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: backend-svc
            port:
              number: 8080
```
The same domain name is routed to different Services according to the path.
3. Enabling HTTPS (TLS)
You have a certificate, mall-tls (stored in a Secret), and want the site to be reachable over HTTPS.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
spec:
  tls:
  - hosts:
    - mall.example.com
    secretName: mall-tls   # mall-tls is the Secret that holds the certificate
  rules:
  - host: mall.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: frontend-svc
            port:
              number: 80
```
mall-tls was created with kubectl create secret tls mall-tls --cert=mall.crt --key=mall.key. Users then access the site at https://mall.example.com
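III. Combined example
Deploy a shopping mall application with a separate frontend and backend.

| Service | Pod name | Service name | Port |
|---|---|---|---|
| Frontend (React) | frontend-pod | frontend-svc | 80 |
| Backend (API) | backend-pod | backend-svc | 8080 |

Users visiting http://mall.example.com/ → reach the frontend
Users visiting http://mall.example.com/api → reach the backend
Ingress provides a single entry point, so there is no need to access a NodePort or ClusterIP directly.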
1. Deploy the frontend Deployment + Service
Deployment (frontend-deployment.yaml)
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: frontend
  template:
    metadata:
      labels:
        app: frontend
    spec:
      containers:
      - name: frontend
        image: nginx:alpine   # assumes the built frontend is served from Nginx
        ports:
        - containerPort: 80
```
Service (frontend-svc.yaml)
```yaml
apiVersion: v1
kind: Service
metadata:
  name: frontend-svc
spec:
  selector:
    app: frontend
  ports:
  - port: 80
    targetPort: 80
  type: ClusterIP
```
2. Deploy the backend Deployment + Service
Deployment (backend-deployment.yaml)
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: backend
  template:
    metadata:
      labels:
        app: backend
    spec:
      containers:
      - name: backend
        image: my-backend:latest
        ports:
        - containerPort: 8080
```
Service (backend-svc.yaml)
```yaml
apiVersion: v1
kind: Service
metadata:
  name: backend-svc
spec:
  selector:
    app: backend
  ports:
  - port: 8080
    targetPort: 8080
  type: ClusterIP
```
3. Create the Ingress
Ingress (mall-ingress.yaml)
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: mall-ingress
spec:
  rules:
  - host: mall.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: frontend-svc   # the frontend Service
            port:
              number: 80
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: backend-svc    # the backend Service
            port:
              number: 8080
```
Browser requests http://mall.example.com/api   ### the backend path
│
▼
Ingress Controller (Nginx)
│ matches the path /api against the rules
▼
Service: backend-svc   ### the backend Service
│ forwards the request to the matching Pod
▼
Pod: backend-pod
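To check which Service a given request would reach under mall-ingress, the following added example (not part of the original post) models host matching and pathType: Prefix as the Kubernetes Ingress API defines it: whole path elements are compared and the longest matching path wins. The function names route and prefix_matches are hypothetical, only exact host names are modelled (no wildcards), and the request list is constructed.

```python
# Added example: simplified model of Ingress host + pathType: Prefix matching.
# RULES mirrors mall-ingress from this page; the sample requests are constructed.

RULES = {
    "mall.example.com": [
        ("/", "frontend-svc", 80),
        ("/api", "backend-svc", 8080),
    ],
}


def _elements(path):
    """Split a path into its '/'-separated elements, ignoring empty ones."""
    return [p for p in path.split("/") if p]


def prefix_matches(rule_path, request_path):
    """pathType: Prefix compares whole path elements, not raw string prefixes."""
    rule, req = _elements(rule_path), _elements(request_path)
    return req[:len(rule)] == rule


def route(host, path, rules=RULES):
    """Return (service, port) for a request, or None when no rule matches."""
    path = path.split("?", 1)[0]  # the query string takes no part in matching
    candidates = [
        (len(_elements(rule_path)), svc, port)
        for rule_path, svc, port in rules.get(host.lower(), [])
        if prefix_matches(rule_path, path)
    ]
    if not candidates:
        return None  # no rule for this host/path: the controller's default backend answers
    _, svc, port = max(candidates, key=lambda c: c[0])  # longest matching path wins
    return svc, port


if __name__ == "__main__":
    # Constructed requests for illustration.
    for host, path in [
        ("mall.example.com", "/"),
        ("mall.example.com", "/api"),
        ("mall.example.com", "/api/orders?id=1"),
        ("mall.example.com", "/apiv2/orders"),  # not under /api: falls through to "/"
        ("other.example.com", "/api"),          # host not listed in any rule
    ]:
        print(f"{host}{path} -> {route(host, path)}")
```

Because the "/" rule is a catch-all for mall.example.com, every path that is not under /api is exposed through frontend-svc.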
## To be completed