1. First, understand: why use Ingress?
- A Service only does layer-4 (TCP) load balancing
- Ingress is a layer-7 (HTTP/HTTPS) gateway, and can:
  - route by domain name / path
  - terminate HTTPS with configured certificates
  - rewrite URLs, rate-limit, handle CORS
  - do canary releases, IP allow/deny lists
  - provide a single entry point and reduce the number of exposed ports
Most common implementation: Ingress-NGINX
2. Overall architecture
User request → cloud provider SLB (LoadBalancer) → Ingress-NGINX → microservice Service → Pod
3. Step 1: install Ingress-NGINX
```bash
# This URL tracks the main branch; in production pin to a released tag instead.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/cloud/deploy.yaml
```
Check:
```bash
kubectl get pods -n ingress-nginx
kubectl get svc -n ingress-nginx
```
The EXTERNAL-IP shown for the controller Service is the gateway entry IP.
4. Hands-on 1: multi-domain routing (the most common case)
1) Deploy two services (api, admin)
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
spec:
  replicas: 2
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      containers:
      - name: api
        image: nginx:alpine
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: api-svc
spec:
  selector:
    app: api
  ports:
  - port: 80
---
# admin is the same, omitted
```
2) Create the Ingress routing rules
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
spec:
  # Selects the controller; this field replaces the deprecated annotation
  # kubernetes.io/ingress.class: "nginx"
  ingressClassName: nginx
  rules:
  - host: api.xxx.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api-svc
            port:
              number: 80
  - host: admin.xxx.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: admin-svc
            port:
              number: 80
```
Apply:
```bash
kubectl apply -f ingress.yaml
```
Result:
api.xxx.com → api service
admin.xxx.com → admin service
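Annotations on an Ingress-NGINX Ingress apply to every rule in that object, so a host that needs its own policy is best given its own Ingress. As an added example (not part of the original post), this is a separate Ingress for admin.xxx.com that restricts access to two constructed CIDRs via `whitelist-source-range`; the api host would keep its own Ingress without the allow-list.

```yaml
# Added example: a dedicated Ingress for the admin host with a source-IP allow-list.
# The CIDRs are constructed placeholders; replace them with your office/VPN ranges.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: admin-ingress
  annotations:
    # Only these source ranges may reach admin.xxx.com; everyone else receives 403.
    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8,203.0.113.0/24"
spec:
  ingressClassName: nginx
  rules:
  - host: admin.xxx.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: admin-svc
            port:
              number: 80
```

The allow-list is only as good as the address the controller sees: behind a cloud SLB that address is the load balancer's unless the controller Service uses `externalTrafficPolicy: Local` or proxy protocol is enabled on both the SLB and the controller (`use-proxy-protocol` in the controller ConfigMap). Check with `kubectl -n ingress-nginx logs deploy/ingress-nginx-controller` that the logged client IP is the real one before relying on the rule.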
5. Hands-on 2: HTTPS certificate configuration (free SSL)
1) Generate a certificate (or have cert-manager issue one automatically)
```bash
# Self-signed certificate for testing: -subj avoids the interactive prompts and
# -addext adds the SAN that modern clients require (needs OpenSSL 1.1.1 or newer).
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
  -subj "/CN=api.xxx.com" -addext "subjectAltName=DNS:api.xxx.com" \
  -keyout tls.key -out tls.crt
```
2) Create the Secret
```bash
kubectl create secret tls tls-secret --cert=tls.crt --key=tls.key
```
3) Enable HTTPS on the Ingress
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: https-ingress
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - api.xxx.com
    secretName: tls-secret
  rules:
  - host: api.xxx.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api-svc
            port:
              number: 80
```
Access https://api.xxx.com and it takes effect.
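The "free SSL" path mentioned in step 1 is cert-manager issuing a Let's Encrypt certificate and renewing it automatically. As an added example (not from the original post), this is a ClusterIssuer using the HTTP-01 challenge through the nginx class, plus an Ingress that requests a certificate via the `cert-manager.io/cluster-issuer` annotation and forces HTTP clients onto HTTPS. It assumes cert-manager 1.12 or newer is installed (older releases spell the solver field `class: nginx`); the e-mail address and Secret name are placeholders.

```yaml
# Added example: automatic certificates from Let's Encrypt via cert-manager.
# Assumes cert-manager (>= 1.12) is already installed; the e-mail is a placeholder.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
    - http01:
        ingress:
          ingressClassName: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: https-ingress
  annotations:
    # cert-manager watches this annotation, completes the ACME challenge, writes the
    # certificate into the Secret named under spec.tls.secretName and renews it
    # before expiry.
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # ssl-redirect is already on by default once TLS is configured; force-ssl-redirect
    # also redirects when the request arrived as plain HTTP through the SLB.
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - api.xxx.com
    secretName: api-xxx-com-tls   # created and maintained by cert-manager
  rules:
  - host: api.xxx.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api-svc
            port:
              number: 80
```

Issuance can be followed with `kubectl describe certificate api-xxx-com-tls`; the HTTP-01 solver needs port 80 of api.xxx.com reachable from the internet, so do not block it with an allow-list on the same host while the challenge runs.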
6. Hands-on 3: URL rewriting and path forwarding
Enable rewriting with annotations:
```yaml
annotations:
  nginx.ingress.kubernetes.io/rewrite-target: /$1
  nginx.ingress.kubernetes.io/use-regex: "true"
```
Example:
api.xxx.com/user/1 → forwarded to the service as /1
```yaml
paths:
- path: /user/(.*)
  pathType: ImplementationSpecific   # regex paths use ImplementationSpecific rather than Prefix
  backend:
    service:
      name: user-svc
      port:
        number: 80
```
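The pattern `/user/(.*)` above does not match a request for `/user` without a trailing slash. As an added example (not from the original post), this is the capture-group form used in the Ingress-NGINX rewrite documentation, which handles both cases; the host and service names are the ones used above.

```yaml
# Added example: the capture-group rewrite form from the Ingress-NGINX docs.
# "/user" and "/user/" both match because group 1 accepts "/" or end-of-string;
# "/user/1" is rewritten to "/1" and "/user/1/profile" to "/1/profile".
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: user-rewrite
  annotations:
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
  ingressClassName: nginx
  rules:
  - host: api.xxx.com
    http:
      paths:
      - path: /user(/|$)(.*)
        pathType: ImplementationSpecific
        backend:
          service:
            name: user-svc
            port:
              number: 80
```

`use-regex` applies to every path in the Ingress object it is set on, so keep regex-routed paths in their own Ingress. The backend only ever sees the rewritten path; if it makes authorization decisions on the URL, make sure those decisions are based on the path it actually receives, not on the public one.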
7. Hands-on 4: canary release (splitting traffic by ratio)
Core idea:
- two Deployments (v1, v2)
- the same Service
- Ingress splits traffic by weight
1) Service unchanged, matching the shared label
```yaml
selector:
  app: demo
```
2) Both the v1 and v2 Deployments carry app: demo
3) Configure the weight on the Ingress
```yaml
annotations:
  nginx.ingress.kubernetes.io/canary: "true"
  nginx.ingress.kubernetes.io/canary-weight: "10" # 10% of traffic to v2
```
90% → v1
10% → v2
Shift traffic step by step for a safe rollout.
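Ingress-NGINX applies `canary-weight` between the backend of the main Ingress and the backend of a second Ingress (same host and path) that carries the canary annotations, so the canary needs its own Service: if v1 and v2 pods sat behind one Service, the split would follow pod count rather than the weight. As an added example (not from the original post), here are the two Services and two Ingress objects for the 90/10 split above. It assumes Deployments `demo-v1` and `demo-v2` whose pods carry `app: demo` plus `version: v1` / `version: v2`; the host `demo.xxx.com` is constructed.

```yaml
# Added example: weighted canary in Ingress-NGINX (two Services, two Ingress objects).
# Assumes Deployments demo-v1 / demo-v2 labelled app: demo and version: v1 / v2.
apiVersion: v1
kind: Service
metadata:
  name: demo-v1
spec:
  selector:
    app: demo
    version: v1
  ports:
  - port: 80
---
apiVersion: v1
kind: Service
metadata:
  name: demo-v2
spec:
  selector:
    app: demo
    version: v2
  ports:
  - port: 80
---
# Main Ingress: receives everything not diverted to the canary (90%).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo
spec:
  ingressClassName: nginx
  rules:
  - host: demo.xxx.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: demo-v1
            port:
              number: 80
---
# Canary Ingress: same host and path, canary annotations, backend is the v2 Service.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-canary
  annotations:
    nginx.ingress.kubernetes.io/canary: "true"
    # 10% of requests go to v2; raise in steps (10 -> 30 -> 50 -> 100), then point
    # the main Ingress at demo-v2 and delete this object.
    nginx.ingress.kubernetes.io/canary-weight: "10"
    # Testers can select the canary regardless of weight with "X-Canary: always";
    # "never" skips it, any other value or no header falls back to the weight.
    nginx.ingress.kubernetes.io/canary-by-header: "X-Canary"
spec:
  ingressClassName: nginx
  rules:
  - host: demo.xxx.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: demo-v2
            port:
              number: 80
```

Header-based selection takes precedence over the weight, which lets you verify v2 end to end before any real traffic is shifted; watch the v2 error rate and latency in the controller's metrics at each weight step before raising it.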
8. Hands-on 5: blue-green release
- Deploy the new version v2 first
- Test it
- Change the Service selector to point at v2
- Full cutover in an instant, easy rollback
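The four steps above in manifest form, as an added example that is not from the original post: both versions run side by side and the Service's `version` label decides which one receives traffic. It assumes a `demo-v1` Deployment identical to the one shown except for `version: v1`.

```yaml
# Added example: blue-green cutover driven by the Service selector.
# Assumes demo-v1 already exists with the same labels but version: v1.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-v2
spec:
  replicas: 2
  selector:
    matchLabels:
      app: demo
      version: v2
  template:
    metadata:
      labels:
        app: demo
        version: v2
    spec:
      containers:
      - name: demo
        image: nginx:alpine
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: demo-svc
spec:
  selector:
    app: demo
    version: v1   # cut over by changing this to v2 (strategic merge patch):
    # kubectl patch svc demo-svc -p '{"spec":{"selector":{"version":"v2"}}}'
    # rollback is the same command with "v1"
  ports:
  - port: 80
```

Test v2 before the switch without exposing it, e.g. `kubectl port-forward deploy/demo-v2 8080:80`, and keep v1 running until v2 has served production traffic long enough that a rollback is no longer needed; the Ingress does not change at all in this pattern.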
9. Advanced annotations commonly used in production
```yaml
annotations:
  # rate limiting
  nginx.ingress.kubernetes.io/limit-rps: "10"
  # request body size limit
  nginx.ingress.kubernetes.io/proxy-body-size: "100m"
  # CORS
  nginx.ingress.kubernetes.io/enable-cors: "true"
  # timeout
  nginx.ingress.kubernetes.io/proxy-connect-timeout: "10"
  # canary
  nginx.ingress.kubernetes.io/canary: "true"
  nginx.ingress.kubernetes.io/canary-weight: "20"
```
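One complete Ingress that applies the annotations above with production-safe values, covering the rate-limiting, WAF and HTTPS layers of the architecture described in the next section. This is an added example, not from the original post: `enable-cors` on its own answers `Access-Control-Allow-Origin: *`, so the origin is named explicitly; the body limit, timeouts and the constructed origin `https://app.xxx.com` are illustrative, and ModSecurity is assumed to be present in the controller image (the default image ships it).

```yaml
# Added example: a hardened production Ingress for the api host.
# Origin, sizes and timeouts are constructed values; tune them to the service.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api-prod
  annotations:
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    # Per client IP: 10 requests/s and at most 20 open connections. Like any
    # per-IP rule this needs the real client address (externalTrafficPolicy: Local
    # or proxy protocol), otherwise the SLB's address is what gets limited.
    nginx.ingress.kubernetes.io/limit-rps: "10"
    nginx.ingress.kubernetes.io/limit-connections: "20"
    # Reject oversized request bodies at the gateway, before they reach the backend.
    nginx.ingress.kubernetes.io/proxy-body-size: "8m"
    # CORS: name the allowed origin and methods instead of the default "*".
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-origin: "https://app.xxx.com"
    nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, OPTIONS"
    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
    # Timeouts in seconds: fail fast on a slow backend instead of holding connections.
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "10"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "30"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "30"
    # WAF: ModSecurity with the OWASP Core Rule Set bundled in the controller image.
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - api.xxx.com
    secretName: tls-secret
  rules:
  - host: api.xxx.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api-svc
            port:
              number: 80
```

Roll the WAF out in detection-only mode first and review the controller's error log for false positives before blocking, and confirm the rate limit behaves as intended by checking that a burst of requests from one address returns 503 while other addresses are unaffected.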
10. Standard enterprise production architecture
Public internet → Cloud SLB → Ingress-NGINX
  → gateway rate limiting, WAF
  → domain routing
  → HTTPS
  → canary release
  → microservice Service
  → Pod load balancing
11. One-sentence summary
- Ingress is the unified layer-7 gateway of K8s
- It handles domains, HTTPS, routing, canary releases and security
- Service handles internal layer-4 load balancing
- CoreDNS handles service discovery
- The whole combination = the standard production microservice gateway