整体企业架构
公网/内网用户 → 云厂商SLB → Ingress-Nginx 网关
→ 路由/HTTPS/限流/IP白名单/灰度
→ 微服务 Service(ClusterIP)
→ Pod 负载均衡
→ 监控告警 Prometheus + Grafana
→ 证书自动续期 Cert-Manager1. 安装 Ingress-Nginx 高可用版
bash
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/cloud/deploy.yaml查看是否启动成功:
bash
kubectl get pods -n ingress-nginx
kubectl get svc -n ingress-nginx1.1 企业级资源限制(必须加)
bash
kubectl edit deployment ingress-nginx-controller -n ingress-nginx添加 resources:
yaml
resources:
limits:
cpu: "1000m"
memory: "1Gi"
requests:
cpu: "500m"
memory: "512Mi"2. 安装 Cert-Manager(自动签发免费 HTTPS 证书)
企业内部必备,再也不用手动更新证书。
2.1 安装 CRD
bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml2.2 创建 ClusterIssuer(签发机构)
cluster-issuer.yaml
yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: admin@company.com
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- http01:
ingress:
class: nginx应用:
bash
kubectl apply -f cluster-issuer.yaml3. 企业微服务标准模板(3套:user/order/admin)
3.1 用户服务 user-service.yaml
yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: user-service
namespace: default
spec:
replicas: 2
selector:
matchLabels:
app: user-service
template:
metadata:
labels:
app: user-service
spec:
containers:
- name: user-service
image: nginx:alpine # 替换为你的业务镜像
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 200m
memory: 256Mi
ports:
- containerPort: 80
readinessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 10
periodSeconds: 5
---
apiVersion: v1
kind: Service
metadata:
name: user-service
spec:
type: ClusterIP
selector:
app: user-service
ports:
- port: 80
targetPort: 803.2 订单服务 order-service.yaml
yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: order-service
spec:
replicas: 2
selector:
matchLabels:
app: order-service
template:
metadata:
labels:
app: order-service
spec:
containers:
- name: order-service
image: nginx:alpine
resources:
limits:
cpu: 500m
memory: 512Mi
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: order-service
spec:
type: ClusterIP
selector:
app: order-service
ports:
- port: 803.3 后台 admin-service.yaml
yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: admin-service
spec:
replicas: 1
selector:
matchLabels:
app: admin-service
template:
metadata:
labels:
app: admin-service
spec:
containers:
- name: admin-service
image: nginx:alpine
---
apiVersion: v1
kind: Service
metadata:
name: admin-service
spec:
type: ClusterIP
selector:
app: admin-service
ports:
- port: 80应用:
bash
kubectl apply -f user-service.yaml
kubectl apply -f order-service.yaml
kubectl apply -f admin-service.yaml4. Ingress 网关
enterprise-ingress.yaml
yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: enterprise-gateway
namespace: default
annotations:
# 基础
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
# 正则与重写
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/rewrite-target: /$1
# HTTPS 自动证书(关键)
cert-manager.io/cluster-issuer: "letsencrypt-prod"
# 强制 HTTPS
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/hsts: "true"
nginx.ingress.kubernetes.io/hsts-max-age: "31536000"
# 文件上传
nginx.ingress.kubernetes.io/proxy-body-size: "200m"
# 超时
nginx.ingress.kubernetes.io/proxy-connect-timeout: "5"
nginx.ingress.kubernetes.io/proxy-send-timeout: "30"
nginx.ingress.kubernetes.io/proxy-read-timeout: "30"
# 真实IP透传
nginx.ingress.kubernetes.io/proxy-set-header: |
X-Real-IP $remote_addr,
X-Forwarded-For $proxy_add_x_forwarded_for,
X-Forwarded-Proto $scheme
# 限流
nginx.ingress.kubernetes.io/limit-rps: "200"
nginx.ingress.kubernetes.io/limit-connections: "100"
# 跨域
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-origin: "*"
nginx.ingress.kubernetes.io/cors-allow-methods: "GET,POST,PUT,DELETE,OPTIONS,PATCH"
# 安全
nginx.ingress.kubernetes.io/server-tokens: "false"
nginx.ingress.kubernetes.io/xss-protection: "1; mode=block"
nginx.ingress.kubernetes.io/frame-options: "DENY"
spec:
tls:
- hosts:
- api.company.com
- admin.company.com
secretName: tls-cert-company
rules:
- host: api.company.com
http:
paths:
- path: /user/(.*)
pathType: ImplementationSpecific
backend:
service:
name: user-service
port:
number: 80
- path: /order/(.*)
pathType: ImplementationSpecific
backend:
service:
name: order-service
port:
number: 80
- host: admin.company.com
http:
paths:
- path: /(.*)
pathType: ImplementationSpecific
backend:
service:
name: admin-service
port:
number: 80应用:
bash
kubectl apply -f enterprise-ingress.yaml5. 灰度发布(金丝雀)
ingress-canary.yaml
yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: order-canary
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/canary: "true"
nginx.ingress.kubernetes.io/canary-weight: "30" # 30%流量到v2
spec:
rules:
- host: api.company.com
http:
paths:
- path: /order/(.*)
pathType: ImplementationSpecific
backend:
service:
name: order-service-v2
port:
number: 806. IP 白名单(内部系统必备)
在 annotations 中加:
yaml
nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8,192.168.0.0/16,172.16.0.0/12"只允许内网访问,防止公网恶意扫描。
7. Ingress 监控 Prometheus + Grafana
7.1 给 Ingress 开启监控
bash
kubectl edit deployment ingress-nginx-controller -n ingress-nginx添加 args:
yaml
- --enable-prometheus-metrics=true7.2 一键导入 Grafana 看板
看板 ID:9614
可监控:
- QPS
- 延迟 P50/P90/P99
- 状态码 4xx/5xx
- 流量
- 异常请求
8. 整套企业级能力
- ✅ HTTPS 自动签发、自动续期
- ✅ 7层网关路由、域名拆分
- ✅ URL 重写、文件上传
- ✅ IP 限流、并发限流
- ✅ 跨域、安全头、防XSS
- ✅ 真实IP透传
- ✅ 灰度发布/金丝雀
- ✅ IP 白名单
- ✅ 微服务服务发现 + 负载均衡
- ✅ 完整监控大盘