Kubernetes Ingress 控制器 Nginx
Kubernetes Nginx About 8,435 words概念
Ingress相当于一个7层的负载均衡器,是Kubernetes对反向代理的一个抽象,它的工作原理类似于Nginx,可以理解成在** Ingress 里建立诸多映射规则,Ingress Controller 通过监听这些配置规则并转化成 Nginx 的反向代理配置,然后对外部提供服务**。
两个核心概念:
Ingress:Kubernetes中的一个对象,作用是定义请求如何转发到Service的规则Ingress Controller:具体实现反向代理及负载均衡的程序,对Ingress定义的规则进行解析,根据配置的规则来实现请求转发,实现方式有很多,比如Nginx,Contour,Haproxy等
工作原理
- 用户编写
Ingress规则,说明哪个域名对应Kubernetes集群中的哪个Service Ingress控制器动态感知Ingress服务规则的变化,然后生成一段对应的Nginx反向代理配置Ingress控制器会将生成的Nginx配置写入到一个运行着的Nginx服务中,并动态更新
查看帮助
kubectl explain IngressClassminikube 开启 Ingress
minikube addons enable ingress输出:
$ minikube addons enable ingress
▪ Using image registry.cn-hangzhou.aliyuncs.com/google_containers/kube-webhook-certgen:v1.1.1
▪ Using image registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:v1.1.0
▪ Using image registry.cn-hangzhou.aliyuncs.com/google_containers/kube-webhook-certgen:v1.1.1
🔎 Verifying ingress addon...
🌟 The 'ingress' addon is enabled测试容器
tomcat-nginx.yml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
namespace: dev
spec:
replicas: 3
selector:
matchLabels:
app: nginx-pod
template:
metadata:
labels:
app: nginx-pod
spec:
containers:
- name: nginx
image: nginx:1.17.1
ports:
- containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: tomcat-deployment
namespace: dev
spec:
replicas: 3
selector:
matchLabels:
app: tomcat-pod
template:
metadata:
labels:
app: tomcat-pod
spec:
containers:
- name: tomcat
image: tomcat:8.5-jre10-slim
ports:
- containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: nginx-service
namespace: dev
spec:
selector:
app: nginx-pod
clusterIP: None
type: ClusterIP
ports:
- port: 80
targetPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: tomcat-service
namespace: dev
spec:
selector:
app: tomcat-pod
clusterIP: None
type: ClusterIP
ports:
- port: 8080
targetPort: 8080创建实例
kubectl create -f tomcat-nginx.yml输出:
$ kubectl create -f tomcat-nginx.yml
deployment.apps/nginx-deployment created
deployment.apps/tomcat-deployment created
service/nginx-service created
service/tomcat-service created查看服务
kubectl get svc -n dev输出:
$ kubectl get svc -n dev
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
nginx-service ClusterIP None <none> 80/TCP 84s
tomcat-service ClusterIP None <none> 8080/TCP 84sHTTP 代理
ingress-http.yml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-http
namespace: dev
spec:
rules:
- host: nginx.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: nginx-service # svc 中配置的名字
port:
number: 80 # svc 中配置的端口
- host: tomcat.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: tomcat-service
port:
number: 8080创建实例
kubectl create -f ingress-http.yml输出:
$ kubectl create -f ingress-http.yml
ingress.networking.k8s.io/ingress-http created查看 Ingress
kubectl get ing -n dev输出:
$ kubectl get ing -n dev
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-http nginx nginx.example.com,tomcat.example.com 80 29s查看服务
namespace为ingress-nginx(注意:不是dev)
kubectl get svc -n ingress-nginx输出:
$ kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.98.74.163 <none> 80:30148/TCP,443:32532/TCP 4h17m
ingress-nginx-controller-admission ClusterIP 10.106.203.126 <none> 443/TCP 4h17m访问站点
测试用域名,需在hosts文件配置映射。30148是ingress-nginx命名空间下的svc映射的HTTP端口。
访问Nginx容器
curl nginx.example.com:30148访问Tomcat容器
curl tomcat.example.com:30148查看详细描述
kubectl describe ing ingress-http -n dev输出:
$ kubectl describe ing ingress-http -n dev
Name: ingress-http
Labels: <none>
Namespace: dev
Address: localhost
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
Host Path Backends
---- ---- --------
nginx.example.com
/ nginx-service:80 (172.17.0.4:80,172.17.0.5:80,172.17.0.8:80)
tomcat.example.com
/ tomcat-service:8080 (172.17.0.6:8080,172.17.0.7:8080,172.17.0.9:8080)
Annotations: <none>
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Sync 2m37s (x2 over 3m31s) nginx-ingress-controller Scheduled for syncHTTPS 代理
创建证书
会在当前目录生成tls.crt和tls.key两个文件。
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/C=CN/ST=BJ/L=BJ/O=nginx/CN=example.com"创建密钥
kubectl create secret tls tls-secret --key tls.key --cert tls.crt输出:
$ kubectl create secret tls tls-secret --key tls.key --cert tls.crt
secret/tls-secret created示例 yml
ingress-https.yml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-https
namespace: dev
spec:
tls:
- hosts:
- nginx.itheima.com
- tomcat.itheima.com
secretName: tls-secret # 指定秘钥
rules:
- host: nginx.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: nginx-service # svc 中配置的名字
port:
number: 80 # svc 中配置的端口
- host: tomcat.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: tomcat-service
port:
number: 8080创建实例
kubectl create -f ingress-https.yml输出:
$ kubectl create -f ingress-https.yml
ingress.networking.k8s.io/ingress-https created如果报以下错误,可以先删除dev命名空间再创建。(主要是因为演示HTTP代理时已经使用过了域名配置)
备注:如果删除了dev命名空间,Service也会被删除,容器tomcat-nginx需要重新创建。
Error from server (BadRequest): error when creating "ingress-https.yml": admission webhook "validate.nginx.ingress.kubernetes.io" denied the request: host "nginx.example.com" and path "/" is already defined in ingress dev/ingress-http查看 Ingress
kubectl get ing -n dev输出:
$ kubectl get ing -n dev
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-https nginx nginx.example.com,tomcat.example.com localhost 80, 443 4m查看服务
namespace为ingress-nginx(注意:不是dev)
kubectl get svc -n ingress-nginx输出:
$ kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.98.74.163 <none> 80:30148/TCP,443:32532/TCP 4h47m
ingress-nginx-controller-admission ClusterIP 10.106.203.126 <none> 443/TCP 4h47m访问站点
测试用域名,需在hosts文件配置映射。32532是ingress-nginx命名空间下的svc映射的HTTPS端口。
-k参数是忽略校验SSL证书。
访问Nginx容器
curl -k https://nginx.example.com:32532访问Tomcat容器
curl -k https://tomcat.example.com:32532查看详细描述
kubectl describe ing ingress-https -n dev输出:(多了TLS信息)
$ kubectl describe ing ingress-https -n dev
Name: ingress-https
Labels: <none>
Namespace: dev
Address: localhost
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
tls-secret terminates nginx.itheima.com,tomcat.itheima.com
Rules:
Host Path Backends
---- ---- --------
nginx.example.com
/ nginx-service:80 (<error: endpoints "nginx-service" not found>)
tomcat.example.com
/ tomcat-service:8080 (<error: endpoints "tomcat-service" not found>)
Annotations: <none>
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Sync 4m25s (x2 over 4m42s) nginx-ingress-controller Scheduled for sync开源地址
Views: 1,592 · Posted: 2022-03-17
———— END ————
Give me a Star, Thanks:)
https://github.com/fendoudebb/LiteNote扫描下方二维码关注公众号和小程序↓↓↓
Loading...