Kubernetes series 09: Ingress controllers in detail
1. Understanding Ingress
1.1 What is Ingress?
Normally, Services and Pods are reachable only by IP address from inside the cluster network. All traffic that reaches the edge router is either dropped or forwarded elsewhere. Conceptually, it looks like this:
    internet
        |
  ------------
  [ services ]
Ingress is a collection of rules that authorise inbound connections to reach cluster Services.
    internet
        |
   [ ingress ]
   --|-----|--
   [ services ]
You can configure Ingress to provide externally reachable URLs, load balancing, SSL termination, name-based virtual hosting and so on. Users request Ingress by POSTing Ingress resources to the API server. An Ingress controller is responsible for fulfilling the Ingress, usually with a load balancer; it can also configure the edge router or other front ends, which helps handle traffic in an HA fashion.
1.2 How Ingress works (diagram)
1.3 Prerequisites
Before using an Ingress resource, there are a few things to understand. Ingress is a beta resource; it did not exist before Kubernetes 1.1. You need an Ingress controller to implement Ingress: creating an Ingress on its own does nothing.
GCE/GKE deploys an Ingress controller on the master node. You can deploy any number of custom Ingress controllers in a Pod. You must annotate each Ingress correctly, for example when running multiple Ingress controllers or disabling GLBC.
Make sure you have read the beta limitations of the Ingress controller. In a non-GCE/GKE environment, you need to deploy the controller in a Pod yourself.
1.4 Fields of an Ingress resource manifest
- apiVersion: v1, the API version
- kind: Ingress, the resource type
- metadata: metadata
- spec: desired state
  - backend: the default backend, which handles any request that matches no rule
  - rules: the list of host rules used to configure the Ingress
  - tls: currently Ingress supports only a single TLS port, 443
- status: current state
2. Deploying the Ingress controller
(1) Download the YAML file from GitLab and create the deployment
GitLab ingress-nginx project:
Ingress installation guide:
Because the images have to be pulled, this takes a while.
--- download the required YAML file
[root@master ingress-nginx]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml
--- confirm the download succeeded
[root@master ingress-nginx]# ls
mandatory.yaml
--- create the Ingress controller
[root@master ingress-nginx]# kubectl apply -f mandatory.yaml
namespace/ingress-nginx created
configmap/nginx-configuration created
configmap/tcp-services created
configmap/udp-services created
serviceaccount/nginx-ingress-serviceaccount created
clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole created
role.rbac.authorization.k8s.io/nginx-ingress-role created
rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding created
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding created
deployment.apps/nginx-ingress-controller created
(2) On bare metal, a Service must be installed as well
[root@master ingress-nginx]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/baremetal/service-nodeport.yaml
[root@master ingress-nginx]# kubectl apply -f service-nodeport.yaml
service/ingress-nginx created
(3) Verify
--- list the Pods that were created
[root@master ~]# kubectl get pods -n ingress-nginx
NAME                                        READY   STATUS    RESTARTS   AGE
nginx-ingress-controller-648c7bb65b-df9qz   1/1     Running   0          34m
--- list the Service that was created
[root@master ingress-nginx]# kubectl get svc -n ingress-nginx
NAME            TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx   NodePort   10.109.244.123   <none>        80:30080/TCP,443:30443/TCP   21s
--- show the Service details
[root@master ~]# kubectl describe svc ingress-nginx -n ingress-nginx
Name:                     ingress-nginx
Namespace:                ingress-nginx
Labels:                   app.kubernetes.io/name=ingress-nginx
                          app.kubernetes.io/part-of=ingress-nginx
Annotations:              kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app.kubernetes.io/name":"ingress-nginx","app.kubernetes.io/part-of":"ingres...
Selector:                 app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx
Type:                     NodePort
IP:                       10.111.143.90
Port:                     http  80/TCP
TargetPort:               80/TCP
NodePort:                 http  30080/TCP
Endpoints:                10.244.1.104:80
Port:                     https  443/TCP
TargetPort:               443/TCP
NodePort:                 https  30443/TCP
Endpoints:                10.244.1.104:443
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   <none>
3. Creating an Ingress that proxies to a backend nginx Service
3.1 Prepare the backend Pods and Service
(1) Write the YAML file and create the objects
Create three Pods running the nginx service, plus one Service bound to them
[root@master ingress]# vim deploy-damo.yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: default
spec:
  selector:
    app: myapp
    release: canary
  ports:
  - name: http
    targetPort: 80
    port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deploy
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v2
        ports:
        - name: http
          containerPort: 80
[root@master ingress]# kubectl apply -f deploy-damo.yaml
service/myapp created
deployment.apps/myapp-deploy created
(2) Query and verify
[root@master ~]# kubectl get svc
NAME         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.96.0.1        <none>        443/TCP   146d
myapp        ClusterIP   10.103.137.126   <none>        80/TCP    6s
[root@master ~]# kubectl get pods
NAME                            READY   STATUS    RESTARTS   AGE
myapp-deploy-67f6f6b4dc-2vzjn   1/1     Running   0          14s
myapp-deploy-67f6f6b4dc-c7f76   1/1     Running   0          14s
myapp-deploy-67f6f6b4dc-x79hc   1/1     Running   0          14s
[root@master ~]# kubectl describe svc myapp
Name:              myapp
Namespace:         default
Labels:            <none>
Annotations:       kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"name":"myapp","namespace":"default"},"spec":{"ports":[{"name":"http","port":80,"targe...
Selector:          app=myapp,release=canary
Type:              ClusterIP
IP:                10.103.137.126
Port:              http  80/TCP
TargetPort:        80/TCP
Endpoints:         10.244.1.102:80,10.244.1.103:80,10.244.2.109:80
Session Affinity:  None
Events:            <none>
3.2 Create an Ingress bound to the backend nginx Service
(1) Write the YAML file and create the object
[root@master ingress]# vim ingress-myapp.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  namespace: default
spec:
  rules:
  - host: myapp.along.com
    http:
      paths:
      - path:
        backend:
          serviceName: myapp
          servicePort: 80
[root@master ingress]# kubectl apply -f ingress-myapp.yaml
ingress.extensions/ingress-myapp created
(2) Query and verify
[root@master ~]# kubectl get ingress
NAME            HOSTS             ADDRESS   PORTS   AGE
ingress-myapp   myapp.along.com             80      140d
[root@master ~]# kubectl describe ingress ingress-myapp
Name:             ingress-myapp
Namespace:        default
Address:
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host             Path  Backends
  ----             ----  --------
  myapp.along.com
                         myapp:80 (<none>)
Annotations:
  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{},"name":"ingress-myapp","namespace":"default"},"spec":{"rules":[{"host":"myapp.along.com","http":{"paths":[{"backend":{"serviceName":"myapp","servicePort":80},"path":null}]}}]}}
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  37s   nginx-ingress-controller  Ingress default/ingress-myapp
(3) Verify the service from outside the cluster
① First add an entry to the client host's hosts file, because this is not a public domain name
192.168.130.103 myapp.along.com
② Accessing the service succeeds
4. Creating an Ingress that proxies to a backend Tomcat Service
4.1 Prepare the backend Pods and Service
(1) Write the YAML file and create the objects
Create three Pods running the Tomcat service, plus one Service bound to them
[root@master ingress]# vim tomcat-deploy.yaml
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: default
spec:
  selector:
    app: tomcat
    release: canary
  ports:
  - name: http
    targetPort: 8080
    port: 8080
  - name: ajp
    targetPort: 8009
    port: 8009
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: tomcat
      release: canary
  template:
    metadata:
      labels:
        app: tomcat
        release: canary
    spec:
      containers:
      - name: tomcat
        image: tomcat:8.5.37-jre8-alpine
        ports:
        - name: http
          containerPort: 8080
        - name: ajp
          containerPort: 8009
[root@master ingress]# kubectl apply -f tomcat-deploy.yaml
service/tomcat created
deployment.apps/tomcat-deploy created
(2) Query and verify
[root@master ~]# kubectl get pods
NAME                            READY   STATUS    RESTARTS   AGE
tomcat-deploy-97d6458c5-hrmrw   1/1     Running   0          1m
tomcat-deploy-97d6458c5-ngxxx   1/1     Running   0          1m
tomcat-deploy-97d6458c5-xchgn   1/1     Running   0          1m
[root@master ~]# kubectl get svc
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)             AGE
kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP             146d
tomcat       ClusterIP   10.98.193.252   <none>        8080/TCP,8009/TCP   1m
4.2 Create an Ingress bound to the backend Tomcat Service
(1) Write the YAML file and create the object
[root@master ingress]# vim ingress-tomcat.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat
  namespace: default
spec:
  rules:
  - host: tomcat.along.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080
[root@master ingress]# kubectl apply -f ingress-tomcat.yaml
ingress.extensions/ingress-tomcat created
(2) Query and verify
[root@master ~]# kubectl get ingress
NAME             HOSTS              ADDRESS   PORTS   AGE
ingress-myapp    myapp.along.com              80      17m
ingress-tomcat   tomcat.along.com             80      6s
[root@master ~]# kubectl describe ingress ingress-tomcat
Name:             ingress-tomcat
Namespace:        default
Address:
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host              Path  Backends
  ----              ----  --------
  tomcat.along.com
                          tomcat:8080 (<none>)
Annotations:
  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{},"name":"ingress-tomcat","namespace":"default"},"spec":{"rules":[{"host":"tomcat.along.com","http":{"paths":[{"backend":{"serviceName":"tomcat","servicePort":8080},"path":null}]}}]}}
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  17s   nginx-ingress-controller  Ingress default/ingress-tomcat
(3) Verify the service from outside the cluster
① First add an entry to the client host's hosts file, because this is not a public domain name
192.168.130.103 tomcat.along.com
② Accessing the service succeeds
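The two Ingress objects in 3.2 and 4.2 each carry one host rule with an empty path, and kubectl describe shows a Default backend of default-http-backend:80 for whatever matches nothing. The following Python model, added here as an example and not code from this post, ingress-nginx or Kubernetes, walks through how a controller picks a backend for a request: match the client-supplied Host header against the rule hosts, then take the longest matching path prefix, else fall back to the default backend. The Ingress dicts are constructed to mirror ingress-myapp.yaml and ingress-tomcat.yaml; the extra /manager path pointing at a tomcat-admin Service is hypothetical and exists only to show longest-prefix selection.

```python
"""Model of Ingress rule evaluation (host, then longest path prefix, then
default backend). Added example; not code from the post, ingress-nginx or
Kubernetes."""
from typing import List, Optional, Tuple

Backend = Tuple[str, int]          # (serviceName, servicePort)

# Constructed to mirror ingress-myapp.yaml and ingress-tomcat.yaml from the
# post. A path of None (the empty "path:" in the manifests) matches every
# request for that host. The "/manager" -> tomcat-admin entry is hypothetical
# and exists only to show that the longest matching prefix wins.
INGRESSES: List[dict] = [
    {"metadata": {"name": "ingress-myapp", "namespace": "default"},
     "spec": {"rules": [
         {"host": "myapp.along.com",
          "http": {"paths": [
              {"path": None, "backend": {"serviceName": "myapp", "servicePort": 80}}]}}]}},
    {"metadata": {"name": "ingress-tomcat", "namespace": "default"},
     "spec": {"rules": [
         {"host": "tomcat.along.com",
          "http": {"paths": [
              {"path": "/manager", "backend": {"serviceName": "tomcat-admin", "servicePort": 8080}},
              {"path": None, "backend": {"serviceName": "tomcat", "servicePort": 8080}}]}}]}},
]

# The controller's catch-all, shown as "Default backend:" by kubectl describe.
DEFAULT_BACKEND: Backend = ("default-http-backend", 80)


def normalise_host(host_header: str) -> str:
    """Reduce a Host header to the bare name: drop ':port', whitespace and case.
    'MyApp.along.com:30080' -> 'myapp.along.com'."""
    return host_header.split(":", 1)[0].strip().lower()


def resolve(ingresses: List[dict], host_header: str, path: str,
            default: Backend = DEFAULT_BACKEND) -> Tuple[str, Backend]:
    """Return (ingress name, backend) for a request.

    The Host header is client-supplied, so a name that matches no rule must
    not reach any application Service; it falls through to the default
    backend, which is why unknown hosts get the controller's 404 page.
    """
    host = normalise_host(host_header)
    best: Optional[Tuple[int, str, Backend]] = None   # (prefix length, ingress, backend)
    for ing in ingresses:
        for rule in ing["spec"].get("rules", []):
            rule_host = rule.get("host")
            if rule_host and rule_host.lower() != host:   # a rule without host matches any host
                continue
            for entry in rule.get("http", {}).get("paths", []):
                prefix = entry.get("path") or "/"           # empty path == everything
                if not path.startswith(prefix):
                    continue
                backend = (entry["backend"]["serviceName"], entry["backend"]["servicePort"])
                candidate = (len(prefix), ing["metadata"]["name"], backend)
                if best is None or candidate[0] > best[0]:
                    best = candidate
    if best is None:
        return "<default>", default
    return best[1], best[2]


if __name__ == "__main__":
    for host, path in [("myapp.along.com", "/"),
                       ("tomcat.along.com:30443", "/manager/html"),
                       ("tomcat.along.com", "/docs/"),
                       ("192.168.130.103", "/")]:
        print(f"{host:<24} {path:<14} -> {resolve(INGRESSES, host, path)}")
```

The last case in the demo is the one worth noticing when you test from outside the cluster: a request sent to the node IP without a Host header for myapp.along.com or tomcat.along.com matches no rule and lands on default-http-backend, which is exactly why the hosts file entry in step (3) is needed.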
4.3 Accessing the service over HTTPS
4.3.1 Create the certificate, private key and Secret
(1) Create the private key
[root@master ingress]# openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
.............................................+++
...............+++
e is 65537 (0x10001)
[root@master ingress]# ls *key
tls.key
(2) Create the certificate
[root@master ingress]# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=tomcat.along.com
[root@master ingress]# ls tls.*
tls.crt  tls.key
(3) Create the Secret
[root@master ingress]# kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key
secret/tomcat-ingress-secret created
[root@master ingress]# kubectl get secret
NAME                    TYPE                DATA   AGE
tomcat-ingress-secret   kubernetes.io/tls   2      8s
[root@master ingress]# kubectl describe secret tomcat-ingress-secret
Name:         tomcat-ingress-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
tls.key:  1675 bytes
tls.crt:  1294 bytes
4.3.2 Recreate the Ingress, binding the backend Tomcat Service over HTTPS
(1) Write the YAML file and create the object
[root@master ingress]# vim ingress-tomcat-tls.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat-tls
  namespace: default
spec:
  tls:
  - hosts:
    - tomcat.along.com
    secretName: tomcat-ingress-secret
  rules:
  - host: tomcat.along.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080
(2) Query and verify
[root@master ~]# kubectl get ingress
NAME                 HOSTS              ADDRESS   PORTS     AGE
ingress-myapp        myapp.along.com              80        34m
ingress-tomcat       tomcat.along.com             80        16m
ingress-tomcat-tls   tomcat.along.com             80, 443   8s
[root@master ~]# kubectl describe ingress ingress-tomcat-tls
Name:             ingress-tomcat-tls
Namespace:        default
Address:
Default backend:  default-http-backend:80 (<none>)
TLS:
  tomcat-ingress-secret terminates tomcat.along.com
Rules:
  Host              Path  Backends
  ----              ----  --------
  tomcat.along.com
                          tomcat:8080 (<none>)
Annotations:
  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{},"name":"ingress-tomcat-tls","namespace":"default"},"spec":{"rules":[{"host":"tomcat.along.com","http":{"paths":[{"backend":{"serviceName":"tomcat","servicePort":8080},"path":null}]}}],"tls":[{"hosts":["tomcat.along.com"],"secretName":"tomcat-ingress-secret"}]}}
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  14s   nginx-ingress-controller  Ingress default/ingress-tomcat-tls
(3) Verify the service from outside the cluster
Accessing the service over HTTPS succeeds
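For the TLS line in kubectl describe ("tomcat-ingress-secret terminates tomcat.along.com") to appear and actually serve your certificate, the Secret from 4.3.1 and the tls block from 4.3.2 have to agree: the Secret must live in the same namespace as the Ingress, be of type kubernetes.io/tls with both tls.crt and tls.key, and every host listed under tls must also be a rule host. The Python below is an added example, not code from this post or from ingress-nginx: make_tls_secret builds the same Secret object that `kubectl create secret tls` creates (base64-encoded PEM under tls.crt and tls.key), and check_ingress_tls runs the checks just listed. The PEM strings are constructed placeholders standing in for the openssl output in 4.3.1 (they are not a real key or certificate), and INGRESS_TOMCAT_TLS mirrors ingress-tomcat-tls.yaml. Note that the certificate in 4.3.1 is self-signed, so clients will warn unless tls.crt is added to their trust store; that is fine for this test and not for production.

```python
"""What `kubectl create secret tls` builds, and the checks an Ingress with a
spec.tls block must pass before the controller will terminate TLS with it.
Added example; not code from the post, ingress-nginx or Kubernetes."""
import base64
from typing import Dict, List, Tuple

# Constructed placeholders standing in for the tls.crt / tls.key produced by
# the openssl commands in 4.3.1. They are NOT a valid certificate or key.
TLS_CRT = "-----BEGIN CERTIFICATE-----\nMIIC...placeholder...\n-----END CERTIFICATE-----\n"
TLS_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n"

# Constructed to mirror ingress-tomcat-tls.yaml from the post.
INGRESS_TOMCAT_TLS: dict = {
    "apiVersion": "extensions/v1beta1", "kind": "Ingress",
    "metadata": {"name": "ingress-tomcat-tls", "namespace": "default"},
    "spec": {
        "tls": [{"hosts": ["tomcat.along.com"], "secretName": "tomcat-ingress-secret"}],
        "rules": [{"host": "tomcat.along.com",
                   "http": {"paths": [{"path": None,
                                       "backend": {"serviceName": "tomcat", "servicePort": 8080}}]}}],
    },
}


def make_tls_secret(name: str, namespace: str, crt_pem: str, key_pem: str) -> dict:
    """Build the Secret that `kubectl create secret tls NAME --cert --key` creates:
    type kubernetes.io/tls, with the PEM files base64-encoded under tls.crt and tls.key."""
    for pem, label in ((crt_pem, "CERTIFICATE"), (key_pem, "PRIVATE KEY")):
        first = pem.splitlines()[0] if pem else ""
        if not first.startswith("-----BEGIN") or label not in first:
            raise ValueError(f"expected a PEM {label} block, got {first!r}")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/tls",
        "metadata": {"name": name, "namespace": namespace},
        "data": {"tls.crt": base64.b64encode(crt_pem.encode()).decode(),
                 "tls.key": base64.b64encode(key_pem.encode()).decode()},
    }


def check_ingress_tls(ingress: dict, secrets: List[dict]) -> List[str]:
    """Return the problems that would make ingress-nginx fall back to its
    built-in fake certificate, or leave a host on plain HTTP. Empty list == OK."""
    problems: List[str] = []
    ns = ingress["metadata"].get("namespace", "default")
    index: Dict[Tuple[str, str], dict] = {
        (s["metadata"].get("namespace", "default"), s["metadata"]["name"]): s for s in secrets}
    rule_hosts = {r["host"] for r in ingress["spec"].get("rules", []) if r.get("host")}
    tls_hosts = set()
    for entry in ingress["spec"].get("tls", []):
        hosts = entry.get("hosts", [])
        tls_hosts.update(hosts)
        name = entry.get("secretName")
        secret = index.get((ns, name))           # the Secret must live in the Ingress' namespace
        if secret is None:
            problems.append(f"tls secret {ns}/{name} not found")
            continue
        if secret.get("type") != "kubernetes.io/tls":
            problems.append(f"secret {ns}/{name} has type {secret.get('type')!r}, not kubernetes.io/tls")
        missing = {"tls.crt", "tls.key"} - set(secret.get("data", {}))
        if missing:
            problems.append(f"secret {ns}/{name} lacks {sorted(missing)}")
        for host in hosts:
            if host not in rule_hosts:
                problems.append(f"tls host {host} has no matching rule")
    for host in sorted(rule_hosts - tls_hosts):
        problems.append(f"rule host {host} is served over plain HTTP only")
    return problems


if __name__ == "__main__":
    secret = make_tls_secret("tomcat-ingress-secret", "default", TLS_CRT, TLS_KEY)
    print("with secret:   ", check_ingress_tls(INGRESS_TOMCAT_TLS, [secret]))
    print("without secret:", check_ingress_tls(INGRESS_TOMCAT_TLS, []))
```

When the referenced Secret is missing, in another namespace or not of type kubernetes.io/tls, ingress-nginx logs the error and keeps answering on 443 with its built-in fake certificate, so the HTTPS check in step (3) appears to work while serving the wrong certificate; running these checks before kubectl apply catches that, and the plain-HTTP finding is what ingress-tomcat from 4.2 still looks like after ingress-tomcat-tls is added.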