
Kubernetes series 09: Ingress controllers in detail

程序员文章站 2022-08-17 13:01:48

This article is part of the container technology learning series (see the series table of contents).

1. Understanding Ingress

1.1 What is Ingress?

  Normally, Services and Pods are reachable only by IP address from inside the cluster network. Any traffic that reaches the edge router is either dropped or forwarded somewhere else. Conceptually it looks like this:

    internet
        |
  ------------
  [ services ]

An Ingress is a collection of rules that allow inbound connections to reach cluster Services.

    internet
        |
   [ ingress ]
   --|-----|--
   [ services ]

  An Ingress can be configured to provide externally reachable URLs, load balancing, SSL termination, name-based virtual hosting, and so on. Users request an Ingress by POSTing an Ingress resource to the API server. An Ingress controller is responsible for fulfilling the Ingress, usually with a load balancer; it can also configure the edge router or additional frontends to help handle traffic in a highly available way.

 

1.2 Ingress workflow diagram

[figure: Ingress workflow diagram (client -> Ingress controller -> Service -> Pods)]

 

1.3 Prerequisites

  Before using an Ingress resource, there are a few things to know. Ingress is a beta resource and did not exist before Kubernetes 1.1. You need an Ingress controller to implement the Ingress; creating an Ingress object on its own does nothing.

  GCE/GKE deploys an Ingress controller on the master node. You can deploy any number of custom Ingress controllers in Pods. You must annotate each Ingress correctly, for example when running multiple Ingress controllers or disabling GLBC.

  Make sure you have read the beta limitations of the Ingress controller. In a non-GCE/GKE environment, you need to [...] in a Pod

 

1.4 Fields of an Ingress resource manifest

  •  apiVersion: v1  API version
  •  kind: Ingress  resource type
  •  metadata  metadata
  •  spec  desired state
    •  backend: default backend, which handles requests that match none of the rules
    •  rules: list of host rules used to configure the Ingress
    •  tls: currently Ingress supports only a single TLS port, 443
  •  status  current state

 

2. Deploying an Ingress controller

1) Download the YAML file from GitHub and create the deployment

GitHub ingress-nginx project:

Ingress installation guide:

The image has to be pulled, so this takes a while.

---Download the required YAML file
[root@master ingress-nginx]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml
---Confirm the download succeeded
[root@master ingress-nginx]# ls
mandatory.yaml
---Create the Ingress controller
[root@master ingress-nginx]# kubectl apply -f mandatory.yaml 
namespace/ingress-nginx created
configmap/nginx-configuration created
configmap/tcp-services created
configmap/udp-services created
serviceaccount/nginx-ingress-serviceaccount created
clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole created
role.rbac.authorization.k8s.io/nginx-ingress-role created
rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding created
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding created
deployment.apps/nginx-ingress-controller created

  

2) On bare metal, the NodePort Service also has to be installed

[root@master ingress-nginx]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/baremetal/service-nodeport.yaml
[root@master ingress-nginx]# kubectl apply -f service-nodeport.yaml 
service/ingress-nginx created

  

3) Verify

---Check the Pods that were created
[root@master ~]# kubectl get pods -n ingress-nginx
NAME                                        READY     STATUS    RESTARTS   AGE
nginx-ingress-controller-648c7bb65b-df9qz   1/1       Running   0          34m
---Check the Service that was created
[root@master ingress-nginx]# kubectl get svc -n ingress-nginx
NAME            TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx   NodePort   10.109.244.123   <none>        80:30080/TCP,443:30443/TCP   21s
---Check the details of the Service
[root@master ~]# kubectl describe svc ingress-nginx -n ingress-nginx
Name:                     ingress-nginx
Namespace:                ingress-nginx
Labels:                   app.kubernetes.io/name=ingress-nginx
                          app.kubernetes.io/part-of=ingress-nginx
Annotations:              kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app.kubernetes.io/name":"ingress-nginx","app.kubernetes.io/part-of":"ingres...
Selector:                 app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx
Type:                     NodePort
IP:                       10.111.143.90
Port:                     http  80/TCP
TargetPort:               80/TCP
NodePort:                 http  30080/TCP
Endpoints:                10.244.1.104:80
Port:                     https  443/TCP
TargetPort:               443/TCP
NodePort:                 https  30443/TCP
Endpoints:                10.244.1.104:443
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   <none>

  

3. Creating an Ingress that proxies to a backend nginx Service

3.1 Prepare the backend Pods and Service

1) Write the YAML file and apply it

Create 3 Pods running the nginx service and one Service bound to them.

[root@master ingress]# vim deploy-damo.yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: default
spec:
  selector:
    app: myapp
    release: canary
  ports:
  - name: http
    targetPort: 80
    port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deploy
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v2
        ports:
        - name: http
          containerPort: 80
[root@master ingress]# kubectl apply -f deploy-damo.yaml 
service/myapp created
deployment.apps/myapp-deploy created

  

2) Verify

[root@master ~]# kubectl get svc
NAME         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.96.0.1        <none>        443/TCP   146d
myapp        ClusterIP   10.103.137.126   <none>        80/TCP    6s
[root@master ~]# kubectl get pods
NAME                            READY     STATUS    RESTARTS   AGE
myapp-deploy-67f6f6b4dc-2vzjn   1/1       Running   0          14s
myapp-deploy-67f6f6b4dc-c7f76   1/1       Running   0          14s
myapp-deploy-67f6f6b4dc-x79hc   1/1       Running   0          14s
[root@master ~]# kubectl describe svc myapp
Name:              myapp
Namespace:         default
Labels:            <none>
Annotations:       kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"name":"myapp","namespace":"default"},"spec":{"ports":[{"name":"http","port":80,"targe...
Selector:          app=myapp,release=canary
Type:              ClusterIP
IP:                10.103.137.126
Port:              http  80/TCP
TargetPort:        80/TCP
Endpoints:         10.244.1.102:80,10.244.1.103:80,10.244.2.109:80
Session Affinity:  None
Events:            <none>

  

3.2 Create the Ingress and bind it to the backend nginx Service

1) Write the YAML file and apply it

[root@master ingress]# vim ingress-myapp.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  namespace: default
spec:
  rules:
  - host: myapp.along.com
    http:
      paths:
      - path:
        backend:
          serviceName: myapp
          servicePort: 80
[root@master ingress]# kubectl apply -f ingress-myapp.yaml
ingress.extensions/ingress-myapp created

  

2) Verify

[root@master ~]# kubectl get ingress
NAME            HOSTS             ADDRESS   PORTS     AGE
ingress-myapp   myapp.along.com             80        140d
[root@master ~]# kubectl describe ingress ingress-myapp
Name:             ingress-myapp
Namespace:        default
Address:          
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host             Path  Backends
  ----             ----  --------
  myapp.along.com  
                      myapp:80 (<none>)
Annotations:
  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{},"name":"ingress-myapp","namespace":"default"},"spec":{"rules":[{"host":"myapp.along.com","http":{"paths":[{"backend":{"serviceName":"myapp","servicePort":80},"path":null}]}}]}}

Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  37s   nginx-ingress-controller  Ingress default/ingress-myapp

  

3) Verify the service from outside the cluster

Since this is not a public domain name, first add an entry to the hosts file of the client machine:

192.168.130.103 myapp.along.com

The application is reached successfully.

[screenshot: myapp.along.com served through the Ingress]

 

4. Creating an Ingress that proxies to a backend Tomcat Service

4.1 Prepare the backend Pods and Service

1) Write the YAML file and apply it

Create 3 Pods running the Tomcat service and one Service bound to them.

[root@master ingress]# vim tomcat-deploy.yaml 
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: default
spec:
  selector:
    app: tomcat
    release: canary
  ports:
  - name: http
    targetPort: 8080
    port: 8080
  - name: ajp
    targetPort: 8009
    port: 8009
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: tomcat
      release: canary
  template:
    metadata:
      labels:
        app: tomcat
        release: canary
    spec:
      containers:
      - name: tomcat
        image: tomcat:8.5.37-jre8-alpine
        ports:
        - name: http
          containerPort: 8080
        - name: ajp
          containerPort: 8009
[root@master ingress]# kubectl apply -f tomcat-deploy.yaml 
service/tomcat created
deployment.apps/tomcat-deploy created

  

2) Verify

[root@master ~]# kubectl get pods
NAME                            READY     STATUS    RESTARTS   AGE
tomcat-deploy-97d6458c5-hrmrw   1/1       Running   0          1m
tomcat-deploy-97d6458c5-ngxxx   1/1       Running   0          1m
tomcat-deploy-97d6458c5-xchgn   1/1       Running   0          1m
[root@master ~]# kubectl get svc
NAME         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)             AGE
kubernetes   ClusterIP   10.96.0.1        <none>        443/TCP             146d
tomcat       ClusterIP   10.98.193.252    <none>        8080/TCP,8009/TCP   1m

  

4.2 Create the Ingress and bind it to the backend Tomcat Service

1) Write the YAML file and apply it

[root@master ingress]# vim ingress-tomcat.yaml 
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat
  namespace: default
spec:
  rules:
  - host: tomcat.along.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080
[root@master ingress]# kubectl apply -f ingress-tomcat.yaml 
ingress.extensions/ingress-tomcat created

 

2) Verify

[root@master ~]# kubectl get ingress
NAME             HOSTS              ADDRESS   PORTS     AGE
ingress-myapp    myapp.along.com              80        17m
ingress-tomcat   tomcat.along.com             80        6s
[root@master ~]# kubectl describe ingress ingress-tomcat
Name:             ingress-tomcat
Namespace:        default
Address:          
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host              Path  Backends
  ----              ----  --------
  tomcat.along.com  
                       tomcat:8080 (<none>)
Annotations:
  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{},"name":"ingress-tomcat","namespace":"default"},"spec":{"rules":[{"host":"tomcat.along.com","http":{"paths":[{"backend":{"serviceName":"tomcat","servicePort":8080},"path":null}]}}]}}

Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  17s   nginx-ingress-controller  Ingress default/ingress-tomcat

  

3) Verify the service from outside the cluster

Since this is not a public domain name, first add an entry to the hosts file of the client machine:

192.168.130.103 tomcat.along.com

The application is reached successfully.

[screenshot: tomcat.along.com served through the Ingress]

 

4.3 Accessing the service over HTTPS

4.3.1 Create the certificate, private key and Secret

1) Create the private key

[root@master ingress]# openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
.............................................+++
...............+++
e is 65537 (0x10001)
[root@master ingress]# ls *key
tls.key

  

2) Create a self-signed certificate (the subject attribute names must be upper case, and the CN must match the Ingress host)

[root@master ingress]# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=tomcat.along.com
[root@master ingress]# ls tls.*
tls.crt  tls.key

  

3) Create the Secret

[root@master ingress]# kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key
secret/tomcat-ingress-secret created
[root@master ingress]# kubectl get secret
NAME                              TYPE                                  DATA      AGE
tomcat-ingress-secret             kubernetes.io/tls                     2         8s
[root@master ingress]# kubectl describe secret tomcat-ingress-secret
Name:         tomcat-ingress-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
tls.key:  1675 bytes
tls.crt:  1294 bytes

  

4.3.2 Recreate the Ingress, binding the backend Tomcat Service over HTTPS

1) Write the YAML file and apply it

[root@master ingress]# vim ingress-tomcat-tls.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat-tls
  namespace: default
spec:
  tls:
  - hosts:
    - tomcat.along.com
    secretName: tomcat-ingress-secret
  rules:
  - host: tomcat.along.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080

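Added example, not code from the original post or from the ingress-nginx project: a small consistency check over the Ingress objects from sections 3.2, 4.2 and 4.3.2, the two Services and the TLS Secret, held as already-parsed dicts constructed to match the page's YAML. It reports a backend Service or port that does not exist, a secretName that was never created, a tls host no rule routes, and any host still served over plain HTTP, which is exactly what separates ingress-tomcat from ingress-tomcat-tls.

```python
# Added example, not code from the original post or from ingress-nginx: a
# consistency check over the Ingress, Service and Secret objects this article
# creates, held as already-parsed dicts constructed to match the page's YAML.

MYAPP_SVC = {"metadata": {"name": "myapp"},
             "spec": {"ports": [{"name": "http", "port": 80}]}}
TOMCAT_SVC = {"metadata": {"name": "tomcat"},
              "spec": {"ports": [{"name": "http", "port": 8080},
                                 {"name": "ajp", "port": 8009}]}}
SERVICES = [MYAPP_SVC, TOMCAT_SVC]
SECRETS = {"tomcat-ingress-secret"}          # what `kubectl get secret` showed

def ingress(name, host, svc, port, secret=None):
    """Parsed form of the page's single-host Ingress manifests (constructed)."""
    spec = {"rules": [{"host": host, "http": {"paths": [
        {"path": None, "backend": {"serviceName": svc, "servicePort": port}}]}}]}
    if secret:
        spec["tls"] = [{"hosts": [host], "secretName": secret}]
    return {"apiVersion": "extensions/v1beta1", "kind": "Ingress",
            "metadata": {"name": name, "namespace": "default"}, "spec": spec}

def check_ingress(ing, services=SERVICES, secrets=SECRETS):
    """Return the problems found in one Ingress; an empty list means it is clean."""
    problems = []
    svc_ports = {s["metadata"]["name"]: {p["port"] for p in s["spec"]["ports"]}
                 for s in services}
    tls_hosts = set()
    for t in ing["spec"].get("tls", []):
        if t.get("secretName") not in secrets:
            problems.append(f"tls secret {t.get('secretName')!r} does not exist")
        tls_hosts.update(t.get("hosts", []))
    rule_hosts = set()
    for rule in ing["spec"].get("rules", []):
        host = rule.get("host")
        rule_hosts.add(host)
        if host not in tls_hosts:            # no tls entry covers this host
            problems.append(f"{host} is exposed over plain HTTP only")
        for p in rule.get("http", {}).get("paths", []):
            name, port = p["backend"]["serviceName"], p["backend"]["servicePort"]
            if name not in svc_ports:
                problems.append(f"backend service {name!r} does not exist")
            elif port not in svc_ports[name]:
                problems.append(f"service {name} has no port {port}")
    for h in tls_hosts - rule_hosts:         # tls host that no rule routes
        problems.append(f"tls host {h} has no matching rule")
    return problems
```

Running check_ingress over the three Ingress objects flags ingress-myapp and ingress-tomcat as plain HTTP only and returns an empty list for ingress-tomcat-tls.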
  

2) Verify

[root@master ~]# kubectl get ingress
NAME                 HOSTS              ADDRESS   PORTS     AGE
ingress-myapp        myapp.along.com              80        34m
ingress-tomcat       tomcat.along.com             80        16m
ingress-tomcat-tls   tomcat.along.com             80, 443   8s
[root@master ~]# kubectl describe ingress ingress-tomcat-tls
Name:             ingress-tomcat-tls
Namespace:        default
Address:          
Default backend:  default-http-backend:80 (<none>)
TLS:
  tomcat-ingress-secret terminates tomcat.along.com
Rules:
  Host              Path  Backends
  ----              ----  --------
  tomcat.along.com  
                       tomcat:8080 (<none>)
Annotations:
  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{},"name":"ingress-tomcat-tls","namespace":"default"},"spec":{"rules":[{"host":"tomcat.along.com","http":{"paths":[{"backend":{"serviceName":"tomcat","servicePort":8080},"path":null}]}}],"tls":[{"hosts":["tomcat.along.com"],"secretName":"tomcat-ingress-secret"}]}}

Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  14s   nginx-ingress-controller  Ingress default/ingress-tomcat-tls

  

3) Verify the service from outside the cluster

The application is reached successfully over HTTPS.

[screenshot: https://tomcat.along.com served through the Ingress with the self-signed certificate]