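Introduction to Ingress

In a Kubernetes cluster, a Service is an abstraction that defines a way to access Pods; however those Pods change, the Service stays the same. A Service can be mapped to a static IP address (ClusterIP), a NodePort (a specific port on every node of the cluster), a LoadBalancer (a cloud provider's load balancer), or an external IP.

The two ways of exposing a Service externally, NodePort and LoadBalancer, do have limitations:

NodePort: when a Service is configured as type NodePort, it is exposed on a static port on all nodes of the cluster. The drawback is that a cluster with a large number of Services occupies a large number of ports, and port resources are limited.

LoadBalancer: this approach exposes the Service through a cloud provider's load balancer. It solves the limited-port problem of NodePort, but every Service needs its own load balancer, which raises cost and is relatively complex to manage.

To solve these problems, Kubernetes introduced the Ingress resource object:

Ingress is an API object that manages HTTP and HTTPS routing of external access to Services inside the cluster. It provides rules that let you route external HTTP/HTTPS traffic to multiple Services in the cluster.
Ingress can provide a single IP address and route to different Services by different URL paths or different ports.
It needs only one NodePort or one LoadBalancer to expose multiple Services to the external network, which saves resources and simplifies configuration.
Ingress also supports SSL/TLS termination and can configure SSL certificates for different Services.
It allows more complex routing rules, such as routing based on path, host name, or HTTP header.

In effect, Ingress is equivalent to a layer-7 load balancer; it is Kubernetes' abstraction of a reverse proxy. It works much like Nginx: you define a set of mapping rules in Ingress objects, and the Ingress Controller watches those rules, converts them into Nginx reverse-proxy configuration, and then serves external traffic. There are two core concepts here:

ingress: a Kubernetes object that defines the rules for how requests are forwarded to a Service.
ingress controller: the program that actually implements reverse proxying and load balancing. It parses the rules defined in Ingress objects and forwards requests according to them. There are many implementations, such as Nginx, Contour, HAProxy, and so on.

How Ingress works (using Nginx as the example)

Define routing rules: the user creates Ingress rules through the Kubernetes API, specifying the mapping between domain names and Services in the cluster.
Detect rule changes: the Ingress controller (for example the Nginx-based one) watches the Kubernetes API in real time to discover updates to Ingress rules.
Generate configuration: once a change is detected, the Ingress controller automatically generates the corresponding Nginx configuration to implement the defined routing rules.
Update the Nginx configuration: the newly generated configuration is applied to the running Nginx instance, so routing rules are updated dynamically without restarting the service.
Forward traffic: Nginx, acting as a reverse proxy, forwards external requests to the correct Service in the cluster according to the updated configuration.
SSL/TLS termination (optional): if SSL/TLS is configured, Nginx can also terminate the encrypted connection before forwarding, improving security and efficiency.

Installing and deploying Ingress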
[root@k8s-master ~]# vi deploy.yaml
[root@k8s-master ~]# kubectl label node k8s-node1 node-role=ingress
node/k8s-node1 labeled
[root@k8s-master ~]# kubectl label node k8s-node2 node-role=ingress
node/k8s-node2 labeled
[root@k8s-master ~]# kubectl apply -f deploy.yaml
namespace/ingress-nginx created
serviceaccount/ingress-nginx created
serviceaccount/ingress-nginx-admission created
role.rbac.authorization.k8s.io/ingress-nginx created
role.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrole.rbac.authorization.k8s.io/ingress-nginx created
clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission created
rolebinding.rbac.authorization.k8s.io/ingress-nginx created
rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
configmap/ingress-nginx-controller created
service/ingress-nginx-controller created
service/ingress-nginx-controller-admission created
daemonset.apps/ingress-nginx-controller created
job.batch/ingress-nginx-admission-create created
job.batch/ingress-nginx-admission-patch created
ingressclass.networking.k8s.io/nginx created
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission created
[root@k8s-master ~]# kubectl get pod
No resources found in default namespace.
[root@k8s-master ~]# kubectl get pod -n ingress-nginx
NAME READY STATUS RESTARTS AGE
ingress-nginx-admission-create-sgcg6 0/1 ContainerCreating 0 21s
ingress-nginx-admission-patch-2kdw2 0/1 CrashLoopBackOff 1 21s
ingress-nginx-controller-55776 0/1 ContainerCreating 0 21s
ingress-nginx-controller-vm965 0/1 ContainerCreating 0 21s
[root@k8s-master ~]# kubectl get pod -n ingress-nginx -w
NAME READY STATUS RESTARTS AGE
ingress-nginx-admission-create-sgcg6 0/1 ContainerCreating 0 24s
ingress-nginx-admission-patch-2kdw2 0/1 CrashLoopBackOff 1 24s
ingress-nginx-controller-55776 0/1 ContainerCreating 0 24s
ingress-nginx-controller-vm965 0/1 ContainerCreating 0 24s
ingress-nginx-admission-create-sgcg6 0/1 Completed 0 25s
ingress-nginx-admission-create-sgcg6 0/1 Completed 0 25s
ingress-nginx-admission-patch-2kdw2 1/1 Running 2 28s
ingress-nginx-admission-patch-2kdw2 0/1 Completed 2 29s
ingress-nginx-admission-patch-2kdw2 0/1 Completed 2 29s
ingress-nginx-controller-55776 0/1 Running 0 87s
ingress-nginx-controller-vm965 0/1 Running 0 90s
^C
[root@k8s-master ~]# kubectl get pod -n ingress-nginx
NAME READY STATUS RESTARTS AGE
ingress-nginx-admission-create-sgcg6 0/1 Completed 0 95s
ingress-nginx-admission-patch-2kdw2 0/1 Completed 2 95s
ingress-nginx-controller-55776 0/1 Running 0 95s
ingress-nginx-controller-vm965 0/1 Running 0 95s
[root@k8s-master ~]# kubectl get pod -n ingress-nginx -w
NAME READY STATUS RESTARTS AGE
ingress-nginx-admission-create-sgcg6 0/1 Completed 0 105s
ingress-nginx-admission-patch-2kdw2 0/1 Completed 2 105s
ingress-nginx-controller-55776 1/1 Running 0 105s
ingress-nginx-controller-vm965 1/1 Running 0 105s

HTTP proxying with Ingress

Prepare the Service and Pods. To make the later experiments easier, create the model shown in the figure below:

[root@k8s-master ~]# vim tomcat-nginx.yaml
[root@k8s-master ~]# kubectl create ns test
namespace/test created
[root@k8s-master ~]# kubectl apply -f tomcat-nginx.yaml
deployment.apps/tomcat-deployment created
service/tomcat-service created
[root@k8s-master ~]# kubectl get pod -n test -w
NAME READY STATUS RESTARTS AGE
tomcat-deployment-7db86c59b7-7zbnc 0/1 ContainerCreating 0 50s
tomcat-deployment-7db86c59b7-r5xsn 0/1 ContainerCreating 0 50s
tomcat-deployment-7db86c59b7-sphwk 0/1 ImagePullBackOff 0 50s
tomcat-deployment-7db86c59b7-sphwk 0/1 ErrImagePull 0 70s
tomcat-deployment-7db86c59b7-sphwk 0/1 ImagePullBackOff 0 82s
tomcat-deployment-7db86c59b7-r5xsn 1/1 Running 0 4m29s
tomcat-deployment-7db86c59b7-7zbnc 1/1 Running 0 4m29s
tomcat-deployment-7db86c59b7-sphwk 1/1 Running 0 5m7s
^C
[root@k8s-master ~]# kubectl get deploy,pod -n test
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/tomcat-deployment 3/3 3 3 6m52s

NAME READY STATUS RESTARTS AGE
pod/tomcat-deployment-7db86c59b7-7zbnc 1/1 Running 0 6m52s
pod/tomcat-deployment-7db86c59b7-r5xsn 1/1 Running 0 6m52s
pod/tomcat-deployment-7db86c59b7-sphwk 1/1 Running 0 6m52s

Ingress configuration

[root@k8s-master ~]# cat ingress-dep_lb.yaml
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress
  namespace: test
spec:
  ingressClassName: nginx
  rules:
  - host: www.test.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: svc-lb
            port:
              number: 80
  - host: tomcat.ctl.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: tomcat-service
            port:
              number: 80
[root@k8s-master ~]# kubectl apply -f ingress-dep_lb.yaml
ingress.networking.k8s.io/nginx-ingress created
[root@k8s-master ~]# kubectl get service,ingress -n test
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/tomcat-service LoadBalancer 10.96.166.18 <pending> 80:32593/TCP 10m

NAME CLASS HOSTS ADDRESS PORTS AGE
ingress.networking.k8s.io/nginx-ingress nginx www.test.com,tomcat.ctl.com 80 5s
[root@k8s-master ~]# kubectl get service,ingress -n test
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/tomcat-service LoadBalancer 10.96.166.18 <pending> 80:32593/TCP 10m

NAME CLASS HOSTS ADDRESS PORTS AGE
ingress.networking.k8s.io/nginx-ingress nginx www.test.com,tomcat.ctl.com 192.168.58.232,192.168.58.233 80 42s
[root@k8s-master ~]# kubectl get deploy,pod -n test
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/tomcat-deployment 3/3 3 3 14m

NAME READY STATUS RESTARTS AGE
pod/tomcat-deployment-7db86c59b7-7zbnc 1/1 Running 0 14m
pod/tomcat-deployment-7db86c59b7-r5xsn 1/1 Running 0 14m
pod/tomcat-deployment-7db86c59b7-sphwk 1/1 Running 0 14m
[root@k8s-master ~]# kubectl get deploy,pod -n test -o wide
NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
deployment.apps/tomcat-deployment 3/3 3 3 14m tomcat tomcat:8.5-jre10-slim app=tomcat-pod

NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/tomcat-deployment-7db86c59b7-7zbnc 1/1 Running 0 14m 10.244.36.73 k8s-node1 <none> <none>
pod/tomcat-deployment-7db86c59b7-r5xsn 1/1 Running 0 14m 10.244.36.72 k8s-node1 <none> <none>
pod/tomcat-deployment-7db86c59b7-sphwk 1/1 Running 0 14m 10.244.169.131 k8s-node2 <none> <none>
[root@k8s-master ~]# kubectl get service,ingress -n test
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/tomcat-service LoadBalancer 10.96.166.18 <pending> 80:32593/TCP 14m

NAME CLASS HOSTS ADDRESS PORTS AGE
ingress.networking.k8s.io/nginx-ingress nginx www.test.com,tomcat.ctl.com 192.168.58.232,192.168.58.233 80 4m34s
[root@k8s-master ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.58.231 k8s-master
192.168.58.232 k8s-node1
192.168.58.233 k8s-node2
192.168.58.232 www.test.com
192.168.58.233 tomcat.ctl.com

HTTPS proxying with Ingress

Create the certificate and key

[root@k8s-master ~]# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/C=CN/ST=BJ/L=BJ/O=nginx/CN=itopenlab.com"
Generating a 2048 bit RSA private key
.................................................................
.....
writing new private key to tls.key
-----
[root@k8s-master ~]# kubectl create secret tls tls-secret --key tls.key --cert tls.crt
secret/tls-secret created

Create ingress-https.yaml

[root@k8s-master ~]# vim ingress-https.yaml
[root@k8s-master ~]# kubectl apply -f ingress-https.yaml
ingress.networking.k8s.io/ingress-https created
[root@k8s-master ~]# kubectl get ing ingress-https -n test
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-https <none> nginx.ctl.com,tomcat.ctl.com 80, 443 8s
[root@k8s-master ~]# kubectl describe ing ingress-https -n test
Name: ingress-https
Namespace: test
Address:
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
  tls-secret terminates nginx.ctl.com,tomcat.ctl.com
Rules:
  Host Path Backends
  ---- ---- --------
  nginx.ctl.com / nginx-service:80 (<error: endpoints "nginx-service" not found>)
  tomcat.ctl.com / tomcat-service:8080 (10.244.169.131:8080,10.244.36.72:8080,10.244.36.73:8080)
Annotations: <none>
Events: <none>
[root@k8s-master ~]# cat ingress-https.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-https
  namespace: test
spec:
  tls:
  - hosts:
    - nginx.ctl.com
    - tomcat.ctl.com
    secretName: tls-secret # the TLS Secret to use
  rules:
  - host: nginx.ctl.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-service
            port:
              number: 80
  - host: tomcat.ctl.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: tomcat-service
            port:
              number: 8080
[root@k8s-master ~]# kubectl get ing ingress-https -n test -o wide
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-https <none> nginx.ctl.com,tomcat.ctl.com 80, 443 105s
[root@k8s-master ~]# kubectl get service,ingress -n test
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/tomcat-service LoadBalancer 10.96.166.18 <pending> 80:32593/TCP 36m

NAME CLASS HOSTS ADDRESS PORTS AGE
ingress.networking.k8s.io/ingress-https <none> nginx.ctl.com,tomcat.ctl.com 80, 443 2m1s
ingress.networking.k8s.io/nginx-ingress nginx www.test.com,tomcat.ctl.com 192.168.58.232,192.168.58.233 80 26m
[root@k8s-master ~]# curl https://nginx.ctl.com
^C
[root@k8s-master ~]# kubectl get service,ingress -n test
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/tomcat-service LoadBalancer 10.96.166.18 <pending> 80:32593/TCP 37m

NAME CLASS HOSTS ADDRESS PORTS AGE
ingress.networking.k8s.io/ingress-https <none> nginx.ctl.com,tomcat.ctl.com 80, 443 3m37s
ingress.networking.k8s.io/nginx-ingress nginx www.test.com,tomcat.ctl.com 192.168.58.232,192.168.58.233 80 27m
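
A pre-apply lint for the points the HTTPS session above runs into, as an added example that is not part of the original post: ingress-https has no ingressClassName (CLASS <none>, empty ADDRESS), tls-secret was created without -n test, and nginx-service has no endpoints. The manifest and inventory below are constructed samples in `kubectl get -o json` shape, and lint_ingress and covered are hypothetical helper names.

```python
import json

# Constructed sample: the page's ingress-https object in `kubectl get -o json` shape.
INGRESS_HTTPS = json.loads("""
{"metadata": {"name": "ingress-https", "namespace": "test"},
 "spec": {
  "tls": [{"hosts": ["nginx.ctl.com", "tomcat.ctl.com"], "secretName": "tls-secret"}],
  "rules": [
   {"host": "nginx.ctl.com", "http": {"paths": [{"path": "/", "pathType": "Prefix",
     "backend": {"service": {"name": "nginx-service", "port": {"number": 80}}}}]}},
   {"host": "tomcat.ctl.com", "http": {"paths": [{"path": "/", "pathType": "Prefix",
     "backend": {"service": {"name": "tomcat-service", "port": {"number": 8080}}}}]}}]}}
""")
# Constructed inventory of (namespace, name) pairs, matching the session above:
# the Secret was created without -n, so it landed in "default".
SECRETS = {("default", "tls-secret")}
SERVICES = {("test", "tomcat-service")}


def covered(host, tls_hosts):
    """Exact match, or a single-label wildcard entry such as *.ctl.com."""
    return host in tls_hosts or "*." + host.split(".", 1)[-1] in tls_hosts


def lint_ingress(ing, secrets, services):
    """Return findings for one Ingress; an empty list means no issue found."""
    ns = ing["metadata"].get("namespace", "default")
    spec, findings, tls_hosts = ing.get("spec", {}), [], set()
    # A class-less Ingress is served only if a default IngressClass
    # (or the controller's own opt-in) covers it.
    if not spec.get("ingressClassName"):
        findings.append("no-ingress-class")
    for tls in spec.get("tls", []):
        tls_hosts.update(tls.get("hosts", []))
        name = tls.get("secretName")
        # A TLS Secret is resolved only in the Ingress's own namespace.
        if name and (ns, name) not in secrets:
            findings.append(f"tls-secret-missing:{ns}/{name}")
    for rule in spec.get("rules", []):
        host = rule.get("host", "")
        if not covered(host, tls_hosts):
            findings.append(f"host-without-tls:{host}")
        for path in rule.get("http", {}).get("paths", []):
            svc = path.get("backend", {}).get("service", {}).get("name")
            if svc and (ns, svc) not in services:
                findings.append(f"backend-missing:{ns}/{svc}")
    return findings


if __name__ == "__main__":
    for finding in lint_ingress(INGRESS_HTTPS, SECRETS, SERVICES):
        print(finding)
```

The certificate generated above is issued for CN=itopenlab.com, which matches neither nginx.ctl.com nor tomcat.ctl.com, so a client that trusts it will still fail hostname verification once the Ingress itself is serving.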