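(8) Kubernetes Ingress Resources

Preface

Kubernetes provides two built-in cloud load balancing mechanisms for publishing public applications. One is the Service resource, which works at the transport layer and implements a "TCP load balancer"; the other is the Ingress resource, which implements an "HTTP(S) load balancer".

  • TCP load balancer

    Whether it uses the iptables or the ipvs model, a Service resource is configured on top of Netfilter in the Linux kernel and schedules at layer 4. It is a more general-purpose scheduler that can schedule application-layer services such as HTTP and MySQL. However, precisely because it works at the transport layer, it cannot perform operations such as offloading the SSL session of HTTPS, and it does not support URL-based request scheduling. Kubernetes also does not support configuring any kind of health check for this type of load balancer.

  • HTTP(S) load balancer

    An HTTP(S) load balancer is an application-layer load balancing mechanism that can make better scheduling decisions based on context. Compared with a transport-layer scheduler, it provides features such as customizable URL mapping and TLS offloading, and supports several kinds of health checks for backend servers.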

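Ingress Overview

What is Ingress?

Normally, services and pods are reachable only by IP address inside the cluster's internal network. All traffic that arrives at the edge router is either dropped or forwarded elsewhere. Conceptually, it might look like this:

    internet
        |
  ------------
  [ Services ]

An Ingress is a collection of rules that allow inbound connections to reach cluster services.

    internet
        |
   [ Ingress ]
   --|-----|--
   [ Services ]

You can configure an Ingress to provide externally reachable URLs, load balancing, SSL, name-based virtual hosting and so on. Users request an Ingress by POSTing an Ingress resource to the API server. The Ingress controller is responsible for fulfilling the Ingress, usually with a load balancer; it can also configure the edge router and other front ends, which helps handle traffic in an HA manner.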

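Ingress and Ingress Controller

Ingress is one of the standard resource types of the Kubernetes API. It is simply a set of rules that forward requests to a specified Service resource based on DNS name (host) or URL path, and it is used to forward request traffic from outside the cluster to the inside in order to publish services. However, the Ingress resource itself cannot perform "traffic penetration"; it is only a collection of routing rules. For these rules to take effect, another component has to assist, for example by listening on a socket and then routing request traffic according to how the rules match. The component that listens on sockets and forwards traffic on behalf of Ingress resources is called the Ingress controller.

The Ingress controller does not run as part of kube-controller-manager. It is an important component of a Kubernetes cluster that, like CoreDNS, has to be deployed on the cluster separately.

Ingress Workflow

As shown in the figure below, after traffic reaches the external load balancer (external LB), it is first forwarded to the Service resource ingress-nginx, and the Ingress controller then forwards the client request directly to the backend Pod resources behind the matching Service, based on the rules defined in the Ingress resource. This forwarding mechanism bypasses the Service resources (app Service, api Service) and so avoids the port-proxying overhead of kube-proxy. An Ingress rule needs a Service resource object to help identify all the relevant Pod resources. In the figure, the Ingress uses the app Service resource to match the backend pod1 and pod2; the app Service only serves to identify them.

Prerequisites

Before using the Ingress resource, there are a few things you must understand. Ingress is a beta resource and did not exist before Kubernetes 1.1. You need an Ingress controller to fulfil an Ingress; simply creating an Ingress has no effect.

GCE/GKE deploys an Ingress controller on the master node. You can deploy any number of custom Ingress controllers in a Pod. You must annotate each Ingress correctly, for example when running multiple Ingress controllers or when turning off glbc.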

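Fields in an Ingress Manifest

An Ingress resource is a set of forwarding rules based on HTTP virtual hosts or URLs, defined through fields such as rules, backend and tls nested in the spec field. The example below contains one forwarding rule, which proxies requests sent to www.ilinux.io to the Service resource named myapp-svc.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-demo
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: www.ilinux.io
    http:
      paths:
      - backend:
          serviceName: myapp-svc
          servicePort: 80

# Note: the annotations in the manifest above identify the class of Ingress controller the resource belongs to. This matters most when several Ingress controllers are deployed on the cluster.

The fields of the Ingress spec (# kubectl explain ingress.spec) are the core of an Ingress resource definition. Three nested fields matter most:

  • rules <[]Object>: the list of forwarding rules of this Ingress resource. If no rules are defined, or if no rule matches, all traffic is forwarded to the default backend defined by backend.

  • backend <Object>: the default backend, which serves requests that match no rule. An Ingress resource should define at least one of backend and rules. This field lets the load balancer specify a global default backend.

  • tls <[]Object>: the TLS configuration. Currently only the default port 443 is supported. If the list members to be configured point to different hosts, this must be supported through the SNI TLS extension.

The ingress.spec.rules.http.paths.backend object is defined by two required nested fields, serviceName and servicePort, which specify the name and the port of the backend Service resource that traffic is forwarded to.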

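Deploying the Ingress Controller (Nginx)

Description

The Ingress controller itself is a containerized application running in a Pod, typically a daemon with proxying and load-balancing capability such as Nginx or Envoy. It watches the state of Ingress objects from the API server, generates a configuration file in the application's own format from the rules, and makes the new configuration take effect by reloading or restarting the daemon.

The Ingress controller is in effect a Pod resource hosted on Kubernetes that publishes services at the application layer. It tracks Ingress resources and generates configuration rules in real time.

An Ingress controller process running as a Pod resource receives external request traffic in one of the following two ways:

1. Manage the Ingress controller Pods with a Deployment controller and bring in request traffic from outside the cluster through a Service object of type NodePort or LoadBalancer. This means that when you define an Ingress controller, you must define a dedicated Service resource in front of it.

2. Use a DaemonSet controller to run the Ingress controller Pods as single instances on all or some of the cluster's worker nodes, and configure these Pod objects to receive external traffic on the node through HostPort (a in the figure below) or HostNetwork (b in the figure below).

Deployment

Ingress-nginx official website

Ingress-nginx GitHub repository

Ingress installation documentation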

1) Download the manifest YAML file from GitHub and create the deployment

[root@k8s-master ~]# mkdir ingress-nginx    # create a directory dedicated to ingress-nginx (optional)
[root@k8s-master ~]# cd ingress-nginx/
[root@k8s-master ingress-nginx]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml    # download the manifest YAML file
[root@k8s-master ingress-nginx]# ls    # list the downloaded file
mandatory.yaml
[root@k8s-master ingress-nginx]# kubectl apply -f mandatory.yaml    # create Ingress
namespace/ingress-nginx created
configmap/nginx-configuration created
configmap/tcp-services created
configmap/udp-services created
serviceaccount/nginx-ingress-serviceaccount created
clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole created
role.rbac.authorization.k8s.io/nginx-ingress-role created
rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding created
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding created
deployment.apps/nginx-ingress-controller created

2) Verify

[root@k8s-master ingress-nginx]# kubectl get pods -n ingress-nginx    # list the generated pods; note that they are in the ingress-nginx namespace
NAME                                        READY   STATUS    RESTARTS   AGE
nginx-ingress-controller-79f6884cf6-5fb6v   1/1     Running   0          18m
[root@k8s-master ingress-nginx]# kubectl describe pod nginx-ingress-controller-79f6884cf6-5fb6v -n ingress-nginx    # show the details of this pod
Name:           nginx-ingress-controller-79f6884cf6-5fb6v
Namespace:      ingress-nginx
Priority:       0
Node:           k8s-node2/192.168.1.33
Start Time:     Fri, 27 Sep 2019 17:53:07 +0800
Labels:         app.kubernetes.io/name=ingress-nginx
                app.kubernetes.io/part-of=ingress-nginx
                pod-template-hash=79f6884cf6
Annotations:    prometheus.io/port: 10254
                prometheus.io/scrape: true
Status:         Running
IP:             10.244.2.73
......

3) For a bare-metal deployment you also need to install a Service (for example on VMware virtual machines, physical servers and so on).

# Again, download the manifest from the official site; you can also write your own.
[root@k8s-master ingress-nginx]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/baremetal/service-nodeport.yaml
[root@k8s-master ingress-nginx]# kubectl apply -f service-nodeport.yaml    # create the Service resource
service/ingress-nginx created
[root@k8s-master ingress-nginx]# kubectl get svc -n ingress-nginx    # list the Service resource
NAME            TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx   NodePort   10.107.40.182   <none>        80:32699/TCP,443:30842/TCP   9s
[root@k8s-master ingress-nginx]# kubectl describe svc/ingress-nginx -n ingress-nginx    # show the details of this Service
Name:                     ingress-nginx
Namespace:                ingress-nginx
Labels:                   app.kubernetes.io/name=ingress-nginx
                          app.kubernetes.io/part-of=ingress-nginx
Annotations:              kubectl.kubernetes.io/last-applied-configuration:
                            {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app.kubernetes.io/name":"ingress-nginx","app.kubernetes.io/par...
Selector:                 app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx
Type:                     NodePort
IP:                       10.107.40.182
Port:                     http  80/TCP
TargetPort:               80/TCP
NodePort:                 http  32699/TCP
Endpoints:                10.244.2.73:80
Port:                     https  443/TCP
TargetPort:               443/TCP
NodePort:                 https  30842/TCP
Endpoints:                10.244.2.73:443
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   <none>

As the Service object created above shows, the randomly assigned NodePort for http is 32668 and the NodePort for https is 30606. These ports can also be set manually, as covered in the earlier Service chapter, but doing so is generally not recommended.

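Example 1: Publishing Nginx with Ingress

All resources created in this example live in a newly created testing namespace, logically isolated from other resources for ease of management.

First create a separate directory for ease of management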

[root@k8s-master ~]# mkdir ingress-nginx/ingress
[root@k8s-master ~]# cd ingress-nginx/ingress/

(1) Create the testing namespace (you can also create it directly with the command # kubectl create namespace my-namespace, but a manifest is used here)

[root@k8s-master ingress]# vim namespace-testing.yaml    # write the namespace manifest
apiVersion: v1
kind: Namespace
metadata:
  name: testing
  labels:
    env: testing
[root@k8s-master ingress]# kubectl apply -f namespace-testing.yaml    # create the namespace
namespace/testing created
[root@k8s-master ingress]# kubectl get namespace testing    # verify
NAME      STATUS   AGE
testing   Active   12s

(2) Deploy the nginx instances. Here a Deployment controller deploys the nginx Pod objects in testing.

[root@k8s-master ingress]# vim deployment-nginx.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-nginx
  namespace: testing
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.12
        ports:
        - name: http
          containerPort: 80
[root@k8s-master ingress]# kubectl apply -f deployment-nginx.yaml
deployment.apps/deploy-nginx created
[root@k8s-master ingress]# kubectl get deploy -n testing
NAME           READY   UP-TO-DATE   AVAILABLE   AGE
deploy-nginx   3/3     3            3           5s
[root@k8s-master ingress]# kubectl get pods -n testing
NAME                            READY   STATUS    RESTARTS   AGE
deploy-nginx-686bddcb56-9g7pq   1/1     Running   0          6s
deploy-nginx-686bddcb56-gqpm2   1/1     Running   0          6s
deploy-nginx-686bddcb56-vtwkq   1/1     Running   0          6s

(3) Create the Service resource and associate it with the backend Pod resources. Here port 80 of the Service resource svc-nginx exposes port 80 of the containers.

[root@k8s-master ingress]# vim service-nginx.yaml
apiVersion: v1
kind: Service
metadata:
  name: svc-nginx
  namespace: testing
  labels:
    app: svc-nginx
spec:
  selector:
    app: nginx
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
[root@k8s-master ingress]# kubectl apply -f service-nginx.yaml
service/svc-nginx created
[root@k8s-master ingress]# kubectl get svc -n testing
NAME        TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
svc-nginx   ClusterIP   10.99.233.90   <none>        80/TCP    6s
[root@k8s-master ingress]# kubectl describe svc/svc-nginx -n testing
Name:              svc-nginx
Namespace:         testing
Labels:            app=svc-nginx
Annotations:       kubectl.kubernetes.io/last-applied-configuration:
                     {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app":"svc-nginx"},"name":"svc-nginx","namespace":"testing"},"s...
Selector:          app=nginx
Type:              ClusterIP
IP:                10.99.233.90
Port:              http  80/TCP
TargetPort:        80/TCP
Endpoints:         10.244.1.76:80,10.244.1.77:80,10.244.2.74:80
Session Affinity:  None
Events:            <none>

(4) Create the Ingress resource, matching the Service resource svc-nginx and exposing port 80 of svc-nginx.

[root@k8s-master ingress]# vim ingress-nginx.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx
  namespace: testing
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: nginx.ilinux.io
    http:
      paths:
      - path:
        backend:
          serviceName: svc-nginx
          servicePort: 80
[root@k8s-master ingress]# kubectl apply -f ingress-nginx.yaml
ingress.extensions/nginx created
[root@k8s-master ingress]# kubectl get ingress -n testing
NAME    HOSTS             ADDRESS   PORTS   AGE
nginx   nginx.ilinux.io             80      16s
[root@k8s-master ingress]# kubectl describe ingress -n testing
Name:             nginx
Namespace:        testing
Address:
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host              Path  Backends
  ----              ----  --------
  tomcat.ilinux.io
                       svc-nginx:80 (10.244.1.76:80,10.244.1.77:80,10.244.2.74:80)
Annotations:
  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx"},"name":"nginx","namespace":"testing"},"spec":{"rules":[{"host":"nginx.ilinux.io","http":{"paths":[{"backend":{"serviceName":"svc-nginx","servicePort":80},"path":null}]}}]}}
  kubernetes.io/ingress.class:  nginx
Events:  <none>

(5) Test: access the service through the NodePort of the Service resource in front of the Ingress controller.

# First look up the mapped ports of the Service resource deployed in front of the Ingress controller
[root@k8s-master ingress-nginx]# kubectl get svc -n ingress-nginx
NAME            TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx   NodePort   10.107.40.182   <none>        80:32699/TCP,443:30842/TCP   3m59s
# Terminal test: add hosts entries
[root@k8s-master ~]# cat /etc/hosts
192.168.1.31    k8s-master nginx.ilinux.io
192.168.1.32    k8s-node1 nginx.ilinux.io
192.168.1.33    k8s-node2 nginx.ilinux.io
# Access test
[root@k8s-master ~]# curl nginx.ilinux.io:32699
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style> ......

Check the logs to verify that the request was scheduled to the backend Pod resources

[root@k8s-master ~]# kubectl get pods -n testing
NAME                            READY   STATUS    RESTARTS   AGE
deploy-nginx-686bddcb56-9g7pq   1/1     Running   0          56m
deploy-nginx-686bddcb56-gqpm2   1/1     Running   0          56m
deploy-nginx-686bddcb56-vtwkq   1/1     Running   0          56m
[root@k8s-master ~]# kubectl logs deploy-nginx-686bddcb56-9g7pq -n testing
10.244.2.75 - - [28/Sep/2019:02:33:45 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0" "10.244.0.0"
10.244.2.75 - - [28/Sep/2019:02:44:02 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36" "10.244.0.0"

(6) Configure a TLS Ingress resource (a self-signed certificate is used here)

1) Generate the key
[root@k8s-master ingress]# openssl genrsa -out tls.key 2048
2) Generate the certificate
[root@k8s-master ingress]# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=ShenZhen/L=ShenZhen/O=DevOps/CN=nginx.ilinux.io -days 3650

3) Create the Secret resource
[root@k8s-master ingress]# kubectl create secret tls nginx-ingress-secret --cert=tls.crt --key=tls.key -n testing
secret/nginx-ingress-secret created
[root@k8s-master ingress]# kubectl get secret -n testing
NAME                   TYPE                                  DATA   AGE
default-token-lfzrt    kubernetes.io/service-account-token   3      116m
nginx-ingress-secret   kubernetes.io/tls                     2      16s
4) Write the Ingress manifest
[root@k8s-master ingress]# vim ingress-nginx-https.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-ingress-tls
  namespace: testing
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - nginx.ilinux.io
    secretName: nginx-ingress-secret
  rules:
  - host: nginx.ilinux.io
    http:
      paths:
      - path: /
        backend:
          serviceName: svc-nginx
          servicePort: 80

5) View the Ingress resource information
[root@k8s-master ingress]# kubectl get ingress -n testing
NAME                HOSTS             ADDRESS   PORTS     AGE
nginx               nginx.ilinux.io             80        66m
nginx-ingress-tls   nginx.ilinux.io             80, 443   15s
[root@k8s-master ingress]# kubectl describe ingress/nginx-ingress-tls -n testing
Name:             nginx-ingress-tls
Namespace:        testing
Address:
Default backend:  default-http-backend:80 (<none>)
TLS:
  nginx-ingress-secret terminates nginx.ilinux.io
Rules:
  Host             Path  Backends
  ----             ----  --------
  nginx.ilinux.io
                   /   svc-nginx:80 (10.244.1.76:80,10.244.1.77:80,10.244.2.74:80)
Annotations:
  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx"},"name":"nginx-ingress-tls","namespace":"testing"},"spec":{"rules":[{"host":"nginx.ilinux.io","http":{"paths":[{"backend":{"serviceName":"svc-nginx","servicePort":80},"path":"/"}]}}],"tls":[{"hosts":["nginx.ilinux.io"],"secretName":"nginx-ingress-secret"}]}}
  kubernetes.io/ingress.class:  nginx
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  64s   nginx-ingress-controller  Ingress testing/nginx-ingress-tls

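(7) Test HTTPS (because the certificate is self-signed, the connection is reported as not secure)

# First look up the mapped ports of the Service resource deployed in front of the Ingress controller
[root@k8s-master ingress-nginx]# kubectl get svc -n ingress-nginx
NAME            TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx   NodePort   10.107.40.182   <none>        80:32699/TCP,443:30842/TCP   3m59s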

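Example 2: Publishing Multiple Services with Ingress

Mapping different services to different hosts

Preparation: create a directory to hold all the resource manifests of this example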

[root@k8s-master ~]# mkdir ingress-nginx/multi_svc
[root@k8s-master ~]# cd !$

Create the namespace

Create a namespace to hold all the objects of this example (for ease of management)

[root@k8s-master multi_svc]# vim namespace-ms.yaml    # write the manifest
apiVersion: v1
kind: Namespace
metadata:
  name: multisvc
  labels:
    env: multisvc
[root@k8s-master multi_svc]# kubectl apply -f namespace-ms.yaml    # create the namespace defined above
namespace/multisvc created
[root@k8s-master multi_svc]# kubectl get namespace multisvc    # view the namespace
NAME       STATUS   AGE
multisvc   Active   9s

Create the backend applications and Services

The backend applications here are one group of nginx instances and one group of tomcat instances

1) Write the manifest; here the Service objects and the Deployment controllers are written in the same file

[root@k8s-master multi_svc]# vim deploy_service-ms.yaml
# Deployment controller for the tomcat application
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: multisvc
spec:
  replicas: 3
  selector:
    matchLabels:
      app: tomcat
  template:
    metadata:
      labels:
        app: tomcat
    spec:
      containers:
      - name: tomcat
        image: tomcat:jdk8
        imagePullPolicy: IfNotPresent
        ports:
        - name: httpport
          containerPort: 8080
        - name: ajpport
          containerPort: 8009
---
# Service resource for the tomcat application
apiVersion: v1
kind: Service
metadata:
  name: tomcat-svc
  namespace: multisvc
  labels:
    app: tomcat-svc
spec:
  selector:
    app: tomcat
  ports:
  - name: httpport
    port: 8080
    targetPort: 8080
    protocol: TCP
  - name: ajpport
    port: 8009
    targetPort: 8009
    protocol: TCP
---
# Deployment controller for the nginx application
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deploy
  namespace: multisvc
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.12
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
          containerPort: 80
---
# Service resource for the nginx application
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
  namespace: multisvc
  labels:
    app: nginx-svc
spec:
  selector:
    app: nginx
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP

2) Create the resource objects defined above and verify

[root@k8s-master multi_svc]# kubectl apply -f deploy_service-ms.yaml
deployment.apps/tomcat-deploy created
service/tomcat-svc created
deployment.apps/nginx-deploy created
service/nginx-svc created
[root@k8s-master multi_svc]# kubectl get pods -n multisvc -o wide    # view the pod resources
NAME                             READY   STATUS    RESTARTS   AGE   IP            NODE        NOMINATED NODE   READINESS GATES
nginx-deploy-86c667ff66-hl6rx    1/1     Running   0          13s   10.244.2.78   k8s-node2   <none>           <none>
nginx-deploy-86c667ff66-hx4j8    1/1     Running   0          13s   10.244.2.77   k8s-node2   <none>           <none>
nginx-deploy-86c667ff66-tl9mm    1/1     Running   0          13s   10.244.1.79   k8s-node1   <none>           <none>
tomcat-deploy-6484688ddc-n25hn   1/1     Running   0          13s   10.244.1.78   k8s-node1   <none>           <none>
tomcat-deploy-6484688ddc-s8dts   1/1     Running   0          13s   10.244.1.80   k8s-node1   <none>           <none>
tomcat-deploy-6484688ddc-snszk   1/1     Running   0          13s   10.244.2.76   k8s-node2   <none>           <none>
[root@k8s-master multi_svc]# kubectl get svc -n multisvc    # view the Service objects
NAME         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)             AGE
nginx-svc    ClusterIP   10.104.213.237   <none>        80/TCP              26s
tomcat-svc   ClusterIP   10.103.75.161    <none>        8080/TCP,8009/TCP   26s
[root@k8s-master multi_svc]# kubectl describe svc/nginx-svc -n multisvc    # show the details of the Service object nginx-svc
Name:              nginx-svc
Namespace:         multisvc
Labels:            app=nginx-svc
Annotations:       kubectl.kubernetes.io/last-applied-configuration:
                     {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app":"nginx-svc"},"name":"nginx-svc","namespace":"multisvc"},"...
Selector:          app=nginx
Type:              ClusterIP
IP:                10.104.213.237
Port:              http  80/TCP
TargetPort:        80/TCP
Endpoints:         10.244.1.79:80,10.244.2.77:80,10.244.2.78:80
Session Affinity:  None
Events:            <none>
[root@k8s-master multi_svc]# kubectl describe svc/tomcat-svc -n multisvc    # show the details of the Service object tomcat-svc
Name:              tomcat-svc
Namespace:         multisvc
Labels:            app=tomcat-svc
Annotations:       kubectl.kubernetes.io/last-applied-configuration:
                     {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app":"tomcat-svc"},"name":"tomcat-svc","namespace":"multisvc"}...
Selector:          app=tomcat
Type:              ClusterIP
IP:                10.103.75.161
Port:              httpport  8080/TCP
TargetPort:        8080/TCP
Endpoints:         10.244.1.78:8080,10.244.1.80:8080,10.244.2.76:8080
Port:              ajpport  8009/TCP
TargetPort:        8009/TCP
Endpoints:         10.244.1.78:8009,10.244.1.80:8009,10.244.2.76:8009
Session Affinity:  None
Events:            <none>

Create the Ingress resource object

1) Write the manifest

[root@k8s-master multi_svc]# vim ingress_host-ms.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: multi-ingress
  namespace: multisvc
spec:
  rules:
  - host: nginx.imyapp.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-svc
          servicePort: 80
  - host: tomcat.imyapp.com
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat-svc
          servicePort: 8080

2) Create the resource object defined above and verify

[root@k8s-master multi_svc]# kubectl apply -f ingress_host-ms.yaml
ingress.extensions/multi-ingress created
[root@k8s-master multi_svc]# kubectl get ingress -n multisvc    # view the Ingress object
NAME            HOSTS                                ADDRESS   PORTS   AGE
multi-ingress   nginx.imyapp.com,tomcat.imyapp.com             80      18s
[root@k8s-master multi_svc]# kubectl describe ingress/multi-ingress -n multisvc    # show the details of the Ingress resource multi-ingress
Name:             multi-ingress
Namespace:        multisvc
Address:
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host               Path  Backends
  ----               ----  --------
  nginx.imyapp.com
                     /   nginx-svc:80 (10.244.1.79:80,10.244.2.77:80,10.244.2.78:80)
  tomcat.imyapp.com
                     /   tomcat-svc:8080 (10.244.1.78:8080,10.244.1.80:8080,10.244.2.76:8080)
Annotations:
  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{},"name":"multi-ingress","namespace":"multisvc"},"spec":{"rules":[{"host":"nginx.imyapp.com","http":{"paths":[{"backend":{"serviceName":"nginx-svc","servicePort":80},"path":"/"}]}},{"host":"tomcat.imyapp.com","http":{"paths":[{"backend":{"serviceName":"tomcat-svc","servicePort":8080},"path":"/"}]}}]}}

Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  39s   nginx-ingress-controller  Ingress multisvc/multi-ingress

Test access

These are custom test domain names, so the hosts file must be configured

192.168.1.31     nginx.imyapp.com tomcat.imyapp.com
192.168.1.32     nginx.imyapp.com tomcat.imyapp.com
192.168.1.33     nginx.imyapp.com tomcat.imyapp.com

Check the ports of the Service object of the deployed Ingress controller

[root@k8s-master multi_svc]# kubectl get svc -n ingress-nginx
NAME            TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx   NodePort   10.107.40.182   <none>        80:32699/TCP,443:30842/TCP   6h39m

Access nginx.imyapp.com:32699

Access tomcat.imyapp.com:32699

Configure Ingress to handle TLS

A self-signed certificate created with OpenSSL is used here

1) Create the certificates

# Create the certificate for the nginx.imyapp.com domain
[root@k8s-master multi_svc]# openssl genrsa -out nginx.imyapp.com.key 2048
[root@k8s-master multi_svc]# openssl req -new -x509 -key nginx.imyapp.com.key -out nginx.imyapp.com.crt -subj /C=CN/ST=ShenZhen/L=ShenZhen/O=DevOps/CN=nginx.imyapp.com -days 3650

# Create the certificate for the tomcat.imyapp.com domain
[root@k8s-master multi_svc]# openssl genrsa -out tomcat.imyapp.com.key 2048
[root@k8s-master multi_svc]# openssl req -new -x509 -key tomcat.imyapp.com.key -out tomcat.imyapp.com.crt -subj /C=CN/ST=ShenZhen/L=ShenZhen/O=DevOps/CN=tomcat.imyapp.com -days 3650

# View the generated certificates
[root@k8s-master multi_svc]# ll *.com.*
-rw-r--r-- 1 root root 1298 9月  28 17:23 nginx.imyapp.com.crt
-rw-r--r-- 1 root root 1675 9月  28 17:22 nginx.imyapp.com.key
-rw-r--r-- 1 root root 1302 9月  28 17:24 tomcat.imyapp.com.crt
-rw-r--r-- 1 root root 1679 9月  28 17:24 tomcat.imyapp.com.key

2) Create the secrets

# Create the secret for the nginx domain
[root@k8s-master multi_svc]# kubectl create secret tls nginx-ingress-secret --cert=nginx.imyapp.com.crt --key=nginx.imyapp.com.key -n multisvc
secret/nginx-ingress-secret created
# Create the secret for the tomcat domain
[root@k8s-master multi_svc]# kubectl create secret tls tomcat-ingress-secret --cert=tomcat.imyapp.com.crt --key=tomcat.imyapp.com.key -n multisvc
secret/tomcat-ingress-secret created
# View the secrets
[root@k8s-master multi_svc]# kubectl get secret -n multisvc
NAME                    TYPE                                  DATA   AGE
default-token-mf5wd     kubernetes.io/service-account-token   3      5h12m
nginx-ingress-secret    kubernetes.io/tls                     2      53s
tomcat-ingress-secret   kubernetes.io/tls                     2      27s

3) Write the Ingress manifest with TLS (made here by copying; the ingress created above is not deleted)

[root@k8s-master multi_svc]# cp ingress_host-ms.yaml ingress_host_https-ms.yaml
[root@k8s-master multi_svc]# vim ingress_host_https-ms.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: multi-ingress-https
  namespace: multisvc
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - nginx.imyapp.com
    secretName: nginx-ingress-secret
  - hosts:
    - tomcat.imyapp.com
    secretName: tomcat-ingress-secret
  rules:
  - host: nginx.imyapp.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-svc
          servicePort: 80
  - host: tomcat.imyapp.com
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat-svc
          servicePort: 8080

4) Create the Ingress resource

[root@k8s-master multi_svc]# kubectl apply -f ingress_host_https-ms.yaml
ingress.extensions/multi-ingress-https created
[root@k8s-master multi_svc]# kubectl get ingress -n multisvc
NAME                  HOSTS                                ADDRESS   PORTS     AGE
multi-ingress         nginx.imyapp.com,tomcat.imyapp.com             80        44m
multi-ingress-https   nginx.imyapp.com,tomcat.imyapp.com             80, 443   3s

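5) Test: access the service through the NodePort of the Service resource in front of the Ingress controller. As seen above, port 443 of the Ingress controller's Service resource maps to port 30842 on the nodes.

Access nginx

Access tomcat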
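
An added Python example (not part of the original article or of ingress-nginx) that audits the two Ingress objects created in this section: it flags a missing kubernetes.io/ingress.class annotation, rule hosts that no tls entry covers, and tls entries whose Secret does not exist in the Ingress's own namespace. The function names and finding codes are made up for illustration; the manifests and Secret names are transcribed from the page.

```python
"""Audit Ingress manifests (extensions/v1beta1 shape) for TLS and class gaps."""

CLASS_ANNOTATION = "kubernetes.io/ingress.class"


def rule(host, service, port):
    """Build one host rule that sends "/" to service:port."""
    return {"host": host, "http": {"paths": [
        {"path": "/", "backend": {"serviceName": service, "servicePort": port}}]}}


RULES = [rule("nginx.imyapp.com", "nginx-svc", 80),
         rule("tomcat.imyapp.com", "tomcat-svc", 8080)]

# The two Ingress objects from this section, transcribed as dicts.
MULTI_INGRESS = {
    "metadata": {"name": "multi-ingress", "namespace": "multisvc"},
    "spec": {"rules": RULES},
}
MULTI_INGRESS_HTTPS = {
    "metadata": {"name": "multi-ingress-https", "namespace": "multisvc",
                 "annotations": {CLASS_ANNOTATION: "nginx"}},
    "spec": {
        "tls": [{"hosts": ["nginx.imyapp.com"], "secretName": "nginx-ingress-secret"},
                {"hosts": ["tomcat.imyapp.com"], "secretName": "tomcat-ingress-secret"}],
        "rules": RULES,
    },
}
# kubernetes.io/tls Secrets created on this page, as (namespace, name).
TLS_SECRETS = {("testing", "nginx-ingress-secret"),
               ("multisvc", "nginx-ingress-secret"),
               ("multisvc", "tomcat-ingress-secret")}


def host_covered(host, tls_hosts):
    """True if host equals a TLS host or matches a one-label wildcard."""
    for pattern in tls_hosts:
        if pattern == host:
            return True
        if pattern.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == pattern[2:]:
                return True
    return False


def audit_ingress(ingress, tls_secrets):
    """Return a list of (code, detail) findings for one Ingress dict."""
    meta, spec = ingress.get("metadata", {}), ingress.get("spec", {})
    namespace = meta.get("namespace", "default")
    findings = []
    if CLASS_ANNOTATION not in (meta.get("annotations") or {}):
        findings.append(("no-class", "no %s annotation" % CLASS_ANNOTATION))
    if not spec.get("rules") and not spec.get("backend"):
        findings.append(("empty-spec", "neither rules nor backend is set"))
    tls_hosts = []
    for entry in spec.get("tls") or []:
        secret = entry.get("secretName")
        # A TLS Secret is looked up in the Ingress's own namespace.
        if (namespace, secret) not in tls_secrets:
            findings.append(("missing-secret", "%s/%s" % (namespace, secret)))
        tls_hosts.extend(entry.get("hosts") or [])
    for item in spec.get("rules") or []:
        host = item.get("host")
        if host is None:
            findings.append(("any-host", "rule without host matches every Host header"))
        elif not host_covered(host, tls_hosts):
            findings.append(("http-only", host))
    return findings


if __name__ == "__main__":
    for ing in (MULTI_INGRESS, MULTI_INGRESS_HTTPS):
        print(ing["metadata"]["name"], audit_ingress(ing, TLS_SECRETS))
```

Because multi-ingress is left in place next to multi-ingress-https, the audit reports both hosts as still published by an HTTP-only object without a class annotation.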

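Mapping different services to different paths on the same host

In this case, requests are sent to two different services depending on the path in the request URL. Clients can therefore reach two different services through a single IP address (the IP address of the Ingress controller).

Note: the path defined in the Ingress must match the path actually served by the backend Service; otherwise the request is forwarded to a path that does not exist and causes an error.

Example Ingress definition

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-ingress
  namespace: multisvc
spec:
  rules:
  - host: www.imyapp.com
    http:
      paths:
      - path: /nginx
        backend:
          serviceName: nginx-svc
          servicePort: 80
      - path: /tomcat
        backend:
          serviceName: tomcat-svc
          servicePort: 8080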
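
The rule lookup described in the field list earlier (rules first, then the default backend) and the path note above, modelled as an added Python example; it is not code from the original article or from ingress-nginx. It assumes exact host matching and longest-prefix matching on whole path elements, the function names are made up for illustration, and fallback-svc is a constructed Service name.

```python
"""Model of how an Ingress spec (extensions/v1beta1 shape) selects a backend.

Assumptions (not taken from the article): hosts match exactly, paths match
as prefixes on whole elements, and the longest matching path wins.
"""

# Transcribed from the path-based manifest above.
PATH_SPEC = {
    "rules": [{
        "host": "www.imyapp.com",
        "http": {"paths": [
            {"path": "/nginx",
             "backend": {"serviceName": "nginx-svc", "servicePort": 80}},
            {"path": "/tomcat",
             "backend": {"serviceName": "tomcat-svc", "servicePort": 8080}},
        ]},
    }],
}

# Same rules plus a constructed spec.backend (hypothetical Service name).
SPEC_WITH_DEFAULT = dict(
    PATH_SPEC, backend={"serviceName": "fallback-svc", "servicePort": 80})


def path_matches(rule_path, request_path):
    """True if rule_path is a prefix of request_path on element boundaries."""
    if not rule_path or rule_path == "/":
        return True                      # an empty path behaves like "/"
    prefix = rule_path.rstrip("/")
    return request_path == prefix or request_path.startswith(prefix + "/")


def resolve(spec, host, request_path):
    """Return (serviceName, servicePort, path_seen_by_backend) or None.

    None means no rule matched and spec.backend is unset, so the request is
    left to the controller's own default backend.
    """
    best_len, chosen = -1, None
    for rule in spec.get("rules") or []:
        if rule.get("host") not in (None, host):
            continue                     # rule is bound to another host
        for entry in (rule.get("http") or {}).get("paths") or []:
            rule_path = entry.get("path") or "/"
            if path_matches(rule_path, request_path) and len(rule_path) > best_len:
                best_len, chosen = len(rule_path), entry["backend"]
    if chosen is None:
        chosen = spec.get("backend")     # spec.backend: the default backend
    if chosen is None:
        return None
    # No rewrite is applied: the backend receives the original request path,
    # which is why the Ingress path must exist on the backend.
    return (chosen["serviceName"], chosen["servicePort"], request_path)


if __name__ == "__main__":
    for host, path in [("www.imyapp.com", "/nginx/index.html"),
                       ("www.imyapp.com", "/tomcat"),
                       ("www.imyapp.com", "/nginxfoo"),
                       ("other.imyapp.com", "/nginx")]:
        print(host, path, "->", resolve(PATH_SPEC, host, path),
              "| with default:", resolve(SPEC_WITH_DEFAULT, host, path))
```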