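k8s ingress (Part 2)
Introduction to Ingress
As mentioned in earlier lessons, a Service can expose an application outside the cluster in two main ways, NodePort and LoadBalancer, but both have drawbacks:
NodePort occupies a port on many cluster machines, and this drawback becomes more pronounced as the number of services in the cluster grows.
LoadBalancer needs one LB per Service, which is wasteful and cumbersome, and it requires support from equipment outside kubernetes.
Given this situation, kubernetes provides the Ingress resource object. With Ingress, a single NodePort or a single LB is enough to expose multiple Services. The mechanism is roughly as shown in the figure below: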
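In practice, Ingress acts as a layer-7 load balancer; it is kubernetes' abstraction of a reverse proxy. It works much like Nginx: you define a set of mapping rules in the Ingress, the Ingress Controller watches these rules and converts them into Nginx configuration, and Nginx then serves external traffic. There are two core concepts here:
ingress: an object in kubernetes that defines the rules for how requests are forwarded to a service
ingress controller: the program that actually implements the reverse proxy and load balancing. It parses the rules defined by the ingress and forwards requests according to them. There are many implementations, such as Nginx, Contour, Haproxy and so on.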
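Ingress (taking Nginx as the example) works as follows:
The user writes Ingress rules stating which domain name maps to which Service in the kubernetes cluster
The Ingress controller dynamically detects changes to the Ingress rules and generates the corresponding Nginx configuration
The Ingress controller writes the generated Nginx configuration into a running Nginx service and updates it dynamically
At this point, what is actually doing the work is Nginx, configured internally with the user-defined request forwarding rules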
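The render step described above, as an added example that is not part of the original article and is not ingress-nginx's real template: a simplified model that turns host rules into Nginx server blocks. The rule list mirrors the two hosts used later on this page; addressing backends by Service DNS name in the dev namespace is an assumption of this sketch.

```python
# Simplified model of an Ingress controller's render step (illustration only).
# RULES is a constructed input mirroring the two hosts used later on this page.
RULES = [
    {"host": "nginx.itheima.com", "path": "/", "service": "nginx-service", "port": 80},
    {"host": "tomcat.itheima.com", "path": "/", "service": "tomcat-service", "port": 8080},
]


def render_nginx(rules, namespace="dev"):
    """Group rules by host and emit one server block per host plus a catch-all."""
    by_host = {}
    for r in rules:
        by_host.setdefault(r["host"], []).append(r)
    out = []
    for host in sorted(by_host):
        out.append("server {")
        out.append("    listen 80;")
        out.append(f"    server_name {host};")
        # Longest path first, so the most specific location is listed first.
        for r in sorted(by_host[host], key=lambda r: -len(r["path"])):
            # Assumption: the backend is addressed by Service DNS name;
            # real controllers usually proxy to the pod endpoints directly.
            upstream = f'{r["service"]}.{namespace}.svc.cluster.local:{r["port"]}'
            out.append(f'    location {r["path"]} {{')
            out.append("        proxy_set_header Host $host;")
            out.append(f"        proxy_pass http://{upstream};")
            out.append("    }")
        out.append("}")
    # A request whose Host header matches no rule must not reach any Service.
    out += ["server {", "    listen 80 default_server;", "    server_name _;",
            "    return 404;", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_nginx(RULES))
```

Every rule becomes a `server_name` match on the Host header, which is why the later steps need the two domain names to resolve to a node before the NodePort can be tested.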
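Ingress environment preparation
For a listener under an ELB, you can tell whether it is layer 4 or layer 7 from the listener protocol and port.
If the listener protocol is TCP or UDP, the listener is layer 4. Such a listener can only forward traffic to backend instances based on the destination port and cannot process the traffic in any way.
If the listener protocol is HTTP or HTTPS, the listener is layer 7. Such a listener can process traffic based on the request URL, HTTP headers and other information, and forward it to backend instances.
In addition, the listener port can also be used to judge whether it is layer 4 or layer 7. If the listener port is 80 or 443, the listener is layer 7; if it is any other port, the listener is layer 4.
Using Ingress
Ingress environment preparation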
# Create a directory
[root@master ~]# mkdir ingress-controller
[root@master ~]# cd ingress-controller/
# Fetch ingress-nginx; this walkthrough uses version 0.30
[root@master ingress-controller]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/mandatory.yaml
[root@master ingress-controller]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/provider/baremetal/service-nodeport.yaml
# Change the image repository in mandatory.yaml (in my own experiment it also worked without this change)
# Change quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0
# to quay-mirror.qiniu.com/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0
# Create ingress-nginx
[root@master ingress-controller]# kubectl apply -f ./
# View ingress-nginx
[root@master ingress-controller]# kubectl get pod -n ingress-nginx
NAME                                           READY   STATUS    RESTARTS   AGE
pod/nginx-ingress-controller-fbf967dd5-4qpbp   1/1     Running   0          12h
# View the service
[root@master ingress-controller]# kubectl get svc -n ingress-nginx
NAME            TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx   NodePort   10.98.75.163   <none>        80:32240/TCP,443:31335/TCP   11h
Prepare the service and pods
To make the following experiments easier, create the model shown in the figure below
Create tomcat-nginx.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: dev
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx-pod
  template:
    metadata:
      labels:
        app: nginx-pod
    spec:
      containers:
      - name: nginx
        image: nginx:1.17.1
        ports:
        - containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomat-deployment
  namespace: dev
spec:
  replicas: 3
  selector:
    matchLabels:
      app: tomcat-pod
  template:
    metadata:
      labels:
        app: tomcat-pod
    spec:
      containers:
      - name: tomcat
        image: tomcat:8.5-jre10-slim
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  namespace: dev
spec:
  selector:
    app: nginx-pod
  clusterIP: None
  type: ClusterIP
  ports:
  - port: 80
    targetPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: tomcat-service
  namespace: dev
spec:
  selector:
    app: tomcat-pod
  clusterIP: None
  type: ClusterIP
  ports:
  - port: 8080
    targetPort: 8080
# Create
[root@master ~]# kubectl create -f tomcat-nginx.yaml
# View
[root@master ~]# kubectl get svc -n dev
NAME             TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)    AGE
nginx-service    ClusterIP   None         <none>        80/TCP     48s
tomcat-service   ClusterIP   None         <none>        8080/TCP   48s
HTTP proxy
Create ingress-http.yaml
# extensions/v1beta1 matches the ingress-nginx 0.30.0 setup used here;
# this Ingress API version was removed in Kubernetes 1.22
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-http
  namespace: dev
spec:
  rules:
  - host: nginx.itheima.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-service
          servicePort: 80
  - host: tomcat.itheima.com
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat-service
          servicePort: 8080
# Create
[root@master ~]# kubectl create -f ingress-http.yaml
ingress.extensions/ingress-http created
# View
[root@master ~]# kubectl get ing ingress-http -n dev
NAME           HOSTS                                  ADDRESS   PORTS   AGE
ingress-http   nginx.itheima.com,tomcat.itheima.com             80      22s
# View details
[root@master ~]# kubectl describe ing ingress-http -n dev
...
Rules:
Host                 Path   backends
----                 ----   --------
nginx.itheima.com    /      nginx-service:80(10.244.1.96:80,10.244.1.97:80,10.244.2.112.80)
tomcat.itheima.com   /      tomcat-service:8080(10.244.1.94:8080,10.244.1.95:8080,10.244.2.111.8080)
# Next, configure the hosts file on your local computer to resolve the two domain names above to 192.168.109.100 (master)
# Then you can visit tomcat.itheima.com:32240 and nginx.itheima.com:32240 to see the result
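HTTPS proxy
Create the certificate
# Generate the certificate
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/C=CN/ST=BJ/L=BJ/O=nginx/CN=itheima.com"
# Create the secret (in the dev namespace, because an Ingress can only reference a Secret in its own namespace)
kubectl create secret tls tls-secret --key tls.key --cert tls.crt -n dev
Create the ingress-https.yaml file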
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-https
  namespace: dev
spec:
  tls:
    - hosts:
      - nginx.itheima.com
      - tomcat.itheima.com
      secretName: tls-secret # the Secret holding the certificate and key
  rules:
  - host: nginx.itheima.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-service
          servicePort: 80
  - host: tomcat.itheima.com
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat-service
          servicePort: 8080
# Create the ingress
[root@master ~]# kubectl create -f ingress-https.yaml
ingress.extensions/ingress-https created
# View
[root@master ~]# kubectl get ing ingress-https -n dev
NAME            HOSTS                                  ADDRESS         PORTS     AGE
ingress-https   nginx.itheima.com,tomcat.itheima.com   10.104.184.38   80, 443   2m42s
# View details
[root@master ~]# kubectl describe ing ingress-https -n dev
...
TLS:
  tls-secret terminates nginx.itheima.com,tomcat.itheima.com
Rules:
Host                 Path   backends
----                 ----   --------
nginx.itheima.com    /      nginx-service:80(10.244.1.97:80,10.244.1.98:80,10.244.2.119.80)
tomcat.itheima.com   /      tomcat-service:8080(10.244.1.99:8080,10.244.2.117:8080,10.244.2.120.8080)
# Now you can visit https://nginx.itheima.com:31335 and https://tomcat.itheima.com:31335 in a browser to check the result
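The certificate created above carries only CN=itheima.com, while the Ingress serves nginx.itheima.com and tomcat.itheima.com. The following added example (not from the original article) checks which rule hosts a certificate's DNS names cover; SPEC mirrors ingress-https.yaml, and the SAN lists passed to audit() are constructed inputs.

```python
# Added example: do the certificate's names cover the hosts the Ingress serves?
# SPEC mirrors this page's ingress-https.yaml; SAN lists are constructed samples.
SPEC = {
    "tls": [{"hosts": ["nginx.itheima.com", "tomcat.itheima.com"],
             "secretName": "tls-secret"}],
    "rules": [{"host": "nginx.itheima.com"}, {"host": "tomcat.itheima.com"}],
}


def name_matches(pattern, host):
    """Exact match, or '*' standing for exactly one left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*."):
        # *.a.com matches x.a.com, but neither a.com nor x.y.a.com
        head, _, tail = h.partition(".")
        return bool(head) and tail == p[2:]
    return False


def audit(spec, san_dns_names):
    """Return (host, problem) pairs for rule hosts that TLS will not cover."""
    tls_hosts = [h for t in spec.get("tls", []) for h in t.get("hosts", [])]
    findings = []
    for rule in spec.get("rules", []):
        host = rule["host"]
        if not any(name_matches(t, host) for t in tls_hosts):
            findings.append((host, "not listed under spec.tls"))
        elif not any(name_matches(s, host) for s in san_dns_names):
            findings.append((host, "no matching subjectAltName in certificate"))
    return findings


if __name__ == "__main__":
    # The openssl command above sets CN=itheima.com and adds no SAN, so a
    # client that validates names by SAN finds nothing for either host.
    print(audit(SPEC, []))
    # A wildcard SAN covers both hosts, since each is one label below it.
    print(audit(SPEC, ["*.itheima.com"]))
```

With OpenSSL 1.1.1 or later, adding `-addext "subjectAltName=DNS:nginx.itheima.com,DNS:tomcat.itheima.com"` to the `openssl req` command puts both hosts into the certificate.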