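I. Ingress Introduction and Installation
1. Introduction
Ingress is an API object that manages external access to the services in a cluster, typically over HTTP. Ingress can provide load balancing, SSL termination and name-based virtual hosting. You can think of Ingress as an nginx proxy placed in front of the Services in a k8s cluster, forwarding every matching request to the corresponding Service.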
2. Installing Ingress-nginx
Reference: https://github.com/kubernetes/ingress-nginx/blob/nginx-0.30.0/docs/deploy/index.md

    # Download mandatory.yaml. --no-check-certificate avoids the "Unable to establish SSL connection" error.
    # Note: the flag turns off TLS certificate verification, so review the downloaded manifest before applying it.
    wget --no-check-certificate https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/mandatory.yaml
    # List the images that are required
    cat mandatory.yaml | grep image
    # Pull the docker images on every cluster node (left to the reader)
    # Create the Pods
    kubectl apply -f mandatory.yaml
    # List the Pods. Note that the namespace is ingress-nginx
    kubectl get pod -n ingress-nginx
    # Download service-nodeport.yaml
    wget --no-check-certificate https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/provider/baremetal/service-nodeport.yaml
    # Create the svc
    kubectl apply -f service-nodeport.yaml
    kubectl get svc -n ingress-nginx

Note: if permission problems occur, see the reference article.
II. Examples
1. HTTP proxy access
a) Create ingress-http.yaml

    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: nginx-deployment
    spec:
      replicas: 3
      template:
        metadata:
          labels:
            app: nginx-app
        spec:
          containers:
          - name: nginx-container
            image: hub.xcc.com/my-xcc/my-nginx:v1
            imagePullPolicy: IfNotPresent
            ports:
            - containerPort: 80
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: nginx-svc
    spec:
      selector:
        app: nginx-app
      ports:
      - port: 80
        targetPort: 80
        protocol: TCP
    ---
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: nginx-ing
    spec:
      rules:
      - host: foo.xcc.com
        http:
          paths:
          - path: /
            backend:
              serviceName: nginx-svc
              servicePort: 80
b) Run the commands

    kubectl apply -f ingress-http.yaml
    kubectl get deployment
    kubectl get svc
    kubectl get pod
    kubectl get ing

c) Access

    # Check the port exposed by ingress-nginx, then access the site at foo.xcc.com:<port>
    [root@master01 ingress]# kubectl get svc -n ingress-nginx
    NAME            TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
    ingress-nginx   NodePort   10.116.16.25   <none>        80:30554/TCP,443:30935/TCP   36m
2. HTTPS proxy access
a) Create the certificate

    # Generate the certificate files
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
    # List the files
    ls
    # Create the secret
    kubectl create secret tls tls-secret --key tls.key --cert tls.crt
    # List the secret
    kubectl get secret
b) Create nginx-https-ing.yaml

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: nginx-https-ing
    spec:
      tls:
      - hosts:
        - foo.xcc.com          # should list the same host as the rule below
        secretName: tls-secret
      rules:
      - host: foo.xcc.com
        http:
          paths:
          - path: /
            backend:
              serviceName: nginx-svc
              servicePort: 80
c) Run the command to create it

    kubectl apply -f nginx-https-ing.yaml

d) Access

    # The site is reachable at https://foo.xcc.com:<port>. Check the port:
    [root@master01 ingress]# kubectl get svc -n ingress-nginx
    NAME            TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
    ingress-nginx   NodePort   10.116.16.25   <none>        80:30554/TCP,443:30935/TCP   36m
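3. BasicAuth authentication
Require a username and password when a particular domain is accessed.
a) Create the credentials

    # Install httpd
    yum -y install httpd
    # Create the auth account foo and set its password (the file must be named auth)
    htpasswd -c auth foo
    # Create the secret
    kubectl create secret generic basic-auth --from-file=auth
    # List the secret
    kubectl get secret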
b) Create auth-ing.yaml

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: auth-ing
      annotations:
        nginx.ingress.kubernetes.io/auth-type: basic
        nginx.ingress.kubernetes.io/auth-secret: basic-auth
        nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
    spec:
      rules:
      - host: auth.xcc.com
        http:
          paths:
          - path: /
            backend:
              serviceName: nginx-svc
              servicePort: 80
c) Run the commands

    kubectl apply -f auth-ing.yaml
    # List the ingress
    kubectl get ing

d) Access
Open auth.xcc.com:<port>; you are now prompted for the username and password (the ones set earlier).

    # Check the port
    [root@master01 ingress]# kubectl get svc -n ingress-nginx
    NAME            TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
    ingress-nginx   NodePort   10.116.16.25   <none>        80:30554/TCP,443:30935/TCP   36m
III. Viewing the Ingress-Nginx proxy configuration

    # Find the ingress-controller pod
    [root@k8s-master01 ingress]# kubectl get pod -n ingress-nginx
    NAME                                       READY   STATUS    RESTARTS   AGE
    nginx-ingress-controller-ab5didia2-eds1d   1/1     Running   0          59m
    # Open a shell in the pod
    [root@k8s-master01 ingress]# kubectl exec nginx-ingress-controller-ab5didia2-eds1d -n ingress-nginx -it -- /bin/bash
    # Inside the container, view the /etc/nginx/nginx.conf file
    cat /etc/nginx/nginx.conf