ingress
概念
k8s的对外服务,ingress
service作用现在两个方面:
1、集群内部:不断跟踪的变化,更新endpoint中的pod对象,基于pod的ip地址不断变化的一种服务发现机制。
2、集群外部:类似于负载均衡器,把流量(ip+端口),不涉及转发url(http https),把请求转发到pod当中。
service:
NodePort: 容器端口-----service端口-----NodePort,设定了nodeport,每个节点都会有一个端口被打开30000-32767
ip+端口: 节点ip+30000-32767.s实现负载均衡
loadbalancer: 云平台上的一种service服务。云平台提供负载均衡ip地址
extrenal: 域名映射
ingress:
ingress基于城名进行映射,把url(http https)请求转发到service,再由service把请求转发到每一个pod.
ingress只要一个或者少量的狗官网ip或者LB,可以把多个http请求暴露到外网,七层反向代理。
service的service是一个基于域名和url路径,把一个或多个请求转发到service
ingress转发请求(七层)----service(四层)----pod
ingress的组成:
ingress是一个api对象,通过yaml文件来进行配置。ingress的作用是定义请求如何转发到service的规则,配置模板
ingress通过http和https暴露集群内部的service,给service提供一个外部的url,负载均衡,ssl/tls(https)的能力,实现一个基于域名的负载均衡。
ingress-controller:
具体的实现反向代理和负载均衡的程序。对ingress定义的规则进行解析,根据ingress的配置规则进行请求的转发。
ingress-controller:不是k8s自带的组件功能,ingress-controller一个统称。
nginx ingress controller,traefik都是ingress-controller,开源
ingress资源的定义项:
1、定义外部流量的路由规则
2、定义了服务暴露方式,主机名、url访问路径和其他属性
3、负载均衡(ingress-controller)
ingress-controller的运行方式是pod方式运行在集群当中
nginx-ingress-controller:
ingressbao露服务的方式:
1、方式一:deployment+LoadBalancer
deployment+LoadBalancer模式:ingress部署在公有云。会ingress里面会有一个type,type:LoadBalancer。公有云平台会为loadBalancer的service创建一个负载均衡器。绑定一个公网地址。
通过域名指向这个公网地址就可以实现集群对外暴露。
2、方式二:DaemonSet+hostnetwork+nodeSelector
DaemonSet:在每个节点都会创建一个pod
hostnetwork:pod共享节点主机的网络命令空间。容器内直接使用节点主机的ip+端口。pod直接访问主机上的的网络资源。
nodeSelector: 根据标签来选择部罢的节点。nginx-ingress-controller部罢的节点。
缺点:直接利用节点上的主机的网络和端口,一个node只能部署一个ingress-controller pod 比较适合大并发的生产环境,性能最好。
为什么适合大并发??
pod共享节点主机的网络资源
客户端发起请求域名将先到DNS
DNS开始解析域名。映射到ingress-controller所在的节点
ingress-controller以pod形式运行在节点上。hostnetwork可以和节点主机共享网络
ingress的配置来定义URL的地址
根据ingress的标签匹配将请求转发到service
service寻找endpoints发现匹配能够转发的pod
最终还是由ingress-controller将请求转发到不同的pod上。实现负载均衡
service和endpoints在这里起发现和监控的总用
实际的负载均衡由ingress-controller实现
master01--
wget https://gitee.com/mirrors/ingress-nginx/raw/nginx-0.30.0/deploy/static/mandatory.yaml
修改mandatory.yaml
vim mandatory.yaml
191 #kind: Deployment
192 kind: DaemonSet
200 # replicas: 1
215 hostNetwork: true
220 test1: "true"每台节点主机都添加nginx-ingress-controller镜像
tar -xf ingree.contro-0.30.0.tar.gz
docker load -i ingree.contro-0.30.0.tarmaster01--
kubectal get pod -n ingress-nginxkubectl label nodes node02 ingress=truekubectl apply -f mandatory.yaml
在node02做映射
vim nginx.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:name: nfs-pvc
spec:accessModes:- ReadWriteManystorageClassName: nfs-client-storageclassresources:requests:storage: 2Gi---
#定义pod
apiVersion: apps/v1
kind: Deployment
metadata:name: nginx-applabels:app: nginx1
spec:replicas: 3selector:matchLabels:app: nginx1template:metadata:labels:app: nginx1spec:containers:- name: nginximage: nginx:1.22volumeMounts:- name: nfs-pvcmountPath: /usr/share/nginx/htmlvolumes:- name: nfs-pvcpersistentVolumeClaim:claimName: nfs-pvc---
#定义serviceapiVersion: v1
kind: Service
metadata:name: nginx-app-svc
spec:ports:- protocol: TCPport: 80targetPort: 80selector:app: nginx1---
#定义ingressapiVersion: networking.k8s.io/v1
kind: Ingress
metadata:name: nginx-app-ingress
spec:rules:- host: www.test1.comhttp:paths:- path: /
#匹配工作目录的根目录pathType: Prefix
#根据前缀进行匹配 只要是/开头的都可以匹配到例如/ www.test1.com/www1/www2/www3backend:
#指定后台服务器service:name: nginx-app-svcport:number: 80
查看挂载目录--192.168.10.40
echo 123 > index.html访问
curl www.test2.com
3、方式三:demployment+nodePort
master01---
vim mandatory.yaml
191 kind: Deployment
215 #hostNetwork: true
200 replicas: 1
219 kubernetes.io/os: linux
220 #test1: "true"kubectl apply -f mandatory.yaml wget https://gitee.com/mirrors/ingress-nginx/raw/nginx-0.30.0/deploy/static/provider/baremetal/service-nodeport.yaml
#获取service-nodeport.yaml文件
mandatory.yaml
service-nodeport.yaml
apiVersion: v1
kind: Service
metadata:name: ingress-nginxnamespace: ingress-nginxlabels:app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginx
spec:type: NodePortports:- name: httpport: 80targetPort: 80protocol: TCP- name: httpsport: 443targetPort: 443protocol: TCPselector:app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginx---
#现在执行这个yaml文件,会生成一个service,在ingress-nginx这个命名空间生成一个service,所有的controller的请求都会
#从这个定义的service的nodeport的端口,把请求转发到自定义的service的pod
vim nodeport.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:name: nfs-pvc2
spec:accessModes:- ReadWriteManystorageClassName: nfs-client-storageclassresources:requests:storage: 2Gi---
apiVersion: apps/v1
kind: Deployment
metadata:name: nginx-app2labels:app: nginx2
spec:replicas: 3selector:matchLabels:app: nginx2template:metadata:labels:app: nginx2spec:containers:- name: nginximage: nginx:1.22volumeMounts:- name: nfs-pvc2mountPath: /usr/share/nginx/htmlvolumes:- name: nfs-pvc2persistentVolumeClaim:claimName: nfs-pvc2
---
apiVersion: v1
kind: Service
metadata:name: nginx-app-svc1
spec:ports:- protocol: TCPport: 80targetPort: 80selector:app: nginx2
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:name: nginx-app-ingress
spec:rules:- host: www.test2.comhttp:paths:- path: /pathType: Prefixbackend:service:name: nginx-app-svc1port:number: 80kubectl apply -f nodeport.yaml查看挂载目录--192.168.10.40
echo lyw > index.html
在node02做映射
访问
curl www.test2.com:31679
nodeport不再是deployment的service创建的
核心的控制组件时nginx-ingress-controller
host----ingress的配置找到pod----controller----把请求发到pod
nodeport-----controller-----ingress----service----pod
nodeport暴露端口的方式是最简单的。nodeport多了一层net(地址转换)
并发量大的对性能会有一定影响。内部都会用nodeport
通过虚拟主机的方式实现http代理:
ingress的方式实现:一个ingress可以实现不同主机的访问
实验举例:
pod1.yaml
apiVersion: apps/v1
kind: Deployment
metadata:name: deploymentlabels:test: nginx1
spec:replicas: 1selector:matchLabels:test: nginx1template:metadata:labels:test: nginx1spec:containers:- name: nginx1image: nginx:1.22
---
apiVersion: v1
kind: Service
metadata:name: svc-1
spec:ports:- port: 80targetPort: 80protocol: TCPselector:test: nginx1
pod2.yaml
apiVersion: apps/v1
kind: Deployment
metadata:name: deployment2labels:test: nginx2
spec:replicas: 1selector:matchLabels:test: nginx2template:metadata:labels:test: nginx2spec:containers:- name: nginx1image: nginx:1.22
---
apiVersion: v1
kind: Service
metadata:name: svc-2
spec: ports:- port: 80targetPort: 80protocol: TCPselector: test: nginx2
ingress1-2.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:name: ingress1
spec:rules:- host: www.test1.comhttp:paths:- path: /pathType: Prefixbackend:service:name: svc-1port:number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:name: ingress2
spec:rules:- host: www.test1.comhttp:paths:- path: /pathType: Prefixbackend:service:name: svc-2port:number: 80
做映射
kubectl apply -f pod1.yaml
kubectl apply -f pod2.yaml
kubectl apply -f ingress1-2.yaml
curl www.test1.com:31679
curl www.test2.com:31679
daemonset+hostnetwork+nodeselector实现访问多个主机
实验举例:
nginx-service.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:name: nfs-pvc
spec:accessModes:- ReadWriteManystorageClassName: nfs-client-storageclassresources:requests:storage: 2Gi---
apiVersion: apps/v1
kind: Deployment
metadata:name: nginx-applabels:app: nginx1
spec:replicas: 1selector:matchLabels:app: nginx1template:metadata:labels:app: nginx1spec:containers:- name: nginximage: nginx:1.22volumeMounts:- name: nfs-pvcmountPath: /usr/share/nginx/htmlvolumes:- name: nfs-pvcpersistentVolumeClaim:claimName: nfs-pvc
---
apiVersion: v1
kind: Service
metadata:name: nginx-app-svc
spec:ports:- protocol: TCPport: 80targetPort: 80selector:app: nginx1
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:name: nginx-app-ingress
spec:rules:- host: www.test1.comhttp:paths:- path: /pathType: Prefixbackend:service:name: nginx-app-svcport:number: 80
nginx-service2.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:name: nfs-pvc1
spec:accessModes:- ReadWriteManystorageClassName: nfs-client-storageclassresources:requests:storage: 2Gi---
apiVersion: apps/v1
kind: Deployment
metadata:name: nginx-app2labels:app: nginx2
spec:replicas: 3selector:matchLabels:app: nginx2template:metadata:labels:app: nginx2spec:containers:- name: nginximage: nginx:1.22volumeMounts:- name: nfs-pvc1mountPath: /usr/share/nginx/htmlvolumes:- name: nfs-pvc1persistentVolumeClaim:claimName: nfs-pvc1
---
apiVersion: v1
kind: Service
metadata:name: nginx-app-svc2
spec:ports:- protocol: TCPport: 80targetPort: 80selector:app: nginx2
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:name: nginx-app-ingress2
spec:rules:- host: www.test2.comhttp:paths:- path: /pathType: Prefixbackend:service:name: nginx-app-svc2port:number: 80
查看挂载目录--192.168.10.40
echo 123 > index.html
#连个pv都要写index.htmlkubectl apply -f mandatory.yaml
kubectl apply -f nginx-service.yaml
kubectl apply -f nginx-service2.yaml
总结
ingress-controller两种方式:nginx-ingress-controller、traefik
ingress-controller的三种工作模式:
deployment+loadbalancer:需要云平台提供一个负载均衡的公网地址。公有云上做。需要收费
daemonset+hostnetwork+nodeselector:一般都会指定节点部署controller。缺点就是和宿主机共享网络,只能是一个controller的pod
hostnetwork会和宿主机共享网络。所以需要指定标签
deployment+NodePort:这是最常用最简单的方式。他会集中一个nodeport端口,所有ingress的请求都会转发到nodeport。然后由service将流量转发到pod
一个ingress的nodeport可以实现访问多个虚拟主机。和nginx类似。同一个端口下可以有多个域名