ingress基于域名进行映射,把url(http https)的请求转发到service,再由service把请求转发到每一个pod
ingress只要一个或者少量的公网ip或者LB,可以把多个http请求暴露到外网,七层反向代理
理解为service的service,是一组基于域名和URL路径,把一个或者多个请求转发到service
先是七层代理然后再是四层代理再到pod
ingress >service>nginx
ingress的组成:
ingress是要给api对象,通过yaml文件来进行配置,ingress作用定义规则,定义请求如何转发到service的规则,配置的一个模板
ingress通过http和https暴漏集群内部的service,给service提供一个外部的url,负载均衡,ssl/tls(https),实现一份基于域名的负载均衡
ingress-controller:是具体的实现反向代理和负载均衡的程序,对ingress定义的规则进行解析,根据ingress的配置规则进行请求的转发
ingress-controller:不是k8s自带的组件功能,ingress-controller一个统称。
nginx ingress controller,traefik都是ingress-controller,开源
ingress资源的定义项
1、定义外部流量的路由规则
2、定义服务的暴漏方式,主机名,访问路径和其他的选项
3、负载均衡(ingress-controller)
nginx-ingress-controller运行方式是pod方式运行在集群当中
nginx-ingress-controller
ingress暴漏服务的方式
1、deployment+loadBalancer模式
ingress部署在公有云,会ingress配置文件里面会有一个type,type:LoadBalancer,公有云平台会为个loadbalancer的service创建一个负载均衡器,绑定一个公网地址。
通过域名指向这个公网地址就可以实现集群对外暴漏。
2、方式二:DaemonSet+hostnetwork+nodeSelector
DaemonSet在每个节点都会创建一个pod
hostnetwork:pod会共享节点主机的网络命名空间,容器内直接使用节点主机ip+端口,pod中的容器直接访问主机上网络资源
nodeSelector:根据标签来选择部署的节点,nginx-ingress-controller部署的节点
缺点:直接利用节点主机的网络和端口,一个node只能部署一个ingress-controller pod.比较适合大并发的生产环境。性能最好的。
netstat -lntp | grep nginx
8081端口,nginx-controller默认配置的一个bachend。反向代理端口
所有的请求当中,只要是不符合ingress配置的请求转发到8181,相当于一个error的页面
现在执行这个yaml文件,会生成一个service会生成一个service,在ingress-nginx这个命名空间生成一个service,所有的controlle的请求都会从这个定义的service的nodeport的端口,把请求转发到自定义的service的pod
过程
wget https://gitee.com/mirrors/ingress-nginx/raw/nginx-0.30.0/deploy/static/mandatory.yamlvim mandatory.yamlapiVersion: apps/v1
#kind: Deployment
kind: DaemonSet
metadata:name: nginx-ingress-controllernamespace: ingress-nginxlabels:app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginx
spec:replicas: 1selector:matchLabels:app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxtemplate:metadata:labels:app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxannotations:prometheus.io/port: "10254"prometheus.io/scrape: "true"spec:# wait up to five minutes for the drain of connectionshostNetwork: trueterminationGracePeriodSeconds: 300serviceAccountName: nginx-ingress-serviceaccountnodeSelector:test1: "true"#kubernetes.io/os: linux#在master节点上上传镜像压缩包
cd /opt/ingress
tar zxvf ingree.contro.tar.gz#所有节点加载镜像包
docker load -i ingree.contro.tarkubectl apply -f mandatory.yaml//到 node02 节点查看
netstat -lntp | grep nginxvim /opt/ingress/nginx-service.yamlapiVersion: v1
kind: PersistentVolumeClaim
metadata:name: nfs-pvc1
spec:accessModes:- ReadWriteManystorageClassName: nfs-client-storagesclassresources:requests:storage: 2Gi---
apiVersion: apps/v1
kind: Deployment
metadata:name: nginx-app1labels:app: nginx2
spec:replicas: 3selector:matchLabels:app: nginx2template:metadata:labels:app: nginx2spec:containers:- name: nginximage: nginx:1.22volumeMounts:- name: nfs-pvc2mountPath: /usr/share/nginx/html/volumes:- name: nfs-pvc2persistentVolumeClaim:claimName: nfs-pvc2---
apiVersion: v1
kind: Service
metadata:name: nginx-app-svc2
spec:ports:- protocol: TCPport: 80targetPort: 80selector:app: nginx2---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:name: nginx-app-ingress2
spec:rules:- host: www.test1.comhttp:paths:- path: /pathType: Prefixbackend:service:name: nginx-app-svc2port:number: 80kubectl apply -f nginx-service.yaml
3、deployment+NodePort:
nginx+ingress-controller
host--->ingress的配置赵大鹏pod---controller---请求到pod
nodeport----controller---ingress==service---pod
nodeport暴露端口的方式最简单的方法,nodeport多了一层nat地址转换
并发量大的对性能会有一定影响,内部都会用nodeport
apiVersion: v1
kind: PersistentVolumeClaim
metadata:name: nfs-pvc3
spec:accessModes:- ReadWriteManystorageClassName: nfs-client-storageclassresources:requests:storage: 2Gi---
apiVersion: apps/v1
kind: Deployment
metadata:name: nginx-app3labels:app: nginx3
spec:replicas: 1selector:matchLabels:app: nginx3template:metadata:labels:app: nginx3spec:containers:- name: nginx3image: nginx:1.22volumeMounts:- name: nfs-pvc3mountPath: /usr/share/nginx/htmlvolumes:- name: nfs-pvc3persistentVolumeClaim:claimName: nfs-pvc3---
apiVersion: v1
kind: Service
metadata:name: nginx-app-svc3
spec:ports:- protocol: TCPport: 80targetPort: 80selector:app: nginx3---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:name: nginx-app-ingress3
spec:rules:- host: www.test2.comhttp:paths:- path: /pathType: Prefixbackend:service:name: nginx-app-svc3port:number: 80
kubectl apply -f nodePort.yamlvim /etc/hosts
20.0.0.92 www.test2.com
~
Ingress HTTP 代理访问虚拟主机
apiVersion: apps/v1
kind: Deployment
metadata:name: deployment1
spec:replicas: 1selector:matchLabels:name: nginx1template:metadata:labels:name: nginx1spec:containers:- name: nginx1image: nginx:1.14imagePullPolicy: IfNotPresentports:- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:name: svc-1
spec:ports:- port: 80targetPort: 80protocol: TCPselector:name: nginx1
kubectl apply -f deployment1.yaml
vim deployment2.yaml
apiVersion: apps/v1
kind: Deployment
metadata:name: deployment2
spec:replicas: 1selector:matchLabels:name: nginx2template:metadata:labels:name: nginx2spec:containers:- name: nginx2image: nginx:1.14imagePullPolicy: IfNotPresentports:- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:name: svc-2
spec:ports:- port: 80targetPort: 80protocol: TCPselector:name: nginx2kubectl apply -f deployment2.yaml
创建ingress资源
vim ingress-nginx.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:name: ingress1
spec:rules:- host: www.test.comhttp:paths:- path: /pathType: Prefixbackend:service: name: svc-1port:number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:name: ingress2
spec:rules:- host: www.abc.comhttp:paths:- path: /pathType: Prefixbackend:service: name: svc-2port:number: 80kubectl apply -f ingress-nginx.yaml
ingress实现https代理访问
证书密钥创建证书,密钥
创建证书 密钥
secret 保存密钥信息
openssl req -x509 -sha256 -nodes -days 356 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "CN=nginxsvc/O=nginxsvc"
openssl req -x509 -sha256 -nodes -days 356 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "CN=nginxsvc/O=nginxsvc"
req生成证书文件的
x509生成x.509自签名 的证书
-sha256:表示使用sha-256的散列算法
-nodes:表示生成的密钥不加密
-days:365天 证书有效期365天
-newkey rsa:RSA的密钥对,长度2048位
-subj "/CN=nginxsvc/O=nginxsvc":主题,CN common name O: organzation组织
kubectl create secret tls tls-secret --key tls.key --cert tls.crtkubectl describe secrets tls-secretcd /optmkdir httpsvim ingress-cs.yaml
apiVersion: apps/v1
kind: Deployment
metadata:name: nginx-httpslabels:app: https
spec:replicas: 3selector:matchLabels:app: httpstemplate:metadata:labels:app: httpsspec:containers:- name: nginximage: nginx:1.22---
apiVersion: v1
kind: Service
metadata:name: nginx-svc
spec:ports:- port: 80targetPort: 80protocol: TCPselector:app: https---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:name: nginx-ingress-https
spec:tls:- hosts:- www.123ccc.comsecretName: tls-secret
#加密的配置保存在ingress当中,请求先到ingress-controller再根据ingress配置解析再转发到service,在代理进行时就要先验证密钥对,然后再把请求转发到service对应的pod。rules:- hosts: www.123ccc.comhttp:paths:- paths: /pathType: prefixbackend:service:name: nginx-svcport:number: 80kubectl get svc -n ingress-nginx
容器对nginx实现账号密码认证
mkdir basic-authyum -y install http
cd basic-auth
vim ingress-auth.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:name: ingress-authannotations:
#开启认证模块的位置nginx.ingress.kubernets.io/auth-type: basic
#设置认证类型basic,这是k8s自带的认证加密模块nginx.ingress.kubernets.io/auth-secret: basic-auth
#把认证的加密模块导入到ingress当中nginx.ingress.kubernets.io/auth-realm: 'Authentication Required -wqb'
#设置认证窗口的提示信息。
spec:rules:- host: www.wqb.comhttp:paths:- path: /pathType: Prefixbackend:service:name: nginx-svcport:number: 80kubectl apply -f ingress-auth.yamlvim nginx-rewrite.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:name: nginx-rewriteannotation:nginx.ingress.kubernetes.io/rewrite-target: https://www.123ccc.com:32336
#访问页面会跳转到指定的页面。
spec:rules:- host: www.wqb.comhttp:paths:- path: /pathType: Prefixbackend:service:name: nginx-svcport:number: 80
kubectl apply -f nginx-rewrite.yaml
traefik是一个为了让部署微服务更加快捷而诞生的一个http反向代理,负载均衡
traefik设计时就能够实现和k8ss API交互,感知后端service以及pod的变化,可以自动更新配置和重载
pod内的nginx 80 8081
traefik的部署方式
daemonset
特点优点:每个节点都会部署要给traeflk,节点感知,可以自动发现,更新容器的配置,不需要手动重载
缺点:资源占用,大型集群中,aemonset可能会运行多个traefik的实例,尤其时节点上不需要大量容器运行的情况下,没有办法进行扩缩容
主要部署再对外集群:对外的业务会经常容易八年更,daemonset可以更好的,自动的发现服务配置变更
部署对外集群。
deployment:集中控制,可以使用少量的实例来运行处理整个集群的流量
缺点:deployment的负载均衡不会均分到每个节点
手动更新,无法感知容器内部配置变化,主要部署在对内集群
部署对内集群:对内相对稳定,更新和变化也比较少。适合deployment
traffic-tye:internal 对内服务
traffic-type:external 对外服务
nginx-ingress:相对较慢
工作原理都一样,都是七层代理,都可以动态的更新配置,都可以自动发现服务
traefik-ingress:自动更新重载更快,更方便
traefik的并发能力只有nginx-ingress的6成
ingress
nginx-ingress-controller用的时最多的
deployment+loadbalaner这个必须要共有云提供公网的地址
daemonset+hostnetwork+nodeselector:和节点服务器共享网络,一个节点部署一个controller pod. 既然使用宿主机的端口性能最好适合大并发
deployment+NodePort:这是最常见的也是最常用最简单的方法,但是性能不太好,因为多了一层nat地址转发,不太适合大并发
另外就是traefik-controller
deamontset适合对外 可以自动更新容器配置 hsot 用的时节点的网络
deployment适合对内 无法自动更新配置 Nodeport
daomonset演示
daemonset的配置更新后的自动发现wget https://gitee.com/mirrors/traefik/raw/v1.7/examples/k8s/traefik-rbac.yaml wget https://gitee.com/mirrors/traefik/raw/v1.7/examples/k8s/traefik-ds.yaml wget https://gitee.com/mirrors/traefik/raw/v1.7/examples/k8s/ui.yaml需要执行这三个文件然后自己配置yaml文件
kubectl apply -f traefik-ingress2.yaml
接下来做域名映射vim /etc/hosts用域名加8080访问页面