Kubernetes Service & LB & Networking :Ingress
Kubernetes Service & LB & Networking :Ingress
准备工作
1、启用 minikube 的 ingress 插件
minikube addons enable ingress2、补全 ingress 插件所需的镜像
minikube ssh export image=nginx-ingress-controller:0.14.0
docker pull registry.cn-hangzhou.aliyuncs.com/anoy/${image}
docker tag registry.cn-hangzhou.aliyuncs.com/anoy/${image} quay.io/kubernetes-ingress-controller/${image}
docker rmi registry.cn-hangzhou.aliyuncs.com/anoy/${image}
export image=defaultbackend:1.4
docker pull registry.cn-hangzhou.aliyuncs.com/anoy/${image}
docker tag registry.cn-hangzhou.aliyuncs.com/anoy/${image} k8s.gcr.io/${image}
docker rmi registry.cn-hangzhou.aliyuncs.com/anoy/${image}说明:网络好可以忽略此步骤
3、创建 2 个服务
创建服务 blog-anoyi : Anoyi 的个人博客
apiVersion: apps/v1
kind: Deployment
metadata:
name: blog-anoyi
labels:
app: blog
spec:
selector:
matchLabels:
blog-name: anoyi
template:
metadata:
labels:
blog-name: anoyi
spec:
containers:
- image: registry.cn-hangzhou.aliyuncs.com/anoy/blog
name: blog
env:
- name: JIANSHU_ID
value: 7b7ec6f2db21
ports:
- containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: blog-anoyi
labels:
app: blog
spec:
ports:
- port: 8080
selector:
blog-name: anoyi
clusterIP: None创建服务 blog-science : 科学Jia 的个人博客
apiVersion: apps/v1
kind: Deployment
metadata:
name: blog-science
labels:
app: blog
spec:
selector:
matchLabels:
blog-name: science
template:
metadata:
labels:
blog-name: science
spec:
containers:
- image: registry.cn-hangzhou.aliyuncs.com/anoy/blog
name: blog
env:
- name: JIANSHU_ID
value: 66a89bc4d1b3
ports:
- containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: blog-science
labels:
app: blog
spec:
ports:
- port: 8080
selector:
blog-name: science
clusterIP: NoneIngress 类型
1、Single Service Ingress
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: blog-ingress
spec:
backend:
serviceName: blog-anoyi
servicePort: 8080简单服务路由,将 Node 的入站流量从 80 端口转发到服务 blog-anoyi, 查看 ingress 规则:
kubectl describe ingName: blog-ingress
Namespace: default
Address: 192.168.99.100
Default backend: blog-anoyi:8080 (172.17.0.3:8080)
Rules:
Host Path Backends
---- ---- --------
* * blog-anoyi:8080 (172.17.0.3:8080)
Annotations:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 18m nginx-ingress-controller Ingress default/blog-ingress
Normal UPDATE 17m nginx-ingress-controller Ingress default/blog-ingress即:访问 http://192.168.99.100/ 等于访问 http://172.17.0.3:8080/ ,在浏览器中访问会显示 Anoyi 的博客
2、Name based virtual hosting
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: blog-ingress
spec:
rules:
- host: anoyi.anoy.com
http:
paths:
- backend:
serviceName: blog-anoyi
servicePort: 8080
- host: science.anoy.com
http:
paths:
- backend:
serviceName: blog-science
servicePort: 8080基于名称的虚拟主机转发,将 anoyi.anoy.com 域名下的请求转发到服务 blog-anoyi ,将 science.anoy.com 域名下的转发到服务 blog-science,ingress 规则如下:
Name: test
Namespace: default
Address: 192.168.99.100
Default backend: default-http-backend:80 ()
Rules:
Host Path Backends
---- ---- --------
anoyi.anoy.com
blog-anoyi:8080 (<none>)
science.anoy.com
blog-science:8080 (<none>)
Annotations:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 3m nginx-ingress-controller Ingress default/test
Normal UPDATE 2m nginx-ingress-controller Ingress default/test配置 Host 如下图所示,分别访问 http://anoyi.anoy.com 和 http://science.anoy.com
host 配置
说明: 192.168.99.100 为 Ingress 中的 Address
Anoyi 的个人博客
科学Jia 的个人博客
3、Simple fanout
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: blog-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- host: anoy.com
http:
paths:
- path: /anoyi
backend:
serviceName: blog-anoyi
servicePort: 8080
- path: /science
backend:
serviceName: blog-science
servicePort: 8080简单路径转发,将 http://anoy.com/anoyi 路径的请求转发到服务 blog-anoyi ,将 http://anoy.com/science 转发到服务 blog-science,ingress 规则如下:
Name: blog-ingress
Namespace: default
Address: 192.168.99.100
Default backend: default-http-backend:80 ()
Rules:
Host Path Backends
---- ---- --------
anoy.com
/anoyi blog-anoyi:8080 (<none>)
/science blog-science:8080 (<none>)
Annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 26s nginx-ingress-controller Ingress default/blog-ingress
Normal UPDATE 4s nginx-ingress-controller Ingress default/blog-ingress因该博客镜像的路径跳转不适应此场景,所以此处不截图具体效果。
TLS
您可以通过指定包含 TLS 私钥和证书的 Secure 来保护 Ingress。目前,Ingress 只支持一个 TLS 端口 443。如果 Ingress 中 TLS 的配置部分指定了不同的主机,则它们将根据通过 SNI TLS 扩展指定的主机名(在 Ingress Controller 支持 SNI 的情况下)在同一端口进行多路复用。TLS 密钥必须包含名为 tls.crt 和 tls.key 的密钥,其中包含用于 TLS 的证书和私钥。
示例:为 "Name based virtual hosting" 类型的 Ingress 添加 TLS
生成 CA 私钥与证书
openssl genrsa -out tls.key 2048openssl req -x509 -new -key tls.key -out tls.crt查看 tls.key 与 tls.crt 的 base64 值:
cat tls.key | base64cat tls.crt | base64创建包含 tls.key 和 tls.crt 的 Secret
apiVersion: v1
kind: Secret
metadata:
name: ingress-tls
type: Opaque
data:
tls.key: <上述 tls.key 的 Base64 值>
tls.crt: <上述 tls.crt 的 Base64 值>创建带 TLS 的 Ingress
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: blog-ingress
spec:
tls:
- secretName: ingress-tls
rules:
- host: anoyi.anoy.com
http:
paths:
- backend:
serviceName: blog-anoyi
servicePort: 8080
- host: science.anoy.com
http:
paths:
- backend:
serviceName: blog-science
servicePort: 8080访问 https://anoyi.anoy.com/ 发现浏览器显示 "不安全",因为这个证书没有通过提三方认证
如何解决呢?很简单,将 tls.crt 添加到系统受信任的证书列表。
相关文档
- Kubernetes Ingress
- Kubernetes Secret
- 自制 Https 证书
- 科学Jia 的简书