Setting up external access to a Kubernetes cluster is a hassle:
- kubectl port-forward
  - A temporary forward; it dies as soon as you exit
  - If you run it in the background it is easy to forget about, and surely you are not going to register it as a startup service?
- NodePort
  - Reasonably convenient and usable, but once you have set up a lot of them it feels like you have punched holes everywhere
- LoadBalancer
  - Depends on a cloud environment; cannot be used on bare metal
- hostNetwork
  - Feels like black magic; easy to get burned
- Ingress
  - traefik is simple and convenient, but does not support TCP (so the database cannot be reached -。-)
  - nginx-ingress is a forced fit (its integration with Kubernetes feels strained), has hardly any documentation, and when a connection fails you cannot find the cause (very unfriendly to a beginner like me)...
After a long evaluation I still chose Ambassador:
- "Kubernetes native": integrates very well with Kubernetes, although its Ingress support is limited
- Fairly complete protocol coverage: http/https/websocket/tcp/udp
- Supports Istio. Riding on the coattails of the current star; a bright future ahead
Installation
- Install with helm
  helm install -n ambassador stable/ambassador
  This installs the Service for you, but you will need to edit it yourself afterwards
- Install with yaml
  kubectl apply -f https://getambassador.io/yaml/ambassador/ambassador-rbac.yaml
  or
  kubectl apply -f https://getambassador.io/yaml/ambassador/ambassador-no-rbac.yaml
- You can also wget the file first and deploy from the local copy
Exposing the gateway Service
- vi ambassador-service.yaml
---
apiVersion: v1
kind: Service
metadata:
  name: ambassador
spec:
  type: NodePort
  externalTrafficPolicy: Local
  ports:
  - name: http
    port: 80
    targetPort: 8080
    nodePort: 30080
  - name: https
    port: 443
    targetPort: 8443
    nodePort: 30443
  - name: mysql-rw
    nodePort: 30306
    port: 33306
    protocol: TCP
    targetPort: 33306
  - name: mysql-r
    nodePort: 30307
    port: 33307
    protocol: TCP
    targetPort: 33307
  selector:
    service: ambassador
- This exposes http/https/mysql-master/mysql-slave; copy and adapt the entries as needed
- If you installed with helm you need to edit or replace the existing Service; mind the namespace
Configuring routing rules
- The usual recommendation is to publish the routing rules together with each Service
- Since my Services were already installed locally and the routes were defined afterwards, I put them all in one file
---
apiVersion: getambassador.io/v1
kind: Mapping
metadata:
  name: weave-scope
spec:
  prefix: /
  host: weave-scope.hh:30080
  service: weave-scope-app.weave:80
  use_websocket: true
---
apiVersion: getambassador.io/v1
kind: Mapping
metadata:
  name: mysql-operator
spec:
  prefix: /
  host: mysql-operator.hh:30080
  service: mysql-operator:80
---
apiVersion: getambassador.io/v1
kind: Mapping
metadata:
  name: traefik-dashboard
spec:
  prefix: /
  host: dashboard.traefik:30080
  service: traefik-dashboard.kube-system:80
---
apiVersion: getambassador.io/v1
kind: TCPMapping
metadata:
  name: mysql-rw
spec:
  port: 33306
  service: my-cluster-mysql-master:3306
---
apiVersion: getambassador.io/v1
kind: TCPMapping
metadata:
  name: mysql-r
spec:
  port: 33307
  service: my-cluster-mysql:3306
- This is my own real-world example
- weave-scope is the Kubernetes dashboard; it uses websocket
- The host names need entries in local DNS
- mysql-rw/mysql-r are the TCP-type mappings
- Note that service must include the namespace and any port other than 80 (80 is the default), e.g.
  service: traefik-dashboard.kube-system:80
Web UI
- http://ip:30080/ambassador/v0/diag
- Only the HTTP configuration is shown; TCP mappings are not displayed
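Because the diag page shows nothing for TCP, and because a missing namespace or port in a service reference silently routes to the wrong place, it is worth cross-checking the NodePort Service against the Mapping and TCPMapping objects from the command line. The script below is an added example for this post, not part of Ambassador or its tooling. It works on JSON in the shape that `kubectl get svc ambassador -o json` and `kubectl get mappings,tcpmappings -A -o json` produce; the JSON embedded here is constructed to mirror the manifests above, plus two deliberately wrong entries (a `grafana` Mapping whose host port is not a nodePort, and a `redis` Service port with no TCPMapping behind it). It assumes the short `name[.namespace][:port]` reference form used on this page, integer targetPort values, and that 8080/8443 are the gateway's HTTP/HTTPS listener ports as in the Service above.

```python
"""
Cross-check the Ambassador NodePort Service against the Mapping and TCPMapping
resources that route through it. Example added to this post, not Ambassador's
own tooling. The JSON below is constructed (not captured from a cluster) in the
shape of:

    kubectl get svc ambassador -o json
    kubectl get mappings,tcpmappings -A -o json

Assumptions: service references use the short "name[.namespace][:port]" form,
targetPort values are integers, and 8080/8443 are the gateway's HTTP/HTTPS
listener ports (as in the Service on the page).
"""
import json
import re

HTTP_LISTENER_TARGETS = {8080, 8443}  # assumption: the gateway's http/https targetPorts

SERVICE_JSON = """{"apiVersion": "v1", "kind": "Service",
 "metadata": {"name": "ambassador", "namespace": "default"},
 "spec": {"type": "NodePort", "externalTrafficPolicy": "Local",
  "selector": {"service": "ambassador"},
  "ports": [
   {"name": "http", "port": 80, "targetPort": 8080, "nodePort": 30080, "protocol": "TCP"},
   {"name": "https", "port": 443, "targetPort": 8443, "nodePort": 30443, "protocol": "TCP"},
   {"name": "mysql-rw", "port": 33306, "targetPort": 33306, "nodePort": 30306, "protocol": "TCP"},
   {"name": "mysql-r", "port": 33307, "targetPort": 33307, "nodePort": 30307, "protocol": "TCP"},
   {"name": "redis", "port": 36379, "targetPort": 36379, "nodePort": 30379, "protocol": "TCP"}]}}"""

MAPPINGS_JSON = """{"apiVersion": "v1", "kind": "List", "items": [
 {"apiVersion": "getambassador.io/v1", "kind": "Mapping", "metadata": {"name": "weave-scope"},
  "spec": {"prefix": "/", "host": "weave-scope.hh:30080", "service": "weave-scope-app.weave:80", "use_websocket": true}},
 {"apiVersion": "getambassador.io/v1", "kind": "Mapping", "metadata": {"name": "mysql-operator"},
  "spec": {"prefix": "/", "host": "mysql-operator.hh:30080", "service": "mysql-operator:80"}},
 {"apiVersion": "getambassador.io/v1", "kind": "Mapping", "metadata": {"name": "grafana"},
  "spec": {"prefix": "/", "host": "grafana.hh:30090", "service": "grafana.monitoring:3000"}},
 {"apiVersion": "getambassador.io/v1", "kind": "TCPMapping", "metadata": {"name": "mysql-rw"},
  "spec": {"port": 33306, "service": "my-cluster-mysql-master:3306"}},
 {"apiVersion": "getambassador.io/v1", "kind": "TCPMapping", "metadata": {"name": "mysql-r"},
  "spec": {"port": 33307, "service": "my-cluster-mysql.mysql:3306"}}]}"""

REF_RE = re.compile(r"^(?P<name>[^.:]+)(?:\.(?P<ns>[^:]+))?(?::(?P<port>\d+))?$")


def parse_service_ref(ref):
    """Split 'name[.namespace][:port]' into (name, namespace or None, port; default 80)."""
    m = REF_RE.match(ref)
    if not m:
        raise ValueError(f"unsupported service reference: {ref!r}")
    port = int(m.group("port")) if m.group("port") else 80
    return m.group("name"), m.group("ns"), port


def check_gateway(service, items):
    """Return a list of findings; an empty list means the Service and mappings agree."""
    findings = []
    ports = service["spec"]["ports"]
    node_ports = {p["nodePort"] for p in ports}
    target_ports = {p.get("targetPort", p["port"]) for p in ports}
    tcp_listeners = set()  # targetPorts that some TCPMapping actually listens on

    for item in items:
        kind, name, spec = item["kind"], item["metadata"]["name"], item["spec"]
        _, namespace, _ = parse_service_ref(spec["service"])
        if namespace is None:
            findings.append(f"{kind}/{name}: service {spec['service']!r} has no namespace, "
                            "so it resolves in the gateway's own namespace")
        if kind == "TCPMapping":
            if spec["port"] in target_ports:
                tcp_listeners.add(spec["port"])
            else:
                findings.append(f"TCPMapping/{name}: listens on {spec['port']} but no Service "
                                "port targets it, so the mapping is unreachable")
        elif kind == "Mapping" and ":" in spec.get("host", ""):
            host_port = int(spec["host"].rsplit(":", 1)[1])
            if host_port not in node_ports:
                findings.append(f"Mapping/{name}: host {spec['host']!r} carries port {host_port}, "
                                "which is not a nodePort of the Service, so the Host header never matches")

    # Every NodePort is open on every node: flag TCP ports that nothing listens behind.
    for p in ports:
        target = p.get("targetPort", p["port"])
        if target not in HTTP_LISTENER_TARGETS and target not in tcp_listeners:
            findings.append(f"Service port {p['name']}: nodePort {p['nodePort']} is exposed on every "
                            f"node but no TCPMapping listens on targetPort {target}; remove it")
    return findings


def run_check():
    """Load the constructed JSON and return the findings (swap in real kubectl output to use it)."""
    service = json.loads(SERVICE_JSON)
    items = json.loads(MAPPINGS_JSON)["items"]
    return check_gateway(service, items)


if __name__ == "__main__":
    for finding in run_check():
        print(finding)
```

Run against the constructed input it reports four findings: the two mappings on the page whose service reference lacks a namespace (`mysql-operator`, `mysql-rw`), the constructed `grafana` host port that no nodePort serves, and the constructed `redis` nodePort that is open on every node with nothing behind it. The last check is the one the diag page cannot give you, and each unused NodePort is one more hole that should be closed.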
gzip compression
apiVersion: getambassador.io/v1
kind: Module
metadata:
  name: ambassador
spec:
  config:
    gzip:
      memory_level: 2
      min_content_length: 1024
      compression_level: BEST
      compression_strategy: RLE
      content_type:
      - application/javascript
      - application/json
      - text/plain
      - text/css
      - application/x-javascript
      - image/svg+xml
      - application/xhtml+xml
      disable_on_etag_header: false
      remove_accept_encoding_header: false
TLS
- For the exact procedure see the official site; I will not repeat it here
- There is a big pitfall here: once TLS is deployed, plain HTTP is no longer usable (it cannot be reached)
- If you want to serve both TLS and non-TLS traffic, you need to deploy two sets