I. Ingress and Pods
1. Relationship between Pods and Ingress
• They are linked through a Service
• The Ingress Controller implements load balancing for Pods, supporting both layer-4 TCP/UDP and layer-7 HTTP
An Ingress only defines rules; the actual load-balancing service is provided by the Ingress Controller.

Access flow: user ---> Ingress Controller (Node) ---> Service ---> Pod
2. Deploying the Ingress Controller
Deployment documentation: https://github.com/kubernetes/ingress-nginx/blob/master/docs/deploy/index.md
# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml
Notes:
• Number of Pod replicas: replicas: 3
• Change the image to a domestic (China) mirror: lizhenliang/nginx-ingress-controller:0.20.0
• Use the host network: hostNetwork: true
# kubectl create -f mandatory.yaml
# kubectl get ns
# kubectl get pods -n ingress-nginx
II. Ingress HTTP website test
# kubectl get svc
NAME            TYPE       CLUSTER-IP   EXTERNAL-IP   PORT(S)        AGE
nginx-service   NodePort   10.0.0.138   <none>        80:43431/TCP   8d
Create an Ingress rule:
Host name foo.bar.com is forwarded to the nginx-service Service
# cat ingress01.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: simple-fanout-example
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-service
          servicePort: 80
Create it and check:
# kubectl apply -f ingress01.yaml
# kubectl get ingress
NAME                    HOSTS         ADDRESS   PORTS   AGE
simple-fanout-example   foo.bar.com             80      5m47s
Then add a DNS record for foo.bar.com (or a local hosts entry) and open the host name in a browser.
The Ingress Controller runs an nginx-ingress-controller process that watches Service resources through the apiserver and updates the nginx.conf configuration file in real time.
III. Ingress HTTPS website test
For HTTPS you only need to define the TLS certificate (CRT and key) in the yaml file:
1. Issue a certificate for the host name
Script that creates a CA and issues a certificate for the host name:
# cat certs.sh
#!/bin/bash
## Define a CA
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
cat > ca-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF
## Create the CA
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
## Issue a certificate for sslexample.foo.com signed by the CA defined above.
## "hosts" becomes the certificate's Subject Alternative Name list; leave it
## empty and cfssl warns the certificate is unsuitable for websites, because
## browsers match the host name against the SAN, not the CN.
cat > sslexample.foo.com-csr.json <<EOF
{
  "CN": "sslexample.foo.com",
  "hosts": ["sslexample.foo.com"],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes sslexample.foo.com-csr.json | cfssljson -bare sslexample.foo.com
# bash certs.sh
# ls sslexample.foo.com*.pem
sslexample.foo.com-key.pem  sslexample.foo.com.pem
2. Store the certificate PEM files in a Secret
# kubectl create secret tls sslexample-foo-com --cert=sslexample.foo.com.pem --key=sslexample.foo.com-key.pem
# kubectl get secret
NAME                 TYPE                DATA   AGE
sslexample-foo-com   kubernetes.io/tls   2      39m
3. Create the Ingress rule
Create the yaml configuration file for the Ingress rule:
# cat ingress-sslexample-foo-com-https.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tls-example-ingress
spec:
  tls:
  - hosts:
    - sslexample.foo.com
    secretName: sslexample-foo-com
  rules:
  - host: sslexample.foo.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-service
          servicePort: 80
Create it:
# kubectl create -f ingress-sslexample-foo-com-https.yaml
# kubectl get ingress
NAME                    HOSTS                ADDRESS   PORTS     AGE
simple-fanout-example   foo.bar.com                    80        42h
tls-example-ingress     sslexample.foo.com             80, 443   3m42s
Note: the certificate referenced in the yaml file must match the host name; otherwise Kubernetes automatically creates a certificate for you.
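As an added pre-flight check (not part of the original notes), the POSIX shell script below verifies, before running kubectl create secret tls, that the private key really belongs to the certificate and that the certificate covers the host used in the Ingress rule; it assumes openssl is installed, and the script name tls-preflight.sh and the function names are my own. A certificate issued from a CSR with an empty hosts list has no SAN, so the host check falls back to the CN in that case but prints a warning, since browsers will not accept it.

```shell
#!/bin/sh
# Added example: pre-flight check for an Ingress TLS pair (assumes openssl).
# Catches the two mistakes behind the "certificate must match the host" note:
# a key that does not belong to the cert, and a cert that does not cover the host.
set -eu

# cert_key_match CERT KEY: succeed if the public key embedded in CERT equals
# the public key derived from KEY.
cert_key_match() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_covers_host CERT HOST: succeed if HOST is a SAN DNS entry. A certificate
# issued from a CSR with an empty "hosts" list has no SAN at all; fall back to
# the CN for those, but warn, because browsers ignore the CN.
cert_covers_host() {
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
  pat=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for grep -E
  if printf '%s\n' "$text" | grep -q 'Subject Alternative Name'; then
    printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' \
      | grep -qE "DNS:$pat(,|$)"
  else
    echo "WARN: $1 has no SAN; browsers will not trust it for $2" >&2
    printf '%s\n' "$text" | grep -E '^ *Subject:' | grep -qE "CN *= *$pat(,|/|$)"
  fi
}

# check_tls_pair CERT KEY HOST: run both checks, report, return 1 on any failure.
check_tls_pair() {
  rc=0
  if cert_key_match "$1" "$2"; then echo "OK: $2 matches $1"
  else echo "FAIL: $2 does not match $1"; rc=1; fi
  if cert_covers_host "$1" "$3"; then echo "OK: $1 covers $3"
  else echo "FAIL: $1 does not cover $3"; rc=1; fi
  return $rc
}

# Usage: sh tls-preflight.sh sslexample.foo.com.pem sslexample.foo.com-key.pem sslexample.foo.com
if [ $# -eq 3 ]; then
  check_tls_pair "$1" "$2" "$3"
fi
```

Run it against the PEM files produced by certs.sh; a non-zero exit means the Secret would not serve the host correctly and the controller would fall back to its own certificate.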
Summary:
Ingress
1. Layer-4 and layer-7 load-balanced forwarding
2. Supports custom Service access policies
3. Only supports host-name-based website access
4. Supports TLS
User -> host name -> load balancer -> Ingress Controller (Node) -> Pod