
K8s Ingress: Introduction to the Pattern, with an Example


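Note:

This article assumes the reader has some k8s background and is familiar with basic concepts such as the k8s apiserver, service, and controller manager.

Introduction to the pattern:

The Ingress pattern adds an ingress layer in front of the service. The structure is as follows: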

                            ingress ->   service    -> label selector -> pods
                        www.ok1.com -> app1-service -> app1 selector  -> app1 1234
Port:80 or other   ->  www.ok2.com -> app2-service -> app2 selector  -> app2 3456

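Advantages of the Ingress pattern

It adds layer-7 awareness, so requests can be routed and forwarded based on the HTTP header, path, and so on.

Disadvantages of the pattern

Complexity increases considerably.

Understanding how Ingress is implemented

The Ingress implementation has two parts: the Ingress Controller and the Ingress.
The Ingress Controller is the traffic entry point. It is an actual piece of software, usually Nginx or Haproxy (less commonly used).
The Ingress describes the concrete routing rules.
The Ingress Controller watches the /ingresses resource on the API server and applies changes in real time.
An Ingress describes the routing rules for one or more domain names and exists as an ingress resource.

In short: the Ingress describes the routing rules, and the Ingress Controller implements them in real time.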

Example:


Set up the k8s cluster environment.

Create the backend test app and service. This example uses the ikubernetes/myapp:v2 image.

more deploy-demo.yaml

apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: default
spec:
  selector:
    app: myapp
    release: canary
  ports:
  - name: http
    targetPort: 80
    port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deploy
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v2
        ports:
        - name: http
          containerPort: 80

Create the Ingress and Ingress Controller environment.

Download and deploy:

wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml

By default, default-http-backend uses the image gcr.io/google_containers/defaultbackend:1.4
Because that registry is blocked by the Great Firewall, change it to: registry.cn-hangzhou.aliyuncs.com/google_containers/defaultbackend:1.4

kubectl apply -f mandatory.yaml

Verify:

kubectl get pods -n ingress-nginx
NAME                                       READY     STATUS    RESTARTS   AGE
default-http-backend-5ccf4689c5-tc4mr      1/1       Running   0          19m
nginx-ingress-controller-5b6864749-5kcc9   1/1       Running   0          19m

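Create service-nodeport

Download and deploy:

wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/baremetal/service-nodeport.yaml

Edit the YAML file and add nodePort settings so that the otherwise random ports are fixed.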
more service-nodeport.yaml

apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
    nodePort: 30080
  - name: https
    port: 443
    targetPort: 443
    protocol: TCP
    nodePort: 30443
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

Configure the Ingress to expose the service, which completes the goal of the example.

more ingress-myapp.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: www.ok.com
    http:
      paths:
      - path:
        backend:
          serviceName: myapp
          servicePort: 80 

Test:
Edit the local hosts file, then access the site.

Configure HTTPS:

Generate the certificate:

openssl genrsa -out tls.key 2048
openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=tomcat.ok.com

Convert the certificate and key into a Secret:

kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key
kubectl get secret
kubectl describe secret tomcat-ingress-secret

more tomcat-demo.yaml

apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: default
spec:
  selector:
    app: tomcat
    release: canary
  ports:
  - name: http
    targetPort: 8080
    port: 8080
  - name: ajp
    targetPort: 8009
    port: 8009
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: tomcat
      release: canary
  template:
    metadata:
      labels:
        app: tomcat
        release: canary
    spec:
      containers:
      - name: tomcat
        image: tomcat:latest
        ports:
        - name: http
          containerPort: 8080
        - name: ajp
          containerPort: 8009

more ingress-tomcat-tls.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat-tls
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - tomcat.ok.com
    secretName: tomcat-ingress-secret
  rules:
  - host: tomcat.ok.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080 

Test:
Later, a layer-4 or layer-7 load balancer can be added in front of it to achieve high availability.
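
The routing and TLS coverage set up by the two Ingress objects above, as an added example (not part of the original post and not ingress-nginx code): a simplified Python model of how a controller maps the Host header and path to a backend, plus a check that lists rule hosts no tls: section covers. The default backend's port and the longest-prefix path matching are assumptions of this sketch.

```python
# Added illustration: a simplified model of host/path matching, not ingress-nginx code.
# The two rule sets mirror ingress-myapp.yaml and ingress-tomcat-tls.yaml from this page.
INGRESSES = [
    {"name": "ingress-myapp", "tls": [],
     "rules": [{"host": "www.ok.com",
                "paths": [{"path": None, "service": "myapp", "port": 80}]}]},
    {"name": "ingress-tomcat-tls",
     "tls": [{"hosts": ["tomcat.ok.com"], "secretName": "tomcat-ingress-secret"}],
     "rules": [{"host": "tomcat.ok.com",
                "paths": [{"path": None, "service": "tomcat", "port": 8080}]}]},
]
DEFAULT_BACKEND = ("default-http-backend", 80)  # port is an assumption of this sketch


def resolve(ingresses, host_header, path="/"):
    """Return (service, port) for a request, or the default backend if no rule matches."""
    host = host_header.split(":")[0].lower()   # drop a ":30080" style NodePort suffix
    best = None
    for ing in ingresses:
        for rule in ing["rules"]:
            if rule["host"].lower() != host:
                continue
            for p in rule["paths"]:
                prefix = p["path"] or "/"      # an empty "path:" matches every request
                if path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
                    best = (prefix, p["service"], p["port"])  # longest prefix wins
    return (best[1], best[2]) if best else DEFAULT_BACKEND


def tls_secret_for(ingresses, host):
    """Return the secretName whose tls: entry lists host, or None if there is none."""
    for ing in ingresses:
        for entry in ing["tls"]:
            if host.lower() in (h.lower() for h in entry["hosts"]):
                return entry["secretName"]
    return None


def plaintext_hosts(ingresses):
    """Audit helper: rule hosts that no tls: section covers."""
    hosts = {r["host"] for ing in ingresses for r in ing["rules"]}
    return sorted(h for h in hosts if tls_secret_for(ingresses, h) is None)


if __name__ == "__main__":
    print(resolve(INGRESSES, "www.ok.com:30080"))   # NodePort access from the example
    print(resolve(INGRESSES, "unknown.example"))    # no rule, falls to default backend
    print(plaintext_hosts(INGRESSES))               # hosts without a TLS secret
```

Running the audit helper over the page's two Ingress objects reports www.ok.com as the host without a TLS secret, since only ingress-tomcat-tls carries a tls: section.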

References:

https://github.com/kubernetes/ingress-nginx/tree/master/deploy
https://kubernetes.github.io/ingress-nginx/deploy/
https://www.jianshu.com/p/189fab1845c5
