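K8s Ingress: Introduction and Examples
This article assumes the reader has a basic knowledge of k8s and some understanding of core concepts such as the apiserver, services and the controller manager.
Overview of the model:
Ingress adds an ingress layer in front of the service. The structure is as follows: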
                    ingress     -> service      -> label selector -> pods
                    www.ok1.com -> app1-service -> app1 selector  -> app1 1234
Port:80 or other ->
                    www.ok2.com -> app2-service -> app2 selector  -> app2 3456
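Advantages of the Ingress model
It adds layer-7 awareness, so traffic can be routed based on the HTTP header, path, and so on.
Disadvantages
Complexity increases considerably.
Understanding how Ingress is implemented
The Ingress implementation has two parts: the Ingress Controller and the Ingress.
The Ingress Controller is the traffic entry point. It is an actual piece of software, usually Nginx or HAProxy (less commonly used).
The Ingress describes the concrete routing rules.
The Ingress Controller watches the /ingresses resource on the api server and applies changes in real time.
An Ingress describes the routing rules for one or more domain names and exists as an ingress resource.
Example:
Architecture diagram:
Complete the k8s cluster setup.
Create the backend test app and service. This example uses the ikubernetes/myapp:v2 image.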
more deploy-demo.yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: default
spec:
  selector:
    app: myapp
    release: canary
  ports:
  - name: http
    targetPort: 80
    port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deploy
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v2
        ports:
        - name: http
          containerPort: 80
Set up the Ingress and Ingress Controller environment.
Download and deploy:
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml
default-http-backend uses this image by default: gcr.io/google_containers/defaultbackend:1.4
Because that registry is blocked, change it to: registry.cn-hangzhou.aliyuncs.com/google_containers/defaultbackend:1.4
kubectl apply -f mandatory.yaml
Check:
kubectl get pods -n ingress-nginx
NAME                                       READY   STATUS    RESTARTS   AGE
default-http-backend-5ccf4689c5-tc4mr      1/1     Running   0          19m
nginx-ingress-controller-5b6864749-5kcc9   1/1     Running   0          19m
Create service-nodeport
Download and deploy:
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml
Edit the YAML file to add nodePort settings, so that the otherwise random ports are fixed.
more service-nodeport.yaml
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
    nodePort: 30080
  - name: https
    port: 443
    targetPort: 443
    protocol: TCP
    nodePort: 30443
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
Configure the Ingress to expose the service, completing the goal of the example.
more ingress-myapp.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: www.ok.com
    http:
      paths:
      - path:
        backend:
          serviceName: myapp
          servicePort: 80
Test:
Edit the local hosts file. A screenshot of the access result follows:
Configure HTTPS:
Generate the certificate:
openssl genrsa -out tls.key 2048
openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=tomcat.ok.com
Convert the format (into a TLS secret):
kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key
kubectl get secret
kubectl describe secret tomcat-ingress-secret
more tomcat-demo.yaml
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: default
spec:
  selector:
    app: tomcat
    release: canary
  ports:
  - name: http
    targetPort: 8080
    port: 8080
  - name: ajp
    targetPort: 8009
    port: 8009
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: tomcat
      release: canary
  template:
    metadata:
      labels:
        app: tomcat
        release: canary
    spec:
      containers:
      - name: tomcat
        image: tomcat:latest
        ports:
        - name: http
          containerPort: 8080
        - name: ajp
          containerPort: 8009
more ingress-tomcat-tls.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat-tls
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - tomcat.ok.com
    secretName: tomcat-ingress-secret
  rules:
  - host: tomcat.ok.com
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080
Test:
A layer-4 or layer-7 load balancer can later be added in front of it to achieve high availability.
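A pre-flight check for the tls.crt / tls.key pair from the HTTPS section, meant to be run before `kubectl create secret tls`, so that a key mismatch, a host mismatch or a near-expiry certificate is caught before the test step. This is an added example, not part of the original article; the function names check_tls_pair and make_demo_pair are assumptions, and the sample pair is constructed with the article's own two openssl commands.

```shell
#!/bin/sh
# Added example: validate the files passed to `kubectl create secret tls`.
# Function names are assumptions made for this example.

# check_tls_pair CERT KEY HOST [MIN_SECONDS_LEFT]
# Returns 0 if the pair is usable for HOST, otherwise
#   1 = certificate and private key do not belong together
#   2 = HOST is not covered by the certificate
#   3 = certificate expires within MIN_SECONDS_LEFT
check_tls_pair() {
    crt=$1 key=$2 host=$3 min_left=${4:-604800}   # default: 7 days

    # 1. The certificate must carry the public half of this private key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$crt_pub" = "$key_pub" ] || return 1

    # 2. The Ingress host must match the certificate
    #    (subjectAltName, or the CN when no SAN is present).
    openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null |
        grep -q 'does match' || return 2

    # 3. `openssl req -x509` without -days issues a 30-day certificate,
    #    so check how much validity is left.
    openssl x509 -in "$crt" -noout -checkend "$min_left" >/dev/null 2>&1 ||
        return 3
    return 0
}

# make_demo_pair DIR CN
# Constructed sample input: a throwaway key and self-signed certificate
# built with the same two commands the article uses.
make_demo_pair() {
    openssl genrsa -out "$1/tls.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/tls.key" -out "$1/tls.crt" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=$2" 2>/dev/null
}
```

Typical use: `check_tls_pair tls.crt tls.key tomcat.ok.com && kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key`, where the host argument is the one listed under `tls.hosts` in ingress-tomcat-tls.yaml.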