kubernetes系列09—Ingress控制器详解
本文收录在容器技术学习系列文章总目录
1、认识Ingress
1.1 什么是Ingress?
通常情况下,service和pod仅可在集群内部网络中通过IP地址访问。所有到达边界路由器的流量或被丢弃或被转发到其他地方。从概念上讲,可能像下面这样:
- internet
- |
- ------------
- [ Services ]
Ingress是授权入站连接到达集群服务的规则集合。
- internet
- |
- [ Ingress ]
- --|-----|--
- [ Services ]
你可以给Ingress配置提供外部可访问的URL、负载均衡、SSL、基于名称的虚拟主机等。用户通过POST Ingress资源到API server的方式来请求ingress。 Ingress controller负责实现Ingress,通常使用负载平衡器,它还可以配置边界路由和其他前端,这有助于以HA方式处理流量。
1.2 Ingress工作示意图
1.3先决条件
在使用Ingress resource之前,有必要先了解下面几件事情。Ingress是beta版本的resource,在kubernetes1.1之前还没有。你需要一个Ingress Controller来实现Ingress,单纯的创建一个Ingress没有任何意义。
GCE/GKE会在master节点上部署一个ingress controller。你可以在一个pod中部署任意个自定义的ingress controller。你必须正确地annotate每个ingress,比如 运行多个ingress controller 和 关闭glbc.
确定你已经阅读了Ingress controller的beta版本限制。在非GCE/GKE的环境中,你需要在pod中部署一个controller。
1.4 Ingress定义资源清单几个字段
- apiVersion: v1 版本
- kind: Ingress 类型
- metadata 元数据
- spec 期望状态
- backend: 默认后端,能够处理与任何规则不匹配的请求
- rules:用于配置Ingress的主机规则列表
- tls:目前Ingress仅支持单个TLS端口443
- status 当前状态
2、部署一个Ingress
(1)在gitlab上下载yaml文件,并创建部署
gitlab ingress-nginx项目:https://github.com/kubernetes/ingress-nginx
ingress安装指南:https://kubernetes.github.io/ingress-nginx/deploy/
因为需要拉取镜像,所以需要等一段时间
- ---下载需要的yaml文件
- [root@master ingress-nginx]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml
- ---查询下载成功
- [root@master ingress-nginx]# ls
- mandatory.yaml
- ---创建ingress
- [root@master ingress-nginx]# kubectl apply -f mandatory.yaml
- namespace/ingress-nginx created
- configmap/nginx-configuration created
- configmap/tcp-services created
- configmap/udp-services created
- serviceaccount/nginx-ingress-serviceaccount created
- clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole created
- role.rbac.authorization.k8s.io/nginx-ingress-role created
- rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding created
- clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding created
- deployment.apps/nginx-ingress-controller created
(2)如果是裸机,还需要安装service
- [root@master ingress-nginx]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/baremetal/service-nodeport.yaml
- [root@master ingress-nginx]# kubectl apply -f service-nodeport.yaml
- service/ingress-nginx created
(3)验证
- ---查询生产的pod
- [root@master ~]# kubectl get pods -n ingress-nginx
- NAME READY STATUS RESTARTS AGE
- nginx-ingress-controller-648c7bb65b-df9qz 1/1 Running 0 34m
- ---查询生产的svc
- [root@master ingress-nginx]# kubectl get svc -n ingress-nginx
- NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
- ingress-nginx NodePort 10.109.244.123 <none> 80:30080/TCP,443:30443/TCP 21s
- ---查询svc的详细信息
- [root@master ~]# kubectl describe svc ingress-nginx -n ingress-nginx
- Name: ingress-nginx
- Namespace: ingress-nginx
- Labels: app.kubernetes.io/name=ingress-nginx
- app.kubernetes.io/part-of=ingress-nginx
- Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app.kubernetes.io/name":"ingress-nginx","app.kubernetes.io/part-of":"ingres...
- Selector: app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx
- Type: NodePort
- IP: 10.111.143.90
- Port: http 80/TCP
- TargetPort: 80/TCP
- NodePort: http 30080/TCP
- Endpoints: 10.244.1.104:80
- Port: https 443/TCP
- TargetPort: 443/TCP
- NodePort: https 30443/TCP
- Endpoints: 10.244.1.104:443
- Session Affinity: None
- External Traffic Policy: Cluster
- Events: <none>
3、创建Ingress,代理到后端nginx服务
3.1 准备后端pod和service
(1)编写yaml文件,并创建
创建3个nginx服务的pod,并创建一个service绑定
- [root@master ingress]# vim deploy-damo.yaml
- apiVersion: v1
- kind: Service
- metadata:
- name: myapp
- namespace: default
- spec:
- selector:
- app: myapp
- release: canary
- ports:
- - name: http
- targetPort: 80
- port: 80
- ---
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- name: myapp-deploy
- namespace: default
- spec:
- replicas: 3
- selector:
- matchLabels:
- app: myapp
- release: canary
- template:
- metadata:
- labels:
- app: myapp
- release: canary
- spec:
- containers:
- - name: myapp
- image: ikubernetes/myapp:v2
- ports:
- - name: http
- containerPort: 80
- [root@master ingress]# kubectl apply -f deploy-damo.yaml
- service/myapp created
- deployment.apps/myapp-deploy created
(2)查询验证
- [root@master ~]# kubectl get svc
- NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
- kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 146d
- myapp ClusterIP 10.103.137.126 <none> 80/TCP 6s
- [root@master ~]# kubectl get pods
- NAME READY STATUS RESTARTS AGE
- myapp-deploy-67f6f6b4dc-2vzjn 1/1 Running 0 14s
- myapp-deploy-67f6f6b4dc-c7f76 1/1 Running 0 14s
- myapp-deploy-67f6f6b4dc-x79hc 1/1 Running 0 14s
- [root@master ~]# kubectl describe svc myapp
- Name: myapp
- Namespace: default
- Labels: <none>
- Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"name":"myapp","namespace":"default"},"spec":{"ports":[{"name":"http","port":80,"targe...
- Selector: app=myapp,release=canary
- Type: ClusterIP
- IP: 10.103.137.126
- Port: http 80/TCP
- TargetPort: 80/TCP
- Endpoints: 10.244.1.102:80,10.244.1.103:80,10.244.2.109:80
- Session Affinity: None
- Events: <none>
3.2 创建ingress,绑定后端nginx服务
(1)编写yaml文件,并创建
- [root@master ingress]# vim ingress-myapp.yaml
- apiVersion: extensions/v1beta1
- kind: Ingress
- metadata:
- name: ingress-myapp
- namespace: default
- spec:
- rules:
- - host: myapp.along.com
- http:
- paths:
- - path:
- backend:
- serviceName: myapp
- servicePort: 80
- [root@master ingress]# kubectl apply -f ingress-myapp.yaml
- ingress.extensions/ingress-myapp created
(2)查询验证
- [root@master ~]# kubectl get ingress
- NAME HOSTS ADDRESS PORTS AGE
- ingress-myapp myapp.along.com 80 140d
- [root@master ~]# kubectl describe ingress ingress-myapp
- Name: ingress-myapp
- Namespace: default
- Address:
- Default backend: default-http-backend:80 (<none>)
- Rules:
- Host Path Backends
- ---- ---- --------
- myapp.along.com
- myapp:80 (<none>)
- Annotations:
- kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{},"name":"ingress-myapp","namespace":"default"},"spec":{"rules":[{"host":"myapp.along.com","http":{"paths":[{"backend":{"serviceName":"myapp","servicePort":80},"path":null}]}}]}}
- Events:
- Type Reason Age From Message
- ---- ------ ---- ---- -------
- Normal CREATE 37s nginx-ingress-controller Ingress default/ingress-myapp
(3)在集群外,查询服务验证
① 可以先修改一下主机的hosts,因为不是公网域名
192.168.130.103 myapp.along.com
② 访问业务成功
4、创建Ingress,代理到后端tomcat服务
4.1 准备后端pod和service
(1)编写yaml文件,并创建
创建3个tomcat服务的pod,并创建一个service绑定
- [root@master ingress]# vim tomcat-deploy.yaml
- apiVersion: v1
- kind: Service
- metadata:
- name: tomcat
- namespace: default
- spec:
- selector:
- app: tomcat
- release: canary
- ports:
- - name: http
- targetPort: 8080
- port: 8080
- - name: ajp
- targetPort: 8009
- port: 8009
- ---
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- name: tomcat-deploy
- namespace: default
- spec:
- replicas: 3
- selector:
- matchLabels:
- app: tomcat
- release: canary
- template:
- metadata:
- labels:
- app: tomcat
- release: canary
- spec:
- containers:
- - name: tomcat
- image: tomcat:8.5.37-jre8-alpine
- ports:
- - name: http
- containerPort: 8080
- - name: ajp
- containerPort: 8009
- [root@master ingress]# kubectl apply -f tomcat-deploy.yaml
- service/tomcat created
- deployment.apps/tomcat-deploy created
(2)查询验证
- [root@master ~]# kubectl get pods
- NAME READY STATUS RESTARTS AGE
- tomcat-deploy-97d6458c5-hrmrw 1/1 Running 0 1m
- tomcat-deploy-97d6458c5-ngxxx 1/1 Running 0 1m
- tomcat-deploy-97d6458c5-xchgn 1/1 Running 0 1m
- [root@master ~]# kubectl get svc
- NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
- kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 146d
- tomcat ClusterIP 10.98.193.252 <none> 8080/TCP,8009/TCP 1m
4.2 创建ingress,绑定后端tomcat服务
(1)编写yaml文件,并创建
- [root@master ingress]# vim ingress-tomcat.yaml
- apiVersion: extensions/v1beta1
- kind: Ingress
- metadata:
- name: ingress-tomcat
- namespace: default
- spec:
- rules:
- - host: tomcat.along.com
- http:
- paths:
- - path:
- backend:
- serviceName: tomcat
- servicePort: 8080
- [root@master ingress]# kubectl apply -f ingress-tomcat.yaml
- ingress.extensions/ingress-tomcat created
(2)查询验证
- [root@master ~]# kubectl get ingress
- NAME HOSTS ADDRESS PORTS AGE
- ingress-myapp myapp.along.com 80 17m
- ingress-tomcat tomcat.along.com 80 6s
- [root@master ~]# kubectl describe ingress ingress-tomcat
- Name: ingress-tomcat
- Namespace: default
- Address:
- Default backend: default-http-backend:80 (<none>)
- Rules:
- Host Path Backends
- ---- ---- --------
- tomcat.along.com
- tomcat:8080 (<none>)
- Annotations:
- kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{},"name":"ingress-tomcat","namespace":"default"},"spec":{"rules":[{"host":"tomcat.along.com","http":{"paths":[{"backend":{"serviceName":"tomcat","servicePort":8080},"path":null}]}}]}}
- Events:
- Type Reason Age From Message
- ---- ------ ---- ---- -------
- Normal CREATE 17s nginx-ingress-controller Ingress default/ingress-tomcat
(3)在集群外,查询服务验证
① 可以先修改一下主机的hosts,因为不是公网域名
192.168.130.103 tomcat.along.com
② 访问业务成功
4.3 使用https协议访问服务
4.3.1 创建证书、私钥和secret
(1)创建私钥
- [root@master ingress]# openssl genrsa -out tls.key 2048
- Generating RSA private key, 2048 bit long modulus
- .............................................+++
- ...............+++
- e is 65537 (0x10001)
- [root@master ingress]# ls *key
- tls.key
(2)创建证书
- [root@master ingress]# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=tomcat.along.com
- [root@master ingress]# ls tls.*
- tls.crt tls.key
(3)创建secret
- [root@master ingress]# kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key
- secret/tomcat-ingress-secret created
- [root@master ingress]# kubectl get secret
- NAME TYPE DATA AGE
- tomcat-ingress-secret kubernetes.io/tls 2 8s
- [root@master ingress]# kubectl describe secret tomcat-ingress-secret
- Name: tomcat-ingress-secret
- Namespace: default
- Labels: <none>
- Annotations: <none>
- Type: kubernetes.io/tls
- Data
- ====
- tls.key: 1675 bytes
- tls.crt: 1294 bytes
4.3.2 重新创建ingress,使用https协议绑定后端tomcat服务
(1)编写yaml文件,并创建
- [root@master ingress]# vim ingress-tomcat-tls.yaml
- apiVersion: extensions/v1beta1
- kind: Ingress
- metadata:
- name: ingress-tomcat-tls
- namespace: default
- spec:
- tls:
- - hosts:
- - tomcat.along.com
- secretName: tomcat-ingress-secret
- rules:
- - host: tomcat.along.com
- http:
- paths:
- - path:
- backend:
- serviceName: tomcat
- servicePort: 8080
(2)查询验证
- [root@master ~]# kubectl get ingress
- NAME HOSTS ADDRESS PORTS AGE
- ingress-myapp myapp.along.com 80 34m
- ingress-tomcat tomcat.along.com 80 16m
- ingress-tomcat-tls tomcat.along.com 80, 443 8s
- [root@master ~]# kubectl describe ingress ingress-tomcat-tls
- Name: ingress-tomcat-tls
- Namespace: default
- Address:
- Default backend: default-http-backend:80 (<none>)
- TLS:
- tomcat-ingress-secret terminates tomcat.along.com
- Rules:
- Host Path Backends
- ---- ---- --------
- tomcat.along.com
- tomcat:8080 (<none>)
- Annotations:
- kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{},"name":"ingress-tomcat-tls","namespace":"default"},"spec":{"rules":[{"host":"tomcat.along.com","http":{"paths":[{"backend":{"serviceName":"tomcat","servicePort":8080},"path":null}]}}],"tls":[{"hosts":["tomcat.along.com"],"secretName":"tomcat-ingress-secret"}]}}
- Events:
- Type Reason Age From Message
- ---- ------ ---- ---- -------
- Normal CREATE 14s nginx-ingress-controller Ingress default/ingress-tomcat-tls
(3)在集群外,查询服务验证
使用https协议,访问业务成功
kubernetes系列09—Ingress控制器详解的更多相关文章
- kubernetes系列07—Pod控制器详解
本文收录在容器技术学习系列文章总目录 1.Pod控制器 1.1 介绍 Pod控制器是用于实现管理pod的中间层,确保pod资源符合预期的状态,pod的资源出现故障时,会尝试 进行重启,当根据重启策略无 ...
- kubernetes系列10—存储卷详解
本文收录在容器技术学习系列文章总目录 1.认识存储卷 1.1 背景 默认情况下容器中的磁盘文件是非持久化的,容器中的磁盘的生命周期是短暂的,这就带来了一系列的问题:第一,当一个容器损坏之后,kubel ...
- kubernetes系列08—service资源详解
本文收录在容器技术学习系列文章总目录 1.认识service 1.1 为什么要使用service Kubernetes Pod 是有生命周期的,它们可以被创建,也可以被销毁,然而一旦被销毁生命就永远结 ...
- ASP.NET MVC深入浅出系列(持续更新) ORM系列之Entity FrameWork详解(持续更新) 第十六节:语法总结(3)(C#6.0和C#7.0新语法) 第三节:深度剖析各类数据结构(Array、List、Queue、Stack)及线程安全问题和yeild关键字 各种通讯连接方式 设计模式篇 第十二节: 总结Quartz.Net几种部署模式(IIS、Exe、服务部署【借
ASP.NET MVC深入浅出系列(持续更新) 一. ASP.NET体系 从事.Net开发以来,最先接触的Web开发框架是Asp.Net WebForm,该框架高度封装,为了隐藏Http的无状态模 ...
- Kubernetes YAML 文件全字段详解
Kubernetes YAML 文件全字段详解 Deployment yaml 其中主要参数都在podTemplate 中,DaemonSet StatefulSet 中的pod部分一样. apiVe ...
- SpringMVC强大的数据绑定(2)——第六章 注解式控制器详解
SpringMVC强大的数据绑定(2)——第六章 注解式控制器详解 博客分类: 跟开涛学SpringMVC 6.6.2.@RequestParam绑定单个请求参数值 @RequestParam用于 ...
- Hexo系列(三) 常用命令详解
Hexo 框架可以帮助我们快速创建一个属于自己的博客网站,熟悉 Hexo 框架提供的命令有利于我们管理博客 1.hexo init hexo init 命令用于初始化本地文件夹为网站的根目录 $ he ...
- Kubernetes K8S之存储ConfigMap详解
K8S之存储ConfigMap概述与说明,并详解常用ConfigMap示例 主机配置规划 服务器名称(hostname) 系统版本 配置 内网IP 外网IP(模拟) k8s-master CentOS ...
- Kubernetes K8S之存储Volume详解
K8S之存储Volume概述与说明,并详解常用Volume示例 主机配置规划 服务器名称(hostname) 系统版本 配置 内网IP 外网IP(模拟) k8s-master CentOS7.7 2C ...
随机推荐
- BZOJ_1901_Zju2112 Dynamic Rankings_树状数组+主席树
BZOJ_1901_Zju2112 Dynamic Rankings_树状数组+主席树 题意: 给定一个含有n个数的序列a[1],a[2],a[3]……a[n],程序必须回答这样的询问:对于给定的i, ...
- 我和Python的Py交易》》》》》》数据类型
Python里的变量 ---门牌 Python在使用变量之前无须定义它的类型,但是必须声明以及初始化该变量. Python中给变量赋值就是声明,初始化变量(也就是创建一个相应数据类型的对象,而那些数据 ...
- 关于table表格 td里内容较多换行的处理方法
最近在用table的时候由于td内容较多默认换行了,很不美观.于是找到处理方法: 在声明table的时候添加一个样式: <table id="tbOffice" data-r ...
- redis与CPU、内存
任何一个后端应用,包括代码都要考虑对于CPU和内存的影响.redis本质上类似于nodejs,单进程.单线程,事件驱动,但不同的是redis是CPU密集型的.这里列出了redis与内存CPU的相关考虑 ...
- [Inside HotSpot] C1编译器HIR的构造
1. 简介 这篇文章可以说是Christian Wimmer硕士论文Linear Scan Register Allocation for the Java HotSpot™ Client Compi ...
- 大数据技术之_19_Spark学习_03_Spark SQL 应用解析小结
========== Spark SQL ==========1.Spark SQL 是 Spark 的一个模块,可以和 RDD 进行混合编程.支持标准的数据源.可以集成和替代 Hive.可以提供 J ...
- 【机器学习基础】熵、KL散度、交叉熵
熵(entropy).KL 散度(Kullback-Leibler (KL) divergence)和交叉熵(cross-entropy)在机器学习的很多地方会用到.比如在决策树模型使用信息增益来选择 ...
- java游戏开发杂谈 - 创建一个窗体
package game1; import javax.swing.JFrame; /** * java游戏开发杂谈 * ---demo1:创建一个窗体 * * @author 台哥 * @date ...
- Android中一个经典理解误区的剖析
今天,在Q群中有网友(@广州-包晴天)发出了网上的一个相对经典的问题,问题具体见下图. 本来是无意写此文的,但群里多个网友热情不好推却,于是,撰此文予以分析. 从这个问题的陈述中,我们发现,提问者明显 ...
- Springboot 系列(六)Spring Boot web 开发之拦截器和三大组件
1. 拦截器 Springboot 中的 Interceptor 拦截器也就是 mvc 中的拦截器,只是省去了 xml 配置部分.并没有本质的不同,都是通过实现 HandlerInterceptor ...