一、Ingress介绍和安装
1,介绍
Ingress 是对集群中服务的外部访问进行管理的 API 对象,典型的访问方式是 HTTP。Ingress 可以提供负载均衡、SSL 终结和基于名称的虚拟托管。可理解为Ingress 是在 k8s 集群中的 Service 上做了一个 nginx 代理,将所有匹配到的请求转发到对应的 Service 中。
2,安装Ingress-nginx
参考:https://github.com/kubernetes/ingress-nginx/blob/nginx-0.30.0/docs/deploy/index.md
# 下载 mandatory.yaml 。--no-check-certificate:避免“无法建立 SSL 连接”错误 wget --no-check-certificate https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/mandatory.yaml # 查看需要的镜像 cat mandatory.yaml | grep image # 在每个集群节点中拉取 docker 镜像 自行解决 # 创建 Pod kubectl apply -f mandatory.yaml # 查看 Pod。注意 命令空间是:ingress-nginx kubectl get pod -n ingress-nginx # 下载 service-nodeport.yaml wget --no-check-certificate https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/provider/baremetal/service-nodeport.yaml # 创建 svc kubectl apply -f service-nodeport.yaml kubectl get svc -n ingress-nginx
注意:如果出现权限问题。参考文章
二、示例
1,HTTP代理访问
a)创建ingress-http.yaml
apiVersion: extensions/v1beta1 kind: Deployment metadata: name: nginx-deployment spec: replicas: 3 template: metadata: labels: app: nginx-app spec: containers: - name: nginx-container image: hub.xcc.com/my-xcc/my-nginx:v1 imagePullPolicy: IfNotPresent ports: - containerPort: 80 --- apiVersion: v1 kind: Service metadata: name: nginx-svc spec: selector: app: nginx-app ports: - port: 80 targetPort: 80 protocol: TCP --- apiVersion: extensions/v1beta1 kind: Ingress metadata: name: nginx-ing spec: rules: - host: foo.xcc.com http: paths: - path: / backend: serviceName: nginx-svc servicePort: 80
b)执行命令
kubectl apply -f ingress-http.yaml kubectl get deployment kubectl get svc kubectl get pod kubectl get ing
c)访问
#查看ingress-nginx暴露的端口 通过该域名foo.xcc.com:端口 [root@master01 ingress]# kubectl get svc -n ingress-nginx NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE ingress-nginx NodePort 10.116.16.25 <none> 80:30554/TCP,443:30935/TCP 36m
2,HTTPS代理访问
a)创建证书
# 生成证书文件 openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc /O=nginxsvc" #查看文件 ls #创建secret kubectl create secret tls tls-secret --key tls.key --cert tls.crt #查看secret kubectl get secret
b)创建nginx-https-ing.yaml
apiVersion: extensions/v1beta1 kind: Ingress metadata: name: nginx-https-ing spec: tls: - hosts: - foo.bar.com secretName: tls-secret rules: - host: foo.xcc.com http: paths: - path: / backend: serviceName: nginx-svc servicePort: 80
c)执行命令创建
kubectl apply -f nginx-https-ing.yaml
d)访问
#可通过域名https:// foo.xcc.com:端口。查看端口 [root@master01 ingress]# kubectl get svc -n ingress-nginx NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE ingress-nginx NodePort 10.116.16.25 <none> 80:30554/TCP,443:30935/TCP 36m
3,BasicAuth认证
采用访问某一域名是进行账号密码认证
a)创建证书
# 安装 httpd yum -y install httpd # 创建认证账户foo 并设置密码 htpasswd -c auth foo # 创建secret kubectl create secret generic basic-auth --from-file=auth # 查看证书 kubectl get secret
b)创建auth-ing.yaml
apiVersion: extensions/v1beta1 kind: Ingress metadata: name: auth-ing annotations: nginx.ingress.kubernetes.io/auth-type: basic nginx.ingress.kubernetes.io/auth-secret: basic-auth nginx.ingress.kubernetes.io/auth-realm: 'Authenticasion Required - foo' spec: rules: - host: auth.xcc.com http: paths: - path: / backend: serviceName: nginx-svc servicePort: 80
c)执行命令
kubectl apply -f auth-ing.yaml #查看ingress kubectl get ing
d)访问
访问auth.xcc.com:端口,此时需要输入用户名和密码(前面設置的)
#查看端口 [root@master01 ingress]# kubectl get svc -n ingress-nginx NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE ingress-nginx NodePort 10.116.16.25 <none> 80:30554/TCP,443:30935/TCP 36m
三、查看Ingress-Nginx的代理配置
# 查看 ingress-controller pod [root@k8s-master01 ingress]# kubectl get pod -n ingress-nginx NAME READY STATUS RESTARTS AGE nginx-ingress-controller-ab5didia2-eds1d 1/1 Running 0 59m # 进入到 pod 中 [root@k8s-master01 ingress]# kubectl exec nginx-ingress-controller-ab5didia2-eds1d -n ingress-nginx -it /bin/bash # 在容器内 查看里面的 /etc/nginx/nginx.conf 文件 cat /etc/nginx/nginx.conf