Layer 7 Routing Mechanism-Ingress

This article is rather confusing, so I can barely read it.

Ingress concept:

In layman's terms: Ingress, like the Service and Deployment mentioned earlier, is also a k8s resource type. Ingress is used to reach applications inside the k8s cluster by domain name, while Service is better suited to access between services.

Here we use the version maintained by the Kubernetes project; there is also a version maintained officially by NGINX. Which one to use is up to you.

Ingress supports a variety of solutions: including Nginx, Haproxy, Traefik, istio, etc.; in practice, there may be a company's hardware layer proxy on top of Ingress.

The approximate flow chart is as follows:
[Figure: flow chart]

Create an Ingress:

This ingress is created with Helm. I will write an article on using Helm in the future; for now, don't worry about how it works.

I will provide the following resources:

  • Two container image download addresses used by Ingress-nginx:

  • Registry address: registry.cn-hangzhou.aliyuncs.com

  • Images: yyangs/ingress-nginx-controller; yyangs/ingress-nginx-kube-webhook-certgen

  • Chart package link: ingress-nginx-4.0.17

  • First, install Helm (because we will use Helm to create the ingress)

[root@k8s-master01 ~]# wget https://get.helm.sh/helm-v3.8.0-linux-amd64.tar.gz
[root@k8s-master01 ~]# tar xf helm-v3.8.0-linux-amd64.tar.gz
[root@k8s-master01 ~]# mv linux-amd64/helm /usr/local/bin/helm
  • Add the chart repository so ingress can be installed easily, then check the packages available in it; the APP VERSION of ingress should preferably be greater than 0.35
[root@k8s-master01 ~]# helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
"ingress-nginx" has been added to your repositories
[root@k8s-master01 ~]# helm repo list
NAME         	URL                                       
ingress-nginx	https://kubernetes.github.io/ingress-nginx
[root@k8s-master01 ~]# helm search repo ingress-nginx
NAME                       	CHART VERSION	APP VERSION	DESCRIPTION                                       
ingress-nginx/ingress-nginx	4.0.17       	1.1.1      	Ingress controller for Kubernetes using NGINX a...
  • Download the ingress chart package and unpack it in a newly created directory so the configuration is easy to modify
[root@k8s-master01 ~]# helm pull ingress-nginx/ingress-nginx
ingress-nginx-4.0.17.tgz
[root@k8s-master01 ~]# mkdir /temp
[root@k8s-master01 ~]# mv ingress-nginx-4.0.17.tgz /temp/
[root@k8s-master01 ~]# cd /temp/
[root@k8s-master01 temp]# tar xf ingress-nginx-4.0.17.tgz 
# Enter the ingress-nginx directory
[root@k8s-master01 temp]# cd ingress-nginx/
  • Modify values.yaml; the excerpts below are separate locations in the file, each marked by a comment
# Image source location
controller:
  name: controller
  image:
    registry: registry.cn-hangzhou.aliyuncs.com
    image: yyangs/ingress-nginx-controller
    ## digest: sha256:0bc88eb15f9e7f84e8e56c14fa5735aaa488b840983f87bd79b1054190e660de
# DNS policy
  dnsPolicy: ClusterFirstWithHostNet
# Use the host's network ports; better performance
  hostNetwork: true
# Use resource kind DaemonSet; it is deployed on the specified nodes
  kind: DaemonSet
# Deploy only on nodes that carry these labels
  nodeSelector:
    kubernetes.io/os: linux
    ingress: "true"
# Service type; ClusterIP is used for a local environment
  service:
    type: ClusterIP
# The other image source location, near the end of the file
  admissionWebhooks:
    patch:
      enabled: true
      image:
        registry: registry.cn-hangzhou.aliyuncs.com
        image: yyangs/ingress-nginx-kube-webhook-certgen
        ## digest: sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660

A few notes on the above modifications:

  • Image source: the chart's default registry is overseas and we cannot reach it, so I replaced it with my own Aliyun registry. If you are doing this experiment, you can use my registry; the same applies to the second image location at the end. Note that the digest verification lines are commented out, so the images are pulled without being pinned by digest

  • Set hostNetwork: true and choose DaemonSet as the resource kind for better performance

  • DNS policy: if hostNetwork is used, the policy needs to be changed to dnsPolicy: ClusterFirstWithHostNet

  • Create the resources from the chart

# Create a namespace
[root@k8s-master01 ingress-nginx]# kubectl create ns ingress-nginx
namespace/ingress-nginx created
# The Pod must be created on a specific node, so put a label on one machine
[root@k8s-master01 ingress-nginx]# kubectl label nodes k8s-master03 ingress=true
node/k8s-master03 labeled
# Run the helm install; the release name is up to you. I ran into a small problem earlier, so I used a different name.
[root@k8s-master01 ~]# cd /temp/ingress-nginx/
您在 /var/spool/mail/root 中有新邮件
[root@k8s-master01 ingress-nginx]# helm install nginx-ingress -n ingress-nginx .
[root@k8s-master01 temp]# kubectl get pod -n ingress-nginx -o wide 
NAME                                           READY   STATUS    RESTARTS   AGE   IP             NODE           NOMINATED NODE   READINESS GATES
nginx-ingress-ingress-nginx-controller-lrs9s   1/1     Running   0          22h   192.168.10.4   k8s-master03   <none>           <none>

You can see that the Pod is up and has been deployed on the master03 node, that is, the node labelled ingress=true. This makes it much more convenient to scale the ingress out or in.
For example, to scale out, you only need to put the same label on the node you want to add, and a new Pod will be deployed there automatically, as with the following command.

kubectl label node k8s-master02 ingress=true

Scaling in when I no longer want this Pod is even easier: just remove the label. This shows the power of labels. The trailing minus sign means delete the label.

kubectl label node k8s-master02 ingress-

An ingress deployed with hostNetwork starts its processes on the host and listens on the host's ports. Let's look at the node where the Pod is deployed.

[root@k8s-master03 ~]# ss -tpln | grep 80
LISTEN     0      16384  192.168.10.4:2380                     *:*                   users:(("etcd",pid=1703,fd=7))
LISTEN     0      16384        *:80                       *:*                   users:(("nginx",pid=106434,fd=19),("nginx",pid=106427,fd=19))
LISTEN     0      16384        *:80                       *:*                   users:(("nginx",pid=106433,fd=11),("nginx",pid=106427,fd=11))
LISTEN     0      16384     [::]:80                    [::]:*                   users:(("nginx",pid=106433,fd=12),("nginx",pid=106427,fd=12))
LISTEN     0      16384     [::]:80                    [::]:*                   users:(("nginx",pid=106434,fd=20),("nginx",pid=106427,fd=20))
[root@k8s-master03 ~]# ps aux | grep nginx
root       2622  0.0  0.1   8852  5456 ?        Ss   01:12   0:00 nginx: master process nginx -g daemon off;
101        2759  0.0  0.0   9272  2456 ?        S    01:12   0:00 nginx: worker process
101        2760  0.0  0.0   9272  2456 ?        S    01:12   0:00 nginx: worker process
root      25605  0.0  0.0 112840  2292 pts/0    S+   15:19   0:00 grep --color=auto nginx
101      106347  0.0  0.0    208     4 ?        Ss   09:08   0:00 /usr/bin/dumb-init -- /nginx-ingress-controller --publish-service=ingress-nginx/nginx-ingress-ingress-nginx-controller --election-id=ingress-controller-leader --controller-class=k8s.io/ingress-nginx --ingress-class=nginx --configmap=ingress-nginx/nginx-ingress-ingress-nginx-controller --validating-webhook=:8443 --validating-webhook-certificate=/usr/local/certificates/cert --validating-webhook-key=/usr/local/certificates/key
101      106359  0.1  1.1 743048 44956 ?        Ssl  09:08   0:25 /nginx-ingress-controller --publish-service=ingress-nginx/nginx-ingress-ingress-nginx-controller --election-id=ingress-controller-leader --controller-class=k8s.io/ingress-nginx --ingress-class=nginx --configmap=ingress-nginx/nginx-ingress-ingress-nginx-controller --validating-webhook=:8443 --validating-webhook-certificate=/usr/local/certificates/cert --validating-webhook-key=/usr/local/certificates/key
101      106427  0.0  0.9 145100 36332 ?        S    09:08   0:00 nginx: master process /usr/local/nginx/sbin/nginx -c /etc/nginx/nginx.conf
101      106433  0.0  1.0 157128 40848 ?        Sl   09:08   0:06 nginx: worker process
101      106434  0.0  1.0 157128 41000 ?        Sl   09:08   0:07 nginx: worker process
101      106435  0.0  0.7 143072 29120 ?        S    09:08   0:00 nginx: cache manager process
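The values.yaml choices noted earlier (commented-out digests, hostNetwork together with ClusterFirstWithHostNet) can be checked against the installed release. This is an added example, not part of the original article; the sample JSON is constructed, and the function names are made up for illustration.

```python
import json

# Constructed sample (not captured from a cluster), trimmed to the keys this
# article edits, in the shape printed by:
#   helm get values nginx-ingress -n ingress-nginx --all -o json
SAMPLE_VALUES = json.loads("""
{"controller": {
  "image": {"registry": "registry.cn-hangzhou.aliyuncs.com",
            "image": "yyangs/ingress-nginx-controller"},
  "dnsPolicy": "ClusterFirstWithHostNet",
  "hostNetwork": true,
  "kind": "DaemonSet",
  "admissionWebhooks": {"patch": {"enabled": true, "image": {
      "registry": "registry.cn-hangzhou.aliyuncs.com",
      "image": "yyangs/ingress-nginx-kube-webhook-certgen"}}}}}
""")


def find_images(node, path=""):
    """Yield (dotted path, mapping) for every image block in the values tree."""
    if isinstance(node, dict):
        if isinstance(node.get("image"), str) and "registry" in node:
            yield path, node
        for key, child in node.items():
            yield from find_images(child, f"{path}.{key}" if path else key)


def audit(values):
    """Return findings for unpinned images and a hostNetwork/dnsPolicy mismatch."""
    findings = []
    for path, img in find_images(values):
        # A commented-out digest line leaves no "digest" key in the values.
        if not str(img.get("digest") or "").startswith("sha256:"):
            findings.append(
                f'{path}: {img["registry"]}/{img["image"]} is not pinned by digest')
    ctl = values.get("controller", {})
    if ctl.get("hostNetwork") and ctl.get("dnsPolicy") != "ClusterFirstWithHostNet":
        findings.append("controller: hostNetwork is true but dnsPolicy is not "
                        "ClusterFirstWithHostNet")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_VALUES):
        print(line)
```

On the sample it reports both images as unpinned; restoring a digest line with the digest of the image actually mirrored clears the finding.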

Once it is running, try a simple use.
To publish a service in a traditional architecture, you need to configure and modify the nginx configuration file; in k8s, Ingress is like any other resource type, and an Ingress instance is declared through yaml.
Official website: The official documentation of ingress-controller can be found here.

Use an example on the official website to get to know ingress first

vim ingress.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
  name: example
spec:
  ingressClassName: nginx
  rules:  # multiple rules can be configured
  - host: foo.bar.com # domain name to match
    http:
      paths:  # equivalent to nginx location blocks; one host can have multiple paths
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-svc # the svc to proxy to
            port: 
              number: 80

Here are some explanations of the above example:

Everything from rules downward defines how the front end is connected to the back end:

  • host: domain-based access; the client reaches the back-end resources through this domain name
  • http.paths: equivalent to the matching rules in nginx's location
  • pathType: Prefix: the path type. The path is split into elements by the "/" symbol, and matching is done as a prefix match element by element. The default is ImplementationSpecific, and the other is Exact.
  • backend: defines the backend
  • service: the address of the backend, made up of the svc being proxied and its port number
    —————————————————————————————————

Here I ran into a problem:

[root@k8s-master01 ~]# kubectl create -f ingress.yaml 
Error from server (InternalError): error when creating "ingress.yaml": Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io": failed to call webhook: Post "https://ingress-nginx-controller-admission.ingress-nginx.svc:443/networking/v1/ingresses?timeout=10s": service "ingress-nginx-controller-admission" not found

The error on creation: Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io".

I searched online, and it said that it should have been deleted when the resources created before were deleted.

[root@k8s-master01 ~]# kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io 
NAME                                    WEBHOOKS   AGE
ingress-nginx-admission                 1          3d

Checking then shows that there is one ingress-nginx-admission, and after deleting it, the creation is successful.

[root@k8s-master01 ~]# kubectl delete -A validatingwebhookconfigurations.admissionregistration.k8s.io ingress-nginx-admission 
validatingwebhookconfiguration.admissionregistration.k8s.io "ingress-nginx-admission" deleted

————————————————————————————————

Apply the ingress.yaml file again; this time it is created successfully.

[root@k8s-master01 ~]# kubectl create -f ingress.yaml 
ingress.networking.k8s.io/exmple created
[root@k8s-master01 ~]# kubectl get ingress
NAME     CLASS    HOSTS         ADDRESS   PORTS   AGE
exmple   <none>   foo.bar.com             80      10m

Ingress can also be configured with multiple domain names

Just add a host instance.

# First domain name
  - host: foo.bar.com 
    http:
      paths:  
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-svc
            port: 
              number: 80
# Second domain name
  - host: foo2.bar.com 
    http:
      paths:  
      - path: /test
        pathType: Prefix
        backend:
          service:
            name: nginx-svc-2
            port: 
              number: 80

Then just update the resource from the yaml file:

[root@k8s-master01 ~]# kubectl replace -f ingress.yaml
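How a request is matched against the two host rules above, as an added example that is not part of the original article: it implements the host match and the element-by-element Prefix match described earlier, plus the Ingress API's longest-path precedence. Wildcard hosts and ImplementationSpecific are left out; the RULES list and function names are constructed here.

```python
# Constructed from the two host rules in this article's ingress.yaml.
RULES = [
    {"host": "foo.bar.com", "path": "/", "pathType": "Prefix",
     "service": "nginx-svc", "port": 80},
    {"host": "foo2.bar.com", "path": "/test", "pathType": "Prefix",
     "service": "nginx-svc-2", "port": 80},
]


def elements(path):
    """Split a path on "/" and drop empty elements, so "/test/" equals "/test"."""
    return [part for part in path.split("/") if part]


def path_matches(rule_path, path_type, request_path):
    if path_type == "Exact":
        return request_path == rule_path          # case-sensitive, whole path
    if path_type == "Prefix":
        want, got = elements(rule_path), elements(request_path)
        return got[:len(want)] == want            # whole elements, not substrings
    raise ValueError(f"pathType {path_type!r} is controller-specific")


def route(host, request_path, rules=RULES):
    """Return "service:port" for the winning rule, or None when nothing matches."""
    hits = [r for r in rules
            if r["host"] == host
            and path_matches(r["path"], r["pathType"], request_path)]
    if not hits:
        return None                               # left to the default backend
    # Longest matching path wins; on a tie Exact beats Prefix.
    best = max(hits, key=lambda r: (len(r["path"]), r["pathType"] == "Exact"))
    return f'{best["service"]}:{best["port"]}'


if __name__ == "__main__":
    for host, path in [("foo.bar.com", "/index.html"), ("foo2.bar.com", "/test/a"),
                       ("foo2.bar.com", "/testing"), ("foo2.bar.com", "/")]:
        print(host, path, "->", route(host, path))
```

Note that foo2.bar.com only answers under /test: a request for /testing or / on that host matches no rule, because Prefix compares whole path elements.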

Origin blog.csdn.net/qq_42527269/article/details/122924796