Ingress Introduction
Typically, the Services and Pods in a cluster can be reached only through internal cluster IP addresses; they are not reachable from the network outside the cluster. A Service of type NodePort opens an external access channel, but when there are many Services each of them occupies a port on every cluster node, which quickly becomes hard to manage.
Ingress can be understood as a reverse proxy (think nginx) sitting on the K8S cluster boundary; you configure forwarding rules based on URL path, SSL, domain name and so on, and external clients are forwarded to the Service resources inside the cluster.
So with a single port you can expose multiple Services outside the cluster.
Ingress consists of two components: the ingress controller and the Ingress rules (the Ingress resource).
The ingress controller is essentially a Pod that runs a load balancer.
There are two main ingress controllers: the nginx-based ingress controller and the traefik-based ingress controller.
Working principle
The Ingress resource receives and stores the user-defined forwarding rules and notifies the K8S api-server.
The ingress controller interacts with the K8S api-server in real time, dynamically detects changes to the Ingress forwarding rules, reads the new rules, writes them into the load balancer's configuration file in that load balancer's configuration format, and then reloads the load balancer so the new configuration takes effect.
The Ingress sets the forwarding rules and the ingress controller applies those rules to the Pods. It is recommended to deploy the ingress controller with a DaemonSet controller and to create a NodePort-type Service for those Pods.
Ingress types
Single Service Ingress
A single back-end Service is exposed directly to the outside by creating an Ingress with no rules; this default Service is defined in the spec.backend field. For example:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-ingress
spec:
  backend:
    serviceName: testsvc
    servicePort: 80
URL path-based traffic forwarding
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-ingress
spec:
  rules:                     ## rules is a list holding multiple forwarding rules
  - http:                    ## defines one forwarding rule
      paths:
      - path: /test          ## forward this URL to the back-end service; the back end must serve this path, otherwise a rewrite is needed (example below)
        backend:             ## defines the back-end service
          serviceName: test  ## name of the Service that provides the back end
          servicePort: 80    ## port of that Service
If the back-end service has no corresponding path /test, do a rewrite first:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:               # annotation information
    nginx.ingress.kubernetes.io/configuration-snippet: |
      rewrite /test /hostname.html break;
spec:
  rules:                     ## rules is a list holding multiple forwarding rules
  - http:                    ## defines one forwarding rule
      paths:
      - path:
        backend:             ## defines the back-end service
          serviceName: test  ## name of the Service that provides the back end
          servicePort: 80    ## port of that Service
Host-based virtual host name
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-ingress
spec:
  rules:                     ## rules is a list holding multiple forwarding rules
  - host: myapp.magedu.com
    http:                    ## defines one forwarding rule
      paths:
      - path:
        backend:             ## defines the back-end service
          serviceName: test  ## name of the Service that provides the back end
          servicePort: 80    ## port of that Service
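The three manifest shapes above use the extensions/v1beta1 API, which newer clusters no longer serve; the current schema is networking.k8s.io/v1, where the backend is written as service.name plus service.port, every path needs a pathType, and the single-service default moves to spec.defaultBackend. The script below is an added example, not code from the original post: it converts manifests of the shapes shown above to the v1 schema and flags the two mistakes a reviewer would catch in them (a rules block placed next to metadata instead of under spec, and an empty path), plus any snippet annotation, since that annotation injects raw nginx configuration into the controller. The sample manifests are constructed copies of the page's examples embedded as JSON (valid YAML) so the script runs without PyYAML.

```python
"""Convert extensions/v1beta1 Ingress manifests to networking.k8s.io/v1
and flag structural problems. Added example, not from the original post."""
import json

V1_API = "networking.k8s.io/v1"
# Annotations that inject raw nginx configuration into the controller.
SNIPPET_ANNOTATIONS = (
    "nginx.ingress.kubernetes.io/configuration-snippet",
    "nginx.ingress.kubernetes.io/server-snippet",
)

# Constructed samples mirroring the manifests above: the host-based one
# with 'rules' beside 'metadata', and the rewrite one with its snippet.
SAMPLES = {
    "host-based": json.loads("""
    {"apiVersion": "extensions/v1beta1", "kind": "Ingress",
     "metadata": {"name": "test-ingress"},
     "rules": [{"host": "myapp.magedu.com",
                "http": {"paths": [{"path": null,
                  "backend": {"serviceName": "test", "servicePort": 80}}]}}]}
    """),
    "rewrite": json.loads("""
    {"apiVersion": "extensions/v1beta1", "kind": "Ingress",
     "metadata": {"name": "test-ingress", "annotations": {
        "nginx.ingress.kubernetes.io/configuration-snippet":
        "rewrite /test /hostname.html break;"}},
     "spec": {"rules": [{"http": {"paths": [{"path": "/test",
        "backend": {"serviceName": "test", "servicePort": 80}}]}}]}}
    """),
}


def convert_backend(old):
    """v1beta1 {serviceName, servicePort} -> v1 {service: {name, port}}."""
    port = old["servicePort"]
    key = "number" if isinstance(port, int) else "name"
    return {"service": {"name": old["serviceName"], "port": {key: port}}}


def convert_ingress(doc):
    """Return (v1 manifest, list of warnings) for one v1beta1 Ingress."""
    warnings = []
    spec = dict(doc.get("spec") or {})
    if "rules" in doc and "rules" not in spec:
        # The API server rejects 'rules' outside 'spec'; move it.
        warnings.append("'rules' found at top level instead of under spec; moved")
        spec["rules"] = doc["rules"]
    new = {"apiVersion": V1_API, "kind": "Ingress",
           "metadata": doc["metadata"], "spec": {}}
    if "backend" in spec:                     # single-service Ingress
        new["spec"]["defaultBackend"] = convert_backend(spec["backend"])
    rules = []
    for rule in spec.get("rules", []):
        paths = []
        for p in rule.get("http", {}).get("paths", []):
            if not p.get("path"):
                warnings.append("empty path; the controller treats it as '/'")
            # v1 requires pathType; Prefix matches the old default behaviour.
            paths.append({"path": p.get("path") or "/", "pathType": "Prefix",
                          "backend": convert_backend(p["backend"])})
        new_rule = {"host": rule["host"]} if "host" in rule else {}
        new_rule["http"] = {"paths": paths}
        rules.append(new_rule)
    if rules:
        new["spec"]["rules"] = rules
    if "tls" in spec:
        new["spec"]["tls"] = spec["tls"]
    for ann in (doc["metadata"].get("annotations") or {}):
        if ann in SNIPPET_ANNOTATIONS:
            warnings.append(f"{ann} injects raw nginx config; restrict who may set it")
    return new, warnings


def convert_samples():
    """Convert every embedded sample; returns {name: (manifest, warnings)}."""
    return {name: convert_ingress(doc) for name, doc in SAMPLES.items()}


if __name__ == "__main__":
    for name, (manifest, warns) in convert_samples().items():
        print(f"== {name}")
        print(json.dumps(manifest, indent=2))
        for w in warns:
            print("warning:", w)
```

Prefix is chosen as the pathType because it reproduces what the old API did with a bare path; switch to Exact where a rule must not match sub-paths. Treat a snippet-annotation warning as a review item: in ingress-nginx the cluster administrator decides whether snippet annotations are allowed at all, because anyone who can create an Ingress with one can change the proxy's configuration.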
Deploying the ingress controller
Architecture diagram (figure not reproduced in this text)
Deploy a back-end service
Provide the back-end service Pods; to make sure the back-end service is accessed stably, it is accessed through a Service, so a new Pod and Service need to be created. Note that the back-end service does not need to be in the ingress-nginx namespace. The definition list follows:
apiVersion: v1
kind: Service
metadata:
  name: ngx-service
spec:
  selector:
    app: ngx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ngx-deployment
  labels:
    app: ngx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: ngx
  template:
    metadata:
      labels:
        app: ngx
    spec:
      containers:
      - name: ngxv2
        image: 192.168.80.146:5000/my_ngx:v2
Create them and verify the result:
[root@k8s-master ingress-nginx]# kubectl get pod
NAME READY STATUS RESTARTS AGE
ngx-deployment-58d847f49c-9tbwh 1/1 Running 0 1d
ngx-deployment-58d847f49c-vvnrj 1/1 Running 0 1d
[root@k8s-master ingress-nginx]# kubectl get services
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 9d
ngx-service ClusterIP 10.106.74.134 <none> 80/TCP 1d
Deploying the ingress controller
Deploy the ingress controller Service
The ingress controller provides the service, and a NodePort-type Service for the ingress controller must now also be created manually to receive traffic from outside the cluster. The configuration list is as follows:
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
    nodePort: 30081
  - name: https
    port: 443
    targetPort: 443
    protocol: TCP
    nodePort: 30443
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
Create it and verify the result:
[root@k8s-master ingress-nginx]# kubectl get -n ingress-nginx services
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.102.208.10 <none> 80:30081/TCP,443:30443/TCP 2h
Deploying the Ingress
That is, configuring the forwarding rules for the ingress controller:
apiVersion: extensions/v1beta1      # api version
kind: Ingress                       # manifest type
metadata:                           # metadata
  name: ingress-myapp               # name of the Ingress
  namespace: default                # namespace it belongs to
  annotations:                      # annotation information
    nginx.ingress.kubernetes.io/configuration-snippet: |
      rewrite /test /hostname.html break;
    kubernetes.io/ingress.class: "nginx"
spec:                               # spec
  rules:                            # define the back-end forwarding rules
  - host: myapp.magedu.com
    http:
      paths:
      - path:                       # access path; change it to forward by URL; empty defaults to "/"
        backend:                    # back-end service
          serviceName: ngx-service
          servicePort: 80
Create it and verify the result:
[root@k8s-master ingress-nginx]# kubectl get -n ingress-nginx pods
NAME READY STATUS RESTARTS AGE
nginx-ingress-controller-5c54df76f6-qktts 1/1 Running 0 2h
## enter the ingress controller Pod and inspect the nginx configuration file
[root@k8s-master ingress-nginx]# kubectl exec -n ingress-nginx -it nginx-ingress-controller-5c54df76f6-qktts /bin/bash
www-data@nginx-ingress-controller-5c54df76f6-qktts:/etc/nginx$ cat nginx.conf
.....
## start server myapp.magedu.com
server {
server_name myapp.magedu.com ;
listen 80;
set $proxy_upstream_name "-";
location / {
set $namespace "default";
set $ingress_name "ingress-myapp";
set $service_name "myapp";
set $service_port "80";
set $location_path "/";
.....
Using TLS
To make a forwarding rule use https, specify hosts and secretName under spec.tls.
First create the Secret that stores the certificate referenced by secretName:
kubectl create secret tls tls-myapp --key tls.key --cert tls.crt
  tls:
  - hosts:
    - myapp.magedu.com
    secretName: tls-myapp
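The TLS stanza only works when three things line up: the Secret referenced by secretName exists in the same namespace as the Ingress (an Ingress cannot reference a Secret in another namespace), it is of type kubernetes.io/tls with tls.crt and tls.key entries, and the host under tls matches a host in rules. If any of these fail, ingress-nginx silently falls back to its own self-signed default certificate, and clients see a certificate error rather than a clear message. The checker below is an added example, not code from the original post; it runs those checks over constructed in-memory copies of the manifests above, and the Secret body is a labelled placeholder rather than real key material.

```python
"""Check that an Ingress's TLS stanza and its Secret fit together.
Added example, not from the original post; the Secret data is a
constructed placeholder, not a real certificate or key."""
import base64


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed: the shape 'kubectl create secret tls tls-myapp ...' produces,
# with placeholder PEM bodies instead of real key material.
SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "tls-myapp", "namespace": "default"},
    "data": {
        "tls.crt": _b64("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"),
        "tls.key": _b64("-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"),
    },
}

# Constructed: the ingress-myapp manifest above with the tls stanza added.
INGRESS = {
    "metadata": {"name": "ingress-myapp", "namespace": "default"},
    "spec": {
        "tls": [{"hosts": ["myapp.magedu.com"], "secretName": "tls-myapp"}],
        "rules": [{"host": "myapp.magedu.com", "http": {"paths": []}}],
    },
}


def check_tls(ingress, secrets):
    """Return a list of problems; empty means the TLS setup is consistent.

    secrets maps (namespace, name) -> Secret manifest, as a cluster lookup would."""
    problems = []
    ns = ingress["metadata"].get("namespace", "default")
    rule_hosts = {r["host"] for r in ingress["spec"].get("rules", []) if "host" in r}
    for entry in ingress["spec"].get("tls", []):
        for host in entry.get("hosts", []):
            if host not in rule_hosts:
                problems.append(f"tls host {host} has no matching rule host")
        name = entry.get("secretName")
        if not name:
            problems.append("tls entry without secretName; the controller's default certificate would be served")
            continue
        secret = secrets.get((ns, name))          # same namespace only
        if secret is None:
            problems.append(f"secret {ns}/{name} not found; the default certificate would be served")
            continue
        if secret.get("type") != "kubernetes.io/tls":
            problems.append(f"secret {name} is type {secret.get('type')}, expected kubernetes.io/tls")
        data = secret.get("data", {})
        for key, marker in (("tls.crt", "BEGIN CERTIFICATE"), ("tls.key", "PRIVATE KEY")):
            if key not in data:
                problems.append(f"secret {name} lacks {key}")
                continue
            pem = base64.b64decode(data[key]).decode(errors="replace")
            if marker not in pem:
                problems.append(f"secret {name} {key} is not PEM-encoded ({marker} marker missing)")
    return problems


def run_scenarios():
    """Run the checker over a correct setup and three broken ones."""
    ok = {("default", "tls-myapp"): SECRET}
    moved = {("ingress-nginx", "tls-myapp"): SECRET}        # wrong namespace
    opaque = {("default", "tls-myapp"): dict(SECRET, type="Opaque")}
    return {
        "ok": check_tls(INGRESS, ok),
        "missing-secret": check_tls(INGRESS, {}),
        "wrong-namespace": check_tls(INGRESS, moved),
        "wrong-type": check_tls(INGRESS, opaque),
    }


if __name__ == "__main__":
    for scenario, problems in run_scenarios().items():
        print(scenario, "->", problems or "ok")
```

In a real cluster the secrets map would be filled from kubectl get secret -n <namespace> -o json; keying it by (namespace, name) is what makes the wrong-namespace case fail the way the controller would.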
Summary
To verify, initiate access from outside the cluster; modify the local hosts file first:
[root@192-168-80-114 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.80.147 k8s-node2 myapp.magedu.com
192.168.80.140 k8s-node1 myapp.magedu.com
[root@192-168-80-114 ~]# curl myapp.magedu.com:30081
ngx-deployment-58d847f49c-vvnrj
[root@192-168-80-114 ~]# curl myapp.magedu.com:30081
ngx-deployment-58d847f49c-9tbwh