一 Ingress簡介
1.1 Ingress
通常Service的表現形式為IP:Port,即作業在TCP/IP層, 對于基于HTTP的服務來說,不同的URL地址經常對應到不同的后端服務(RS)或者虛擬服務器( Virtual Host),這些應用層的轉發機制僅通過Kubernetes的Service機制是無法實作的, 從Kubernetes 1.1版本開始新增Ingress資源物件,用于將不同URL的訪問請求轉發到后端不同的Service,以實作HTTP層的業務路由機制, Kubernetes使用了一個Ingress策略定義和一個具體的Ingress Controller,兩者結合并實作了一個完整的Ingress負載均衡器,使用Ingress進行負載分發時,Ingress Controller基于Ingress規則將客戶端請求直接轉發到Service對應的后端Endpoint(Pod)上,從而跳過kube-proxy的轉發功能,kube-proxy不再起作用, 簡單的理解就是:ingress使用DaemonSet在每個Node上監聽80,然后配合相應規則,因為Nginx外面系結了宿主機80埠(就像 NodePort),本身又在集群內,那么向后直接轉發到相應ServiceIP即可實作相應需求,ingress controller + ingress 規則 ----> services, 同時當Ingress Controller提供的是對外服務,則實際上實作的是邊緣路由器的功能, 典型的HTTP層路由的架構:
如上所示:
對http://uclouda.com/api的訪問將被路由到后端名為api的Service;
對http://uclouda.com/web的訪問將被路由到后端名為web的Service;
對http://uclouda.com/docs的訪問將被路由到后端名為docs的Service,
二 Ingress創建
為使用Ingress,需要創建Ingress Controller(帶一個默認backend服務)和Ingress策略設定來共同完成, Ingree創建通過分為:Ingress Controller吃、Ingress策略配置、客戶端訪問Ingress提供的服務,2.1 創建Ingress Controller
在定義Ingress策略之前,需要先部署Ingress Controller,以實作為所有后端Service都提供一個統一的入口, Ingress Controller需要實作基于不同HTTP URL向后轉發的負載分發規則,并可以靈活設定7層負載分發策略,如果公有云服務商能夠提供該型別的HTTP路由LoadBalancer,則也可設定其為Ingress Controller,在Kubernetes中,Ingress Controller將以Pod的形式運行,監控APIServer的/ingress介面后端的backend services,如果Service發生變化,則Ingress Controller應自動更新其轉發規則, 示例1:該例子使用Nginx來實作一個Ingress Controller,需要實作的基本邏輯如下: (1)監聽API Server,獲取全部Ingress的定義, (2)基于Ingress的定義,生成Nginx所需的組態檔/etc/nginx/nginx.conf, (3)執行nginx -s reload命令,重新加載nginx.conf組態檔的內容, [root@k8smaster01 study]# vi nginx-ingress-daemonset.yaml1 apiVersion: extensions/v1beta1 2 kind: DaemonSet 3 metadata: 4 name: nginx-ingress-lb 5 labels: 6 name: nginx-ingress-lb 7 namespace: default 8 spec: 9 template: 10 metadata: 11 labels: 12 name: nginx-ingress-lb 13 spec: 14 terminationGracePeriodSeconds: 60 15 containers: 16 - image: gcr.azk8s.cn/google_containers/nginx-ingress-controller:0.9.0-beta.2 17 name: nginx-ingress-lb 18 readinessProbe: 19 httpGet: 20 path: /healthz 21 port: 10254 22 scheme: HTTP 23 livenessProbe: 24 httpGet: 25 path: /healthz 26 port: 10254 27 scheme: HTTP 28 initialDelaySeconds: 10 29 timeoutSeconds: 1 30 ports: 31 - containerPort: 80 32 hostPort: 80 33 - containerPort: 443 34 hostPort: 443 35 env: 36 - name: POD_NAME 37 valueFrom: 38 fieldRef: 39 fieldPath: metadata.name 40 - name: POD_NAMESPACE 41 valueFrom: 42 fieldRef: 43 fieldPath: metadata.namespace 44 args: 45 - /nginx-ingress-controller 46 - --default-backend-service=$(POD_NAMESPACE)/default-http-backend釋義:如上Nginx容器設定了hostPort,將容器應用監聽的80和443埠號映射到物理機上,使得客戶端應用可以通過URL地址“http://物理機IP:80”或“https://物理機IP:443”來訪問該Ingress Controller,使得Nginx類似于通過NodePort映射到物理機的Service,成為代替kube-proxy的HTTP層的Load Balancer, 提示:本示例使用谷歌提供的nginx-ingress-controller鏡像來創建IngressController,該Ingress Controller以daemonset的形式進行創建,在每個Node上都將啟動一個Nginx服務, [root@k8smaster01 study]# vi default-backend.yaml
1 apiVersion: extensions/v1beta1 2 kind: Deployment 3 metadata: 4 name: default-http-backend 5 labels: 6 k8s-app: default-http-backend 7 namespace: default 8 spec: 9 replicas: 1 10 template: 11 metadata: 12 labels: 13 k8s-app: default-http-backend 14 spec: 15 terminationGracePeriodSeconds: 60 16 containers: 17 - name: default-http-backend 18 image: gcr.azk8s.cn/google_containers/defaultbackend:1.0 19 livenessProbe: 20 httpGet: 21 path: /healthz 22 port: 8080 23 scheme: HTTP 24 initialDelaySeconds: 30 25 timeoutSeconds: 5 26 ports: 27 - containerPort: 8080 28 resources: 29 limits: 30 cpu: 10m 31 memory: 20Mi 32 requests: 33 cpu: 10m 34 memory: 20Mi 35 --- 36 apiVersion: v1 37 kind: Service 38 metadata: 39 name: default-http-backend 40 namespace: default 41 labels: 42 k8s-app: default-http-backend 43 spec: 44 ports: 45 - port: 80 46 targetPort: 8080 47 selector: 48 k8s-app: default-http-backend釋義:為使ingress controller正常啟動,需要設定一個默認的backend,用于在客戶端訪問URL地址不存在時,回傳一個正確的404應答, [root@k8smaster01 study]# kubectl create -f default-backend.yaml #創建默認的backend服務 [root@k8smaster01 study]# kubectl create -f nginx-ingress-daemonset.yaml #創建ingress controller 提示:若提示forbidden: User “system:serviceaccount:default:default” cannot……,可通過以下方式解決: kubectl create rolebinding default --clusterrole=edit --serviceaccount=default:default --namespace=default 有關edit角色的權限可通過如下方式查看: [root@k8smaster01 study]# kubectl describe clusterrole edit 提示:將默認service account與集群角色etid相關聯,該角色視圖使pod能夠列出資源, [root@k8smaster01 study]# curl k8smaster01 #測驗nginx-ingress所在的節點訪問 default backend - 404 提示:如上404為所有服務例外的時候ingress所轉發的默認404錯誤網頁,
2.2 定義ingress策略
基于《002.Kubernetes簡單入門實體》中的實驗,本環境將demo通過nodeport暴露于http://172.24.8.71:30001/demo/, 同時在宿主機添加如下hosts,以便于測驗ingress, 172.24.8.71 mywebsite.com 對mywebsite.com網站的訪問設定Ingress策略,如下定義的ingress策略對其/demo路徑的訪問轉發到后端webapp Service, [root@k8smaster01 study]# vi nginx-ingress-policy.yaml1 apiVersion: extensions/v1beta1 2 kind: Ingress 3 metadata: 4 name: mywebsite-ingress 5 spec: 6 rules: 7 - host: mywebsite.com 8 http: 9 paths: 10 - path: /demo 11 backend: 12 serviceName: myweb 13 servicePort: 8080[root@k8smaster01 study]# kubectl get pods #查看相關Pod
1 Pod 2 NAME READY STATUS RESTARTS AGE 3 …… 4 mysql-m652j 1/1 Running 0 21m #入門實體中的mysql,用于測驗 5 myweb-gnhk4 1/1 Running 0 20m 6 myweb-vzg58 1/1 Running 0 20m #入門實體中的myweb,用于測驗 7 nginx-ingress-lb-6mj49 1/1 Running 0 16m 8 nginx-ingress-lb-7z74c 1/1 Running 0 16m 9 nginx-ingress-lb-9wlpd 1/1 Running 0 16m 10 nginx-ingress-lb-flgvs 1/1 Running 0 16m 11 nginx-ingress-lb-gcczc 1/1 Running 0 16m 12 nginx-ingress-lb-hcfg6 1/1 Running 0 16m #2.1中的ingress-lb[root@k8smaster01 study]# kubectl get svc #查看相關SVC
1 SVC 2 NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) 3 default-http-backend ClusterIP 10.254.236.120 <none> 80/TCP #默認的backend svc 4 …… 5 mysql ClusterIP 10.254.84.247 <none> 3306/TCP #入門實體中的mysql svc,用于測驗 6 myweb NodePort 10.254.119.124 <none> 8080:30001/TCP #入門實體中的myweb svc,用于測驗[root@k8smaster01 study]# kubectl create -f nginx-ingress-policy.yaml #檢查完畢后創建該ingress [root@k8smaster01 study]# kubectl get ingresses -o wide #查看ingress
1 ingress 2 NAME HOSTS ADDRESS PORTS AGE 3 mywebsite-ingress mywebsite.com 80 9m12s解釋:如上ingress定義,說明對目標地址http://mywebsite.com/demo的訪問將被轉發到集群中的Service webapp即webapp:8080/demo上,更多ingress策略配置方法見2.4, 注意:在Ingress生效之前,需要先將webapp服務部署完成,同時需要注意Ingress中path的定義,需要與后端真實Service提供的path一致,否則將被轉發到一個不存在的path上,引發錯誤,
2.3 測驗訪問
由于Ingress Controller容器通過hostPort將服務埠號80映射到了所有Node上,結合ingress controller和ingress規則配合,客戶端可以通過任意Node訪問mywebsite.com提供的服務,從而實作訪問http://mywebsite.com/demo轉發至myweb的service,myweb的service又具有如下兩個作用:- 將后端Pod的8080暴露于nodeport的30001(因此入門實體可以通過nodeport的30001直接訪問服務);
- 后端selector選擇了真正實作功能的tomcat pod,
2.4 Ingress策略配置詳解
為了實作靈活的負載分發策略,Ingress策略可以按多種方式進行配置,如下為幾種常見的Ingress轉發策略配置,- 轉發到單個后端服務上
1 apiVersion: extensions/v1beta1 2 kind: Ingress 3 metadata: 4 name: test-ingress 5 spec: 6 backend: 7 serviceName: myweb 8 servicePort: 8080
- 同一域名下,不同的URL路徑被轉發到不同的服務上
1 apiVersion: extensions/v1beta1 2 kind: Ingress 3 metadata: 4 name: test-ingress 5 spec: 6 rules: 7 - host: mywebsite.com 8 http: 9 paths: 10 - path: /demo 11 backend: 12 serviceName: myweb 13 servicePort: 8080 14 - path: /api 15 backend: 16 serviceName: myapi 17 servicePort: 8081
- 不同的域名(虛擬主機名)被轉發到不同的服務上
1 apiVersion: extensions/v1beta1 2 kind: Ingress 3 metadata: 4 name: test-ingress 5 spec: 6 rules: 7 - host: foo.bar.com 8 http: 9 paths: 10 - backend: 11 serviceName: service1 12 servicePort: 8080 13 - host: bar.foo.com 14 http: 15 paths: 16 - backend: 17 serviceName: service2 18 servicePort: 8080
- 不使用域名的轉發規則
1 apiVersion: extensions/v1beta1 2 kind: Ingress 3 metadata: 4 name: test-ingress 5 spec: 6 rules: 7 - http: 8 paths: 9 - path: /demo 10 backend: 11 serviceName: myweb 12 servicePort: 8080注意:使用無域名的Ingress轉發規則時,將默認禁用非安全HTTP,強制啟用HTTPS,只有使用HTTPS才能夠訪問成功,例如,當使用Nginx作為Ingress Controller時,在其組態檔/etc/nginx/nginx.conf中將會自動設定下面的規則,將全部HTTP的訪問請求直接回傳301錯誤:
1 …… 2 if (%pass_access_scheme = http) { 3 return 301 https://$best_http_host$request_uri; 4 } 5 ……如上強制策略也可以在Ingress的定義中設定一個annotation“ingress.kubernetes.io/sslredirect=false”來關閉強制啟用HTTPS的設定,
1 apiVersion: extensions/v1beta1 2 kind: Ingress 3 metadata: 4 name: test-ingress 5 annotations: 6 ingress.kubernetes.io/ssl-redirect: "false" 7 spec: 8 rules: 9 - http: 10 paths: 11 - path: /demo 12 backend: 13 serviceName: myweb 14 servicePort: 8080如上設定后,也可通過http進行訪問,
三 Ingress TLS
3.1 Ingress TLS配置步驟
Ingress同時提供HTTPS的安全訪問配置,可以在Ingress中的域名進行TLS安全證書的設定, 設定的步驟如下,- 創建自簽名的密鑰和SSL證書檔案,
- 將證書保存到Kubernetes中的一個Secret資源物件上,
- 將該Secret物件設定到Ingress中,
3.2 單域名TLS設定
對于只有一個域名的場景來說,可以通過OpenSSL工具直接生成密鑰和證書檔案,將命令列引數-subj中的/CN設定為網站域名:- 創建自簽名證書
1 [root@k8smaster01 study]# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=mywebsite.com"
提示:更多證書創建知識參考《附008.Kubernetes TLS證書介紹及創建》,
- 創建secret物件
- 方法一:kubectl create secret命令列方式
- 方法二:編輯mywebsite-ingress-secret.yaml檔案
1 apiVersion: v1 2 kind: Secret 3 metadata: 4 name: mywebsite-ingress-secret 5 namespace: default 6 type: kubernetes.io/tls 7 data: 8 tls.crt: MIIDAzCCAeugAwIBAgIJAP5FWrsNH3MMMA0GCSqGSIb3DQEBCwUAMBgxFjAUBgNVBAMMDW15d2Vic2l0ZS5jb20wHhcNMTkxMTI2MDkxODA2WhcNMjkxMTIzMDkxODA2WjAYMRYwFAYDVQQDDA1teXdlYnNpdGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwxh45nxBk3ROD1Dl6NWa+PGgQWcty3Mcu57RyNFTQ2MOOZ0l53kML9cuLau4OJqk7yvI6rKhtNP5kMNzFrdrsL5cX44wItO3XA2GtO7r7t7PrTwoDskGqQiz0yDw0Ya1TpkOFbCA9VphojXHAL77s2YUG1sZrOSUU0SL3H0v8xUnKIiUPzRCzBqGFUeR7zDuATFQbjrkHUWiPIQ9/7n4YVj35ChHhWco4kuP4RL6l5lZqegYxx2vkSgGWcmJor2d+8Qiv3t5HPrZcKrSnWdWvpZ9IPA8iT6Yl9lmk9cmoVcB9mXklbhm0fs2/S8vvyrCt7GO0PyIyQ2uGiQIBbIZ0QIDAQABo1AwTjAdBgNVHQ4EFgQU/Ji8BRdqF54yhOXkFxQgpeePUpYwHwYDVR0jBBgwFoAU/Ji8BRdqF54yhOXkFxQgpeePUpYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAeN95smuD4mG9zqAn7r1/FTt2OkTxofj7Q9x5ccoLDYJmBv8whbs0/oF0NOYwdsLJirrF0xuWksWvMFpPRJiNe/4c8nYPdPDaUsxcS2fesvvBL5Dw45J6RBIAFKNyoC9wtwtPR88oes82y7WlrgvML83bC9B5cB+HnJzPoWPArgUvPZeZxcQw3Vq088axdyOZBV27rWNKNCFWKve+TF+vt3zD0FeDOYCTY94HRfRzjKimRadrnEl4+w4j+dYMjwuy4CEFSwW7pb/AntWTcjQWBTuWyqvNTIG9+Vchz+YjRZG1P/AInkl4J/QmS1cvCN2zKVFyZS5DdlIX1wvsI93C3A== 13 tls.key: MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDDGHjmfEGTdE4PUOXo1Zr48aBBZy3Lcxy7ntHI0VNDYw45nSXneQwv1y4tq7g4mqTvK8jqsqG00/mQw3MWt2uwvlxfjjAi07dcDYa07uvu3s+tPCgOyQapCLPTIPDRhrVOmQ4VsID1WmGiNccAvvuzZhQbWxms5JRTRIvcfS/zFScoiJQ/NELMGoYVR5HvMO4BMVBuOuQdRaI8hD3/ufhhWPfkKEeFZyjiS4/hEvqXmVmp6BjHHa+RKAZZyYmivZ37xCK/e3kc+tlwqtKdZ1a+ln0g8DyJPpiX2WaT1yahVwH2ZeSVuGbR+zb9Ly+/KsK3sY7Q/IjJDa4aJAgFshnRAgMBAAECggEAKFAYO1gVnMh9kMCgoTnyKdqTyK/vUIjauRIaOyq1z8jaGaGVQX1LvV7zVdCT4m5iAmHDxGtg6qKagQVB9MG16PGM2NnirG+fBdBts1ljOxqjQyKZDGURkUARGGFIIaN6N2F8/ZJZM1mXrxL5qffMvscrBHQQnB8nXwVc+RSNIecx7UQ1nGjhfabfywwVRT8PpjxKN35+bbFUEKPPf4sh3hf7B7+aZZep7Y32AXUtJUH8MKXo98QJ22kZja4zZI96O/q2s10CXv13x7FHOlaNtxha5qWW7lynWm4q7dKvZ0gF2Yd59/Nry3p6oGGAkBcDTR9T11BBEYMoQYx1BYdKoQKBgQD+RRbKQq8b24zrPPU3jFANDG9IKyjMEjdxQzPUgNjEXKdwA/Ge37Byzgjkf2bWPUCJb7Gzt6PHEnYHTxP1zWc1iM0r10qRHI5+J+dFtaleJdzm/sRiIta5QVLuwy+giKFdmbwA1d4Frl93DivexFj153LRCHsHJcLWK15GwC1IXQKBgQDEbE7WaePmzoTOV2XRfrykNiEv7U7acy8gfXTbT5HRIF89GJyMpYYF8e6+S/K3/HKSP2PsWDz35K8ax0OQrk2LvAe9DxA+sjNwxnTam8oRmDG9xoPD8VvuLRivUVxzftcxxgKindZNC78F3NzPRGcKeeq2jLqqUvIJQlpoC1NwBQKBgCl0oDOXza7wC7iqtpw43zBRb69Hgh5LdgicWU3zN+RD6vSjX/h0JfOBzgdbEiwpzmTZ9hIEBcrGIsIsTWfM9l/PDwxvzHN+QWkmHlnKNXPpHmv265PIdFO958SPxCsbO5vkHbfRJqKsfFoP0G1Ae/STqK+V/2D58hsy9Or6GCftAoGBAJeVPgIaFda46aSTre/ObqYLX/Esof3Thjr8loHpFg7dfKIZrDaeRp+v5R7WXam/GGvkn6h1MBfeU4PG4010NkPwB8jPJyo7O5d8kBFkyLxrR3e9C1LboKZeBv7FOyOmb0vqE36LcCZlOjW8DGunzh03mPrn/+YRvNeIbVx94RZBAoGBAIpirteUaXDZWTUH2i0uPrBeVYMJQWZGu4BCqnAVCP/wWERY2O7tPgUSRyd5Alg0VpmU0tkmaWj7Wejbs9KYjNNvLfmleR771aIgE/cL4Lp3ijvSHaQEFPob3HKoC0LR2Cw0jH6wX1B1MT5ymIIlXYn3aAmu790HbwySwjrxkmAY[root@k8smaster01 study]# kubectl create -f mywebsite-ingress-secret #創建TLS的secret 繼續創建Ingress物件,同時在tls段參考剛剛創建好的Secret物件即可, [root@k8smaster01 study]# vi mywebsite-ingress-tls.yaml
1 apiVersion: extensions/v1beta1 2 kind: Ingress 3 metadata: 4 name: mywebsite-ingress-tls 5 spec: 6 tls: 7 - hosts: 8 - mywebsite.com 9 secretName: mywebsite-ingress-secret 10 rules: 11 - host: mywebsite.com 12 http: 13 paths: 14 - path: /demo 15 backend: 16 serviceName: myweb 17 servicePort: 8080[root@k8smaster01 study]# kubectl create -f mywebsite-ingress-tls.yaml 然后可以通過HTTPS來訪問mywebsite.com了, [root@k8smaster02 ~]# curl -H 'Host:mywebsite.com' -k https://172.24.8.71/demo/ #測驗訪問
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> 瀏覽器訪問測驗:https://mywebsite.com/demo/
3.3 多域名TLS設定
如果提供服務的網站不止一個域名,例如2.4所述的第3種Ingress策略配置方式,則SSL證書需要使用額外的一個x509 v3組態檔輔助完成,在[alt_names]段中完成多個DNS域名的設定, [root@k8smaster01 study]# vi openssl.cnf1 [req] 2 req_extensions = v3_req 3 distinguished_name = req_distinguished_name 4 [req_distinguished_name] 5 [ v3_req ] 6 basicConstraints = CA:FALSE 7 keyUsage = nonRepudiation, digitalSignature, keyEncipherment 8 subjectAltName = @alt_names 9 [alt_names] 10 DNS.1 = mywebsite.com 11 DNS.2 = mywebsite2.com[root@k8smaster01 study]# openssl genrsa -out ca.key 2048 [root@k8smaster01 study]# openssl req -x509 -new -nodes -key ca.key -days 3650 -out ca.crt -subj "/CN=mywebsite.com" #生成自簽名CA證書 [root@k8smaster01 study]# openssl genrsa -out ingress.key 2048 [root@k8smaster01 study]# openssl req -new -key ingress.key -out ingress.csr -subj "/CN=mywebsite.com" -config openssl.cnf #基于openssl.cnf和CA證書生成ingress SSL證書 [root@k8smaster01 study]# openssl x509 -req -in ingress.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out ingress.crt -days 3650 -extensions v3_req -extfile openssl.cnf 然后根據ingress.key和ingress.crt檔案創建secret資源物件,同樣可以通過kubectl create secret tls命令或YAML組態檔生成(參考3.2方法), [root@k8smaster01 study]# kubectl create secret tls mywebsite-ingress-secret --key ingress.key --cert ingress.crt 繼續創建Ingress物件,同時在tls段參考剛剛創建好的Secret物件即可, 測驗及訪問參考3.2即可,
轉載請註明出處,本文鏈接:https://www.uj5u.com/caozuo/128301.html
標籤:Linux