Posted by 郑成英 on 2020-8-31 19:34:00

Kubernetes Ingress Explained

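<h1 id="什么是ingress" data-source-line="1">What is Ingress</h1>
<p data-source-line="2"> Alibaba Cloud calls this an Ingress route. In a Kubernetes cluster it is mainly used to bring external requests into the cluster. An Ingress is a set of rules that authorizes inbound connections to reach cluster services, and it provides layer-7 load balancing. You can configure an Ingress to provide externally reachable URLs, load balancing, SSL, name-based virtual hosting, and so on.</p>
<h3 id="service缺点" data-source-line="4">Shortcomings of Service</h3>
<p data-source-line="5"> Once a Service is defined, especially with NodePort access, a request passes through two levels of forwarding, and this is layer-4 scheduling, whether implemented by iptables or ipvs. A layer-4 scheduler cannot terminate (offload) HTTPS sessions itself.<br> Ingress: Kubernetes has another way of bringing external traffic into the cluster, called Ingress. It is based on a layer-7 scheduler and uses a layer-7 pod to bring external traffic inside.</p>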
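<p data-source-line="10">Recap: Service</p>
<p data-source-line="12">The three proxy modes:</p>
<ul data-source-line="13">
<li>userspace (inefficient, with repeated switches between user and kernel space)</li>
<li>iptables</li>
<li>ipvs (since version 1.11; the related parameters must be configured additionally at deployment time)</li>
</ul>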
<p data-source-line="17">Service types:</p>
<ul data-source-line="18">
<li>ClusterIP (communication inside the cluster)</li>
<li>NodePort (connects the inside and outside of the cluster; flow: client--&gt;nodeip:nodeport--&gt;clusterip:serviceport---&gt;podip:containerport). An nginx can be placed in front to proxy the NodePorts of the backend nodes, which relieves the load.</li>
<li>LoadBalancer</li>
<li>ExternalName</li>
</ul>
<h3 id="ingress支持的调度方式" data-source-line="23">Scheduling methods supported by Ingress</h3>
<ol data-source-line="24">
<li>URL path mapping: location /aa ; location /bb. Compare with nginx.</li>
<li>Host-based scheduling: for example server aaa; server bbb</li>
</ol>
<h3 id="ingress类型" data-source-line="26">Ingress types:</h3>
<ol data-source-line="27">
<li>URL mapping</li>
<li>Virtual host</li>
</ol>
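<p data-source-line="30"><strong>Ingress controller:</strong><span class="Apple-converted-space">&nbsp;(a pod that provides a specific function, e.g. nginx-ingress-controller-pod): a dedicated pod that admits external traffic. For example, with 3 nodes, you taint those 3 nodes and run a dedicated DaemonSet pod on each of them to admit external traffic and provide layer-7 scheduling for the pods behind it. Most controllers run as components of the controller-manager on the master node, whereas the ingress controller runs independently, usually as a group of pod resources, and has layer-7 proxy capability.</span></p>
<p data-source-line="32"><strong>Supported proxies:</strong><span class="Apple-converted-space">&nbsp;nginx, Traefik, Envoy (microservices), HAProxy<br><strong>watch:</strong><span class="Apple-converted-space">&nbsp;A Service constantly watches for changes in its backend pods. As soon as a pod changes, the api-server detects it immediately.</span></span></p>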
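<h3 id="ingress实现原理" data-source-line="34">How Ingress works</h3>
<ol data-source-line="35">
<li>Normally a Service schedules to the pods that match its labels; when pods are added, they are picked up automatically because of their labels. How can the same be achieved with nginx? Run nginx inside a pod, with its configuration file inside the pod. This pod is called the ingress controller, and it continuously watches for changes in the backend pods. The ingress controller does not have this ability on its own and relies on a Service to achieve it, so a Service still has to be created behind the nginx-ingress-controller. This Service only groups the backend pods; the pods themselves are configured in the nginx upstream block. The Service does no scheduling, only grouping, so a headless Service can be used and traffic is scheduled directly to the backend pods. The key question is how the nginx upstream and the rest of the configuration get updated automatically when pods change; this is what the Ingress resource does.</li>
<li>An Ingress needs a front-end entry layer, which may be an nginx server block (virtual host) or a location (URL mapping), and it also needs a back-end upstream server definition. The hosts in the upstream are obtained through the Service.</li>
<li>A distinctive property of Ingress: as a resource, once edited it is injected directly into the nginx-ingress-controller and saved as the nginx configuration file. Whenever the Ingress detects that the pods behind the Service have changed, it injects the update into the nginx configuration file, and the configuration must then be reloaded (Traefik supports automatic reloading).</li>
</ol>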
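<p>Added example (not from the original article and not ingress-nginx's own code): a simplified Python model of the mechanism described above, rendering server, location and upstream blocks from an Ingress and the pod addresses grouped by its Service. The pod addresses, the function names and the 503 fallback for a Service with no pods are assumptions of this sketch; host, path and service name are validated before being templated into the configuration.</p>

```python
import re

# Values are templated into nginx.conf, so accept only a conservative charset.
# fullmatch (not match with $) also rejects a trailing newline.
SAFE = re.compile(r"[A-Za-z0-9_./*-]+")

def render_nginx(ingress, endpoints):
    """Simplified model: Ingress dict (extensions/v1beta1 shape, as on this page)
    plus {service: ["pod_ip:port", ...]} -> nginx config text."""
    upstreams, servers = {}, []
    for rule in ingress["spec"].get("rules", []):
        host = rule.get("host", "_")  # "_" is the conventional catch-all name
        locations = []
        for p in rule.get("http", {}).get("paths", []):
            path, svc = p.get("path", "/"), p["backend"]["serviceName"]
            if not all(SAFE.fullmatch(v) for v in (host, path, svc)):
                raise ValueError(f"unsafe value in rule: {host!r} {path!r} {svc!r}")
            pods = sorted(endpoints.get(svc, []))
            if pods:
                # The Service only groups pods; nginx targets the pod IPs directly.
                upstreams[svc] = pods
                locations.append(f"  location {path} {{ proxy_pass http://{svc}; }}")
            else:
                # nginx refuses to load an upstream block that has no servers.
                locations.append(f"  location {path} {{ return 503; }}")
        servers.append(f"server {{\n  server_name {host};\n" + "\n".join(locations) + "\n}")
    blocks = [f"upstream {name} {{\n" + "".join(f"  server {a};\n" for a in pods) + "}"
              for name, pods in sorted(upstreams.items())]
    return "\n".join(blocks + servers) + "\n"

def needs_reload(old_conf, new_conf):
    """Reload only when the rendered configuration actually changed."""
    return old_conf != new_conf

# Constructed sample: the page's HTTP Ingress plus made-up pod addresses.
INGRESS = {"spec": {"rules": [{"host": "www.xhyan.com", "http": {"paths": [
    {"path": "/", "backend": {"serviceName": "ngx-svc", "servicePort": 80}}]}}]}}
PODS = {"ngx-svc": ["10.244.1.5:80", "10.244.2.7:80"]}

if __name__ == "__main__":
    print(render_nginx(INGRESS, PODS))
```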
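<h3 id="实现ingress步骤7层调度" data-source-line="39">Steps to implement Ingress (layer-7 scheduling):</h3>
<ol data-source-line="40">
<li>Deploy an nginx-ingress-controller-pod, which is a dedicated pod.</li>
<li>Create a front-end Service (service1) for the nginx-ingress-controller-pod. It admits external requests.</li>
<li>Create the back-end Service (service2) for the nginx-ingress-controller-pod, together with the pods associated with that Service.</li>
<li>Create the Ingress. This sets up the routing rules automatically and injects service2 into the nginx-ingress-controller-pod rules (nginx.conf).</li>
<li>In summary, the deployment chain is: external request&lt;------ingress-service&lt;-----nginx-ingress-controller-pod&lt;--------ingress&lt;------service(headless, daemonset)&lt;------pods</li>
</ol>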
<h3 id="ingress原理图" data-source-line="46">Ingress schematic diagram</h3>
<p data-source-line="48">How it works: the external load balancer (externalLB) forwards the request to the NodePort Service ---&gt; which schedules it to the internal pod (the ingress controller) -----&gt; based on the Ingress definition, it is handled as a virtual host or as a URL proxy ----&gt; if by host name, each host name maps to a group of backend pods (pod1, pod2, pod3). Pods are grouped by a Service, and only then can they be referenced by the Ingress.</p>
<p data-source-line="50">First install the ingress controller pod, then define the Ingress, then define the pods and create the Service.</p>
<p data-source-line="52">Dynamic updates: when a pod changes, the Service changes; when the Service changes, the Ingress changes; when the Ingress changes, it is injected into the ingress controller, in real time.<span class="Apple-converted-space">&nbsp;<img src="https://img2018.cnblogs.com/common/1927502/202002/1927502-20200207151030976-270922298.png?ynotemdtimestamp=1597285922661" alt="Ingress schematic diagram" data-src="https%3A%2F%2Fimg2018.cnblogs.com%2Fcommon%2F1927502%2F202002%2F1927502-20200207151030976-270922298.png" data-processed="https%3A%2F%2Fimg2018.cnblogs.com%2Fcommon%2F1927502%2F202002%2F1927502-20200207151030976-270922298.png"></span></p>
<h3 id="部署ingress-nginx" data-source-line="56">Deploying Ingress-Nginx</h3>
<p data-source-line="57">Git repository: https://github.com/kubernetes/Ingress-nginx<br>Official site: https://kubernetes.github.io/ingress-nginx</p>
<h3 id="安装" data-source-line="61">Installation</h3>
<pre data-source-line="62"><code class="hljs"># Download the ingress-nginx YAML install manifest
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.33.0/deploy/static/provider/cloud/deploy.yaml
# Edit the file and change the controller image to a registry mirror in China
vim deploy.yaml
containers:
  - name: controller
    image: registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:0.33.0
    imagePullPolicy: IfNotPresent
# Install with kubectl apply
kubectl apply -f deploy.yaml


# By default ingress-nginx is installed in the ingress-nginx namespace
[root@k8s-master ingress]# kubectl get pod -n ingress-nginx
NAME                                        READY   STATUS      RESTARTS   AGE
ingress-nginx-admission-create-45qcs        0/1     Completed   0          4m12s
ingress-nginx-admission-patch-z52jg         0/1     Completed   1          4m12s
ingress-nginx-controller-5858f5cdf8-kxfwm   1/1     Running     0          4m12s
</code></pre>
<p data-source-line="81">Expose ingress through a NodePort</p>
<pre data-source-line="82"><code class="hljs"># Download the required YAML file from the official repository
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.33.0/deploy/static/provider/baremetal/deploy.yaml
mv deploy.yaml service-nodeport.yaml
# Change the controller image to a registry mirror in China, same as for the ingress-controller above

# Install
kubectl apply -f service-nodeport.yaml
# Check the result
kubectl get svc -n ingress-nginx
[root@k8s-master ingress]# kubectl get svc -n ingress-nginx
NAME                                 TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx-controller             NodePort    10.103.86.19    &lt;none&gt;        80:30367/TCP,443:30621/TCP   21m
ingress-nginx-controller-admission   ClusterIP   10.103.210.91   &lt;none&gt;        443/TCP                      21m
</code></pre>
<h3 id="创建http的-nginx-ingress" data-source-line="98">Create an HTTP nginx-ingress</h3>
<pre data-source-line="99"><code class="hljs"># extensions/v1beta1 Ingress is no longer served as of Kubernetes 1.22
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-ingress    # name
spec:
  rules:
  - host: www.xhyan.com    # domain
    http:
      paths:
      - path: /             # path
        backend:
          serviceName: ngx-svc      # svc name
          servicePort: 80         # svc port
</code></pre>
<h3 id="创建的ingress规则生成对应的nginx配置嵌入到nginx-controller中" data-source-line="114">The Ingress rules you create generate the corresponding nginx configuration, embedded in the nginx controller</h3>
<p data-source-line="115">You can see this by entering the ingress controller container:</p>
<pre data-source-line="116"><code class="hljs"># Find the name of the ingress-controller pod
[root@k8s-master ingress]# kubectl get pod -n ingress-nginx
NAME                                        READY   STATUS      RESTARTS   AGE
ingress-nginx-admission-create-45qcs        0/1     Completed   0          101m
ingress-nginx-admission-patch-z52jg         0/1     Completed   1          101m
ingress-nginx-controller-6995cf966b-qs8rc   1/1     Running     0          80m
# Enter the container
[root@k8s-master ingress]# kubectl exec -it ingress-nginx-controller-6995cf966b-qs8rc -n ingress-nginx -- /bin/bash
# View the configuration inside the container
bash-5.0$ cat nginx.conf
</code></pre>
<h3 id="创建https的-nginx-ingress" data-source-line="130">Create an HTTPS nginx-ingress</h3>
<ol data-source-line="131">
<li>Place the HTTPS certificate you have obtained in a chosen directory</li>
<li>Add the certificate to the ingress with kubectl create secret</li>
</ol>
<pre data-source-line="134"><code class="hljs"># Add the certificate to the ingress with kubectl create secret
kubectl create secret tls tls-secret --key tls.key --cert tls.crt   # the secret is named tls-secret

# https ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-ingress    # name
spec:
  tls:
  - hosts:
    - www.xhyan.com
    secretName: tls-secret   # the name of the TLS secret created with kubectl create
  rules:
  - host: www.xhyan.com    # domain
    http:
      paths:
      - path: /             # path
        backend:
          serviceName: ngx-svc      # svc name
          servicePort: 80         # svc port
</code></pre>
<h3 id="更新ingress" data-source-line="159">Updating an Ingress</h3>
<p data-source-line="160">If you want to add a new Host to an existing Ingress, you can edit and update that Ingress:</p>
<pre data-source-line="161"><code class="hljs">$ kubectl get ing
NAME      RULE          BACKEND   ADDRESS
test      -                       178.91.123.132
          foo.bar.com
          /foo          s1:80
$ kubectl edit ing test   # update with kubectl edit
# This opens an editor containing the existing YAML; modify it to add the new Host configuration.

spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - backend:
          serviceName: s1
          servicePort: 80
        path: /foo
  - host: bar.baz.com
    http:
      paths:
      - backend:
          serviceName: s2
          servicePort: 80
        path: /foo
..
</code></pre>
<p data-source-line="188">Saving it updates the resource in the API server, which triggers the ingress controller to reconfigure the load balancer.</p>
<pre data-source-line="189"><code class="hljs">$ kubectl get ing
NAME      RULE          BACKEND   ADDRESS
test      -                       178.91.123.132
          foo.bar.com
          /foo          s1:80
          bar.baz.com
          /foo          s2:80
</code></pre>
<p data-source-line="198"><strong>Running kubectl replace -f on a modified Ingress YAML file achieves the same result.</strong></p><br><br>
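<p>Added example (not from the original article): a check that applies to both the HTTPS Ingress section and the update procedure above. It takes the JSON shape printed by <code>kubectl get ing -o json</code> and reports rule hosts that no <code>spec.tls</code> entry with a <code>secretName</code> covers, which is the state an Ingress is left in when a new Host is added to <code>rules</code> but not to <code>tls</code>. The <code>tls</code> section on the Ingress named test, the secret name foo-tls and the function names are constructed for this sample.</p>

```python
import json

def covers(tls_host, host):
    """True if a spec.tls host entry covers a rule host. A wildcard such as
    *.bar.com matches exactly one extra DNS label, never the bare domain."""
    tls_host, host = tls_host.lower(), host.lower()
    if tls_host == host:
        return True
    if tls_host.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == tls_host[2:]
    return False

def audit_tls(ingress_list):
    """Return (ingress, host, problem) tuples for an Ingress list dict."""
    findings = []
    for ing in ingress_list.get("items", []):
        name, spec = ing["metadata"]["name"], ing.get("spec", {})
        tls_hosts = []
        for entry in spec.get("tls", []):
            if entry.get("secretName"):
                tls_hosts += entry.get("hosts", [])
            else:
                findings.append((name, ",".join(entry.get("hosts", [])),
                                 "tls entry has no secretName"))
        for rule in spec.get("rules", []):
            host = rule.get("host")
            if not host:
                findings.append((name, "*", "rule has no host, TLS coverage unknown"))
            elif not any(covers(t, host) for t in tls_hosts):
                findings.append((name, host, "host not listed in spec.tls"))
    return findings

# Constructed sample: the page's HTTPS Ingress, and its "test" Ingress after
# bar.baz.com was added to rules while tls still lists only foo.bar.com.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "nginx-ingress"},
   "spec": {"tls": [{"hosts": ["www.xhyan.com"], "secretName": "tls-secret"}],
            "rules": [{"host": "www.xhyan.com"}]}},
  {"metadata": {"name": "test"},
   "spec": {"tls": [{"hosts": ["foo.bar.com"], "secretName": "foo-tls"}],
            "rules": [{"host": "foo.bar.com"}, {"host": "bar.baz.com"}]}}
]}
""")

if __name__ == "__main__":
    for finding in audit_tls(SAMPLE):
        print(*finding, sep="\t")
```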
Source: https://www.cnblogs.com/xhyan/p/13591382.html