Publishing Services with K8s Ingress





Note: Official Kubernetes Ingress installation guide: https://kubernetes.github.io/ingress-nginx/deploy/


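I. Installing and Deploying the Ingress Controller

Note: The Ingress Controller is a proxy service, similar to Nginx. An Ingress is the configuration of the Ingress Controller proxy, similar to the nginx.conf file of an Nginx service.


1. Kubernetes and Ingress Nginx version compatibility

Note: See the official Ingress documentation on the Kubernetes GitHub for the compatibility list: https://github.com/kubernetes/ingress-nginx

### Kubernetes version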
[root@k8s-master01 ~]# kubectl version
Client Version: v1.28.15
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.15



2. Install the Helm client (only needed on the master management node)

Note: Official Helm client installation guide: https://helm.sh/docs/intro/install/

wget https://get.helm.sh/helm-v3.17.0-linux-amd64.tar.gz -P /mnt/
tar xf /mnt/helm-v3.17.0-linux-amd64.tar.gz -C /mnt/
mv /mnt/linux-amd64/helm /usr/local/bin/helm
helm version

3. Download the Ingress Nginx Controller chart
### Add the official Ingress Nginx Helm repository
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo list

### Update the Helm repositories
helm repo update

### Download a specific version of the Ingress Nginx Controller chart
helm pull ingress-nginx/ingress-nginx --version 4.12.0

### Extract the downloaded Ingress Nginx Controller chart into a custom directory
mkdir -p /data/yaml/helm
tar xf /root/ingress-nginx-4.12.0.tgz -C /data/yaml/helm/

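4. Modify the Ingress Nginx Controller values.yaml file

(1) Change the official Ingress Controller image registry to a personal image registry

Note: If the official Ingress Controller image registry is unreachable, images can be pulled from a personal image registry instead.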

sed -i 's#registry: registry.k8s.io#registry: registry.cn-shenzhen.aliyuncs.com#g' /data/yaml/helm/ingress-nginx/values.yaml
sed -i 's#ingress-nginx/controller#k8sghost/controller#g' /data/yaml/helm/ingress-nginx/values.yaml
sed -i 's#ingress-nginx/kube-webhook-certgen#k8sghost/kube-webhook-certgen#g' /data/yaml/helm/ingress-nginx/values.yaml
sed -i 's#defaultbackend-amd64#k8sghost/defaultbackend-amd64#g'  /data/yaml/helm/ingress-nginx/values.yaml

(2) If you are not using the official Ingress Controller image registry, comment out the digest values

cat /data/yaml/helm/ingress-nginx/values.yaml | grep -w "digest:"
sed -i 's/digest:/#digest:/g' /data/yaml/helm/ingress-nginx/values.yaml
cat /data/yaml/helm/ingress-nginx/values.yaml | grep -w "digest:"
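
With digest commented out, the images are pulled by tag only, so nothing checks that the mirror serves the content you expect. The function below is an added example (not part of the original post or of the chart) that lists the image entries of a values.yaml left without an active digest, so they can be re-pinned with the digest of the mirrored image; the sample file, tags and digest strings are constructed.

```bash
#!/usr/bin/env bash
# unpinned_images FILE
# Prints the "image:" value of every image entry in a Helm values.yaml that has
# no active (uncommented) "digest: sha256:..." line before the next image entry.
unpinned_images() {
  awk '
    function emit() { if (name != "" && !pinned) print name }
    # An image entry with a value, e.g. "    image: k8sghost/controller".
    /^[ \t]*image:[ \t]*[^ \t#]/ { emit(); name = $2; pinned = 0; next }
    # An active digest line pins the image entry seen last.
    /^[ \t]*digest:[ \t]*sha256:/ { pinned = 1 }
    END { emit() }
  ' "$1"
}

# Constructed sample: values.yaml after steps (1) and (2), plus one entry
# (hypothetical) that has been re-pinned with a placeholder digest.
write_sample_values() {
  cat > "$1" << 'EOF'
controller:
  image:
    registry: registry.cn-shenzhen.aliyuncs.com
    image: k8sghost/controller
    tag: "v0.0.0-constructed"
    #digest: sha256:1111111111111111111111111111111111111111111111111111111111111111
  admissionWebhooks:
    patch:
      image:
        registry: registry.cn-shenzhen.aliyuncs.com
        image: k8sghost/kube-webhook-certgen
        tag: "v0.0.0-constructed"
        digest: sha256:2222222222222222222222222222222222222222222222222222222222222222
EOF
}
```

Run it against the real file with `unpinned_images /data/yaml/helm/ingress-nginx/values.yaml`.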

(3) Set hostNetwork to true

cat /data/yaml/helm/ingress-nginx/values.yaml | grep -w "hostNetwork: true"
sed -i 's#hostNetwork: false#hostNetwork: true#g' /data/yaml/helm/ingress-nginx/values.yaml
cat /data/yaml/helm/ingress-nginx/values.yaml | grep -w "hostNetwork: true"

(4) Set dnsPolicy to ClusterFirstWithHostNet

cat /data/yaml/helm/ingress-nginx/values.yaml | grep -w "dnsPolicy:"
sed -i 's# dnsPolicy: ClusterFirst# dnsPolicy: ClusterFirstWithHostNet#g' /data/yaml/helm/ingress-nginx/values.yaml
cat /data/yaml/helm/ingress-nginx/values.yaml | grep -w "dnsPolicy:"

(5) Add the label ingress: "true" to nodeSelector so the controller is deployed to specific nodes

### values.yaml contains three nodeSelector blocks; ingress: "true" must be added to each of them
[root@k8s-master01 ~]# vim /data/yaml/helm/ingress-nginx/values.yaml
nodeSelector:
  kubernetes.io/os: linux
  ingress: "true"

(6) Change kind to DaemonSet so that every node labeled ingress: "true" runs an Ingress Controller

cat /data/yaml/helm/ingress-nginx/values.yaml | grep -w "kind:"
sed -i 's#kind: Deployment#kind: DaemonSet#g' /data/yaml/helm/ingress-nginx/values.yaml
cat /data/yaml/helm/ingress-nginx/values.yaml | grep -w "kind:"

(7) Make this ingress nginx the default IngressClass

Note: Without a default IngressClass, a K8s cluster that runs several ingress nginx instances requires every Ingress YAML file to state which ingress nginx it applies to. With a default IngressClass set, that parameter can be omitted.

cat /data/yaml/helm/ingress-nginx/values.yaml | grep -w "default:"
sed -i 's#default: false#default: true#g' /data/yaml/helm/ingress-nginx/values.yaml
cat /data/yaml/helm/ingress-nginx/values.yaml | grep -w "default:"

5. Label the K8s cluster nodes that will run Ingress Nginx with ingress: "true"
kubectl label node k8s-node01 ingress=true
kubectl get nodes --show-labels -l ingress=true

6. Install and deploy Ingress Nginx
### Create a dedicated ingress-nginx namespace
kubectl create namespace ingress-nginx
kubectl get namespace

### Install Ingress Nginx
helm install ingress-nginx -n ingress-nginx /data/yaml/helm/ingress-nginx/
kubectl get pods -n ingress-nginx -owide

### Log in to the k8s-node01 node and check that port 80 is listening
[root@k8s-node01 ~]# netstat -tlunp | grep 80
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      24438/nginx: master 
tcp6       0      0 :::80                   :::*                    LISTEN      24438/nginx: master

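7. Create a simple Ingress to test access to an Nginx web service

Note: The Nginx Pod, its Service and the Ingress must be in the same namespace, but ingress-nginx-controller may run in a different namespace.

### Create a namespace and an Nginx Deployment in it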
kubectl create ns study-ingress
kubectl create deploy nginx --image=registry.cn-shenzhen.aliyuncs.com/dockerghost/nginx:1.24 -n study-ingress
kubectl get pods -n study-ingress

### Create the Service for the Nginx Pod
kubectl expose deploy nginx --port 80 -n study-ingress
kubectl get svc -n study-ingress 
curl  10.96.59.213

### Explanation of the Ingress YAML fields
apiVersion: networking.k8s.io/v1     # networking.k8s.io/v1 is required on k8s >= 1.22; on k8s < 1.22 use networking.k8s.io/v1beta1
kind: Ingress
metadata:
  labels:
    app: nginx-ingress
  name: nginx-ingress
  namespace: study-ingress
spec:
  rules:
  - host: nginx.test.com           # custom domain name used for access
    http:
      paths:
      - backend:
          service:
            name: nginx            # name of the Service
            port:
              number: 80           # port number of the Service
        path: /
        pathType: ImplementationSpecific
### pathType: how the path is matched; the available types are ImplementationSpecific, Exact and Prefix
# Exact: exact match. For example, with path set to /bar, /bar/ is not routed
# Prefix: prefix match on the URL path split by /. For example, path /abc matches /abc/bbb and so on; this is the most commonly used setting
# ImplementationSpecific: matching for this type is defined by the Ingress Controller, which may treat it as a separate type or the same as Prefix or Exact. ImplementationSpecific is the default setting as of version 1.18, which introduced Prefix and Exact
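
The Exact and Prefix rules described above, written out as a shell function. This is an added example, not part of the original post and not the controller's code; it follows the Kubernetes Ingress path-matching rules (Prefix compares whole path elements, so /abc does not match /abcd), leaves ImplementationSpecific out because the controller defines it, and uses constructed sample paths.

```bash
#!/usr/bin/env bash
# path_matches TYPE RULE_PATH REQUEST_PATH
# Returns 0 when REQUEST_PATH is routed by a rule of the given pathType,
# 1 when it is not, and 2 for a pathType this sketch does not model.
path_matches() {
  local type=$1 rule=$2 req=$3
  case "$type" in
    Exact)
      # Case-sensitive comparison of the whole path; a trailing slash matters.
      [ "$req" = "$rule" ]
      ;;
    Prefix)
      # Compare element by element after splitting on "/".
      # A trailing slash on either side is ignored.
      local r=${rule%/} q=${req%/}
      [ -z "$r" ] && return 0          # rule "/" matches every path
      [ "$q" = "$r" ] && return 0      # same list of elements
      case "$q" in
        "$r"/*) return 0 ;;            # rule is a prefix of whole elements
        *) return 1 ;;
      esac
      ;;
    *)
      echo "pathType $type is defined by the controller, not modelled here" >&2
      return 2
      ;;
  esac
}

# Constructed cases, including the two from the comments above.
print_match_table() {
  local type rule req
  while read -r type rule req; do
    if path_matches "$type" "$rule" "$req"; then
      printf '%-7s %-10s %-12s routed\n' "$type" "$rule" "$req"
    else
      printf '%-7s %-10s %-12s not routed\n' "$type" "$rule" "$req"
    fi
  done << 'EOF'
Exact /bar /bar
Exact /bar /bar/
Prefix /abc /abc/bbb
Prefix /abc /abcd
Prefix /abc/ /abc
Prefix / /any/path
EOF
}
print_match_table
```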

### Create an Ingress that points to the Service of the Nginx Pod
mkdir -p /data/yaml/helm/study-ingress
cat > /data/yaml/helm/study-ingress/nginx-ingress.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  labels:
    app: nginx-ingress
  name: nginx-ingress
  namespace: study-ingress
spec:
  rules:
  - host: nginx.test.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
EOF
kubectl create -f  /data/yaml/helm/study-ingress/nginx-ingress.yaml
kubectl get ingress -n study-ingress

### Check that the ingress-nginx-controller Pod has generated the nginx configuration for the host
kubectl get pods -n ingress-nginx
kubectl exec -it -n ingress-nginx ingress-nginx-controller-9k626 -- cat /etc/nginx/nginx.conf | grep "nginx.test.com"

### Test Ingress Nginx. The ingress-nginx-controller Pod currently runs on the k8s-node01 node, so resolving the DNS name nginx.test.com to the IP of k8s-node01 is enough
kubectl get pods -n ingress-nginx -owide
curl -H "Host:nginx.test.com" 172.20.235.204



II. Ingress Nginx SSL with the Ingress Controller


1. Generate an SSL certificate (skip this step if your company already has one)
### Generate an SSL certificate for the nginx.test.com domain
mkdir -p /data/yaml/helm/ingress-nginx/ssl
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /data/yaml/helm/ingress-nginx/ssl/tls.key -out /data/yaml/helm/ingress-nginx/ssl/tls.crt -subj "/CN=nginx.test.com"
ls -l /data/yaml/helm/ingress-nginx/ssl/

2. Configure TLS on Ingress Nginx (HTTP is force-redirected to HTTPS)
### Create a namespace and an Nginx Deployment in it
kubectl create ns study-ingress
kubectl create deploy nginx --image=registry.cn-shenzhen.aliyuncs.com/dockerghost/nginx:1.24 -n study-ingress
kubectl get pods -n study-ingress

### Create the Service for the Nginx Pod
kubectl expose deploy nginx --port 80 -n study-ingress
kubectl get svc -n study-ingress
curl http://10.96.114.226

### List the IngressClass names available in the K8s cluster
[root@k8s-master01 ~]# kubectl get ingressclass
NAME    CONTROLLER             PARAMETERS   AGE
nginx   k8s.io/ingress-nginx   <none>       2d18h

### Create the Secret
kubectl create secret tls ca-secret --cert=/data/yaml/helm/ingress-nginx/ssl/tls.crt --key=/data/yaml/helm/ingress-nginx/ssl/tls.key -n study-ingress
kubectl get secret -n study-ingress

### Create the Ingress with the TLS configuration
mkdir -p /data/yaml/helm/study-ingress
cat > /data/yaml/helm/study-ingress/nginx-ingress-tls.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  labels:
    app: nginx-ingress
  name: nginx-ingress
  namespace: study-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: nginx.test.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
  tls:
    - hosts:
      - nginx.test.com
      secretName: ca-secret
EOF
kubectl create -f  /data/yaml/helm/study-ingress/nginx-ingress-tls.yaml
kubectl get ingress -n study-ingress

### Check that the ingress-nginx-controller Pod has generated the SSL parameters in the nginx configuration
kubectl get pods -n ingress-nginx
kubectl exec -it -n ingress-nginx ingress-nginx-controller-g54xn  -- cat /etc/nginx/nginx.conf

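### Test (the certificate is self-signed, so pass it to curl as the trusted CA)
echo "172.20.235.204   nginx.test.com" >> /etc/hosts
curl --cacert /data/yaml/helm/ingress-nginx/ssl/tls.crt https://nginx.test.com

3. Configure Ingress Nginx without the forced redirect to HTTPS
### Modify the Ingress and add the annotations parameter
### Create the Ingress with the TLS configuration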
cat > /data/yaml/helm/study-ingress/nginx-ingress-tls.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
  labels:
    app: nginx-ingress
  name: nginx-ingress
  namespace: study-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: nginx.test.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
  tls:
    - hosts:
      - nginx.test.com
      secretName: ca-secret
EOF
kubectl apply -f /data/yaml/helm/study-ingress/nginx-ingress-tls.yaml 
kubectl get ingress nginx-ingress -n study-ingress -oyaml



III. Other Ingress Nginx features with the Ingress Controller


1. Ingress Nginx Redirect: domain redirection

Note: Official Kubernetes annotations reference: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/

Note: When Nginx acts as a proxy server, Redirect can be used to redirect a domain name, for example redirecting requests for ingress.test.com to the new domain www.baidu.com. Ingress makes Redirect simpler to implement.

### Create the Ingress with the redirect annotations and apply it
cat > /data/yaml/helm/study-ingress/nginx-ingress-redirect.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/permanent-redirect: https://www.baidu.com
    nginx.ingress.kubernetes.io/permanent-redirect-code: '308'
  labels:
    app: nginx-ingress-redirect
  name: nginx-ingress-redirect
  namespace: study-ingress
spec:
  rules:
  - host: ingress.test.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
EOF
kubectl create -f /data/yaml/helm/study-ingress/nginx-ingress-redirect.yaml
kubectl get ingress -n study-ingress

### Check that the ingress-nginx-controller Pod has generated the nginx configuration for the host
kubectl get pods -n ingress-nginx
kubectl exec -it -n ingress-nginx ingress-nginx-controller-9k626 -- cat /etc/nginx/nginx.conf | grep "ingress.test.com"
kubectl exec -it -n ingress-nginx ingress-nginx-controller-9k626 -- cat /etc/nginx/nginx.conf | grep www.baidu.com

### Test Ingress Nginx
kubectl get pods -n ingress-nginx -owide
curl -H "Host:ingress.test.com" 172.20.235.204 -I

2. Ingress Nginx Rewrite for front-end/back-end separation

Note: Official Kubernetes annotations Rewrite guide: https://kubernetes.github.io/ingress-nginx/examples/rewrite/

Experiment: a request to http://nginx.test.com is routed to the home page of the nginx-index container, and a request to http://nginx.test.com/api-a is routed to the home page of the nginx-api container.

### Create a namespace and the Nginx Deployments in it
kubectl create ns study-ingress
kubectl create deploy nginx-index --image=registry.cn-shenzhen.aliyuncs.com/dockerghost/nginx:1.24 -n study-ingress
kubectl create deploy nginx-api --image=registry.cn-shenzhen.aliyuncs.com/dockerghost/nginx:1.26 -n study-ingress
kubectl get deploy -n study-ingress
kubectl get pods -n study-ingress

### Create the Services for the Nginx Pods
kubectl expose deploy nginx-index --port 80 -n study-ingress
kubectl expose deploy nginx-api --port 80 -n study-ingress
kubectl get svc -n study-ingress 

### Change the home page content of the nginx-api container
kubectl get pods -n study-ingress
kubectl -n study-ingress exec -it nginx-api-5477d9689-f6hsm -- bash
echo "This is a API">/usr/share/nginx/html/index.html
cat /usr/share/nginx/html/index.html
exit

### Access the home pages of the two Nginx containers
kubectl get svc -n study-ingress 
curl 10.96.128.232
curl 10.96.208.29

### Create the Ingress named nginx-index-ingress (serves the Nginx / path)
mkdir -p /data/yaml/helm/study-ingress
cat > /data/yaml/helm/study-ingress/nginx-index-ingress.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  labels:
    app: nginx-index-ingress
  name: nginx-index-ingress
  namespace: study-ingress
spec:
  rules:
  - host: nginx.test.com
    http:
      paths:
      - backend:
          service:
            name: nginx-index
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
EOF
kubectl create -f  /data/yaml/helm/study-ingress/nginx-index-ingress.yaml
kubectl get ingress -n study-ingress
kubectl get pods -n study-ingress

### Create the Ingress named nginx-api-ingress (serves the Nginx /api-a path)
cat > /data/yaml/helm/study-ingress/nginx-api-ingress.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
  labels:
    app: nginx-api-ingress
  name: nginx-api-ingress
  namespace: study-ingress
spec:
  rules:
  - host: nginx.test.com
    http:
      paths:
      - backend:
          service:
            name: nginx-api
            port:
              number: 80
        path: /api-a(/|$)(.*)
        pathType: ImplementationSpecific
EOF
kubectl create -f  /data/yaml/helm/study-ingress/nginx-api-ingress.yaml
kubectl get ingress -n study-ingress
kubectl get pods -n study-ingress

### Test
echo "172.20.235.204   nginx.test.com" >> /etc/hosts
curl http://nginx.test.com
curl http://nginx.test.com/api-a
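
How the path /api-a(/|$)(.*) and rewrite-target /$2 from nginx-api-ingress turn a request path into the path the nginx-api backend receives, emulated with sed. This is an added example, not part of the original post and not the controller's code; the request paths are constructed, and anchoring the pattern at the start of the path is an assumption of the sketch.

```bash
#!/usr/bin/env bash
# rewrite_path PATH_REGEX REWRITE_TARGET REQUEST_PATH
# Prints the path the backend receives, or returns 1 when the rule does not
# match the request. $1..$9 in REWRITE_TARGET refer to capture groups.
rewrite_path() {
  local regex=$1 target=$2 request=$3 sed_target result
  # sed writes capture groups as \1, \2 ...; the annotation writes $1, $2 ...
  sed_target=$(printf '%s' "$target" | sed -E 's/\$([1-9])/\\\1/g')
  # "#" is the sed delimiter because paths contain "/". The pattern is anchored
  # at the start of the path (assumption of this sketch).
  result=$(printf '%s\n' "$request" | sed -E -n "s#^${regex}#${sed_target}#p")
  [ -n "$result" ] || return 1
  printf '%s\n' "$result"
}

# Constructed requests against the rule from nginx-api-ingress.
# The (/|$) group is what keeps /api-abc from being treated as /api-a.
show_rewrites() {
  local p out
  for p in /api-a /api-a/ /api-a/users/1 /api-abc; do
    if out=$(rewrite_path '/api-a(/|$)(.*)' '/$2' "$p"); then
      printf '%-16s -> nginx-api receives %s\n' "$p" "$out"
    else
      printf '%-16s -> no match, handled by the / rule (nginx-index)\n' "$p"
    fi
  done
}
show_rewrites
```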

3. Ingress Nginx: friendly pages for error codes

Note: Official Kubernetes guide to the Nginx ConfigMap parameters: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/

### Modify the values.yaml file of the Ingress Nginx Helm chart
[root@k8s-master01 ~]# vim /data/yaml/helm/ingress-nginx/values.yaml
# Change the enabled parameter of defaultBackend from false to true
defaultBackend:
  ##
  enabled: true
  name: defaultbackend
# Add the custom apiVersion, custom-http-errors and client_max_body_size error-code parameters
controller:
  name: controller
  config:
    apiVersion: v1
    client_max_body_size: 20m
    custom-http-errors: "404,415,503"

### Upgrade Ingress Nginx
helm upgrade ingress-nginx -n ingress-nginx /data/yaml/helm/ingress-nginx/
kubectl get pods -n ingress-nginx -owide

### Check the data section of the Ingress Nginx ConfigMap
kubectl get cm -n ingress-nginx
kubectl get cm ingress-nginx-controller -n ingress-nginx -oyaml

### Test: requesting an Nginx page that does not exist returns default backend - 404
echo "172.20.235.204   nginx.test.com" >> /etc/hosts
curl http://nginx.test.com/123

4. Ingress Nginx: matching request headers

Note: Official Kubernetes reference for the server-snippet annotation: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#server-snippet

Experiment: when a request to http://nginx.test.com carries a desktop User-Agent header it is routed to the home page of the nginx-laptop container, and when a request to http://nginx.test.com carries a mobile User-Agent header it is routed to the home page of the nginx-phone container.

(1) Enable the snippet feature in Ingress Nginx

Note: If the Ingress Controller was deployed with Helm chart version 4.12.0 or later, the following parameters must be added to enable the snippet feature before it can be used.

### The snippet feature is disabled by default and must be enabled before use
cat /data/yaml/helm/ingress-nginx/values.yaml | grep -w "allowSnippetAnnotations"
sed -i 's#allowSnippetAnnotations: false#allowSnippetAnnotations: true#g' /data/yaml/helm/ingress-nginx/values.yaml

### Add the following Helm parameter: controller.config.annotations-risk-level: Critical
[root@k8s-master01 ~]# vim /data/yaml/helm/ingress-nginx/values.yaml
  config:
    annotations-risk-level: Critical

### Upgrade Ingress Nginx
helm upgrade ingress-nginx -n ingress-nginx /data/yaml/helm/ingress-nginx/
kubectl get pods -n ingress-nginx

### Check that the Ingress Nginx ConfigMap has taken effect
kubectl get cm ingress-nginx-controller -n ingress-nginx -oyaml
# Shows allow-snippet-annotations: "true" and annotations-risk-level: Critical
apiVersion: v1
data:
  allow-snippet-annotations: "true"
  annotations-risk-level: Critical
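
With allow-snippet-annotations enabled and the risk level at Critical, any account that can create or edit an Ingress can place raw nginx directives into the controller's configuration, so it is worth keeping an inventory of which Ingress objects use snippet annotations. The script below is an added example, not part of the original post; the sample lines are constructed, the Ingress name demo-ingress is hypothetical, and it assumes a kubectl version that prints the annotations map as JSON in jsonpath output.

```bash
#!/usr/bin/env bash
# Emits one line per Ingress: "<namespace>/<name><TAB><annotations as JSON>".
# Needs cluster access, so it is defined here but not called.
list_ingress_annotations() {
  kubectl get ingress -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"/"}{.metadata.name}{"\t"}{.metadata.annotations}{"\n"}{end}'
}

# Reads those lines on stdin and prints "<namespace>/<name> <annotation>" for
# every nginx.ingress.kubernetes.io/*snippet annotation key it finds.
find_snippet_annotations() {
  awk -F'\t' '{
    rest = $2
    while (match(rest, /nginx\.ingress\.kubernetes\.io\/[a-z-]*snippet"/)) {
      # RLENGTH - 1 drops the closing quote of the JSON key.
      print $1, substr(rest, RSTART, RLENGTH - 1)
      rest = substr(rest, RSTART + RLENGTH)
    }
  }'
}

# Constructed sample in the format produced by list_ingress_annotations.
sample_lines() {
  printf '%s\t%s\n' \
    'study-ingress/nginx-laptop-ingress' '{"nginx.ingress.kubernetes.io/server-snippet":"set $agentflag 0;"}' \
    'study-ingress/nginx-api-ingress' '{"nginx.ingress.kubernetes.io/rewrite-target":"/$2"}' \
    'production/demo-ingress' '{"nginx.ingress.kubernetes.io/configuration-snippet":"add_header X-Demo 1;"}'
}

sample_lines | find_snippet_annotations
```

On a live cluster, run `list_ingress_annotations | find_snippet_annotations`.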

(2) Deploy the mobile Ingress Nginx

### Create the mobile Deployment
kubectl create ns study-ingress
kubectl create deploy nginx-phone --image=registry.cn-shenzhen.aliyuncs.com/dockerghost/nginx:1.24 -n study-ingress
kubectl get deploy -n study-ingress
kubectl get pods -n study-ingress

### Expose the Service for the Nginx Pod
kubectl expose deploy nginx-phone --port 80 -n study-ingress
kubectl get svc -n study-ingress

### Change the home page content of the nginx-phone container
kubectl get pods -n study-ingress
kubectl -n study-ingress exec -it nginx-phone-b54b88d75-qv5dg -- bash
echo "This is a phone html">/usr/share/nginx/html/index.html
cat /usr/share/nginx/html/index.html
exit

### Access the home page of the nginx-phone container
kubectl get svc -n study-ingress 
curl 10.96.77.40

### Create the Ingress for nginx-phone
mkdir -p /data/yaml/helm/study-ingress
cat > /data/yaml/helm/study-ingress/nginx-phone-ingress.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  labels:
    app: nginx-phone-ingress
  name: nginx-phone-ingress
  namespace: study-ingress
spec:
  rules:
  - host: phone.test.com
    http:
      paths:
      - backend:
          service:
            name: nginx-phone
            port:
              number: 80
        path: /
        pathType: Prefix
EOF
kubectl create -f /data/yaml/helm/study-ingress/nginx-phone-ingress.yaml
kubectl get ingress -n study-ingress

(3) Deploy the desktop Ingress Nginx

### Create the desktop Deployment
kubectl create ns study-ingress
kubectl create deploy nginx-laptop --image=registry.cn-shenzhen.aliyuncs.com/dockerghost/nginx:1.26 -n study-ingress
kubectl get deploy -n study-ingress
kubectl get pods -n study-ingress

### Expose the Service for the Nginx Pod
kubectl expose deploy nginx-laptop --port 80 -n study-ingress
kubectl get svc -n study-ingress

### Change the home page content of the nginx-laptop container
kubectl get pods -n study-ingress
kubectl -n study-ingress exec -it nginx-laptop-64b69d4bb7-q7ztn -- bash
echo "This is a laptop html">/usr/share/nginx/html/index.html
cat /usr/share/nginx/html/index.html
exit

### Access the home page of the nginx-laptop container
kubectl get svc -n study-ingress 
curl 10.96.44.161

### Create the Ingress for nginx-laptop
cat > /data/yaml/helm/study-ingress/nginx-laptop-ingress.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/server-snippet: |
        set $agentflag 0;

        if ($http_user_agent ~* "(Android|iPhone|WindowsPhone|UC|Kindle)" ){
          set $agentflag 1;
        }

        if ( $agentflag = 1 ) {
          return 301 http://phone.test.com;
        }
  labels:
    app: nginx-laptop-ingress
  name: nginx-laptop-ingress
  namespace: study-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: laptop.test.com
    http:
      paths:
      - backend:
          service:
            name: nginx-laptop
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
EOF
kubectl create -f  /data/yaml/helm/study-ingress/nginx-laptop-ingress.yaml
kubectl get ingress -n study-ingress

(4) Open a browser and simulate access from a mobile device and from a desktop


5. Ingress Nginx: adding username and password authentication

Note: Official Kubernetes Ingress Nginx guide: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/

Note: Official Kubernetes Ingress Nginx guide: https://kubernetes.github.io/ingress-nginx/examples/auth/basic/

### Create a namespace and an Nginx Deployment in it
kubectl create ns study-ingress
kubectl create deploy nginx --image=registry.cn-shenzhen.aliyuncs.com/dockerghost/nginx:1.24 -n study-ingress
kubectl get pods -n study-ingress

### Create the Service for the Nginx Pod
kubectl expose deploy nginx --port 80 -n study-ingress
kubectl get svc -n study-ingress 
curl  10.96.59.213

### Install the htpasswd tool and generate the username and password
yum install httpd -y
mkdir -p /data/yaml/helm/study-ingress/passwd
htpasswd -c /data/yaml/helm/study-ingress/passwd/auth admin
# cat /data/yaml/helm/study-ingress/passwd/auth
admin:$apr1$/kaaohHW$xhb8XFravmWWzKSIu/cvg/

### Create the Secret
kubectl create secret generic basic-auth --from-file=/data/yaml/helm/study-ingress/passwd/auth -n study-ingress
kubectl get secret -n study-ingress
kubectl get secret basic-auth -n study-ingress -oyaml

### Create the Ingress
mkdir -p /data/yaml/helm/study-ingress
cat > /data/yaml/helm/study-ingress/nginx-ingress-passwd.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-realm: 'Please Input Your Username and Password'
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-type: basic
  labels:
    app: nginx-ingress-passwd
  name: nginx-ingress-passwd
  namespace: study-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: nginx.test.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
EOF
kubectl create -f /data/yaml/helm/study-ingress/nginx-ingress-passwd.yaml
kubectl get ingress -n study-ingress

### Parameter description
# nginx.ingress.kubernetes.io/auth-realm: message shown when password authentication is required
# nginx.ingress.kubernetes.io/auth-secret: name of the Secret created earlier
# nginx.ingress.kubernetes.io/auth-type: authentication type, either basic or digest

Open a browser and test access


6. Ingress Nginx: deny-list and allow-list access control

(1) Create the test Deployment and Service

### Create a namespace and an Nginx Deployment in it
kubectl create ns study-ingress
kubectl create deploy nginx --image=registry.cn-shenzhen.aliyuncs.com/dockerghost/nginx:1.24 -n study-ingress
kubectl get pods -n study-ingress

### Create the Service for the Nginx Pod
kubectl expose deploy nginx --port 80 -n study-ingress
kubectl get svc -n study-ingress 
curl -H "Host:nginx.test.com" 10.96.67.221
curl -H "Host:nginx.test.com" 10.96.67.221 -I

(2) Create an Ingress with a deny list

### Create an Ingress with a deny list: block the k8s-node02 node IP from the Nginx home page
mkdir -p /data/yaml/helm/study-ingress
cat > /data/yaml/helm/study-ingress/nginx-ingress-denylist.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/denylist-source-range: 172.20.235.205
  labels:
    app: nginx-ingress-passwd
  name: nginx-ingress-passwd
  namespace: study-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: nginx.test.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
EOF
kubectl create -f /data/yaml/helm/study-ingress/nginx-ingress-denylist.yaml 
kubectl get ingress -n study-ingress

### Log in to k8s-node02 and test access; a 403 Forbidden error is returned
curl -H "Host:nginx.test.com" 172.20.235.204
curl -H "Host:nginx.test.com" 172.20.235.204 -I

(3) Create an Ingress with an allow list

### Create an Ingress with an allow list: only the k8s-node02 node IP may access the Nginx home page
mkdir -p /data/yaml/helm/study-ingress
cat > /data/yaml/helm/study-ingress/nginx-ingress-denylist.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: 172.20.235.205
  labels:
    app: nginx-ingress-passwd
  name: nginx-ingress-passwd
  namespace: study-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: nginx.test.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
EOF
# The Ingress nginx-ingress-passwd already exists from step (2), so replace it
kubectl replace -f /data/yaml/helm/study-ingress/nginx-ingress-denylist.yaml
kubectl get ingress -n study-ingress

### Log in to k8s-node02 and test access; it works normally
curl -H "Host:nginx.test.com" 172.20.235.204
curl -H "Host:nginx.test.com" 172.20.235.204 -I

### Log in to any other node of the k8s cluster and test access; a 403 Forbidden error is returned
curl -H "Host:nginx.test.com" 172.20.235.204
curl -H "Host:nginx.test.com" 172.20.235.204 -I

7. Ingress Nginx: connection limiting

Note: Official Kubernetes annotations reference for deny-list and allow-list configuration: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/

### Create a namespace and an Nginx Deployment in it
kubectl create ns study-ingress
kubectl create deploy nginx --image=registry.cn-shenzhen.aliyuncs.com/dockerghost/nginx:1.24 -n study-ingress
kubectl get pods -n study-ingress

### Create the Service for the Nginx Pod
kubectl expose deploy nginx --port 80 -n study-ingress
kubectl get svc -n study-ingress 
curl -H "Host:nginx.test.com" 10.96.67.221
curl -H "Host:nginx.test.com" 10.96.67.221 -I

### Create the Ingress: no connection limit configured
mkdir -p /data/yaml/helm/study-ingress
cat > /data/yaml/helm/study-ingress/nginx-ingress-limit.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  labels:
    app: nginx-ingress-passwd
  name: nginx-ingress-passwd
  namespace: study-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: nginx.test.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
EOF
kubectl create -f /data/yaml/helm/study-ingress/nginx-ingress-limit.yaml
kubectl get ingress -n study-ingress

### Log in to another Linux test host and test the connection count with the ab tool
[root@testmysql01 ~]# echo "172.20.235.204  nginx.test.com" >> /etc/hosts
[root@testmysql01 ~]# yum install httpd -y
[root@testmysql01 ~]# ab -c 100 -n 1000 http://nginx.test.com/ | grep requests
Complete requests:      1000
Failed requests:        0
Time per request:       0.199 [ms] (mean, across all concurrent requests)
Percentage of the requests served within a certain time (ms)

### Create the Ingress: connection limit set to 10
cat > /data/yaml/helm/study-ingress/nginx-ingress-limit.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/limit-connections: "10"
  labels:
    app: nginx-ingress-passwd
  name: nginx-ingress-passwd
  namespace: study-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: nginx.test.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
EOF
kubectl replace -f /data/yaml/helm/study-ingress/nginx-ingress-limit.yaml
kubectl get ingress -n study-ingress

### Log in to another Linux test host and test the connection count with the ab tool
[root@testmysql01 ~]# ab -c 100 -n 1000 http://nginx.test.com/ | grep requests
Complete requests:      1000
Failed requests:        679
Time per request:       0.215 [ms] (mean, across all concurrent requests)
Percentage of the requests served within a certain time (ms)

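### Other rate-limiting parameters
# Limit the number of requests per second from a single IP:
nginx.ingress.kubernetes.io/limit-rps
# Limit the number of requests per minute from a single IP:
nginx.ingress.kubernetes.io/limit-rpm
# Limit the number of bytes per second sent to the client, in K; requires proxy-buffering to be enabled:
nginx.ingress.kubernetes.io/limit-rate
# Rate-limit whitelist
nginx.ingress.kubernetes.io/limit-whitelist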

8. Ingress Nginx: canary (grayscale) release

Note: Official Kubernetes annotations reference for canary releases: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/

### Create a production namespace and a test namespace
kubectl create namespace production
kubectl create namespace test
kubectl get ns

### Create a production Deployment and a test Deployment
kubectl create deploy nginx-production --image=registry.cn-shenzhen.aliyuncs.com/dockerghost/nginx:1.24 -n production
kubectl create deploy nginx-test --image=registry.cn-shenzhen.aliyuncs.com/dockerghost/nginx:1.24 -n test
kubectl get deployment -n production
kubectl get pods -n production
kubectl get deployment -n test
kubectl get pods -n test

### Change the home page content of the production Nginx container and the test Nginx container
kubectl get pods -n production
kubectl exec -it -n production nginx-production-5f6b664b98-22ndr -- bash
echo "Production Project" > /usr/share/nginx/html/index.html 
cat /usr/share/nginx/html/index.html 
exit
kubectl get pods -n test
kubectl exec -it -n test nginx-test-8655f87d6f-h5n6g -- bash 
echo "Test Project" > /usr/share/nginx/html/index.html 
cat /usr/share/nginx/html/index.html 
exit

### Create the Services for the production Nginx and the test Nginx
kubectl expose deploy nginx-production --port 80 -n production
kubectl expose deploy nginx-test --port 80 -n test
kubectl get svc -n production
kubectl get svc -n test
curl -H "Host:nginx.test.com" 10.96.94.47
curl -H "Host:nginx.test.com" 10.96.254.241

### Create the nginx-production Ingress for the production system
mkdir -p /data/yaml/helm/study-ingress
cat > /data/yaml/helm/study-ingress/nginx-ingress-production.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  labels:
    app: nginx-ingress-production
  name: nginx-ingress-production
  namespace: production
spec:
  ingressClassName: nginx
  rules:
  - host: nginx.test.com
    http:
      paths:
      - backend:
          service:
            name: nginx-production
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
EOF
kubectl create -f /data/yaml/helm/study-ingress/nginx-ingress-production.yaml
kubectl get ingress -n production
kubectl get ingress nginx-ingress-production -n production -oyaml

### Create the nginx-test Ingress for the test system (the canary release takes 50% of production traffic)
cat > /data/yaml/helm/study-ingress/nginx-ingress-test.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/canary: "true"
    nginx.ingress.kubernetes.io/canary-weight: "50"
  labels:
    app: nginx-ingress-test
  name: nginx-ingress-test
  namespace: test
spec:
  ingressClassName: nginx
  rules:
  - host: nginx.test.com
    http:
      paths:
      - backend:
          service:
            name: nginx-test
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
EOF
kubectl create -f /data/yaml/helm/study-ingress/nginx-ingress-test.yaml
kubectl get ingress -n test
kubectl get ingress nginx-ingress-test -n test -oyaml

### Test
[root@testmysql01 ~]# for ((i=1;i<=20;i++));do curl http://nginx.test.com;done
Production Project
Production Project
Test Project
Production Project
Test Project
Test Project
Production Project
Production Project
Production Project
Production Project
Test Project
Production Project
Test Project
Test Project
Production Project
Test Project
Test Project
Test Project
Production Project
Production Project