我们知道service的表现形式为IP:PORT,即工作在第四层传输层(TCP/IP层),那么对于不同的URL地址经常对应用不同的后端服务或者虚拟服务器,这些应用层的转发机制仅通过kubernetes的service机制是无法实现的,这种情况我们可以使用ingress策略定义和一个具体的ingress Controller,两者结合实现一个完整的Ingress 负载均衡,这个负载均衡是基于nginx七层反向代理来实现。
k8s 对外暴露服务(service)主要有两种方式:NotePort, LoadBalance, 此外externalIPs也可以使各类service对外提供服务,但是当集群服务很多的时候,NodePort方式最大的缺点是会占用很多集群机器的端口;LB方式最大的缺点则是每个service一个LB又有点浪费和麻烦,并且需要k8s之外的支持; 而ingress则只需要一个NodePort或者一个LB就可以满足所有service对外服务的需求。工作机制大致可以用下图表示:
一种全局的、为了代理不同后端 Service 而设置的负载均衡服务,就是 Kubernetes 里的Ingress 服务。
Ingress由两部分组成:Ingress controller和Ingress服务。
Ingress Controller 会根据你定义的 Ingress 对象,提供对应的代理能力。业界常用的各种反向代理项目,比如 Nginx、HAProxy、Envoy、Traefik 等,都已经为Kubernetes 专门维护了对应的 Ingress Controller。
实际上,ingress相当于一个7层的负载均衡器,是k8s对反向代理的一个抽象。大概的工作原理也确实类似于Nginx,可以理解成在 Ingress 里建立一个个映射规则 , ingress Controller 通过监听 Ingress里的配置规则并转化成 Nginx 的配置 , 然后对外部提供服务。ingress包括:在这里有两个核心概念:
Ingress:kubernetes中的一个对象,作用是定义请求如何转发到service的规则
ingress controller: 核心是一个deployment,实现方式有很多,比如nginx, Contour, Haproxy,需要编写的yaml有:Deployment, Service, ConfigMap, ServiceAccount(Auth),其中service的类型可以是NodePort或者LoadBalancer。
Ingress(以nginx为例)的工作原理如下:
1、用户编写Ingress规则,说明那个域名对应kubernetes集群中的那个Service
2、Ingress Controller动态感知Ingress服务规则的变化,然后生成一段对应的Nginx反向代理配置
3、Ingress Controller会将生成的nginx配置写入到一个运行着的Nginx服务中,并动态更新
4、到此为止,其实真正在工作的就是一个Nginx了,内部配置了用户定义的请求转发规则
官网:https://kubernetes.github.io/ingress-nginx/
网络不好可下载:百度网盘
yaml链接:https://pan.baidu.com/s/1DRuXSF-KOQ5wKz-nYEciRQ?pwd=o7r9
提取码:o7r9
镜像链接:https://pan.baidu.com/s/1p-fTf6ggGsQrDo_XIdUmXQ?pwd=9xi3
提取码:9xi3
应用ingress controller定义文件
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/mandatory.yaml
应用ingress-service定义文件
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/provider/baremetal/service-nodeport.yaml
[root@k8s-master1 ~]# kubectl -n ingress-nginx get pod
NAME READY STATUS RESTARTS AGE
nginx-ingress-controller-7f74f657bd-vrgg6 1/1 Running 0 106m
[root@k8s-master1 ~]# kubectl -n ingress-nginx get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.0.0.126 <none> 80:30726/TCP,443:30852/TCP 116m
为了后面的实验比较方便,创建如下图所示的模型
1、创建tomcat-nginx.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
namespace: dev
spec:
replicas: 3
selector:
matchLabels:
app: nginx-pod
template:
metadata:
labels:
app: nginx-pod
spec:
containers:
- name: nginx
image: nginx:1.17.1
ports:
- containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: tomcat-deployment
namespace: dev
spec:
replicas: 3
selector:
matchLabels:
app: tomcat-pod
template:
metadata:
labels:
app: tomcat-pod
spec:
containers:
- name: tomcat
image: tomcat:8.5-jre10-slim
ports:
- containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: nginx-service
namespace: dev
spec:
ports:
- port: 80
name: nginx
clusterIP: None
selector:
app: nginx-pod
---
apiVersion: v1
kind: Service
metadata:
name: tomcat-service
namespace: dev
spec:
ports:
- port: 8080
name: tomcat
clusterIP: None
selector:
app: tomcat-pod
创建
[root@k8s-master1 http]# kubectl apply -f tomcat-nginx.yaml
deployment.apps/nginx-deployment created
deployment.apps/tomcat-deployment created
查看
[root@k8s-master1 http]# kubectl get svc -n dev
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
nginx-service ClusterIP None <none> 80/TCP 59m
tomcat-service ClusterIP None <none> 8080/TCP 59m
1、创建ingress-http.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-http
namespace: dev
spec:
rules:
- host: nginx.itheima.com
http:
paths:
- path: /
backend:
serviceName: nginx-service
servicePort: 80
- host: tomcat.itheima.com
http:
paths:
- path: /
backend:
serviceName: tomcat-service
servicePort: 8080
#创建
[root@k8s-master1 http]# kubectl create -f ingress-http.yaml
ingress.extensions/ingress-http created
#查看
[root@k8s-master1 http]# kubectl get ing ingress-http -n dev
NAME HOSTS ADDRESS PORTS AGE
ingress-http nginx.itheima.com,tomcat.itheima.com 80 18s
#查看详细
[root@k8s-master1 http]# kubectl describe ing ingress-http -n dev
Name: ingress-http
Namespace: dev
nginx.itheima.com
/ nginx-service:80 (10.244.1.132:80,10.244.1.135:80,10.244.1.139:80)
tomcat.itheima.com
/ tomcat-service:8080 (10.244.1.129:8080,10.244.1.134:8080,10.244.1.140:8080)
Annotations:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 48s nginx-ingress-controller Ingress dev/ingress-http
#查看ingress-controller得nginx配置是否发生修改
[root@k8s-master1 http]# kubectl exec -it nginx-ingress-controller-7f74f657bd-t8pvt sh -n ingress-nginx
/etc/nginx $ cat nginx.conf|grep nginx.itheima.com
## start server nginx.itheima.com
server_name nginx.itheima.com ;
## end server nginx.itheima.com
/etc/nginx $ cat nginx.conf|grep tomcat.itheima.com
## start server tomcat.itheima.com
server_name tomcat.itheima.com ;
## end server tomcat.itheima.com
2、测试http是否成功
#查看svc端口
[root@k8s-master1 http]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.0.0.126 <none> 80:30726/TCP,443:30852/TCP 25h
进入windows编辑C:\Windows\System32\drivers\etc\hosts
进入谷歌访问
1、创建证书
#生成证书
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/C=CN/ST=BJ/L=BJ/O=nginx/CN=itheima.com"
#创建密钥
kubectl create secret tls tls-secret --key tls.key --cert tls.crt
创建ingress-https.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-https
namespace: dev
spec:
tls:
- hosts:
- nginx.itheima.com
- tomcat.itheima.com
rules:
- host: nginx.itheima.com
http:
paths:
- path: /
backend:
serviceName: nginx-service
servicePort: 80
- host: tomcat.itheima.com
http:
paths:
- path: /
backend:
serviceName: tomcat-service
servicePort: 8080
#创建
[root@k8s-master1 http]# vim ingress-https.yaml
[root@k8s-master1 http]# kubectl create -f ingress-https.yaml
ingress.extensions/ingress-https created
#查看
[root@k8s-master1 http]# kubectl get ing ingress-https -n dev
NAME HOSTS ADDRESS PORTS AGE
ingress-https nginx.itheima.com,tomcat.itheima.com 10.0.0.126 80, 443 41s
#查看详情和http不同的是多了TLS
[root@k8s-master1 http]# kubectl describe ing ingress-https -n dev
Name: ingress-https
Namespace: dev
Address: 10.0.0.126
TLS:
SNI routes nginx.itheima.com,tomcat.itheima.com
nginx.itheima.com
/ nginx-service:80 (10.244.1.132:80,10.244.1.135:80,10.244.1.139:80)
tomcat.itheima.com
/ tomcat-service:8080 (10.244.1.129:8080,10.244.1.134:8080,10.244.1.140:8080)
Annotations:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 66s nginx-ingress-controller Ingress dev/ingress-https
Normal UPDATE 37s nginx-ingress-controller Ingress dev/ingress-https
2、测试http是否成功
#查看svc端口
[root@k8s-master1 http]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.0.0.126 <none> 80:30726/TCP,443:30852/TCP 25h
进入windows编辑C:\Windows\System32\drivers\etc\hosts
进入谷歌访问
