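Ingress Support

Last updated: 2020-10-21 15:38:57

An Ingress is a collection of rules in a Kubernetes cluster that authorize inbound connections to reach cluster services. By configuring forwarding rules, you can route different URLs to different Services inside the cluster, which gives you HTTP-layer routing for your applications.

Prerequisites for using Ingress

For Ingress to work, an Ingress Controller must be deployed in the cluster to provide a single entry point for all backend Services. Here we use Traefik as the cluster's Ingress Controller. The YAML for deploying Traefik is as follows: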

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system
---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---

kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
      name: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      nodeSelector:
        kubernetes.io/role: "node"
      tolerations:
      - operator: Exists
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      - image: hub.kce.ksyun.com/ksyun/traefik:v1.6.5-mp
        name: traefik-ingress-lb
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
        - --entryPoints=Name:https Address::443 TLS
        - --entryPoints=Name:http Address::80
        - --defaultentrypoints=https,http
---

kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  type: LoadBalancer
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 443
      name: tls
    - protocol: TCP
      port: 8080
      name: admin

To make the Traefik service reachable from outside the cluster, the Service for traefik-ingress-controller is set to type LoadBalancer.

Check the Traefik deployment:

[[email protected] ~]# kubectl get ds -n kube-system | grep traefik
traefik-ingress-controller       2         2         2       2            2           kubernetes.io/role=node   3m16s

Check the corresponding Service:

[[email protected] ~]# kubectl get svc -n kube-system | grep traefik
traefik-ingress-service   LoadBalancer   10.254.67.8     120.92.123.155   80:32676/TCP,443:31720/TCP,8080:31840/TCP   105m

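Here the traefik-ingress-controller service is exposed to the public network through a Kingsoft Cloud load balancer. The output shows that it listens on three ports: 80, 8080 and 443. Ports 80 and 443 are the service ports and 8080 is the UI port, so users can reach the Traefik UI at the load balancer's IP on port 8080.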
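The Service above publishes port 8080 (the Traefik UI enabled by --api, with no authentication configured in the container args) on the same public load balancer as ports 80 and 443. The following is an added example, not part of the original document: a variant that keeps only 80 and 443 on the LoadBalancer Service and moves the admin port to a separate ClusterIP Service. The Service name traefik-admin is an assumption chosen for this example.

```yaml
# Added example (not from the original page): public traffic and the
# admin/UI port are split into two Services with the same pod selector.

# Public entry point: only the HTTP and HTTPS ports reach the load balancer.
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  type: LoadBalancer
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 443
      name: tls
---
# Admin/UI port: reachable only from inside the cluster.
# "traefik-admin" is a hypothetical name used for this example.
kind: Service
apiVersion: v1
metadata:
  name: traefik-admin
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  type: ClusterIP
  ports:
    - protocol: TCP
      port: 8080
      name: admin
```

With this split, an operator reaches the UI through `kubectl -n kube-system port-forward svc/traefik-admin 8080:8080` rather than through the public address.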

Create test applications

Create the following two applications for testing.

hello-world.yaml:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: hello-world
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: hello-world
    spec:
      containers:
      - name: hello-world
        image: hub.kce.ksyun.com/kingsoft/hello-world:latest
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: hello-world
  name: hello-world-svc
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: hello-world
  type: ClusterIP

hello-k8s.yaml:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: hello-k8s
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: hello-k8s
    spec:
      containers:
      - name: hello-k8s
        image: hub.kce.ksyun.com/kingsoft/hello-k8s:latest
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: hello-k8s
  name: hello-k8s-svc
spec:
  ports:
  - port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    app: hello-k8s
  type: ClusterIP

Create the corresponding Deployments and Services:

[[email protected] hello]# kubectl create -f hello-k8s.yaml 
deployment.extensions/hello-k8s created
service/hello-k8s-svc created

[[email protected] hello]# kubectl create -f hello-world.yaml 
deployment.extensions/hello-world created
service/hello-world-svc created

[[email protected] hello]# kubectl get deploy
NAME          DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
hello-k8s     1         1         1            1           5m2s
hello-world   1         1         1            1           4m50s

[[email protected] hello]# kubectl get svc
NAME              TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
hello-k8s-svc     ClusterIP   10.254.131.29   <none>        8080/TCP   5m31s
hello-world-svc   ClusterIP   10.254.244.96   <none>        80/TCP     5m19s
kubernetes        ClusterIP   10.254.0.1      <none>        443/TCP    52d

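Ingress configuration strategies

To support flexible distribution, Ingress rules can be configured in several ways. The following briefly introduces a few common Ingress forwarding strategies.

Forwarding different URL paths under the same domain to different services

This configuration is commonly used when one website provides different services under different paths.

Use the following configuration:

ingress.yaml: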

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-k8s-traefik
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.frontend.rule.type: PathPrefixStrip
spec:
  rules:
  - host: my.k8s.traefik
    http:
      paths:
      - path: /hello-world
        backend:
          serviceName: hello-world-svc
          servicePort: 80
      - path: /hello-k8s
        backend:
          serviceName: hello-k8s-svc
          servicePort: 8080

Create the Ingress rules:

[[email protected] hello]# kubectl create -f ingress.yaml 
ingress.extensions/my-k8s-traefik created

[[email protected] hello]# kubectl get ingress
NAME             HOSTS            ADDRESS   PORTS   AGE
my-k8s-traefik   my.k8s.traefik             80      73s

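Notes:

  • Here the custom domain my.k8s.traefik is resolved to the load balancer's IP; for details, see the Cloud DNS help documentation.
  • Because forwarding here is based on the path, the rule type must be set to PathPrefixStrip with the annotation traefik.frontend.rule.type: PathPrefixStrip.

Verification in a browser:

[Image: Ingress support]

[Image: Ingress support]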

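Forwarding different domains to different services

This configuration is commonly used when one website provides different services under different domain names or virtual host names.

Use the following configuration:

ingress2.yaml: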

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-k8s-traefik-1
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik.hello.k8s
    http:
      paths:
      - path: /  
        backend:
          serviceName: hello-k8s-svc
          servicePort: 8080
  - host: traefik.hello.world
    http:
      paths:
      - path: /  
        backend:
          serviceName: hello-world-svc
          servicePort: 80

[[email protected] hello]# kubectl create -f ingress2.yaml 
ingress.extensions/my-k8s-traefik-1 created

[[email protected] hello]# kubectl get ingress
NAME               HOSTS                                   ADDRESS   PORTS   AGE
my-k8s-traefik-1   traefik.hello.k8s,traefik.hello.world             80      21s

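Verification in a browser:

[Image: Ingress support]

[Image: Ingress support]

The Ingress rules configured above can be viewed in the Traefik UI, as shown:

[Image: Ingress support]

For more Traefik features, see Kubernetes Ingress Controller.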
