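Last updated: 2022-05-12 19:56:16
Ingress is the set of rules in a Kubernetes cluster that authorizes inbound connections to reach cluster Services. By configuring forwarding rules, you can route different URLs to different Services in the cluster, which gives you HTTP-layer traffic routing.
For Ingress to work, an Ingress Controller must be deployed in the cluster to provide a single entry point for all backend Services. Here we use Traefik as the cluster's Ingress Controller. The YAML for deploying Traefik is as follows: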
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      # Read access to secrets is cluster-wide here (ClusterRole);
      # Traefik uses it to load TLS certificates referenced by Ingress objects.
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
      name: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      nodeSelector:
        kubernetes.io/role: "node"
      tolerations:
        - operator: Exists
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
        - image: hub.kce.ksyun.com/ksyun/traefik:v1.6.5-mp
          name: traefik-ingress-lb
          securityContext:
            capabilities:
              # Drop every capability except binding to ports below 1024.
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          args:
            # --api enables the Traefik API and web UI (port 8080).
            - --api
            - --kubernetes
            - --logLevel=INFO
            - --entryPoints=Name:https Address::443 TLS
            - --entryPoints=Name:http Address::80
            - --defaultentrypoints=https,http
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  type: LoadBalancer
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 443
      name: tls
    # Traefik UI port, published through the load balancer together with 80 and 443.
    - protocol: TCP
      port: 8080
      name: admin
To make the Traefik service reachable from outside the cluster, we set the type of the Service for traefik-ingress-controller to LoadBalancer.
Check the Traefik deployment status:
[root@vm10-0-33-13 ~]# kubectl get ds -n kube-system | grep traefik
traefik-ingress-controller 2 2 2 2 2 kubernetes.io/role=node 3m16s
Check the corresponding Service:
[root@vm10-0-33-13 ~]# kubectl get svc -n kube-system | grep traefik
traefik-ingress-service LoadBalancer 10.254.67.8 120.92.123.155 80:32676/TCP,443:31720/TCP,8080:31840/TCP 105m
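Here, the traefik-ingress-controller service is exposed to the public network through a Kingsoft Cloud load balancer. The output shows that three ports are open: 80, 8080 and 443. Ports 80 and 443 are the service ports, and 8080 is the UI port; users can reach the Traefik UI at the load balancer's IP:8080.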
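Because the UI port is published on the same public load balancer as ports 80 and 443, the following added check (not part of the original page or of Kingsoft Cloud's tooling) scans output shaped like `kubectl get svc -A -o json` for externally reachable Services that publish it. The sample JSON is constructed from the manifests on this page; the function and constant names are illustrative.

```python
import json

# Constructed sample shaped like `kubectl get svc -A -o json` output,
# trimmed to the fields the check reads; values mirror this page's manifests.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "kube-system", "name": "traefik-ingress-service"},
  "spec": {"type": "LoadBalancer", "ports": [
    {"name": "web", "port": 80, "protocol": "TCP"},
    {"name": "tls", "port": 443, "protocol": "TCP"},
    {"name": "admin", "port": 8080, "protocol": "TCP"}]}},
 {"metadata": {"namespace": "default", "name": "hello-k8s-svc"},
  "spec": {"type": "ClusterIP", "ports": [
    {"port": 8080, "protocol": "TCP", "targetPort": 8080}]}}
]}
""")

# Assumption: the Traefik UI/API listens on 8080, as the page states.
ADMIN_PORTS = {8080}
EXTERNAL_TYPES = {"LoadBalancer", "NodePort"}


def externally_exposed_admin_ports(service_list, admin_ports=ADMIN_PORTS):
    """Return (namespace, name, port, allowlist) for each admin port
    published by a Service that is reachable from outside the cluster."""
    findings = []
    for svc in service_list.get("items", []):
        spec = svc.get("spec", {})
        if spec.get("type") not in EXTERNAL_TYPES:
            continue  # ClusterIP Services are only reachable in-cluster
        # An empty loadBalancerSourceRanges means no source-IP restriction
        # is requested; enforcement depends on the cloud load balancer.
        allow = tuple(spec.get("loadBalancerSourceRanges") or [])
        meta = svc["metadata"]
        for p in spec.get("ports", []):
            if p.get("port") in admin_ports:
                findings.append((meta["namespace"], meta["name"], p["port"], allow))
    return findings


if __name__ == "__main__":
    for ns, name, port, allow in externally_exposed_admin_ports(SAMPLE):
        scope = ", ".join(allow) if allow else "any source address"
        print(f"{ns}/{name}: admin port {port} published to {scope}")
```

The ClusterIP Service hello-k8s-svc also uses port 8080 but is not reported, because the finding depends on the Service type as well as the port number.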
Next, create two applications for testing.
hello-world.yaml is as follows:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: hello-world
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: hello-world
    spec:
      containers:
        - name: hello-world
          image: hub.kce.ksyun.com/kingsoft/hello-world:latest
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: hello-world
  name: hello-world-svc
spec:
  ports:
    - port: 80
      protocol: TCP
      targetPort: 80
  selector:
    app: hello-world
  type: ClusterIP
hello-k8s.yaml is as follows:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: hello-k8s
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: hello-k8s
    spec:
      containers:
        - name: hello-k8s
          image: hub.kce.ksyun.com/kingsoft/hello-k8s:latest
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: hello-k8s
  name: hello-k8s-svc
spec:
  ports:
    - port: 8080
      protocol: TCP
      targetPort: 8080
  selector:
    app: hello-k8s
  type: ClusterIP
Create the corresponding Deployments and Services:
[root@vm10-0-33-13 hello]# kubectl create -f hello-k8s.yaml
deployment.extensions/hello-k8s created
service/hello-k8s-svc created
[root@vm10-0-33-13 hello]# kubectl create -f hello-world.yaml
deployment.extensions/hello-world created
service/hello-world-svc created
[root@vm10-0-33-13 hello]# kubectl get deploy
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
hello-k8s 1 1 1 1 5m2s
hello-world 1 1 1 1 4m50s
[root@vm10-0-33-13 hello]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
hello-k8s-svc ClusterIP 10.254.131.29 <none> 8080/TCP 5m31s
hello-world-svc ClusterIP 10.254.244.96 <none> 80/TCP 5m19s
kubernetes ClusterIP 10.254.0.1 <none> 443/TCP 52d
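To support flexible distribution policies, Ingress rules can be configured in several ways. The following briefly introduces some common Ingress forwarding strategies.
This configuration is commonly used when one website serves different services under different paths.
With the configuration below, requests to http://my.k8s.traefik/hello-k8s are routed to the backend Service named "hello-k8s-svc", and requests to http://my.k8s.traefik/hello-world are routed to the backend Service named "hello-world-svc".
ingress.yaml is as follows: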
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-k8s-traefik
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.frontend.rule.type: PathPrefixStrip
spec:
  rules:
    - host: my.k8s.traefik
      http:
        paths:
          - path: /hello-world
            backend:
              serviceName: hello-world-svc
              servicePort: 80
          - path: /hello-k8s
            backend:
              serviceName: hello-k8s-svc
              servicePort: 8080
Create the Ingress rule:
[root@vm10-0-33-13 hello]# kubectl create -f ingress.yaml
ingress.extensions/my-k8s-traefik created
[root@vm10-0-33-13 hello]# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
my-k8s-traefik my.k8s.traefik 80 73s
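Notes:
- Here we resolve our own domain name my.k8s.traefik to the load balancer's IP.
- Because requests are forwarded by path here, the rule type must be set to PathPrefixStrip, configured as traefik.frontend.rule.type: PathPrefixStrip.
Verify access in a browser as follows:
This configuration is commonly used when one website serves different services under different domain names or virtual host names.
With the configuration below, requests to http://traefik.hello.k8s are routed to the backend Service named "hello-k8s-svc", and requests to http://traefik.hello.world are routed to the backend Service named "hello-world-svc".
ingress2.yaml is as follows: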
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-k8s-traefik-1
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
    - host: traefik.hello.k8s
      http:
        paths:
          - path: /
            backend:
              serviceName: hello-k8s-svc
              servicePort: 8080
    - host: traefik.hello.world
      http:
        paths:
          - path: /
            backend:
              serviceName: hello-world-svc
              servicePort: 80
[root@vm10-0-33-13 hello]# kubectl create -f ingress2.yaml
ingress.extensions/my-k8s-traefik-1 created
[root@vm10-0-33-13 hello]# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
my-k8s-traefik-1 traefik.hello.k8s,traefik.hello.world 80 21s
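How the two Ingress objects above resolve a request, as an added Python model (not from the original page and not Traefik's code): it matches the Host header first, then the path prefix, and returns the path the backend receives after PathPrefixStrip. The `route` function and `RULES` table are illustrative names, and the matching is a simplification of Traefik's behaviour.

```python
# Rules transcribed from ingress.yaml and ingress2.yaml on this page:
# (host, path prefix, strip prefix?, backend service, backend port)
RULES = [
    ("my.k8s.traefik", "/hello-world", True, "hello-world-svc", 80),
    ("my.k8s.traefik", "/hello-k8s", True, "hello-k8s-svc", 8080),
    ("traefik.hello.k8s", "/", False, "hello-k8s-svc", 8080),
    ("traefik.hello.world", "/", False, "hello-world-svc", 80),
]


def route(host_header, request_target, rules=RULES):
    """Return (service, port, path sent upstream), or None if nothing matches.

    Simplified model (assumption): exact, case-insensitive host match, then
    the longest matching path prefix wins.
    """
    host = host_header.split(":")[0].lower()      # ignore an explicit port
    path = request_target.split("?", 1)[0] or "/"  # drop the query string
    candidates = [r for r in rules if r[0] == host and path.startswith(r[1])]
    if not candidates:
        return None  # unknown Host header or unmatched path: not routed
    _, prefix, strip, service, port = max(candidates, key=lambda r: len(r[1]))
    if strip:
        # PathPrefixStrip: the backend never sees the routing prefix.
        path = path[len(prefix):] or "/"
        if not path.startswith("/"):
            path = "/" + path
    return (service, port, path)


if __name__ == "__main__":
    # Constructed sample requests: (Host header, request target)
    samples = [
        ("my.k8s.traefik", "/hello-k8s/api?x=1"),
        ("my.k8s.traefik", "/hello-world"),
        ("traefik.hello.world", "/hello-k8s"),
        ("120.92.123.155", "/hello-k8s"),  # load balancer IP used as Host
    ]
    for host, target in samples:
        print(f"Host={host} {target} -> {route(host, target)}")
```

A request that reaches the load balancer with a Host header outside the configured rules, such as the bare IP, matches no Ingress rule in this model.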
Verify access in a browser as follows:
We can view the Ingress rules configured above in the Traefik UI, as shown in the figure:
For more Traefik features, see Kubernetes Ingress Controller.