Kubernetes中的Ingress(五)
2021-01-02 08:28
标签:k8s 均衡 sele replicas rsa creat style docke Kubernete Ingress 是对集群中服务的外部访问进行管理的 API 对象,典型的访问方式是 HTTP。Ingress 可以提供负载均衡、SSL 终结和基于名称的虚拟托管。可理解为Ingress 是在 k8s 集群中的 Service 上做了一个 nginx 代理,将所有匹配到的请求转发到对应的 Service 中。 参考:https://github.com/kubernetes/ingress-nginx/blob/nginx-0.30.0/docs/deploy/index.md 注意:如果出现权限问题。参考文章 采用访问某一域名是进行账号密码认证 Kubernetes中的Ingress(五) 标签:k8s 均衡 sele replicas rsa creat style docke Kubernete 原文地址:https://www.cnblogs.com/bbgs-xc/p/13659219.html一、Ingress介绍和安装
1,介绍
2,安装Ingress-nginx
# 下载 mandatory.yaml 。--no-check-certificate:避免“无法建立 SSL 连接”错误
wget --no-check-certificate https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/mandatory.yaml
# 查看需要的镜像
cat mandatory.yaml | grep image
# 在每个集群节点中拉取 docker 镜像 自行解决
# 创建 Pod
kubectl apply -f mandatory.yaml
# 查看 Pod。注意 命令空间是:ingress-nginx
kubectl get pod -n ingress-nginx
# 下载 service-nodeport.yaml
wget --no-check-certificate https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/provider/baremetal/service-nodeport.yaml
# 创建 svc
kubectl apply -f service-nodeport.yaml
kubectl get svc -n ingress-nginx
二、示例
1,HTTP代理访问
a)创建ingress-http.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: nginx-deployment
spec:
replicas: 3
template:
metadata:
labels:
app: nginx-app
spec:
containers:
- name: nginx-container
image: hub.xcc.com/my-xcc/my-nginx:v1
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: nginx-svc
spec:
selector:
app: nginx-app
ports:
- port: 80
targetPort: 80
protocol: TCP
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: nginx-ing
spec:
rules:
- host: foo.xcc.com
http:
paths:
- path: /
backend:
serviceName: nginx-svc
servicePort: 80
b)执行命令
kubectl apply -f ingress-http.yaml
kubectl get deployment
kubectl get svc
kubectl get pod
kubectl get ing
c)访问
#查看ingress-nginx暴露的端口 通过该域名foo.xcc.com:端口
[root@master01 ingress]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.116.16.25
2,HTTPS代理访问
a)创建证书
# 生成证书文件
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc /O=nginxsvc"
#查看文件
ls
#创建secret
kubectl create secret tls tls-secret --key tls.key --cert tls.crt
#查看secret
kubectl get secret
b)创建
nginx-https-ing.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: nginx-https-ing
spec:
tls:
- hosts:
- foo.bar.com
secretName: tls-secret
rules:
- host: foo.xcc.com
http:
paths:
- path: /
backend:
serviceName: nginx-svc
servicePort: 80
c)执行命令创建
kubectl apply -f nginx-https-ing.yaml
d)访问
#可通过域名https:// foo.xcc.com:端口。查看端口
[root@master01 ingress]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.116.16.25
3,BasicAuth认证
a)创建证书
# 安装 httpd
yum -y install httpd
# 创建认证账户foo 并设置密码
htpasswd -c auth foo
# 创建secret
kubectl create secret generic basic-auth --from-file=auth
# 查看证书
kubectl get secret
b)创建
auth-ing.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: auth-ing
annotations:
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-realm: ‘Authenticasion Required - foo‘
spec:
rules:
- host: auth.xcc.com
http:
paths:
- path: /
backend:
serviceName: nginx-svc
servicePort: 80
c)执行命令
kubectl apply -f auth-ing.yaml
#查看ingress
kubectl get ing
d)访问
访问auth.xcc.com:端口,此时需要输入用户名和密码(前面設置的)
#查看端口
[root@master01 ingress]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.116.16.25
三、查看Ingress-Nginx的代理配置
# 查看 ingress-controller pod
[root@k8s-master01 ingress]# kubectl get pod -n ingress-nginx
NAME READY STATUS RESTARTS AGE
nginx-ingress-controller-ab5didia2-eds1d 1/1 Running 0 59m
# 进入到 pod 中
[root@k8s-master01 ingress]# kubectl exec nginx-ingress-controller-ab5didia2-eds1d -n ingress-nginx -it /bin/bash
# 在容器内 查看里面的 /etc/nginx/nginx.conf 文件
cat /etc/nginx/nginx.conf