Ingress

Service对集群外暴露端口两种方式，这两种方式都有一定的缺点：

• NodePort ：会占用集群集群端口，当集群服务变多时，缺点明显
• LoadBalancer：每个Service都需要一个LB，并且需要k8s之外设备支持

基于现状，k8s提供了Ingress资源对象,Ingresss只需要一个NodePort或一个LB就能满足多个Service的需求。

可以在Ingress建立规则，Ingress Controller通过监听这些配置规则并转化成Nignx反向代理配置，对外提供服务。

核心概念：

• ingress：k8s对象，作用定义请求如何转发service规则
• ingress controller：具体实现反向代理及负载均衡的程序,对ingress汇总进行解析，根据规则实现请求转发

工作原理：

• 编写Ingress规则，说明域名对应k8s集群中那个Service
• Ingress控制器动态感知Ingress服务规则变化，然后生成一段对应Nginx反向代理配置
• Ingress控制器将生成Nginx配置写入运行的Nginx服务中，并动态更新

环境准备

搭建Ingress环境

#创建文件夹
[root@master ~]# mkdir ingress-controller
[root@master ~]# cd ingress-controller/
#获取资源 （需要科学上网）也可以github直接下载再上传上去
[root@master ingress-controller]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/mandatory.yaml
[root@master ingress-controller]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/provider/baremetal/service-nodeport.yaml

[root@master ingress-controller]# ls
mandatory.yaml  service-nodeport.yaml
# 修改mandatory.yaml文件中的仓库
# 修改quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0
# 为quay-mirror.qiniu.com/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0

#创建ingress-nginx
[root@master ingress-controller]# kubectl apply -f ./
namespace/ingress-nginx created
configmap/nginx-configuration created
configmap/tcp-services created
configmap/udp-services created
serviceaccount/nginx-ingress-serviceaccount created
clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole created
role.rbac.authorization.k8s.io/nginx-ingress-role created
rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding created
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding created
deployment.apps/nginx-ingress-controller created
limitrange/ingress-nginx created
service/ingress-nginx created

#查看Pod
[root@master ingress-controller]# kubectl get pod -n ingress-nginx
NAME                                        READY   STATUS    RESTARTS   AGE
nginx-ingress-controller-7f74f657bd-rjpgn   1/1     Running   0          81s
#查看Service
[root@master ingress-controller]# kubectl get svc -n ingress-nginx
NAME            TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx   NodePort   10.109.45.51   <none>        80:30291/TCP,443:30946/TCP   2m15s

准备Service和Pod

创建tomcat-nginx.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: dev
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx-pod
  template:
    metadata:
      labels:
        app: nginx-pod
    spec:
      containers:
      - name: nginx
        image: nginx:1.17.1
        ports:
        - containerPort: 80

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deployment
  namespace: dev
spec:
  replicas: 3
  selector:
    matchLabels:
      app: tomcat-pod
  template:
    metadata:
      labels:
        app: tomcat-pod
    spec:
      containers:
      - name: tomcat
        image: tomcat:8.5-jre10-slim
        ports:
        - containerPort: 8080

---

apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  namespace: dev
spec:
  selector:
    app: nginx-pod
  clusterIP: None
  type: ClusterIP
  ports:
  - port: 80
    targetPort: 80

---

apiVersion: v1
kind: Service
metadata:
  name: tomcat-service
  namespace: dev
spec:
  selector:
    app: tomcat-pod
  clusterIP: None
  type: ClusterIP
  ports:
  - port: 8080
    targetPort: 8080

#创建名称空间
[root@master tmp]# kubectl create ns dev
namespace/dev created
[root@master tmp]# vim tomcat-nginx.yaml
#创建svc和pod
[root@master tmp]#  kubectl create -f tomcat-nginx.yaml
deployment.apps/nginx-deployment created
deployment.apps/tomcat-deployment created
service/nginx-service created
service/tomcat-service created
[root@master tmp]# kubectl get svc -n dev
NAME             TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)    AGE
nginx-service    ClusterIP   None         <none>        80/TCP     8s
tomcat-service   ClusterIP   None         <none>        8080/TCP   8s

HTTP代理

创建ingress-http.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-http
  namespace: dev
spec:
  rules:
  - host: nginx.rkun18.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-service
          servicePort: 80 
  - host: tomcat.rkun18.com
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat-service
          servicePort: 8080

配置两个对应的规则

[root@master tmp]# vim ingress-http.yaml
[root@master tmp]# kubectl create -f ingress-http.yaml
ingress.extensions/ingress-http created
[root@master tmp]# kubectl get ing -n dev
NAME           HOSTS                                ADDRESS   PORTS   AGE
ingress-http   nginx.rkun18.com,tomcat.rkun18.com             80      9s

[root@master tmp]# kubectl describe ing ingress-http  -n dev
Name:             ingress-http
Namespace:        dev
Address:          10.109.45.51
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host               Path  Backends
  ----               ----  --------
  nginx.rkun18.com
                     /   nginx-service:80 (10.244.1.10:80,10.244.1.9:80,10.244.2.6:80)
  tomcat.rkun18.com
                     /   tomcat-service:8080 (10.244.1.11:8080,10.244.2.7:8080,10.244.2.8:8080)
Annotations:
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  59s   nginx-ingress-controller  Ingress dev/ingress-http
  Normal  UPDATE  0s    nginx-ingress-controller  Ingress dev/ingress-http

由于无法解析地址，仅作测试使用，我们需要更改主机hosts文件：

将你的master主机IP和你设置的域名进行绑定

你的master节点IP nginx.rkun18.com
你的master节点IP tomcat.rkun18.com

#查看ingress对外暴露的端口
[root@master tmp]# kubectl get svc -n ingress-nginx
NAME            TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx   NodePort   10.109.45.51   <none>        80:30291/TCP,443:30946/TCP   28m

HTTPS代理

创建证书

[root@master ~]# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/C=CN/ST=BJ/L=BJ/O=nginx/CN=rkun18.com"
Generating a 2048 bit RSA private key
.............+++
.............................................................................+++
writing new private key to 'tls.key'
-----
#创建密钥
[root@master ~]# kubectl create secret tls tls-secret --key tls.key --cert tls.crt
secret/tls-secret created
[root@master ~]#

创建ingress-https.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-https
  namespace: dev
spec:
  tls:
    - hosts:
      - nginx.rkun18.com
      - tomcat.rkun18.com
      secretName: tls-secret # 指定秘钥
  rules:
  - host: nginx.rkun18.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-service
          servicePort: 80
  - host: tomcat.rkun18.com
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat-service
          servicePort: 8080

[root@master tmp]# kubectl create -f ingress-https.yaml
ingress.extensions/ingress-https created
[root@master tmp]# kubectl get ing ingress-https -n dev
NAME            HOSTS                                ADDRESS        PORTS     AGE
ingress-https   nginx.rkun18.com,tomcat.rkun18.com   10.109.45.51   80, 443   23s

访问第二个端口30946

[root@master tmp]# kubectl get svc -n ingress-nginx
NAME            TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx   NodePort   10.109.45.51   <none>        80:30291/TCP,443:30946/TCP   110m