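Description
Ingress is an API object that manages external access (from outside the cluster) to services inside the cluster, exposing HTTP and HTTPS routes from outside the cluster to services within it.
How it works
About Ingress networking | Understanding kubernetes networking: ingress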
Studying the Kubernetes Ingress system
Ingress Controller
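Do not confuse Ingress with the Ingress Controller: the Ingress Controller is responsible for implementing what Ingress resources define. The Ingress Controller is comparable to the Nginx service we usually run as a reverse proxy, while an Ingress is comparable to the Nginx configuration.
These notes cover content related to Ingress resources (but not the deployment of the Ingress Controller component), as well as the handling of common problems.
An Ingress can be implemented by different controllers, which usually have different configurations. Each Ingress should specify a class, that is, a reference to an IngressClass resource, which contains additional configuration including the name of the controller that should implement the class.
Usage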
pathType
Each path in an Ingress is required to have a corresponding path type. Paths that do not include an explicit pathType will fail validation.
There are three supported path types:
apiVersion
Deprecated API Migration Guide | Kubernetes
We have come across several different versions of the apiVersion field:
1) apiVersion: extensions/v1beta1
2) apiVersion: networking.k8s.io/v1beta1
3) apiVersion: networking.k8s.io/v1
For a normal apiVersion upgrade, adjust the resource declarations according to the cluster version:
1) extensions/v1beta1 and networking.k8s.io/v1beta1 are no longer available from v1.22;
2) networking.k8s.io/v1 is available from v1.19 and introduces many new fields;
Creating an Ingress resource
Using a command:
Using a YAML file:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minimal-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx-example # specify the IngressClass
  rules:
  - http:
      paths:
      - path: /testpath
        pathType: Prefix
        backend:
          service:
            name: test
            port:
              number: 80
Creating an HTTPS Ingress resource | enable HTTPS
Define the TLS resource (Secret):
kubectl create secret tls mytlssecret \
    --cert=/path/to/cert/file \
    --key=/path/to/key/file

# Notes:
# --cert must be .PEM encoded (Base64-encoded DER format)
# --key must be in what is commonly called PEM private key format, unencrypted.
# The first and last lines of both files are ignored.

# To generate a Secret resource file instead, use:
kubectl create secret tls mytlssecret \
    --cert=/path/to/cert/file --key=/path/to/key/file \
    --dry-run=client -o yaml > mytlssecret.yaml
Define and apply the Ingress resource:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-example-ingress
spec:
  tls:
  - hosts:
    - https-example.foo.com
    secretName: mytlssecret
  rules:
  - host: https-example.foo.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: service1
            port:
              number: 80
If multiple Ingress Controllers are deployed in the cluster, the ingress.class annotation must be added to the Ingress to specify which type of Ingress Controller to use.
An example Ingress that makes use of the controller:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example
  namespace: foo
spec:
  ingressClassName: nginx
  rules:
  - host: www.example.com
    http:
      paths:
      - pathType: Prefix
        backend:
          service:
            name: exampleService
            port:
              number: 80
        path: /
  # This section is only required if TLS is to be enabled for the Ingress
  tls:
  - hosts:
    - www.example.com
    secretName: example-tls
If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:
apiVersion: v1
kind: Secret
metadata:
  name: example-tls
  namespace: foo
data:
  tls.crt: <base64 encoded cert>
  tls.key: <base64 encoded key>
type: kubernetes.io/tls
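The points these notes make about Ingress manifests (apiVersions removed in v1.22, the mandatory pathType, selecting an IngressClass, and a spec.tls entry for each served host) can be checked before a manifest is applied. The following is an added example, not code from the original notes or from Kubernetes; `lint_ingress`, `tls_covers` and the sample manifest are hypothetical names and constructed data, and manifests are assumed to be already parsed into dicts.

```python
# Added example (not from the original notes): lint parsed Ingress manifests.
REMOVED_API_VERSIONS = {"extensions/v1beta1", "networking.k8s.io/v1beta1"}  # gone from v1.22
PATH_TYPES = {"Exact", "Prefix", "ImplementationSpecific"}


def tls_covers(host, tls_hosts):
    """Exact match, or a single-label wildcard such as *.foo.com for a.foo.com."""
    return host in tls_hosts or "*." + host.partition(".")[2] in tls_hosts


def lint_ingress(manifest):
    """Return a list of findings for one Ingress manifest given as a dict."""
    findings = []
    api = manifest.get("apiVersion", "")
    if api in REMOVED_API_VERSIONS:
        findings.append(f"apiVersion {api} is unavailable from v1.22")
    meta = manifest.get("metadata") or {}
    spec = manifest.get("spec") or {}
    if not spec.get("ingressClassName") and \
            "kubernetes.io/ingress.class" not in (meta.get("annotations") or {}):
        findings.append("no IngressClass selected")
    # Hosts that have a certificate Secret configured under spec.tls
    tls_hosts = {h for t in spec.get("tls") or [] if t.get("secretName")
                 for h in t.get("hosts") or []}
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if host is None:
            findings.append("rule without host applies to all hostnames")
        elif not tls_covers(host, tls_hosts):
            findings.append(f"host {host} is not covered by spec.tls")
        for p in (rule.get("http") or {}).get("paths") or []:
            if p.get("pathType") not in PATH_TYPES:
                findings.append(f"path {p.get('path')} lacks a valid pathType")
    return findings


# Constructed sample: the tls-example-ingress above, degraded on purpose.
BAD = {
    "apiVersion": "networking.k8s.io/v1beta1", "kind": "Ingress",
    "metadata": {"name": "tls-example-ingress"},
    "spec": {"tls": [{"hosts": ["https-example.foo.com"], "secretName": "mytlssecret"}],
             "rules": [{"host": "other.foo.com",
                        "http": {"paths": [{"path": "/", "backend": {}}]}}]},
}

if __name__ == "__main__":
    for finding in lint_ingress(BAD):
        print("FINDING:", finding)
```

Host matching here is by name only; it does not inspect the certificate stored in the referenced Secret.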
Creating the TLS certificate
kubectl create secret tls NAME --cert=path/to/cert/file --key=path/to/key/file [--dry-run=server|client|none]
kubectl create secret tls tls-secret --cert=path/to/tls.crt --key=path/to/tls.key

# Update the certificate
kubectl create secret tls example-tls --cert=./example.com.pem --key=example.com.key --save-config \
    --dry-run=client -o yaml | kubectl apply -f -