When the layer-4 load-balancing scheduler, the Service, is used, a client's packet to an application inside the Kubernetes cluster takes this path: client ---> NodeIP:port ---> Service IP:port ---> Pod IP:port
An Ingress Controller is a layer-7 load-balancing scheduler: the client's request first reaches this layer-7 load balancer, which reverse-proxies it to the backend Pods. Common layer-7 load balancers include nginx and traefik. Take nginx as an example: when a request reaches nginx, it is reverse-proxied to the backend Pods through an upstream, but the backend Pod IP addresses keep changing, so a Service is placed in front of the backend Pods. This Service only serves to group the Pods, and the upstream then only needs to reference the Service address.
nginx: the configuration file has to be reloaded manually
traefik: reloads its configuration automatically at intervals with no manual intervention; in microservice setups this scheduler is used almost everywhere
Official docs: https://kubernetes.io/docs/concepts/services-networking/ingress/
Definition from the official Ingress docs: an Ingress forwards requests entering the cluster to services inside it, and thereby exposes those services outside the cluster. An Ingress can configure an in-cluster Service as an externally reachable URL, load-balance traffic, provide name-based virtual hosting, and so on. Ingress is a Kubernetes resource: when the IP addresses of the Pods behind a Service change, those changes are recorded in the Ingress and injected by it into the layer-7 load-balancing scheduler, the Ingress Controller, that is, written into the scheduler's configuration file, which is then reloaded so the configuration takes effect. An Ingress can specify which Service an HTTP/S request should be forwarded to, for example sending requests to different Services based on the Host and URL path of the request.
The Ingress Controller can be understood as a controller: it continuously talks to the Kubernetes API to learn in real time about changes to backend Services and Pods, such as additions and deletions, combines them with the rules defined in the Ingress to generate configuration, then dynamically updates the Nginx or Traefik load balancer described above and reloads it so the configuration takes effect, which achieves automatic service discovery.
The Ingress itself defines the rules: through it, requests for a given domain are forwarded to the specified Service in the cluster. It can be defined in a YAML file, and one or more Ingress rules can be defined for one or more Services.
If nginx is used as the layer-7 load-balancing scheduler, every change to its configuration file requires a reload before it takes effect, which is inconvenient. With traefik or Envoy the configuration file can be reloaded at a fixed interval without manual intervention, which is especially convenient in a microservice architecture.
(1) Deploy the ingress controller; here we use traefik as the ingress controller
(2) Create a Service to group the Pods
(3) Create the Pod application, for example through a controller
(4) Create an HTTP Ingress and test access over http
(5) Create an HTTPS Ingress and test access over https
When the layer-7 load-balancing scheduler, the ingress controller, is used, a client's packet to an application inside the Kubernetes cluster takes this path:
client ---> NodeIP:port ---> IngressController ---> service ---> pod
(1) Generate the private key
openssl genrsa -out tls.key 2048
(2) Generate the certificate
openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/O=DevOps/CN=tomcat.lucky.com
(3) Generate the secret
kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key
A Secret object is used to hold sensitive information such as passwords, OAuth tokens and ssh keys. Putting this information in a Secret is safer and more flexible than putting it in a Pod definition or a Docker image.
kubectl get secret shows the following:
(1) Generate the openssl.cnf file, which defines the parameters needed when issuing the certificate
mkdir /root/test
cat > /root/test/openssl.cnf <<'EOF'
[req]
distinguished_name = req_distinguished_name
# prompt = no makes openssl take the field values below straight from this file;
# with prompt = yes it would ask interactively and ignore keys ending in _value
prompt = no
[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = Beijing
localityName = Haidian
organizationName = Channelsoft
organizationalUnitName = R & D Department
# the controller's default certificate is a wildcard for *.multi.io
commonName = *.multi.io
emailAddress = xianchao@qq.com
EOF
(2) Generate a certificate
openssl req -newkey rsa:4096 -nodes -config /root/test/openssl.cnf -days 3650 -x509 -out /root/test/tls.crt -keyout /root/test/tls.key
(3) Create a secret object
kubectl create -n kube-system secret tls ssl --cert /root/test/tls.crt --key /root/test/tls.key
(4) Deploy traefik
cat traefik.yaml
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-conf
  namespace: kube-system
data:
  traefik.toml: |
    insecureSkipVerify = true
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
          [[entryPoints.https.tls.certificates]]
          CertFile = "/ssl/tls.crt"
          KeyFile = "/ssl/tls.key"
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
      name: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      terminationGracePeriodSeconds: 60
      hostNetwork: true
      volumes:
        - name: ssl
          secret:
            secretName: ssl
        - name: config
          configMap:
            name: traefik-conf
      containers:
        - image: k8s.gcr.io/traefik:1.7.9
          name: traefik-ingress-lb
          ports:
            - name: http
              containerPort: 80
              hostPort: 80
            - name: admin
              containerPort: 8080
          securityContext:
            privileged: true
          args:
            - --configfile=/config/traefik.toml
            - -d
            - --web
            - --kubernetes
          volumeMounts:
            - mountPath: "/ssl"
              name: "ssl"
            - mountPath: "/config"
              name: "config"
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
    - protocol: TCP
      port: 443
      name: https
  type: NodePort
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
    - host: ingress.multi.io
      http:
        paths:
          - backend:
              serviceName: traefik-web-ui
              servicePort: 80
docker load -i traefik_1_7_9.tar.gz
Link: https://pan.baidu.com/s/1fTRc0J0iL7DeAH_LNUkTQQ
Extraction code: xg1z
(5) Verify that traefik was deployed successfully
kubectl get pods -n kube-system shows the following, which means the deployment succeeded
traefik-ingress-controller-g45th 1/1 Running 0 9m2s
traefik-ingress-controller-lj9md 1/1 Running 0 9m2s
cat tomcat-deploy.yaml
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: default
spec:
  selector:
    app: tomcat
    release: canary
  ports:
    - name: http
      targetPort: 8080
      port: 80
    - name: ajp
      targetPort: 8009
      port: 8009
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: tomcat
      release: canary
  template:
    metadata:
      labels:
        app: tomcat
        release: canary
    spec:
      containers:
        - name: myapp
          image: tomcat:8.5-jre8-alpine
          ports:
            - name: http
              containerPort: 8080
            - name: ajp
              containerPort: 8009
kubectl apply -f tomcat-deploy.yaml
kubectl get pods shows the following, which means the deployment succeeded
tomcat-deploy-59664bcb6f-5z4nn 1/1 Running 0 20s
tomcat-deploy-59664bcb6f-cgjbn 1/1 Running 0 20s
tomcat-deploy-59664bcb6f-n4tqq 1/1 Running 0 20s
cat ingress-tomcat.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "traefik"
spec:
  rules:
    - host: tomcat.lucky.com
      http:
        paths:
          - path:
            backend:
              serviceName: tomcat
              servicePort: 80
kubectl apply -f ingress-tomcat.yaml
cat ingress-tomcat-tls.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat-tls
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  tls:
    - hosts:
        - tomcat.lucky.com
      secretName: tomcat-ingress-secret
  rules:
    - host: tomcat.lucky.com
      http:
        paths:
          - path:
            backend:
              serviceName: tomcat
              servicePort: 80
kubectl apply -f ingress-tomcat-tls.yaml
kubectl get ingress
shows the following:
NAME                 HOSTS              ADDRESS   PORTS     AGE
ingress-tomcat       tomcat.lucky.com             80        103s
ingress-tomcat-tls   tomcat.lucky.com             80, 443   8s
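To make the forwarding step concrete, here is an added Python model (not code from this page or from Traefik) of what an ingress controller does with the two Ingress objects above: it keeps only Ingresses whose kubernetes.io/ingress.class annotation matches, maps Host plus path to the Service named in the rule, and decides which secret's certificate to present for an SNI name, falling back to the default certificate when the tls entry points at a secret that does not exist in the Ingress's namespace. The sample objects are constructed to mirror ingress-tomcat.yaml and ingress-tomcat-tls.yaml, and the fallback rule is a simplification assumed here, not a description of Traefik 1.7 internals.

```python
from typing import List, Optional, Set, Tuple

INGRESS_CLASS = "traefik"  # kubernetes.io/ingress.class value this controller claims

def build_routes(ingresses: List[dict], secrets: Set[Tuple[str, str]]) -> List[dict]:
    """Ingress objects (dicts shaped like the page's YAML) -> route table; `secrets` holds
    the (namespace, name) pairs of kubernetes.io/tls secrets that actually exist."""
    routes = []
    for ing in ingresses:
        meta, spec = ing["metadata"], ing["spec"]
        if meta.get("annotations", {}).get("kubernetes.io/ingress.class") != INGRESS_CLASS:
            continue  # another controller owns this Ingress
        ns = meta.get("namespace", "default")
        # A tls entry only counts when its secret exists in the Ingress's own namespace.
        tls_for_host = {h: t["secretName"] for t in spec.get("tls", [])
                        if (ns, t.get("secretName")) in secrets for h in t.get("hosts", [])}
        for rule in spec.get("rules", []):
            for p in rule["http"]["paths"]:
                routes.append({"host": rule["host"], "path": p.get("path") or "/",
                               "namespace": ns, "service": p["backend"]["serviceName"],
                               "port": p["backend"]["servicePort"],
                               "tls_secret": tls_for_host.get(rule["host"])})
    return routes

def resolve(routes: List[dict], host: str, path: str = "/") -> Optional[Tuple[str, str, int]]:
    """Layer-7 step of the page's flow: Host header + path -> (namespace, service, port)."""
    hits = [r for r in routes if r["host"] == host and path.startswith(r["path"])]
    if not hits:
        return None  # no rule matched: the controller answers 404 itself
    best = max(hits, key=lambda r: len(r["path"]))  # longest path prefix wins
    return best["namespace"], best["service"], best["port"]

def certificate_for(routes: List[dict], sni_host: str, default_cert: str = "ssl") -> str:
    """TLS handshake step: name of the secret whose certificate is served for the SNI name.
    Hosts with no usable tls entry get the default certificate (the page's kube-system/ssl)."""
    hits = [r["tls_secret"] for r in routes if r["host"] == sni_host and r["tls_secret"]]
    return hits[0] if hits else default_cert

def tomcat_ingress(name: str, tls: Optional[List[dict]] = None) -> dict:
    """Constructed sample mirroring the page's ingress-tomcat*.yaml (not the real files)."""
    spec = {"rules": [{"host": "tomcat.lucky.com", "http": {"paths": [
        {"path": None, "backend": {"serviceName": "tomcat", "servicePort": 80}}]}}]}
    if tls:
        spec["tls"] = tls
    return {"metadata": {"name": name, "namespace": "default", "annotations":
            {"kubernetes.io/ingress.class": INGRESS_CLASS}}, "spec": spec}

PAGE_INGRESSES = [tomcat_ingress("ingress-tomcat"), tomcat_ingress("ingress-tomcat-tls",
                  [{"hosts": ["tomcat.lucky.com"], "secretName": "tomcat-ingress-secret"}])]
PAGE_SECRETS = {("default", "tomcat-ingress-secret"), ("kube-system", "ssl")}
```

Running build_routes over PAGE_INGRESSES with the secret removed from PAGE_SECRETS shows the failure mode to watch for: the https Ingress still routes, but the host is served with the default *.multi.io certificate and the browser reports a name mismatch.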
11. Configure the hosts file on your own computer
192.168.0.16 tomcat.lucky.com
12. Open in a browser:
or http://tomcat.lucky.com
You should see the following page, which shows that https was configured successfully