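Prerequisites
This article uses Ingress Nginx version 0.24.1.
All of the configuration rules covered here are set in annotations (per-Ingress configuration). The Ingress Nginx Deployment must set the --annotations-prefix argument, which by default starts with nginx.ingress.kubernetes.io.
Example Ingress Nginx Deployment: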
containers:
- name: nginx-ingress-controller
  image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.24.1
  args:
  - /nginx-ingress-controller
  - --configmap=$(POD_NAMESPACE)/nginx-configuration
  - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
  - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
  - --publish-service=$(POD_NAMESPACE)/ingress-nginx
  - --annotations-prefix=nginx.ingress.kubernetes.io
  - --ingress-class=nginx # specify the ingress-class attribute
--ingress-class: declares the name of the ingress class. To bind an Ingress to this controller, define kubernetes.io/ingress.class: "nginx" in its annotations.
Enable TLS
Create the secret for the SSL certificate:
$ kubectl create secret tls www-example-com --key tls.key --cert tls.crt -n default
nginx.ingress.kubernetes.io/ssl-redirect defaults to true. When TLS is enabled, HTTP requests are redirected to HTTPS with a 308.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: demo-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx" # bind to the ingress-class
    nginx.ingress.kubernetes.io/ssl-redirect: "false" # disable the SSL redirect
spec:
  rules:
  - host: www.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: demo-svc
          servicePort: 8080
  tls:
  - secretName: www-example-com
    hosts:
    - www.example.com
Configure a whitelist of IP ranges
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: demo-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx" # bind to the ingress-class
    nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/24,172.10.0.1
spec:
  rules:
  - host: www.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: demo-svc
          servicePort: 8080
Configuration to support socket.io
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: demo-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx" # bind to the ingress-class
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "3600"
    nginx.ingress.kubernetes.io/upstream-hash-by: "$http_x_forwarded_for" # hash by client IP
spec:
  rules:
  - host: www.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: demo-svc
          servicePort: 8080
Rewrite configuration
The rewrite rule below means that requests to www.example.com/hello/(.*) are sent to www.example.com/(.*).
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: demo-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx" # bind to the ingress-class
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: "/$1"
spec:
  rules:
  - host: www.example.com
    http:
      paths:
      - path: /hello/(.*)$
        backend:
          serviceName: demo-svc
          servicePort: 8080
Or:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: demo-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx" # bind to the ingress-class
    nginx.ingress.kubernetes.io/configuration-snippet: |
      rewrite ^/hello/(.*)$ /$1 redirect;
spec:
  rules:
  - host: www.example.com
    http:
      paths:
      - path: /hello/(.*)$
        backend:
          serviceName: demo-svc
          servicePort: 8080
Rate limiting
Limit the www.example.com/login login page to 100 connections per second. The IP ranges 10.0.0.0/24,172.10.0.1 are exempt from the rate limit.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: demo-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx" # bind to the ingress-class
    nginx.ingress.kubernetes.io/limit-rps: '100'
    nginx.ingress.kubernetes.io/limit-whitelist: 10.0.0.0/24,172.10.0.1
spec:
  rules:
  - host: www.example.com
    http:
      paths:
      - path: /login
        backend:
          serviceName: demo-svc
          servicePort: 8080
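Added example (not from the original article or the ingress-nginx project): a Python check of the comma-separated value this page uses for whitelist-source-range and limit-whitelist, showing which client addresses it covers and flagging entries outside private address space. It assumes plain CIDR containment against the client address the controller sees; the function names are illustrative.

```python
import ipaddress

# The value this page uses for whitelist-source-range and limit-whitelist.
PAGE_VALUE = "10.0.0.0/24,172.10.0.1"


def parse_source_ranges(value):
    """Split a comma-separated annotation value into networks.

    A bare address such as 172.10.0.1 becomes a single-host network (/32).
    Raises ValueError for an entry that is not a valid IP address or CIDR.
    """
    networks = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry:
            # strict=False normalises 10.0.0.5/24 to 10.0.0.0/24
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def is_listed(client_ip, networks):
    """True if client_ip falls inside any of the listed networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks if net.version == addr.version)


def review(networks):
    """Return warnings for entries that deserve a second look before deploying."""
    warnings = []
    for net in networks:
        if net.prefixlen == 0:
            warnings.append(f"{net}: matches every address")
        elif not net.is_private:
            warnings.append(f"{net}: not in a private range")
    return warnings


if __name__ == "__main__":
    nets = parse_source_ranges(PAGE_VALUE)
    # Constructed sample client addresses
    for ip in ("10.0.0.42", "10.0.1.42", "172.10.0.1", "172.10.0.2"):
        print(ip, "listed" if is_listed(ip, nets) else "not listed")
    for warning in review(nets):
        print("warning:", warning)
```

The warning on 172.10.0.1 appears because the private block is 172.16.0.0/12, so this sample entry is a publicly routable address.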
References
- https://github.com/kubernetes/ingress-nginx/blob/nginx-0.24.1/docs/user-guide/nginx-configuration/annotations.md
This article was shared from the WeChat official account YP小站 (ypxiaozhan).