k8s ingress-nginx

news/2024/9/18 23:13:53/ Tags: kubernetes, containers

ingress-nginx

Domain-name-based layer-7 proxying

1. Installation

# Download from the Helm repository
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm pull ingress-nginx/ingress-nginx

# Import the ingress-nginx images
[root@master 2、ingress-nginx]# tree -l
.
├── chart
│   └── ingress-nginx-4.8.3.tgz
└── image
    ├── ingress-nginx-kube-webhook-certgen-v20231011-8b53cabe0.tar
    └── registry.k8s.io-ingress-nginx-controller-v1.9.4.tar

scp image/* root@node1:/root/
scp image/* root@node2:/root/
docker load -i ingress-nginx-kube-webhook-certgen-v20231011-8b53cabe0.tar
docker load -i registry.k8s.io-ingress-nginx-controller-v1.9.4.tar

[root@master 2、ingress-nginx]# cd chart/
[root@master chart]# tar -zxvf ingress-nginx-4.8.3.tgz

# Edit values.yaml
# hostNetwork: set to true so the controller shares the host's network
# dnsPolicy: change to ClusterFirstWithHostNet (cluster DNS first, with host networking)
# kind: change to DaemonSet so that one pod runs on every node (high availability)
# Disable the digest of every image so the ingress-nginx images are not pulled again
# ingressClassResource.default=true

# Create the namespace
[root@master ingress-nginx]# kubectl create ns ingress
namespace/ingress created

[root@master ingress-nginx]# helm install ingress-nginx -n ingress . -f values.yaml
NAME: ingress-nginx
LAST DEPLOYED: Sun Sep  1 11:31:39 2024
NAMESPACE: ingress
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
The ingress-nginx controller has been installed.
It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status by running 'kubectl --namespace ingress get services -o wide -w ingress-nginx-controller'

An example Ingress that makes use of the controller:
  apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    name: example
    namespace: foo
  spec:
    ingressClassName: nginx
    rules:
      - host: www.example.com
        http:
          paths:
            - pathType: Prefix
              backend:
                service:
                  name: exampleService
                  port:
                    number: 80
              path: /
    # This section is only required if TLS is to be enabled for the Ingress
    tls:
      - hosts:
        - www.example.com
        secretName: example-tls

If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:

  apiVersion: v1
  kind: Secret
  metadata:
    name: example-tls
    namespace: foo
  data:
    tls.crt: <base64 encoded cert>
    tls.key: <base64 encoded key>
  type: kubernetes.io/tls

[root@master ingress-nginx]# kubectl get pod -n ingress
NAME                             READY   STATUS    RESTARTS   AGE
ingress-nginx-controller-jjgrc   1/1     Running   0          44s
ingress-nginx-controller-lnfgk   1/1     Running   0          44s
# Installation succeeded

Lab 1 - ingress-nginx HTTP proxy

vim 01-http.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-httpproxy-www1
spec:
  replicas: 2
  selector:
    matchLabels:
      hostname: www1
  template:
    metadata:
      labels:
        hostname: www1
    spec:
      containers:
      - name: nginx
        image: wangyanglinux/myapp:v1.0
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: ingress-httpproxy-www1
spec:
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
  selector:
    hostname: www1
---
apiVersion: networking.k8s.io/v1
kind: Ingress # resource kind
metadata:
  name: ingress-httpproxy-www1  # name of the Ingress
spec:
  ingressClassName: nginx # Ingress class name
  rules: # rules section
  - host: www1.noziroh.com # host name
    http: # HTTP-based
      paths:
      - path: / # match the root path
        pathType: Prefix # prefix match
        backend: # the backend is provided by a Service
          service:
            name: ingress-httpproxy-www1 # Service name
            port:
              number: 80 # port exposed by the Service
[root@master test]# kubectl get pods -n ingress
NAME                             READY   STATUS    RESTARTS   AGE
ingress-nginx-controller-jjgrc   1/1     Running   0          20m
ingress-nginx-controller-lnfgk   1/1     Running   0          20m

[root@master test]# kubectl get svc
NAME                     TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
ingress-httpproxy-www1   ClusterIP   10.6.91.37   <none>        80/TCP    5m36s
kubernetes               ClusterIP   10.0.0.1     <none>        443/TCP   11d

[root@master test]# kubectl get ingress
NAME                     CLASS   HOSTS                 ADDRESS   PORTS   AGE
ingress-httpproxy-www1   nginx   www1.noziroh.com             80      4m6s

[root@master test]# kubectl get pod -n ingress -o wide
NAME                             READY   STATUS    RESTARTS   AGE   IP            NODE    NOMINATED NODE   READINESS GATES
ingress-nginx-controller-jjgrc   1/1     Running   0          24m   10.0.17.102   node2   <none>           <none>
ingress-nginx-controller-lnfgk   1/1     Running   0          24m   10.0.17.101   node1   <none>           <none>

[root@master test]# curl 10.0.17.101
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

# Add the domain name on the client host
[root@master test]# echo 10.0.17.101 www1.noziroh.com >> /etc/hosts

[root@master test]# curl www1.noziroh.com
www.xinxianghf.com | hello MyAPP | version v1.0

[root@master test]# curl www1.noziroh.com/hostname.html
ingress-httpproxy-www1-7999cbf8d7-tk489

[root@master test]# sed -i "s/www1/www2/g" 02-http-www2.yaml
[root@master test]# sed -i "s/v1.0/v2.0/g" 02-http-www2.yaml
[root@master test]# echo "10.0.17.102 www2.noziroh.com" >> /etc/hosts
[root@master test]# curl www2.noziroh.com
www.xinxianghf.com | hello MyAPP | version v2.0

Lab 2 - ingress-nginx HTTPS proxy

Deployment, Service and Ingress YAML files

# Create the certificate and private key
[root@master https]#  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
[root@master https]# ls
tls.crt  tls.key
# Wrap the certificate and private key in a Secret object
[root@master https]# kubectl create secret tls ingress-nginx-tls  --key tls.key --cert tls.crt
secret/ingress-nginx-tls created
[root@master https]# kubectl get secrets ingress-nginx-tls
NAME                TYPE                DATA   AGE
ingress-nginx-tls   kubernetes.io/tls   2      74s
vim deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-httpproxy-ssl
spec:
  replicas: 2
  selector:
    matchLabels:
      hostname: ssl
  template:
    metadata:
      labels:
        hostname: ssl
    spec:
      containers:
      - name: nginx
        image: wangyanglinux/myapp:v3.0
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: ingress-httpproxy-ssl
spec:
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
  selector:
    hostname: ssl

vim ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-httpproxy-ssl
  namespace: default
  annotations: # declarations
    nginx.ingress.kubernetes.io/ssl-redirect: "true" # key: value, forces HTTPS
spec:
  ingressClassName: nginx
  rules: # rules
  - host: ssl.noziroh.com  # host domain name
    http: # the backend speaks HTTP
      paths:  # paths
      - path: /
        pathType: Prefix
        backend:
          service:
            name: ingress-httpproxy-ssl
            port:
              number: 80
  tls: # TLS section: states which of the hosts above must be served over HTTPS
  - hosts:
    - ssl.noziroh.com
    secretName: ingress-nginx-tls # Secret that provides the certificate
[root@master https]# kubectl apply -f deployment.yaml 
deployment.apps/ingress-httpproxy-ssl created
service/ingress-httpproxy-ssl created
[root@master https]# kubectl apply -f ingress.yaml 
ingress.networking.k8s.io/ingress-httpproxy-ssl created
[root@master https]# kubectl get pods -o wide
NAME                                      READY   STATUS    RESTARTS   AGE   IP               NODE    NOMINATED NODE   READINESS GATES
ingress-httpproxy-ssl-67bbd9f7c7-4lqsv    1/1     Running   0          40s   10.244.104.40    node2   <none>           <none>
ingress-httpproxy-ssl-67bbd9f7c7-ckdtg    1/1     Running   0          40s   10.244.104.41    node2   <none>           <none>

[root@master https]# kubectl get svc -o wide
NAME                     TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE   SELECTOR
ingress-httpproxy-ssl    ClusterIP   10.3.154.30     <none>        80/TCP    69s   hostname=ssl

[root@master https]# kubectl get ingress -o wide
NAME                     CLASS   HOSTS              ADDRESS   PORTS     AGE
ingress-httpproxy-ssl    nginx   ssl.noziroh.com              80, 443   101s

[root@master https]# echo 10.0.17.101 ssl.noziroh.com >> /etc/hosts
https://ssl.noziroh.com

Ingress BasicAuth proxy

Create the HTTP authentication file
Access nginx with a username and password

$ dnf -y install httpd-tools
$ htpasswd -c auth noziroh
$ kubectl create secret generic ingress-basic-auth --from-file=auth

[root@master auth]# htpasswd -c auth noziroh
New password: 
Re-type new password: 
Adding password for user noziroh
[root@master auth]# kubectl create secret generic ingress-basic-auth --from-file=auth
secret/ingress-basic-auth created
vim ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-with-auth
  annotations: # declarations
    nginx.ingress.kubernetes.io/auth-type: basic # enable basic authentication
    nginx.ingress.kubernetes.io/auth-secret: ingress-basic-auth # name of the Secret holding the authentication data
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - noziroh' # message shown in the authentication prompt
spec:
  ingressClassName: nginx
  rules:
  - host: auth.noziroh.com
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific # handled by the ingress controller itself
        backend:
          service:
            name: ingress-httpproxy-auth
            port:
              number: 80

vim deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-httpproxy-auth
spec:
  replicas: 2
  selector:
    matchLabels:
      hostname: auth
  template:
    metadata:
      labels:
        hostname: auth
    spec:
      containers:
      - name: nginx
        image: wangyanglinux/myapp:v4.0
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: ingress-httpproxy-auth
spec:
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
  selector:
    hostname: auth

[root@master auth]# echo 10.0.17.101 auth.noziroh.com >> /etc/hosts
# Open the site in a browser and enter
# Username: noziroh
# Password: root

nginx-ingress domain redirect

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: redirect.noziroh.com
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/permanent-redirect: https://www.baidu.com # redirect target address
    nginx.ingress.kubernetes.io/permanent-redirect-code: '301' # redirect status code, 301 (permanent redirect)
spec:
  ingressClassName: "nginx"
  rules:
  - host: redirect.noziroh.com # current host name
    http:

echo 10.0.17.101 redirect.noziroh.com >> /etc/hosts
[root@master redirect]# curl redirect.noziroh.com -I
HTTP/1.1 301 Moved Permanently
Date: Sun, 01 Sep 2024 07:14:01 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://www.baidu.com

Ingress-nginx rewrite

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rew.noziroh.com
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2 # rewrite target: the root followed by the second capture group of the path
spec:
  ingressClassName: "nginx"
  rules:
  - host: rew.noziroh.com
    http:
      paths:
      - path: /api(/|$)(.*) # regular expression: .* matches anything, (/|$) matches "/" or the end of the path
        pathType: ImplementationSpecific # handled by the current controller
        backend:
          service:
            name: ingress-httpproxy-rew # must be the same as the Service name
            port:
              number: 80

vim deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-httpproxy-rew
spec:
  replicas: 2
  selector:
    matchLabels:
      hostname: rew
  template:
    metadata:
      labels:
        hostname: rew
    spec:
      containers:
      - name: nginx
        image: wangyanglinux/myapp:v5.0
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: ingress-httpproxy-rew
spec:
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
  selector:
    hostname: rew

[root@master rewrite]# kubectl apply -f deployment.yaml
deployment.apps/ingress-httpproxy-rew created
service/ingress-httpproxy-rew created

echo 10.0.17.101 rew.noziroh.com >> /etc/hosts
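
Added example (not from the original page): a Python model of how the path /api(/|$)(.*) and the rewrite-target /$2 above map a request path to the path the backend receives, including what the (/|$) group protects against. The function names are hypothetical, and the anchored, case-insensitive match is an assumption about the regex location the controller generates.

```python
import re

# Values taken from the rewrite Ingress on this page.
INGRESS_PATH = r"/api(/|$)(.*)"
REWRITE_TARGET = "/$2"


def compile_location(path):
    """Model of the regex location built from an Ingress path.

    Assumption: the path is anchored at the start and matched
    case-insensitively, like an nginx `location ~* "^<path>"` block.
    """
    return re.compile("^" + path, re.IGNORECASE)


def rewrite(request_path, path=INGRESS_PATH, target=REWRITE_TARGET):
    """Return the path sent to the backend, or None when the rule does not match."""
    match = compile_location(path).match(request_path)
    if match is None:
        return None

    def substitute(ref):
        # $N refers to capture group N; a missing or empty group expands to "".
        index = int(ref.group(1))
        if index > match.re.groups:
            return ""
        return match.group(index) or ""

    return re.sub(r"\$(\d)", substitute, target)


def rewrite_table(paths, path=INGRESS_PATH, target=REWRITE_TARGET):
    """Map each request path to its upstream path (None = not handled by this rule)."""
    return {p: rewrite(p, path, target) for p in paths}


# Constructed request paths for illustration.
SAMPLE_PATHS = ["/api", "/api/", "/api/users/42", "/API/health",
                "/apiv2/users", "/static/app.js"]

if __name__ == "__main__":
    print("rule from the page: path=%s target=%s" % (INGRESS_PATH, REWRITE_TARGET))
    for request, upstream in rewrite_table(SAMPLE_PATHS).items():
        print("  %-16s -> %s" % (request, upstream))

    # Constructed looser rule: without (/|$), "/apiv2/..." is also captured
    # and forwarded to the backend that was only meant to serve /api.
    print("looser rule: path=/api(.*) target=/$1")
    for request, upstream in rewrite_table(SAMPLE_PATHS, r"/api(.*)", "/$1").items():
        print("  %-16s -> %s" % (request, upstream))
```
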
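  1. Basic concepts of Rewrite and Redirect
  • Rewrite: usually means URL rewriting, a mechanism by which the server processes the request URL internally. Without changing the URL the client requested, it maps the request to a different resource on the server.
  • Redirect: the server sends the client an instruction telling it to visit another URL. The address bar of the client's browser changes, and the browser issues a new request for the new URL.
  2. How Rewrite and Redirect differ in URL handling
  • Rewrite: happens inside the server, and the address bar of the client's browser does not change. It is mainly used to hide the real URL structure, to improve the site's security and readability, or to provide friendlier URLs.
  • Redirect: is an interaction between the server and the client, and the address bar of the client's browser shows the new URL. It is mainly used for URL changes, for pages that have moved temporarily or permanently, for handling 404 errors and similar scenarios.
  3. How Rewrite and Redirect differ in the interaction between server and browser
  • Rewrite: because it happens inside the server, only one interaction takes place between browser and server. The server handles the request directly and returns the result to the browser, which does not know that the URL was rewritten.
  • Redirect: the server sends the browser a redirect instruction (usually HTTP status code 301 or 302), and on receiving it the browser automatically requests the new URL. This means two interactions take place between browser and server: the original request, and the request for the redirected URL.
  4. Use and impact of Rewrite and Redirect in SEO
  • Rewrite: for SEO, URL rewriting helps provide friendly URLs and improves the site's readability and user experience. It can also help hide the site's internal structure, so that competitors cannot guess the site's content from its URLs. However, badly configured rewrite rules can prevent search engines from crawling and indexing the site correctly.
  • Redirect: redirects play an important role in SEO. When a page is moved or deleted, a redirect makes sure search engines and users can find the page's new location. A permanent redirect (301) tells search engines that the original page has moved permanently to the new location and updates the search index; a temporary redirect (302) is used to change a page's location temporarily and does not update the search index. Using redirects correctly avoids the loss of traffic and ranking that page changes would otherwise cause.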

Ingress-nginx default error backend

Configured when installing ingress-nginx

# Command to uninstall ingress-nginx with helm
helm uninstall ingress-nginx -n ingress

# Or edit values.yaml and then upgrade
vim values.yaml
defaultBackend:
  enabled: true
  name: defaultbackend
  image:
    registry: docker.io
    image: wangyanglinux/tools
    tag: "errweb1.0"
  port: 80
[root@master ingress-nginx]# helm upgrade --install ingress-nginx -n ingress . -f values.yaml
Release "ingress-nginx" has been upgraded. Happy Helming!
NAME: ingress-nginx
LAST DEPLOYED: Sun Sep  1 16:00:47 2024
NAMESPACE: ingress
STATUS: deployed
REVISION: 3
TEST SUITE: None
NOTES:
The ingress-nginx controller has been installed.
It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status by running 'kubectl --namespace ingress get services -o wide -w ingress-nginx-controller'

An example Ingress that makes use of the controller:
  apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    name: example
    namespace: foo
  spec:
    ingressClassName: nginx
    rules:
      - host: www.example.com
        http:
          paths:
            - pathType: Prefix
              backend:
                service:
                  name: exampleService
                  port:
                    number: 80
              path: /
    # This section is only required if TLS is to be enabled for the Ingress
    tls:
      - hosts:
        - www.example.com
        secretName: example-tls

If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:

  apiVersion: v1
  kind: Secret
  metadata:
    name: example-tls
    namespace: foo
  data:
    tls.crt: <base64 encoded cert>
    tls.key: <base64 encoded key>
  type: kubernetes.io/tls

[root@master ingress-nginx]# kubectl get pod -n ingress
NAME                                            READY   STATUS    RESTARTS   AGE
ingress-nginx-controller-96hg7                  1/1     Running   0          2m44s
ingress-nginx-controller-mnncd                  1/1     Running   0          2m11s
ingress-nginx-defaultbackend-774db5d85d-dswfk   1/1     Running   0          2m57s

Ingress-nginx custom error backend (declaring the error backend separately)

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: errcode
  name: errcode
spec:
  replicas: 1
  selector:
    matchLabels:
      app: errcode
  template:
    metadata:
      labels:
        app: errcode
    spec:
      containers:
      - image: wangyanglinux/tools:errweb1.0
        name: tools
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: errcode
  name: errcode
spec:
  ports:
  - name: 80-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: errcode
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: errtest
  name: errtest
spec:
  replicas: 1
  selector:
    matchLabels:
      app: errtest
  template:
    metadata:
      labels:
        app: errtest
    spec:
      containers:
      - image: wangyanglinux/myapp:v1.0
        name: tools
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: errtest
  name: errtest
spec:
  ports:
  - name: 80-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: errtest
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: err.noziroh.com
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/default-backend: 'errcode' # use errcode as the default backend of this Ingress
    nginx.ingress.kubernetes.io/custom-http-errors: "404,415" # error codes handled: on 404 or 415 the custom page is used
spec:
  rules:
  - host: err.noziroh.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: errtest
            port:
              number: 80

echo 10.0.17.101 err.noziroh.com >> /etc/hosts
# Visit err.noziroh.com
# Visit err.noziroh.com/123123123123

ingress-nginx matching request headers with a snippet

Simulate mobile and desktop clients that access the same domain and are forwarded to different services

# Edit the ingress controller configuration
kubectl edit cm ingress-nginx-controller -n ingress
data:
  allow-snippet-annotations: "true"

[root@master test]# kubectl get pod -n ingress
NAME                                            READY   STATUS    RESTARTS        AGE
ingress-nginx-controller-96hg7                  1/1     Running   1 (3h31m ago)   3h41m
ingress-nginx-controller-mnncd                  1/1     Running   2 (173m ago)    3h41m
ingress-nginx-defaultbackend-774db5d85d-nmgdd   1/1     Running   0               174m

# nginx is not reloaded after this change
# Delete the pods so that they are recreated automatically
[root@master test]# kubectl delete -n ingress pod --all
pod "ingress-nginx-controller-96hg7" deleted
pod "ingress-nginx-controller-mnncd" deleted
pod "ingress-nginx-defaultbackend-774db5d85d-nmgdd" deleted

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: snippet
  name: snippet
spec:
  replicas: 1
  selector:
    matchLabels:
      app: snippet
  template:
    metadata:
      labels:
        app: snippet
    spec:
      containers:
      - image: wangyanglinux/myapp:v1.0
        name: tools
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: snippet
  name: snippet
spec:
  ports:
  - name: 80-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: snippet
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: snippet.noziroh.com
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/server-snippet: |
      set $agentflag 0;
      if ($http_user_agent ~* "(Android|IPhone)") {
        set $agentflag 1;
      }
      if ($agentflag = 1) {
        return 302 http://www.baidu.com;
      }
spec:
  rules:
  - host: snippet.noziroh.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: snippet
            port:
              number: 80

echo 10.0.17.101 snippet.noziroh.com >> /etc/hosts

$ curl snippet.noziroh.com
[root@master snippet]# curl snippet.noziroh.com
www.xinxianghf.com | hello MyAPP | version v1.0
$ curl snippet.noziroh.com -H 'User-Agent: Android'  -I
[root@master snippet]# curl snippet.noziroh.com -H 'User-Agent: Android' -I
HTTP/1.1 302 Moved Temporarily
Date: Sun, 01 Sep 2024 11:53:29 GMT
Content-Type: text/html
Content-Length: 138
Connection: keep-alive
Location: http://www.baidu.com
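
Added example (not from the original page): with allow-snippet-annotations set to "true", every Ingress can carry raw nginx configuration, so this Python audit lists the Ingress objects that use snippet annotations and the directives they contain, and also flags basic-auth Ingresses (such as ingress-with-auth earlier on this page) whose host has no tls entry. The function names, the REVIEWED_DIRECTIVES policy and the extra-header Ingress are hypothetical; the sample objects are constructed from the manifests on this page in the shape of `kubectl get ingress -o json` items.

```python
import re

PREFIX = "nginx.ingress.kubernetes.io/"
SNIPPET_KEYS = ("server-snippet", "configuration-snippet")
# Assumption: directives a hypothetical review policy accepts without a manual look.
REVIEWED_DIRECTIVES = {"set", "if", "return", "allow", "deny"}


def snippet_directives(snippet):
    """Return the directive names used in an nginx snippet, in order.

    Simplified tokenizer: a ';', '{' or '}' inside a quoted string is not handled.
    """
    names = []
    for statement in re.split(r"[;{}]", snippet):
        words = statement.split()
        if words:
            names.append(words[0])
    return names


def tls_hosts(obj):
    """Hosts listed under spec.tls of one Ingress object."""
    hosts = set()
    for entry in obj["spec"].get("tls") or []:
        hosts.update(entry.get("hosts") or [])
    return hosts


def audit(obj):
    """Return (ingress, annotation, detail) findings for one Ingress object."""
    meta = obj["metadata"]
    annotations = meta.get("annotations") or {}
    name = meta.get("namespace", "default") + "/" + meta["name"]
    findings = []
    for key in SNIPPET_KEYS:
        snippet = annotations.get(PREFIX + key)
        if snippet is None:
            continue
        extra = sorted(set(snippet_directives(snippet)) - REVIEWED_DIRECTIVES)
        detail = ("unreviewed directives: " + ", ".join(extra)
                  if extra else "reviewed directives only")
        findings.append((name, key, detail))
    if annotations.get(PREFIX + "auth-type") == "basic":
        covered = tls_hosts(obj)
        for rule in obj["spec"].get("rules") or []:
            host = rule.get("host", "*")
            if host not in covered:
                # Basic credentials are only base64-encoded, so plain HTTP exposes them.
                findings.append((name, "auth-type",
                                 "basic auth on " + host + " without a tls entry"))
    return findings


def audit_all(items):
    return [finding for item in items for finding in audit(item)]


def make_ingress(name, host, annotations=None, tls=None):
    """Build a minimal Ingress dict for the sample data below."""
    spec = {"rules": [{"host": host}]}
    if tls:
        spec["tls"] = tls
    return {"metadata": {"name": name, "namespace": "default",
                         "annotations": annotations or {}}, "spec": spec}


# Constructed sample input, modelled on the manifests shown on this page.
SAMPLES = [
    make_ingress("snippet.noziroh.com", "snippet.noziroh.com", {
        PREFIX + "server-snippet": 'set $agentflag 0;\n'
        'if ($http_user_agent ~* "(Android|IPhone)") {\n  set $agentflag 1;\n}\n'
        'if ($agentflag = 1) {\n  return 302 http://www.baidu.com;\n}\n'}),
    make_ingress("ingress-with-auth", "auth.noziroh.com", {
        PREFIX + "auth-type": "basic",
        PREFIX + "auth-secret": "ingress-basic-auth"}),
    make_ingress("ingress-httpproxy-ssl", "ssl.noziroh.com",
                 {PREFIX + "ssl-redirect": "true"},
                 tls=[{"hosts": ["ssl.noziroh.com"], "secretName": "ingress-nginx-tls"}]),
    # Hypothetical Ingress, not from the page: a snippet with an unreviewed directive.
    make_ingress("extra-header", "extra.example.test",
                 {PREFIX + "configuration-snippet": "add_header X-Frame-Options DENY;"}),
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLES):
        print(*finding, sep=" | ")
```
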

ingress-nginx blacklists and whitelists

Blacklist

Configuration options

  • Annotations: take effect only for the specified Ingress
  • ConfigMap: takes effect globally
  • When both Annotations and the ConfigMap are configured, the Annotations generally take effect and the ConfigMap does not, because Annotations have higher priority

Difference between blacklist and whitelist

  • A whitelist denies everything by default and allows only the configured addresses
  • A blacklist denies the configured address access to everything

How to configure

  • Configure the blacklist with the ConfigMap
  • For the whitelist, Annotations are recommended
1. Add a blacklist via the ConfigMap
$ kubectl edit cm ingress-nginx-controller -n ingress
data:
  allow-snippet-annotations: "true"
  block-cidrs: 10.0.17.101

kubectl delete pod -n ingress --all

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: test
  name: test-deploy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      containers:
      - image: wangyanglinux/myapp:v1.0
        name: myapp
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: test
  name: test-svc
spec:
  ports:
  - name: 80-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: test
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test.noziroh.com
spec:
  rules:
  - host: test.noziroh.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: test-svc
            port:
              number: 80

Add a blacklist via Annotations
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: black
  name: black-deploy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: black
  template:
    metadata:
      labels:
        app: black
    spec:
      containers:
      - image: wangyanglinux/myapp:v1.0
        name: myapp
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: black
  name: black-svc
spec:
  ports:
  - name: 80-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: black
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/server-snippet: |-
      deny 10.0.17.100;
      allow all;
  name: black.noziroh.com
spec:
  rules:
  - host: black.noziroh.com
    http:
      paths:
      - pathType: Prefix
        backend:
          service:
            name: black-svc
            port:
              number: 80
        path: /

Whitelist

Set a whitelist via the ConfigMap
kubectl edit cm ingress-nginx-controller -n ingress
apiVersion: v1
data:
  allow-snippet-annotations: "true"
  whitelist-source-range: 10.0.17.101

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: test
  name: test-deploy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      containers:
      - image: wangyanglinux/myapp:v1.0
        name: myapp
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: test
  name: test-svc
spec:
  ports:
  - name: 80-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: test
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test.noziroh.com
spec:
  rules:
  - host: test.noziroh.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: test-svc
            port:
              number: 80

Add a whitelist via annotations
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: white
  name: white-deploy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: white
  template:
    metadata:
      labels:
        app: white
    spec:
      containers:
      - image: wangyanglinux/myapp:v1.0
        name: myapp
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: white
  name: white-svc
spec:
  ports:
  - name: 80-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: white
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.17.101
  name: white.noziroh.com
spec:
  rules:
  - host: white.noziroh.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: white-svc
            port:
              number: 80
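
Added example (not from the original page): a Python model of how the allow/deny rules from the blacklist and whitelist sections are evaluated, where the first matching rule wins, together with the page's rule that an annotation takes priority over the ConfigMap. The function names are hypothetical, and translating whitelist-source-range into "allow each range, then deny all" is an assumption about the generated nginx configuration.

```python
import ipaddress

WHITELIST_ANNOTATION = "nginx.ingress.kubernetes.io/whitelist-source-range"


def split_cidrs(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def rules_from_whitelist(ranges):
    """Whitelist: allow every listed CIDR, then deny everything else."""
    return [("allow", cidr) for cidr in split_cidrs(ranges)] + [("deny", "all")]


def rules_from_blocklist(cidrs):
    """block-cidrs style blacklist: deny the listed CIDRs, nothing else."""
    return [("deny", cidr) for cidr in split_cidrs(cidrs)]


def rules_from_snippet(snippet):
    """Collect allow/deny directives from a server-snippet, keeping their order."""
    rules = []
    for statement in snippet.replace("\n", " ").split(";"):
        parts = statement.split()
        if len(parts) == 2 and parts[0] in ("allow", "deny"):
            rules.append((parts[0], parts[1]))
    return rules


def effective_whitelist(configmap, annotations):
    """The Ingress annotation, when present, replaces the global ConfigMap value."""
    if WHITELIST_ANNOTATION in annotations:
        return rules_from_whitelist(annotations[WHITELIST_ANNOTATION])
    if "whitelist-source-range" in configmap:
        return rules_from_whitelist(configmap["whitelist-source-range"])
    return []


def decide(client_ip, rules):
    """Return "allow" or "deny": the first matching rule wins, no match allows."""
    address = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or address in ipaddress.ip_network(target, strict=False):
            return action
    return "allow"


if __name__ == "__main__":
    blacklist = rules_from_snippet("deny 10.0.17.100;\nallow all;")  # from the page
    swapped = rules_from_snippet("allow all;\ndeny 10.0.17.100;")    # constructed
    whitelist = rules_from_whitelist("10.0.17.101")                   # from the page
    cases = (("blacklist", blacklist), ("swapped", swapped), ("whitelist", whitelist))
    for label, rules in cases:
        for ip in ("10.0.17.100", "10.0.17.101", "10.0.17.102"):
            print(label, ip, decide(ip, rules))
```

In the swapped case the deny line is never reached because `allow all` matches first, which is why the blacklist snippet on this page puts `deny` before `allow all`.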

ingress-nginx rate limiting

Basic test
Rate limiting reduces the load on the backend; limiting the access rate of a single IP protects against attacks. Use rate limit for this.
Annotations
nginx.ingress.kubernetes.io/limit-rps: limits connections per second, per IP
nginx.ingress.kubernetes.io/limit-rpm: limits connections per minute, per IP
nginx.ingress.kubernetes.io/limit-rate: limits the transfer speed per second, in k; requires proxy-buffering to be enabled
nginx.ingress.kubernetes.io/limit-whitelist: whitelist for rate limiting

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: speed
  name: speed-deploy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: speed
  template:
    metadata:
      labels:
        app: speed
    spec:
      containers:
      - image: wangyanglinux/myapp:v1.0
        name: myapp
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: speed
  name: speed-svc
spec:
  ports:
  - name: 80-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: speed
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: speed.noziroh.com
  namespace: default
spec:
  rules:
  - host: speed.noziroh.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: speed-svc
            port:
              number: 80

yum install -y httpd-tools
ab -c 10 -n 100 http://speed.noziroh.com/ | grep requests
# -c concurrency, -n number of requests

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: speed.noziroh.com
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/limit-connections: "1" # concurrency of 1
spec:
  rules:
  - host: speed.noziroh.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: speed-svc
            port:
              number: 80

ingress-nginx gray release (canary deployment)

1. Create the v1 Ingress

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: v1
  name: v1-deploy
spec:
  replicas: 10
  selector:
    matchLabels:
      app: v1
  template:
    metadata:
      labels:
        app: v1
    spec:
      containers:
      - image: wangyanglinux/myapp:v1.0
        name: myapp
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: v1
  name: v1-svc
spec:
  ports:
  - name: 80-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: v1
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: v1.noziroh.com
  namespace: default
spec:
  rules:
  - host: svc.noziroh.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: v1-svc
            port:
              number: 80

2. Create a v2 canary Ingress

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: v2
  name: v2-deploy
spec:
  replicas: 10
  selector:
    matchLabels:
      app: v2
  template:
    metadata:
      labels:
        app: v2
    spec:
      containers:
      - image: wangyanglinux/myapp:v2.0
        name: myapp
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: v2
  name: v2-svc
spec:
  ports:
  - name: 80-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: v2
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: v2.noziroh.com
  namespace: default
  annotations: # declarations
    nginx.ingress.kubernetes.io/canary: "true" # make this a canary deployment
    nginx.ingress.kubernetes.io/canary-weight: "10" # canary weight of 10%
spec:
  rules:
  - host: svc.noziroh.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: v2-svc
            port:
              number: 80

3. Test

for i in {1..100};do curl svc.noziroh.com >> sum;done
cat sum | sort | uniq -c

ingress-nginx proxying a backend HTTPS service

When nginx load-balances for services inside the cluster, it accesses or proxies them over HTTPS
kubernetes-dashboard, for example, uses HTTPS

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: proxyhttps
  name: proxyhttps-deploy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: proxyhttps
  template:
    metadata:
      labels:
        app: proxyhttps
    spec:
      containers:
      - image: wangyanglinux/tools:httpsv1
        name: myapp
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: proxyhttps
  name: proxyhttps-svc
spec:
  ports:
  - name: 443-443
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: proxyhttps
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS # declares that the backend application speaks HTTPS
  name: proxyhttps.noziroh.com
  namespace: default
spec:
  rules:
  - host: proxyhttps.noziroh.com
    http:
      paths:
      - backend:
          service:
            name: proxyhttps-svc
            port:
              number: 443
        path: /
        pathType: ImplementationSpecific

ingress-nginx layer-4 proxy

1. TCP

$ kubectl edit ds -n ingress ingress-nginx-controller
spec:
  containers:
  - args: # startup arguments
    - /nginx-ingress-controller
    - --tcp-services-configmap=$(POD_NAMESPACE)/nginx-ingress-tcp-configmap # the named ConfigMap object is read and converted into the layer-4 load-balancing configuration

Create the ConfigMap object

apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-ingress-tcp-configmap
  namespace: ingress
data:
  "9000": "default/proxyhttps-svc:443" # layer-4 load-balancing format: the Service proxyhttps-svc in the default namespace, port 443, is load-balanced at layer 4 on port 9000 of this nginx

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: proxyhttps
  name: proxyhttps-deploy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: proxyhttps
  template:
    metadata:
      labels:
        app: proxyhttps
    spec:
      containers:
      - image: wangyanglinux/tools:httpsv1
        name: myapp
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: proxyhttps
  name: proxyhttps-svc
spec:
  ports:
  - name: 443-443
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: proxyhttps
  type: ClusterIP

curl https://10.0.17.101:9000

2. UDP

kubectl edit ds -n ingress ingress-nginx-controller
spec:
  containers:
  - args:
    - /nginx-ingress-controller
    - --udp-services-configmap=$(POD_NAMESPACE)/nginx-ingress-udp-configmap

apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-ingress-udp-configmap
  namespace: ingress
data:
  "53": "kube-system/kube-dns:53"

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: proxyhttps
  name: proxyhttps-deploy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: proxyhttps
  template:
    metadata:
      labels:
        app: proxyhttps
    spec:
      containers:
      - image: wangyanglinux/tools:httpsv1
        name: myapp
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: proxyhttps
  name: proxyhttps-svc
spec:
  ports:
  - name: 53
    port: 53
    protocol: UDP
    targetPort: 53
  selector:
    app: proxyhttps
  type: ClusterIP

ingress-nginx enabling distributed tracing

# Official example deployment file
https://raw.githubusercontent.com/jaegertracing/jaeger-kubernetes/master/all-in-one/jaeger-all-in-one-template.yml

kubectl edit cm ingress-nginx-controller -n ingress
apiVersion: v1
data:
  allow-snippet-annotations: "true"
  enable-opentracing: "true"   # enable tracing
  jaeger-collector-host: jaeger-agent.default.svc.cluster.local # Service name of the tracing collector
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
