k8s之Ingress讲解
一、Ingress基本介绍
Ingress是管理k8s外部访问(http/https)的API对象,提供应用层的路由功能,处理第七层(http/https)流量,支持基于域名、路径的路由。与service不同的是,service处理第四次(tcp/udp)流量,通过ClusterIP、Nodeport或者LoadBalancer暴露服务。
Ingress是k8s中管理外部流量的核心组件,通过灵活的路由规则和丰富的控制器生态满足多样化需求。
二、Ingress部署
本文采用的ingress的控制器为Traefik
1.下载镜像和yaml文件
traefik镜像和yaml文件可在此次下载
2.导入镜像或者拉取镜像
[root@node-1 ~]# docker pull traefik:2.9
[root@node-2 ~]# docker load -i traefik.2.9.tar.gz3.创建Traefik资源
#创建Traefik CRD资源(master-1)
[root@master-1 ingress]# kubectl apply -f traefik-crd.yaml
#创建Traefik RABC文件(master-1)
[root@master-1 ingress]# kubectl create -f traefik-rbac.yaml
#创建配置文件
[root@master-1 ingress]# kubectl apply -f traefik-config.yaml
#设置节点标签(注意主机名) traefik-deploy有用到
[root@master-1 ingress]# kubectl label nodes node-1 IngressProxy=true
node/node-1 labeled
#注意每个Node节点的80与443端口不能被占用
[root@master-1 ingress]# netstat -antupl | grep -E "80|443"
#部署 Traefik deploy资源
#注意修改k8s集群VIP 192.168.91.254
[root@master-1 ingress]# kubectl apply -f traefik-deploy.yaml
daemonset.apps/traefik-ingress-controller created
[root@master-1 ingress]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
traefik-ingress-controller-ktdvl 1/1 Running 0 15s
#部署sevice
[root@master-1 ingress]# kubectl apply -f traefik-service.yaml
service/traefik created
[root@master-1 ingress]# kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
traefik NodePort 10.0.0.127 <none> 80:47646/TCP,443:32007/TCP,8080:44168/TCP 7s
#访问web页面
http://192.168.91.21:441684.Traefik 路由配置
#访问ingress.liux.com 代理到 8080业务
[root@master-1 ingress]# vim traefik-dashboard-route.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard-route
namespace: kube-system
spec:
entryPoints:
- web
routes:
- match: Host(`ingress.liux.com`)
kin1d: Rule
services:
- name: traefik
port: 8080
[root@master-1 ingress]# kubectl apply -f traefik-dashboard-route.yaml
#配置hosts
[root@master-1 ingress]# vim /etc/hosts
192.168.91.21 node-1 ingress.liux.com
[root@master-1 ingress]# curl ingress.liux.com
Moved Permanently
#如上代表成功了
#windows上配置hosts
192.168.91.21 ingress.liux.com
#访问
http://ingress.liux.com/dashboard/#/ 正常,说明代理成功了5.ingress代理nginx
[root@master-1 ingress]# kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) nginx-demo NodePort 10.0.0.3 <none> 88:40132/TCP
#编写Traefik 路由配置 访问nginx.liux.com 代理到nginx的88端口
[root@master-1 ingress]# cat nginx-route.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: nginx-route
namespace: kube-system
spec:
entryPoints:
- web
routes:
- match: Host(`nginx.liux.com`)
kind: Rule
services:
- name: nginx-demo
port: 88
[root@master-1 ingress]# kubectl apply -f nginx-route.yaml
[root@master-1 ingress]# kubectl get ingressroute -n kube-system
NAME AGE
nginx-route 45s
traefik-dashboard-route 23m
#配置hosts
192.168.91.21 nginx.liux.com
#页面访问 显示nginx页面
http://nginx.liux.com/6.ingress代理nginx的443端口
6.1 生成自签证书
[root@master-1 ingress]# openssl req -x509 -newkey rsa:2048 -nodes -keyout tls.key -out tls.crt -days 365 -subj "/CN=cloud.liux.com"6.2 将证书存储在secret
[root@master-1 ingress]# kubectl create secret tls liux-tls --cert=tls.crt --key=tls.key -n kube-system
[root@master-1 ingress]# kubectl get secret -n kube-system | grep liux-tls
liux-tls kubernetes.io/tls 2 16s6.3 创建路由规则文件
[root@master-1 ingress]# cat nginx-route-https.yaml
#注意命名空间 namespace与要代理的服务需要在同一个名称空间
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: nginx-https-route
namespace: kube-system
spec:
entryPoints:
- websecure
tls:
secretName: liux-tls
routes:
- match: Host(`cloud.liux.com`)
kind: Rule
services:
- name: nginx-demo
port: 88
#创建 Kubernetes Dashboard 路由规则对象
[root@master-1 ingress]# kubectl apply -f nginx-route-https.yaml
#配置hosts
192.168.91.21 cloud.liux.com
#使用https页面访问 显示nginx页面
https://cloud.liux.com/