Kubernetes Ingress in Depth
I. Ingress basics
Ingress is the Kubernetes API object that manages external access to Services inside a cluster. It declares HTTP/HTTPS routing rules, and an Ingress Controller turns those rules into a running proxy configuration, providing:
- host- and path-based routing
- TLS termination
- load balancing
- traffic control (rate limits, canaries, authentication, depending on the controller)
How it differs from exposing a Service directly

| Feature | Ingress | Service (NodePort/LoadBalancer) |
|---|---|---|
| Protocols | HTTP/HTTPS/gRPC | any TCP/UDP port |
| Routing | hostname- and path-based rules | plain port forwarding |
| Layer | L7 (application) | L4 (transport) |
| Extra components | requires an Ingress Controller | none |
II. Core components
1. The Ingress resource (YAML)
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    # Rewrites the whole request URI to "/" before proxying (see note below)
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: "example.com"
    http:
      paths:
      - pathType: Prefix
        path: "/shop"
        backend:
          service:
            name: shop-service
            port:
              number: 80
```
Note on the annotation: with ingress-nginx, `rewrite-target: /` replaces the entire request URI, so `/shop/cart` arrives at shop-service as `/`. To keep the remainder of the path you need a capturing path such as `/shop(/|$)(.*)` together with `rewrite-target: /$2` (see section III.3).
2. Ingress Controller
An Ingress object does nothing on its own; a controller must watch Ingress resources and program a proxy. Common implementations:
- ingress-nginx (NGINX Ingress Controller)
- Traefik
- HAProxy Ingress
- AWS Load Balancer Controller (ALB Ingress)
- Istio Gateway
Annotations are controller-specific: the `nginx.ingress.kubernetes.io/*` annotations used throughout this page are only honoured by ingress-nginx.
III. Ingress configuration in detail
1. Routing rule types
Path matching
```yaml
paths:
- path: /static
  pathType: Prefix                  # element-wise prefix: matches /static and /static/x, not /staticfile
- path: /exact
  pathType: Exact                   # exact, case-sensitive match (a trailing slash does not match)
- path: /regex
  pathType: ImplementationSpecific  # semantics left to the controller; ingress-nginx treats it as a
                                    # prefix unless nginx.ingress.kubernetes.io/use-regex: "true" is set
```
When several rules match, the longest path wins; on a tie, Exact beats Prefix.
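The Prefix and Exact semantics above are defined by the Ingress spec itself, not by any controller, so they can be checked without a cluster. The following is an added example written for this page (not code from Kubernetes or a controller) that implements the spec's element-wise prefix rule and the longest-match/Exact-wins selection; the rule set and request paths are constructed. ImplementationSpecific is deliberately rejected, since its meaning depends on the controller.

```python
"""Path matching as defined by the Kubernetes Ingress spec (pathType Exact and
Prefix). Added example for this page, not code from Kubernetes or any
controller; ImplementationSpecific is left to the controller and rejected here."""


def _elements(path):
    # Path elements are the labels between '/' separators. A trailing slash
    # adds no element, which is why '/foo/' and '/foo' behave alike for Prefix.
    return [e for e in path.split("/") if e]


def path_matches(path_type, rule_path, request_path):
    """True if request_path matches rule_path under the given pathType."""
    if path_type == "Exact":
        return rule_path == request_path
    if path_type == "Prefix":
        rule = _elements(rule_path)
        req = _elements(request_path)
        # Element-wise prefix: '/foo' matches '/foo/bar' but not '/foobar'.
        return req[:len(rule)] == rule
    if path_type == "ImplementationSpecific":
        raise ValueError("matching semantics are defined by the controller")
    raise ValueError(f"unknown pathType {path_type!r}")


def select_backend(paths, request_path):
    """Pick the backend for request_path from (path, pathType, backend) tuples.

    Longest matching rule path wins; Exact beats Prefix on a tie; None when
    nothing matches (a controller then falls back to defaultBackend or 404)."""
    matches = [(p, t, b) for p, t, b in paths if path_matches(t, p, request_path)]
    if not matches:
        return None
    matches.sort(key=lambda m: (len(m[0]), m[1] == "Exact"), reverse=True)
    return matches[0][2]


# Constructed rule set in the layout of the page's example Ingress.
RULES = [
    ("/", "Prefix", "default-service"),
    ("/shop", "Prefix", "shop-service"),
    ("/shop/checkout", "Exact", "checkout-service"),
]

if __name__ == "__main__":
    for req in ("/shop", "/shop/", "/shop/cart", "/shopping",
                "/shop/checkout", "/shop/checkout/"):
        print(f"{req:18} -> {select_backend(RULES, req)}")
```

The two cases worth remembering from the output: `/shopping` does not hit `/shop` (element-wise, not string prefix), and `/shop/checkout/` with a trailing slash misses the Exact rule and falls through to `/shop`. Both are common sources of "the wrong backend answered" tickets and of accidental exposure when a path is assumed to be fenced off.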
Multiple hostnames
```yaml
rules:
- host: "shop.example.com"
  http: {...}
- host: "blog.example.com"
  http: {...}
```
2. TLS configuration
```yaml
spec:
  tls:
  - hosts:
    - "example.com"
    secretName: example-tls   # Secret of type kubernetes.io/tls holding the certificate and key
```
Create the certificate Secret (it must live in the same namespace as the Ingress):
```bash
kubectl create secret tls example-tls \
  --cert=path/to/cert.pem \
  --key=path/to/key.pem
```
The private key is readable by anyone with `get` on Secrets in that namespace, so scope RBAC accordingly. Hosts listed under `rules` but absent from `tls` are served over plain HTTP.
3. Annotation extensions (ingress-nginx)
```yaml
annotations:
  # Rate limiting: requests per minute from a single client IP
  nginx.ingress.kubernetes.io/limit-rpm: "100"
  # CORS headers
  nginx.ingress.kubernetes.io/enable-cors: "true"
  # Rewrite: $2 refers to the second capture group of a regex path such as /shop(/|$)(.*)
  nginx.ingress.kubernetes.io/rewrite-target: /$2
  # Session affinity via a cookie
  nginx.ingress.kubernetes.io/affinity: "cookie"
```
`rewrite-target` with `$N` placeholders only works when the matching `path` contains capture groups; with a plain `/shop` path there is nothing for `$2` to refer to.
IV. Deployment in practice
1. Install an Ingress Controller (ingress-nginx)
```bash
# Apply the official, version-pinned manifest. Download and review it first
# rather than piping an unreviewed remote file into the cluster.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/cloud/deploy.yaml
```
2. Verify the installation
```bash
# Check the controller Pod
kubectl get pods -n ingress-nginx
# Get the external IP of the controller Service
kubectl get svc -n ingress-nginx
```
3. Complete deployment example
```yaml
# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: web
        image: nginx:1.21
        ports:
        - containerPort: 80
---
# service.yaml
apiVersion: v1
kind: Service
metadata:
  name: web-service
spec:
  selector:
    app: web
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
---
# ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
spec:
  ingressClassName: nginx   # required unless an IngressClass is marked as the cluster default
  rules:
  - host: "demo.example.com"
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80
```
Without `ingressClassName` (or a default IngressClass) the controller ignores the object and `kubectl get ingress` never shows an address.
V. Advanced features
1. Traffic splitting (canary releases)
Canary annotations go on a second Ingress that repeats the same host and path as the stable one but points at the canary Service; the controller merges the two.
```yaml
annotations:
  nginx.ingress.kubernetes.io/canary: "true"
  nginx.ingress.kubernetes.io/canary-weight: "20"   # 20% of requests go to the canary
```
2. Header-based routing
```yaml
annotations:
  nginx.ingress.kubernetes.io/canary-by-header: "X-Canary"
  nginx.ingress.kubernetes.io/canary-by-header-value: "true"
```
Rules are evaluated in order of precedence: header, then cookie, then weight. A request whose `X-Canary` header equals `true` goes to the canary regardless of the weight; anything else falls through to the next rule.
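The interaction between the header and weight annotations above is easy to get wrong (a tester sending `X-Canary: true` sees the canary every time, while real users hit it at the weight). The following is an added example written for this page, not ingress-nginx code: it models the documented precedence (header, then cookie, then weight) as a small decision function, taking the random draw as a parameter so the behaviour can be checked deterministically. The annotation set is constructed.

```python
"""Model of how ingress-nginx chooses between the stable and canary backend
from the canary annotations. Added example for this page, not ingress-nginx
code. It follows the documented precedence header -> cookie -> weight and
takes the random draw as an argument instead of rolling it."""

NGX = "nginx.ingress.kubernetes.io/"


def choose_backend(annotations, headers, cookies, roll):
    """Return 'canary' or 'stable'.

    roll is an integer in [0, canary-weight-total) standing in for the
    controller's random draw; headers are matched case-insensitively."""
    if annotations.get(NGX + "canary") != "true":
        return "stable"
    hdrs = {k.lower(): v for k, v in headers.items()}
    header = annotations.get(NGX + "canary-by-header")
    if header:
        value = hdrs.get(header.lower())
        wanted = annotations.get(NGX + "canary-by-header-value")
        if wanted is not None:
            if value == wanted:        # exact match required; any other value is ignored
                return "canary"
        elif value == "always":        # without a configured value, always/never are magic
            return "canary"
        elif value == "never":
            return "stable"
    cookie = annotations.get(NGX + "canary-by-cookie")
    if cookie:
        value = cookies.get(cookie)
        if value == "always":
            return "canary"
        if value == "never":
            return "stable"
    weight = int(annotations.get(NGX + "canary-weight", "0"))
    total = int(annotations.get(NGX + "canary-weight-total", "100"))
    if not 0 <= roll < total:
        raise ValueError("roll must be in [0, canary-weight-total)")
    return "canary" if roll < weight else "stable"


def split_traffic(annotations, n):
    """Fraction of n evenly spaced draws (no header, no cookie) that reach the canary."""
    total = int(annotations.get(NGX + "canary-weight-total", "100"))
    hits = sum(choose_backend(annotations, {}, {}, (i * total) // n) == "canary"
               for i in range(n))
    return hits / n


# Constructed canary Ingress annotations combining the page's two snippets.
CANARY = {
    NGX + "canary": "true",
    NGX + "canary-weight": "20",
    NGX + "canary-by-header": "X-Canary",
    NGX + "canary-by-header-value": "true",
    NGX + "canary-by-cookie": "canary",
}

if __name__ == "__main__":
    print("header match, roll 99 ->", choose_backend(CANARY, {"X-Canary": "true"}, {}, 99))
    print("cookie never, roll 0   ->", choose_backend(CANARY, {}, {"canary": "never"}, 0))
    print("plain traffic share    ->", split_traffic(CANARY, 100))
```

The security-relevant consequence: any client can opt into the canary by setting the header or cookie, so a canary that carries unreviewed code is reachable by anyone who guesses the header name. Treat `canary-by-header` as a convenience for testing, not as access control.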
3. Authentication (HTTP basic auth)
```bash
# Create the htpasswd file; the file must be named "auth", because the
# controller reads the Secret key of that name
htpasswd -c auth foo
kubectl create secret generic basic-auth --from-file=auth
```
```yaml
annotations:
  nginx.ingress.kubernetes.io/auth-type: basic
  nginx.ingress.kubernetes.io/auth-secret: basic-auth   # Secret in the same namespace as the Ingress
```
Basic auth sends the credentials base64-encoded, not encrypted, with every request, so only enable it on hosts that also appear in the `tls` section.
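The pitfalls called out in the TLS section, the rewrite annotation, the complete deployment example and the basic-auth subsection are all visible in the Ingress object itself, so they can be audited from `kubectl get ingress -A -o json` output before anything reaches the cluster. Below is an added example written for this page (not code from Kubernetes or ingress-nginx) that does that audit; the `SAMPLE` document is constructed to resemble kubectl's List output, and the finding codes are this example's own names.

```python
"""Audit Ingress objects for the misconfigurations discussed on this page:
hosts served without TLS, missing ingress class, rewrite-target pitfalls and
basic auth on a plaintext host. Added example for this page, not code from
Kubernetes or ingress-nginx. Input has the shape of
`kubectl get ingress -A -o json`; SAMPLE is constructed, not captured."""
import json

NGX = "nginx.ingress.kubernetes.io/"


def _tls_hosts(spec):
    return {h for t in spec.get("tls", []) for h in t.get("hosts", [])}


def _covered(host, tls_hosts):
    # An exact TLS host covers itself; '*.example.com' covers exactly one extra label.
    if host in tls_hosts:
        return True
    parent = host.split(".", 1)[1] if "." in host else ""
    return ("*." + parent) in tls_hosts


def audit_ingress(ing):
    """Return a sorted list of finding codes for one Ingress object."""
    meta, spec = ing["metadata"], ing.get("spec", {})
    ann = meta.get("annotations") or {}
    findings = set()
    if "ingressClassName" not in spec and "kubernetes.io/ingress.class" not in ann:
        findings.add("no-ingress-class")            # controller may silently ignore the object
    tls_hosts = _tls_hosts(spec)
    rules = spec.get("rules", [])
    paths = [p for r in rules for p in r.get("http", {}).get("paths", [])]
    plaintext = [r.get("host", "*") for r in rules
                 if not _covered(r.get("host", "*"), tls_hosts)]
    if plaintext:
        findings.add("host-without-tls")
    if ann.get(NGX + "auth-type") == "basic" and plaintext:
        findings.add("basic-auth-over-plaintext")   # credentials cross the wire unencrypted
    target = ann.get(NGX + "rewrite-target")
    if target is not None:
        if "$" in target and not any("(" in p.get("path", "") for p in paths):
            findings.add("rewrite-target-group-without-capture")  # /$2 but no (...) in any path
        if "$" not in target and any(p.get("pathType") == "Prefix" and
                                     p.get("path", "/") != "/" for p in paths):
            findings.add("rewrite-target-drops-subpath")  # /shop/cart and /shop both become target
    return sorted(findings)


def audit_all(doc):
    """Map 'namespace/name' to its findings for a kubectl List document."""
    return {f'{i["metadata"].get("namespace", "default")}/{i["metadata"]["name"]}':
            audit_ingress(i) for i in doc["items"]}


# Constructed sample: one Ingress with several problems, one that is clean.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"metadata": {"name": "shop", "namespace": "prod",
   "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/",
                   "nginx.ingress.kubernetes.io/auth-type": "basic",
                   "nginx.ingress.kubernetes.io/auth-secret": "basic-auth"}},
  "spec": {"rules": [{"host": "shop.example.com", "http": {"paths": [
            {"path": "/shop", "pathType": "Prefix",
             "backend": {"service": {"name": "shop-service", "port": {"number": 80}}}}]}}]}},
 {"metadata": {"name": "web", "namespace": "prod"},
  "spec": {"ingressClassName": "nginx",
           "tls": [{"hosts": ["*.example.com"], "secretName": "wildcard-tls"}],
           "rules": [{"host": "demo.example.com", "http": {"paths": [
            {"path": "/", "pathType": "Prefix",
             "backend": {"service": {"name": "web-service", "port": {"number": 80}}}}]}}]}}
]}
""")

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, findings or "ok")
```

To run it against a real cluster, replace `SAMPLE` with `json.load(sys.stdin)` and pipe in `kubectl get ingress -A -o json`; the same checks fit naturally into a CI step that runs before `kubectl apply`.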
VI. Performance tuning
1. Configuration tuning
```yaml
annotations:
  # Upstream connection pool
  nginx.ingress.kubernetes.io/upstream-keepalive-connections: "100"
  nginx.ingress.kubernetes.io/upstream-keepalive-timeout: "60"
  # Proxy buffer size
  nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
```
2. Monitoring metrics
Metrics are exposed by the controller, not by individual Ingress objects. Enable them on the controller (for the Helm chart, `controller.metrics.enabled=true`), then let Prometheus scrape the controller Pods on port 10254:
```yaml
annotations:
  prometheus.io/scrape: "true"
  prometheus.io/port: "10254"
```
VII. Troubleshooting
- Ingress shows no address
```bash
kubectl describe ingress <ingress-name>        # check the class, events and backend status
kubectl get events -n ingress-nginx
```
Most often the Ingress has no `ingressClassName` and no default IngressClass exists, or the controller Service has not received an external IP yet.
- 502 Bad Gateway
```bash
# Check that the backend Service actually has ready endpoints
kubectl get endpoints <service-name>
kubectl logs <ingress-controller-pod> -n ingress-nginx
```
- Certificate problems
```bash
kubectl describe secret <tls-secret-name>      # type must be kubernetes.io/tls with tls.crt and tls.key
openssl s_client -connect <host>:443 -servername <host>
```
If `s_client` returns the controller's default "Kubernetes Ingress Controller Fake Certificate", the `tls.hosts` entry does not match the requested host or the Secret is missing.

Ingress is the entry gateway of a Kubernetes cluster, and with the right configuration it covers most production needs. Choose the controller and the configuration strategy according to your workload, and keep in mind that annotations are controller-specific.