
Kubernetes Service & LB & Networking :Ingress


Preparation

1. Enable the minikube ingress addon

minikube addons enable ingress 

2. Pull the images the ingress addon needs

minikube ssh
export image=nginx-ingress-controller:0.14.0
docker pull registry.cn-hangzhou.aliyuncs.com/anoy/${image}
docker tag registry.cn-hangzhou.aliyuncs.com/anoy/${image} quay.io/kubernetes-ingress-controller/${image}
docker rmi registry.cn-hangzhou.aliyuncs.com/anoy/${image}

Note: if your network can reach quay.io directly, this step can be skipped.

3. Create two services

Create the service blog-anoyi: Anoyi's personal blog

apiVersion: apps/v1
kind: Deployment
metadata:
  name: blog-anoyi
  labels:
    app: blog
spec:
  selector:
    matchLabels:
      blog-name: anoyi
  template:
    metadata:
      labels:
        blog-name: anoyi
    spec:
      containers:
      - image: registry.cn-hangzhou.aliyuncs.com/anoy/blog
        name: blog
        env:
        - name: JIANSHU_ID
          value: 7b7ec6f2db21
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: blog-anoyi
  labels:
    app: blog
spec:
  ports:
    - port: 8080
  selector:
    blog-name: anoyi
  clusterIP: None

Create the service blog-science: 科学Jia's personal blog

apiVersion: apps/v1
kind: Deployment
metadata:
  name: blog-science
  labels:
    app: blog
spec:
  selector:
    matchLabels:
      blog-name: science
  template:
    metadata:
      labels:
        blog-name: science
    spec:
      containers:
      - image: registry.cn-hangzhou.aliyuncs.com/anoy/blog
        name: blog
        env:
        - name: JIANSHU_ID
          value: 66a89bc4d1b3
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: blog-science
  labels:
    app: blog
spec:
  ports:
    - port: 8080
  selector:
    blog-name: science
  clusterIP: None

Ingress types


1. Single Service Ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: blog-ingress
spec:
  backend:
    serviceName: blog-anoyi
    servicePort: 8080

Simple service routing: inbound traffic on the node's port 80 is forwarded to the service blog-anoyi. View the ingress rules:

kubectl describe ing
Name:             blog-ingress
Namespace:        default
Address:          192.168.99.100
Default backend:  blog-anoyi:8080 (172.17.0.3:8080)
Rules:
  Host  Path  Backends
  ----  ----  --------
  *     *     blog-anoyi:8080 (172.17.0.3:8080)
Annotations:
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  18m   nginx-ingress-controller  Ingress default/blog-ingress
  Normal  UPDATE  17m   nginx-ingress-controller  Ingress default/blog-ingress

That is, visiting http://192.168.99.100/ is equivalent to visiting http://172.17.0.3:8080/; opening it in a browser shows Anoyi's blog.

2. Name based virtual hosting

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: blog-ingress
spec:
  rules:
  - host: anoyi.anoy.com
    http:
      paths:
      - backend:
          serviceName: blog-anoyi
          servicePort: 8080
  - host: science.anoy.com
    http:
      paths:
      - backend:
          serviceName: blog-science
          servicePort: 8080

Name-based virtual host forwarding: requests for the domain anoyi.anoy.com are forwarded to the service blog-anoyi, and requests for science.anoy.com to the service blog-science. The ingress rules are as follows:

Name:             test
Namespace:        default
Address:          192.168.99.100
Default backend:  default-http-backend:80 ()
Rules:
  Host              Path  Backends
  ----              ----  --------
  anoyi.anoy.com
                          blog-anoyi:8080 (<none>)
  science.anoy.com
                          blog-science:8080 (<none>)
Annotations:
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  3m    nginx-ingress-controller  Ingress default/test
  Normal  UPDATE  2m    nginx-ingress-controller  Ingress default/test

Configure the hosts file as shown in the figure below, then visit http://anoyi.anoy.com and http://science.anoy.com respectively.

Figure: hosts file configuration

Note: 192.168.99.100 is the Address shown in the Ingress.

Figure: Anoyi's personal blog

Figure: 科学Jia's personal blog

3. Simple fanout

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: blog-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: anoy.com
    http:
      paths:
      - path: /anoyi
        backend:
          serviceName: blog-anoyi
          servicePort: 8080
      - path: /science
        backend:
          serviceName: blog-science
          servicePort: 8080

Simple path fan-out: requests to http://anoy.com/anoyi are forwarded to the service blog-anoyi, and requests to http://anoy.com/science to the service blog-science. The ingress rules are as follows:

Name:             blog-ingress
Namespace:        default
Address:          192.168.99.100
Default backend:  default-http-backend:80 ()
Rules:
  Host      Path  Backends
  ----      ----  --------
  anoy.com
            /anoyi     blog-anoyi:8080 (<none>)
            /science   blog-science:8080 (<none>)
Annotations:
  nginx.ingress.kubernetes.io/rewrite-target:  /
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  26s   nginx-ingress-controller  Ingress default/blog-ingress
  Normal  UPDATE  4s    nginx-ingress-controller  Ingress default/blog-ingress

Because the path redirects built into this blog image do not fit this scenario, no screenshot of the result is shown here.

TLS

You can secure an Ingress by specifying a Secret that contains a TLS private key and certificate. Currently, Ingress supports only a single TLS port, 443. If the TLS configuration section of an Ingress specifies different hosts, they are multiplexed on the same port according to the hostname selected through the SNI TLS extension (provided the Ingress controller supports SNI). The TLS Secret must contain keys named tls.crt and tls.key, holding the certificate and private key to use for TLS.

Example: adding TLS to the "Name based virtual hosting" Ingress

Generate the CA private key and (self-signed) certificate

openssl genrsa -out tls.key 2048 
openssl req -x509 -new -key tls.key -out tls.crt 

View the base64 values of tls.key and tls.crt (each value must go into the Secret as a single unbroken line):

cat tls.key | base64 
cat tls.crt | base64 

Create a Secret containing tls.key and tls.crt

apiVersion: v1
kind: Secret
metadata:
  name: ingress-tls
type: Opaque
data:
  tls.key: <base64 value of tls.key from above>
  tls.crt: <base64 value of tls.crt from above>

Create the Ingress with TLS

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: blog-ingress
spec:
  tls:
  - secretName: ingress-tls
  rules:
  - host: anoyi.anoy.com
    http:
      paths:
      - backend:
          serviceName: blog-anoyi
          servicePort: 8080
  - host: science.anoy.com
    http:
      paths:
      - backend:
          serviceName: blog-science
          servicePort: 8080

Visiting https://anoyi.anoy.com/, the browser shows "Not secure", because the certificate has not been validated by a third party.


How to fix this? Simply add tls.crt to the system's list of trusted certificates.
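Two details decide whether the TLS steps above actually work once the certificate is trusted: the certificate must list every host the Ingress serves in its subjectAltName (browsers no longer accept a bare CN), and the base64 values in the Secret must not be line-wrapped. The script below is an added example, not part of the original post; it regenerates the key and certificate for the two hosts non-interactively, writes the ingress-tls manifest (using type kubernetes.io/tls rather than the post's Opaque, which is my choice), and checks the pair before it is applied. It assumes openssl 1.1.1 or newer and a base64 tool on PATH.

```shell
# Added example, not from the original post: build the ingress-tls Secret for
# the two hosts in the Ingress above without interactive prompts, with a SAN
# covering both names (browsers ignore the CN alone), then check the pair before
# 'kubectl apply'. Assumes openssl >= 1.1.1 and GNU/BSD base64 on PATH.
set -euo pipefail
WORKDIR="$(mktemp -d)"
KEY="$WORKDIR/tls.key"; CRT="$WORKDIR/tls.crt"; MANIFEST="$WORKDIR/ingress-tls.yaml"
HOSTS="anoyi.anoy.com science.anoy.com"   # hosts from the Ingress rules

# Key plus self-signed cert; one cert serves both SNI hosts only if both are in the SAN.
gen_cert() {
  local san="" h
  for h in $HOSTS; do san="${san:+$san,}DNS:$h"; done
  openssl genrsa -out "$KEY" 2048 2>/dev/null
  openssl req -x509 -new -key "$KEY" -out "$CRT" -days 365 \
    -subj "/CN=${HOSTS%% *}" -addext "subjectAltName=$san" 2>/dev/null
}

# Secret data must be one unbroken base64 line; GNU base64 wraps at 76 columns
# by default and the wrapped value makes the manifest invalid.
b64_oneline() { base64 < "$1" | tr -d '\n'; }

# kubernetes.io/tls (instead of the post's Opaque) makes the API server insist
# on exactly the tls.crt and tls.key keys the Ingress controller reads.
write_secret() {
  cat > "$MANIFEST" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ingress-tls
type: kubernetes.io/tls
data:
  tls.key: $(b64_oneline "$KEY")
  tls.crt: $(b64_oneline "$CRT")
EOF
}

# Pre-flight: the cert belongs to this key, and every Ingress host is in its SAN.
cert_matches_key() {
  [ "$(openssl x509 -noout -modulus -in "$CRT")" = "$(openssl rsa -noout -modulus -in "$KEY")" ]
}
san_covers_hosts() {
  local text h
  text="$(openssl x509 -noout -text -in "$CRT")"
  for h in $HOSTS; do printf '%s\n' "$text" | grep -q "DNS:$h" || return 1; done
}

gen_cert && write_secret && cert_matches_key && san_covers_hosts &&
  echo "ingress-tls manifest written to $MANIFEST"
```

Apply the written manifest with kubectl as in the post; if san_covers_hosts fails, trusting tls.crt on the client will not remove the browser warning for the missing host.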
