kkwen

kubernetes之ingress
kubernetes提供了两种內建的云端负载均衡机制,用于发布公共应用,一种是工作于传输层的Service资源,它...
扫描右侧二维码阅读全文
21
2019/03

kubernetes之ingress

kubernetes提供了两种內建的云端负载均衡机制,用于发布公共应用,一种是工作于传输层的Service资源,它实现的是TCP负载均衡器,另一种是Ingress资源,它实现的是HTTP(S)负载均衡器

HTTP(S)负载均衡器是应用层负载均衡机制的一种,支持根据环境做出更好的调度决策,与传输层调度器相比,它提供了诸如可自定义URL映射和TLS卸载等功能,并能够支持多种类型的后端服务器健康状态检查机制

Service模型

  • 工作模式:
    userspace
    iptables
    ipvs
  • 类型
ClusterIP: 用于集群内部访问
NodePort:(用于节点级访问)client -> NodeIP:NodePort -> ClusterIP:ServicePort -> PodIP:containerPort
LoadBalancer: 云环境提供的负载均衡器,可用于外部访问
ExternelName: 引入外部服务给集群内部访问
  • No ClusterIP: Headless Service
ServiceName -> PodIP  # 无头Service,没有Service IP,直接将请求转发给(Endpoints)=> 后端Pod

调度器代理HTTPS会话

  • 基本实现
用户访问外部调度器
调度器调度至集群Node
Node将请求转交至Service(NodePort)
Service将请求交给后端Pod(HTTPS 会话携带器)
会话携带器Pod将请求调度至后端真实Web Pod,完成HTTPS的会话

https实现方式一.png

  • 将Ingress Pod直接部署为共享宿主机网络
将会话携带器Pod直接共享宿主机的网络,
而后使用daemonSet将其部署在一部分节点之上,必须选取三节点做专门的七层调度

调度器共享宿主机网络.png

图示工作原理

  • Ingress基本原理
    Ingress流程.png

    • 需要在集群中部署

      Service(Ingress自己的名称空间中)
      Ingress Controller(Pod)(Ingress自己的名称空间中)
      Ingress 组件
      提供服务的Pod应用(例如tomcat应用)
      Service(为了关联Pod,归类,供Ingress使用)
      
  • Ingress调度原理
    Ingress控制器和Service.png

    • 后端Pod变化之后,由Service检测变动,将变化反应给Ingress
    • Ingress发现Service后端Pod变动时,将修改注入到Ingress Controller中
    • Ingress Controller通过URL或PATH去对应相应调度规则以及后端upstream

部署一个Ingress-nginx(Controller) Pod

  1. 官方github deploy 目录
    https://github.com/kubernetes/ingress-nginx/tree/master/deploy

官方ingress-nginx仓库.png

  1. 先创建名称空间
    可使用仓库中的namespace.yaml,也可自己手动创建,后续配置清单依赖于此名称空间
~]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/namespace.yaml
~]# kubectl apply -f namespace.yaml 
namespace/ingress-nginx created

若希望使用简单配置应用,可以应用mandatory.yaml配置清单,里面包含所有配置

  1. 下载其他配置清单
~]# for i in namespace.yaml configmap.yaml rbac.yaml with-rbac.yaml ; do wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/$i ; done

应用配置

~]# kubectl apply -f .
configmap/nginx-configuration created
configmap/tcp-services created
configmap/udp-services created
namespace/ingress-nginx unchanged
serviceaccount/nginx-ingress-serviceaccount created
clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole created
role.rbac.authorization.k8s.io/nginx-ingress-role created
rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding created
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding created
deployment.apps/nginx-ingress-controller created
  1. 创建后端提供web服务的Pod
apiVersion: v1
kind: Service
metadata:
     name: myapp
     namespace: default
spec:
     selector:
       app: myapp
       release: canary
     ports:
     - name: http
       targetPort: 80
       port: 80
 ---
apiVersion: apps/v1
kind: Deployment
metadata:
     name: myapp-deploy
     namespace: default
spec:
     replicas: 3
     selector:
       matchLabels:
         app: myapp
         release: canary
     template:
       metadata:
         labels:
           app: myapp
           release: canary
       spec:
         containers:
         - name: myapp
           image: ikubernetes/myapp:v2
           ports:
           - name: http
             containerPort: 80
]# kubectl apply -f deployment-myapp.yaml
  1. 若想将ingress-nginx部署为共享node网络,则将with-rbac.yaml中的kind修改为DaemonSet,将replicas字段去掉,在配置中加入hostNetwork
  2. 下载Service-nodeport
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/baremetal/service-nodeport.yaml

修改该配置,加入NodePort,以便在集群外部访问测试

~]# cat service-nodeport.yaml
apiVersion: v1
kind: Service
metadata:
     name: ingress-nginx
     namespace: ingress-nginx
     labels:
       app.kubernetes.io/name: ingress-nginx
       app.kubernetes.io/part-of: ingress-nginx
spec:
     type: NodePort
     ports:
       - name: http
         port: 80
         targetPort: 80
         protocol: TCP
         nodePort: 30080
       - name: https
         port: 443
         targetPort: 443
         protocol: TCP
         nodePort: 30443
     selector:
       app.kubernetes.io/name: ingress-nginx
       app.kubernetes.io/part-of: ingress-nginx

此时访问该service地址,出现404,因为后端pod没有关联

  1. 创建并应用ingress
[root@ _18_ ~]# cat k8s/ingress/pod/ingress-myapp.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  namespace: default
  annotations: 
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: myapp.maghedu.com
    http:
      paths:
      - path:
        backend:
          serviceName: myapp
          servicePort: 80
[root@ _18_ ~]# kubectl apply -f k8s/ingress/pod/ingress-myapp.yaml
  1. 使用域名访问
先绑定Host myapp.magedu.com => 节点IP
$ curl -s http://myapp.magedu.com:30080/
Hello MyApp | Version: v2 | <a href="hostname.html">Pod Name</a>
创建tomcat应用
  1. 创建Pod和Service
[root@ _47_ ~/k8s/ingress/pod]# cat tomcat-deploy.yaml 
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: default
spec:
  selector:
    app: tomcat
    release: canary
  ports:
  - name: http
    targetPort: 8080
    port: 8080
  - name: ajp
    targetPort: 8009
    port: 8009
 ---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: tomcat
      release: canary
  template:
    metadata:
      labels:
        app: tomcat
        release: canary
    spec:
      containers:
      - name: myapp
        image: tomcat:8.5.32-jre8-alpine
        ports:
        - name: http
          containerPort: 8080
        - name: ajp
          containerPort: 8009
应用
[root@ _47_ ~/k8s/ingress/pod]# kubectl apply -f tomcat-deploy.yaml
  1. 创建ingress
[root@ _48_ ~/k8s/ingress/pod]# cat ingress-tomcat.yaml 
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
     name: ingress-tomcat
     namespace: default
     annotations: 
       kubernetes.io/ingress.class: "nginx"
spec:
     rules:
     - host: tomcat.magedu.com
       http:
         paths:
         - path:
           backend:
             serviceName: tomcat
             servicePort: 8080
  1. 浏览器测试访问
先绑定Host tomcat.magedu.com => 节点IP
访问 http://tomcat.magedu.com:30080  看到tomcat默认页面
给tomcat配置https,使用secret
  • 生成自签CA
    openssl genrsa -out tls.key 2048
  • 签署
    openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/L=Beijing/O=Devops/CN=tomcat.magedu.com
  • 生成secret
    kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key
  • 查看secret
[root@ _55_ ~/k8s/ingress/pod]# kubectl get secret
NAME                    TYPE                                  DATA   AGE
default-token-l4sc9     kubernetes.io/service-account-token   3      70d
tomcat-ingress-secret   kubernetes.io/tls                     2      16s
[root@ _56_ ~/k8s/ingress/pod]# kubectl describe secret tomcat-ingress-secret
Name:         tomcat-ingress-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>
 -
Type:  kubernetes.io/tls
 -
Data
====
tls.crt:  1294 bytes
tls.key:  1675 bytes
  • 修改ingress,增加tls
[root@ _5_ ~/k8s/ingress/pod]# vim ingress-tomcat-tls.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
    name: ingress-tomcat-tls
    namespace: default
    annotations:
      kubernetes.io/ingress.class: "nginx"
spec:
    rules:
    - host: tomcat.magedu.com
      http:
        paths:
        - path:
          backend:
            serviceName: tomcat
            servicePort: 8080
    tls:
      - hosts:
        - tomcat.magedu.com
        secretName: ingress-tomcat-secret
  • 应用ingress
    kubectl apply -f ingress-tomcat-tls.yaml
  • 浏览器访问
    测试访问 http://tomcat.magedu.com:30443,能看到HTTPS会话标志,访问成功
最后修改:2019 年 03 月 21 日 09 : 26 AM
如果觉得我的文章对你有用,请随意赞赏

发表评论