I. Three mainstream controllers
1. ingress controller
2. traefik is a reverse proxy and load balancer written in Go. Its biggest difference from nginx is that it updates its reverse-proxy and load-balancing configuration automatically. With microservice architectures becoming ever more popular, a single business application can easily have several databases, backend services and web apps, so a development team that has a "smart" reverse proxy gets its service configuration simplified.
https://jimmysong.io/kubernetes-handbook/practice/traefik-ingress-installation.html traefik-ingress
3. Istio: service governance and ingress traffic control
Provides a simple way to build a network for already-deployed services, with load balancing, service-to-service authentication, monitoring and so on, without requiring any changes to the services' code.
Overview of Istio's core features:
• Automatic load balancing for HTTP, gRPC, WebSocket and TCP traffic.
• Fine-grained control of traffic behaviour through rich routing rules, retries, failover and fault injection.
• A pluggable policy layer and configuration API supporting access control, rate limiting and quotas.
• Automatic metrics, logging and tracing for all traffic entering and leaving the cluster.
• Secure service-to-service communication inside the cluster through strong identity-based authentication and authorization.
II. Exposing a service through ingress
1. Deploy the ingress controller
Github: https://github.com/kubernetes/ingress-nginx
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/mandatory.yaml
The image is hosted abroad; it can be changed to A-Liang's mirror lizhenliang/nginx-ingress-controller:0.30.0
Above containers, add hostNetwork: true  # the pod uses the host's network namespace
After editing, run apply:
# kubectl apply -f mandatroy.yaml
namespace/ingress-nginx created
configmap/nginx-configuration created
configmap/tcp-services created
configmap/udp-services created
serviceaccount/nginx-ingress-serviceaccount created
clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole created
role.rbac.authorization.k8s.io/nginx-ingress-role created
rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding created
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding created
deployment.apps/nginx-ingress-controller created
limitrange/ingress-nginx created
# kubectl get pod -n ingress-nginx
NAME                                       READY   STATUS    RESTARTS   AGE
nginx-ingress-controller-766fb9f77-mb6zh   1/1     Running   0          64s
2. The node where the ingress controller runs automatically listens on host ports 443 and 80
# ss -antp |grep 80
LISTEN 0 128 *:80 *:* users:(("nginx",pid=35664,fd=31),("nginx",pid=35652,fd=31))
LISTEN 0 128 *:80 *:* users:(("nginx",pid=35663,fd=23),("nginx",pid=35652,fd=23))
TIME-WAIT 0 0 127.0.0.1:10246 127.0.0.1:48800
TIME-WAIT 0 0 127.0.0.1:10246 127.0.0.1:48802
TIME-WAIT 0 0 127.0.0.1:53080 127.0.0.1:9099
LISTEN 0 128 [::]:80 [::]:* users:(("nginx",pid=35663,fd=24),("nginx",pid=35652,fd=24))
LISTEN 0 128 [::]:80 [::]:* users:(("nginx",pid=35664,fd=32),("nginx",pid=35652,fd=32))
# ss -antp |grep 443
LISTEN 0 128 *:443 *:* users:(("nginx",pid=35664,fd=33),("nginx",pid=35652,fd=33))
LISTEN 0 128 *:443 *:* users:(("nginx",pid=35663,fd=25),("nginx",pid=35652,fd=25))
ESTAB 0 0 10.96.0.1:44200 10.96.0.1:443 users:(("nginx-ingress-c",pid=35589,fd=3))
ESTAB 0 0 192.168.40.134:59370 192.168.40.132:6443 users:(("kubelet",pid=700,fd=37))
ESTAB 0 0 10.96.0.1:36974 10.96.0.1:443 users:(("calico-node",pid=6021,fd=5))
ESTAB 0 0 192.168.40.134:59486 192.168.40.132:6443 users:(("kube-proxy",pid=5284,fd=11))
ESTAB 0 0 10.96.0.1:36966 10.96.0.1:443 users:(("calico-node",pid=6025,fd=5))
ESTAB 0 0 10.96.0.1:36968 10.96.0.1:443 users:(("calico-node",pid=6024,fd=5))
LISTEN 0 128 [::]:443 [::]:* users:(("nginx",pid=35663,fd=26),("nginx",pid=35652,fd=26))
LISTEN 0 128 [::]:443 [::]:* users:(("nginx",pid=35664,fd=34),("nginx",pid=35652,fd=34))
3. Prepare a java-demo application
# kubectl create deployment java-web1 --image=java-demo:v1
# kubectl scale deployment java-web1 --replicas=3
# kubectl expose deployment java-web1 --port=80 --target-port=8080 --type=NodePort
4. Publish the java-demo application over HTTP
Windows hosts file entry for name resolution:
192.168.40.134 foo1.bar.com  # IP of the node where the ingress controller runs
Create the ingress rule:
# cat ingress.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: simple-example
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: foo1.bar.com
    http:
      paths:
      - path: /
        backend:
          serviceName: java-web1
          servicePort: 80
      - path: /bar
        backend:
          serviceName: nginx-web
          servicePort: 80
5. View the nginx load-balancing rules generated in the ingress controller
# kubectl get pod -n ingress-nginx
NAME READY STATUS RESTARTS AGE
nginx-ingress-controller-766fb9f77-mb6zh 1/1 Running 0 75m
# kubectl exec -it nginx-ingress-controller-766fb9f77-mb6zh -n ingress-nginx
error: you must specify at least one command for the container
# kubectl exec -it nginx-ingress-controller-766fb9f77-mb6zh -n ingress-nginx bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
bash-5.0$ cat /etc/nginx/nginx.conf |grep -C 10 foo1.bar.com
deny all;
access_log off;
stub_status on;
}
}
## end server _
## start server foo1.bar.com
server {
server_name foo1.bar.com ;
listen 80 ;
listen [::]:80 ;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
set $proxy_upstream_name "-";
ssl_certificate_by_lua_block {
certificate.call()
--
proxy_next_upstream_timeout 0;
proxy_next_upstream_tries 3;
proxy_pass http://upstream_balancer;
proxy_redirect off;
}
}
## end server foo1.bar.com
# backend for when default-backend-service is not configured or it does not have endpoints
server {
listen 8181 default_server reuseport backlog=511;
listen [::]:8181 default_server reuseport backlog=511;
set $proxy_upstream_name "internal";
access_log off;
location / {
6. Access from the browser
http://foo1.bar.com/
http://foo1.bar.com/bar
Note: the site works fine when placed under /, but placed under /zjz-web it does not render; I haven't figured out why.
7. Publish over HTTPS
To be organized.
Summary
An ingress rule is equivalent to creating a name-based virtual host in nginx:
upstream web {
    server pod1;
    server pod2;
    server pod3;
}
server {
    listen 80;
    server_name foo.bar.com;
    location / {
        # cert, key
        proxy_pass http://web;
    }
}
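As an added example (not code from the original post), this Python script renders the upstream/server sketch above from the page's ingress.yaml and models the rewrite directive that the nginx.ingress.kubernetes.io/rewrite-target: / annotation produces, which shows what happens to requests under a sub-path such as /bar: the whole URI is replaced with /, so a page's own assets are no longer reachable by their paths. The pod endpoints, the tls secret name and the certificate path are constructed assumptions, and the real controller proxies through the Lua upstream_balancer seen in the nginx.conf above rather than static upstream blocks.

```python
import re

# Constructed from this page's ingress.yaml, flattened to the fields used here.
# The tls entry (HTTPS case) and its secret name are assumptions, not from the page.
INGRESS = {
    "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/"},
    "tls": {"foo1.bar.com": "foo1-bar-com-tls"},
    "rules": [{"host": "foo1.bar.com", "paths": [
        {"path": "/", "service": "java-web1"},
        {"path": "/bar", "service": "nginx-web"},
    ]}],
}
# Constructed sample pod endpoints behind each Service (the "server pod1; pod2; pod3").
ENDPOINTS = {"java-web1": ["10.244.1.10:8080", "10.244.1.11:8080", "10.244.2.12:8080"],
             "nginx-web": ["10.244.2.20:80"]}


def rewrite_line(path, target):
    """Simplified model of the rewrite directive ingress-nginx emits for rewrite-target."""
    return None if target in (None, path) else 'rewrite "(?i)%s" %s break;' % (path, target)


def rewritten_uri(path, target, uri):
    """Apply that directive as nginx does: when the regex matches, the WHOLE request
    URI becomes the replacement, so with target "/" every sub-path collapses to "/"."""
    m = re.search("(?i)" + path, uri)
    return m.expand(target.replace("$", "\\")) if m else uri  # nginx $1 -> Python \1


def render_nginx(ingress, endpoints):
    """Render the upstream/server sketch from the summary for one Ingress object."""
    target = ingress["annotations"].get("nginx.ingress.kubernetes.io/rewrite-target")
    lines = []
    for svc in sorted({p["service"] for r in ingress["rules"] for p in r["paths"]}):
        lines += ["upstream %s {" % svc] + ["    server %s;" % e for e in endpoints[svc]] + ["}"]
    for rule in ingress["rules"]:
        host = rule["host"]
        lines += ["server {", "    listen 80;", "    server_name %s;" % host]
        if host in ingress["tls"]:
            # The Ingress only names the secret; the controller mounts its tls.crt/tls.key.
            # The file path below is illustrative.
            lines += ["    listen 443 ssl;",
                      "    ssl_certificate /etc/nginx/ssl/%s.pem;" % ingress["tls"][host]]
        for p in rule["paths"]:
            lines.append("    location %s {" % p["path"])
            rw = rewrite_line(p["path"], target)
            if rw:
                lines.append("        " + rw)
            lines += ["        proxy_pass http://%s;" % p["service"], "    }"]
        lines.append("}")
    return "\n".join(lines)
```

Run `print(render_nginx(INGRESS, ENDPOINTS))` and `rewritten_uri("/bar", "/", "/bar/static/app.css")` to see the rendered config and the collapsed URI.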
User -> domain name -> load balancer (public IP) -> ingress controller (nginx doing the load balancing) -> pod
Certificates:
1. Self-signed certificates, for example with openssl or cfssl
2. Issued by a third-party trusted CA, usually for a fee
crt: the digital certificate, used by the client to verify the server and encrypt data
key: used by the server to decrypt
https://blog.csdn.net/jacksonary/article/details/94756633 to be studied