Preface
Ingress is a Kubernetes resource object for managing HTTP and HTTPS routing from outside the cluster to Services inside it. It provides host- and path-based routing, SSL/TLS termination, load balancing and virtual-host support. An Ingress does nothing on its own: an Ingress controller has to be deployed to implement the routing, and different controllers can be chosen to suit different requirements. The microservice deployments at my company also use this component for their routing configuration, so this is a study note covering its basic use and how it works.
I. What is Ingress?
Ingress is a Kubernetes resource object that manages HTTP and HTTPS routing from outside the cluster to Services inside it. It gives a flexible way to define how external requests are routed to internal Services and is normally used to expose HTTP and HTTPS services; it is not a general-purpose TCP/UDP entry point.
Why use Ingress?
A Service of type NodePort or LoadBalancer can already expose a workload outside the cluster, but each such Service consumes its own node port or cloud load balancer. Ingress offers richer traffic management behind a single entry point, including:
- Host- and path-based routing: route traffic to different Services according to the request's host name and URL path.
- TLS/SSL termination: handle TLS at the Ingress layer, so the hop from the client to the Ingress is encrypted (the hop from the Ingress controller to the backend is plain HTTP unless configured otherwise).
- Load balancing: distribute traffic across multiple Services and their Pods.
- Virtual hosts: serve multiple domain names from the same IP address.
Ingress controllers
An Ingress resource does not move traffic by itself; it needs an Ingress controller to implement the routing. The controller is a component running in the cluster that watches Ingress resources and configures a load balancer or reverse proxy from their definitions. Common Ingress controllers include:
- NGINX Ingress Controller
- Traefik
- HAProxy
- Istio Ingress Gateway
This post uses the NGINX Ingress Controller (the Kubernetes community ingress-nginx project).
II. Usage steps
1. Install ingress-nginx with kubectl
The command below applies the upstream manifest straight from the main branch of the ingress-nginx repository. That is convenient for a local test cluster, but main is an unversioned moving target: for anything else, point the URL at a tagged release (the same path under a controller-vX.Y.Z ref) and review the manifest before applying it, since, as the output shows, it creates cluster-wide RBAC, a validating admission webhook and a new network entry point into the cluster.
➜ ~ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/cloud/deploy.yaml
namespace/ingress-nginx created
serviceaccount/ingress-nginx created
serviceaccount/ingress-nginx-admission created
role.rbac.authorization.k8s.io/ingress-nginx created
role.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrole.rbac.authorization.k8s.io/ingress-nginx created
clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission created
rolebinding.rbac.authorization.k8s.io/ingress-nginx created
rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
configmap/ingress-nginx-controller created
service/ingress-nginx-controller created
service/ingress-nginx-controller-admission created
deployment.apps/ingress-nginx-controller created
job.batch/ingress-nginx-admission-create created
job.batch/ingress-nginx-admission-patch created
ingressclass.networking.k8s.io/nginx created
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission created
2. Create the workload resources
- Create the manifests
- example-deployment.yaml
Defines a Deployment named example-deployment that creates and manages a set of nginx containers:
apiVersion: apps/v1            # API group/version; Deployments live in apps/v1
kind: Deployment               # resource type
metadata:
  name: example-deployment     # name of the Deployment
spec:
  replicas: 2                  # number of Pod replicas to keep running
  selector:
    matchLabels:
      app: example             # the Deployment manages Pods carrying app=example
  template:
    metadata:
      labels:
        app: example           # labels stamped on every Pod; must satisfy the selector above
    spec:
      containers:
      - name: nginx            # container name
        image: nginx:latest    # unpinned tag, acceptable for a demo; pin a version or digest for anything you need to reproduce
        ports:
        - containerPort: 80    # port the container listens on
Key point:
replicas: 2 tells the Deployment controller to create 2 Pods running the nginx container and keep them running. If one Pod fails, the controller recreates it so that the desired replica count is maintained.
- example-service.yaml
This Service selects every Pod labelled app=example (the 2 Pods created by example-deployment) and forwards requests to port 80 on those Pods. A Service is itself an in-cluster load balancer, spreading traffic across all matching Pods. Its type is left at the default, ClusterIP, so it is reachable only from inside the cluster; the Ingress controller is what exposes it externally.
apiVersion: v1               # core API group; Services live in v1
kind: Service                # resource type
metadata:
  name: example-service      # name the Ingress backend will reference
spec:
  selector:
    app: example             # selects Pods carrying app=example
  ports:
  - protocol: TCP            # protocol, TCP here
    port: 80                 # port exposed by the Service
    targetPort: 80           # container port the Service forwards to
- example-ingress.yaml
example-ingress.yaml defines an Ingress object that manages HTTP and HTTPS routing from outside the cluster to the Service above.
It forwards HTTP requests for host example.local and path / to port 80 of the Service named example-service. The Ingress controller programs its proxy from these rules and routes external traffic accordingly. Two things to be aware of in this manifest: it sets no spec.ingressClassName, and ingress-nginx only programs Ingress objects bound to its IngressClass (or class-less ones when that class is marked as default, which the install manifest above does not do), so for the controller to pick this Ingress up, add ingressClassName: nginx under spec (the IngressClass named nginx was created by the install manifest); and the rewrite-target annotation, explained in the comment, changes what the backend sees.
apiVersion: networking.k8s.io/v1   # Ingress lives in networking.k8s.io/v1
kind: Ingress                      # resource type
metadata:
  name: example-ingress            # name of the Ingress
  annotations:
    # ingress-nginx specific: rewrite the matched request URI before proxying. With no capture
    # group in the path, every matched URI is rewritten to "/", so the backend never sees the
    # original path. Drop the annotation when the backend should receive the path unchanged.
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: example.local            # host name this rule applies to
    http:
      paths:
      - path: /                    # path rule
        pathType: Prefix           # prefix match
        backend:
          service:
            name: example-service  # backend Service
            port:
              number: 80           # backend Service port
- Apply the manifests
➜ k8s-ingress-demo kubectl apply -f example-deployment.yaml
deployment.apps/example-deployment created
➜ k8s-ingress-demo kubectl apply -f example-service.yaml
service/example-service created
➜ k8s-ingress-demo kubectl apply -f example-ingress.yaml
ingress.networking.k8s.io/example-ingress created
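Before applying three manifests that only work when they agree with each other (Service selector against Pod labels, targetPort against containerPort, Ingress backend against Service name and port, and an IngressClass binding so a controller actually programs the Ingress), it is worth running a consistency check. The script below is an added example, not a kubectl feature and not part of the original post. The three manifests above are transcribed as Python dicts so it runs on the standard library alone; with PyYAML installed, yaml.safe_load() on the files yields the same structures and can be fed straight into check_manifests(). The pinned image tag used in fixed_manifests() is an illustrative assumption.

```python
"""Consistency checks across a Deployment, the Service in front of it and the Ingress
routing to that Service. Added example; the manifests are transcribed from the post."""
from __future__ import annotations

import copy

# Transcribed from example-deployment.yaml / example-service.yaml / example-ingress.yaml.
DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "example-deployment"},
    "spec": {
        "replicas": 2,
        "selector": {"matchLabels": {"app": "example"}},
        "template": {
            "metadata": {"labels": {"app": "example"}},
            "spec": {"containers": [
                {"name": "nginx", "image": "nginx:latest", "ports": [{"containerPort": 80}]},
            ]},
        },
    },
}
SERVICE = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "example-service"},
    "spec": {"selector": {"app": "example"},
             "ports": [{"protocol": "TCP", "port": 80, "targetPort": 80}]},
}
INGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "example-ingress",
                 "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/"}},
    "spec": {"rules": [{"host": "example.local", "http": {"paths": [
        {"path": "/", "pathType": "Prefix",
         "backend": {"service": {"name": "example-service", "port": {"number": 80}}}},
    ]}}]},
}


def _ns(manifest: dict) -> str:
    return manifest["metadata"].get("namespace", "default")


def check_manifests(deployment: dict, service: dict, ingress: dict) -> list[str]:
    """Return human-readable findings; an empty list means the three objects fit together."""
    findings: list[str] = []
    dep_name, svc_name, ing_name = (m["metadata"]["name"] for m in (deployment, service, ingress))
    pod_labels = deployment["spec"]["template"]["metadata"].get("labels", {})
    containers = deployment["spec"]["template"]["spec"]["containers"]

    # Ingress -> Service and Service -> Pod references never cross a namespace.
    if len({_ns(deployment), _ns(service), _ns(ingress)}) != 1:
        findings.append("objects span namespaces; an Ingress can only reference Services in its own namespace")

    # The Service selector must be satisfied by the Pod template labels, or Endpoints stay empty.
    selector = service["spec"].get("selector", {})
    if not selector or any(pod_labels.get(k) != v for k, v in selector.items()):
        findings.append(f"Service {svc_name} selector {selector} does not match Pod labels {pod_labels}")

    # Every numeric targetPort must be a containerPort some container declares.
    container_ports = {p["containerPort"] for c in containers for p in c.get("ports", [])}
    svc_ports = set()
    for p in service["spec"]["ports"]:
        svc_ports.add(p["port"])
        target = p.get("targetPort", p["port"])
        if isinstance(target, int) and target not in container_ports:
            findings.append(f"Service {svc_name} targetPort {target} is not a declared containerPort {sorted(container_ports)}")

    # Every Ingress backend must name this Service and one of the ports it exposes.
    for rule in ingress["spec"].get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            backend = path["backend"]["service"]
            if backend["name"] != svc_name:
                findings.append(f"Ingress {ing_name} path {path['path']} targets unknown Service {backend['name']}")
            elif backend["port"].get("number") not in svc_ports:
                findings.append(f"Ingress {ing_name} path {path['path']} targets port {backend['port']} not exposed by {svc_name}")

    # Without an IngressClass binding, ingress-nginx ignores the object (unless its class is
    # marked default, which the upstream install manifest does not do) and ADDRESS stays empty.
    if not ingress["spec"].get("ingressClassName"):
        findings.append(f"Ingress {ing_name} has no spec.ingressClassName; no controller will program it")

    # Unpinned image references make the rollout non-reproducible. Heuristic: no digest, and
    # the last path component has no tag or the tag is "latest".
    for c in containers:
        image = c["image"]
        if "@sha256:" not in image and (":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest")):
            findings.append(f"Deployment {dep_name} container {c['name']} uses unpinned image {image}")
    return findings


def fixed_manifests() -> tuple[dict, dict, dict]:
    """The same three objects with the two findings against the post's manifests resolved:
    class binding added and image pinned (the nginx version tag is an assumption)."""
    dep = copy.deepcopy(DEPLOYMENT)
    dep["spec"]["template"]["spec"]["containers"][0]["image"] = "nginx:1.27.0"
    ing = copy.deepcopy(INGRESS)
    ing["spec"]["ingressClassName"] = "nginx"
    return dep, SERVICE, ing


if __name__ == "__main__":
    for f in check_manifests(DEPLOYMENT, SERVICE, INGRESS):
        print("finding:", f)
    print("after fixes:", check_manifests(*fixed_manifests()) or "clean")
```

Run against the post's own manifests it reports exactly two findings, the missing ingressClassName and the unpinned nginx:latest image; the selector, port and backend checks are the ones that catch the silent failures where everything applies cleanly but the Service has no Endpoints or the Ingress points at a port nobody listens on.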
Update the local hosts mapping:
➜ k8s-ingress-demo sudo vim /etc/hosts
127.0.0.1 example.local
This works because Docker Desktop publishes LoadBalancer Services on localhost (the EXTERNAL-IP column in the Service listing further down shows this), so 127.0.0.1 reaches the ingress-nginx-controller Service; on another cluster, use that Service's EXTERNAL-IP instead.
Verify the Ingress setup:
Open http://example.local in a browser; the nginx welcome page should appear.
At this point, a demo
Check the status of the resources
Now let's look at what was started for example-deployment, example-service and example-ingress.
Check the Deployment
# list Deployments; two are present here, the new example-deployment and an older nginx-deployment
➜ k8s-ingress-demo k get deployments
NAME                 READY   UP-TO-DATE   AVAILABLE   AGE
example-deployment   2/2     2            2           29m
nginx-deployment     3/3     3            3           7d7h
# inspect example-deployment in detail
➜ k8s-ingress-demo kubectl describe deployment example-deployment
Name:                   example-deployment
Namespace:              default
CreationTimestamp:      Sat, 22 Jun 2024 16:33:52 +0800
Labels:                 <none>
Annotations:            deployment.kubernetes.io/revision: 1
Selector:               app=example
Replicas:               2 desired | 2 updated | 2 total | 2 available | 0 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  25% max unavailable, 25% max surge
Pod Template:
  Labels:  app=example
  Containers:
   nginx:
    Image:        nginx:latest
    Port:         80/TCP
    Host Port:    0/TCP
    Environment:  <none>
    Mounts:       <none>
  Volumes:        <none>
Conditions:
  Type           Status  Reason
  ----           ------  ------
  Available      True    MinimumReplicasAvailable
  Progressing    True    NewReplicaSetAvailable
OldReplicaSets:  <none>
NewReplicaSet:   example-deployment-6678c6f87f (2/2 replicas created)
Events:
  Type    Reason             Age   From                   Message
  ----    ------             ----  ----                   -------
  Normal  ScalingReplicaSet  32m   deployment-controller  Scaled up replica set example-deployment-6678c6f87f to 2
Check the Pods
# list the Pods selected by the label
➜ k8s-ingress-demo kubectl get pods -l app=example
NAME                                  READY   STATUS    RESTARTS   AGE
example-deployment-6678c6f87f-7vnfp   1/1     Running   0          34m
example-deployment-6678c6f87f-h5jsm   1/1     Running   0          34m
# inspect a single Pod
➜ k8s-ingress-demo kubectl describe pod example-deployment-6678c6f87f-7vnfp
Name:             example-deployment-6678c6f87f-7vnfp
Namespace:        default
Priority:         0
Service Account:  default
Node:             docker-desktop/192.168.65.3
Start Time:       Sat, 22 Jun 2024 16:33:53 +0800
Labels:           app=example
                  pod-template-hash=6678c6f87f
Annotations:      <none>
Status:           Running
IP:               10.1.0.131
IPs:
  IP:           10.1.0.131
Controlled By:  ReplicaSet/example-deployment-6678c6f87f
Containers:
  nginx:
    Container ID:   docker://e61df1f25e486f85176c4e84269090f768873084e03b9bc36f4dac70203b2637
    Image:          nginx:latest
    Image ID:       docker-pullable://nginx@sha256:9c367186df9a6b18c6735357b8eb7f407347e84aea09beb184961cb83543d46e
    Port:           80/TCP
    Host Port:      0/TCP
    State:          Running
      Started:      Sat, 22 Jun 2024 16:34:34 +0800
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-952jq (ro)
Conditions:
  Type                        Status
  PodReadyToStartContainers   True
  Initialized                 True
  Ready                       True
  ContainersReady             True
  PodScheduled                True
Volumes:
  kube-api-access-952jq:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  35m   default-scheduler  Successfully assigned default/example-deployment-6678c6f87f-7vnfp to docker-desktop
  Normal  Pulling    35m   kubelet            Pulling image "nginx:latest"
  Normal  Pulled     34m   kubelet            Successfully pulled image "nginx:latest" in 8.892s (41.029s including waiting)
  Normal  Created    34m   kubelet            Created container nginx
  Normal  Started    34m   kubelet            Started container nginx
Two details in this output matter for anything beyond a demo: the Pod runs under the default ServiceAccount with its API token automounted (the kube-api-access mount), which a plain nginx container has no use for (set automountServiceAccountToken: false on the Pod or the ServiceAccount), and QoS Class is BestEffort because no resource requests or limits were set, so these Pods are the first to be evicted under node pressure.
Check the Service
➜ k8s-ingress-demo kubectl get services
NAME              TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
example-service   ClusterIP      10.99.210.105   <none>        80/TCP         38m
kubernetes        ClusterIP      10.96.0.1       <none>        443/TCP        21d
nginx-service     LoadBalancer   10.110.142.82   localhost     80:30452/TCP   7d7h
Note the older nginx-service: a LoadBalancer Service published on localhost port 80, the same host port the ingress-nginx-controller LoadBalancer Service needs, so the welcome page seen at http://example.local may have been served by it directly rather than through the Ingress. Removing that leftover (done below) removes the ambiguity.
# show more detail
➜ k8s-ingress-demo kubectl describe service example-service
Name: example-service
Namespace: default
Labels: <none>
Annotations: <none>
Selector: app=example
Type: ClusterIP
IP Family Policy: SingleStack
IP Families: IPv4
IP: 10.99.210.105
IPs: 10.99.210.105
Port: <unset> 80/TCP
TargetPort: 80/TCP
Endpoints: 10.1.0.130:80,10.1.0.131:80
Session Affinity: None
Events: <none>
Check the Ingress
➜ k8s-ingress-demo kubectl get ingresses
NAME              CLASS    HOSTS           ADDRESS   PORTS   AGE
example-ingress   <none>   example.local             80      37m
➜ k8s-ingress-demo kubectl get ingress example-ingress
NAME              CLASS    HOSTS           ADDRESS   PORTS   AGE
example-ingress   <none>   example.local             80      38m
# show more detail about the Ingress
➜ k8s-ingress-demo kubectl describe ingress example-ingress
Name:             example-ingress
Labels:           <none>
Namespace:        default
Address:
Ingress Class:    <none>
Default backend:  <default>
Rules:
  Host           Path  Backends
  ----           ----  --------
  example.local
                 /   example-service:80 (10.1.0.130:80,10.1.0.131:80)
Annotations:     nginx.ingress.kubernetes.io/rewrite-target: /
Events:          <none>
Three things in this output deserve attention: CLASS is <none>, ADDRESS is still empty after 38 minutes, and there are no Events from a controller. Together they mean no Ingress controller has adopted the object. The manifest that produced this capture set no spec.ingressClassName, and ingress-nginx ignores class-less Ingress objects unless its IngressClass is marked as default, which the install manifest does not do. Adding spec.ingressClassName: nginx and re-applying makes the controller pick the Ingress up, after which ADDRESS shows the controller Service's external address (localhost on Docker Desktop) and Sync events appear here.
Clean up unneeded resources
➜ k8s-demo k get pods
NAME                                  READY   STATUS    RESTARTS      AGE
example-deployment-6678c6f87f-7vnfp   1/1     Running   0             52m
example-deployment-6678c6f87f-h5jsm   1/1     Running   0             52m
nginx-deployment-765d7cffb-5zv7k      1/1     Running   7 (4d17h ago)  7d7h
nginx-deployment-765d7cffb-dl6p4      1/1     Running   7 (4d17h ago)  7d7h
nginx-deployment-765d7cffb-nsckc      1/1     Running   7 (4d17h ago)  7d7h
Here you can see the nginx-deployment left over from my earlier test, still running 3 Pods and wasting resources. Let's look at its details.
➜ k8s-demo kubectl get deployment nginx-deployment -o yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{},"labels":{"app":"nginx"},"name":"nginx-deployment","namespace":"default"},"spec":{"replicas":3,"selector":{"matchLabels":{"app":"nginx"}},"template":{"metadata":{"labels":{"app":"nginx"}},"spec":{"containers":[{"image":"nginx:1.17.1","name":"nginx","ports":[{"containerPort":80}]}]}}}}
  creationTimestamp: "2024-06-15T01:36:46Z"
  generation: 1
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
  resourceVersion: "66130"
  uid: 988e5ed1-453b-4a62-97bf-25f879be893e
spec:
  progressDeadlineSeconds: 600
  replicas: 3
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: nginx
  .......
This is the full YAML definition. It is the Deployment created earlier to demonstrate Pods with 3 replicas; it is of no further use, so delete it.
➜ k8s-demo kubectl delete deployment nginx-deployment
deployment.apps "nginx-deployment" deleted
➜ k8s-demo kubectl get pods
NAME                                  READY   STATUS    RESTARTS   AGE
example-deployment-6678c6f87f-7vnfp   1/1     Running   0          57m
example-deployment-6678c6f87f-h5jsm   1/1     Running   0          57m
Deleted.
Since we just performed a delete, we can also look at the cluster's event history; as shown below, the three nginx-deployment Pods were killed (one Killing event each).
➜ k8s-demo kubectl get events --sort-by=.metadata.creationTimestamp
LAST SEEN TYPE REASON OBJECT MESSAGE
58m Normal Scheduled pod/example-deployment-6678c6f87f-7vnfp Successfully assigned default/example-deployment-6678c6f87f-7vnfp to docker-desktop
58m Normal Pulling pod/example-deployment-6678c6f87f-7vnfp Pulling image "nginx:latest"
58m Normal ScalingReplicaSet deployment/example-deployment Scaled up replica set example-deployment-6678c6f87f to 2
58m Normal SuccessfulCreate replicaset/example-deployment-6678c6f87f Created pod: example-deployment-6678c6f87f-7vnfp
58m Normal SuccessfulCreate replicaset/example-deployment-6678c6f87f Created pod: example-deployment-6678c6f87f-h5jsm
58m Normal Scheduled pod/example-deployment-6678c6f87f-h5jsm Successfully assigned default/example-deployment-6678c6f87f-h5jsm to docker-desktop
58m Normal Pulling pod/example-deployment-6678c6f87f-h5jsm Pulling image "nginx:latest"
57m Normal Pulled pod/example-deployment-6678c6f87f-h5jsm Successfully pulled image "nginx:latest" in 32.14s (32.141s including waiting)
57m Normal Created pod/example-deployment-6678c6f87f-h5jsm Created container nginx
57m Normal Started pod/example-deployment-6678c6f87f-h5jsm Started container nginx
57m Normal Started pod/example-deployment-6678c6f87f-7vnfp Started container nginx
57m Normal Created pod/example-deployment-6678c6f87f-7vnfp Created container nginx
57m Normal Pulled pod/example-deployment-6678c6f87f-7vnfp Successfully pulled image "nginx:latest" in 8.892s (41.029s including waiting)
56s Normal Killing pod/nginx-deployment-765d7cffb-5zv7k Stopping container nginx
56s Normal Killing pod/nginx-deployment-765d7cffb-dl6p4 Stopping container nginx
56s Normal Killing pod/nginx-deployment-765d7cffb-nsckc Stopping container nginx
III. How Ingress works
Ingress is a Kubernetes resource for managing HTTP and HTTPS routing from outside the cluster to Services inside it. Several components and steps are involved: the Ingress controller, load balancing, routing rules and so on. The following explains how it works in detail.
1. Define the Ingress resource
Create an Ingress resource that defines the rules for external access: host names, paths, target Services and so on.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: example.local
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80
In this example, the Ingress routes requests for path / under host example.local to port 80 of the Service named example-service.
2. Deploy an Ingress controller
An Ingress controller is a component running in the Kubernetes cluster that interprets and implements the rules in Ingress resources. Common controllers include NGINX, Traefik, HAProxy and Istio.
Example command to install the NGINX Ingress controller (as noted above, replace main with a release tag outside of a throwaway cluster):
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/cloud/deploy.yaml
3. What the Ingress controller does
3.1 Watch for Ingress changes
The controller watches the cluster's Ingress resources, together with the Services, Endpoints and Secrets they reference. Whenever an Ingress is created or updated, it regenerates its own configuration to match.
3.2 Configure the load balancer
From the rules in the Ingress resources, the controller configures its internal load balancer or proxy (NGINX, for ingress-nginx): server blocks for host names, location blocks for path rules, and upstreams for the backend Services.
3.3 Handle traffic
When the controller receives external traffic, it routes it according to the configured rules:
- Resolve the host: use the request's Host header (or the SNI name for TLS) to pick the matching Ingress rule; an exact host beats a wildcard host such as *.example.com, which matches exactly one additional DNS label.
- Match the path: among that host's paths, pick the best match. Exact beats Prefix, and among Prefix matches the longest wins; a Prefix match is element-wise on /-separated segments, so /foo matches /foo/bar but not /foobar.
- Forward the request: proxy it to the selected backend Service and port, or to the default backend when nothing matches.
4. TLS/SSL termination
An Ingress can terminate TLS: external traffic is encrypted up to the Ingress controller, which decrypts it and forwards plain HTTP to the backend Service. Example:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
spec:
  tls:
  - hosts:
    - example.local
    secretName: example-tls
  rules:
  - host: example.local
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80
Here example-tls is a Kubernetes Secret of type kubernetes.io/tls in the same namespace as the Ingress, holding the certificate under tls.crt and the private key under tls.key (for example created with kubectl create secret tls). The host names under tls.hosts must match the hosts in the rules: the controller selects the certificate by the TLS SNI name, and a host not listed in any tls entry is served with the controller's default self-signed certificate, which clients will reject. Anyone who can read Secrets in that namespace can read the private key, so scope RBAC on Secrets accordingly.
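The host and path selection described in 3.3 and the SNI-based certificate selection described in section 4 are easy to get wrong in the details (wildcard hosts, the element-wise Prefix rule, Exact-over-Prefix precedence). The resolver below is an added illustration, not ingress-nginx code: it applies the semantics the Ingress API defines to a constructed Ingress that extends the page's example.local rule with an API prefix, an exact health endpoint, a wildcard tenant host and the TLS entry from section 4. The extra Service names, the wildcard host and the Secret name are made up for the example; ImplementationSpecific paths are controller-defined and not modelled.

```python
"""Host/path routing and TLS certificate selection as an Ingress controller performs them.
Added example applying the Ingress API's matching rules; not the controller's own code."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HTTPPath:
    path: str
    path_type: str   # "Exact" or "Prefix"
    backend: str     # "service:port", what spec.rules[].http.paths[].backend resolves to


@dataclass
class Rule:
    host: Optional[str]          # None models a rule with no host, which matches any host
    paths: list[HTTPPath]


@dataclass
class TLSEntry:
    hosts: list[str]
    secret_name: str


@dataclass
class Ingress:
    rules: list[Rule]
    tls: list[TLSEntry] = field(default_factory=list)


def host_rank(rule_host: Optional[str], req_host: str) -> int:
    """0 = no match; 1 = host-less rule; 2 = wildcard match; 3 = exact match."""
    req_host = req_host.lower().rsplit(":", 1)[0]   # a Host header may carry a port
    if not rule_host:
        return 1
    rule_host = rule_host.lower()
    if rule_host == req_host:
        return 3
    if rule_host.startswith("*."):
        suffix = rule_host[1:]                          # "*.example.local" -> ".example.local"
        label = req_host[: -len(suffix)] if req_host.endswith(suffix) else ""
        if label and "." not in label:                  # the wildcard covers exactly one DNS label
            return 2
    return 0


def path_matches(rule: HTTPPath, req_path: str) -> bool:
    if rule.path_type == "Exact":
        return req_path == rule.path
    if rule.path_type == "Prefix":
        prefix = rule.path.rstrip("/") or "/"           # a trailing slash on the rule is ignored
        # element-wise: "/api" matches "/api" and "/api/x" but not "/apiary"
        return prefix == "/" or req_path == prefix or req_path.startswith(prefix + "/")
    raise ValueError(f"unsupported pathType {rule.path_type!r}")


def route(ingress: Ingress, req_host: str, req_path: str) -> Optional[str]:
    """Backend for a request, or None when it falls through to the default backend (404)."""
    best_key, best_backend = None, None
    for rule in ingress.rules:
        rank = host_rank(rule.host, req_host)
        if rank == 0:
            continue
        for p in rule.paths:
            if not path_matches(p, req_path):
                continue
            # Precedence: better host match, then Exact over Prefix, then the longest prefix.
            key = (rank, p.path_type == "Exact", len(p.path.rstrip("/") or "/"))
            if best_key is None or key > best_key:
                best_key, best_backend = key, p.backend
    return best_backend


def tls_secret_for(ingress: Ingress, sni_host: str) -> Optional[str]:
    """Secret whose certificate is presented for the TLS SNI name; None means the controller
    falls back to its default self-signed certificate."""
    for entry in ingress.tls:
        if any(host_rank(h, sni_host) >= 2 for h in entry.hosts):
            return entry.secret_name
    return None


# Constructed Ingress for the demonstration (hosts, extra Services and Secret name are made up).
DEMO = Ingress(
    rules=[
        Rule("example.local", [
            HTTPPath("/", "Prefix", "example-service:80"),
            HTTPPath("/api", "Prefix", "api-service:8080"),
            HTTPPath("/api/health", "Exact", "health-service:9090"),
        ]),
        Rule("*.example.local", [HTTPPath("/", "Prefix", "tenant-service:80")]),
    ],
    tls=[TLSEntry(["example.local"], "example-tls")],
)

if __name__ == "__main__":
    for host, path in [("example.local", "/"), ("example.local", "/api/users"),
                       ("example.local", "/apiary"), ("example.local", "/api/health"),
                       ("shop.example.local", "/x"), ("a.b.example.local", "/x")]:
        print(f"{host}{path:<12} -> {route(DEMO, host, path)}")
    print("SNI example.local ->", tls_secret_for(DEMO, "example.local"))
```

The two cases worth checking by hand are /apiary, which the /api Prefix does not capture because matching is per path element, and a.b.example.local, which the *.example.local wildcard does not cover because it spans two labels; both fall through to the broader rule or to the default backend rather than to the more specific Service.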
5. High availability and scaling
The Ingress controller itself normally runs as a Deployment, so it inherits the Deployment's availability and scaling properties. Increase its replica count to add capacity for large volumes of external requests.
6. Communication inside the cluster
When the controller forwards traffic to a backend, it uses the Kubernetes Service for service discovery: the Service's label selector identifies the matching Pods. ingress-nginx reads their addresses from the Service's Endpoints and proxies to the Pod IPs directly rather than through the ClusterIP, so it performs its own balancing across the Pods.
Summary
This post covered what Ingress is, a usage demo, and finally how it works, summarised in the six parts below.
How Ingress works involves the following key steps and components:
- Define the Ingress resource: the external access rules.
- Deploy an Ingress controller: install and configure a controller.
- The controller's work:
  - watch for Ingress changes;
  - configure the internal load balancer or proxy;
  - receive external traffic and route it to backend Services.
- TLS/SSL termination: handle encrypted traffic.
- High availability and scaling: provided by running the controller as a Deployment.
- Communication inside the cluster: service discovery and load balancing via Kubernetes Services.
Through these mechanisms, Ingress provides a flexible and efficient way to manage external access to Services in a Kubernetes cluster.