Ingress實現虛擬主機
虛擬主機,也叫“網站空間”,就是把一臺運行在互聯網上的物理服務器劃分成多個“虛擬”服務器。虛擬主機技術極大的促進了網絡技術的應用和普及。同時虛擬主機的租用服務也成了網絡時代的一種新型經濟形式。在 Kubernetes 裏 Ingress 實現的是基於名稱的虛擬主機(name-based virtual hosting):多個域名共用 ingress-nginx-controller 的同一個入口 IP 和端口,controller 根據 HTTP 請求頭中的 Host 把請求轉發到不同的 Service。
1、首先確定要運行Ingress-nginx-controller服務
[root@master ~]# kubectl get pod -n ingress-nginx
NAME READY STATUS RESTARTS AGE
nginx-ingress-controller-5954d475b6-ktpf9 1/1 Running 1 43h
2、確認 Ingress-nginx-controller 已經通過一個 NodePort 類型的 Service 暴露出來(下面可以看到 80 和 443 分別映射到節點的 32007 和 30741 端口,後面訪問時要帶上這兩個端口)
[root@master ~]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.100.97.246 <none> 80:32007/TCP,443:30741/TCP 43h
3、創建一個Deployment資源和一個Service資源,並相互關聯
[root@master ~]# vim deploy1.yaml
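# deploy1.yaml — two nginx replicas behind a ClusterIP Service.
# apps/v1 replaces extensions/v1beta1 (removed in Kubernetes 1.16, although the
# cluster in the transcript still accepted it); apps/v1 requires an explicit
# spec.selector that matches the pod template labels.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy1
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx1
  template:
    metadata:
      labels:
        app: nginx1
    spec:
      containers:
      - name: nginx1
        # NOTE(review): an untagged image resolves to ":latest", so every pull
        # may fetch a different build; pin a tag or @sha256 digest outside a lab.
        image: nginx
---
# svc-1 selects the pods labelled app=nginx1. It stays ClusterIP (not reachable
# from outside the cluster): the Ingress controller is the only entry point.
apiVersion: v1
kind: Service
metadata:
  name: svc-1
spec:
  selector:
    app: nginx1
  ports:
  - port: 80
    targetPort: 80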
[root@master ~]# kubectl apply -f deploy1.yaml
deployment.extensions/deploy1 created
service/svc-1 created
[root@master ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
deploy1-7df6778547-v6ww9 1/1 Running 0 2m33s
deploy1-7df6778547-vkvwf 1/1 Running 0 2m33s
[root@master ~]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 52d
svc-1 ClusterIP 10.109.213.247 <none> 80/TCP 3m17s
4、創建另外“一對”服務(deploy2.yaml,其中包含 Deployment deploy2 和 Service svc-2)
[root@master ~]# vim deploy2.yaml
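# deploy2.yaml — second backend, identical to deploy1 except for its labels.
# apps/v1 replaces extensions/v1beta1 (removed in Kubernetes 1.16, although the
# cluster in the transcript still accepted it); apps/v1 requires an explicit
# spec.selector that matches the pod template labels.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy2
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx2
  template:
    metadata:
      labels:
        app: nginx2
    spec:
      containers:
      - name: nginx2
        # Same nginx image as deploy1 on purpose: the demo is about routing by
        # Host header, not about serving different content.
        # NOTE(review): an untagged image resolves to ":latest"; pin a tag or
        # @sha256 digest outside a lab.
        image: nginx
---
# svc-2 selects the pods labelled app=nginx2 and is the backend for www2.bdqn.com.
apiVersion: v1
kind: Service
metadata:
  name: svc-2
spec:
  selector:
    app: nginx2
  ports:
  - port: 80
    targetPort: 80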
[root@master ~]# kubectl apply -f deploy2.yaml
deployment.extensions/deploy2 created
service/svc-2 created
[root@master ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
deploy2-7b6786d8bf-6xnjs 1/1 Running 0 19s
deploy2-7b6786d8bf-dvjqt 1/1 Running 0 19s
[root@master ~]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 52d
svc-2 ClusterIP 10.106.67.155 <none> 80/TCP 24s
5、創建 Ingress 規則(一個域名對應一個後端 Service)
[root@master ~]# vim ingress.yaml
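# ingress.yaml — name-based virtual hosting: the controller picks the backend
# from the HTTP Host header, so requests sent to the bare node IP match neither
# rule. networking.k8s.io/v1 replaces extensions/v1beta1 (removed in Kubernetes
# 1.22; the transcript's "ingress.extensions/..." output reflects the older
# API). pathType is mandatory in v1.
# NOTE(review): ingress-nginx >= 1.0 only reconciles Ingresses that carry
# spec.ingressClassName (e.g. "nginx") unless the controller is started with
# --watch-ingress-without-class; the older controller in the transcript did not
# need it. Both rules are plain HTTP — see the TLS example below for HTTPS.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-1
spec:
  rules:
  - host: www1.bdqn.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: svc-1
            port:
              number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-2
spec:
  rules:
  - host: www2.bdqn.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: svc-2
            port:
              number: 80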
[root@master ~]# kubectl apply -f ingress.yaml
ingress.extensions/ingress-1 created
ingress.extensions/ingress-2 created
[root@master ~]# kubectl describe ingresses. ingress-1
Rules:
Host Path Backends
---- ---- --------
www1.bdqn.com
/ svc-1:80 (10.244.1.4:80,10.244.2.4:80)
[root@master ~]# kubectl describe ingresses. ingress-2
Rules:
Host Path Backends
---- ---- --------
www2.bdqn.com
/ svc-2:80 (10.244.1.5:80,10.244.2.5:80)
[root@master ~]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.100.97.246 <none> 80:32007/TCP,443:30741/TCP 43h
6、由於實驗環境限制(這個域名是假的),所以用本機的 hosts 文件模擬域名解析
在 Windows 上編輯(需要管理員權限)C:\Windows\System32\drivers\etc\hosts(Linux/macOS 則是 /etc/hosts),把兩個域名都指向某個羣集節點的 IP(這裏是 192.168.1.70):
192.168.1.70 www1.bdqn.com
192.168.1.70 www2.bdqn.com
然後通過 ingress-nginx 的 NodePort 訪問:http://www1.bdqn.com:32007 和 http://www2.bdqn.com:32007。ingress-nginx-controller 是依據請求的 Host 頭來選擇後端的,所以直接用 IP 訪問不會命中這兩條規則。
Ingress資源實現https代理訪問
在上面的操作中,實現了使用 ingress-nginx 爲後端所有 pod 提供一個統一的入口,那麼,有一個非常嚴肅的問題需要考慮,就是如何配置 TLS 證書和私鑰來實現 HTTPS 訪問?直接在每個 pod 裏配置證書麼?那需要進行多少重複性的操作?而且,pod 是隨時可能被 kubelet 殺死再創建的。當然這些問題有很多解決方法,比如直接把證書打進鏡像,但這樣不僅每個服務都要單獨維護一份證書,私鑰也會隨鏡像一起被分發出去。
這裏有更簡便的一種方法,就拿上面的情況來說,後端有多個pod,pod與service進行關聯,service又被ingress規則發現並動態寫入到ingress-nginx-controller容器中,然後又爲ingress-nginx-controller創建了一個Service映射到羣集節點上的端口,來供client來訪問。
在上面的一系列流程中,關鍵的點就在於 Ingress 規則:只需要在 Ingress 的 yaml 文件中爲域名引用保存證書的 Secret,TLS 就在 ingress-nginx-controller 處終止(TLS termination),只要能通過 HTTPS 訪問到域名即可。至於這個域名怎麼關聯到後端提供服務的 pod,屬於 k8s 羣集內部的通信,controller 到 pod 之間仍然是明文 HTTP。實驗環境這樣無傷大雅;生產環境若要求端到端加密,可以讓後端自己提供 HTTPS 並加上 nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" 註解,或者用服務網格做 mTLS。
1、生成一個自簽名的 TLS 服務器證書和私鑰(注意:這是服務器證書,不是 CA 證書;證書的名稱必須和後面要訪問的域名 www3.bdqn.com 一致):
[root@master ~]# mkdir https
[root@master ~]# cd https
[root@master https]# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=www3.bdqn.com/O=testsvc"
Generating a 2048 bit RSA private key
......................................................................................+++
............+++
writing new private key to 'tls.key'
-----
註:原命令的 -subj 寫成了 "/CN=testsvc /0=testsvc"(多了一個空格,且 O 被寫成了數字 0),所以 openssl 會輸出 "Subject Attribute 0 has no known NID, skipped";而且 CN=testsvc 與要訪問的域名 www3.bdqn.com 不一致,瀏覽器會報證書名稱不匹配。現代瀏覽器校驗的是 SAN 而不是 CN,OpenSSL 1.1.1 及以上可以再加 -addext "subjectAltName=DNS:www3.bdqn.com"。-nodes 表示私鑰不加密存放在磁盤上,建議 chmod 600 tls.key,導入 Secret 之後刪除本地副本。
[root@master https]# ls
tls.crt tls.key
2、創建 kubernetes.io/tls 類型的 Secret 資源保存證書和私鑰(Secret 必須和引用它的 Ingress 在同一個 namespace,這裏都是 default)。注意 Secret 裏的數據只是 base64 編碼並不是加密,任何能 get/list 該 namespace 下 secrets 的賬號都能拿到私鑰,生產環境要收緊 RBAC 並開啓 etcd 靜態加密:
[root@master https]# kubectl create secret tls tls-secret --key=tls.key --cert tls.crt
secret/tls-secret created
3、創建一個Deployment資源對象,用來模擬web服務
[root@master https]# vim deploy3.yaml
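# deploy3.yaml — plain-HTTP nginx backend that the TLS Ingress below fronts.
# apps/v1 replaces extensions/v1beta1 (removed in Kubernetes 1.16, although the
# cluster in the transcript still accepted it); apps/v1 requires an explicit
# spec.selector that matches the pod template labels.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy3
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx3
  template:
    metadata:
      labels:
        app: nginx3
    spec:
      containers:
      - name: nginx3
        # NOTE(review): an untagged image resolves to ":latest"; pin a tag or
        # @sha256 digest outside a lab.
        image: nginx
---
# svc-3 selects the pods labelled app=nginx3. The pods only speak HTTP on port
# 80; TLS is terminated at the ingress controller, not here.
apiVersion: v1
kind: Service
metadata:
  name: svc-3
spec:
  selector:
    app: nginx3
  ports:
  - port: 80
    targetPort: 80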
[root@master https]# kubectl apply -f deploy3.yaml
deployment.extensions/deploy3 created
service/svc-3 created
[root@master https]# kubectl get pod
NAME READY STATUS RESTARTS AGE
deploy3-5c545fcc5f-4n9bw 1/1 Running 0 17s
deploy3-5c545fcc5f-7b4g2 1/1 Running 0 17s
[root@master https]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 52d
svc-3 ClusterIP 10.97.212.56 <none> 80/TCP 22m
[root@master https]# curl -I 10.97.212.56
HTTP/1.1 200 OK
4、創建對應的Ingress規則
[root@master https]# vim ingress.yaml
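# ingress.yaml — same Host-based rule as before, plus TLS termination at the
# ingress controller. The tls entry references the kubernetes.io/tls Secret
# (tls-secret, same namespace as this Ingress) that holds the server
# certificate and private key; the certificate must be valid for every host
# listed, otherwise clients get a name-mismatch error. Traffic from the
# controller to svc-3 stays plain HTTP inside the cluster.
# networking.k8s.io/v1 replaces extensions/v1beta1 (removed in Kubernetes 1.22;
# the transcript's "ingress.extensions/..." output reflects the older API).
# NOTE(review): ingress-nginx >= 1.0 only reconciles Ingresses that carry
# spec.ingressClassName (e.g. "nginx") unless started with
# --watch-ingress-without-class. ingress-nginx redirects HTTP to HTTPS for
# hosts that have a tls entry by default; the
# nginx.ingress.kubernetes.io/ssl-redirect annotation controls this.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-3
spec:
  tls:
  - hosts:
    - www3.bdqn.com
    secretName: tls-secret
  rules:
  - host: www3.bdqn.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: svc-3
            port:
              number: 80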
[root@master https]# kubectl apply -f ingress.yaml
ingress.extensions/ingress-3 created
//同樣,添加域名解析
192.168.1.70 www3.bdqn.com
5、查找對應service-NodePort的443端口映射的端口,直接用瀏覽器訪問即可
[root@master https]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.100.97.246 <none> 80:32007/TCP,443:30741/TCP 44h
通過瀏覽器訪問:https://www3.bdqn.com:30741 。因爲證書是自簽名的,瀏覽器會提示證書不受信任,實驗環境手動放行即可;生產環境應使用受信任 CA 簽發的證書(例如用 cert-manager 自動申請 Let's Encrypt 證書),不要養成點擊“繼續訪問”的習慣。