【问题标题】:kubernetes ingress controller and resource using nginx(使用 nginx 的 kubernetes 入口控制器和资源)
【发布时间】:2017-04-30 16:12:24
【问题描述】:

谁能给我一个完整的例子,说明如何使用 nginx 运行不安全(没有 TLS)入口控制器和资源以远程访问在 kubernetes 集群中运行的服务?我没有找到有用的东西。

PS:我的 kubernetes 集群运行在裸机上,而不是云提供商上。以下是我所做工作的一些可能有用的信息:

$ kubectl get services

NAME                CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
attachmentservice   10.254.111.232   <none>        80/TCP     3d
financeservice      10.254.38.228    <none>        80/TCP     3d
gatewayservice      10.254.38.182    nodes         80/TCP     3d
hrservice           10.254.61.196    <none>        80/TCP     3d
kubernetes          10.254.0.1       <none>        443/TCP    31d
messageservice      10.254.149.125   <none>        80/TCP     3d
redis-service       10.254.201.241   <none>        6379/TCP   15d
settingservice      10.254.157.155   <none>        80/TCP     3d
trainingservice     10.254.166.92    <none>        80/TCP     3d

nginx-ingress-rc.yml

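# Runs a single replica of the NGINX ingress controller as a ReplicationController.
# NOTE(review): no serviceAccountName is set, so the pod runs under the namespace's
# default service account. The controller has to read Ingress/Service/Endpoints
# objects from the API server; prefer a dedicated service account with read-only
# RBAC for just those resources - confirm against the cluster's authorization mode.
apiVersion: v1
kind: ReplicationController
metadata:
  name: nginx-ingress-rc
  labels:
    app: nginx-ingress
spec:
  replicas: 1
  selector:
    app: nginx-ingress
  template:
    metadata:
      labels:
        app: nginx-ingress
    spec:
      containers:
      # The image is referenced by tag and pulled on every start (imagePullPolicy:
      # Always), so what runs can change if the tag is re-pushed. Pinning by digest
      # (nginxdemos/nginx-ingress@sha256:<DIGEST_PLACEHOLDER>) makes it reproducible.
      - image: nginxdemos/nginx-ingress:0.6.0
        imagePullPolicy: Always
        name: nginx-ingress
        ports:
        # Only the plain-HTTP port is declared. hostPort binds port 80 on the node
        # where the pod is scheduled, so the proxy is reachable from every network
        # that can reach that node; limit exposure with host/network firewalling.
        - containerPort: 80
          hostPort: 80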

services-ingress.yml

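# Routes HTTP requests for host "ctc-cicd2" to backend services by path prefix.
# extensions/v1beta1 Ingress was removed in Kubernetes 1.22; newer clusters need
# networking.k8s.io/v1, which uses a different backend schema.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: services-ingress
spec:
  # No `tls:` section is defined, so every path below is served over plain HTTP.
  # That includes /hr and /finance: credentials, session cookies and payloads for
  # these services cross the network unencrypted.
  rules:
  # `host` is matched against the HTTP Host header of the request (it becomes
  # nginx's server_name); requests sent with another Host do not match this rule.
  - host: ctc-cicd2
    http:
      paths:
      - path: /gateway
        backend:
          serviceName: gatewayservice
          servicePort: 80
      - path: /training
        backend:
          serviceName: trainingservice
          servicePort: 80
      - path: /attachment
        backend:
          serviceName: attachmentservice
          servicePort: 80
      - path: /hr
        backend:
          serviceName: hrservice
          servicePort: 80
      - path: /message
        backend:
          serviceName: messageservice
          servicePort: 80
      - path: /settings
        backend:
          serviceName: settingservice
          servicePort: 80
      - path: /finance
        backend:
          serviceName: financeservice
          servicePort: 80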

nginx.conf 新增内容

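# One upstream group per backend named in the Ingress rule for host ctc-cicd2.
# The member addresses differ from the ClusterIPs listed by `kubectl get services`;
# presumably they are the pod endpoints behind each service - verify against
# `kubectl get endpoints`.
# All members are plain HTTP: traffic between nginx and the pods is unencrypted.
upstream default-services-ingress-ctc-cicd2-trainingservice {
    server 12.16.64.5:8190;
    server 12.16.65.6:8190;
}

upstream default-services-ingress-ctc-cicd2-attachmentservice {
    server 12.16.64.2:8095;
}

upstream default-services-ingress-ctc-cicd2-hrservice {
    server 12.16.64.7:8077;
}

upstream default-services-ingress-ctc-cicd2-messageservice {
    server 12.16.64.9:8065;
}

upstream default-services-ingress-ctc-cicd2-settingservice {
    server 12.16.64.10:8098;
    server 12.16.65.4:8098;
}

upstream default-services-ingress-ctc-cicd2-financeservice {
    server 12.16.64.4:8092;
}

upstream default-services-ingress-ctc-cicd2-gatewayservice {
    server 12.16.64.6:8090;
    server 12.16.65.7:8090;
}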

# Virtual host generated for the Ingress rule with host "ctc-cicd2".
server {
    # Plain HTTP only: there is no TLS listener, so requests and responses
    # (including any credentials) are sent in cleartext to this node.
    listen 80;

    # Selected only when the request's Host header is "ctc-cicd2"; any other Host
    # is handled by whichever server block is the default for port 80.
    server_name ctc-cicd2;

    # Each location is a prefix match, so "/gateway" also matches "/gatewayX".
    # proxy_pass carries no URI part, so the original request path, prefix
    # included, is forwarded to the upstream unchanged.
    location /gateway {
        proxy_http_version 1.1;

        proxy_connect_timeout 60s;
        proxy_read_timeout 60s;
        # Request bodies above 1 MB are rejected with 413.
        client_max_body_size 1m;

        proxy_set_header Host $host;
        # X-Real-IP is overwritten with the address nginx saw for the connection.
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent; backends should trust only the last
        # entry, since everything before it is client-controlled.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_buffering on;

        proxy_pass http://default-services-ingress-ctc-cicd2-gatewayservice;
    }

    # The remaining locations repeat the same proxy settings per backend.
    location /training {
        proxy_http_version 1.1;

        proxy_connect_timeout 60s;
        proxy_read_timeout 60s;
        client_max_body_size 1m;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_buffering on;

        proxy_pass http://default-services-ingress-ctc-cicd2-trainingservice;
    }

    location /attachment {
        proxy_http_version 1.1;

        proxy_connect_timeout 60s;
        proxy_read_timeout 60s;
        client_max_body_size 1m;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_buffering on;

        proxy_pass http://default-services-ingress-ctc-cicd2-attachmentservice;
    }

    location /hr {
        proxy_http_version 1.1;

        proxy_connect_timeout 60s;
        proxy_read_timeout 60s;
        client_max_body_size 1m;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_buffering on;

        proxy_pass http://default-services-ingress-ctc-cicd2-hrservice;
    }

    location /message {
        proxy_http_version 1.1;

        proxy_connect_timeout 60s;
        proxy_read_timeout 60s;
        client_max_body_size 1m;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_buffering on;

        proxy_pass http://default-services-ingress-ctc-cicd2-messageservice;
    }

    location /settings {
        proxy_http_version 1.1;

        proxy_connect_timeout 60s;
        proxy_read_timeout 60s;
        client_max_body_size 1m;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_buffering on;

        proxy_pass http://default-services-ingress-ctc-cicd2-settingservice;
    }

    location /finance {
        proxy_http_version 1.1;

        proxy_connect_timeout 60s;
        proxy_read_timeout 60s;
        client_max_body_size 1m;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_buffering on;

        proxy_pass http://default-services-ingress-ctc-cicd2-financeservice;
    }
}

【问题讨论】:

    标签: nginx kubernetes


    【解决方案1】:

    根据the Kubernetes ingress documentation,Ingress 是允许入站连接到达集群服务的规则集合。当然,这需要您在集群中部署一个入口控制器。虽然有很多方法可以实现入口控制器,但可以在here 找到一种可以帮助您理解该概念的简单方法。这个是用golang写的,基本上是监听kubeapi获取新的入口资源。当它获得一个新的传入入口资源时,它将根据该配置重新创建一个新的 nginx conf,并重新加载构成入口控制器的 nginx 容器:

    const (
        // nginxConf is the Go template from which the controller renders the
        // complete nginx configuration. It iterates over every Ingress in .Items
        // and every rule in its spec, emitting one `server` block per rule
        // (listening on port 80, plain HTTP) and one `location` per path. Each
        // location proxies to the cluster DNS name built from the backend's
        // service name, the Ingress namespace and the service port.
        //
        // NOTE(review): {{$rule.Host}} and {{$path.Path}} are written into
        // `server_name` and `location` exactly as they appear in the Ingress
        // object; the template itself applies no escaping or validation. If this
        // is rendered with text/template (which does not escape), anyone allowed
        // to create or edit Ingress objects can influence the generated nginx
        // configuration. Confirm the caller validates these fields (hostname and
        // path syntax; no whitespace, braces or semicolons) before rendering, and
        // restrict Ingress write access via RBAC.
        nginxConf = `
    events {
      worker_connections 1024;
    }
    http {
      # http://nginx.org/en/docs/http/ngx_http_core_module.html
      types_hash_max_size 2048;
      server_names_hash_max_size 512;
      server_names_hash_bucket_size 64;
    {{range $ing := .Items}}
    {{range $rule := $ing.Spec.Rules}}
      server {
        listen 80;
        server_name {{$rule.Host}};
    {{ range $path := $rule.HTTP.Paths }}
        location {{$path.Path}} {
          proxy_set_header Host $host;
          proxy_pass http://{{$path.Backend.ServiceName}}.{{$ing.Namespace}}.svc.cluster.local:{{$path.Backend.ServicePort}};
        }{{end}}
      }{{end}}{{end}}
    }`
    )
    

    这允许在您的集群中使用一个单一入口点,将流量代理到您的 Kubernetes 集群内的所有服务。

    假设您在命名空间bar 中有一个名为foo 的服务。 Kube-DNS 允许我们通过 DNS 地址foo.bar.svc.cluster.local 从 kubernetes 集群内部访问该服务。这基本上就是 Ingress 为我们所做的。我们指定一个路径,用于访问服务,然后入口控制器将该路径代理到集群中的服务 foo

    【讨论】:

    • 感谢您的快速回复,您所说的一切我都很清楚。我对帖子做了一些修改。你能找出做错了什么吗?另一件事,入口 yml 文件中的“主机”标签是什么意思?
    • 请参阅 this 以了解有关 host 指令的更多信息。另外,你遇到错误了吗?你的问题到底是什么。
    • 运行上述 yml 文件后,我无法从外部(例如使用 curl)访问我的服务,命令如下: curl ctc-cicd2/gateway 注意,这里的“ctc-cicd2”是 nginx-controller 以 pod 形式运行所在服务器的域名。