Kubernetes Ingress: Controlling Inbound Access
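What Is Ingress
Ingress is the Kubernetes API object that manages external HTTP/HTTPS access to Services inside the cluster. It provides host-based routing, SSL termination, and name-based virtual hosting, and is a higher-level alternative to NodePort and LoadBalancer.
Installing an Ingress Controller
An Ingress resource does not handle traffic by itself; an Ingress Controller must be installed. A commonly used one is the Nginx Ingress Controller:
# Install with Helm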
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install ingress-nginx ingress-nginx/ingress-nginx
# Or install with kubectl
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/cloud/deploy.yaml
Check the Ingress Controller status:
kubectl get pods -n ingress-nginx
kubectl get svc -n ingress-nginx
Creating Ingress Resources
Basic Configuration
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx
  rules:
  - host: myapp.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app
            port:
              number: 80
Multiple Paths
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: multi-path-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: myapp.example.com
    http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 8080
      - path: /
        pathType: Prefix
        backend:
          service:
            name: frontend-service
            port:
              number: 80
Multiple Hosts
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: multi-host-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 8080
  - host: web.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80
Configuring HTTPS
Using a TLS Secret
# Create the TLS Secret
kubectl create secret tls my-tls-secret \
  --cert=tls.crt \
  --key=tls.key
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - myapp.example.com
    secretName: my-tls-secret
  rules:
  - host: myapp.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app
            port:
              number: 80
Forcing HTTPS Redirects
metadata:
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
Common Ingress Annotations
metadata:
  annotations:
    # Rewrite the path
    nginx.ingress.kubernetes.io/rewrite-target: /
    # Rate limiting
    nginx.ingress.kubernetes.io/limit-rps: "10"
    # Timeouts
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "60"
    # CORS
    nginx.ingress.kubernetes.io/enable-cors: "true"
    # Request body size limit
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
Managing Ingress
# List Ingress resources
kubectl get ingress
# Show Ingress details
kubectl describe ingress my-ingress
# Show the backend Endpoints
kubectl get endpoints my-app
# Delete an Ingress
kubectl delete ingress my-ingress
Troubleshooting Common Problems
# Check the Ingress Controller logs
kubectl logs -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx
# Check the Ingress configuration
kubectl get ingress my-ingress -o yaml
# Test host routing without DNS by sending the Host header to the controller
curl -H "Host: myapp.example.com" http://<Ingress Controller IP>
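An added example, not part of the original page: a Python audit over the output of kubectl get ingress -A -o json that flags rule hosts with no matching spec.tls entry, an explicit ssl-redirect of "false", and enable-cors set without cors-allow-origin (ingress-nginx then defaults the allowed origin to *). The sample JSON, the api-tls secret name, and the function names are constructed for illustration.

```python
import json

PREFIX = "nginx.ingress.kubernetes.io/"

# Constructed sample in the shape of `kubectl get ingress -A -o json` (not real cluster output).
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "tls-ingress", "namespace": "default",
                "annotations": {"nginx.ingress.kubernetes.io/ssl-redirect": "true"}},
   "spec": {"tls": [{"hosts": ["myapp.example.com"], "secretName": "my-tls-secret"}],
            "rules": [{"host": "myapp.example.com"}]}},
  {"metadata": {"name": "multi-host-ingress", "namespace": "default",
                "annotations": {"nginx.ingress.kubernetes.io/enable-cors": "true"}},
   "spec": {"tls": [{"hosts": ["api.example.com"], "secretName": "api-tls"}],
            "rules": [{"host": "api.example.com"}, {"host": "web.example.com"}]}}
]}
""")


def covers(tls_host, host):
    """True if a spec.tls host entry covers a rule host; '*.' matches exactly one label."""
    if tls_host.startswith("*."):
        return "." in host and host.split(".", 1)[1] == tls_host[2:]
    return tls_host == host


def audit(ingress_list):
    """Return sorted (namespace/name, finding) tuples for TLS and annotation gaps."""
    findings = []
    for ing in ingress_list.get("items", []):
        meta, spec = ing["metadata"], ing.get("spec", {})
        ref = f'{meta.get("namespace", "default")}/{meta["name"]}'
        ann = meta.get("annotations") or {}
        # Only tls entries that actually name a Secret count as coverage.
        tls_hosts = [h for t in spec.get("tls") or [] if t.get("secretName")
                     for h in t.get("hosts") or []]
        for rule in spec.get("rules") or []:
            host = rule.get("host", "")
            if host and not any(covers(t, host) for t in tls_hosts):
                findings.append((ref, f"host {host} has no TLS secret"))
        if ann.get(PREFIX + "ssl-redirect") == "false":
            findings.append((ref, "ssl-redirect disabled"))
        if ann.get(PREFIX + "enable-cors") == "true" and PREFIX + "cors-allow-origin" not in ann:
            findings.append((ref, "CORS enabled without cors-allow-origin (defaults to *)"))
    return sorted(findings)


if __name__ == "__main__":
    for ref, msg in audit(SAMPLE):
        print(f"{ref}: {msg}")
```

Against a live cluster, replace SAMPLE with json.load(sys.stdin) and pipe the kubectl output into the script.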
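Summary
Ingress is the recommended way to manage external access in Kubernetes, providing flexible host-based routing, SSL termination, and advanced traffic management. Combined with an Ingress Controller, it supports production-grade traffic management.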