https://kubernetes.github.io/ingress-nginx/
Install
https://kubernetes.github.io/ingress-nginx/deploy/
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm search repo ingress-nginx
# helm pull ingress-nginx/ingress-nginx
helm pull ingress-nginx/ingress-nginx --version 4.10.3
tar xf ingress-nginx-4.10.3.tgz
cd ingress-nginx
# Edit values.yaml as follows (line numbers refer to chart 4.10.3)
vim values.yaml
# line 94: false -> true (the controller binds 80/443 directly in the node's network namespace)
hostNetwork: true
# line 73: ClusterFirst -> ClusterFirstWithHostNet (a hostNetwork pod only resolves cluster DNS with this policy)
dnsPolicy: ClusterFirstWithHostNet
# line 204: Deployment -> DaemonSet (one controller pod per selected node)
kind: DaemonSet
# line 466: LoadBalancer -> ClusterIP (no cloud load balancer here; clients reach the node addresses directly)
type: ClusterIP
# To pin the controllers to the master nodes, set a node label and a toleration
# lines 307, 804, 1000: there are 3 nodeSelector blocks to change
nodeSelector:
  kubernetes.io/os: linux
  isIngress: "true"
Label the nodes
kubectl label node k8s-master01 isIngress=true
kubectl label node k8s-master02 isIngress=true
kubectl label node k8s-master03 isIngress=true
Toleration
[root@harbor ingress-nginx]# kubectl describe nodes k8s-master01 | grep Taints
Taints:             node-role.kubernetes.io/master:NoSchedule
# lines 229, 806, 982: note there are several tolerations blocks; add it to all of them
tolerations:
- key: ""            # note: empty string; with operator Exists this tolerates every NoSchedule taint (master and control-plane alike)
  operator: "Exists"
  effect: "NoSchedule"
Change the image registry (in every image block of values.yaml: controller, admission-webhook patch job, default backend)
registry: registry.k8s.io
to
registry.aliyuncs.com/google_containers
# The chart also pins each image by digest; if the mirror does not serve an identical manifest, blank the digest fields too.
Install
helm install ingress-nginx -n ingress-nginx --create-namespace .
The command appears to hang: helm waits for the chart's hook jobs (the admission-webhook certificate generation jobs) to finish before it returns.
While it is waiting, check the pod status, e.g. for images that cannot be pulled:
[root@harbor ingress-nginx]# kubectl get pod -n ingress-nginx
NAME                             READY   STATUS    RESTARTS   AGE
ingress-nginx-controller-n7l8m   1/1     Running   0          1m17s
ingress-nginx-controller-nrk4q   1/1     Running   0          1m17s
ingress-nginx-controller-t47ph   1/1     Running   0          1m17s
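The same values.yaml edits expressed as a Helm override file rather than in-place edits of the unpacked chart, as an added example (not part of the notes above and not code from the ingress-nginx project). The override file can be kept in version control and survives the next `helm pull`, whereas edits inside the tarball are lost. The keys are those of chart 4.10.x (controller.hostNetwork, controller.dnsPolicy, controller.kind, controller.service.type, controller.nodeSelector, controller.tolerations, controller.image, controller.admissionWebhooks.patch.image, controller.extraArgs); the mirror registry, the blanked digests and the `ss` check on the node are assumptions carried over from the notes.

```shell
#!/usr/bin/env bash
# Added example: ingress-nginx chart 4.10.x override values for a hostNetwork
# DaemonSet pinned to the labelled master nodes, plus install and post-install checks.
set -eu

# Write the override values to the file given as $1.
write_override_values() {
  cat > "$1" <<'EOF'
controller:
  # Bind 80/443 in the node's network namespace. nginx then sees the real client
  # address, which is what whitelist-source-range / block-cidrs are evaluated on.
  hostNetwork: true
  dnsPolicy: ClusterFirstWithHostNet
  # One controller pod per selected node instead of a Deployment.
  kind: DaemonSet
  # Nothing for a LoadBalancer to forward to; clients reach the node addresses.
  service:
    type: ClusterIP
  # Pin the controllers to the labelled master nodes and tolerate their taint.
  nodeSelector:
    kubernetes.io/os: linux
    isIngress: "true"
  tolerations:
    - key: ""            # empty key + Exists: tolerates any NoSchedule taint
      operator: Exists
      effect: NoSchedule
  image:
    registry: registry.aliyuncs.com/google_containers   # mirror used in the notes
    digest: ""          # assumption: the mirror's manifest digest may differ from upstream
  admissionWebhooks:
    patch:
      image:
        registry: registry.aliyuncs.com/google_containers
        digest: ""
  # Only needed if the ssl-passthrough annotation is used; renders as --enable-ssl-passthrough.
  extraArgs:
    enable-ssl-passthrough: ""
EOF
}

# Install or upgrade the release from the unpacked chart directory with the override.
install_ingress_nginx() {
  helm upgrade --install ingress-nginx . \
    --namespace ingress-nginx --create-namespace \
    --values values-override.yaml
}

# Post-install checks: all controller pods Running, and 80/443 bound on the host.
verify_ingress_nginx() {
  kubectl -n ingress-nginx rollout status daemonset/ingress-nginx-controller --timeout=180s
  kubectl -n ingress-nginx get pods -o wide
  # Run this part on one of the labelled master nodes (assumes ss is installed there).
  ss -lntp | grep -E ':(80|443) ' || echo "controller is not listening on host ports 80/443"
}

write_override_values values-override.yaml
# Cluster-facing steps only run when explicitly requested.
if [ "${RUN_INSTALL:-0}" = 1 ]; then
  install_ingress_nginx
  verify_ingress_nginx
fi
```

Run `RUN_INSTALL=1 ./install.sh` from the unpacked chart directory. Keep in mind that a hostNetwork pod shares the node's network stack with everything else on a master, including the API server; the chart runs nginx as an unprivileged user with only NET_BIND_SERVICE, so do not loosen that in the override.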
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/
HTTP proxy
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-demo
  namespace: default
spec:
  ingressClassName: nginx
  rules:
  - host: demo.sundayhk.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-demo
            port:
              number: 80
Annotations apply per Ingress and take effect as soon as the Ingress object is updated; ConfigMap settings are global and are usually changed by hand (kubectl edit on the controller's ConfigMap).
Redirect
nginx.ingress.kubernetes.io/permanent-redirect: https://www.baidu.com
nginx.ingress.kubernetes.io/permanent-redirect-code: '308' # optional (default 301); the Rancher UI does not need the quotes
Rewrite
https://kubernetes.github.io/ingress-nginx/examples/rewrite/
SSL
# Self-signed certificate for testing. -nodes leaves the private key unencrypted, which is
# what kubectl create secret tls expects. Browsers ignore the CN and require a SAN, hence
# -addext (OpenSSL 1.1.1 or newer).
HOST=test.sundayhk.com
KEY_FILE=$HOST.key
CERT_FILE=$HOST.pem
CERT_NAME=$HOST
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout "${KEY_FILE}" -out "${CERT_FILE}" \
  -subj "/CN=${HOST}/O=${HOST}" \
  -addext "subjectAltName=DNS:${HOST}"
# The Secret must be in the Ingress's namespace and its name must match spec.tls[].secretName
# (the Ingress below uses host and secret web.sundayhk.com).
kubectl create secret tls "${CERT_NAME}" --key "${KEY_FILE}" --cert "${CERT_FILE}" -n default
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-prod
  namespace: default
spec:
  ingressClassName: nginx
  rules:
  - host: web.sundayhk.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-prod
            port:
              number: 80
  tls:
  - hosts:
    - web.sundayhk.com
    secretName: web.sundayhk.com
Disable the automatic HTTP -> HTTPS redirect (on by default as soon as the Ingress has a tls section; turning it off leaves the site reachable in clear text)
nginx.ingress.kubernetes.io/ssl-redirect: "false"
Pass TLS straight through to the backend instead of terminating it on the ingress, e.g. for kubernetes-dashboard serving its own certificate on its Service
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
# The annotation only works when the controller is started with --enable-ssl-passthrough (chart value controller.extraArgs: enable-ssl-passthrough: ""). With passthrough the ingress routes on the TLS SNI only and never sees HTTP, so HTTP-level annotations (whitelist-source-range, rewrites, snippets) do not apply to that host.
Limit
Allow/deny lists:
- Annotations: apply only to the Ingress they are set on
- ConfigMap: apply globally
Note: by default a chart upgrade rolls the controller pods automatically, which is risky for a hostNetwork DaemonSet; to have pods replaced only when you delete them yourself, set the DaemonSet update strategy to OnDelete (chart value controller.updateStrategy.type: OnDelete).
Allowlist (evaluated against the client address nginx sees; with a hostNetwork DaemonSet that is the real client, behind a load balancer that SNATs it is the load balancer)
nginx.ingress.kubernetes.io/whitelist-source-range: 127.0.0.1,192.168.10.250
Denylist
Restrict IPs for a single Ingress/host. This needs allow-snippet-annotations: "true" in the controller ConfigMap; snippets let anyone who can create an Ingress inject arbitrary nginx directives, so prefer whitelist-source-range or block-cidrs where they fit.
nginx.ingress.kubernetes.io/server-snippet: deny 192.168.1.171; allow all;
Restrict IPs for all Ingresses/hosts: configure it in the ingress-nginx ConfigMap
data:
  block-cidrs: ip/cidrs
kubectl edit configmap -n ingress-nginx ingress-nginx-controller
# data holds key: value pairs
apiVersion: v1
data:
  allow-snippet-annotations: "true"   # needed for the server-snippet above; defaults to false since ingress-nginx v1.9
  block-cidrs: 192.168.10.0/24
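A check for the allowlist and denylist settings above, as an added example (not code from the page or from ingress-nginx). It confirms that a whitelist-source-range or block-cidrs decision is made on the TCP peer address and cannot be flipped by a forged X-Forwarded-For header: with use-forwarded-headers left at its default of false, the controller ignores incoming X-Forwarded-* headers, as its documentation states. Run it from an address that is not allowed. HOST and NODE_IP are assumptions for the walkthrough; NODE_IP is any node running a hostNetwork controller pod, and --resolve removes the need for a DNS entry.

```shell
#!/usr/bin/env bash
# Added example: verify that an ingress-nginx allowlist is enforced on the
# connection's source address and not on client-supplied headers.
set -eu

HOST="${HOST:-web.sundayhk.com}"        # assumed Ingress host
NODE_IP="${NODE_IP:-192.168.10.11}"    # assumed node running a controller pod

# HTTP status of GET http://$HOST/ sent to $NODE_IP; extra curl args are appended.
http_status() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 5 \
    --resolve "$HOST:80:$NODE_IP" "http://$HOST/" "$@"
}

# expect_status EXPECTED LABEL [curl args...]: report the outcome, return 0 on match.
expect_status() {
  expected="$1"; label="$2"; shift 2
  got="$(http_status "$@")"
  if [ "$got" = "$expected" ]; then
    echo "ok   $label -> $got"
    return 0
  fi
  echo "FAIL $label -> got $got, expected $expected"
  return 1
}

# Returns 0 only when every check passes. Run from a denied source address.
run_allowlist_checks() {
  rc=0
  # A plain request from a denied address is refused by nginx's allow/deny list.
  expect_status 403 "denied source, no extra headers" || rc=1
  # Claiming an allowed address in X-Forwarded-For must change nothing while
  # use-forwarded-headers is off: the decision is made on the peer address.
  expect_status 403 "denied source, forged X-Forwarded-For" \
    -H "X-Forwarded-For: 192.168.10.250" || rc=1
  return $rc
}

if [ "${RUN_CHECKS:-0}" = 1 ]; then
  run_allowlist_checks
fi
```

If the controller sits behind an L7 proxy and you set use-forwarded-headers: "true" so that the allowlist works on the original client address, the second check is expected to fail, because the header is now trusted; in that deployment the controller must be reachable only from the proxy (network policy, security group), otherwise anyone who can reach a node directly can forge the header. Behind an L4 load balancer that SNATs, use-proxy-protocol is the alternative that keeps the header untrusted.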
Rate-limiting
Canary
The nginx annotations support the following four kinds of canary rule:
- nginx.ingress.kubernetes.io/canary-by-header: split on a request header; suited to gray releases and A/B testing. When the header value is always the request is always sent to the canary; when it is never the request is never sent to the canary; any other value is ignored and the request is evaluated against the remaining canary rules in priority order.
- nginx.ingress.kubernetes.io/canary-by-header-value: the header value that routes the request to the service in the canary Ingress. When the header is set to this value the request goes to the canary. This lets you choose your own header value instead of always/never; it must be used together with canary-by-header.
- nginx.ingress.kubernetes.io/canary-weight: split by weight; suited to blue/green deployments. Range 0-100, the percentage of requests routed to the canary service. 0 means this rule sends nothing to the canary; 100 means every request goes to the canary.
- nginx.ingress.kubernetes.io/canary-by-cookie: split on a cookie; suited to gray releases and A/B testing. The annotation names the cookie used for the decision. When the cookie value is always the request goes to the canary; when it is never it does not; any other value is ignored and the request is evaluated against the remaining canary rules.
Note: the canary rules are evaluated in this priority order:
canary-by-header -> canary-by-cookie -> canary-weight
The canary Ingress must use the same host and path as a non-canary Ingress. Because the header and cookie rules are driven by values the client supplies, anyone who knows the header or cookie name can reach the canary backend: treat them as a routing switch, not as access control.
Annotation reference:
nginx.ingress.kubernetes.io/canary                    "true" or "false"
nginx.ingress.kubernetes.io/canary-by-header          string
nginx.ingress.kubernetes.io/canary-by-header-value    string
nginx.ingress.kubernetes.io/canary-by-header-pattern  string (regular expression matched against the header value, used instead of a fixed canary-by-header-value)
nginx.ingress.kubernetes.io/canary-by-cookie          string
nginx.ingress.kubernetes.io/canary-weight             number
Production version
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-prod
  namespace: default
spec:
  ingressClassName: nginx
  rules:
  - host: web.sundayhk.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-prod
            port:
              number: 80
Gray (canary) version
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-gray
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/canary: "true"
    nginx.ingress.kubernetes.io/canary-by-header: canary         # header name, user-defined
    nginx.ingress.kubernetes.io/canary-by-header-value: "true"   # header value, user-defined
spec:
  ingressClassName: nginx
  rules:
  - host: web.sundayhk.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-gray
            port:
              number: 80
Test
curl http://web.sundayhk.com
hello web prod@!!!
curl -H "canary: true" http://web.sundayhk.com
hello web gray@xxx
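A small measurement script for the two Ingresses above, as an added example (not code from the page or from ingress-nginx). It sends a batch of requests and counts which backend answered, so the same loop checks the header rule shown here and a canary-weight rule, where the split is probabilistic and a single curl proves nothing. It assumes the backends keep answering with the "prod" / "gray" markers shown in the test output; HOST and NODE_IP are assumptions, NODE_IP being any node that runs a hostNetwork controller pod.

```shell
#!/usr/bin/env bash
# Added example: count how ingress-nginx canary rules split a batch of requests.
set -eu

HOST="${HOST:-web.sundayhk.com}"        # assumed Ingress host
NODE_IP="${NODE_IP:-192.168.10.11}"    # assumed node running a controller pod

# Body of GET http://$HOST/ sent to $NODE_IP; extra curl args pass through,
# e.g. -H "canary: true". --resolve removes the need for a DNS entry.
fetch() {
  curl -s --max-time 5 --resolve "$HOST:80:$NODE_IP" "http://$HOST/" "$@"
}

# Map a response body to the backend that produced it, using the markers the
# demo backends on this page return ("hello web prod..." / "hello web gray...").
classify() {
  case "$1" in
    *gray*) echo gray ;;
    *prod*) echo prod ;;
    *)      echo other ;;
  esac
}

# canary_counts N [curl args...]: send N requests and print the split.
canary_counts() {
  n="$1"; shift
  gray=0; prod=0; other=0; i=0
  while [ "$i" -lt "$n" ]; do
    case "$(classify "$(fetch "$@")")" in
      gray) gray=$((gray + 1)) ;;
      prod) prod=$((prod + 1)) ;;
      *)    other=$((other + 1)) ;;
    esac
    i=$((i + 1))
  done
  echo "gray=$gray prod=$prod other=$other"
}

if [ "${RUN_CHECKS:-0}" = 1 ]; then
  echo "no header, expect all prod:            $(canary_counts 20)"
  echo "canary: true, expect all gray:         $(canary_counts 20 -H 'canary: true')"
  echo "canary: false, value mismatch -> prod: $(canary_counts 20 -H 'canary: false')"
  # With canary-weight: "20" on web-gray instead of the header rule,
  # expect roughly 4 of 20 requests to land on gray.
fi
```

Run with `RUN_CHECKS=1`. A value other than the configured canary-by-header-value is ignored, so the request falls through to the remaining rules; with no cookie or weight annotation that means web-prod. Since the header is client-controlled, the "expect all gray" line is also a reminder that any client on the network can opt into web-gray.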