How does Kubernetes use ingress-nginx as a reverse proxy?

2025-04-02 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

Kubernetes series: using ingress-nginx as a reverse proxy

# I. introduction to Ingress

In Kubernetes, the IP addresses of Services and Pods can only be used within the cluster network and are not reachable by applications outside the cluster. To let external applications reach services inside the cluster, Kubernetes currently provides the following options:

- NodePort
- LoadBalancer
- Ingress

# 1. Ingress composition

- Ingress controller: converts each newly added Ingress object into an Nginx configuration file and makes it take effect.
- Ingress service: abstracts the Nginx configuration into an Ingress object, so that for each new service you only need to write a new Ingress yaml file.

# 2. How Ingress works

1. The ingress controller interacts with the Kubernetes API to detect changes to the Ingress rules in the cluster.

2. It then reads those rules. The rules are user-defined: each one states which domain name maps to which Service, and from them the controller generates an Nginx configuration.

3. It then writes that configuration into the nginx-ingress-controller pod: an Nginx instance runs inside the Ingress controller pod, and the controller writes the generated Nginx configuration to the /etc/nginx.conf file.

4. Finally it reloads Nginx so the configuration takes effect. This is how domain-name configuration and dynamic updates are achieved.

# 3. What problems can be solved by Ingress

1. Dynamic service configuration

In the traditional approach, adding a new service may require adding a reverse proxy at the traffic entry point that points to the new K8s service. With Ingress you only need to configure the service itself: when the service starts it is registered in Ingress automatically, with no additional operation.

2. Fewer unnecessary exposed ports

Anyone who has set up K8s knows that the first step is usually to turn off the firewall, mainly because many K8s services are exposed through NodePort, which is tantamount to drilling a lot of holes in the host and is neither safe nor elegant. Ingress avoids this problem: apart from Ingress's own service, which may need to be exposed, other services should not use NodePort mode.

# II. Deploy and configure ingress-nginx

1. Download the configuration file (a single combined manifest)

```shell
cd /data/kubernetes/ingress-nginx
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml
```

2. Description of the manifest

It can be split into five separate files:

1. namespace.yaml: creates a separate namespace, ingress-nginx.

2. configmap.yaml

A ConfigMap stores common configuration variables, similar to a configuration file, so that the environment variables used by different modules of a distributed system can be managed in one object. It differs from a configuration file in that it lives in the "environment" of the cluster and supports all the common operations of the K8S cluster.

From a data perspective, a ConfigMap is just a group of key-value pairs used to store information accessed by Pods or other resource objects such as an RC. The design is similar to that of a Secret; the main difference is that a ConfigMap is not normally used for sensitive information, only for plain text information.

A ConfigMap can hold environment-variable properties or whole configuration files.

When a Pod is created it is bound to the ConfigMap, and the applications in the Pod can refer to the ConfigMap's configuration directly. In effect, the ConfigMap encapsulates the configuration for the application and its runtime environment.

A Pod commonly uses a ConfigMap to set environment-variable values, set command-line arguments, and create configuration files.

3. default-backend.yaml

If the requested domain name does not exist, the request is forwarded by default to the Service default-http-backend, which directly returns 404.

4. rbac.yaml

Handles RBAC authorization for Ingress. It creates the ServiceAccount, ClusterRole, Role, RoleBinding, and ClusterRoleBinding used by Ingress.

5. with-rbac.yaml

The core of Ingress, used to create the ingress-controller. As mentioned earlier, the ingress-controller's job is to convert each newly added Ingress into an Nginx configuration.

3. Select the nodes to deploy on

```shell
# label master02 and master03
kubectl label nodes huoban-k8s-master02 kubernetes.io=nginx-ingress
kubectl label nodes huoban-k8s-master03 kubernetes.io=nginx-ingress
```

4. Modify the configuration file: `vim mandatory.yaml`

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
data:
  proxy-body-size: "200m"

---

kind: ConfigMap
apiVersion: v1
metadata:
  name: tcp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---

kind: ConfigMap
apiVersion: v1
metadata:
  name: udp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses/status
    verbs:
      - update

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "-"
      # Here: "-"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
    spec:
      nodeSelector:
        kubernetes.io: nginx-ingress
      tolerations:
        - effect: NoSchedule
          operator: Exists
      hostNetwork: true
      serviceAccountName: nginx-ingress-serviceaccount
      containers:
        - name: nginx-ingress-controller
          image: registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:0.25.1
          imagePullPolicy: IfNotPresent
          args:
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx
            - --annotations-prefix=nginx.ingress.kubernetes.io
          securityContext:
            allowPrivilegeEscalation: true
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            # www-data -> 33
            runAsUser: 33
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
          volumeMounts:
            - name: ssl
              mountPath: /etc/ingress-controller/ssl
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
      volumes:
        - name: ssl
          nfs:
            path: /conf/global_sign_ssl
            server: 0a52248244-vcq8.cn-hangzhou.nas.aliyuncs.com

---

apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
```

5. Deploy

```shell
kubectl apply -f mandatory.yaml
```

```
namespace/ingress-nginx created
configmap/nginx-configuration created
configmap/tcp-services created
configmap/udp-services created
serviceaccount/nginx-ingress-serviceaccount created
clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole created
role.rbac.authorization.k8s.io/nginx-ingress-role created
rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding created
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding created
deployment.apps/nginx-ingress-controller created
service/ingress-nginx created
```

6. Access test

```shell
kubectl get pods -n ingress-nginx -o wide
```

```
NAME                                       READY   STATUS    RESTARTS   AGE   IP              NODE                  NOMINATED NODE   READINESS GATES
nginx-ingress-controller-b44c4d4d7-9rprz   1/1     Running   0          63s   172.16.17.192   huoban-k8s-master03
nginx-ingress-controller-b44c4d4d7-zfj5n   1/1     Running   0          63s   172.16.17.193   huoban-k8s-master02
```

```
[root@HUOBAN-K8S-MASTER01 mq1]# curl 172.16.17.192
404 Not Found
404 Not Found
openresty/1.15.8.1
[root@HUOBAN-K8S-MASTER01 mq1]# curl 172.16.17.193
404 Not Found
404 Not Found
openresty/1.15.8.1
```

```shell
kubectl get svc -n ingress-nginx -o wide
```

```
NAME            TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE    SELECTOR
ingress-nginx   ClusterIP   10.100.243.171                 80/TCP,443/TCP   112s   app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx
```

```
curl http://10.100.243.171
404 Not Found
404 Not Found
openresty/1.15.8.1
```

7. Deploy an application to test it

1. Create an nginx application: `vim app-nginx.yaml`

```yaml
apiVersion: v1
kind: Service
metadata:
  name: app-nginx
  labels:
    app: app-nginx
spec:
  ports:
    - port: 80
  selector:
    app: app-nginx
    tier: production

---

apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  name: app-nginx
spec:
  maxReplicas: 3
  minReplicas: 1
  scaleTargetRef:
    apiVersion: extensions/v1beta1
    kind: Deployment
    name: app-nginx
  targetCPUUtilizationPercentage: 80

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-nginx
  labels:
    app: app-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app-nginx
      tier: production
  template:
    metadata:
      labels:
        app: app-nginx
        tier: production
    spec:
      containers:
        - name: app-nginx
          image: harbor.huoban.com/open/huoban-nginx:v1.1
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              memory: "50Mi"
              cpu: "25m"
          ports:
            - containerPort: 80
              name: nginx
          volumeMounts:
            - name: html
              mountPath: /usr/share/nginx/html
            - name: conf
              mountPath: /etc/nginx/conf.d
      volumes:
        - name: html
          nfs:
            path: /open/web/app
            server: 192.168.101.11
        - name: conf
          nfs:
            path: /open/conf/app/nginx
            server: 192.168.101.11
```

2. Create a TLS secret from the certificate

```shell
kubectl create secret tls bjwf-ingress-secret --cert=server.crt --key=server.key --dry-run -o yaml > bjwf-ingress-secret.yaml
```

With `--dry-run -o yaml` this only writes the manifest; apply it (`kubectl apply -f bjwf-ingress-secret.yaml`) so the Secret exists in the `default` namespace before the Ingress below references it.

3. Create the Ingress for the application: `vim app-nginx-ingress.yaml`

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: app-ingress
  namespace: default
spec:
  tls:
    - hosts:
        - www.bjwf125.com
      secretName: bjwf-ingress-secret
  rules:
    - host: www.bjwf125.com
      http:
        paths:
          - path: /
            backend:
              serviceName: app-nginx
              servicePort: 80
```

8. Visit the service (no screenshot for this step; HTTP requests are redirected to 443).
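As an added illustration of step 2 of "How Ingress works" and of the app-ingress manifest above (example code written for this page, not from the page or the ingress-nginx project): a minimal model of turning an Ingress object's host and path rules into nginx server blocks, including the HTTP-to-443 redirect observed in step 8, and refusing a TLS host whose Secret does not exist. The upstream naming scheme and the on-disk certificate path are assumptions; the Ingress dict is constructed from the page's app-nginx-ingress.yaml.

```python
SSL_DIR = "/etc/ingress-controller/ssl"  # the controller's ssl mountPath from mandatory.yaml

# Constructed sample: the same content as the page's app-nginx-ingress.yaml.
APP_INGRESS = {
    "metadata": {"name": "app-ingress", "namespace": "default"},
    "spec": {
        "tls": [{"hosts": ["www.bjwf125.com"], "secretName": "bjwf-ingress-secret"}],
        "rules": [{"host": "www.bjwf125.com", "http": {"paths": [
            {"path": "/", "backend": {"serviceName": "app-nginx", "servicePort": 80}},
        ]}}],
    },
}


def tls_secret_for(ingress, host):
    """Return the secretName whose spec.tls hosts entry covers host, else None."""
    for entry in ingress["spec"].get("tls", []):
        if host in entry.get("hosts", []):
            return entry["secretName"]
    return None


def render_nginx_config(ingress, existing_secrets):
    """Render one nginx server block per rule host. A host covered by spec.tls
    gets a port-80 redirect to https plus a port-443 listener; a referenced
    Secret that does not exist is rejected instead of being served with a
    placeholder certificate."""
    ns = ingress["metadata"]["namespace"]
    blocks = []
    for rule in ingress["spec"]["rules"]:
        host, secret = rule["host"], tls_secret_for(ingress, rule["host"])
        if secret and secret not in existing_secrets:
            raise ValueError(f"Ingress {host}: tls secret {ns}/{secret} does not exist")
        locations = []
        for p in rule["http"]["paths"]:
            b = p["backend"]
            # Assumed upstream naming: <namespace>-<service>-<port>.
            locations.append(f"    location {p['path']} {{ proxy_pass http://{ns}-{b['serviceName']}-{b['servicePort']}; }}")
        if secret:
            pem = f"{SSL_DIR}/{ns}-{secret}.pem"  # assumed on-disk name for the Secret
            blocks.append(f"server {{\n    listen 80;\n    server_name {host};\n"
                          f"    return 301 https://$host$request_uri;\n}}")
            blocks.append(f"server {{\n    listen 443 ssl;\n    server_name {host};\n"
                          f"    ssl_certificate {pem};\n    ssl_certificate_key {pem};\n"
                          + "\n".join(locations) + "\n}")
        else:
            blocks.append(f"server {{\n    listen 80;\n    server_name {host};\n"
                          + "\n".join(locations) + "\n}")
    return "\n".join(blocks)
```

Call `render_nginx_config(APP_INGRESS, {"bjwf-ingress-secret"})` to see the two server blocks generated for www.bjwf125.com; passing an empty set of secrets raises instead of rendering.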
