Service Proxy
ingress => gateway api
- envoy
- contour (an ingress/Gateway controller built on Envoy)
- traefik proxy
- haproxy
- MetalLB (not a proxy: a bare-metal implementation of Service type=LoadBalancer, usually placed in front of the ingress controller)
- nginx
- OpenELB (same role as MetalLB)
ingress controller
- Ingress-nginx(nginx)
- aws-load-balancer-controller(alb)
- ingress-gce
- Traefik
The kubernetes.io/ingress.class annotation is deprecated from kubernetes v1.22+. Select the ingress controller through an IngressClass resource instead, referenced by the ingressClassName field of the Ingress:
ingressClassName: nginx
ingress syntax
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minimal-ingress
  annotations:
    # controller-specific annotation, honoured by ingress-nginx only
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx-example
  # defaultBackend receives every request that matches no rule; a resource
  # backend points at an arbitrary object in the cluster instead of a Service
  defaultBackend:
    resource:
      apiGroup: k8s.example.com
      kind: StorageBucket
      name: static-assets
  rules:
  - http:
      paths:
      - path: /testpath
        pathType: Prefix
        backend:
          service:
            name: test
            port:
              number: 80
pathType (required on every path):
ImplementationSpecific: matching is left to the IngressClass; an implementation may treat it as a separate pathType or the same as Prefix or Exact.
Exact: matches the URL path exactly, case-sensitively.
Prefix: matches on a URL path prefix split by /. Matching is case-sensitive and done element by element, where a path element is one label of the path split on the / separator. A request matches rule path p if every element of p equals the element in the same position of the request path (so /foo matches /foo/bar but not /foobar, and a trailing / is ignored).
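The Exact and Prefix rules above, implemented as a small matcher plus the precedence the Ingress docs prescribe (longest matching path wins, Exact beats Prefix on a tie). This is an added example written for this page, not code from Kubernetes or from any controller; the sample rules, service names and request paths are constructed to mirror the minimal-ingress above, and ImplementationSpecific is deliberately left unimplemented because the API does not define it.

```python
"""Ingress pathType matching (Exact / Prefix) as specified by the Kubernetes
Ingress API. Added example for this page, not code from any real controller:
ingress-nginx, Traefik and others implement the same rules inside their own
proxy configuration, and ImplementationSpecific is left to each controller."""

from dataclasses import dataclass
from typing import List, Optional


def _elements(path: str) -> List[str]:
    # Split on "/" and drop empty labels: "/foo/" and "/foo" both become
    # ["foo"], which is why a trailing slash does not matter for Prefix.
    return [label for label in path.split("/") if label]


def match_path(path_type: str, rule_path: str, request_path: str) -> bool:
    """True if request_path matches rule_path under the given pathType."""
    if path_type == "Exact":
        # Case-sensitive, byte-for-byte: "/foo" does not match "/foo/".
        return rule_path == request_path
    if path_type == "Prefix":
        rule = _elements(rule_path)
        req = _elements(request_path)
        # Element-wise prefix: every label of the rule must equal the label in
        # the same position of the request. "/foo" matches "/foo/bar" but not
        # "/foobar", which would only be a plain string prefix. Comparison is
        # case-sensitive, so "/Foo" does not match "/foo".
        return req[: len(rule)] == rule
    if path_type == "ImplementationSpecific":
        raise ValueError("ImplementationSpecific matching is defined by the IngressClass, not by the API")
    raise ValueError(f"unknown pathType {path_type!r}")


@dataclass(frozen=True)
class Rule:
    path: str
    path_type: str
    service: str


def route(rules: List[Rule], request_path: str) -> Optional[str]:
    """Pick the backend service for request_path.

    Precedence follows the Ingress docs: the longest matching path wins, and
    on a tie an Exact rule beats a Prefix rule. Returns None when nothing
    matches (a real controller would then fall back to defaultBackend)."""
    matches = [r for r in rules if match_path(r.path_type, r.path, request_path)]
    if not matches:
        return None
    best = max(matches, key=lambda r: (len(r.path), r.path_type == "Exact"))
    return best.service


# Constructed sample rules in the shape of the minimal-ingress above.
RULES = [
    Rule("/", "Prefix", "default-svc"),
    Rule("/testpath", "Prefix", "test"),
    Rule("/testpath/admin", "Prefix", "admin"),
    Rule("/healthz", "Exact", "health"),
]

if __name__ == "__main__":
    for p in ["/testpath", "/testpath/", "/testpathx", "/TestPath",
              "/testpath/admin/users", "/healthz", "/healthz/"]:
        print(f"{p:24} -> {route(RULES, p)}")
```

The element-wise split is the part worth internalising: a controller that matched Prefix rules as plain string prefixes would route /testpathx (or /admin-old against an /admin rule) to a backend the author never intended to expose.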
IngressClass is cluster-scoped: it has no namespace.
gateway api controller
- cilium
- contour
- GKE
- EKS
- kong
- traefik
ingress-nginx
https://github.com/kubernetes/ingress-nginx
// deploy (the manifest is pinned to controller-v0.34.1 through the URL; pin the release you actually run and keep it updated)
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.34.1/deploy/static/provider/baremetal/deploy.yaml
// verify the deployment
$ kubectl get pods --all-namespaces -l app.kubernetes.io/name=ingress-nginx --watch
// detect the installed version
POD_NAMESPACE=ingress-nginx
POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/name=ingress-nginx -o jsonpath='{.items[0].metadata.name}')
$ kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version
tls:
https://kubernetes.github.io/ingress-nginx/user-guide/tls/
https://kubernetes.io/zh-cn/docs/concepts/services-networking/ingress/
traefik
traefik2.2+
https://github.com/traefik/traefik
install with helm:
helm repo add traefik https://helm.traefik.io/traefik
helm repo update
helm install traefik traefik/traefik -n traefik --create-namespace -f ./value.yaml
# expose dashboard. --address 0.0.0.0 binds the forwarded port on every interface of the machine running kubectl,
# and the dashboard/API has no authentication of its own, so drop that flag (default: 127.0.0.1) unless the host is trusted:
kubectl port-forward -n traefik $(kubectl get pods -n traefik --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000 --address 0.0.0.0
Request model
Client => Traefik => Backend
Ports:
9000: Traefik dashboard/API port in the helm chart
Key components
- Providers: discover the services on the platform automatically.
- Entrypoints: listen for incoming traffic; they define the ports that accept requests.
- Routers: analyse each request and connect it to the service responsible for handling it.
- Middlewares: modify the request before the router hands it to the service.
- Services/LB: forward the request to the application; they configure the actual servers that handle it.
Configuration
Two kinds of configuration
- Static configuration: read at startup from the configuration file (/etc/traefik/traefik.[toml|yaml]), environment variables or command-line flags; defines providers, entrypoints and the like.
- Dynamic configuration: the routing configuration that defines how requests are handled; fetched from the providers at runtime.
Static configuration:
- entrypoints
- providers
- serversTransport
- certificatesresolvers
- api
- ping
- experimental
- hostresolver
- accesslog
- log
- metrics (datadog, influxdb, prometheus, statsd)
- tracing (datadog, elastic, haystack, instana, jaeger, zipkin)
Global settings:
--global.checkNewVersion
--global.sendAnonymousUsage
serversTransport parameters control the connection from Traefik to the backend:
# disables verification of the backend certificate: any host answering at the backend address is accepted, so keep this for testing only
--serversTransport.insecureSkipVerify=true
# self-signed / private TLS CA: trust the issuing CA instead of skipping verification
--serversTransport.rootCAs=foo.crt,bar.crt
--serversTransport.maxIdleConnsPerHost=7
--serversTransport.forwardingTimeouts.dialTimeout=1s
--serversTransport.forwardingTimeouts.responseHeaderTimeout=1s
--serversTransport.forwardingTimeouts.idleConnTimeout=1s
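The flags above are one spelling of the static configuration: --a.b.c=value maps onto the same nesting the YAML/TOML file uses. The following added example (written for this page, not Traefik's own code) parses a flag list into that nested form and then audits it for the two weak settings a reviewer looks for first: serversTransport.insecureSkipVerify and api.insecure (the flag that serves the dashboard/API unauthenticated). The flag names are real Traefik flags; the audit rules, the finding texts and the WEAK/HARDENED flag lists are constructed here, and HARDENED shows the rootCAs replacement for insecureSkipVerify.

```python
"""Traefik static configuration given as CLI flags (--a.b.c=value), parsed into
the nested structure the YAML/TOML file form would give, then audited for the
settings that weaken backend TLS or expose the dashboard. Added example for
this page: not Traefik's own code. The flag names used are real Traefik flags;
the audit rules and the WEAK/HARDENED argument lists are constructed here."""

from typing import Any, Dict, List


def parse_flags(argv: List[str]) -> Dict[str, Any]:
    """--serversTransport.rootCAs=a.crt,b.crt -> {"serverstransport": {"rootcas": "a.crt,b.crt"}}

    Keys are lower-cased because Traefik matches flag names case-insensitively.
    A flag given without "=value" (e.g. --api.insecure) is treated as "true".
    Arguments that are not --flags are ignored."""
    config: Dict[str, Any] = {}
    for arg in argv:
        if not arg.startswith("--"):
            continue
        key, sep, value = arg[2:].partition("=")
        parts = key.lower().split(".")
        node = config
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value if sep else "true"
    return config


def lookup(config: Dict[str, Any], dotted: str, default: Any = None) -> Any:
    """Look up a dotted, case-insensitive key such as "serversTransport.rootCAs"."""
    node: Any = config
    for part in dotted.lower().split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def is_true(value: Any) -> bool:
    return str(value).strip().lower() == "true"


def audit(config: Dict[str, Any]) -> List[str]:
    """Return findings for the insecure settings this example knows about."""
    findings: List[str] = []
    if is_true(lookup(config, "serversTransport.insecureSkipVerify")):
        findings.append(
            "serversTransport.insecureSkipVerify=true: the backend certificate is not "
            "verified, so anything reachable at the backend address can impersonate it; "
            "trust the private CA via serversTransport.rootCAs instead")
    if is_true(lookup(config, "api.insecure")):
        findings.append(
            "api.insecure=true: dashboard and API are served unauthenticated on the "
            "'traefik' entrypoint; disable it and expose the dashboard through an "
            "IngressRoute guarded by an auth middleware")
    return findings


# Constructed flag sets: the weak configuration from the notes above and the
# hardened equivalent that pins a private CA instead of skipping verification.
WEAK = [
    "--serversTransport.insecureSkipVerify=true",
    "--api.insecure",
    "--entrypoints.web.address=:80",
]
HARDENED = [
    "--serversTransport.rootCAs=foo.crt,bar.crt",
    "--serversTransport.maxIdleConnsPerHost=7",
    "--serversTransport.forwardingTimeouts.dialTimeout=1s",
    "--entrypoints.websecure.address=:443",
]

if __name__ == "__main__":
    for name, argv in (("weak", WEAK), ("hardened", HARDENED)):
        findings = audit(parse_flags(argv))
        print(f"{name}: {findings or 'no findings'}")
```

Because the parser produces the same nesting as the file form, the same audit can be pointed at a loaded traefik.yaml; only the flag-splitting front end is specific to the command line.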
kubernetes provider
The Kubernetes provider comes in three flavours:
- Ingress
- IngressRoute
- Gateway API
https & tls
Traefik certificates can be created manually (stored in a Secret) or obtained automatically from Let's Encrypt.
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: name
  namespace: ns
spec:
  entryPoints:
    - websecure
  # routes is required; host and service below are placeholders
  routes:
    - match: Host(`example.com`)
      kind: Rule
      services:
        - name: my-svc
          port: 80
  tls:
    secretName: my-tls   # kubernetes.io/tls Secret in the same namespace
Automatic certificates from Let's Encrypt support three ACME challenge types (tls, http, dns), configured on a certificate resolver:
- "--certificatesresolvers.myresolver.acme.httpchallenge=true"
- "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
- "--certificatesresolvers.myresolver.acme.tlschallenge=true"
- "--certificatesresolvers.myresolver.acme.tlschallenge.entrypoint=websecure"
- "--certificatesresolvers.myresolver.acme.email=canux.cheng@arm.com"
- "--certificatesresolvers.myresolver.acme.storage=acme.json"
# acme.json holds the ACME account key and every issued private key; Traefik requires it to be mode 600 and it must live on persistent storage, or the certificates are re-requested on every restart.