一、基本概念
k8s集群中,ingress作为集群内服务对外暴露的访问接入点,几乎承载着集群内服务访问的所有流量。ingress是k8s中的一个资源对象,用来管理集群外部访问集群内部服务的方式。可以通过ingress资源来配置不同的转发规则,从而根据不同的规则将访问转发到集群内不同Service的后端Pod。
Ingress资源仅支持http流量的规则,无法配置一些高级特性。如:负载均衡的算法、Session Affinity等,这些高级特性都需要在ingress Controller中进行配置。
二、原理
为了使得ingress资源正常工作,集群中必须要有一个ingress controller来解析ingress的转发规则。ingress controller收到请求后,按ingress转发规则匹配到后端service,service再转发到pod,最终由pod处理请求。k8s中service、ingress、ingress controller有着以下关系:
- service是后端真实服务的抽象,一个service可以代表多个相同的后端服务。
- ingress是反向代理规则,用来规定http/https请求应该被转发到哪个service上。如根据请求中不同的host和url路径,让请求落到不同的service上。
- ingress controller是一个反向代理程序,负责解析ingress的反向代理规则。如果ingress有增删改的变动,ingress Controller会及时更新自己相应的转发规则,当ingress Controller收到请求后就会根据这些规则将请求转发到对应的service。
ingress Controller通过api server获取ingress资源的变化,动态生成load Balancer(如nginx)所需要的配置文件(如nginx.conf),然后重新加载load Balancer(如:nginx -s reload重新加载nginx)来生成新的路由转发规则。
三、修改文件
# egrep -v "^$|^#|^ *#" values.yaml
global:
  image:
    # Cluster-wide registry override (a mirror of registry.k8s.io, by its
    # name). NOTE(review): depending on the chart's image helper this value
    # may take precedence over the per-image `registry` keys below, including
    # the Aliyun controller image — confirm the rendered image references
    # with `helm template` before rollout.
    registry: k8s.kubesre.xyz
  # Empty: resources are created in the release namespace given on the
  # helm command line.
  namespaceOverride: ""
  commonLabels: {}
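controller:
  name: controller
  # Reject Ingress objects whose annotations fail validation instead of
  # rendering them into nginx.conf; keep enabled.
  enableAnnotationValidations: true
  image:
    chroot: false
    # Controller image is an Aliyun build pulled from a regional registry by
    # tag only; no digest is pinned, so the image behind this tag can change
    # without a values change. Record the resolved digest at rollout.
    registry: registry-cn-hangzhou.ack.aliyuncs.com
    image: acs/aliyun-ingress-controller
    tag: "v1.11.5-aliyun.1"
    pullPolicy: IfNotPresent
    # Unprivileged container: no privilege escalation, runtime default
    # seccomp profile.
    runAsNonRoot: true
    runAsUser: 101
    runAsGroup: 82
    allowPrivilegeEscalation: false
    seccompProfile:
      type: RuntimeDefault
    # Left writable; presumably the controller writes its generated nginx
    # config to the root filesystem — confirm before tightening to true.
    readOnlyRootFilesystem: false
  containerName: controller
  containerPort:
    http: 80
    https: 443
  # nginx ConfigMap entries (e.g. ssl-protocols, hsts) go here; empty means
  # the controller's built-in TLS and header defaults apply.
  config: {}
  configAnnotations: {}
  proxySetHeaders: {}
  addHeaders: {}
  dnsConfig: {}
  hostAliases: []
  hostname: {}
  # hostNetwork is enabled below. With ClusterFirst a host-networked pod
  # inherits the node's resolv.conf, so in-cluster service names would not
  # resolve from nginx (auth-url targets, ExternalName upstreams);
  # ClusterFirstWithHostNet keeps cluster DNS for host-networked pods.
  dnsPolicy: ClusterFirstWithHostNet
  # NOTE(review): with hostNetwork and a ClusterIP service, publishService
  # writes the service's cluster IP into the Ingress status address —
  # confirm that is intended; reportNodeInternalIp is the usual alternative
  # for host-networked DaemonSets.
  reportNodeInternalIp: false
  # Only Ingress objects carrying this controller's IngressClass are served.
  watchIngressWithoutClass: false
  ingressClassByName: false
  enableTopologyAwareRouting: false
  disableLeaderElection: false
  electionTTL: ""
  # Snippet annotations let any Ingress author inject raw nginx directives
  # into the shared config; keep disabled, especially in multi-tenant clusters.
  allowSnippetAnnotations: false
  # Pods bind :80/:443 in the node's network namespace (DaemonSet below):
  # anything that can reach the node IP reaches nginx, so limit which nodes
  # run it (nodeSelector) and filter those ports at the network edge.
  hostNetwork: true
  hostPort:
    enabled: false
    ports:
      http: 80
      https: 443
  # No NetworkPolicy is generated for the controller pods.
  networkPolicy:
    enabled: false
  electionID: ""
  ingressClassResource:
    name: nginx
    enabled: true
    # Not the cluster default class: Ingress objects must name it explicitly.
    default: false
    annotations: {}
    controllerValue: k8s.io/ingress-nginx
    aliases: []
    parameters: {}
  ingressClass: nginx
  podLabels: {}
  podSecurityContext: {}
  sysctls: {}
  containerSecurityContext: {}
  publishService:
    enabled: true
    pathOverride: ""
  # Cluster-wide watch: the controller sees Ingress objects (and their TLS
  # secrets) in every namespace.
  scope:
    enabled: false
    namespace: ""
    namespaceSelector: ""
  configMapNamespace: ""
  tcp:
    configMapNamespace: ""
    annotations: {}
  udp:
    configMapNamespace: ""
    annotations: {}
  # Empty: GeoIP databases are not downloaded.
  maxmindLicenseKey: ""
  extraArgs: {}
  extraEnvs: []
  # One controller pod per selected node rather than a replicated Deployment;
  # replicaCount/autoscaling below are therefore not in effect.
  kind: DaemonSet
  annotations: {}
  labels: {}
  updateStrategy: {}
  progressDeadlineSeconds: 0
  minReadySeconds: 0
  # Empty key + Exists tolerates every taint; placement is gated solely by
  # the nodeSelector labels below.
  tolerations:
    - key: ""
      operator: "Exists"
      value: ""
  affinity: {}
  topologySpreadConstraints: []
  # Long grace period so in-flight connections drain via /wait-shutdown.
  terminationGracePeriodSeconds: 300
  # Runs only on Linux nodes explicitly labelled for ingress; the label is
  # the only control over which nodes expose :80/:443.
  nodeSelector:
    kubernetes.io/os: linux
    boge/ingress-controller-ready: "true"
  livenessProbe:
    httpGet:
      path: "/healthz"
      port: 10254
      scheme: HTTP
    initialDelaySeconds: 10
    periodSeconds: 10
    timeoutSeconds: 1
    successThreshold: 1
    failureThreshold: 5
  readinessProbe:
    httpGet:
      path: "/healthz"
      port: 10254
      scheme: HTTP
    initialDelaySeconds: 10
    periodSeconds: 10
    timeoutSeconds: 1
    successThreshold: 1
    failureThreshold: 3
  healthCheckPath: "/healthz"
  healthCheckHost: ""
  podAnnotations: {}
  replicaCount: 1
  minAvailable: 1
  unhealthyPodEvictionPolicy: ""
  # Hard limits bound one pod's share of a node; a traffic burst hits the
  # 6 CPU ceiling before it affects co-located workloads.
  resources:
    limits:
      cpu: 6
      memory: 12Gi
    requests:
      cpu: 2
      memory: 4Gi
  autoscaling:
    enabled: false
    annotations: {}
    minReplicas: 1
    maxReplicas: 11
    targetCPUUtilizationPercentage: 50
    targetMemoryUtilizationPercentage: 50
    behavior: {}
  autoscalingTemplate: []
  keda:
    apiVersion: "keda.sh/v1alpha1"
    enabled: false
    minReplicas: 1
    maxReplicas: 11
    pollingInterval: 30
    cooldownPeriod: 300
    restoreToOriginalReplicaCount: false
    scaledObject:
      annotations: {}
    triggers: []
    behavior: {}
  enableMimalloc: true
  customTemplate:
    configMapName: ""
    configMapKey: ""
  # With hostNetwork the ClusterIP service is not the traffic path; external
  # clients reach the node IPs directly.
  service:
    enabled: true
    external:
      enabled: true
    annotations: {}
    labels: {}
    type: ClusterIP
    clusterIP: ""
    externalIPs: []
    loadBalancerIP: ""
    loadBalancerSourceRanges: []
    loadBalancerClass: ""
    externalTrafficPolicy: ""
    sessionAffinity: ""
    ipFamilyPolicy: SingleStack
    ipFamilies:
      - IPv4
    enableHttp: true
    enableHttps: true
    ports:
      http: 80
      https: 443
    targetPorts:
      http: http
      https: https
    appProtocol: true
    nodePorts:
      http: ""
      https: ""
      tcp: {}
      udp: {}
    internal:
      enabled: false
      annotations: {}
      type: ""
      clusterIP: ""
      externalIPs: []
      loadBalancerIP: ""
      loadBalancerSourceRanges: []
      loadBalancerClass: ""
      externalTrafficPolicy: ""
      sessionAffinity: ""
      ipFamilyPolicy: SingleStack
      ipFamilies:
        - IPv4
      ports: {}
      targetPorts: {}
      appProtocol: true
      nodePorts:
        http: ""
        https: ""
        tcp: {}
        udp: {}
  shareProcessNamespace: false
  extraContainers: []
  extraVolumeMounts: []
  extraVolumes: []
  extraInitContainers: []
  extraModules: []
  admissionWebhooks:
    name: admission
    annotations: {}
    # Validating webhook rejects Ingress objects that would break the shared
    # nginx.conf. failurePolicy Fail means Ingress writes are refused while
    # the webhook is unreachable rather than admitted unchecked.
    enabled: true
    extraEnvs: []
    failurePolicy: Fail
    port: 8443
    certificate: "/usr/local/certificates/cert"
    key: "/usr/local/certificates/key"
    namespaceSelector: {}
    objectSelector: {}
    labels: {}
    service:
      annotations: {}
      externalIPs: []
      loadBalancerSourceRanges: []
      servicePort: 443
      type: ClusterIP
    # Cert-generation jobs run as a non-root UID, drop all capabilities and
    # use a read-only root filesystem.
    createSecretJob:
      name: create
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532
        runAsGroup: 65532
        allowPrivilegeEscalation: false
        seccompProfile:
          type: RuntimeDefault
        capabilities:
          drop:
            - ALL
        readOnlyRootFilesystem: true
      resources: {}
    patchWebhookJob:
      name: patch
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532
        runAsGroup: 65532
        allowPrivilegeEscalation: false
        seccompProfile:
          type: RuntimeDefault
        capabilities:
          drop:
            - ALL
        readOnlyRootFilesystem: true
      resources: {}
    patch:
      enabled: true
      image:
        # Pulled from registry.k8s.io while the other images use mirrors; if
        # that registry is unreachable from this cluster the cert jobs
        # presumably fail and, with failurePolicy Fail, Ingress admission
        # blocks. Pulled by tag, no digest pinned.
        registry: registry.k8s.io
        image: ingress-nginx/kube-webhook-certgen
        tag: v1.5.2
        pullPolicy: IfNotPresent
      priorityClassName: ""
      podAnnotations: {}
      networkPolicy:
        enabled: false
      nodeSelector:
        kubernetes.io/os: linux
        boge/ingress-controller-ready: "true"
      tolerations:
        - operator: Exists
      labels: {}
      securityContext: {}
    rbac:
      create: true
    serviceAccount:
      create: true
      name: ""
      automountServiceAccountToken: true
    # Webhook certificate comes from the patch job above, not cert-manager.
    certManager:
      enabled: false
      rootCert:
        duration: ""
      admissionCert:
        duration: ""
  metrics:
    port: 10254
    portName: metrics
    # No metrics endpoint is exposed, so there is no request/error telemetry
    # from the controller to alert on; enable together with serviceMonitor
    # once a Prometheus stack is available.
    enabled: false
    service:
      enabled: true
      annotations: {}
      labels: {}
      externalIPs: []
      loadBalancerSourceRanges: []
      servicePort: 10254
      type: ClusterIP
    serviceMonitor:
      enabled: false
      additionalLabels: {}
      annotations: {}
      namespace: ""
      namespaceSelector: {}
      scrapeInterval: 30s
      targetLabels: []
      relabelings: []
      metricRelabelings: []
    prometheusRule:
      enabled: false
      additionalLabels: {}
      annotations: {}
      rules: []
  # Graceful shutdown hook; paired with terminationGracePeriodSeconds above.
  lifecycle:
    preStop:
      exec:
        command:
          - /wait-shutdown
  priorityClassName: ""
  revisionHistoryLimit: 10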
defaultBackend:
  # Disabled: requests matching no Ingress rule get the controller's
  # built-in 404 response instead of a separate backend pod. Everything
  # below only takes effect if this is switched on.
  enabled: false
  name: defaultbackend
  image:
    # Pulled from registry.k8s.io by tag; no digest pinned.
    registry: registry.k8s.io
    image: defaultbackend-amd64
    tag: "1.5"
    pullPolicy: IfNotPresent
    # Non-root UID, no escalation, read-only root filesystem.
    runAsNonRoot: true
    runAsUser: 65534
    runAsGroup: 65534
    allowPrivilegeEscalation: false
    seccompProfile:
      type: RuntimeDefault
    readOnlyRootFilesystem: true
  extraArgs: {}
  serviceAccount:
    create: true
    name: ""
    # NOTE(review): the default backend only serves static responses; if it
    # is ever enabled, consider setting this to false so the pod carries no
    # API token.
    automountServiceAccountToken: true
  extraEnvs: []
  port: 8080
  livenessProbe:
    failureThreshold: 3
    initialDelaySeconds: 30
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 5
  readinessProbe:
    failureThreshold: 6
    initialDelaySeconds: 0
    periodSeconds: 5
    successThreshold: 1
    timeoutSeconds: 5
  updateStrategy: {}
  minReadySeconds: 0
  # Empty key + Exists tolerates every taint; placement is gated by the
  # nodeSelector below.
  tolerations:
    - key: ""
      operator: "Exists"
      value: ""
  affinity: {}
  topologySpreadConstraints: []
  podSecurityContext: {}
  containerSecurityContext: {}
  podLabels: {}
  nodeSelector:
    kubernetes.io/os: linux
    boge/ingress-controller-ready: "true"
  podAnnotations: {}
  replicaCount: 1
  minAvailable: 1
  unhealthyPodEvictionPolicy: ""
  # No requests/limits: the pod would be BestEffort if enabled.
  resources: {}
  extraVolumeMounts: []
  extraVolumes: []
  extraConfigMaps: []
  autoscaling:
    annotations: {}
    enabled: false
    minReplicas: 1
    maxReplicas: 2
    targetCPUUtilizationPercentage: 50
    targetMemoryUtilizationPercentage: 50
  networkPolicy:
    enabled: false
  service:
    annotations: {}
    externalIPs: []
    loadBalancerSourceRanges: []
    servicePort: 80
    type: ClusterIP
  priorityClassName: ""
  labels: {}
rbac:
  create: true
  # false = cluster-scoped ClusterRole/ClusterRoleBinding rather than
  # namespace-scoped Role; required because the controller watches every
  # namespace (controller.scope.enabled is false). Compromise of the
  # controller pod therefore exposes Ingress and TLS secret data cluster-wide.
  scope: false
serviceAccount:
  create: true
  # Empty: the chart derives the ServiceAccount name from the release.
  name: ""
  # The controller reads Ingress/Service/Endpoint/Secret objects via the API,
  # so the token mount is needed here.
  automountServiceAccountToken: true
  annotations: {}
# No pull secrets: every registry referenced above must allow anonymous
# pulls from the nodes.
imagePullSecrets: []
# Layer-4 (TCP/UDP) port-to-service maps; empty means only HTTP/HTTPS is
# proxied.
tcp: {}
udp: {}
portNamePrefix: ""
# Empty: no custom DH parameters for TLS; the controller's defaults apply.
dhParam: ""
# helm upgrade --install ingress-nginx -n ingress-nginx . -f values.yaml