Kubernetes Ingress Configuration and Best Practices: Building Efficient Ingress Traffic Management
1. Ingress Overview
Ingress is the Kubernetes resource that manages external access to Services inside the cluster. It provides HTTP/HTTPS routing, SSL/TLS termination and virtual hosting, and is the central component for exposing services.
1.1 Ingress Architecture

```text
External request
      ↓
LoadBalancer / NodePort
      ↓
Ingress Controller (nginx / traefik / istio)
      ↓
Ingress resource (routing rules)
      ↓
Backend Services
```
1.2 Comparison of Ingress Controllers
| Controller | Characteristics | Typical use |
|---|---|---|
| nginx-ingress | Feature-rich, mature community | General purpose |
| traefik | Automatic configuration, dynamic updates | Cloud-native environments |
| istio-ingress | Service-mesh integration, advanced traffic management | Complex microservice landscapes |
| haproxy-ingress | High performance, load balancing | High-concurrency workloads |
2. Basic Ingress Configuration
2.1 A Simple Ingress

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: simple-ingress
  annotations:
    # rewrite-target replaces the whole matched URI, so every request
    # under /app reaches the backend as "/" (see 3.1 for capture groups)
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  # Select the controller explicitly; the later examples omit this field
  # and assume a default IngressClass is configured in the cluster.
  ingressClassName: nginx
  rules:
  - host: example.com
    http:
      paths:
      - path: /app
        pathType: Prefix
        backend:
          service:
            name: my-service
            port:
              number: 80
```
2.2 Multiple Hostnames

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: multi-host-ingress
spec:
  rules:
  - host: app1.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app1-service
            port:
              number: 80
  - host: app2.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app2-service
            port:
              number: 80
```
2.3 TLS Configuration

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
  annotations:
    # TLS is terminated at the controller. The backend below listens on 443,
    # so tell the controller to re-encrypt; without this it proxies plain HTTP.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
    - secure.example.com
    secretName: tls-secret   # a kubernetes.io/tls Secret in the same namespace
  rules:
  - host: secure.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: secure-service
            port:
              number: 443
```
2.4 Creating the TLS Secret

```bash
# The Secret must live in the namespace of the Ingress that references it
kubectl create secret tls tls-secret \
  --cert=path/to/tls.crt \
  --key=path/to/tls.key
```
3. Advanced Ingress Configuration
3.1 Path Rewriting

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rewrite-ingress
  annotations:
    # $1 is the first capture group of the path regex below,
    # so /api/v1/users is forwarded to the backend as /users
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    nginx.ingress.kubernetes.io/use-regex: "true"
spec:
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /api/v1/(.*)
        # Regex paths must use ImplementationSpecific; Prefix paths are
        # validated as literal paths and reject regex characters.
        pathType: ImplementationSpecific
        backend:
          service:
            name: api-v1-service
            port:
              number: 80
```
3.2 Rate Limiting

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rate-limit-ingress
  annotations:
    # Limits are keyed by client IP. limit-connections caps concurrent
    # connections; limit-rps and limit-rpm each create their own nginx
    # limit_req zone and a request must pass both.
    nginx.ingress.kubernetes.io/limit-connections: "100"
    nginx.ingress.kubernetes.io/limit-rps: "50"
    nginx.ingress.kubernetes.io/limit-rpm: "2000"
spec:
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 80
```
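How the limit-rps and limit-rpm values above admit or refuse a burst is easier to see in code. The following Python model is an added example, not code from this article or from ingress-nginx: it reimplements the nginx limit_req leaky bucket those two annotations render, assumes the ingress-nginx defaults of limit-burst-multiplier 5 and status 503, and leaves limit-connections (a concurrency cap, not a rate) out.

```python
"""Model how ingress-nginx's limit-rps and limit-rpm annotations admit requests.
Added example, not from the original article. Each annotation becomes an nginx
limit_req zone (burst = limit * limit-burst-multiplier, default 5, nodelay): a
new client starts with an empty bucket, each further request adds one unit of
excess that drains at the zone's rate, and a request is refused with HTTP 503
when any zone's excess would exceed its burst. Addresses and timings are constructed.
"""
from dataclasses import dataclass, field

PREFIX = "nginx.ingress.kubernetes.io/"
ANNOTATIONS = {PREFIX + "limit-rps": "50", PREFIX + "limit-rpm": "2000"}
BURST_MULTIPLIER = 5  # ingress-nginx default for limit-burst-multiplier

@dataclass
class LimitReqZone:
    rate_per_sec: float
    burst: float
    excess: dict = field(default_factory=dict)  # per-client bucket level
    last: dict = field(default_factory=dict)    # time of the last accepted request
    def excess_after(self, key: str, now: float) -> float:
        if key not in self.last:
            return 0.0  # first request from this client: empty bucket
        drained = self.rate_per_sec * (now - self.last[key])
        return max(0.0, self.excess[key] - drained) + 1.0

def zones_from_annotations(ann: dict) -> list:
    zones = []
    if PREFIX + "limit-rps" in ann:
        rps = float(ann[PREFIX + "limit-rps"])
        zones.append(LimitReqZone(rps, rps * BURST_MULTIPLIER))
    if PREFIX + "limit-rpm" in ann:
        rpm = float(ann[PREFIX + "limit-rpm"])
        zones.append(LimitReqZone(rpm / 60.0, rpm * BURST_MULTIPLIER))
    return zones

def handle(zones: list, client_ip: str, now: float) -> int:
    pending = [(z, z.excess_after(client_ip, now)) for z in zones]
    if any(excess > z.burst for z, excess in pending):
        return 503  # a refused request leaves every bucket untouched, as in nginx
    for z, excess in pending:
        z.excess[client_ip], z.last[client_ip] = excess, now
    return 200

def simulate(burst: int, wait_s: float, follow_up: int, ip: str = "203.0.113.10") -> dict:
    zones = zones_from_annotations(ANNOTATIONS)
    first = [handle(zones, ip, 0.0) for _ in range(burst)]      # instantaneous burst
    later = [handle(zones, ip, wait_s) for _ in range(follow_up)]  # after the bucket drained
    return {"burst_ok": first.count(200), "burst_503": first.count(503),
            "later_ok": later.count(200), "other_client": handle(zones, "198.51.100.7", wait_s)}
```

With limit-rps 50 the rps zone tolerates 250 excess requests, so an instantaneous burst gets 251 accepted and the rest refused, and one second later exactly 50 more fit; the rpm zone (burst 10000) never binds here.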
3.3 CORS Configuration

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cors-ingress
  annotations:
    nginx.ingress.kubernetes.io/enable-cors: "true"
    # "*" allows any origin. Because Authorization is also allowed below, a
    # production API should list its known origins here instead of a wildcard.
    nginx.ingress.kubernetes.io/cors-allow-origin: "*"
    nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, PUT, DELETE, OPTIONS"
    nginx.ingress.kubernetes.io/cors-allow-headers: "Content-Type, Authorization"
spec:
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 80
```
3.4 Preserving the Client IP

```yaml
# In ingress-nginx these are global ConfigMap keys, not per-Ingress annotations;
# the controller reads them from the ConfigMap named by its --configmap flag.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-configuration
  namespace: kube-system
data:
  use-forwarded-headers: "true"           # honour X-Forwarded-* set by the load balancer
  forwarded-for-header: "X-Forwarded-For" # header the client address is read from
  # Ranges whose X-Forwarded-For entries are trusted (nginx set_real_ip_from).
  # 0.0.0.0/0 trusts every peer, so any client can forge its source address and
  # defeat IP-based rate limits or allow-lists; restrict this to the CIDR of the
  # load balancer or proxy that actually sits in front of the controller.
  proxy-real-ip-cidr: "0.0.0.0/0"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ip-preserve-ingress
spec:
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-service
            port:
              number: 80
```
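To make the consequence of proxy-real-ip-cidr concrete, here is an added Python reimplementation of the realip lookup nginx performs for these settings; it is not code from the article or from ingress-nginx. It assumes real_ip_recursive is on, as ingress-nginx configures it, and uses constructed peer addresses and header values.

```python
"""Resolve the client address as nginx's realip module does inside ingress-nginx.

Added example, not from the original article. ingress-nginx renders the ConfigMap
keys use-forwarded-headers, forwarded-for-header and proxy-real-ip-cidr into
real_ip_header, set_real_ip_from and real_ip_recursive on. Re-running that lookup
shows what proxy-real-ip-cidr: "0.0.0.0/0" means: every hop is trusted, so a
client's own header value becomes its "real" IP. All addresses are constructed.
"""
import ipaddress
from typing import List, Optional

def _parse(addr: str):
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None  # nginx stops walking the header at an unparsable entry

def resolve_client_ip(peer_ip: str, xff: Optional[str], trusted_cidrs: List[str]) -> str:
    trusted = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    def is_trusted(ip) -> bool:
        return any(ip in net for net in trusted)
    peer = _parse(peer_ip)
    # realip consults the header only when the TCP peer is in set_real_ip_from
    if not xff or peer is None or not is_trusted(peer):
        return peer_ip
    chosen = peer_ip
    # real_ip_recursive: walk right-to-left, stepping over every trusted proxy
    for hop in reversed([h.strip() for h in xff.split(",")]):
        ip = _parse(hop)
        if ip is None:
            break
        chosen = hop
        if not is_trusted(ip):
            break  # first address not owned by a trusted proxy is the client
    return chosen  # if every hop was trusted this is the leftmost entry

def trust_scope_demo() -> dict:
    """Contrast the article's catch-all CIDR with one scoped to the load balancer subnet."""
    # constructed: a client hitting the node port directly, forging an internal address
    direct, forged = "203.0.113.9", "10.0.0.1"
    # constructed: the same forged header arriving through a load balancer in 10.0.0.0/8,
    # which appended the true client address
    lb, via_lb = "10.0.0.5", "10.0.0.1, 203.0.113.9"
    return {
        "catch_all_direct": resolve_client_ip(direct, forged, ["0.0.0.0/0"]),
        "scoped_direct": resolve_client_ip(direct, forged, ["10.0.0.0/8"]),
        "catch_all_via_lb": resolve_client_ip(lb, via_lb, ["0.0.0.0/0"]),
        "scoped_via_lb": resolve_client_ip(lb, via_lb, ["10.0.0.0/8"]),
    }
```

With the catch-all range both requests resolve to the forged 10.0.0.1; with the range scoped to the load balancer subnet the real 203.0.113.9 is recovered in both cases.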
4. Deploying an Ingress Controller
4.1 NGINX Ingress Controller

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress
  namespace: kube-system
---
# Global settings referenced by --configmap below; the keys used elsewhere in
# this article (for example proxy-real-ip-cidr) belong under data: here.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-configuration
  namespace: kube-system
---
# Deliberately minimal RBAC for illustration. The upstream manifests also grant
# access to ingresses/status, events and leader-election leases. Note that the
# controller reads TLS Secrets cluster-wide, which makes it a high-privilege
# component worth isolating in its own namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nginx-ingress
rules:
- apiGroups: [""]
  resources: ["services", "endpoints", "pods", "configmaps", "secrets"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses", "ingressclasses"]
  verbs: ["get", "list", "watch"]
---
# Without a binding the ServiceAccount holds no permissions at all.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress
subjects:
- kind: ServiceAccount
  name: nginx-ingress
  namespace: kube-system
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress
  namespace: kube-system
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx-ingress
  template:
    metadata:
      labels:
        app: nginx-ingress
    spec:
      serviceAccountName: nginx-ingress
      containers:
      - name: nginx-ingress
        # Pin an explicit version in production; "latest" makes rollouts
        # unreproducible and silently pulls new code on every restart.
        image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:latest
        args:
        - /nginx-ingress-controller
        - --configmap=$(POD_NAMESPACE)/nginx-configuration
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443
```
4.2 Traefik Ingress Controller

Traefik is installed from its Helm chart; the settings below are a Helm values file for chart version 9.18.2.

```yaml
# values.yaml
deployment:
  replicas: 2
service:
  type: LoadBalancer
ingressRoute:
  dashboard:
    # Publishes the Traefik dashboard through an IngressRoute. It lists every
    # router and backend, so leave it disabled or put authentication in front.
    enabled: true
```

```bash
# Chart repository URL assumed to be the current Traefik charts location
helm repo add traefik https://traefik.github.io/charts
helm repo update
helm install traefik traefik/traefik --version 9.18.2 -f values.yaml
```
5. Ingress Best Practices
5.1 Blue-Green Deployment

```yaml
# All traffic goes to the "blue" Service; to cut over, change the backend
# to app-green and re-apply. Rolling back is the same edit in reverse.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: blue-green-ingress
spec:
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-blue
            port:
              number: 80
```
5.2 Canary Release

```yaml
# A canary Ingress only takes effect alongside a primary Ingress for the
# same host and path (blue-green-ingress above); 10% of requests go to
# app-canary and the rest continue to the primary backend.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: canary-ingress
  annotations:
    nginx.ingress.kubernetes.io/canary: "true"
    nginx.ingress.kubernetes.io/canary-weight: "10"
spec:
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-canary
            port:
              number: 80
```
5.3 Header-Based Routing

```yaml
# Requests carrying "X-User-Type: internal" are sent to app-internal; all
# others follow the primary Ingress. ingress-nginx permits only one canary
# Ingress per rule, so in practice put the header and weight annotations
# on the same canary Ingress: the header rule is evaluated before the weight.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: header-routing-ingress
  annotations:
    nginx.ingress.kubernetes.io/canary: "true"
    nginx.ingress.kubernetes.io/canary-by-header: "X-User-Type"
    nginx.ingress.kubernetes.io/canary-by-header-value: "internal"
spec:
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-internal
            port:
              number: 80
```
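The precedence between canary-by-header and canary-weight in sections 5.2 and 5.3 is modelled in the following added Python example, which is not code from the article or from ingress-nginx. It merges the two manifests' annotations into the single canary Ingress that ingress-nginx allows per rule, and takes the random weight draw as a parameter so every decision is deterministic.

```python
"""Decide canary vs. primary the way ingress-nginx's canary annotations do.

Added example, not from the original article. It models the precedence applied
inside one canary Ingress: canary-by-header first, then canary-by-cookie, then
canary-weight. The weight draw is a parameter (ingress-nginx draws a random
integer from 1 to canary-weight-total, default 100) so the decision is testable.
Annotation values come from the article's canary and header-routing manifests,
merged into the single canary that ingress-nginx permits per rule.
"""
PREFIX = "nginx.ingress.kubernetes.io/"
ANNOTATIONS = {
    PREFIX + "canary": "true",
    PREFIX + "canary-by-header": "X-User-Type",
    PREFIX + "canary-by-header-value": "internal",
    PREFIX + "canary-weight": "10",
}

def route_to_canary(annotations: dict, headers: dict, cookies: dict, draw: int) -> bool:
    """True when the request should be sent to the canary backend."""
    a = {k[len(PREFIX):]: v for k, v in annotations.items() if k.startswith(PREFIX)}
    if a.get("canary") != "true":
        return False
    headers = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    # 1. header rule: the literal values always/never, then the configured match value
    name = a.get("canary-by-header")
    header = headers.get(name.lower()) if name else None
    if header is not None:
        if header == "always":
            return True
        if header == "never":
            return False
        if a.get("canary-by-header-value") == header:
            return True
    # 2. cookie rule: only the literal values always/never are honoured
    name = a.get("canary-by-cookie")
    cookie = cookies.get(name) if name else None
    if cookie == "always":
        return True
    if cookie == "never":
        return False
    # 3. weight rule: draw is uniform over [1, total]; draws up to the weight hit the canary
    weight = int(a.get("canary-weight", "0"))
    return draw <= weight

def canary_share(annotations: dict, headers: dict, cookies: dict) -> float:
    """Fraction of requests reaching the canary over every possible weight draw."""
    total = int(annotations.get(PREFIX + "canary-weight-total", "100"))
    hits = sum(route_to_canary(annotations, headers, cookies, d) for d in range(1, total + 1))
    return hits / total
```

Without the header, 10% of draws reach the canary; with "X-User-Type: internal" every request does, regardless of the weight.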
6. Monitoring and Debugging Ingress
6.1 Status Checks

```bash
# Show Ingress status
kubectl get ingress
kubectl describe ingress <ingress-name>
# Show Ingress Controller logs
kubectl logs -n kube-system -l app=nginx-ingress
# Test the routing rules directly against the controller address
curl -H "Host: app.example.com" http://<ingress-ip>/path
```

6.2 Configuration Validation

```bash
# Validate the manifest against the API schema without applying it
kubectl apply --dry-run=client -f ingress.yaml
# Show the nginx configuration the controller generated
kubectl exec -n kube-system <nginx-pod> -- cat /etc/nginx/nginx.conf
```
6.3 Metrics

```yaml
# 10254 is the controller's default health and Prometheus metrics port;
# declare it as a containerPort in the Deployment as well so it can be scraped.
apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress-metrics
  namespace: kube-system
spec:
  selector:
    app: nginx-ingress
  ports:
  - name: metrics
    port: 10254
    targetPort: 10254
```
7. Common Problems and Solutions
7.1 The Ingress Has No Effect
Problem: the service cannot be reached after the Ingress has been applied.
Possible causes:
- the Ingress Controller is not deployed or not ready
- the backend Service is not ready
- DNS resolution problems
- a wrong path configuration
Diagnosis:

```bash
kubectl get pods -n kube-system -l app=nginx-ingress
kubectl get svc -n kube-system nginx-ingress
nslookup app.example.com
```
7.2 TLS Certificate Problems
Problem: the certificate is reported as invalid on HTTPS access.
Possible causes:
- the Secret does not exist or is misconfigured
- the certificate has expired
- the hostname does not match the certificate
Diagnosis:

```bash
# Inspect the Secret the Ingress references
kubectl get secret tls-secret -o yaml
# Check validity dates and subject alternative names
openssl x509 -in /path/to/cert -text -noout
```
7.3 Path Rewrite Problems
Problem: requests return 404 after the path is rewritten.
Possible causes:
- a wrong rewrite-target value
- a regular expression that does not match as intended
- the backend does not serve the rewritten path
Diagnosis:

```bash
# Show the generated location blocks
kubectl exec -n kube-system <nginx-pod> -- grep -A 10 "location" /etc/nginx/nginx.conf
```
8. Performance Tuning
8.1 Connection Reuse

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: optimized-ingress
  annotations:
    # Timeouts in seconds for the connection to the backend
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "10"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "60"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "60"
spec:
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-service
            port:
              number: 80
---
# Upstream keepalive is not a per-Ingress annotation in ingress-nginx;
# it is tuned globally through the controller ConfigMap.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-configuration
  namespace: kube-system
data:
  upstream-keepalive-requests: "10000"   # requests served per kept-alive upstream connection
  upstream-keepalive-timeout: "65"       # seconds an idle upstream connection is kept open
```
8.2 Response Caching

```yaml
# ingress-nginx has no proxy-cache annotations. proxy_cache_path must be declared
# at the http level, so it goes into the controller ConfigMap via http-snippet.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-configuration
  namespace: kube-system
data:
  http-snippet: |
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=static_cache:10m max_size=1g inactive=10m;
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cache-ingress
  annotations:
    # configuration-snippet injects raw nginx directives into the location block.
    # Snippet annotations are disabled by default (allow-snippet-annotations: "false")
    # because they let anyone who can create an Ingress inject arbitrary nginx
    # configuration into the shared controller; enable them only for trusted namespaces.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_cache static_cache;
      proxy_cache_key "$scheme$request_method$host$request_uri";
      proxy_cache_valid 200 10m;
spec:
  rules:
  - host: static.example.com
    http:
      paths:
      - path: /static
        pathType: Prefix
        backend:
          service:
            name: static-service
            port:
              number: 80
```
9. Summary
Ingress is the central component for exposing services from a Kubernetes cluster. Configured well, it provides:
- a single entry point: many services exposed through one IP address
- HTTPS support: SSL/TLS termination and certificate management
- traffic control: rate limiting, circuit breaking and retries
- advanced routing: by path, hostname and header
- deployment strategies: blue-green deployments and canary releases
Choose the Ingress Controller that fits your workload and follow the best practices above when configuring it.
References: Kubernetes Ingress official documentation, NGINX Ingress Controller documentation, Traefik official documentation.