K8S Ingress-nginx: a summary of advanced usage

Posted by myluzh, category: Kubernetes


0x01 Domain redirect (Redirect) with Ingress-nginx

# Key configuration
# annotations:
#   nginx.ingress.kubernetes.io/permanent-redirect: 'https://www.baidu.com/'
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/permanent-redirect: 'https://www.baidu.com'
  name: ingress-xfsh
  namespace: xfsh
spec:
  rules:
    - host: ingress.xfsh.com
      http:
        paths:
          - backend:
              serviceName: ingress-xfsh
              servicePort: 80
            path: /
            pathType: ImplementationSpecific

0x02 Front-end/back-end separation (Rewrite) with Ingress-nginx

# Key configuration
# annotations:
#   nginx.ingress.kubernetes.io/rewrite-target: /$2
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
  name: ingress-xfsh
  namespace: xfsh
spec:
  rules:
    - host: ingress.xfsh.com
      http:
        paths:
          - backend:
              serviceName: ingress-xfsh
              servicePort: 80
            path: /prod-api(/|$)(.*)
            pathType: ImplementationSpecific

If you send a GET request to ingress.xfsh.com/prod-api/code, the Ingress configuration and annotation above cause the request to be rewritten before it reaches the ingress-xfsh service:
original request path: /prod-api/code
rewrite rule: nginx.ingress.kubernetes.io/rewrite-target: /$2
rewritten path: /code
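To see what the annotation above does to a few request paths, here is a small added example (not from the original post) that models ingress-nginx's regex location and rewrite in Python: the path becomes a case-insensitive `location ~* "^/prod-api(/|$)(.*)"` and the annotation a `rewrite` whose `$2` is the second capture group. It assumes the manifest above; the helper name `rewrite` is mine.

```python
import re

# Constructed from the manifest above: the regex path and the rewrite-target value.
INGRESS_PATH = r"/prod-api(/|$)(.*)"
REWRITE_TARGET = "/$2"

def rewrite(request_path, path_regex=INGRESS_PATH, target=REWRITE_TARGET):
    """Return the path the backend receives, or None if the location does not match.

    ingress-nginx renders a regex path as `location ~* "^<path>"` (anchored at the
    start, case-insensitive) and rewrite-target as `rewrite "(?i)<path>" <target> break;`,
    where $1, $2 ... refer to the capture groups of the path.
    """
    m = re.match(path_regex, request_path, re.IGNORECASE)
    if m is None:
        return None            # location not matched: another rule or the default backend
    # substitute nginx-style $n with the captured text; a group that took no part
    # in the match (possible with alternations) substitutes as an empty string
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", target)

if __name__ == "__main__":
    for p in ("/prod-api/code", "/prod-api", "/prod-api/", "/PROD-API/v1/users", "/prod-apix/code"):
        print(f"{p:20} -> {rewrite(p)}")
```

Note that both `/prod-api` and `/prod-api/` are rewritten to `/`, which is what the `(/|$)` alternation is for, while `/prod-apix/code` does not match the location at all.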

0x03 SSL configuration for Ingress-nginx

1. If you have no certificate, you can create a test certificate with openssl, but browsers will not trust it.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.cert -subj "/CN=ingress.xfsh.com/O=ingress.xfsh.com"
kubectl create secret tls ca-ceart --key tls.key --cert tls.cert -n xfsh

2. The yaml for the ssl configuration is as follows:

---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
  name: ingress-xfsh
  namespace: xfsh
spec:
  rules:
    - host: ingress.xfsh.com
      http:
        paths:
          - backend:
              serviceName: ingress-xfsh
              servicePort: 80
            path: /something(/|$)(.*)
            pathType: ImplementationSpecific
  tls:
    - hosts:
        - ingress.xfsh.com
      secretName: ca-ceart

3. Disabling the forced redirect to https

annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"

4. Setting a default certificate (this is a startup argument of the ingress-controller that has to be changed):

--default-ssl-certificate=default/foo-tls

0x04 Blacklist and whitelist configuration

Annotations: take effect only for the specified Ingress.
ConfigMap: takes effect globally.
A blacklist can be configured through the ConfigMap; for a whitelist, Annotations are recommended.

1. Whitelist. A whitelist can be added directly as an annotation or configured in the ConfigMap.
Written as an annotation:

---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: 192.168.0.100
  name: ingress-xfsh
  namespace: xfsh
spec:
  rules:
    - host: ingress.xfsh.com
      http:
        paths:
          - backend:
              serviceName: ingress-xfsh
              servicePort: 80
            path: /
            pathType: ImplementationSpecific

The value may be a fixed IP or a network range (CIDR). Configured in the ConfigMap:

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.1.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.32.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  whitelist-source-range: 10.1.10.0/24

2. Blacklist (there is no dedicated blacklist annotation: the block-cidrs key is only available in the ConfigMap, while a per-Ingress deny list has to go through a server-snippet annotation)
The ConfigMap configuration is as follows:

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.1.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.32.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  whitelist-source-range: 10.1.10.0/24
  block-cidrs: 10.1.10.100

Annotation configuration (deny rules in a server-snippet):

---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/server-snippet: |-
      deny 192.168.0.1;
      deny 192.168.0.100;
      allow all;
  creationTimestamp: null
  name: ingress-xfsh
spec:
  rules:
  - host: ingress.xfsh.com
    http:
      paths:
      - backend:
          serviceName: ingress-xfsh
          servicePort: 80
        path: /
        pathType: ImplementationSpecific
status:
  loadBalancer: {}
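The three rule sets above (annotation whitelist, ConfigMap whitelist plus block-cidrs, and the server-snippet deny list) all end up as nginx `allow`/`deny` directives, which nginx checks in order with the first match winning. The added Python below (my own model, not code from the post or from ingress-nginx) reproduces that evaluation for the addresses used in the post; names such as `parse_rules` and `allowed` are mine. One caveat when mixing the two mechanisms: nginx inherits access rules into a location only when the location declares none of its own, which is why the ingress-nginx documentation notes that a whitelist-source-range annotation overrides the global ConfigMap setting.

```python
import ipaddress

def parse_rules(snippet):
    """Parse nginx 'allow <cidr>;' / 'deny <cidr>;' lines into (action, network) tuples."""
    rules = []
    for line in snippet.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";")
        if not line:
            continue
        action, target = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unsupported access directive: {action}")
        # 'all' matches everything; a bare address is treated as a /32 (or /128)
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules

def whitelist_rules(source_range):
    """Rules ingress-nginx generates for whitelist-source-range: allow each CIDR, then deny all."""
    cidrs = [c.strip() for c in source_range.split(",") if c.strip()]
    return parse_rules("\n".join(f"allow {c};" for c in cidrs) + "\ndeny all;")

def allowed(client_ip, rules):
    """First matching rule wins, as in nginx; with no match at all nginx lets the request through."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or ip in net:
            return action == "allow"
    return True

# Rule sets from the post (constructed here). The block-cidrs deny is placed before
# the whitelist: if the /24 allow came first it would match 10.1.10.100 and the
# deny would never be reached.
CONFIGMAP_RULES = parse_rules("deny 10.1.10.100;") + whitelist_rules("10.1.10.0/24")
SNIPPET_RULES = parse_rules("deny 192.168.0.1;\ndeny 192.168.0.100;\nallow all;")
ANNOTATION_RULES = whitelist_rules("192.168.0.100")

if __name__ == "__main__":
    for ip in ("10.1.10.7", "10.1.10.100", "10.2.0.1"):
        print(f"configmap  {ip:14} -> {'allow' if allowed(ip, CONFIGMAP_RULES) else 'deny (403)'}")
    for ip in ("192.168.0.100", "192.168.0.2"):
        print(f"snippet    {ip:14} -> {'allow' if allowed(ip, SNIPPET_RULES) else 'deny (403)'}")
```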

0x05 Matching request headers with Ingress-nginx

---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/server-snippet: |-
      # flag iPhone clients by User-Agent and send them to the mobile site
      set $agentflag 0;

      if ($http_user_agent ~* "(iPhone)" ){
        set $agentflag 1;
      }

      if ( $agentflag = 1 ) {
        return 301 https://m.xfsh.com;
      }
  creationTimestamp: null
  name: ingress-xfsh
spec:
  rules:
  - host: ingress.xfsh.com
    http:
      paths:
      - backend:
          serviceName: ingress-xfsh
          servicePort: 80
        path: /
        pathType: ImplementationSpecific
status:
  loadBalancer: {}

0x06 Rate limiting with Ingress-nginx

Some parameters related to rate limiting:

nginx.ingress.kubernetes.io/limit-connections: number of concurrent connections allowed from a single IP address. When this limit is exceeded, a 503 error is returned.
nginx.ingress.kubernetes.io/limit-rps: number of requests accepted per second from a given IP. The burst limit is set to this limit multiplied by the burst multiplier, which defaults to 5. When a client exceeds this limit, limit-req-status-code is returned (default: 503).
nginx.ingress.kubernetes.io/limit-rpm: number of requests accepted per minute from a given IP. The burst limit is set to this limit multiplied by the burst multiplier, which defaults to 5. When a client exceeds this limit, limit-req-status-code is returned (default: 503).
nginx.ingress.kubernetes.io/limit-burst-multiplier: multiplier of the rate limit that gives the burst size. The default burst multiplier is 5; this annotation overrides the default. When a client exceeds this limit, limit-req-status-code is returned (default: 503).
nginx.ingress.kubernetes.io/limit-rate-after: initial number of kilobytes after which further transmission of the response to a given connection is rate limited. Must be used with proxy buffering enabled.
nginx.ingress.kubernetes.io/limit-rate: number of kilobytes per second allowed to be sent to a given connection. A value of zero disables rate limiting. Must be used with proxy buffering enabled.
nginx.ingress.kubernetes.io/limit-whitelist: client IP source ranges to exclude from rate limiting. The value is a comma-separated list of CIDRs.

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-nginx
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # annotation values must be strings; limit-rate is an integer number of kilobytes per second
    nginx.ingress.kubernetes.io/limit-rate: "100"
    nginx.ingress.kubernetes.io/limit-whitelist: 10.1.10.100
    nginx.ingress.kubernetes.io/limit-rps: "1"
    nginx.ingress.kubernetes.io/limit-rpm: "30"
spec:
  rules:
  - host: iphone.coolops.cn
    http:
      paths:
      - path: /
        backend:
          serviceName: ng-svc
          servicePort: 80

# nginx.ingress.kubernetes.io/limit-rate: limits the bytes per second transferred to the client
# nginx.ingress.kubernetes.io/limit-whitelist: IPs in the whitelist are not rate limited
# nginx.ingress.kubernetes.io/limit-rps: requests per second from a single IP
# nginx.ingress.kubernetes.io/limit-rpm: requests per minute from a single IP
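As an added illustration (not from the original post), the Python below models the leaky bucket that nginx's limit_req uses, with burst = limit × limit-burst-multiplier and `nodelay` as ingress-nginx configures it, so you can see which of a client's requests would receive the 503 for limit-rps "1" or limit-rpm "30". The class and function names are mine and the request timestamps are constructed.

```python
from typing import List, Optional

class LimitReq:
    """Leaky bucket as used by nginx limit_req with `burst=<n> nodelay`.

    ingress-nginx derives the rate from limit-rps (or limit-rpm) and the burst
    from limit * limit-burst-multiplier (default 5); rejected requests get
    limit-req-status-code, 503 by default.
    """

    def __init__(self, limit: int, per_seconds: int, multiplier: int = 5,
                 status_code: int = 503):
        self.rate = limit / per_seconds     # requests per second
        self.burst = limit * multiplier     # extra requests tolerated in a burst
        self.status_code = status_code
        self.excess = 0.0                   # requests "queued" in the bucket
        self.last: Optional[float] = None   # time of the last accepted request

    def request(self, now: float) -> int:
        """Return the status the request gets: 200, or status_code when rejected."""
        if self.last is None:               # first request from this client key
            self.excess, self.last = 0.0, now
            return 200
        # drain the bucket for the time elapsed, then account for this request
        excess = max(0.0, self.excess - self.rate * (now - self.last)) + 1
        if excess > self.burst:
            return self.status_code         # rejected; bucket state is unchanged
        self.excess, self.last = excess, now
        return 200

def simulate(limit: int, per_seconds: int, times: List[float], multiplier: int = 5) -> List[int]:
    """Status codes for one client sending requests at the given timestamps (seconds)."""
    lr = LimitReq(limit, per_seconds, multiplier)
    return [lr.request(t) for t in times]

if __name__ == "__main__":
    # limit-rps "1": 1 r/s with burst 5, so the 7th request in the same instant is refused
    print(simulate(1, 1, [0.0] * 7))          # [200, 200, 200, 200, 200, 200, 503]
    # after 3 s of silence the bucket has drained three requests' worth again
    print(simulate(1, 1, [0.0] * 7 + [3.0]))  # [..., 503, 200]
    # limit-rpm "30": 0.5 r/s with burst 150
    print(simulate(30, 60, [0.0] * 152)[-2:]) # [200, 503]
```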

0x07 Basic authentication with Ingress-nginx

1. Create the password. I generate it here with the httpd command-line tool (htpasswd).

[root@k8s-master01 ingress]# htpasswd -c auth xfsh
New password:
Re-type new password:
Adding password for user xfsh
[root@k8s-master01 ingress]# ls
auth  tls.cert  tls.key
[root@k8s-master01 ingress]# cat auth
xfsh:$apr1$8LffOJL7$ZIGV4XRNSuginqO5GMxAZ.

2. Create the secret

[root@k8s-master01 ingress]# kubectl create secret generic basic-auth --from-file=auth -n xfsh
secret/basic-auth created

3. Configure the Ingress

---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-realm: Need to login
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-type: basic
  creationTimestamp: null
  name: ingress-xfsh
spec:
  rules:
  - host: ingress.xfsh.com
    http:
      paths:
      - backend:
          serviceName: ingress-xfsh
          servicePort: 80
        path: /
        pathType: ImplementationSpecific
status:
  loadBalancer: {}

Copyright notice: unless otherwise noted, this article is an original work of Myluzh Blog; keep the source when reposting.
Source: https://itho.cn/k8s/372.html