Summary of advanced Ingress-nginx usage on K8s
Posted by myluzh · Reads: 579 · Kubernetes
0x01 Ingress-nginx domain redirect (Redirect)
# Key configuration
# annotations:
#   nginx.ingress.kubernetes.io/permanent-redirect: 'https://www.baidu.com/'
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/permanent-redirect: 'https://www.baidu.com'
  name: ingress-xfsh
  namespace: xfsh
spec:
  rules:
  - host: ingress.xfsh.com
    http:
      paths:
      - backend:
          serviceName: ingress-xfsh
          servicePort: 80
        path: /
        pathType: ImplementationSpecific
0x02 Ingress-nginx front-end/back-end separation (Rewrite)
# Key configuration
# annotations:
#   nginx.ingress.kubernetes.io/rewrite-target: /$2
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
  name: ingress-xfsh
  namespace: xfsh
spec:
  rules:
  - host: ingress.xfsh.com
    http:
      paths:
      - backend:
          serviceName: ingress-xfsh
          servicePort: 80
        path: /prod-api(/|$)(.*)
        pathType: ImplementationSpecific
If you send a GET request to ingress.xfsh.com/prod-api/code, the Ingress configuration and annotation above rewrite the request before it is forwarded to the ingress-xfsh service:
Original request path: /prod-api/code
Rewrite rule: nginx.ingress.kubernetes.io/rewrite-target: /$2
Rewritten path: /code
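As an added example that is not part of the original post, this Python models how the nginx location generated from the Ingress above applies the path regex and the rewrite-target, so the mapping can be checked before the manifest is deployed; it assumes ingress-nginx anchors the regex at the start of the URI and matches case-insensitively (the `location ~* "^..."` form).

```python
import re

# Values taken from the Ingress manifest above.
INGRESS_PATH = r"/prod-api(/|$)(.*)"
REWRITE_TARGET = "/$2"


def rewrite(uri, path_regex=INGRESS_PATH, target=REWRITE_TARGET):
    """Return the upstream path for `uri`, or None when the location does not match.

    Models the anchored, case-insensitive regex location plus the `rewrite`
    that ingress-nginx generates for rewrite-target (an assumption of this model).
    """
    m = re.match(path_regex, uri, re.IGNORECASE)
    if m is None:
        return None
    # Substitute nginx-style $N placeholders with the captured groups;
    # a group that captured nothing becomes the empty string.
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", target)


def routing_table(uris):
    """Map each incoming URI to its upstream path (None = not routed by this Ingress)."""
    return {u: rewrite(u) for u in uris}


if __name__ == "__main__":
    # The (/|$) guard is what keeps /prod-apix/... from being routed to the backend,
    # and the ^ anchor keeps /api/prod-api/... out as well.
    for uri, upstream in routing_table(
        ["/prod-api/code", "/prod-api", "/prod-api/", "/prod-apix/code", "/api/prod-api/code"]
    ).items():
        print(f"{uri:22} -> {upstream}")
```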
0x03 Ingress-nginx SSL configuration
1. If you have no certificate you can create a test certificate with openssl, but browsers will not trust it.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.cert -subj "/CN=ingress.xfsh.com/O=ingress.xfsh.com"
kubectl create secret tls ca-ceart --key tls.key --cert tls.cert -n xfsh
2. The YAML for the SSL configuration is as follows:
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
  name: ingress-xfsh
  namespace: xfsh
spec:
  rules:
  - host: ingress.xfsh.com
    http:
      paths:
      - backend:
          serviceName: ingress-xfsh
          servicePort: 80
        path: /something(/|$)(.*)
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - ingress.xfsh.com
    secretName: ca-ceart
3. Disable the forced redirect to HTTPS:
annotations:
  nginx.ingress.kubernetes.io/ssl-redirect: "false"
4. Set a default certificate by changing the startup arguments of the ingress-controller:
--default-ssl-certificate=default/foo-tls
0x04 Blacklist and whitelist configuration
Annotations: take effect only for the specified Ingress
ConfigMap: take effect globally
A blacklist can be configured through the ConfigMap; a whitelist is best configured through annotations.
1. Whitelist. A whitelist can be written directly as an annotation or configured in the ConfigMap.
Written in an annotation:
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: 192.168.0.100
  name: ingress-xfsh
  namespace: xfsh
spec:
  rules:
  - host: ingress.xfsh.com
    http:
      paths:
      - backend:
          serviceName: ingress-xfsh
          servicePort: 80
        path: /
        pathType: ImplementationSpecific
You can write either a single IP or a CIDR range. Configured in the ConfigMap:
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.1.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.32.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  whitelist-source-range: 10.1.10.0/24
2. Blacklist (a blacklist can only be configured through the ConfigMap)
The ConfigMap configuration is as follows:
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.1.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.32.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  whitelist-source-range: 10.1.10.0/24
  block-cidrs: 10.1.10.100
Annotation configuration:
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/server-snippet: |-
      deny 192.168.0.1;
      deny 192.168.0.100;
      allow all;
  creationTimestamp: null
  name: ingress-xfsh
spec:
  rules:
  - host: ingress.xfsh.com
    http:
      paths:
      - backend:
          serviceName: ingress-xfsh
          servicePort: 80
        path: /
        pathType: ImplementationSpecific
status:
  loadBalancer: {}
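As an added example that is not part of the original post, this Python evaluates a client address against the three sources used in this section (the ConfigMap keys whitelist-source-range and block-cidrs, and the `deny` lines of the server-snippet) the way nginx allow/deny rules decide a request; the sample values are the ones from the manifests above, and the combined evaluation order is this model's assumption.

```python
import ipaddress


def parse_cidrs(value):
    """Parse a comma-separated IP/CIDR list as used by whitelist-source-range and block-cidrs."""
    return [ipaddress.ip_network(v.strip(), strict=False)
            for v in value.split(",") if v.strip()]


def is_allowed(client_ip, whitelist_source_range="", block_cidrs="", snippet_deny=()):
    """Return True if nginx would pass the request, False if it would answer 403.

    - block_cidrs (ConfigMap) and snippet_deny (server-snippet `deny` lines) both
      become nginx `deny` rules: a match rejects the client.
    - whitelist_source_range, when non-empty, becomes `allow` rules followed by
      `deny all`: a client outside every listed range is rejected.
    """
    addr = ipaddress.ip_address(client_ip)
    denied = parse_cidrs(block_cidrs) + parse_cidrs(",".join(snippet_deny))
    if any(addr in net for net in denied):
        return False
    allowed = parse_cidrs(whitelist_source_range)
    if allowed and not any(addr in net for net in allowed):
        return False
    return True


# Values from the ConfigMap and the server-snippet Ingress in this section.
CONFIGMAP = {"whitelist-source-range": "10.1.10.0/24", "block-cidrs": "10.1.10.100"}
SNIPPET_DENY = ("192.168.0.1", "192.168.0.100")


def decide(client_ip):
    """Decision for the combined configuration shown above."""
    return is_allowed(client_ip, CONFIGMAP["whitelist-source-range"],
                      CONFIGMAP["block-cidrs"], SNIPPET_DENY)


if __name__ == "__main__":
    for ip in ["10.1.10.50", "10.1.10.100", "192.168.0.100", "172.16.0.9"]:
        print(ip, "allowed" if decide(ip) else "403")
```

The decision is only as good as the client address nginx sees: behind a load balancer that does not preserve the client IP, every request appears to come from the balancer and the lists are matched against that address instead.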
0x05 Ingress-nginx matching on request headers
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/server-snippet: |-
      set $agentflag 0;
      if ($http_user_agent ~* "(iPhone)" ){
        set $agentflag 1;
      }
      if ( $agentflag = 1 ) {
        return 301 https://m.xfsh.com;
      }
  creationTimestamp: null
  name: ingress-xfsh
spec:
  rules:
  - host: ingress.xfsh.com
    http:
      paths:
      - backend:
          serviceName: ingress-xfsh
          servicePort: 80
        path: /
        pathType: ImplementationSpecific
status:
  loadBalancer: {}
0x06 Ingress-nginx rate limiting
Some parameters related to rate limiting:
nginx.ingress.kubernetes.io/limit-connections: number of concurrent connections allowed from a single IP address. When this limit is exceeded, a 503 error is returned.
nginx.ingress.kubernetes.io/limit-rps: number of requests accepted per second from a given IP. The burst limit is set to this limit multiplied by the burst multiplier, whose default is 5. When a client exceeds this limit, limit-req-status-code (default 503) is returned.
nginx.ingress.kubernetes.io/limit-rpm: number of requests accepted per minute from a given IP. The burst limit is set to this limit multiplied by the burst multiplier, whose default is 5. When a client exceeds this limit, limit-req-status-code (default 503) is returned.
nginx.ingress.kubernetes.io/limit-burst-multiplier: multiplier of the limit rate used for the burst size. The default burst multiplier is 5; this annotation overrides the default. When a client exceeds this limit, limit-req-status-code (default 503) is returned.
nginx.ingress.kubernetes.io/limit-rate-after: initial number of kilobytes after which further transmission of the response to a given connection is rate limited. Must be used with proxy buffering enabled.
nginx.ingress.kubernetes.io/limit-rate: number of kilobytes per second allowed to be sent to a given connection. A value of zero disables rate limiting. Must be used with proxy buffering enabled.
nginx.ingress.kubernetes.io/limit-whitelist: client IP source ranges to exclude from rate limiting. The value is a comma-separated list of CIDRs.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-nginx
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/limit-rate: 100K
    nginx.ingress.kubernetes.io/limit-whitelist: 10.1.10.100
    nginx.ingress.kubernetes.io/limit-rps: "1"
    nginx.ingress.kubernetes.io/limit-rpm: "30"
spec:
  rules:
  - host: iphone.coolops.cn
    http:
      paths:
      - path:
        backend:
          serviceName: ng-svc
          servicePort: 80
# nginx.ingress.kubernetes.io/limit-rate: limits the number of bytes per second transferred to a client
# nginx.ingress.kubernetes.io/limit-whitelist: IPs in the whitelist are not rate limited
# nginx.ingress.kubernetes.io/limit-rps: connections per second for a single IP
# nginx.ingress.kubernetes.io/limit-rpm: connections per minute for a single IP
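As an added example that is not part of the original post, this Python is a simplified model of the nginx limit_req leaky bucket that ingress-nginx configures for limit-rps (burst = rps × burst multiplier, nodelay) together with the limit-whitelist bypass, run over a constructed burst of requests; the values are the ones from the manifest above (limit-rps 1, limit-whitelist 10.1.10.100), and the bucket arithmetic is this model's rendering of nginx's behaviour.

```python
import ipaddress


def limit_req(requests, rps, burst_multiplier=5, limit_whitelist=""):
    """Model of `limit_req ... burst=<rps*multiplier> nodelay` as emitted for limit-rps.

    `requests` is a list of (client_ip, timestamp_ms) in non-decreasing time order.
    Returns one HTTP status per request: 200 (passed) or 503 (limit-req-status-code default).
    """
    whitelist = [ipaddress.ip_network(c.strip(), strict=False)
                 for c in limit_whitelist.split(",") if c.strip()]
    rate = rps * 1000                       # nginx keeps rate and excess in thousandths
    burst = rps * burst_multiplier * 1000   # burst multiplier, default 5
    buckets = {}                            # per-client (excess, last_seen_ms), like the zone
    statuses = []
    for ip, now in requests:
        if any(ipaddress.ip_address(ip) in net for net in whitelist):
            statuses.append(200)            # limit-whitelist: excluded from rate limiting
            continue
        if ip not in buckets:
            buckets[ip] = (0, now)          # first request from this client: accepted
            statuses.append(200)
            continue
        excess, last = buckets[ip]
        # Leak what has drained since the last request, then add this request.
        excess = max(excess - rate * (now - last) // 1000 + 1000, 0)
        if excess > burst:
            statuses.append(503)            # over the burst: rejected, bucket left untouched
            continue
        buckets[ip] = (excess, now)
        statuses.append(200)
    return statuses


def burst_from_one_client(n, ip="10.1.10.200", at_ms=0):
    """Constructed input: n requests from one client in the same millisecond."""
    return [(ip, at_ms)] * n


if __name__ == "__main__":
    # limit-rps: 1 and limit-whitelist: 10.1.10.100, as in the manifest above.
    print(limit_req(burst_from_one_client(10), rps=1, limit_whitelist="10.1.10.100"))
    print(limit_req(burst_from_one_client(10, ip="10.1.10.100"), rps=1, limit_whitelist="10.1.10.100"))
```

With limit-rps 1 the burst is 5, so an instantaneous flood from one address gets the first request plus five burst requests through and the rest are answered 503 until the bucket drains at one request per second.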
0x07 Ingress-nginx basic authentication
1. Create the password file; here I generate it with the httpd command-line tool htpasswd.
[root@k8s-master01 ingress]# htpasswd -c auth xfsh
New password:
Re-type new password:
Adding password for user xfsh
[root@k8s-master01 ingress]# ls
auth tls.cert tls.key
[root@k8s-master01 ingress]# cat auth
xfsh:$apr1$8LffOJL7$ZIGV4XRNSuginqO5GMxAZ.
2. Create the secret
[root@k8s-master01 ingress]# kubectl create secret generic basic-auth --from-file=auth -n xfsh
secret/basic-auth created
3. Configure the Ingress
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-realm: Need to login
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-type: basic
  creationTimestamp: null
  name: ingress-xfsh
spec:
  rules:
  - host: ingress.xfsh.com
    http:
      paths:
      - backend:
          serviceName: ingress-xfsh
          servicePort: 80
        path: /
        pathType: ImplementationSpecific
status:
  loadBalancer: {}