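02 - Ingress in Detail

Why do we need Ingress?

NodePort and LoadBalancer both have limitations:
- NodePort: limited port range, and the URLs are not pretty
- LoadBalancer: one public IP per Service, which is costly

Ingress provides layer-7 routing, serving multiple backends through a single entry point: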
```
Internet → Ingress Controller (single entry point)
    │
    ├── /api/*   → API Service
    ├── /web/*   → Web Service
    └── /admin/* → Admin Service

Or by domain name:
    ├── api.example.com   → API Service
    ├── www.example.com   → Web Service
    └── admin.example.com → Admin Service
```

The two parts of Ingress
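1. Ingress Controller (does the actual work)
   - Must be installed separately
   - Most common: Nginx Ingress Controller, Traefik, HAProxy
   - Alibaba Cloud ACK has a built-in ALB Ingress Controller
2. Ingress resource (the routing rule definitions)
   - Routing rules are declared in YAML
   - The Ingress Controller watches for these rules and applies them

Installing the Nginx Ingress Controller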
```bash
# Install on Docker Desktop
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.10.0/deploy/static/provider/cloud/deploy.yaml

# Verify the installation
kubectl get pods -n ingress-nginx
kubectl get svc -n ingress-nginx
```

Ingress resource examples
Path-based routing

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  annotations:
    # Applies to every path in this Ingress. With ingress-nginx, a target
    # of "/" without capture groups rewrites each matched request path to "/".
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx
  rules:
    - host: myapp.local
      http:
        paths:
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: api-service
                port:
                  number: 5000
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web-service
                port:
                  number: 80
```

Host-based routing
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: multi-host-ingress
spec:
  ingressClassName: nginx
  rules:
    - host: api.myapp.local
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api-service
                port:
                  number: 5000
    - host: web.myapp.local
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web-service
                port:
                  number: 80
```

TLS termination
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - myapp.example.com
      # Secret of type kubernetes.io/tls in the same namespace as this Ingress
      secretName: tls-secret
  rules:
    - host: myapp.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web-service
                port:
                  number: 80
```

pathType explained
| Type | Description | Example |
|---|---|---|
| Prefix | Prefix match | /api matches /api and /api/v1 |
| Exact | Exact match | /api matches only /api |
| ImplementationSpecific | Decided by the Controller | Depends on the specific implementation |
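
The matching rules in the table above, as an added example that is not part of the original page. It follows the Kubernetes API definition of `Prefix` (element-by-element, case-sensitive) and `Exact`, plus the documented precedence (longest matching path first, `Exact` over `Prefix` on a tie); a given controller may behave differently. The rule set and the `admin-service` name are constructed for illustration.

```python
# Added example: Ingress path matching per the Kubernetes API definition.
# RULES is constructed sample data; admin-service is a hypothetical backend.

def _elements(path):
    # "/api/v1/" -> ["api", "v1"]; a trailing slash is ignored for Prefix.
    return [p for p in path.split("/") if p]

def path_matches(rule_path, path_type, request_path):
    """Return True if request_path matches one Ingress path rule."""
    if path_type == "Exact":
        return request_path == rule_path        # case-sensitive, no slash folding
    if path_type == "Prefix":
        rule, req = _elements(rule_path), _elements(request_path)
        return req[:len(rule)] == rule          # whole path elements, not substrings
    # ImplementationSpecific depends on the controller; not modelled here.
    raise ValueError(f"unsupported pathType: {path_type}")

def route(rules, request_path):
    """Pick the backend: longest matching path wins, Exact beats Prefix on a tie."""
    candidates = [r for r in rules
                  if path_matches(r["path"], r["pathType"], request_path)]
    if not candidates:
        return None
    best = max(candidates,
               key=lambda r: (len(r["path"]), r["pathType"] == "Exact"))
    return best["service"]

RULES = [
    {"path": "/api", "pathType": "Prefix", "service": "api-service"},
    {"path": "/admin", "pathType": "Exact", "service": "admin-service"},
    {"path": "/", "pathType": "Prefix", "service": "web-service"},
]

if __name__ == "__main__":
    for p in ["/api", "/api/v1", "/apiv2", "/API",
              "/admin", "/admin/", "/admin/users"]:
        print(f"{p:14} -> {route(RULES, p)}")
```

With these rules `/admin/` and `/admin/users` fall through to the catch-all `/` backend, so any access control attached only to the `Exact` rule does not cover them.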
Common annotations

```yaml
annotations:
  # Rewrite the path ($1 refers to a regex capture group in the rule's path)
  nginx.ingress.kubernetes.io/rewrite-target: /$1
  # SSL redirect
  nginx.ingress.kubernetes.io/ssl-redirect: "true"
  # Upload size limit
  nginx.ingress.kubernetes.io/proxy-body-size: "50m"
  # Timeout setting (seconds)
  nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
  # Rate limiting (requests per second per client IP)
  nginx.ingress.kubernetes.io/limit-rps: "10"
  # CORS
  nginx.ingress.kubernetes.io/enable-cors: "true"
```

Local testing (edit the hosts file)
```bash
# Add local domain name resolution
echo "127.0.0.1 myapp.local api.myapp.local web.myapp.local" | sudo tee -a /etc/hosts

# Access the services
curl http://myapp.local/api
curl http://web.myapp.local
```

Hands-on exercise
See the Ingress YAML files in the ../manifests/ directory.
