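Ingress
1. Ingress Overview
Ingress is the Kubernetes API object that manages external access to services in a cluster. It provides HTTP/HTTPS routing, load balancing, TLS termination and related functions.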
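1.1 Ingress Features
```text
Ingress features
│
├── HTTP/HTTPS routing
│   ├── Path-based routing
│   └── Host-based routing
│
├── TLS termination
│   └── SSL/TLS certificate management
│
├── Load balancing
│   └── Traffic distribution
│
└── Virtual hosting
    └── Multi-domain hosting
```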
1.2 Ingress Architecture
```text
Ingress architecture
│
├── Client request
│
├── Ingress Controller
│   ├── Nginx Ingress
│   ├── Traefik
│   ├── HAProxy
│   └── Kong
│
├── Ingress rules
│   └── Routing configuration
│
└── Service
    └── Backend service
```
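2. Installing an Ingress Controller
2.1 Installing Nginx Ingress
```bash
# Install with Helm (into the ingress-nginx namespace, which the verification commands in 2.2 query)
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install ingress-nginx ingress-nginx/ingress-nginx \
  --namespace ingress-nginx --create-namespace
# Or install from the YAML manifest
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.0/deploy/static/provider/cloud/deploy.yaml
```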
2.2 Verifying the Installation
```bash
# List the Ingress Controller Pods
kubectl get pods -n ingress-nginx
# List the Ingress Controller Service
kubectl get svc -n ingress-nginx
# List the Ingress classes
kubectl get ingressclass
```
3. Creating an Ingress
3.1 Basic Example
```yaml
# basic-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: basic-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-service
            port:
              number: 80
```
```bash
# Create the Ingress
kubectl apply -f basic-ingress.yaml
# List Ingresses
kubectl get ingress
# Example output
# NAME            CLASS   HOSTS         ADDRESS        PORTS   AGE
# basic-ingress   nginx   example.com   192.168.1.10   80      1m
```
3.2 Multi-Path Routing
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: multi-path-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: example.com
    http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 8080
      - path: /web
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80
      - path: /
        pathType: Prefix
        backend:
          service:
            name: default-service
            port:
              number: 80
```
3.3 Multi-Host Routing
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: multi-host-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 8080
  - host: web.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80
```
4. Path Types
4.1 PathType Reference
| Type | Description |
|---|---|
| Exact | Exact match |
| Prefix | Prefix match |
| ImplementationSpecific | Implementation-specific |
4.2 Path Matching Examples
```yaml
paths:
# Exact: exact match
- path: /exact
  pathType: Exact
  backend:
    service:
      name: exact-service
      port:
        number: 80
# Prefix: prefix match
- path: /api
  pathType: Prefix
  backend:
    service:
      name: api-service
      port:
        number: 80
```
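The Exact and Prefix rules can be modelled in a few lines. The following is an added example, not part of the original page: it applies the Kubernetes matching rules (Prefix compares whole path elements, the longest match wins, Exact beats Prefix on a tie) to the routes from sections 3.2 and 4.2. The function names and the `ROUTES` list are constructed for illustration.

```python
# Added example: a model of the Ingress path-matching rules for the Exact and
# Prefix path types. ImplementationSpecific is left to the controller.

def _elements(path):
    """Split a URL path into its non-empty '/'-separated elements."""
    return [e for e in path.split("/") if e]

def path_matches(rule_path, path_type, request_path):
    if path_type == "Exact":
        # Case-sensitive full match; "/exact/" does not match "/exact".
        return request_path == rule_path
    if path_type == "Prefix":
        # Compared element by element, so "/api" does not match "/apix".
        rule = _elements(rule_path)
        return _elements(request_path)[:len(rule)] == rule
    raise ValueError("ImplementationSpecific matching depends on the controller")

def select_backend(paths, request_path):
    """Return the service for request_path, or None if no rule matches.

    paths is a list of (path, pathType, service). The rule with the most
    path elements wins; on a tie, Exact takes precedence over Prefix.
    """
    hits = [p for p in paths if path_matches(p[0], p[1], request_path)]
    if not hits:
        return None
    best = max(hits, key=lambda p: (len(_elements(p[0])), p[1] == "Exact"))
    return best[2]

# Constructed rule set: the three Prefix rules of multi-path-ingress plus the
# Exact rule from section 4.2.
ROUTES = [
    ("/api", "Prefix", "api-service"),
    ("/web", "Prefix", "web-service"),
    ("/", "Prefix", "default-service"),
    ("/exact", "Exact", "exact-service"),
]

if __name__ == "__main__":
    for req in ["/api", "/api/users", "/apix", "/web/", "/exact", "/exact/", "/"]:
        print(f"{req:12} -> {select_backend(ROUTES, req)}")
```

A request for `/apix` or `/exact/` falls through to the catch-all `/` rule, which is why the backend behind `/` should not assume it only ever receives root-level traffic.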
5. TLS Configuration
5.1 Creating a TLS Secret
```bash
# Create the TLS Secret
kubectl create secret tls tls-secret \
  --cert=path/to/cert.crt \
  --key=path/to/cert.key
```
5.2 Configuring a TLS Ingress
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - example.com
    - www.example.com
    secretName: tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-service
            port:
              number: 80
```
5.3 Multiple Certificates
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: multi-tls-ingress
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - api.example.com
    secretName: api-tls-secret
  - hosts:
    - web.example.com
    secretName: web-tls-secret
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 8080
  - host: web.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80
```
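The hosts under `spec.tls` and the hosts under `spec.rules` are maintained separately and can drift apart. The following added example (not from the original page; function and finding names are hypothetical) compares the two lists, run here on constructed copies of the host fields of basic-ingress (3.1) and tls-ingress (5.2). On tls-ingress it reports `www.example.com`, which has a certificate entry but no routing rule.

```python
# Added example: compare the hosts in spec.rules with the hosts in spec.tls.

def host_covered(rule_host, tls_host):
    """True if tls_host names rule_host; '*.x' covers exactly one extra label."""
    if tls_host.startswith("*."):
        suffix = tls_host[1:]                      # e.g. ".example.com"
        label = rule_host[:-len(suffix)]
        return rule_host.endswith(suffix) and label != "" and "." not in label
    return rule_host == tls_host

def audit_tls(ingress):
    """Return a list of (finding, host) tuples for one Ingress manifest (dict)."""
    spec = ingress.get("spec", {})
    tls_hosts = [h for t in spec.get("tls", []) for h in t.get("hosts", [])]
    rule_hosts = [r["host"] for r in spec.get("rules", []) if "host" in r]
    findings = []
    # Hosts that are routed but have no TLS entry.
    for host in rule_hosts:
        if not any(host_covered(host, t) for t in tls_hosts):
            findings.append(("rule-without-tls", host))
    # Hosts that have a TLS entry but no routing rule.
    for t in tls_hosts:
        if not any(host_covered(host, t) for host in rule_hosts):
            findings.append(("tls-without-rule", t))
    return findings

# Constructed inputs: only the host and TLS fields of the page's manifests.
BASIC_INGRESS = {"spec": {"rules": [{"host": "example.com"}]}}
TLS_INGRESS = {"spec": {
    "tls": [{"hosts": ["example.com", "www.example.com"],
             "secretName": "tls-secret"}],
    "rules": [{"host": "example.com"}],
}}

if __name__ == "__main__":
    for name, manifest in [("basic-ingress", BASIC_INGRESS),
                           ("tls-ingress", TLS_INGRESS)]:
        print(name, audit_tls(manifest))
```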
6. Annotations
6.1 Nginx Ingress Annotations
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: annotated-ingress
  annotations:
    # A fixed rewrite target sends every matched request to "/";
    # capture the sub-path in a regex group to preserve it.
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "60"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "60"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "60"
spec:
  ingressClassName: nginx
  rules:
  - host: example.com
    http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 8080
```
6.2 Common Annotations
| Annotation | Description |
|---|---|
| rewrite-target | Rewrite the target path |
| ssl-redirect | SSL redirect |
| proxy-body-size | Request body size limit |
| proxy-connect-timeout | Connection timeout |
| proxy-send-timeout | Send timeout |
| proxy-read-timeout | Read timeout |
| limit-rate | Rate limit |
| limit-connections | Connection limit |
6.3 Authentication
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: auth-ingress
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  ingressClassName: nginx
  rules:
  - host: secure.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: secure-service
            port:
              number: 80
```
```bash
# Create the authentication Secret (the file is named auth so that the Secret key is auth)
htpasswd -c auth admin
kubectl create secret generic basic-auth --from-file=auth
```
7. Default Backend
7.1 Default Backend Configuration
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: default-backend-ingress
spec:
  ingressClassName: nginx
  defaultBackend:
    service:
      name: default-http-backend
      port:
        number: 80
```
7.2 Custom Error Pages
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: default-http-backend
spec:
  replicas: 1
  selector:
    matchLabels:
      app: default-http-backend
  template:
    metadata:
      labels:
        app: default-http-backend
    spec:
      containers:
      - name: default-http-backend
        image: gcr.io/google_containers/defaultbackend:1.4
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: default-http-backend
spec:
  selector:
    app: default-http-backend
  ports:
  - port: 80
    targetPort: 8080
```
8. Complete Configuration Example
8.1 Production-Grade Ingress
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: production-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "60"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "60"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "60"
    # 100 requests per minute per client IP
    nginx.ingress.kubernetes.io/limit-rpm: "100"
spec:
  # Replaces the deprecated kubernetes.io/ingress.class annotation
  ingressClassName: nginx
  tls:
  - hosts:
    - api.example.com
    - www.example.com
    secretName: production-tls
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /v1
        pathType: Prefix
        backend:
          service:
            name: api-v1-service
            port:
              number: 8080
      - path: /v2
        pathType: Prefix
        backend:
          service:
            name: api-v2-service
            port:
              number: 8080
  - host: www.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80
```
9. Managing Ingress
9.1 Viewing Ingresses
```bash
# List Ingresses
kubectl get ingress
# Show Ingress details
kubectl describe ingress <ingress-name>
# Show the Ingress YAML
kubectl get ingress <ingress-name> -o yaml
```
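9.2 Testing an Ingress
```bash
# Get the Ingress address
kubectl get ingress
# Test HTTP access
curl -H "Host: example.com" http://<ingress-ip>
# Test HTTPS access. --resolve makes curl send example.com as the SNI name, so the
# controller serves that host's certificate. -k skips certificate verification;
# drop it once the certificate is trusted.
curl -k --resolve example.com:443:<ingress-ip> https://example.com/
# Add a local hosts entry (requires root)
echo "<ingress-ip> example.com" | sudo tee -a /etc/hosts
```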
10. Troubleshooting
10.1 Common Checks
```bash
# View the Ingress Controller logs
kubectl logs -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx
# View Ingress events
kubectl describe ingress <ingress-name>
# Check the backend Service
kubectl get svc <service-name>
kubectl get endpoints <service-name>
# Test connectivity to the backend
kubectl run test --image=busybox --restart=Never --rm -it -- wget -qO- <service-name>:<port>
```
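10.2 Problem Diagnosis
| Problem | Cause | Solution |
|---|---|---|
| 404 error | Path does not match | Check the path configuration |
| 502 error | Backend service unavailable | Check the Service and Pods |
| 503 error | Backend service has no Pods | Check Pod status |
| SSL error | Certificate problem | Check the TLS Secret |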
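11. Summary
11.1 Key Points
| Key point | Description |
|---|---|
| Ingress Controller | Must be installed first |
| Routing rules | Based on host and path |
| TLS | Certificates are stored in a Secret |
| Annotations | Configure extended features |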
11.2 Next Steps
With Ingress covered, the next topic is network policies, which control network communication between Pods.
Last updated: 2026-03-28