Last updated:2021-05-11 10:41:27
An Ingress is a collection of rules for authorizing access to Services in a cluster. You can configure forwarding rules to redirect different URLs to different Services in the cluster. This implements the business routing mechanism at the HTTP layer.
To ensure proper running of an Ingress, an Ingress Controller must be deployed within a cluster to provide a unified portal for all backend Services. This example uses Traefik as the Ingress Controller in the cluster. The YAML file for deploying Traefik is as follows:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
- apiGroups:
  - ""
  resources:
  - services
  - endpoints
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
      name: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      nodeSelector:
        kubernetes.io/role: "node"
      tolerations:
      - operator: Exists
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      - image: hub.kce.ksyun.com/ksyun/traefik:v1.6.5-mp
        name: traefik-ingress-lb
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
        - --entryPoints=Name:https Address::443 TLS
        - --entryPoints=Name:http Address::80
        - --defaultentrypoints=https,http
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  type: LoadBalancer
  ports:
  - protocol: TCP
    port: 80
    name: web
  - protocol: TCP
    port: 443
    name: tls
  - protocol: TCP
    port: 8080
    name: admin
To allow the Traefik Service to be accessed outside the cluster, you need to change the access type of the Service corresponding to the Traefik Ingress Controller to LoadBalancer.
Check the deployment of Traefik.
[root@vm10-0-33-13 ~]# kubectl get ds -n kube-system | grep traefik
traefik-ingress-controller 2 2 2 2 2 kubernetes.io/role=node 3m16s
Check the corresponding Service.
[root@vm10-0-33-13 ~]# kubectl get svc -n kube-system | grep traefik
traefik-ingress-service LoadBalancer 10.254.67.8 120.92.123.155 80:32676/TCP,443:31720/TCP,8080:31840/TCP 105m
The Traefik Ingress Controller is exposed to the Internet through Kingsoft Cloud SLB. Ports 80, 8080, and 443 are enabled. Ports 80 and 443 are service ports, and port 8080 is a UI port. You can access the UI of Traefik by using the IP address and port 8080 of SLB.
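The Service above publishes port 8080 through the SLB together with the service ports, and the Traefik 1.x UI enabled by --api has no authentication unless one is configured for it. The following variant, an added example that is not part of the original page, keeps ports 80 and 443 on the LoadBalancer Service and moves the UI port to a cluster-internal Service; the Service name traefik-admin and the port-forward workflow are assumptions.

```yaml
# Added example, not from the original page.
# Public entry: only the service ports are published through the SLB.
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  type: LoadBalancer
  ports:
  - protocol: TCP
    port: 80
    name: web
  - protocol: TCP
    port: 443
    name: tls
---
# UI/API port: reachable only from inside the cluster.
kind: Service
apiVersion: v1
metadata:
  name: traefik-admin        # hypothetical name, not used elsewhere on this page
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  type: ClusterIP
  ports:
  - protocol: TCP
    port: 8080
    name: admin
# To open the UI from an administrator workstation, forward the port locally:
#   kubectl -n kube-system port-forward svc/traefik-admin 8080:8080
# and browse to http://127.0.0.1:8080
```

With this layout, kubectl get svc -n kube-system should list ports 80 and 443 only on the LoadBalancer entry.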
Two applications are created for testing.
The hello-world.yaml file is as follows:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: hello-world
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: hello-world
    spec:
      containers:
      - name: hello-world
        image: hub.kce.ksyun.com/kingsoft/hello-world:latest
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: hello-world
  name: hello-world-svc
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: hello-world
  type: ClusterIP
The hello-k8s.yaml file is as follows:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: hello-k8s
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: hello-k8s
    spec:
      containers:
      - name: hello-k8s
        image: hub.kce.ksyun.com/kingsoft/hello-k8s:latest
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: hello-k8s
  name: hello-k8s-svc
spec:
  ports:
  - port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    app: hello-k8s
  type: ClusterIP
Create the corresponding Deployment and Service.
[root@vm10-0-33-13 hello]# kubectl create -f hello-k8s.yaml
deployment.extensions/hello-k8s created
service/hello-k8s-svc created
[root@vm10-0-33-13 hello]# kubectl create -f hello-world.yaml
deployment.extensions/hello-world created
service/hello-world-svc created
[root@vm10-0-33-13 hello]# kubectl get deploy
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
hello-k8s 1 1 1 1 5m2s
hello-world 1 1 1 1 4m50s
[root@vm10-0-33-13 hello]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
hello-k8s-svc ClusterIP 10.254.131.29 <none> 8080/TCP 5m31s
hello-world-svc ClusterIP 10.254.244.96 <none> 80/TCP 5m19s
kubernetes ClusterIP 10.254.0.1 <none> 443/TCP 52d
An Ingress policy can be configured based on different distribution methods to achieve flexible distribution. The following section describes common Ingress forwarding policies.
Typically, this configuration is used when a website uses different URLs to provide different Services.
Access configuration:
http://my.k8s.traefik/hello-k8s is routed to the backend Service named "hello-k8s-svc".
http://my.k8s.traefik/hello-world is routed to the backend Service named "hello-world-svc".
The ingress.yaml file is as follows:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-k8s-traefik
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.frontend.rule.type: PathPrefixStrip
spec:
  rules:
  - host: my.k8s.traefik
    http:
      paths:
      - path: /hello-world
        backend:
          serviceName: hello-world-svc
          servicePort: 80
      - path: /hello-k8s
        backend:
          serviceName: hello-k8s-svc
          servicePort: 8080
Create an Ingress policy.
[root@vm10-0-33-13 hello]# kubectl create -f ingress.yaml
ingress.extensions/my-k8s-traefik created
[root@vm10-0-33-13 hello]# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
my-k8s-traefik my.k8s.traefik 80 73s
Notes:
traefik.frontend.rule.type: PathPrefixStrip.
The following figures show access verification in a browser.
Typically, this configuration is used when a website uses different domains or virtual hosts to provide different Services.
Access configuration:
http://traefik.hello.k8s is routed to the backend Service named "hello-k8s-svc".
http://traefik.hello.world is routed to the backend Service named "hello-world-svc".
The ingress2.yaml file is as follows:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-k8s-traefik-1
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik.hello.k8s
    http:
      paths:
      - path: /
        backend:
          serviceName: hello-k8s-svc
          servicePort: 8080
  - host: traefik.hello.world
    http:
      paths:
      - path: /
        backend:
          serviceName: hello-world-svc
          servicePort: 80
[root@vm10-0-33-13 hello]# kubectl create -f ingress2.yaml
ingress.extensions/my-k8s-traefik-1 created
[root@vm10-0-33-13 hello]# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
my-k8s-traefik-1 traefik.hello.k8s,traefik.hello.world 80 21s
The following figures show access verification in a browser.
You can check the configured Ingress policy on the UI of Traefik.
For more information about Traefik, see Kubernetes Ingress Controller.