1. Ingress authentication configuration

Official reference: https://kubernetes.github.io/ingress-nginx/examples/auth/basic/

1.1 Configure basic authentication (auth)

On the master (server1), install the tool:
yum install -y httpd-tools


[kubeadm@server1 ~]$ cd mainfest/
[kubeadm@server1 mainfest]$  htpasswd -c auth red ## create the user auth file; -c overwrites an existing file
New password: 
Re-type new password: 
Adding password for user red
[kubeadm@server1 mainfest]$ ls
auth         cronjob.yml    deployment.yml  ingress.yml  job.yml           pod2.yml  rs.yml       tls.crt  tls.yml
calico.yaml  daemonset.yml  deploy.yaml     init.yml     kube-flannel.yml  pod.yml   service.yml  tls.key
[kubeadm@server1 mainfest]$  kubectl create secret generic basic-auth --from-file=auth 
secret/basic-auth created ## the credentials are injected into the container through the secret volume
[kubeadm@server1 mainfest]$ kubectl get secrets 
NAME                  TYPE                                  DATA   AGE
basic-auth            Opaque                                1      12s
default-token-5qqxc   kubernetes.io/service-account-token   3      8d
tls-secret            kubernetes.io/tls                     2      14h
[kubeadm@server1 mainfest]$ kubectl get secrets basic-auth -o yaml
apiVersion: v1
data:
  auth: cmVkOiRhcHIxJEdmMU9Tb3JqJG5jUy9TZGFrRkxsbThwejZtNDdhLzAK
kind: Secret
metadata:
  creationTimestamp: "2020-06-27T09:51:46Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:auth: {}
      f:type: {}
    manager: kubectl
    operation: Update
    time: "2020-06-27T09:51:46Z"
  name: basic-auth
  namespace: default
  resourceVersion: "361577"
  selfLink: /api/v1/namespaces/default/secrets/basic-auth
  uid: 08b86093-539a-4c39-9a05-b7e9fbb9ec41
type: Opaque
[kubeadm@server1 mainfest]$ kubectl describe secrets basic-auth 
Name:         basic-auth
Namespace:    default
Labels:       <none>
Annotations:  <none>
Type:  Opaque
Data
====
auth:  42 bytes
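
An added check, not part of the original post: decode the Secret's auth value and report which hash scheme each htpasswd entry uses, so entries stored as unsalted SHA-1, DES crypt or plaintext stand out. The base64 string is the one printed by kubectl above; the function names and the second sample file are constructed for this example.

```shell
#!/bin/sh
# Added example: report the hash scheme of each htpasswd entry in a basic-auth Secret.

# Value of data.auth as printed by `kubectl get secrets basic-auth -o yaml` above.
PAGE_AUTH_B64='cmVkOiRhcHIxJEdmMU9Tb3JqJG5jUy9TZGFrRkxsbThwejZtNDdhLzAK'

# Constructed htpasswd content (hypothetical users, dummy hashes) in other formats.
SAMPLE_HTPASSWD='alice:$2y$05$CONSTRUCTEDxBCRYPTxHASHxVALUExNOTxREAL0000000000000000
bob:{SHA}Y29uc3RydWN0ZWQtc2FtcGxlLXg=
carol:$apr1$constrct$CONSTRUCTEDxSAMPLExHASH
broken-line-without-colon'

# Map one hash field to a scheme name by its prefix.
hash_scheme() {
    case "$1" in
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        '$apr1$'*)  echo apr1-md5 ;;
        '$5$'*)     echo sha256-crypt ;;
        '$6$'*)     echo sha512-crypt ;;
        '{SHA}'*)   echo sha1-unsalted ;;
        '{SSHA}'*)  echo sha1-salted ;;
        '{PLAIN}'*) echo plaintext ;;
        *)          echo des-crypt-or-plaintext ;;
    esac
}

# Read htpasswd lines on stdin and print "<user> <scheme>" for each entry.
audit_htpasswd() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
            *:*) printf '%s %s\n' "${line%%:*}" "$(hash_scheme "${line#*:}")" ;;
            *)   printf '%s malformed\n' "$line" ;;
        esac
    done
}

# Same report, starting from the base64 value stored in the Secret.
audit_secret_b64() {
    printf '%s' "$1" | base64 -d | audit_htpasswd
}

audit_secret_b64 "$PAGE_AUTH_B64"
printf '%s\n' "$SAMPLE_HTPASSWD" | audit_htpasswd
```

With the default auth-file secret type, the controller looks for the key named auth, which is why the htpasswd file is created under that name.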


[kubeadm@server1 mainfest]$ cat pod2.yml 
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-example
spec:
  replicas: 2
  selector:
    matchLabels:
      app: myappv1
  template:
    metadata:
      labels:
        app: myappv1
    spec:
      containers:
      - name: myappv1
        image: myapp:v1
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-example2
spec:
  replicas: 2
  selector:
    matchLabels:
      app: myappv2
  template:
    metadata:
      labels:
        app: myappv2
    spec:
      containers:
      - name: myappv2
        image: myapp:v2
[kubeadm@server1 mainfest]$ kubectl apply -f  pod2.yml
[kubeadm@server1 mainfest]$ cat service.yml 
kind: Service
apiVersion: v1
metadata:
  name: myservice
spec:
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
  selector:
    app: myappv1
  type: ClusterIP
---
kind: Service
apiVersion: v1
metadata:
  name: myservice2
spec:
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
  selector:
    app: myappv2
  type: ClusterIP
[kubeadm@server1 mainfest]$ kubectl apply -f  service.yml
[kubeadm@server1 mainfest]$ vim secret.yml
[kubeadm@server1 mainfest]$ cat secret.yml 
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-with-auth
  annotations:
    # type of authentication
    nginx.ingress.kubernetes.io/auth-type: basic
    # name of the secret that contains the user/password definitions
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # message to display with an appropriate context why the authentication is required
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - red'
spec:
  rules:
  - host: www1.red.org
    http:
      paths:
      - path: /
        backend:
          serviceName: myservice
          servicePort: 80
[kubeadm@server1 mainfest]$ kubectl get svc
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP   8d
myservice    ClusterIP   10.110.45.54    <none>        80/TCP    15h
myservice2   ClusterIP   10.103.62.115   <none>        80/TCP    15h
[kubeadm@server1 mainfest]$ kubectl apply -f secret.yml 
ingress.networking.k8s.io/ingress-with-auth created
[kubeadm@server1 mainfest]$ kubectl get ingress
NAME                CLASS    HOSTS          ADDRESS   PORTS   AGE
ingress-with-auth   <none>   www1.red.org             80      39s
[kubeadm@server1 mainfest]$ kubectl describe ingress ingress-with-auth 
Name:             ingress-with-auth
Namespace:        default
Address:          172.25.1.3
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host          Path  Backends
  ----          ----  --------
  www1.red.org  
                /   myservice:80 (10.244.1.59:80,10.244.2.85:80)
Annotations:    nginx.ingress.kubernetes.io/auth-realm: Authentication Required - red
                nginx.ingress.kubernetes.io/auth-secret: basic-auth
                nginx.ingress.kubernetes.io/auth-type: basic
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  49s   nginx-ingress-controller  Ingress default/ingress-with-auth
  Normal  UPDATE  7s    nginx-ingress-controller  Ingress default/ingress-with-auth

[Figure: access test]


1.2 Configure authentication with encryption (auth + TLS)

[kubeadm@server1 mainfest]$ kubectl delete ingress ingress-with-auth 
ingress.extensions "ingress-with-auth" deleted
[kubeadm@server1 mainfest]$ vim secret.yml 
[kubeadm@server1 mainfest]$ cat secret.yml 
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-with-auth
  annotations:
    # type of authentication
    nginx.ingress.kubernetes.io/auth-type: basic
    # name of the secret that contains the user/password definitions
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # message to display with an appropriate context why the authentication is required
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - red'
spec:
  tls:
    - hosts:
      - www1.red.org
      secretName: tls-secret
  rules:
  - host: www1.red.org
    http:
      paths:
      - path: /
        backend:
          serviceName: myservice
          servicePort: 80
[kubeadm@server1 mainfest]$ kubectl apply -f secret.yml 
ingress.networking.k8s.io/ingress-with-auth created
[kubeadm@server1 mainfest]$ kubectl get secrets 
NAME                  TYPE                                  DATA   AGE
basic-auth            Opaque                                1      3d16h
default-token-5qqxc   kubernetes.io/service-account-token   3      12d
mysecret              Opaque                                2      3d2h
tls-secret            kubernetes.io/tls                     2      4d6h
[kubeadm@server1 mainfest]$ kubectl get ingress 
NAME                CLASS    HOSTS          ADDRESS      PORTS     AGE
ingress-with-auth   <none>   www1.red.org   172.25.1.3   80, 443   28s
[kubeadm@server1 mainfest]$ kubectl describe ingress ingress-with-auth 
Name:             ingress-with-auth
Namespace:        default
Address:          172.25.1.3
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
  tls-secret terminates www1.red.org
Rules:
  Host          Path  Backends
  ----          ----  --------
  www1.red.org  
                /   myservice:80 (10.244.1.74:80,10.244.2.90:80)
Annotations:    nginx.ingress.kubernetes.io/auth-realm: Authentication Required - red
                nginx.ingress.kubernetes.io/auth-secret: basic-auth
                nginx.ingress.kubernetes.io/auth-type: basic
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  59s   nginx-ingress-controller  Ingress default/ingress-with-auth
  Normal  UPDATE  38s   nginx-ingress-controller  Ingress default/ingress-with-auth

[Figure: access test]


1.3 Configure encrypted authentication + session affinity

[kubeadm@server1 mainfest]$ kubectl delete -f secret.yml 
ingress.networking.k8s.io "ingress-with-auth" deleted
[kubeadm@server1 mainfest]$ vim secret.yml 
[kubeadm@server1 mainfest]$ cat  secret.yml 
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-with-auth
  annotations:
    nginx.ingress.kubernetes.io/affinity: cookie
    # type of authentication
    nginx.ingress.kubernetes.io/auth-type: basic
    # name of the secret that contains the user/password definitions
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # message to display with an appropriate context why the authentication is required
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - red'
spec:
  tls:
    - hosts:
      - www1.red.org
      secretName: tls-secret
  rules:
  - host: www1.red.org
    http:
      paths:
      - path: /
        backend:
          serviceName: myservice
          servicePort: 80
[kubeadm@server1 mainfest]$ kubectl apply -f secret.yml 
ingress.networking.k8s.io/ingress-with-auth created



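2. Ingress URL rewriting

Official reference: https://kubernetes.github.io/ingress-nginx/examples/rewrite/

[Figure: annotation parameters]

2.1 Redirecting the application root

Requests to different URLs are redirected to different endpoints.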

[kubeadm@server1 mainfest]$ vim rewrite.yml 
[kubeadm@server1 mainfest]$ cat rewrite.yml 
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/app-root: /hostname.html  # requests to the bare domain go straight to this page
  name: approot
  namespace: default
spec:
  rules:
  - host: www2.red.org
    http:
      paths:
      - backend:
          serviceName: myservice2
          servicePort: 80
        path: /

[kubeadm@server1 mainfest]$ kubectl apply -f rewrite.yml 
ingress.networking.k8s.io/approot created
[kubeadm@server1 mainfest]$ kubectl get svc
NAME         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.96.0.1        <none>        443/TCP   12d
myservice    ClusterIP   10.111.37.16     <none>        80/TCP    44m
myservice2   ClusterIP   10.103.206.141   <none>        80/TCP    44m
[kubeadm@server1 mainfest]$ kubectl describe ingress approot 
Name:             approot
Namespace:        default
Address:          172.25.1.3
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host          Path  Backends
  ----          ----  --------
  www2.red.org  
                /   myservice2:80 (10.244.1.73:80,10.244.2.91:80)
Annotations:    nginx.ingress.kubernetes.io/app-root: /hostname.html
Events:
  Type    Reason  Age                  From                      Message
  ----    ------  ----                 ----                      -------
  Normal  CREATE  19m                  nginx-ingress-controller  Ingress default/approot
  Normal  UPDATE  5m28s (x3 over 18m)  nginx-ingress-controller  Ingress default/approot



2.2 Rewriting traffic to a target URI

[kubeadm@server1 mainfest]$ cat rewrite.yml 
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: approot
  namespace: default
spec:
  rules:
  - host: rewrite.red.org
    http:
      paths:
      - backend:
          serviceName: myservice
          servicePort: 80
        path: /v1
      - backend:
          serviceName: myservice2
          servicePort: 80
        path: /v2


[kubeadm@server1 mainfest]$ kubectl apply -f rewrite.yml 
ingress.networking.k8s.io/approot configured
[kubeadm@server1 mainfest]$ kubectl describe ingress approot 
Name:             approot
Namespace:        default
Address:          172.25.1.3
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host             Path  Backends
  ----             ----  --------
  rewrite.red.org  
                   /v1   myservice:80 (10.244.1.74:80,10.244.2.90:80)
                   /v2   myservice2:80 (10.244.1.73:80,10.244.2.91:80)
Annotations:       nginx.ingress.kubernetes.io/rewrite-target: /
Events:
  Type    Reason  Age                From                      Message
  ----    ------  ----               ----                      -------
  Normal  CREATE  34m                nginx-ingress-controller  Ingress default/approot
  Normal  UPDATE  20s (x4 over 33m)  nginx-ingress-controller  Ingress default/approot



[kubeadm@server1 mainfest]$ cat rewrite.yml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
  name: approot
  namespace: default
spec:
  rules:
  - host: rewrite.red.org
    http:
      paths:
      - backend:
          serviceName: myservice
          servicePort: 80
        path: /redhat(/|$)(.*)

[kubeadm@server1 mainfest]$ kubectl apply -f rewrite.yml 
ingress.networking.k8s.io/approot configured
[kubeadm@server1 mainfest]$ kubectl describe ingress approot 
Name:             approot
Namespace:        default
Address:          172.25.1.3
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host             Path  Backends
  ----             ----  --------
  rewrite.red.org  
                   /redhat(/|$)(.*)   myservice:80 (10.244.1.74:80,10.244.2.90:80)
Annotations:       nginx.ingress.kubernetes.io/rewrite-target: /$2
Events:
  Type    Reason  Age               From                      Message
  ----    ------  ----              ----                      -------
  Normal  CREATE  43m               nginx-ingress-controller  Ingress default/approot
  Normal  UPDATE  2s (x5 over 42m)  nginx-ingress-controller  Ingress default/approot

In this Ingress definition, any characters captured by (.*) are assigned to the placeholder $2, which is then used as a parameter in the rewrite-target annotation.
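
The mapping described above, as an added example that is not part of the original post: a sed-based emulation (not nginx itself) of how the Ingress path and rewrite-target turn a request path into the path the backend receives. It assumes the path is matched as a regex anchored at the start of the URI and that the whole URI is replaced by the target; rewrite_path and the /redhat(.*) rule are constructed for contrast.

```shell
#!/bin/sh
# Added example: emulate the request path -> backend path mapping of rewrite-target.
# Assumption: the Ingress path is a regex anchored at the start of the URI, and a
# match replaces the whole URI with the rewrite target.

# rewrite_path INGRESS_PATH REWRITE_TARGET REQUEST_PATH
# Prints the path the backend receives, or "no-match" if the rule does not apply.
rewrite_path() {
    # The annotation writes capture groups as $N; sed writes them as \N.
    rp_target=$(printf '%s' "$2" | sed 's/\$\([0-9]\)/\\\1/g')
    rp_out=$(printf '%s\n' "$3" | sed -n -E "s#^$1.*#$rp_target#p")
    if [ -n "$rp_out" ]; then printf '%s\n' "$rp_out"; else echo no-match; fi
}

echo 'Rule from the page: path /redhat(/|$)(.*)  rewrite-target /$2'
for p in /redhat /redhat/ /redhat/hostname.html /redhatX; do
    printf '  %-24s -> %s\n' "$p" "$(rewrite_path '/redhat(/|$)(.*)' '/$2' "$p")"
done

echo 'Constructed variant without (/|$): path /redhat(.*)  rewrite-target /$1'
for p in /redhat/hostname.html /redhatX; do
    printf '  %-24s -> %s\n' "$p" "$(rewrite_path '/redhat(.*)' '/$1' "$p")"
done

echo 'Earlier rule from the page: path /v1  rewrite-target /'
for p in /v1 /v1/hostname.html /v2/hostname.html; do
    printf '  %-24s -> %s\n' "$p" "$(rewrite_path '/v1' '/' "$p")"
done
```

The (/|$) group keeps /redhatX out of the rule, and the fixed target / drops everything after /v1, which is what the capture-group form avoids.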

[kubeadm@server1 mainfest]$ kubectl -n ingress-nginx get pod
NAME                                   READY   STATUS      RESTARTS   AGE
ingress-nginx-admission-create-lp2pr   0/1     Completed   0          3d15h
ingress-nginx-admission-patch-nxchx    0/1     Completed   1          3d15h
ingress-nginx-controller-4vq57         1/1     Running     0          3d15h
[kubeadm@server1 mainfest]$ kubectl -n ingress-nginx exec -it ingress-nginx-controller-4vq57 -- sh
/etc/nginx $ ls
fastcgi.conf            koi-utf                 modsecurity             owasp-modsecurity-crs   uwsgi_params.default
fastcgi.conf.default    koi-win                 modules                 scgi_params             win-utf
fastcgi_params          lua                     nginx.conf              scgi_params.default
fastcgi_params.default  mime.types              nginx.conf.default      template
geoip                   mime.types.default      opentracing.json        uwsgi_params
/etc/nginx $ vi nginx.conf


[kubeadm@server1 mainfest]$ kubectl get pod
NAME                                   READY   STATUS    RESTARTS   AGE
deployment-example-6ffc7db887-k2lv6    1/1     Running   0          80m
deployment-example-6ffc7db887-v56ff    1/1     Running   0          80m
deployment-example2-7b87677f64-cllvq   1/1     Running   0          80m
deployment-example2-7b87677f64-r9smq   1/1     Running   0          80m
my-nginx-56794ff6cb-5qxlq              1/1     Running   0          94m
[kubeadm@server1 mainfest]$ kubectl exec -it deployment-example-6ffc7db887-k2lv6   -- sh
/ # cd /etc/nginx/
/etc/nginx # ls
conf.d                  fastcgi_params.default  mime.types.default      scgi_params             win-utf
fastcgi.conf            koi-utf                 modules                 scgi_params.default
fastcgi.conf.default    koi-win                 nginx.conf              uwsgi_params
fastcgi_params          mime.types              nginx.conf.default      uwsgi_params.default
/etc/nginx # vi nginx.conf
/etc/nginx # cd conf.d/
/etc/nginx/conf.d # ls
default.conf
/etc/nginx/conf.d # vi default.conf 


The request path is:

user -> ingress-nginx -> svc -> pod