Kubernetes cluster (k8s): Ingress + authentication and TLS + URL rewriting
1. Ingress authentication
Reference: the official documentation
https://kubernetes.github.io/ingress-nginx/examples/auth/basic/
First install the tooling and generate a user and password for Basic authentication:
[root@server2 ~]# yum install -y httpd-tools
Note: use the -c option only when creating the file for the first time. If the file already contains other users, do not pass -c, otherwise the existing entries are overwritten.
The credentials in the file generated by htpasswd are referenced from the Ingress rule to add authentication. The file must be named auth (the Secret then carries a key data.auth); otherwise the ingress controller returns a 503.
Load the credentials into a Secret:
[root@server2 ~]# kubectl create secret generic basic-auth --from-file=auth
secret/basic-auth created
[root@server2 ~]# kubectl get secrets   # list the secrets
NAME                  TYPE                                  DATA   AGE
basic-auth            Opaque                                1      13s
default-token-754fk   kubernetes.io/service-account-token   3      27h
tls-secret            kubernetes.io/tls                     2      3h58m
[root@server2 ~]# kubectl describe secrets basic-auth   # inspect it
Name:         basic-auth
Namespace:    default
Labels:       <none>
Annotations:  <none>
Type:  Opaque
Data
====
auth:  41 bytes
The credentials have been stored.
Print the full details as YAML:
[root@server2 ~]# kubectl get secret basic-auth -o yaml
apiVersion: v1
data:
  auth: d2M6JGFwcjEkcERtaWpJQ1EkVjR6WVBDczlxakRvYlkvMVNjbFA0Lgo=
kind: Secret
metadata:
  creationTimestamp: "2020-07-01T22:12:53Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:auth: {}
      f:type: {}
    manager: kubectl
    operation: Update
    time: "2020-07-01T22:12:53Z"
  name: basic-auth
  namespace: default
  resourceVersion: "129787"
  selfLink: /api/v1/namespaces/default/secrets/basic-auth
  uid: 46d42acc-0d41-4395-8064-8181550ef327
type: Opaque
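Before the Ingress is applied it is worth checking that the Secret really carries the key ingress-nginx expects, since a wrong key name yields the 503 mentioned above. The following Python script is an added example, not code from this post or from ingress-nginx. It takes the Secret as a plain dict (the data.auth value is the one printed by kubectl above, assumed to have been produced by `htpasswd -c auth wc`; a second, constructed Secret whose file was named users.txt instead of auth shows the failure case), base64-decodes it, and checks that every line has the htpasswd user:hash shape and uses a salted hash format. It also makes a point the kubectl output hides: data.auth is base64-encoded, not encrypted, so anyone allowed to read the Secret obtains the htpasswd line as-is, and RBAC on Secrets is what protects it.

```python
import base64
import re

# Constructed: the Secret as `kubectl get secret basic-auth -o yaml` prints it,
# reduced to the fields the check needs (data.auth is the value shown on the page).
SECRET_OK = {
    "kind": "Secret",
    "type": "Opaque",
    "metadata": {"name": "basic-auth", "namespace": "default"},
    "data": {"auth": "d2M6JGFwcjEkcERtaWpJQ1EkVjR6WVBDczlxakRvYlkvMVNjbFA0Lgo="},
}

# Constructed failure case: same content, but created with
# `--from-file=users.txt`, so the data key is `users.txt` rather than `auth`.
SECRET_WRONG_KEY = {
    "kind": "Secret",
    "type": "Opaque",
    "metadata": {"name": "basic-auth", "namespace": "default"},
    "data": {"users.txt": SECRET_OK["data"]["auth"]},
}

# One htpasswd line: user name, a colon, the password hash (user names cannot contain ':').
ENTRY_RE = re.compile(r"^([^:]+):(\S+)$")


def hash_format(h):
    """Name the htpasswd hash format by its prefix."""
    if h.startswith("$apr1$"):
        return "apr1"                # Apache MD5-crypt, salted (htpasswd -m, the default)
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"              # htpasswd -B
    if h.startswith("{SHA}"):
        return "sha1"                # htpasswd -s, unsalted SHA-1
    return "crypt-or-plaintext"      # htpasswd -d (crypt) or -p (plain text)


def check_basic_auth_secret(secret):
    """Validate a Secret intended for ingress-nginx basic auth.

    Returns {"ok": bool, "entries": [{"user", "format"}], "problems": [str]}.
    """
    problems, entries = [], []
    if secret.get("kind") != "Secret":
        problems.append("object is not a Secret")
    data = secret.get("data") or {}
    if "auth" not in data:
        # ingress-nginx reads data.auth; with any other key it answers 503.
        problems.append("data has no 'auth' key (found: %s)" % sorted(data))
        return {"ok": False, "entries": entries, "problems": problems}
    try:
        # base64 is an encoding, not encryption: this is the plain htpasswd file.
        text = base64.b64decode(data["auth"], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        problems.append("data.auth is not base64 text: %s" % exc)
        return {"ok": False, "entries": entries, "problems": problems}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            problems.append("line %d is not in user:hash form" % lineno)
            continue
        user, h = m.groups()
        fmt = hash_format(h)
        if fmt in ("sha1", "crypt-or-plaintext"):
            problems.append("user %r uses weak hash format %s" % (user, fmt))
        entries.append({"user": user, "format": fmt})
    if not entries:
        problems.append("no user entries in data.auth")
    return {"ok": not problems, "entries": entries, "problems": problems}


if __name__ == "__main__":
    for name, s in (("basic-auth", SECRET_OK), ("wrong key", SECRET_WRONG_KEY)):
        print(name, check_basic_auth_secret(s))
```

Running it reports one user, wc, with an apr1 hash for the page's Secret, and flags the second Secret because its only data key is users.txt. To run the same check against a live cluster, feed it the output of `kubectl get secret basic-auth -o json` parsed with the json module.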
Following the official docs, edit secret.yaml (despite its name, this file defines the Ingress):
vim secret.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-with-auth
  annotations:
    # type of authentication
    nginx.ingress.kubernetes.io/auth-type: basic
    # name of the secret that contains the user/password definitions
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # message to display with an appropriate context why the authentication is required
    # (this is the text shown in the client's login prompt)
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - wc'
spec:
  rules:
  - host: www1.westos.org   # the host name this rule applies to
    http:
      paths:
      - path: /
        backend:
          serviceName: myservice
          servicePort: 80
Remove the resources from the earlier experiments first, then apply:
[root@server2 ~]# kubectl apply -f secret.yaml
ingress.networking.k8s.io/ingress-with-auth created
[root@server2 ~]# kubectl get ingress
NAME                CLASS    HOSTS             ADDRESS        PORTS   AGE
ingress-with-auth   <none>   www1.westos.org   172.25.254.3   80      2m25s
By default, once authentication is configured, access is forced to be encrypted (https).
Custom TLS: the authentication Secret has already been generated above; now combine it with the TLS configuration.
[root@server2 ~]# vim secret.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-with-auth
  annotations:
    # type of authentication
    nginx.ingress.kubernetes.io/auth-type: basic
    # name of the secret that contains the user/password definitions
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # message to display with an appropriate context why the authentication is required
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - wc'
spec:
  tls:   # TLS: reuses the certificate Secret created from the earlier tls.yaml
  - hosts:
    - www1.westos.org
    secretName: tls-secret
  rules:
  - host: www1.westos.org
    http:
      paths:
      - path: /
        backend:
          serviceName: myservice
          servicePort: 80
[root@server2 ~]# kubectl delete -f secret.yaml
[root@server2 ~]# kubectl apply -f secret.yaml
Configuring session affinity (sticky sessions)
[root@server2 ~]# vim secret.yaml
2. URL rewriting
When www1.westos.org was accessed earlier, the request did not go straight to the page served by the pod, as shown in the figure below.
Goal: redirect automatically to the page served by the pod.
Reference: the official docs.
[root@server2 ~]# kubectl get svc
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP        29h
myservice    NodePort    10.96.85.103    <none>        80:31853/TCP   49m
myservice2   NodePort    10.100.14.113   <none>        80:32313/TCP   49m
[root@server2 ~]# vim rewrite.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/app-root: /hostname.html   # redirect target
  name: approot
  namespace: default
spec:
  rules:
  - host: www2.westos.org   # host name
    http:
      paths:
      - backend:
          serviceName: myservice2   # target service
          servicePort: 80
        path: /
[root@server2 ~]# kubectl apply -f rewrite.yaml
ingress.networking.k8s.io/approot created
2.2 Annotation parameters
2.2.1 Target URI for the rewritten traffic: nginx.ingress.kubernetes.io/rewrite-target
vim rewrite.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: approot
  namespace: default
spec:
  rules:
  - host: rewrite.westos.org
    http:
      paths:
      - backend:
          serviceName: myservice
          servicePort: 80
        path: /v1
      - backend:
          serviceName: myservice2
          servicePort: 80
        path: /v2
When rewrite.westos.org is accessed under /v1 or /v2, the request has to be rewritten, because the backends currently have no /v1 or /v2 path.
2.2.2 Create an Ingress rule using the rewrite annotation
Capture groups in the path are saved in numbered placeholders $1, $2, ..., $n; these placeholders can be used as parameters in the rewrite-target annotation.
Any characters captured by (.*) are assigned to placeholder $2, which is then used as the parameter in the rewrite-target annotation.
vim rewrite.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
  name: approot
  namespace: default
spec:
  rules:
  - host: rewrite.westos.org
    http:
      paths:
      - backend:
          serviceName: myservice
          servicePort: 80
        path: /redhat(/|$)(.*)
Request flow: user -> ingress-nginx (reverse proxy) -> svc (Service: myservice) -> pod
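To make the three rewrite.yaml variants concrete (app-root on www2.westos.org, rewrite-target: / for /v1 and /v2, and the capture-group rewrite of /redhat(/|$)(.*) to /$2), here is an added Python model of how ingress-nginx decides what to do with a request path. It is not code from this post or from ingress-nginx. The rule table is constructed from the page's manifests and merged into one list; a path is matched as a case-insensitive regular expression anchored at the start of the URI (which is how ingress-nginx compiles paths once rewrite-target is set), each $n in the target is replaced by capture group n, and app-root turns a request for exactly / into a 302 redirect. The first matching rule wins in this model.

```python
import re

APP_ROOT = "nginx.ingress.kubernetes.io/app-root"
REWRITE_TARGET = "nginx.ingress.kubernetes.io/rewrite-target"

# Constructed rule table combining the page's rewrite.yaml manifests.
RULES = [
    {"host": "www2.westos.org", "path": "/", "service": "myservice2",
     "annotations": {APP_ROOT: "/hostname.html"}},
    {"host": "rewrite.westos.org", "path": "/v1", "service": "myservice",
     "annotations": {REWRITE_TARGET: "/"}},
    {"host": "rewrite.westos.org", "path": "/v2", "service": "myservice2",
     "annotations": {REWRITE_TARGET: "/"}},
    {"host": "rewrite.westos.org", "path": "/redhat(/|$)(.*)", "service": "myservice",
     "annotations": {REWRITE_TARGET: "/$2"}},
]


def expand_target(target, match):
    """Replace $1..$n in the rewrite target with the path's capture groups.

    A placeholder without a matching group, or a group that did not take part
    in the match, expands to the empty string.
    """
    def repl(m):
        n = int(m.group(1))
        if n < 1 or n > match.re.groups:
            return ""
        return match.group(n) or ""
    return re.sub(r"\$(\d+)", repl, target)


def route(host, request_path):
    """Return what ingress-nginx would do with a request for request_path on host."""
    for rule in RULES:
        if rule["host"] != host:
            continue
        # Regex paths are case-insensitive and anchored at the start of the URI.
        m = re.match(rule["path"], request_path, re.IGNORECASE)
        if m is None:
            continue
        ann = rule["annotations"]
        if APP_ROOT in ann and request_path == "/":
            # app-root: a request for exactly "/" is answered with a redirect.
            return {"status": 302, "location": ann[APP_ROOT],
                    "service": None, "upstream_path": None}
        if REWRITE_TARGET in ann:
            upstream = expand_target(ann[REWRITE_TARGET], m)
        else:
            upstream = request_path
        return {"status": 200, "location": None,
                "service": rule["service"], "upstream_path": upstream}
    # No rule matched: the default backend answers 404.
    return {"status": 404, "location": None, "service": None, "upstream_path": None}


if __name__ == "__main__":
    for host, path in [
        ("www2.westos.org", "/"),
        ("www2.westos.org", "/hostname.html"),
        ("rewrite.westos.org", "/v1/index.html"),
        ("rewrite.westos.org", "/v2"),
        ("rewrite.westos.org", "/redhat/index.html"),
        ("rewrite.westos.org", "/redhat"),
        ("rewrite.westos.org", "/redhatx"),
    ]:
        print(host, path, "->", route(host, path))
```

The /redhatx case shows why the (/|$) group matters: with a path of /redhat(.*) the rule would also claim requests for /redhatx and forward them as /x, whereas (/|$) only accepts /redhat followed by a slash or the end of the path. The /v1 case shows the point of section 2.2.1: the backend receives / rather than /v1/index.html, so a service that has no /v1 directory still answers.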