Kubernetes Ingress Configuration and Best Practices: Building Efficient Ingress Traffic Management

1. Ingress Overview

Ingress is the Kubernetes resource that manages external access to Services inside a cluster. It provides HTTP/HTTPS routing, TLS termination and name-based virtual hosting, and is the standard way to expose HTTP services. An Ingress object is only a set of rules: nothing happens until an Ingress controller running in the cluster reads it and configures a proxy accordingly, so a working setup always needs both.

1.1 Ingress Architecture

External request
      ↓
LoadBalancer / NodePort Service (fronting the controller pods)
      ↓
Ingress Controller (ingress-nginx / Traefik / Istio gateway)
      ↓
Ingress resource (routing rules)
      ↓
Backend Services → Pods

1.2 Comparison of Ingress Controllers

| Controller | Characteristics | Typical use |
|---|---|---|
| ingress-nginx | Feature-rich, mature community | General purpose |
| Traefik | Automatic discovery, dynamic reconfiguration | Cloud-native setups |
| Istio ingress gateway | Service-mesh integration, advanced traffic management | Complex microservice estates |
| HAProxy Ingress | High-performance load balancing | High-concurrency workloads |

Two unrelated projects are commonly called "nginx ingress": the Kubernetes community's ingress-nginx (annotations prefixed `nginx.ingress.kubernetes.io/`, which is what every example in this article uses) and F5/NGINX's kubernetes-ingress (annotations prefixed `nginx.org/`). Their annotations and ConfigMap keys are not interchangeable, so check which one your cluster runs before copying configuration.

2. Basic Ingress Configuration

2.1 A Minimal Ingress

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: simple-ingress
  annotations:
    # Without a capture group, rewrite-target replaces the whole matched path,
    # so /app/users reaches my-service as /. Remove it if the backend serves /app itself.
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  # ingress-nginx 1.0+ ignores Ingresses with no class unless a default
  # IngressClass is marked; set it explicitly to avoid a silently unrouted host.
  ingressClassName: nginx
  rules:
  - host: example.com
    http:
      paths:
      - path: /app
        pathType: Prefix
        backend:
          service:
            name: my-service
            port:
              number: 80
```

`pathType: Prefix` matches on path-element boundaries: `/app` matches `/app` and `/app/x` but not `/application`.

2.2 Multiple Hosts

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: multi-host-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: app1.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app1-service
            port:
              number: 80
  - host: app2.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app2-service
            port:
              number: 80
```

Routing is by the HTTP Host header (or TLS SNI). A request whose Host matches no rule falls through to the controller's default backend and receives a 404, which is also what you see when DNS points at the controller but the Ingress has not been picked up.

2.3 TLS

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
  annotations:
    # TLS is terminated at the controller; the hop to the backend is plain HTTP
    # by default. Because secure-service listens on 443, tell the controller to
    # re-encrypt, otherwise it sends cleartext HTTP to a TLS port.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - secure.example.com
    secretName: tls-secret   # must live in the same namespace as this Ingress
  rules:
  - host: secure.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: secure-service
            port:
              number: 443
```

The certificate's Subject Alternative Names must cover every name under `tls.hosts`. If the Secret is missing or unparsable, ingress-nginx does not reject the Ingress: it serves its built-in self-signed "Kubernetes Ingress Controller Fake Certificate" for that host, which is the first thing to check when clients report an untrusted certificate. Hosts with TLS configured are redirected from HTTP to HTTPS (`ssl-redirect`, on by default).

2.4 Creating the TLS Secret

```bash
kubectl create secret tls tls-secret \
  --cert=path/to/tls.crt \
  --key=path/to/tls.key \
  -n <namespace-of-the-ingress>
```

`tls.key` must be an unencrypted PEM private key, and `tls.crt` should be the full chain (leaf first, then intermediates), or clients that do not already hold the intermediate will fail validation. For production, let cert-manager issue and rotate the certificate rather than passing key material through a deployment pipeline.

3. Advanced Ingress Configuration

3.1 Path Rewriting

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rewrite-ingress
  annotations:
    # $1 is the first capture group of the path regex: /api/v1/users -> /users
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    nginx.ingress.kubernetes.io/use-regex: "true"
spec:
  ingressClassName: nginx
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /api/v1/(.*)
        # Regex paths belong with ImplementationSpecific: Prefix and Exact are
        # literal matches, and ingress-nginx's strict-validate-path-type
        # validation rejects non-path characters in them.
        pathType: ImplementationSpecific
        backend:
          service:
            name: api-v1-service
            port:
              number: 80
```

`/api/v1/(.*)` does not match a bare `/api/v1` without the trailing slash; use `/api/v1(/|$)(.*)` with `rewrite-target: /$2` if that matters. The rewritten path is what the backend sees, so any path-based authorization in the backend applies to the rewritten value, not to the public one.

3.2 Rate Limiting

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rate-limit-ingress
  annotations:
    nginx.ingress.kubernetes.io/limit-connections: "100"  # concurrent connections per client IP
    nginx.ingress.kubernetes.io/limit-rps: "50"           # requests per second per client IP
    nginx.ingress.kubernetes.io/limit-rpm: "2000"         # requests per minute per client IP
spec:
  ingressClassName: nginx
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 80
```

Things to know before relying on these numbers:

  • All three limits are keyed on the client IP as nginx sees it, so they are only as good as the real-IP configuration in 3.4; a client that can forge its address gets a fresh counter per forged value.
  • Each controller replica keeps its own counters, so the cluster-wide ceiling is roughly replicas × limit.
  • `limit-rps` and `limit-rpm` are both enforced when both are set: 2000 per minute is about 33 per second, so here the per-minute rule is the effective ceiling for sustained traffic.
  • The nginx `limit_req` zone gets a burst of limit × `limit-burst-multiplier` (default 5), so a quiet client can send about 250 requests at once before anything is rejected; rejected requests receive 503 (`limit-req-status-code` in the ConfigMap changes this).
  • `nginx.ingress.kubernetes.io/limit-whitelist` exempts health checkers and other known CIDRs.
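To see what the numbers above actually mean, here is a small Python model of nginx's `limit_req` accounting, the mechanism behind `limit-rps`. This is an added example, not ingress-nginx code; the client addresses and arrival times are constructed, and `spoof_demo` shows what happens to the per-IP key when the trusted-proxy range of section 3.4 is left wide open.

```python
"""Model of the nginx limit_req accounting behind
nginx.ingress.kubernetes.io/limit-rps (added example, not ingress-nginx code).

ingress-nginx renders limit-rps N as
    limit_req_zone <client ip> zone=... rate=Nr/s;
    limit_req zone=... burst=<N * limit-burst-multiplier> nodelay;
with limit-burst-multiplier defaulting to 5 and rejections answered with 503.
nginx keeps an integer "excess" per key in thousandths of a request, drains it
at the configured rate, adds 1000 per request and rejects when it exceeds the
burst. The arrival times and addresses below are constructed.
"""
from typing import Dict, List, Tuple


class LimitReq:
    def __init__(self, rate_rps: float, burst_multiplier: int = 5) -> None:
        self.rate_milli = int(round(rate_rps * 1000))   # requests/s * 1000, as nginx stores it
        self.burst = int(rate_rps * burst_multiplier)    # burst in whole requests
        self._state: Dict[str, Tuple[int, int]] = {}     # key -> (excess*1000, last_ms)

    def check(self, key: str, now_ms: int) -> bool:
        """True if the request is forwarded, False if nginx would answer 503."""
        if key not in self._state:
            self._state[key] = (0, now_ms)               # first request for a key is free
            return True
        excess, last_ms = self._state[key]
        excess = excess - (self.rate_milli * (now_ms - last_ms)) // 1000 + 1000
        if excess < 0:
            excess = 0
        if excess > self.burst * 1000:
            return False                                 # rejected; state is not updated
        self._state[key] = (excess, now_ms)
        return True


def simulate(rate_rps: float, arrivals: List[Tuple[str, int]], burst_multiplier: int = 5) -> Dict[str, int]:
    """Count forwarded requests per client key for (key, arrival_ms) pairs."""
    limiter = LimitReq(rate_rps, burst_multiplier)
    forwarded: Dict[str, int] = {}
    for key, ts in arrivals:
        if limiter.check(key, ts):
            forwarded[key] = forwarded.get(key, 0) + 1
    return forwarded


ATTACKER = "203.0.113.7"   # constructed client address


def burst_demo(rate_rps: float = 50, n: int = 1000) -> int:
    """n requests from one address at the same instant: burst + 1 get through."""
    return simulate(rate_rps, [(ATTACKER, 0)] * n)[ATTACKER]


def flood_demo(rate_rps: float = 50, client_rps: int = 100, n: int = 1000) -> int:
    """One address sending steadily at client_rps: once the burst is spent,
    throughput settles at rate_rps (1000 requests at 100 r/s span 10 s, so
    about 10 s * 50 r/s plus the 250 burst get through)."""
    step_ms = 1000 // client_rps
    return simulate(rate_rps, [(ATTACKER, i * step_ms) for i in range(n)])[ATTACKER]


def spoof_demo(rate_rps: float = 50, n: int = 1000) -> int:
    """The same flood with a different forged client address on every request,
    which is what proxy-real-ip-cidr: 0.0.0.0/0 permits: every key is new and
    nothing is limited."""
    arrivals = [(f"10.0.{i // 256}.{i % 256}", 0) for i in range(n)]
    return sum(simulate(rate_rps, arrivals).values())


if __name__ == "__main__":
    print("burst:", burst_demo(), "flood:", flood_demo(), "spoofed:", spoof_demo())
```

The model reproduces nginx's integer arithmetic deliberately: timestamps are milliseconds and excess is counted in thousandths, so the results are exact rather than subject to floating-point drift.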

3.3 CORS

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cors-ingress
  annotations:
    nginx.ingress.kubernetes.io/enable-cors: "true"
    # "*" lets any website read responses to non-credentialed requests. List the
    # origins you actually serve instead (comma-separated is accepted); the
    # controller reflects the one that matches.
    nginx.ingress.kubernetes.io/cors-allow-origin: "https://app.example.com"
    nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, PUT, DELETE, OPTIONS"
    nginx.ingress.kubernetes.io/cors-allow-headers: "Content-Type, Authorization"
spec:
  ingressClassName: nginx
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 80
```

`cors-allow-credentials` defaults to `"true"`, and browsers refuse to combine `Access-Control-Allow-Origin: *` with credentials, so the original wildcard plus `Authorization` header combination silently breaks authenticated cross-origin calls; an explicit origin list is both the secure and the working choice. CORS only governs what a browser lets a page read; it authenticates nothing, so the backend must still validate the `Authorization` header itself.

3.4 Preserving the Client IP

The three settings in the original listing (`use-forwarded-headers`, `real-ip-header`, `proxy-real-ip-cidr`) are not Ingress annotations, so the controller ignored them there. They are cluster-wide keys in the controller's ConfigMap (the one named in its `--configmap` argument), and the header key is called `forwarded-for-header`:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-configuration   # must match --configmap=$(POD_NAMESPACE)/nginx-configuration
  namespace: kube-system
data:
  # Honour X-Forwarded-For, but only when the TCP peer is a trusted proxy.
  use-forwarded-headers: "true"
  forwarded-for-header: "X-Forwarded-For"
  # Trust ONLY the address range of your load balancer (10.20.0.0/16 is a
  # placeholder). "0.0.0.0/0", as in the original, trusts every client, so
  # anyone can forge X-Forwarded-For to evade whitelist-source-range and
  # per-IP rate limits and to poison access logs.
  proxy-real-ip-cidr: "10.20.0.0/16"
```

Choose the mechanism that matches how traffic reaches the controller:

  • Layer-7 load balancer that terminates connections and adds X-Forwarded-For: the ConfigMap above, with `proxy-real-ip-cidr` set to the load balancer's addresses.
  • Layer-4 load balancer or NodePort: the peer is the client (or a node), so leave `use-forwarded-headers` off; either enable PROXY protocol on both sides (`use-proxy-protocol: "true"`) or set `externalTrafficPolicy: Local` on the controller's Service so kube-proxy does not SNAT the source.
  • Anything that relies on the client address, such as `nginx.ingress.kubernetes.io/whitelist-source-range`, is only as strong as this trust configuration.
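The following is an added example, not ingress-nginx code: a Python re-implementation of the nginx realip logic that `use-forwarded-headers` turns on, used to show what `proxy-real-ip-cidr` changes. The load balancer range 10.20.0.0/16, the allowlist 10.0.0.0/8 and every client address are constructed for the demonstration, and `allowed_by_source_range` stands in for `whitelist-source-range`.

```python
"""Model of how ingress-nginx derives the client address from X-Forwarded-For
(added example, not ingress-nginx code).

With use-forwarded-headers: "true" the controller emits
    set_real_ip_from <each proxy-real-ip-cidr>;
    real_ip_header <forwarded-for-header>;
    real_ip_recursive on;
The function below re-implements that realip logic so the effect of a narrow
versus a 0.0.0.0/0 trusted range can be seen. Every address and CIDR here is
constructed for the demonstration.
"""
import ipaddress
from typing import Iterable, List, Optional


def _is_trusted(addr: str, trusted_cidrs: Iterable[str]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in trusted_cidrs)


def real_ip(remote_addr: str, xff: Optional[str], trusted_cidrs: List[str],
            use_forwarded_headers: bool = True) -> str:
    """Address nginx exposes as $remote_addr after the realip module ran.

    The header is ignored unless the TCP peer is itself a trusted proxy. With
    real_ip_recursive on, the list is walked right to left and the first hop
    that is NOT a trusted proxy wins; if every hop is trusted, the leftmost is
    used. An unparsable hop stops the walk and keeps the last good value.
    """
    if not use_forwarded_headers or not xff or not _is_trusted(remote_addr, trusted_cidrs):
        return remote_addr
    candidate = remote_addr
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break
        candidate = hop
        if not _is_trusted(hop, trusted_cidrs):
            break
    return candidate


def allowed_by_source_range(client_ip: str, allowlist: List[str]) -> bool:
    """Stand-in for nginx.ingress.kubernetes.io/whitelist-source-range, which
    (like per-IP rate limits) is evaluated against the realip result."""
    return _is_trusted(client_ip, allowlist)


LB_CIDR = ["10.20.0.0/16"]        # assumed address range of the load balancer
TRUST_EVERYONE = ["0.0.0.0/0"]    # the value in the original listing
ALLOWLIST = ["10.0.0.0/8"]        # assumed whitelist-source-range on an internal app


def demo() -> dict:
    attacker = "203.0.113.7"      # real address of an external client
    forged = "10.0.0.5"           # what it writes into X-Forwarded-For
    return {
        # Direct hit on a NodePort, bypassing the LB: header must be ignored.
        "direct_narrow": real_ip(attacker, forged, LB_CIDR),
        # Same request when everyone is trusted: the forged address is believed.
        "direct_wide": real_ip(attacker, forged, TRUST_EVERYONE),
        # Through the LB, which appends the true peer: narrow trust still finds it.
        "via_lb_narrow": real_ip("10.20.1.4", f"{forged}, {attacker}", LB_CIDR),
        # Through the LB with everyone trusted: recursion walks past the true peer.
        "via_lb_wide": real_ip("10.20.1.4", f"{forged}, {attacker}", TRUST_EVERYONE),
    }


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:14} client={ip:13} allowlisted={allowed_by_source_range(ip, ALLOWLIST)}")
```

The two `wide` cases are the ones to look at: with `0.0.0.0/0` the forged 10.0.0.5 passes the 10.0.0.0/8 allowlist whether or not the request went through the load balancer, because recursion treats every hop, including the attacker's own address, as a trusted proxy and keeps walking left.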

4. Deploying an Ingress Controller

4.1 ingress-nginx

The manifest below shows the moving parts. The original version had three problems worth calling out: it pulled `:latest` from the old quay.io location (unpinned and no longer maintained), it granted the ClusterRole to nobody (no ClusterRoleBinding, so the controller could not list Ingresses at all), and it ran without a securityContext. For a real cluster install the upstream manifest or Helm chart (`helm install ingress-nginx ingress-nginx/ingress-nginx --namespace ingress-nginx --create-namespace`), which also carries the admission webhook, probes and complete RBAC. Note that the controller reads every TLS Secret it is permitted to see, which makes its ServiceAccount a high-value target.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nginx-ingress
rules:
# Read access to what the controller needs to render nginx.conf; the upstream
# manifest scopes leases and events more tightly than this.
- apiGroups: [""]
  resources: ["configmaps", "endpoints", "nodes", "pods", "secrets", "namespaces", "services"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses", "ingressclasses"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses/status"]
  verbs: ["update"]
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["get", "list", "watch", "create", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding   # missing from the original; without it the role grants nothing
metadata:
  name: nginx-ingress
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress
subjects:
- kind: ServiceAccount
  name: nginx-ingress
  namespace: kube-system
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress
  namespace: kube-system
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx-ingress
  template:
    metadata:
      labels:
        app: nginx-ingress
    spec:
      serviceAccountName: nginx-ingress
      containers:
      - name: nginx-ingress
        # Pin a tested release (ideally by digest); never run the controller from :latest.
        image: registry.k8s.io/ingress-nginx/controller:v1.11.1
        args:
        - /nginx-ingress-controller
        - --configmap=$(POD_NAMESPACE)/nginx-configuration
        - --ingress-class=nginx
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443
        securityContext:   # the hardening the upstream manifest applies
          runAsNonRoot: true
          runAsUser: 101
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
            add: ["NET_BIND_SERVICE"]
```

4.2 Traefik

The original snippet (`apiVersion: helm.sh/v2`, `kind: Chart`) is not a Kubernetes object and cannot be applied; it is a Helm values file. Put the values in `values.yaml` and install the chart with Helm:

```yaml
# values.yaml for the traefik/traefik chart (the original targeted chart 9.18.2)
deployment:
  replicas: 2
service:
  type: LoadBalancer
ingressRoute:
  dashboard:
    enabled: true
```

```bash
helm repo add traefik https://traefik.github.io/charts
helm repo update
# Pin --version to the chart release you have tested
helm install traefik traefik/traefik -f values.yaml
```

The chart's dashboard IngressRoute is bound to the internal `traefik` entrypoint, which the LoadBalancer Service does not publish; reach it with `kubectl port-forward`. If you do expose it, attach an authentication middleware first: the dashboard and its API reveal the complete routing configuration.

5. Ingress Best Practices

5.1 Blue-Green Deployment

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: blue-green-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-blue   # switch to app-green (and back) by changing only this field
            port:
              number: 80
```

Both the app-blue and app-green Services stay deployed; the cut-over is a change of `backend.service.name` (`kubectl apply` or `kubectl patch`) and rollback is the reverse edit. Keep the retired colour warm until the new one has served real traffic for a while.

5.2 Canary Release

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: canary-ingress
  annotations:
    nginx.ingress.kubernetes.io/canary: "true"
    nginx.ingress.kubernetes.io/canary-weight: "10"   # percent of requests sent to app-canary
spec:
  ingressClassName: nginx
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-canary
            port:
              number: 80
```

A canary Ingress only works next to a regular Ingress with the same host and path (such as blue-green-ingress above), which keeps receiving the other 90%. The weight is a fresh random draw per request, so a single user may alternate between versions; use `canary-by-cookie` for stickiness. ingress-nginx supports at most one canary Ingress per host/path rule, so 5.2 and 5.3 cannot both be applied to app.example.com at the same time.

5.3 Header-Based Routing

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: header-routing-ingress
  annotations:
    nginx.ingress.kubernetes.io/canary: "true"
    # The header is chosen by the client, so this selects a backend; it does not protect it.
    nginx.ingress.kubernetes.io/canary-by-header: "X-User-Type"
    nginx.ingress.kubernetes.io/canary-by-header-value: "internal"
spec:
  ingressClassName: nginx
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-internal
            port:
              number: 80
```

Requests carrying `X-User-Type: internal` go to app-internal; everything else continues through the remaining canary rules. The rules are evaluated in a fixed order: `canary-by-header`, then `canary-by-cookie`, then `canary-weight`. Because anyone on the internet can send the header, this is a routing convenience for previews and testing, not an access control: app-internal must authenticate its users itself, or the Ingress should require authentication (for example with `nginx.ingress.kubernetes.io/auth-url`) before the routing decision.
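An added example (not ingress-nginx code) that models the canary decision in Python, using the weight from 5.2 and the header rule from 5.3 against a stable backend assumed to be `app-blue`. The `roll` parameter replaces the controller's random draw so the weighted case is reproducible; the sample requests are constructed.

```python
"""Model of the ingress-nginx canary decision (added example, not controller
code). Precedence, as documented: canary-by-header, then canary-by-cookie,
then canary-weight. The rules below are the ones from 5.2 and 5.3; the stable
backend app-blue (5.1) and the sample requests are assumptions.
"""
import random
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class CanaryRule:
    """The subset of nginx.ingress.kubernetes.io/canary-* annotations modelled here."""
    canary_service: str
    by_header: Optional[str] = None          # canary-by-header
    by_header_value: Optional[str] = None    # canary-by-header-value
    by_cookie: Optional[str] = None          # canary-by-cookie
    weight: int = 0                          # canary-weight
    weight_total: int = 100                  # canary-weight-total


@dataclass
class Request:
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


def choose_backend(rule: CanaryRule, req: Request, stable_service: str,
                   roll: Callable[[int], int] = random.randrange) -> str:
    """Return the Service the request is proxied to."""
    # 1. Header. Without canary-by-header-value, "always"/"never" are fixed
    #    answers. With it, only an exact match selects the canary; any other
    #    value (including "never") is ignored and evaluation continues.
    if rule.by_header:
        value = req.headers.get(rule.by_header)
        if rule.by_header_value is not None:
            if value == rule.by_header_value:
                return rule.canary_service
        elif value == "always":
            return rule.canary_service
        elif value == "never":
            return stable_service
    # 2. Cookie, with the same always/never semantics; this is what gives a
    #    user a sticky choice across requests.
    if rule.by_cookie:
        cookie = req.cookies.get(rule.by_cookie)
        if cookie == "always":
            return rule.canary_service
        if cookie == "never":
            return stable_service
    # 3. Weight: an independent random draw per request, so it is not sticky.
    if rule.weight > 0 and roll(rule.weight_total) < rule.weight:
        return rule.canary_service
    return stable_service


STABLE = "app-blue"                                                    # 5.1 primary Ingress
WEIGHTED = CanaryRule("app-canary", weight=10)                         # 5.2
BY_HEADER = CanaryRule("app-internal", by_header="X-User-Type",
                       by_header_value="internal")                     # 5.3


def demo() -> Dict[str, str]:
    return {
        # Any client can send this header, so "internal" is reachable from anywhere.
        "header_match": choose_backend(BY_HEADER, Request(headers={"X-User-Type": "internal"}), STABLE),
        "header_other": choose_backend(BY_HEADER, Request(headers={"X-User-Type": "guest"}), STABLE),
        # Weighted canary with the random draw pinned for reproducibility.
        "weight_low_roll": choose_backend(WEIGHTED, Request(), STABLE, roll=lambda n: 3),
        "weight_high_roll": choose_backend(WEIGHTED, Request(), STABLE, roll=lambda n: 42),
    }


def canary_share(rule: CanaryRule, samples: int = 20000) -> float:
    """Fraction of anonymous requests that land on the canary."""
    hits = sum(choose_backend(rule, Request(), STABLE) == rule.canary_service for _ in range(samples))
    return hits / samples


if __name__ == "__main__":
    print(demo())
    print(f"weight 10 -> {canary_share(WEIGHTED):.1%} of requests on app-canary")
```

`header_match` is the security-relevant line: nothing in the decision checks who sent the request, only what it contains.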

6. Monitoring and Debugging

6.1 Checking Status

```bash
# Ingress objects and the addresses the controller published for them
kubectl get ingress -A
kubectl describe ingress <ingress-name>

# Controller logs (the label matches the Deployment in 4.1)
kubectl logs -n kube-system -l app=nginx-ingress

# Exercise a rule without touching DNS: send the Host header explicitly
curl -v -H "Host: app.example.com" http://<ingress-ip>/path
# For TLS hosts, --resolve keeps SNI and certificate validation meaningful
curl -v --resolve secure.example.com:443:<ingress-ip> https://secure.example.com/
```

6.2 Validating Configuration

```bash
# Client-side schema check only; it knows nothing about controller annotations
kubectl apply --dry-run=client -f ingress.yaml
# Server-side dry run also passes through the ingress-nginx admission webhook,
# which rejects annotations that would render an invalid nginx configuration
kubectl apply --dry-run=server -f ingress.yaml

# Inspect the nginx.conf the controller generated (every replica renders the same file)
kubectl exec -n kube-system <nginx-pod> -- cat /etc/nginx/nginx.conf
# Or, with the ingress-nginx krew plugin, only the server block for one host
kubectl ingress-nginx conf -n kube-system --host app.example.com
```

6.3 Metrics

```yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress-metrics
  namespace: kube-system
spec:
  type: ClusterIP   # port 10254 also serves /healthz; keep it inside the cluster
  selector:
    app: nginx-ingress
  ports:
  - name: metrics
    port: 10254
    targetPort: 10254
```

Prometheus metrics are served at `/metrics` on this port (controller flag `--enable-metrics`); scrape the Service with a ServiceMonitor or scrape annotations. Per-host request counts, upstream latency and `nginx_ingress_controller_config_last_reload_successful` are the first things worth alerting on.

7. Common Problems and Solutions

7.1 The Ingress Has No Effect

Problem: the service cannot be reached after the Ingress is created.

Likely causes

  • No Ingress controller deployed, or its pods are not ready
  • The Ingress has no `ingressClassName` (or the wrong one) and the controller ignores it
  • The backend Service or its endpoints are not ready (wrong selector or port)
  • DNS does not point at the controller's external address
  • Path or pathType does not match what the client requests

Checks

```bash
kubectl get pods -n kube-system -l app=nginx-ingress
kubectl get svc -n kube-system nginx-ingress       # EXTERNAL-IP must be populated
kubectl get ingressclass                            # does the class named in the Ingress exist?
kubectl get ingress <ingress-name> -o wide           # empty ADDRESS: the controller never picked it up
kubectl get endpoints <backend-service>              # empty: the selector matches no ready pod
nslookup app.example.com
```

7.2 TLS Certificate Problems

Problem: clients report an invalid certificate on HTTPS.

Likely causes

  • The Secret does not exist in the Ingress's namespace or is not of type kubernetes.io/tls
  • The certificate has expired
  • The hostname is not among the certificate's Subject Alternative Names
  • The Secret failed to load and the controller fell back to its "Kubernetes Ingress Controller Fake Certificate"

Checks

```bash
# Inspect the certificate without printing the private key to your terminal
kubectl get secret tls-secret -o jsonpath='{.data.tls\.crt}' | base64 -d \
  | openssl x509 -noout -subject -dates -ext subjectAltName
# Confirm what the controller actually serves for the host
openssl s_client -connect <ingress-ip>:443 -servername secure.example.com </dev/null 2>/dev/null \
  | openssl x509 -noout -subject -issuer
# Certificate load errors appear in the controller log
kubectl logs -n kube-system -l app=nginx-ingress | grep -i certificate
```

7.3 Path Rewrite Problems

Problem: 404 after a rewrite.

Likely causes

  • `rewrite-target` replaces the whole path when no capture group is used
  • The regex does not match (for example a missing trailing slash), or `use-regex` is not set
  • The backend does not serve the rewritten path

Checks

```bash
# Find the location block generated for the rule and the rewrite it contains
kubectl exec -n kube-system <nginx-pod> -- grep -A 10 "location" /etc/nginx/nginx.conf
# Compare what the backend receives with what you expect by watching its access log
kubectl logs deploy/<backend-deployment> -f
```

8. Performance Tuning

8.1 Timeouts and Connection Reuse

Proxy timeouts are per-Ingress annotations. Keepalive settings are not: `keepalive-requests` and `keepalive-timeout` are not ingress-nginx annotations and were being ignored in the original; they are ConfigMap keys that apply to the whole controller.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: optimized-ingress
  annotations:
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "10"   # seconds
    nginx.ingress.kubernetes.io/proxy-read-timeout: "60"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "60"
spec:
  ingressClassName: nginx
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-service
            port:
              number: 80
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-configuration
  namespace: kube-system
data:
  keep-alive: "65"                       # client-side keepalive timeout, seconds
  keep-alive-requests: "10000"           # requests per client connection
  upstream-keepalive-connections: "320"  # idle connections kept per upstream
  upstream-keepalive-requests: "10000"
  upstream-keepalive-timeout: "60"
```

Short read timeouts are also a defence: a slow backend holds a controller connection for the full `proxy-read-timeout`, so generous values make it easier for a slow client or backend to exhaust the controller.

8.2 Response Caching

ingress-nginx has no `proxy-cache*` annotations; the ones in the original listing do not exist and are ignored, so that Ingress cached nothing. Caching needs raw nginx directives: a `proxy_cache_path` declared cluster-wide through the ConfigMap `http-snippet`, and `proxy_cache` switched on for the Ingress through `configuration-snippet`.

Snippet annotations are disabled by default (`allow-snippet-annotations: "false"`) for a good reason: anyone allowed to create an Ingress can use them to inject arbitrary directives into the shared controller process, which is how CVE-2021-25742 let Ingress authors read Secrets cluster-wide. Enable them only where every Ingress author is already trusted with the controller's privileges, and note that newer releases additionally gate them behind the `annotations-risk-level` ConfigMap setting.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-configuration
  namespace: kube-system
data:
  allow-snippet-annotations: "true"   # see the warning above
  http-snippet: |
    # /tmp is writable by the controller's uid 101; the cache is per replica and not persisted
    proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=static:10m max_size=1g inactive=10m use_temp_path=off;
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cache-ingress
  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_cache static;
      proxy_cache_key $scheme$request_method$host$request_uri;
      proxy_cache_valid 200 10m;
      add_header X-Cache-Status $upstream_cache_status;
spec:
  ingressClassName: nginx
  rules:
  - host: static.example.com
    http:
      paths:
      - path: /static
        pathType: Prefix
        backend:
          service:
            name: static-service
            port:
              number: 80
```

Only cache content that is identical for every user. This cache key deliberately contains no cookie or Authorization header, so applying it to a personalised path would serve one user's response to the next; nginx's default of not caching responses that carry Set-Cookie helps, but restricting the rule to `/static` is the real control.

9. Summary

Ingress is the standard way to expose HTTP services from a Kubernetes cluster. Configured carefully it provides:

  1. A single entry point: many services behind one external address
  2. HTTPS: TLS termination and certific­ate management at the edge
  3. Traffic control: per-client rate limiting and upstream retries (`proxy-next-upstream`); circuit breaking is a service-mesh feature (Istio), not something ingress-nginx offers
  4. Advanced routing: by path, host and header
  5. Release strategies: blue-green and canary

Choose the controller that fits your environment, pin its version, keep the trusted-proxy CIDR narrow, and treat the controller's ServiceAccount and snippet annotations as privileged.


http://www.jsqmd.com/news/877341/
