Kubernetes Ingress Controller In Depth: From Beginner to Expert

Introduction

In the Kubernetes ecosystem, Ingress is the core component for exposing cluster services to external clients. As a standard Kubernetes API resource, Ingress offers a flexible way to manage HTTP/HTTPS traffic routing. This article examines how an Ingress Controller works, how it is configured, and the practices that hold up in production.

Ingress Fundamentals

What Is Ingress

Ingress is the Kubernetes API object that manages external access to services inside a cluster. It provides:

  • HTTP/HTTPS routing rules: route external requests to different services inside the cluster
  • SSL/TLS termination: handle encrypted connections at the edge
  • Virtual host support: route by host name
  • Path rewriting: flexible URL path matching and rewriting

The Role of the Ingress Controller

An Ingress Controller is the component that implements the Ingress API: it watches Ingress resources for changes and reconfigures its load balancer (for example NGINX) accordingly. Without a running controller, an Ingress object has no effect. Common Ingress Controllers include:

  • NGINX Ingress Controller: the most widely used open-source option
  • Traefik: a cloud-native edge router
  • HAProxy Ingress Controller: a high-performance load-balancing option
  • AWS ALB Ingress Controller: the AWS-native option
  • GKE Ingress Controller: the Google Cloud-native option

Hands-on with NGINX Ingress Controller

Installing NGINX Ingress Controller

# Install with Helm
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install nginx-ingress ingress-nginx/ingress-nginx \
  --namespace ingress-nginx \
  --create-namespace \
  --set controller.replicaCount=2 \
  --set controller.nodeSelector."kubernetes\.io/os"=linux \
  --set defaultBackend.nodeSelector."kubernetes\.io/os"=linux

Verify the installation

kubectl get pods -n ingress-nginx
kubectl get svc -n ingress-nginx

Ingress Resource Configuration in Detail

Basic routing

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: basic-ingress
  annotations:
    # Replaces the whole request URI with "/", so /app/anything reaches the
    # backend as "/". Use capture groups (see the path-rewriting section below)
    # when the backend needs to keep the sub-path.
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /app
        pathType: Prefix
        backend:
          service:
            name: my-app-service
            port:
              number: 80

HTTPS configuration

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
spec:
  tls:
  - hosts:
    - secure.example.com
    secretName: tls-secret   # a kubernetes.io/tls Secret in the same namespace
  rules:
  - host: secure.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: secure-service
            port:
              # TLS terminates at NGINX and the backend is reached over plain
              # HTTP by default; if secure-service itself speaks TLS on 443,
              # add nginx.ingress.kubernetes.io/backend-protocol: "HTTPS".
              number: 443

Create the TLS Secret:

kubectl create secret tls tls-secret \
  --key=./tls.key \
  --cert=./tls.crt

Path rewriting

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rewrite-ingress
  annotations:
    # $2 is the second capture group of the path regex: /api/users -> /users,
    # /api -> /. Setting rewrite-target makes ingress-nginx treat the path as
    # a regular expression.
    nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /api(/|$)(.*)
        # A regex is not a valid Prefix path; ingress-nginx documents regex
        # paths under ImplementationSpecific.
        pathType: ImplementationSpecific
        backend:
          service:
            name: api-service
            port:
              number: 80
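As an added illustration (not from the original article), the following POSIX shell function emulates how NGINX applies `rewrite-target`: when the location regex matches, the whole URI is replaced by the target with `$N` substituted by the captured groups. It is run against the article's `/api(/|$)(.*)` rule and against the `rewrite-target: /` used in the basic example; sed's ERE engine stands in for NGINX's PCRE, which agrees for these patterns.

```shell
#!/bin/sh
# Emulation of the nginx `rewrite` that ingress-nginx generates from the
# rewrite-target annotation. Constructed for this article, not controller code.
# Differences from NGINX: the generated location is case-insensitive (~*),
# this emulation is case-sensitive, and query strings are not part of the URI.

rewrite_path() {
  path_regex=$1     # the Ingress `path:` value, used as the location regex
  target=$2         # the rewrite-target annotation value, e.g. /$2
  request=$3        # the incoming request path

  # A request that does not match the location never reaches this rule;
  # it falls through to the default backend (normally a 404).
  if ! printf '%s\n' "$request" | grep -Eq "^$path_regex"; then
    echo "NO_MATCH"
    return 0
  fi
  # Turn nginx-style $N placeholders into sed back-references \N.
  repl=$(printf '%s' "$target" | sed 's/\$\([0-9]\)/\\\1/g')
  # Anchor the regex at the start and replace the ENTIRE URI, as nginx does.
  printf '%s\n' "$request" | sed -E "s#^${path_regex}.*\$#${repl}#"
}

# The article's rewrite-ingress rule: path /api(/|$)(.*), target /$2
rewrite_path '/api(/|$)(.*)' '/$2' '/api/users/42'   # -> /users/42
rewrite_path '/api(/|$)(.*)' '/$2' '/api'            # -> /
rewrite_path '/api(/|$)(.*)' '/$2' '/apix/1'         # -> NO_MATCH

# The article's basic-ingress rule: path /app with rewrite-target / collapses
# every matched request, so the backend never sees the sub-path.
rewrite_path '/app' '/' '/app/login'                 # -> /
```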

Advanced Configuration

Weight-based traffic splitting

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: canary-ingress
  annotations:
    nginx.ingress.kubernetes.io/canary: "true"
    # 30% of requests go to my-app-canary; the rest follow the regular
    # (non-canary) Ingress, which must already exist for the same host and path.
    nginx.ingress.kubernetes.io/canary-weight: "30"
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app-canary
            port:
              number: 80

Client IP preservation and source IP allow-list

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ip-whitelist-ingress
  annotations:
    # Only clients from these networks reach the service; everyone else gets 403.
    nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.1.0/24,10.0.0.0/8"
    # The original also set nginx.ingress.kubernetes.io/use-forwarded-headers,
    # which is not an Ingress annotation: use-forwarded-headers is a key in the
    # controller's ConfigMap. The allow-list is only as reliable as the client
    # address NGINX sees. Behind a load balancer that NATs the source, set
    # externalTrafficPolicy: Local on the controller Service (or use proxy
    # protocol); enable use-forwarded-headers only when a trusted proxy in front
    # of the controller sets X-Forwarded-For, because clients can set that
    # header themselves.
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: protected-service
            port:
              number: 80

Custom NGINX settings

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: custom-config-ingress
  annotations:
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"   # seconds
    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"   # seconds
    # The ingress-nginx annotation behind client_max_body_size is
    # proxy-body-size; the client-max-body-size annotation in the original
    # does not exist and would be ignored.
    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: large-file-service
            port:
              number: 80

High Availability for the Ingress Controller

Run multiple replicas

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx-ingress
  template:
    metadata:
      labels:
        app: nginx-ingress
    spec:
      # Assumes a ServiceAccount with the RBAC the Helm chart creates: the
      # controller must list/watch Ingress, Service, Endpoints, Secret and
      # ConfigMap objects.
      containers:
      - name: nginx-ingress
        image: k8s.gcr.io/ingress-nginx/controller:v1.5.1
        args:
        - /nginx-ingress-controller
        - --publish-service=$(POD_NAMESPACE)/nginx-ingress
        # Leader election is always on; --election-id only names the lease the
        # replicas share. The --leader-elect flag in the original is not a
        # controller flag and has been dropped.
        - --election-id=ingress-controller-leader
        env:
        # Required so that $(POD_NAMESPACE) in the args above expands.
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443

Service type

apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  # Add externalTrafficPolicy: Local when rules such as whitelist-source-range
  # or per-IP rate limits need the real client address; the default (Cluster)
  # may NAT the source IP.
  selector:
    app: nginx-ingress
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
  - name: https
    port: 443
    targetPort: 443
    protocol: TCP

Monitoring and Logging

Enable Prometheus monitoring

apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress-metrics
  namespace: ingress-nginx
  annotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "10254"
spec:
  # ClusterIP by default: keep the metrics endpoint internal to the cluster.
  selector:
    app: nginx-ingress
  ports:
  - name: metrics
    port: 10254          # the controller serves /metrics on this port
    targetPort: 10254

Logging configuration

# The original set NGINX_LOG_LEVEL / NGINX_ENABLE_ACCESS_LOG environment
# variables on the controller container, but ingress-nginx does not read them.
# NGINX logging is configured through the controller's ConfigMap (the object
# named by its --configmap flag; the name below is an assumption). The
# controller's own log verbosity is the --v=N command-line flag.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
data:
  error-log-level: "info"       # nginx error_log level: debug, info, notice, warn, error, crit
  disable-access-log: "false"   # "true" silences the per-request access log

Performance Tuning

Connection reuse (keep-alive)

# Keep-alive settings are controller-wide ConfigMap keys, not Ingress
# annotations; the keepalive-* annotations in the original are not recognised
# by ingress-nginx, so the Ingress itself needs no annotation for this. The
# ConfigMap name is an assumption and must match the controller's --configmap flag.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
data:
  keep-alive-requests: "10000"   # requests served over one client connection
  keep-alive: "65"               # seconds an idle client connection stays open
  # upstream-keepalive-connections tunes the NGINX-to-backend connection pool.

Rate limiting

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rate-limited-ingress
  annotations:
    # Limits are keyed on the client IP, so they need the real client address
    # (see the client IP section). When several limits are set, the most
    # restrictive one applies; excess requests are rejected with 503 by default.
    nginx.ingress.kubernetes.io/limit-rps: "100"
    nginx.ingress.kubernetes.io/limit-rpm: "5000"
    nginx.ingress.kubernetes.io/limit-connections: "1000"
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 80

Common Problems and Solutions

Problem 1: the Ingress configuration has no effect

Troubleshooting steps

# Check the Ingress Controller logs (the label matches the Deployment above;
# a Helm install labels the pods app.kubernetes.io/name=ingress-nginx instead)
kubectl logs -n ingress-nginx -l app=nginx-ingress

# Inspect the Ingress resource: events, rules and the assigned address
kubectl describe ingress my-ingress

# Check that the backend Service actually has endpoints
kubectl get endpoints my-service

Problem 2: SSL certificate problems

Solution

# Verify the certificate format and contents
openssl x509 -in tls.crt -text -noout

# Check that the Secret was created correctly
kubectl get secret tls-secret -o yaml

# Verify the validity period (non-zero exit status if already expired)
openssl x509 -in tls.crt -checkend 0
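Added example, not from the article: a shell function that runs the checks above against a certificate and key before they go into the `tls-secret` Secret, and additionally confirms the key belongs to the certificate, a common cause of ingress-nginx serving its built-in fake certificate. The function name `check_tls_pair` and the 14-day expiry threshold are this editor's choices.

```shell
#!/bin/sh
# Pre-flight check for a TLS key/certificate pair before
# `kubectl create secret tls`. Constructed for this article, not project code.
# Assumes an unencrypted PEM key, which is what the Secret needs anyway.
# Usage: check_tls_pair tls.crt tls.key [min_days]

check_tls_pair() {
  crt=$1
  key=$2
  min_days=${3:-14}   # assumed default threshold, not from the article
  status=0

  # 1. The certificate must parse as PEM X.509.
  if ! openssl x509 -in "$crt" -noout >/dev/null 2>&1; then
    echo "FAIL: $crt is not a PEM X.509 certificate"
    return 1
  fi
  # 2. The private key must belong to the certificate: compare public keys.
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null)
  if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key does not match $crt"
    status=1
  fi
  # 3. The certificate must stay valid for min_days (-checkend takes seconds).
  if ! openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "FAIL: $crt expires within $min_days days"
    status=1
  fi
  # 4. Clients match the host against subjectAltName, not CN: warn if absent.
  if ! openssl x509 -in "$crt" -noout -text | grep -A1 'Subject Alternative Name' | grep -q 'DNS:'; then
    echo "WARN: $crt has no DNS subjectAltName; modern clients will reject it"
  fi
  [ "$status" -eq 0 ] && echo "OK: $key matches $crt, valid for at least $min_days days"
  return "$status"
}

# Example invocation with the article's file names:
# check_tls_pair ./tls.crt ./tls.key && \
#   kubectl create secret tls tls-secret --key=./tls.key --cert=./tls.crt
```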

Problem 3: performance bottleneck

Solution

  • Increase the number of Ingress Controller replicas
  • Configure connection reuse
  • Enable compression
  • Use a caching strategy

Summary

The Ingress Controller is the key component for exposing services from a Kubernetes cluster. With well-structured Ingress resources you get flexible traffic routing, HTTPS access and efficient load balancing. In production, pay attention to high availability, performance tuning and security hardening to keep services running reliably.


