
Mastering Kubernetes: Managing Ingress Resources Easily with the kubectl ingress-nginx Plugin

Linux运维智行录 2024-09-29

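As Kubernetes has become widely used for container orchestration, managing a cluster's network entry points effectively has become essential. Ingress-Nginx, one of the most popular Ingress controllers for Kubernetes, provides powerful features for handling complex routing rules. To make Ingress-Nginx instances easier to operate, the community developed an official plugin called kubectl ingress-nginx. This article walks you through installing the plugin and shows several practical examples of what it can do.

[In production environments] Operate carefully, think twice before acting, keep things secure, and proceed one step at a time.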


01
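Introducing and installing Krew

Krew is the plugin manager for the kubectl command-line tool.


Krew helps you:

  • discover kubectl plugins,

  • install them on your machine,

  • and keep the installed plugins up to date.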




Installing Krew offline

1. Download the krew package

$ curl -LO https://github.com/kubernetes-sigs/krew/releases/download/v0.4.4/krew-linux_amd64.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 4444k  100 4444k    0     0   246k      0  0:00:18  0:00:18 --:--:--  279k


2. Download the krew installation file

$ curl -LO https://github.com/kubernetes-sigs/krew/releases/download/v0.4.4/krew.yaml
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  3534  100  3534    0     0   1824      0  0:00:01  0:00:01 --:--:-- 3451k


3. Install krew

$ tempDir=$(mktemp -d)   
$ tar xvf krew-linux_amd64.tar.gz -C ${tempDir}
$ ${tempDir}/krew-linux_amd64 install --manifest=krew.yaml --archive=krew-linux_amd64.tar.gz
Installing plugin: krew
Installed plugin: krew
\
 | Use this plugin:
 |      kubectl krew
 | Documentation:
 |      https://krew.sigs.k8s.io/
 | Caveats:
 | \
 |  | krew is now installed! To start using kubectl plugins, you need to add
 |  | krew's installation directory to your PATH:
 |  | 
 |  |   * macOS/Linux:
 |  |     - Add the following to your ~/.bashrc or ~/.zshrc:
 |  |         export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"
 |  |     - Restart your shell.
 |  | 
 |  |   * Windows: Add %USERPROFILE%\.krew\bin to your PATH environment variable
 |  | 
 |  | To list krew commands and to get help, run:
 |  |   $ kubectl krew
 |  | For a full list of available plugins, run:
 |  |   $ kubectl krew search
 |  | 
 |  | You can find documentation at
 |  |   https://krew.sigs.k8s.io/docs/user-guide/quickstart/.
 | /
/

$ rm -rf ${tempDir}

4. Set the environment variable

# Takes effect for the current shell only
$ export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"

# Takes effect permanently
$ echo 'export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"' >> ~/.bashrc


02
Installing the ingress-nginx plugin offline

1. Download the ingress-nginx package

$ curl -LO https://github.com/kubernetes/ingress-nginx/releases/download/controller-0.31.0/kubectl-ingress_nginx-linux-amd64.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 8892k  100 8892k    0     0   216k      0  0:00:41  0:00:41 --:--:--  177k


2. Download the ingress-nginx installation file

$ curl -LO https://github.com/kubernetes-sigs/krew-index/raw/refs/heads/master/plugins/ingress-nginx.yaml

3. Install ingress-nginx

$ kubectl krew install --manifest ingress-nginx.yaml --archive kubectl-ingress_nginx-linux-amd64.tar.gz 
Installing plugin: ingress-nginx
Installed plugin: ingress-nginx
\
 | Use this plugin:
 |      kubectl ingress-nginx
 | Documentation:
 |      https://kubernetes.github.io/ingress-nginx/kubectl-plugin/
/
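
Both offline installs above copy an archive and a manifest to the target host by hand, so the archive can be checked against the `sha256` value the manifest records for it before `krew install --manifest ... --archive ...` is run. The following is an added example, not part of the original article or of krew itself; it assumes a manifest whose platform entries carry `uri` and `sha256` fields, and the function names, the `example.invalid` URLs and the stand-in archive are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article or the krew project): compare an
# offline-copied archive with the sha256 recorded for it in the plugin manifest.

# Print the sha256 of the platform entry whose uri ends in the archive's file
# name. Works whether uri or sha256 comes first inside an entry.
manifest_sha256() {   # usage: manifest_sha256 <manifest.yaml> <archive>
  awk -v name="$(basename "$2")" '
    function check() {
      if (!found && uri == name && sum != "") { print sum; found = 1 }
      uri = sum = ""
    }
    { k = ($1 == "-") ? 2 : 1; key = $k; val = $(k + 1); gsub(/["\r]/, "", val) }
    key == "uri:"    { if (uri != "") check(); n = split(val, p, "/"); uri = p[n] }
    key == "sha256:" { if (sum != "") check(); sum = tolower(val) }
    END { check(); exit !found }
  ' "$1"
}

# Return 0 only if the archive's hash equals the hash pinned in the manifest.
verify_krew_archive() {   # usage: verify_krew_archive <manifest.yaml> <archive>
  _want=$(manifest_sha256 "$1" "$2") || { echo "no entry for $2 in $1" >&2; return 2; }
  _got=$(sha256sum "$2" | awk '{ print $1 }')
  [ "$_want" = "$_got" ] || { echo "MISMATCH $2: manifest=$_want file=$_got" >&2; return 1; }
  echo "OK $2 sha256=$_got"
}

# Constructed demo: a stand-in archive and a manifest that pins its hash.
demo() {
  _d=$(mktemp -d) && _a="$_d/krew-linux_amd64.tar.gz"
  printf 'constructed stand-in for the real archive\n' > "$_a"
  cat > "$_d/krew.yaml" <<EOF
spec:
  platforms:
  - uri: https://example.invalid/download/krew-darwin_amd64.tar.gz
    sha256: $(printf 'other' | sha256sum | awk '{ print $1 }')
  - uri: https://example.invalid/download/krew-linux_amd64.tar.gz
    sha256: $(sha256sum "$_a" | awk '{ print $1 }')
EOF
  verify_krew_archive "$_d/krew.yaml" "$_a" && _r1=0 || _r1=$?   # intact copy
  printf 'x' >> "$_a"                                            # altered in transit
  verify_krew_archive "$_d/krew.yaml" "$_a" && _r2=0 || _r2=$?
  rm -rf "$_d"; echo "intact=$_r1 modified=$_r2"
}
demo
```

On the offline host, call `verify_krew_archive krew.yaml krew-linux_amd64.tar.gz` (and likewise for the ingress-nginx pair) before the install step; a non-zero status means the archive and the manifest do not match.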


03
Using the ingress-nginx plugin

1. View the ingress backends

$ kubectl ingress-nginx -n kube-system backends --list
default-simple-80

$ kubectl ingress-nginx -n kube-system backends --backend default-simple-80
{
  "endpoints": [
    {
      "address": "10.244.135.161",
      "port": "1234"
    }
  ],
  "name": "default-simple-80",
  "noServer": false,
  "port": 80,
  "service": {
    "metadata": {
      "creationTimestamp": null
    },
    "spec": {
      "clusterIP": "10.98.15.159",
      "clusterIPs": [
        "10.98.15.159"
      ],
      "internalTrafficPolicy": "Cluster",
      "ipFamilies": [
        "IPv4"
      ],
      "ipFamilyPolicy": "SingleStack",
      "ports": [
        {
          "name": "http",
          "port": 80,
          "protocol": "TCP",
          "targetPort": 1234
        }
      ],
      "selector": {
        "app": "simple"
      },
      "sessionAffinity": "None",
      "type": "ClusterIP"
    },
    "status": {
      "loadBalancer": {}
    }
  },
  "sessionAffinityConfig": {
    "cookieSessionAffinity": {
      "name": ""
    },
    "mode": "",
    "name": ""
  },
  "sslPassthrough": false,
  "trafficShapingPolicy": {
    "cookie": "",
    "header": "",
    "headerPattern": "",
    "headerValue": "",
    "weight": 0,
    "weightTotal": 0
  },
  "upstreamHashByConfig": {
    "upstream-hash-by-subset-size": 3
  }
}


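2. View the ingress certificate (as the output below shows, the command prints the private key along with the certificate)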

$ kubectl ingress-nginx -n kube-system certs --host simple.jiaxzeng.com
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

3. View the nginx configuration file corresponding to the ingress

$ kubectl ingress-nginx -n kube-system conf --host simple.jiaxzeng.com
        server {
                server_name simple.jiaxzeng.com ;

                http2 on;

                listen 80  ;
                listen [::]:80  ;
                listen 442 proxy_protocol  ssl;
                listen [::]:442 proxy_protocol  ssl;

                set $proxy_upstream_name "-";

                ssl_certificate_by_lua_block {
                        certificate.call()
                }

                location / {

                        set $namespace      "default";
                        set $ingress_name   "simple";
                        set $service_name   "simple";
                        set $service_port   "80";
                        set $location_path  "/";
                        set $global_rate_limit_exceeding n;

                        rewrite_by_lua_block {
                                lua_ingress.rewrite({
                                        force_ssl_redirect = false,
                                        ssl_redirect = true,
                                        force_no_ssl_redirect = false,
                                        preserve_trailing_slash = false,
                                        use_port_in_redirects = false,
                                        global_throttle = { namespace = "", limit = 0, window_size = 0, key = { }, ignored_cidrs = { } },
                                })
                                balancer.rewrite()
                                plugins.run()
                        }

                        # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
                        # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
                        # other authentication method such as basic auth or external auth useless - all requests will be allowed.
                        #access_by_lua_block {
                        #}

                        header_filter_by_lua_block {
                                lua_ingress.header()
                                plugins.run()
                        }

                        body_filter_by_lua_block {
                                plugins.run()
                        }

                        log_by_lua_block {
                                balancer.log()

                                monitor.call()

                                plugins.run()
                        }

                        port_in_redirect off;

                        set $balancer_ewma_score -1;
                        set $proxy_upstream_name "default-simple-80";
                        set $proxy_host          $proxy_upstream_name;
                        set $pass_access_scheme  $scheme;

                        set $pass_server_port    $server_port;

                        set $best_http_host      $http_host;
                        set $pass_port           $pass_server_port;

                        set $proxy_alternative_upstream_name "";

                        client_max_body_size                    1m;

                        proxy_set_header Host                   $best_http_host;

                        # Pass the extracted client certificate to the backend

                        # Allow websocket connections
                        proxy_set_header                        Upgrade           $http_upgrade;

                        proxy_set_header                        Connection        $connection_upgrade;

                        proxy_set_header X-Request-ID           $req_id;
                        proxy_set_header X-Real-IP              $remote_addr;

                        proxy_set_header X-Forwarded-For        $remote_addr;

                        proxy_set_header X-Forwarded-Host       $best_http_host;
                        proxy_set_header X-Forwarded-Port       $pass_port;
                        proxy_set_header X-Forwarded-Proto      $pass_access_scheme;
                        proxy_set_header X-Forwarded-Scheme     $pass_access_scheme;

                        proxy_set_header X-Scheme               $pass_access_scheme;

                        # Pass the original X-Forwarded-For
                        proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;

                        # mitigate HTTPoxy Vulnerability
                        # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
                        proxy_set_header Proxy                  "";

                        # Custom headers to proxied server

                        proxy_connect_timeout                   5s;
                        proxy_send_timeout                      60s;
                        proxy_read_timeout                      60s;

                        proxy_buffering                         off;
                        proxy_buffer_size                       4k;
                        proxy_buffers                           4 4k;

                        proxy_max_temp_file_size                1024m;

                        proxy_request_buffering                 on;
                        proxy_http_version                      1.1;

                        proxy_cookie_domain                     off;
                        proxy_cookie_path                       off;

                        # In case of errors try the next upstream server before returning an error
                        proxy_next_upstream                     error timeout;
                        proxy_next_upstream_timeout             0;
                        proxy_next_upstream_tries               3;

                        # Custom Response Headers

                        proxy_pass http://upstream_balancer;

                        proxy_redirect                          off;

                }

        }


04
References
  • https://github.com/kubernetes-sigs/krew-index/tree/master/plugins

  • https://krew.sigs.k8s.io/plugins/


05
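Conclusion

As the walkthrough above shows, the kubectl ingress-nginx plugin makes day-to-day operations work considerably more convenient. It makes monitoring and debugging Ingress-Nginx more direct and simple, and it also improves our understanding of and control over the whole Kubernetes environment. I hope every reader learns something useful from this article and can apply these techniques flexibly in real work. Let's move toward a more efficient cloud-native journey together!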

