k8s! Ingress service

Keywords: Operation & Maintenance Kubernetes

I. ingress

  • Background:

The way service exposes services is not appropriate in the actual production environment:

ClusterIP Can only be accessed within the cluster.
NodePort In this way, the test environment is OK. When dozens or hundreds of services are running in the cluster, NodePort Port management is a disaster.
LoadBalance The method is limited by the cloud platform and is usually deployed on the cloud platform ELB Additional costs are required.
  • introduce:

Ingress can be simply understood as the service of a service. It formulates request forwarding rules (routing and proxy rules) through independent ingress objects to route requests to one or more services (L4). In this way, the service and request rules are decoupled, and the business exposure can be considered uniformly from the business dimension (NGINX domain name), rather than for each service
Consider separately.
For example, the cluster now has three service s: api, file store and front end. The request forwarding in the figure can be realized through an ingress object:
The ingress rule is very flexible. It can forward requests to different service s according to different domain names and different path s, and supports https/http (Alibaba cloud ingress will bring you an encrypted HTTPS certificate when using this technology)
ng + tomcat
www.ky11.com/ --> Nginx
www.ky11.com/tomcat ->tomcat
And / and / tomcat are determined by defining PATH in the yml file of ingress

  • Ingress structure in K8S:

ingress(L7) service(L4) label selector pods
port: 80 -- domain name 1 -- app Service -- app selector -- app

1.1 introduction to ingress

  • Inress API and inress controller

  • Ingress is divided into two concepts, ingress API and ingress controller

① Ingress api: refers to an api object in k8s, which is generally configured with yaml. Its general function is to define the rules of how requests are forwarded to the service, that is, the configured rules (which can be routed and forwarded according to http header, path, etc.)
There are various types of Ingress controllers, including Google Cloud Load Balancer, Nginx, Contour, Istio, and so on. It also has various plug-ins
② Ingress controller: a container in which load balancing programs are running, such as ingress nginx and ingress haproxy. The ingress controller will parse the rules defined by ingress (configuration items / list in yml file) (inject the rules of reverse proxy and the way of matching path into the configuration file of load balancing service in the container), and realize request forwarding according to the configured rules.
Common deployment paradigms of ingress
PS: reasons for consideration

Ingress controller is run as a pod. How is it better to deploy it
ingress solves how to route requests to the inside of the cluster. How can it expose itself to the outside

  1. Service in Deployment+LoadBalancer mode
    This method is suitable for deploying inress controller in the public cloud. Create a service with type LoadBalancer to associate this group of services with pod2. Deployment+NodePort mode

2. Deploy ingress controller in the deployment mode and create the corresponding service, but the type is nodeport. In this way, ingress is exposed to the specific port of the cluster node ip. Since the ports exposed by nodeport are random ports, a set of load balancer will be built in front to forward requests

  1. DaemonSet+HostNetwork+nodeSelector
    Use the daemon set and nodeselector to deploy the ingress controller to a specific node, and then use the host network to connect the pod directly with the network of the host node, and directly use the 80 / 433 port of the host to access the service.

1.2 advantages and working principle of ingress

1. Dynamic configuration service
In the traditional way, when a new service is added, we may need to add a reverse proxy at the traffic entry
Provide us with a new k8s service. If you use ingress nginx, you only need to configure (define the YML file) the service when the service is started
It will be automatically registered (the yml configuration list will be injected into the configuration of the load balancing service in the Ingress container) into the Ingress, and no external operations are required.

2. Reduce unnecessary port mapping
It is clear to all who have configured k8s. The first step is to turn off the firewall. The main reason is that many services of k8s will fail
It is mapped in NodePort mode, which is equivalent to punching many holes in the host, which is neither safe nor elegant
Ingress can avoid this problem. Except that ingress's own services may need to be mapped out, other services are not required
Use NodePort mode

3. How ingress nginx works

1) The ingress controller interacts with kubernetes api to dynamically sense the changes of ingress rules in the cluster
2) Then read it. According to the custom rules, the rules specify which domain name corresponds to which service, and generate an nginx configuration
3) Then write it to the pod of nginx Ingress controller. An nginx service is running in the pod of Ingress controller. The Ingress controller will write the generated nginx configuration into the / etc/nginx.conf file, which will be injected into nginx by the Ingress controller_ In pod
4) Then reload to make the configuration effective. So as to achieve the problem of domain name configuration and dynamic update respectively. - > Overloaded nginx_Pod configuration

2, Experiment

  • 1. Create ns
kubectl create ns ky11
kubectl get namespaces
  • 2. Create deploy and service resources
vim httpd.yml
kind: Deployment
apiVersion: extensions/v1beta1
  name: web01
  namespace: ky11
  replicas: 3 
        app: httpd01
      - name: httpd
        image: httpd
apiVersion: v1
kind: Service
  name: httpd-svc
  namespace: ky11
    app: httpd01
  - protocol: TCP
    port: 80
    targetPort: 80

kubectl apply -f httpd.yml
  • 3. Create tomcat and its service
kind: Deployment
apiVersion: extensions/v1beta1
  name: web02
  namespace: ky11
  replicas: 3
        app: tomcat01
      - name: tomcat
        image: tomcat:8.5.45 
apiVersion: v1
kind: Service
  name: tomcat-svc
  namespace: ky11
    app: tomcat01
  - protocol: TCP
    port: 8080
    targetPort: 8080


kubectl apply -f tomcat.yml
  • inspect
kubectl get svc -n ky11

CURL -I "httpd-svc"
CURL -I "tomcat-svc"
  • 4. Create ingress nginx resource object
    Download website:
#Modify 212 lines
  spec:                               #spec field in line 212
      hostNetwork: true      #Add this line to indicate that the host network is used
      # wait up to five minutes for the drain of connections
      terminationGracePeriodSeconds: 300
      serviceAccountName: nginx-ingress-serviceaccount
        kubernetes.io/os: linux
        - name: nginx-ingress-controller
          image: registry.aliyuncs.com/google_containers/nginx-ingress-controller:0.29.0
##Modify the above image
  • Publish and view
kubectl  apply  -f mandatory.yaml

kubectl  get  pod -n ingress-nginx -o wide

############Define ingress rules

vim ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
  name: test-ingress
  namespace: ky11
    nginx.ingress.kubernetes.io/rewrite-target: /
  - host: www.test01.com
      - path: /
          serviceName: httpd-svc
          servicePort: 80
      - path: /tomcat
          serviceName: tomcat-svc
          servicePort: 8080

kubectl apply -f ingress.yaml

kubectl get ingresses -n ky11
  • Configure mapping on win10 host
visit www.test01.com and www.test01.com/tomcat
  • PS:

In the above access test, although the corresponding service is accessed, there is a disadvantage that when DNS resolution is performed, only the node IP where the ingress nginx container is located can be specified. The IP addresses (including the master) of other nodes in the specified k8s cluster are inaccessible. If this node goes down and the ingress nginx container is transferred to other nodes for operation (regardless of the node label, if the default label in the yaml file of ingress nginx is maintained, then each node has that label). Then we have to manually change the IP of DNS resolution (to change to the IP of the node where the ingress nginx container is located, you can view the node through the command "kubectl get Pod - N ingress nginx - O wide").
Therefore, you need to create another Service of nodePort type for the ingress nginx rule, so that when configuring DNS resolution, you can use www.test01.com to bind the IP of all node nodes, including the master node.


cat service-nodeport.yaml 
apiVersion: v1
kind: Service
  name: ingress-nginx
  namespace: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  type: NodePort
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

 kubectl apply -f service-nodeport.yaml
kubectl  get  svc -n ingress-nginx

Visit www.test1.com again: Port

2.1 jenkins common plug-ins

 Git Parameter:This is a parameter build extension that can be selected at build time git To build a service.

  Docker: utilize Docker Container dynamic creation Jenkins Slave. If so Kubernetes/Openshift Cluster, you don't need this plug-in. Directly use the following Kubernetes plug-in unit.
jenkins wrong root If started, in order to run docker Need to execute sudo chmod 777 /var/run/docker.sock

 Kubernetes: This plug-in can Jenkins Slave Node Dynamic configuration as Kubernetes On Cluster pod. 

  Openshift: This plug-in supports scheduling Openshift Objects, including triggers BuildConfig,Deployment,Scale up a Deployment,to ImageStream Make a new one Tag,And creating new objects, deleting existing objects, etc.

 GitLab:  to configure Gitlab Relevant certification, but also support GitLab of Webhook Trigger.

 GitLab Hook:  support GitLab Better trigger.

Gogs WebHook:  support Gogs Code warehouse trigger.

Maven: This plugin is Maven 2 / 3 The project provides advanced integration capabilities.

Pyenv Pipeline: Convenient to python Project level environmental isolation.

jenkins It needs to be installed on the machine python,pip,virtualenv
Python: This plug-in supports Jenkins Executed during the build of Python script.

SonarQube Scanner: support SonarQube Code scan for.

Ansible: Can be performed in a build task Ansible Mission.

Publish Over SSH: adopt SSH Copy files to the target machine and execute scripts on the target machine

Publish Over SSH: The access mode of the target machine should be added to the settings in advance.

Job Generator: Define a parameterized template through which you can quickly Jenkins Create task on

Pipeline:Job: Add a new Job Type: Pipeline. 

Multijob: Put multiple Job Organize.

Parameterized Trigger: This is an extended plug-in that enables each job You can pass some information when connecting job Relevant information.

Join: This is also a trigger job The highlight of the plug-in is that it triggers job The condition is to wait for all current job Downstream of job It won't happen until it's done.

Build Pipeline: This plug-in provides a view of the build pipeline. It also provides a manual trigger for the task.

Monitoring Monitoring: monitoring Jenkins Nodal CPU,System load, average response time, and memory usage.

2.2 types of plug-ins used

① User and authority
② Code managed
③ Project view
④ Build trigger
⑤ Build task environment
⑥ Build notification

Jenkins user rights management is a very important part of Jenkins Administration. Since most enterprises have their own domain control management, it is an important content of enterprise Jenkins practice to integrate with LDAP and realize the design and management of rights model based on user groups.

l  LDAP (https://plugins.jenkins.io/ldap), which allows users to authenticate using LDAP. The LDAP server can be Active Directory or OpenLDAP.
l  Active Directory https://plugins.jenkins.io/active-directory. This plug-in allows users to authenticate using Active Directory. At the same time, combined with plug-ins such as Matrix Authorization Strategy, it can identify all user groups where users belong and flexibly configure user authorization.
l  be based on Windows Active Directory Recommended for enterprises with domain management Active Directory. 
l  GitHub Authentication https://plugins.jenkins.io/github-oauth, which provides a scheme for user authentication and authorization using GitHub.
l  Gitlab Authentication https://plugins.jenkins.io/gitlab-oauth, which provides a scheme for user authentication and authorization using GitLab.
l  Matrix Authorization Strategy https://plugins.jenkins.io/matrix-auth, which provides matrix based authorization policies and supports global and project level configurations.
l  Role-based Authorization Strategy https://plugins.jenkins.io/role-strategy. This plug-in provides a Role-based user permission management policy. It supports the creation of global roles, Project roles and Slave roles, and the assignment of these roles to users. This plug-in is the most commonly used Jenkins permission policy and management plug-in.
  • Code management

It is a very common application scenario to configure Source Code Management in Jenkins project to download code for construction tasks. The Jenkins plug-in supports many SCM systems, most commonly Git and SVN.

l  Git https://plugins.jenkins.io/git, which supports the use of Github, GitLab, Gerrit and other systems to manage the code warehouse.
l  Subversion https://plugins.jenkins.io/subversion, which supports Subversion system management source code.
  • Project and view
    The management of Project and view in Jenkins is a lot of functions used by users in their daily work.
l  Folder https://plugins.jenkins.io/cloudbees-folder. This plug-in supports users to use the directory to manage projects. The directory supports nesting and supports the creation of views in the directory.
l  List view Jenkins Default support List Type of view that you can create List View filters items of interest.
l  Sectioned View https://plugins.jenkins.io/sectioned-view. This plug-in supports a new view. The view can be divided into multiple parts, and each part can be configured to display the selected project information separately.
l   Nested View https://plugins.jenkins.io/nested-view. This plug-in supports a new view, which indicates that the project is displayed directly, but the included sub views are displayed with directory icons, and each sub view displays the information of the selected project.
l  Build Pipeline https://plugins.jenkins.io/build-pipeline-plugin. This plug-in provides a Build Pipeline view to display the relationship between upstream and downstream projects.
  • Build trigger

Jenkins supports a variety of Build trigger modes, especially some automatic trigger modes, which are very useful

l  Build periodically,Jenkins Built in function, you can set similar crontab Time, periodically and automatically trigger the build.
l  Poll SCM,Jenkins Built in functions, similar to Build periodically,Similar settings can be set crontab The difference in time is not to build directly, but to periodically check the configured in the background SCM There is no update. The build is triggered only when there is a code update.
l  Trigger builds remotely (e.g., from scripts),Jenkins Built in function, remote trigger construction, through setting token Can support triggering in remote scripts Jenkins Build.
l  Gerrit Trigger https://Plugins.jenkins.io/gerrit trigger, which integrates Jenkins into Gerrit code review, supports Jenkins to configure Gerrit server and other information, and enables Gerrit event to trigger Jenkins construction.
l  GitLab https://plugins.jenkins.io/gitlab-plugin, which integrates Jenkins into GitLab web hook and supports Gitlab branch, Merge Request and other related events to trigger Jenkins construction.
l  GitHub Integration https://plugins.jenkins.io/github-pullrequest, which integrates Jenkins into GitHub and supports GitHub branch and Pull requests to trigger Jenkins construction.
l  JIRA Trigger https://Plugins.jenkins.io/jira trigger. This plug-in integrates Jenkins into Jira WebHooks and supports triggering Jenkins construction when the status of Jira issue changes.
  • Construction parameters

Jenkins not only supports common parameter types (Boolean, string, multiline text, optional and file), but also some plug-ins support more rich and practical parameter types, such as dynamic association between parameters, multi-level parameters, hidden parameters, etc.

l  nodelabelparameter  https://plugins.jenkins.io/nodelabelparameter. This plug-in adds a new parameter type, Node and Label, so that users can select the Node for project construction and operation through parameters.
l  Other plug-ins are not listed one by one. You can view the plug-in description
Ø  https://plugins.jenkins.io/hidden-parameter

Ø  https://plugins.jenkins.io/extended-choice-parameter

Ø  https://plugins.jenkins.io/validating-string-parameter

Ø  https://plugins.jenkins.io/extensible-choice-parameter

Ø  https://wiki.jenkins.io/display/JENKINS/Active+Choices+Plugin
  • Construction task and environment

There are many small plug-ins around the construction task, but they provide some practical functions

l  Workspace Cleanup https://plugins.jenkins.io/ws-cleanup, which supports deleting or partially deleting workspace before and after construction
l  description setter https://plugins.jenkins.io/description-setter. This plug-in supports regular expression matching to build log output and set the description of the build
l  build-name-setter https://plugins.jenkins.io/build-name-setter. This plug-in supports setting the display name of the build instead of #1, #2,..., #buildnum by default
l  Environment Injector https://plugins.jenkins.io/envinject. This plug-in supports the functions of inserting environment variables at different stages of the construction task and exporting all environment variables at the end of the construction.
  • Build notification

It is an essential function of Jenkins to inform users of the construction status in time. Jenkins supports a variety of active and passive notification methods.

l  Mailer  https://plugins.jenkins.io/mailer. This plug-in supports basic email notification functions, such as failed build and successful build recovery. You can send email notifications to relevant personnel.
l  Email Extension https://plugins.jenkins.io/email-ext, which is an extension of email notification. It supports customizing email content, trigger conditions and email recipients. Its function is much more flexible and powerful than basic email notification.
l  Slack Notification https://plugins.jenkins.io/slack, which supports pushing the build results to the Slack channel.
Containerization Slave
Jenkins of Master-Slave The architecture realizes distributed construction and can be fully expanded horizontally Slave To improve the ability to build Slave Containerization is the mainstream way of building environment standardization, clustering and flexibility.

l  https://plugins.jenkins.io/docker-plugin. This plug-in can configure docker host to dynamically provide Jenkins Agent (slave) and destroy the slave after running the build.
l  https://plugins.jenkins.io/kubernetes. This plug-in supports the use of Kubernetes cluster to dynamically provide Jenkins Agent (Slave), and the use of Kubernetes scheduling mechanism to optimize Jenkins load.
  • gAdmin related plug-ins
l  Configuration Slicing  https://plugins.jenkins.io/configurationslicing, which supports batch modification of project configuration
l  Mask Passwords https://plugins.jenkins.io/mask-passwords. This plug-in supports masking sensitive information such as password output from the build log
l  Backup https://plugins.jenkins.io/backup. This plug-in adds the backup function to Jenkins management

Posted by dreamscape on Tue, 12 Oct 2021 20:12:23 -0700