k8s cka 09 networking - ingress
ingress
ingress helps to access applications. a single url can be routed to different services based on the url path. it has to be exposed as NodePort or LoadBalancer. auth, ssl and url based routing have to be done on the ingress layer.
the deployed solution is called ingress-controller, the config is called ingress-resources. a k8s cluster does not come with an ingress-controller by default.
a few ingress-controllers are
- gcp - gce (maintained by k8s project)
- nginx (maintained by k8s project)
- contour
- haproxy
- traefik
- istio
nginx ingress-controller
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ingress-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      name: nginx-ingress
  template:
    metadata:
      name: nginx
      labels:
        name: nginx-ingress
    spec:
      containers:
        - name: nginx-ingress-controller
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.21.0
          args:
            - /nginx-ingress-controller
            # the flag takes <namespace>/<name> of the ConfigMap
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
          env:
            # pod name and namespace are passed in via the downward API
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
will need a config map
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-configuration
to watch the api for changes in ingress-resources we need a ServiceAccount with the correct rules and roles
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount
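The notes show only the ServiceAccount, not the "rules and roles" it needs. As an added example (not part of the original notes and not the ingress-nginx project's own manifest), a read-mostly ClusterRole and binding for that account. The rule set is modelled on what an nginx ingress-controller of this generation watches and is an assumption, as are the object names and the namespace `ingress-space`.

```yaml
# Added example: cluster-wide permissions for the controller's ServiceAccount.
# Names and the namespace "ingress-space" are assumptions, not from the notes.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
rules:
  # objects the controller reads to build the nginx config (no write verbs)
  - apiGroups: [""]
    resources: ["configmaps", "endpoints", "nodes", "pods", "secrets"]
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "watch"]
  # ingress-resources in the API group used by the manifests in these notes
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # the only write access: events and the ingress status subresource
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses/status"]
    verbs: ["update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-space
```

The `secrets` grant lets the controller read every secret in the cluster, so it is the rule to review first. The binding only takes effect if the Deployment's pod spec sets `serviceAccountName: nginx-ingress-serviceaccount`; otherwise the pod runs under the namespace's default account.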
create a service for it
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress
spec:
  type: NodePort
  ports:
    - targetPort: 80
      port: 80
      protocol: TCP
      name: http
    - targetPort: 443
      port: 443
      protocol: TCP
      name: https
  selector:
    name: nginx-ingress
ingress-resources
ingress-resources can be configured to redirect to a single pod, for url-path based routing and for subdomain based routing. multiple configurations are possible in one ingress rule.
redirect to a single pod
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-wear
spec:
  backend:
    serviceName: wear-service
    servicePort: 80
apply config
path based ingress rule
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-wear-watch
spec:
  rules:
    - http:
        paths:
          - path: /wear
            backend:
              serviceName: wear-service
              servicePort: 80
          - path: /watch
            backend:
              serviceName: watch-service
              servicePort: 80
check the default backend by describing the ingress
domain based ingress rule
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-wear-watch
spec:
  rules:
    - host: wear.my-online-store.com
      http:
        paths:
          - backend:
              serviceName: wear-service
              servicePort: 80
    # second rule routes the watch subdomain to watch-service
    - host: watch.my-online-store.com
      http:
        paths:
          - backend:
              serviceName: watch-service
              servicePort: 80
host: * is allowed