Kubernetes cluster (k8s): Ingress + encrypted authentication + URL rewriting

Tech  2022-07-11  73

1. Ingress authentication

Reference: https://kubernetes.github.io/ingress-nginx/examples/auth/basic/

First install the tool, then generate a user and password for Basic authentication:

    [root@server2 ~]# yum install -y httpd-tools

Note: the first time you create a user you must pass the -c parameter; when the file already contains other users, do not use -c, otherwise it overwrites the existing entries. The file generated by htpasswd is the secret that adds authentication to the Ingress rule. The generated file must be named auth (in fact the secret has a single key, data.auth); otherwise the ingress controller returns a 503.

Import the credentials file into a Secret:

    [root@server2 ~]# kubectl create secret generic basic-auth --from-file=auth
    secret/basic-auth created
    [root@server2 ~]# kubectl get secrets                        # list secrets
    NAME                  TYPE                                  DATA   AGE
    basic-auth            Opaque                                1      13s
    default-token-754fk   kubernetes.io/service-account-token   3      27h
    tls-secret            kubernetes.io/tls                     2      3h58m
    [root@server2 ~]# kubectl describe secrets basic-auth        # inspect
    Name:         basic-auth
    Namespace:    default
    Labels:       <none>
    Annotations:  <none>

    Type:  Opaque

    Data
    ====
    auth:  41 bytes

The credentials have been added. Dump the full object as YAML:

    [root@server2 ~]# kubectl get secret basic-auth -o yaml
    apiVersion: v1
    data:
      auth: d2M6JGFwcjEkcERtaWpJQ1EkVjR6WVBDczlxakRvYlkvMVNjbFA0Lgo=
    kind: Secret
    metadata:
      creationTimestamp: "2020-07-01T22:12:53Z"
      managedFields:
      - apiVersion: v1
        fieldsType: FieldsV1
        fieldsV1:
          f:data:
            .: {}
            f:auth: {}
          f:type: {}
        manager: kubectl
        operation: Update
        time: "2020-07-01T22:12:53Z"
      name: basic-auth
      namespace: default
      resourceVersion: "129787"
      selfLink: /api/v1/namespaces/default/secrets/basic-auth
      uid: 46d42acc-0d41-4395-8064-8181550ef327
    type: Opaque

Edit secret.yaml following the official documentation:

    vim secret.yaml
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      name: ingress-with-auth
      annotations:
        # type of authentication
        nginx.ingress.kubernetes.io/auth-type: basic                 # authentication type
        # name of the secret that contains the user/password definitions
        nginx.ingress.kubernetes.io/auth-secret: basic-auth          # the auth secret
        # message to display with an appropriate context why the authentication is required
        nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - wc'   # shown in the browser prompt
    spec:
      rules:
      - host: www1.westos.org                                        # host name this rule applies to
        http:
          paths:
          - path: /
            backend:
              serviceName: myservice
              servicePort: 80

Clear the resources from the previous experiment first.

    [root@server2 ~]# kubectl apply -f secret.yaml
    ingress.networking.k8s.io/ingress-with-auth created
    [root@server2 ~]# kubectl get ingress
    NAME                CLASS    HOSTS             ADDRESS        PORTS   AGE
    ingress-with-auth   <none>   www1.westos.org   172.25.254.3   80      2m25s

By default, once authentication is configured, access is forced over HTTPS. For custom TLS: the authentication file has already been generated above, so the next step combines the two.

    [root@server2 ~]# vim secret.yaml
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      name: ingress-with-auth
      annotations:
        # type of authentication
        nginx.ingress.kubernetes.io/auth-type: basic
        # name of the secret that contains the user/password definitions
        nginx.ingress.kubernetes.io/auth-secret: basic-auth
        # message to display with an appropriate context why the authentication is required
        nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - wc'
    spec:
      tls:                                  # TLS settings; see the earlier tls.yaml file
      - hosts:
        - www1.westos.org
        secretName: tls-secret
      rules:
      - host: www1.westos.org
        http:
          paths:
          - path: /
            backend:
              serviceName: myservice
              servicePort: 80
    [root@server2 ~]# kubectl delete -f secret.yaml
    [root@server2 ~]# kubectl apply -f secret.yaml
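The two failure modes described above (a Secret whose key is not literally `auth`, which makes the controller answer 503, and a `tls.secretName` that does not point at a usable kubernetes.io/tls Secret) are easy to catch before `kubectl apply`. The following is an added example, not code from the original post or from ingress-nginx: a small pre-flight check over the page's own basic-auth Secret, tls-secret and ingress-with-auth Ingress, re-expressed as Python dicts (as if already parsed from YAML) so it runs without PyYAML. The base64 `auth` value is the one the page prints; the TLS secret keeps only its type and key names, with placeholder certificate bytes. Function names (`find_secret`, `parse_auth_secret`, `check_ingress`) are this example's own.

```python
import base64
import re

# Constructed copies of the page's manifests, as dicts (as if parsed from YAML).
# The auth value is the page's `kubectl get secret basic-auth -o yaml` output;
# the TLS secret keeps only type and key names, its bytes are placeholders.
BASIC_AUTH_SECRET = {
    "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "basic-auth", "namespace": "default"},
    "data": {"auth": "d2M6JGFwcjEkcERtaWpJQ1EkVjR6WVBDczlxakRvYlkvMVNjbFA0Lgo="},
}
TLS_SECRET = {
    "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "tls-secret", "namespace": "default"},
    "data": {"tls.crt": "PLACEHOLDER_BASE64_CERT", "tls.key": "PLACEHOLDER_BASE64_KEY"},
}
INGRESS = {
    "kind": "Ingress",
    "metadata": {
        "name": "ingress-with-auth", "namespace": "default",
        "annotations": {
            "nginx.ingress.kubernetes.io/auth-type": "basic",
            "nginx.ingress.kubernetes.io/auth-secret": "basic-auth",
            "nginx.ingress.kubernetes.io/auth-realm": "Authentication Required - wc",
        },
    },
    "spec": {
        "tls": [{"hosts": ["www1.westos.org"], "secretName": "tls-secret"}],
        "rules": [{"host": "www1.westos.org"}],
    },
}
ANN = "nginx.ingress.kubernetes.io/"

# One htpasswd line, user:hash, restricted to the hashed schemes htpasswd emits
# (apr1 MD5, {SHA}, bcrypt). A plaintext or unknown entry is rejected.
HTPASSWD_LINE = re.compile(
    r"^(?P<user>[^:\s]+):(?P<hash>"
    r"\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}"
    r"|\{SHA\}[A-Za-z0-9+/]{27}="
    r"|\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53})$"
)


def find_secret(secrets, namespace, name):
    """Look a Secret up by namespace and name (None if absent)."""
    for s in secrets:
        if s["metadata"]["name"] == name and s["metadata"].get("namespace", "default") == namespace:
            return s
    return None


def parse_auth_secret(secret):
    """Return [(user, scheme, hash)] from a basic-auth Secret, or raise with
    the reason ingress-nginx would refuse it."""
    data = secret.get("data") or {}
    if "auth" not in data:
        # The controller reads exactly the key `auth`; any other key name
        # leaves it without credentials and it answers 503.
        raise ValueError(f"{secret['metadata']['name']}: data keys are {sorted(data)}, "
                         "but the htpasswd content must be under the key 'auth'")
    text = base64.b64decode(data["auth"]).decode("utf-8")
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        m = HTPASSWD_LINE.match(line)
        if m is None:
            raise ValueError(f"auth line {lineno} is not a hashed htpasswd entry: {line!r}")
        h = m["hash"]
        scheme = "apr1" if h.startswith("$apr1$") else "sha1" if h.startswith("{SHA}") else "bcrypt"
        entries.append((m["user"], scheme, h))
    if not entries:
        raise ValueError("auth data contains no entries")
    return entries


def check_ingress(ingress, secrets):
    """Cross-check the auth annotations and the tls block against the Secrets
    that exist; return (usernames, tls_hosts) the controller will serve."""
    meta = ingress["metadata"]
    ns = meta.get("namespace", "default")
    ann = meta.get("annotations") or {}
    if ann.get(ANN + "auth-type") != "basic":
        raise ValueError("auth-type must be 'basic' to use an htpasswd secret")
    auth_secret = find_secret(secrets, ns, ann.get(ANN + "auth-secret", ""))
    if auth_secret is None:
        raise ValueError(f"auth-secret {ann.get(ANN + 'auth-secret')!r} not found in namespace {ns}")
    users = [u for u, _, _ in parse_auth_secret(auth_secret)]

    rule_hosts = {r["host"] for r in ingress["spec"].get("rules", [])}
    tls_hosts = []
    for tls in ingress["spec"].get("tls", []):
        s = find_secret(secrets, ns, tls["secretName"])
        # A tls entry needs a kubernetes.io/tls Secret holding tls.crt and tls.key;
        # otherwise ingress-nginx serves its default self-signed certificate instead.
        if s is None or s.get("type") != "kubernetes.io/tls" \
                or not {"tls.crt", "tls.key"} <= set(s.get("data") or {}):
            raise ValueError(f"tls secretName {tls['secretName']!r} is not a usable kubernetes.io/tls Secret")
        missing = set(tls["hosts"]) - rule_hosts
        if missing:
            raise ValueError(f"tls hosts {sorted(missing)} have no matching rule")
        tls_hosts.extend(tls["hosts"])
    return users, tls_hosts


if __name__ == "__main__":
    print(check_ingress(INGRESS, [BASIC_AUTH_SECRET, TLS_SECRET]))
```

Running it on the page's objects yields the single user `wc` with an apr1 hash and `www1.westos.org` as the TLS host; renaming the Secret key (for instance after `--from-file=htpasswd` instead of `--from-file=auth`) or dropping tls-secret makes the check fail with the same cause the controller would otherwise surface only as a 503 or a fallback certificate.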

Configure session affinity

    [root@server2 ~]# vim secret.yaml

2. URL rewriting

When www1.westos.org was accessed above, the request did not go straight to the pod container, as shown in the figure below. The goal is an automatic redirect to the pod container.

Refer to the official documentation.

    [root@server2 ~]# kubectl get svc
    NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
    kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP        29h
    myservice    NodePort    10.96.85.103    <none>        80:31853/TCP   49m
    myservice2   NodePort    10.100.14.113   <none>        80:32313/TCP   49m
    [root@server2 ~]# vim rewrite.yaml
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      annotations:
        nginx.ingress.kubernetes.io/app-root: /hostname.html   # redirect target
      name: approot
      namespace: default
    spec:
      rules:
      - host: www2.westos.org                                  # host name
        http:
          paths:
          - backend:
              serviceName: myservice2                          # target service
              servicePort: 80
            path: /
    [root@server2 ~]# kubectl apply -f rewrite.yaml
    ingress.networking.k8s.io/approot created

2.2 Annotation parameters

2.2.1 Target URI for redirected traffic: nginx.ingress.kubernetes.io/rewrite-target

    vim rewrite.yaml
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
      name: approot
      namespace: default
    spec:
      rules:
      - host: rewrite.westos.org
        http:
          paths:
          - backend:
              serviceName: myservice
              servicePort: 80
            path: /v1
          - backend:
              serviceName: myservice2
              servicePort: 80
            path: /v2

When rewrite.westos.org is accessed, the request has to be redirected to v1 or v2, but the backends currently have no v1/v2 path.

2.2.2 Create an Ingress rule using the rewrite annotation

Captured groups are saved in numbered placeholders of the form $1, $2, ..., $n. These placeholders can be used as parameters in the rewrite-target annotation.

Any characters captured by (.*) are assigned to the placeholder $2 and then used as a parameter in the rewrite-target annotation.

    vim rewrite.yaml
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /$2
      name: approot
      namespace: default
    spec:
      rules:
      - host: rewrite.westos.org
        http:
          paths:
          - backend:
              serviceName: myservice
              servicePort: 80
            path: /redhat(/|$)(.*)
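The three rewrite.yaml variants above differ only in how the request path is transformed before it reaches the Service, and the difference is easiest to see by feeding sample paths through the same rules. The following is an added example, not code from the original post or from ingress-nginx: it models the app-root redirect, the plain `rewrite-target: /` rule on `/v1` and `/v2`, and the `/redhat(/|$)(.*)` capture-group rule as a rule table, and walks constructed request paths through them. The assumption it rests on is the one the ingress-nginx documentation states: with rewrite-target set, each Ingress path is rendered as a regex anchored at the start of the URI, and `$n` in the target is replaced by the n-th capture group. The names `RULES`, `expand_target` and `route` are this example's own.

```python
import re

# Constructed rule table mirroring the post's three rewrite.yaml variants
# (host, Ingress path, backend service, and the relevant annotation).
RULES = [
    # app-root variant: "/" on www2 is redirected to /hostname.html
    {"host": "www2.westos.org", "path": "/", "service": "myservice2",
     "app-root": "/hostname.html"},
    # rewrite-target: / variant: both prefixes are rewritten to "/"
    {"host": "rewrite.westos.org", "path": "/v1", "service": "myservice",
     "rewrite-target": "/"},
    {"host": "rewrite.westos.org", "path": "/v2", "service": "myservice2",
     "rewrite-target": "/"},
    # capture-group variant: /redhat/<rest> becomes /<rest> on myservice
    {"host": "rewrite.westos.org", "path": r"/redhat(/|$)(.*)", "service": "myservice",
     "rewrite-target": "/$2"},
]


def expand_target(target, match):
    """Replace $1..$n in a rewrite-target with the regex capture groups, the
    way nginx's rewrite directive does. A group that matched nothing (for
    example (.*) on a bare /redhat) expands to the empty string."""
    return re.sub(r"\$(\d+)", lambda mo: match.group(int(mo.group(1))) or "", target)


def route(rules, host, path):
    """Walk a request through the rule table.

    Returns (302, location) for an app-root redirect, (200, (service,
    upstream_path)) when a rule proxies the request, and (404, None) when no
    rule matches (ingress-nginx would hand it to the default backend)."""
    for rule in rules:
        if rule["host"] != host:
            continue
        # ingress-nginx renders the path as a regex location anchored at the
        # start of the URI and case-insensitive (nginx `location ~* "^..."`).
        m = re.match(rule["path"], path, re.IGNORECASE)
        if m is None:
            continue
        if rule.get("app-root") and path == "/":
            # app-root only fires for the bare root; other paths pass through.
            return 302, rule["app-root"]
        target = rule.get("rewrite-target")
        upstream = expand_target(target, m) if target else path
        return 200, (rule["service"], upstream)
    return 404, None


if __name__ == "__main__":
    for host, path in [("www2.westos.org", "/"),
                       ("www2.westos.org", "/hostname.html"),
                       ("rewrite.westos.org", "/v1/index.html"),
                       ("rewrite.westos.org", "/redhat"),
                       ("rewrite.westos.org", "/redhat/hostname.html"),
                       ("rewrite.westos.org", "/redhatfoo")]:
        print(f"{host}{path:<24} -> {route(RULES, host, path)}")
```

Two results are worth noticing. `/v1/index.html` under `rewrite-target: /` reaches myservice as `/`, so the sub-path is lost, which is why the post moves to capture groups. And `/redhatfoo` matches nothing: the `(/|$)` group insists that `/redhat` is followed by a slash or the end of the path, so `/redhat(.*)` alone would have swallowed it.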

Request flow: user -> ingress-nginx (reverse proxy) -> svc (Service: myservice) -> pod
