EKS ALB ingress routing by port

Question description. Votes: 0, Answers: 2

We need to serve applications by port. For example,

http://example.com:8180
http://example.com:8181

should resolve to the application. The ports are opened with the listen-ports annotation:

alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}, {"HTTP":8180}, {"HTTP":8181}]'

I tried the following rules:

rules:
    - host: example.com
      http:
        paths:
          - path: /*
            backend:
              serviceName: ssl-redirect
              servicePort: use-annotation
          - path: /1.0/*
            backend:
              serviceName: some-server-side-app
              servicePort: 8080
          - path: /*
            backend:
              serviceName: some-webpage
              servicePort: 80
      8180:
        paths:
          - path: /*
            backend:
              serviceName: app-reachable-via-port
              servicePort: 8180
      8181:
        paths:
          - path: /*
            backend:
              serviceName: app-reachable-via-port
              servicePort: 8181

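This throws an error because the ingress configuration is malformed.

I also found a guide for ingress-nginx on GitHub, https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/exusing-tcp-udp-services.md, and tried something similar, but no luck so far.

Does anyone know how to achieve this with ALB Ingress?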

kubernetes kubernetes-ingress amazon-eks
2 Answers

2 votes

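If I understand what you are looking for, you want to differentiate inbound traffic and send it to a service based on the port the inbound traffic arrives on?

You may be able to accomplish this with the AWS Load Balancer Controller. I have not tested the object below in this configuration with http-header, but I do use something very similar myself. I think it may be worth testing based on the documentation from AWS. You will need to experiment with it, though. This example also assumes that each service in the cluster listens on the same port that is used to direct the traffic; this can easily be changed to whatever port your services actually listen on.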

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/group.name: example
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/security-groups: sg-01234567898765432
    alb.ingress.kubernetes.io/ip-address-type: ipv4
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}, {"HTTP": 8180}, {"HTTP": 8181}]'
    
    alb.ingress.kubernetes.io/actions.response-503: >
      {"type":"fixed-response","fixedResponseConfig":{"contentType":"text/plain","statusCode":"503","messageBody":"Unknown Host"}}

    alb.ingress.kubernetes.io/actions.some-webpage: >
      {"type":"forward","forwardConfig":{"targetGroups":[{"serviceName":"some-webpage","servicePort":80,"weight":100}]}}
    alb.ingress.kubernetes.io/conditions.some-webpage: >
      [{"field":"http-header","HttpHeaderConfig":{"HttpHeaderName":"Host","Values":["example.com:80"]}}]

    alb.ingress.kubernetes.io/actions.app1-reachable-via-port: >
      {"type":"forward","forwardConfig":{"targetGroups":[{"serviceName":"app1-reachable-via-port","servicePort":8180,"weight":100}]}}
    alb.ingress.kubernetes.io/conditions.app1-reachable-via-port: >
      [{"field":"http-header","HttpHeaderConfig":{"HttpHeaderName":"Host","Values":["example.com:8180"]}}]

    alb.ingress.kubernetes.io/actions.app2-reachable-via-port: >
      {"type":"forward","forwardConfig":{"targetGroups":[{"serviceName":"app2-reachable-via-port","servicePort":8181,"weight":100}]}}
    alb.ingress.kubernetes.io/conditions.app2-reachable-via-port: >
      [{"field":"http-header","HttpHeaderConfig":{"HttpHeaderName":"Host","Values":["example.com:8181"]}}]

    alb.ingress.kubernetes.io/target-type: instance
    alb.ingress.kubernetes.io/load-balancer-attributes: routing.http2.enabled=true,idle_timeout.timeout_seconds=600
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:999999999999:certificate/11111111-1111-1111-1111-111111111111,arn:aws:acm:us-east-2:999999999999:certificate/22222222-2222-2222-2222-222222222222
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-2016-08
spec:
  backend:
    serviceName: response-503
    servicePort: use-annotation
  rules:
    - http:
        paths:
          - backend:
              serviceName: ssl-redirect
              servicePort: use-annotation
          - backend:
              serviceName: some-webpage
              servicePort: use-annotation
          - backend:
              serviceName: app1-reachable-via-port
              servicePort: use-annotation
          - backend:
              serviceName: app2-reachable-via-port
              servicePort: use-annotation

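Another solution might be ALB TargetGroupBinding. You lose some of the advantages of letting EKS provision and manage the ALB and target groups on your behalf, but you retain full control over the ALB and target group configuration. With TargetGroupBinding you still need the AWS Load Balancer Controller in your cluster, but you create the ALB and target groups yourself, and then use a TargetGroupBinding object to map a service from the cluster to a specific target group ARN: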

apiVersion: elbv2.k8s.aws/v1beta1
kind: TargetGroupBinding
metadata:
  name: demo1-tgb
spec:
  serviceRef:
    name: demo1-service 
    port: 80
  targetGroupARN: arn:aws:elasticloadbalancing:us-east-2:121212121212:targetgroup/my-target-group/cbc9f05b05caea6b

Good luck - please post an update once you have it working as required.


0 votes

This bothered me a lot. I found a workaround. The solution is to set up a different ingress for each port. Here is an example:

http://example.com:80  -> Redirect to 443
https://example.com:443  -> Forward to service-3000
http://example.com:8180  -> Forward to service-8180
http://example.com:8181  -> Forward to service-8181

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ssl-redirect
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]'
    alb.ingress.kubernetes.io/group.name: ingress-group
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
spec:
  ingressClassName: alb
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: ssl-redirect
            port:
              name: use-annotation

---

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: https-ingress
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    external-dns.alpha.kubernetes.io/hostname: example.com
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/group.name: ingress-group
spec:
  ingressClassName: alb
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: service-3000
            port:
              number: 3000

---

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: port-8180-rules
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 8180}]'
    alb.ingress.kubernetes.io/group.name: ingress-group
spec:
  ingressClassName: alb
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: service-8180
            port:
              number: 8180

---

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: port-8181-rules
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":8181}]'
    alb.ingress.kubernetes.io/group.name: ingress-group
spec:
  ingressClassName: alb
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: service-8181
            port:
              number: 8181

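The ingress rules are different for each port, but because I use the same alb.ingress.kubernetes.io/group.name name, only one ALB is created. But when I added the SSL redirect annotation (alb.ingress.kubernetes.io/ssl-redirect: '443'), the rules for all ports were updated, and ports 8180 and 8181 also forwarded requests to 443. So I had to add the ssl-redirection rule manually.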

(AWS Load Balancer Controller version here: 1.26)
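
An added example, not part of the original answers: a small audit over Ingress objects that merges listeners per alb.ingress.kubernetes.io/group.name (one ALB per group, as the answer above describes) and reports ports that forward plaintext HTTP or whose rules would be replaced once any Ingress in the group carries the ssl-redirect annotation. The helper names (make_ingress, is_redirect, audit) and the sample data are assumptions constructed for illustration, and Ingresses without listen-ports are not modelled.

```python
import json
from collections import defaultdict
A = "alb.ingress.kubernetes.io/"

# Constructed sample: trimmed copies of the four Ingresses in the answer above,
# in the shape `kubectl get ingress -o json` returns for each item.
def make_ingress(name, ports, backend, extra=None):
    ann = {A + "group.name": "ingress-group", A + "listen-ports": json.dumps(ports)}
    ann.update(extra or {})
    return {"metadata": {"name": name, "annotations": ann},
            "spec": {"rules": [{"http": {"paths": [
                {"backend": {"service": {"name": backend}}}]}}]}}

REDIRECT = {A + "actions.ssl-redirect": '{"Type": "redirect", "RedirectConfig": '
            '{"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'}
SAMPLE = [
    make_ingress("ssl-redirect", [{"HTTP": 80}], "ssl-redirect", REDIRECT),
    make_ingress("https-ingress", [{"HTTPS": 443}], "service-3000"),
    make_ingress("port-8180-rules", [{"HTTP": 8180}], "service-8180"),
    make_ingress("port-8181-rules", [{"HTTPS": 8181}], "service-8181"),
]

def is_redirect(ann, backend):
    # True when the backend name maps to an actions.<name> annotation of type redirect.
    action = json.loads(ann.get(A + "actions." + backend, "{}"))
    return {k.lower(): v for k, v in action.items()}.get("type") == "redirect"

def audit(ingresses):
    """Merge listeners per group.name and flag risky HTTP ports."""
    listeners, redirect_groups, findings = defaultdict(set), set(), []
    for ing in ingresses:
        ann = ing["metadata"].get("annotations", {})
        group = ann.get(A + "group.name", ing["metadata"]["name"])
        if A + "ssl-redirect" in ann:
            redirect_groups.add(group)
        backends = [p["backend"]["service"]["name"]
                    for r in ing["spec"].get("rules", [])
                    for p in r.get("http", {}).get("paths", [])]
        # Ingresses without listen-ports are skipped; the default is not modelled.
        for entry in json.loads(ann.get(A + "listen-ports", "[]")):
            for proto, port in entry.items():
                listeners[(group, port)].update(
                    (proto, b, is_redirect(ann, b)) for b in backends)
    for (group, port), uses in sorted(listeners.items()):
        http = [u for u in uses if u[0] == "HTTP"]
        if http and group in redirect_groups:
            findings.append(f"{group}:{port} rules replaced by ssl-redirect")
        elif any(not u[2] for u in http):
            findings.append(f"{group}:{port} forwards plaintext HTTP")
    return dict(listeners), findings
```

Feeding it the items from `kubectl get ingress -A -o json` instead of SAMPLE gives the same per-group view for a live cluster.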
