Official documentation: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/
URL rewrite (rewrite)
In some scenarios the URL exposed by the backend service differs from the path specified in the Ingress rule; without a rewrite every request would return 404. The same applies to projects with separated front end and back end where the backend serves no path prefix. In both cases set the annotation nginx.ingress.kubernetes.io/rewrite-target to the path the service expects.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
  name: ingress-test
  namespace: default
spec:
  ingressClassName: nginx
  rules:
  - host: rewrite.test.com
    http:
      paths:
      - backend:
          serviceName: nginx-svc
          servicePort: 80
        path: /something(/|$)(.*)
status:
  loadBalancer: {}
Access:
http://rewrite.test.com:27324/something
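How the regex path and the rewrite-target above combine is easier to see on concrete requests. The following shell script is an added example and not part of the original page: it applies the Ingress rule's regex and the /$2 target to a few constructed request paths, the way ingress-nginx does, so the effect of the annotation can be checked before the Ingress is applied. The function name and the NO-MATCH marker are this example's own.

```shell
#!/bin/sh
# Added example, not from the page: apply the Ingress rule's path regex and
# rewrite-target to a request path, the way ingress-nginx does, so the effect
# of the annotation can be checked before the Ingress is applied.

# The regex from the Ingress path above, anchored at the start of the URI.
ING_PATH='^/something(/|$)(.*)'
# rewrite-target: /$2, written as a sed back-reference.
REWRITE_TARGET='/\2'

rewrite_path() {
  # $1 = request path. Prints the path the backend receives, or NO-MATCH when
  # the rule does not apply (the request is served by another rule or 404s).
  if printf '%s\n' "$1" | grep -Eq "$ING_PATH"; then
    printf '%s\n' "$1" | sed -E "s#$ING_PATH#$REWRITE_TARGET#"
  else
    printf 'NO-MATCH\n'
  fi
}

# Constructed sample requests, as they would arrive at rewrite.test.com.
for p in /something /something/ /something/api/v1 /somethingelse /other; do
  printf '%-20s -> %s\n' "$p" "$(rewrite_path "$p")"
done
```

Note that /somethingelse does not match: the (/|$) group only accepts a slash or the end of the path after the prefix, which is what keeps the rule from swallowing neighbouring paths.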
Domain redirect (redirect)
Permanent Redirect
This annotation returns a permanent redirect (status code 301). It is typically used to redirect HTTP to HTTPS; for example, nginx.ingress.kubernetes.io/permanent-redirect: https://www.google.com
redirects everything to Google.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/permanent-redirect: https://www.baidu.com
  name: ingress-redirect-test
  namespace: default
spec:
  ingressClassName: nginx
  rules:
  - host: redirect.test.com
    http:
      paths:
      - backend:
          serviceName: nginx-svc # required by the API, never reached because of the redirect (assumed name)
          servicePort: 80
        path: /
status:
  loadBalancer: {}
Access:
http://redirect.test.com:27324
HTTPS access configuration
- Buy or generate a certificate
# generate a self-signed certificate
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=tls.test.com/O=tls.test.com"
# create the TLS Secret
kubectl create secret tls ca-cert --key tls.key --cert tls.crt
- Create the Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-test
  namespace: default
spec:
  ingressClassName: nginx
  rules:
  - host: tls.test.com
    http:
      paths:
      - backend:
          service:
            name: nginx-svc
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - tls.test.com
    secretName: ca-cert
Access:
https://tls.test.com:15660
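Before the key and certificate go into the Secret it is worth checking them against the Ingress host, because the API stores whatever it is given and problems only surface as TLS errors later. The following shell script is an added example, not part of the original page: it runs the page's openssl command, and a second variant that also sets a subjectAltName (current browsers ignore the CN and verify the host against the SAN), then checks that key and certificate belong together, that the certificate carries a DNS SAN for the host, and that it is not about to expire. Function names and the 30-day threshold are this example's own choices; -addext needs OpenSSL 1.1.1 or newer, and nothing here touches a cluster.

```shell
#!/bin/sh
# Added example, not from the page: pre-flight checks for the key/certificate
# pair before it goes into the TLS Secret. Two generators are included: the
# page's CN-only openssl command, and one that also sets a subjectAltName,
# which is what current browsers actually verify against the host name.
# Function names and the 30-day expiry threshold are this example's own.
HOST=tls.test.com

gen_cert_cn_only() {
  # $1 = key file, $2 = cert file. Identical to the page's command.
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$1" -out "$2" -subj "/CN=$HOST/O=$HOST" 2>/dev/null
}

gen_cert_with_san() {
  # Same, plus a DNS SAN (-addext needs OpenSSL 1.1.1 or newer).
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$1" -out "$2" -subj "/CN=$HOST/O=$HOST" \
    -addext "subjectAltName=DNS:$HOST" 2>/dev/null
}

key_matches_cert() {
  # $1 = key, $2 = cert. Compare the public keys: the API accepts a mismatched
  # pair into the Secret, but nginx then fails to load it.
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

cert_covers_host() {
  # $1 = cert, $2 = host. Succeeds only when a DNS SAN equals the host.
  openssl x509 -in "$1" -noout -text |
    sed -n '/Subject Alternative Name/{n;p;}' |
    tr ',' '\n' | sed 's/^ *//' | grep -qx "DNS:$2"
}

cert_valid_for() {
  # $1 = cert, $2 = seconds. Succeeds when the cert is still valid that far ahead.
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

preflight() {
  # $1 = key, $2 = cert, $3 = Ingress host. Prints the Secret command only
  # when every check passes; otherwise names the first failed check.
  key_matches_cert "$1" "$2" || { echo "key does not match certificate"; return 1; }
  cert_covers_host "$2" "$3" || { echo "no DNS SAN for $3 (CN alone is not enough)"; return 1; }
  cert_valid_for "$2" 2592000 || { echo "certificate expires within 30 days"; return 1; }
  echo "ok: kubectl create secret tls ca-cert --key $1 --cert $2"
}

demo() {
  # Stand-alone run in a temporary directory; nothing is applied to a cluster.
  d=$(mktemp -d)
  gen_cert_cn_only "$d/a.key" "$d/a.crt"
  gen_cert_with_san "$d/b.key" "$d/b.crt"
  preflight "$d/a.key" "$d/a.crt" "$HOST" || true   # fails: CN only, no SAN
  preflight "$d/b.key" "$d/b.crt" "$HOST"           # passes
  rm -rf "$d"
}
demo
```

The CN-only certificate fails the SAN check even though the host name is in its subject, which is exactly the case where the Ingress works with curl -k but a browser still refuses the connection.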
Forced redirection to HTTPS is enabled by default. To allow plain HTTP access as well, add the annotation
nginx.ingress.kubernetes.io/ssl-redirect: "false"
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
  name: tls-test
  namespace: default
spec:
  ingressClassName: nginx
  rules:
  - host: tls.test.com
    http:
      paths:
      - backend:
          service:
            name: nginx-svc
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - tls.test.com
    secretName: ca-cert
SSL Passthrough
This feature works by intercepting all traffic on the configured HTTPS port (default 443) and handing it to a local TCP proxy (much like a port forward). It bypasses NGINX entirely and introduces a non-negligible performance penalty. It is disabled by default: the controller must be started with --enable-ssl-passthrough before the annotation has any effect.
annotations:
  nginx.ingress.kubernetes.io/ssl-passthrough: "true"
backend-protocol
Tells NGINX which protocol to use when talking to the backend service. Valid values: HTTP, HTTPS, GRPC, GRPCS, AJP and FCGI.
annotations:
  nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
Custom certificate for the dashboard
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: normal
                operator: In
                values:
                - "true"
      containers:
      - args:
        - --auto-generate-certificates=false # set to false so the dashboard stops using its auto-generated certificate
        - --tls-key-file=tls.key # certificate key
        - --tls-cert-file=tls.crt # certificate
        - --token-ttl=21600
        - --authentication-mode=basic,token
        - --namespace=kubernetes-dashboard
        image: kubernetesui/dashboard:v2.0.0-rc5
        imagePullPolicy: Always
        lifecycle: {}
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /
            port: 8443
            scheme: HTTPS
          initialDelaySeconds: 30
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 30
        name: kubernetes-dashboard
        ports:
        - containerPort: 8443
          protocol: TCP
        resources: {}
        securityContext:
          privileged: false
          procMount: Default
          runAsNonRoot: false
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /certs # certificate mount path
          name: kubernetes-dashboard-new
        - mountPath: /tmp
          name: tmp-volume
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: kubernetes-dashboard
      serviceAccountName: kubernetes-dashboard
      terminationGracePeriodSeconds: 30
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Exists
      volumes: # mount the Secret holding the certificate
      - name: kubernetes-dashboard-new
        secret:
          defaultMode: 420
          secretName: kubernetes-dashboard-new
      - emptyDir: {}
        name: tmp-volume
Create the Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  name: dashboard-test
  namespace: kubernetes-dashboard
spec:
  ingressClassName: nginx
  rules:
  - host: dashboard.test.com
    http:
      paths:
      - backend:
          service:
            name: kubernetes-dashboard
            port:
              number: 443
        path: /
        pathType: Prefix
Allow/deny list configuration
Annotations: apply only to the Ingress they are set on
ConfigMap: applies globally
A deny list can be configured through the ConfigMap; an allow list is best configured through annotations.
(In my tests a single IP did not work but a network range did; ingress version 1.3.1)
Whitelist
annotations:
  nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/24,172.10.0.1
Blacklist
kubectl edit cm ingress-nginx-controller -n ingress-nginx
data:
  block-cidrs: 192.168.0.11/24
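Both lists are plain CIDR matching on the client address, so a list can be sanity-checked offline before it reaches the controller. The following shell script is an added example and not part of the original page: it implements the address matching for the whitelist-source-range and block-cidrs values used above and reports what each constructed client would get. A bare address in a list is treated as a /32 here, which is how nginx's allow/deny directives read it; the function names and the output wording are this example's own, and a denied client receives a 403 from the controller in both cases.

```shell
#!/bin/sh
# Added example, not from the page: evaluate the page's whitelist-source-range
# and block-cidrs values against a client address offline. Both lists end in a
# 403 for a denied client; this script only reproduces the address matching,
# so a list can be sanity-checked before it reaches the controller.

ip_to_int() {
  # dotted-quad IPv4 -> 32-bit integer
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

in_cidr() {
  # Succeeds when address $1 lies inside $2, a CIDR such as 10.0.0.0/24 or a
  # bare address such as 172.10.0.1 (treated as /32, as nginx allow/deny do).
  # Host bits in the prefix are ignored: 192.168.0.11/24 means 192.168.0.0/24.
  case $2 in
    */*) net=${2%/*}; bits=${2#*/} ;;
    *)   net=$2;      bits=32 ;;
  esac
  if [ "$bits" -eq 0 ]; then
    mask=0
  else
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  fi
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

source_decision() {
  # $1 = client IP, $2 = block-cidrs value (ConfigMap), $3 = whitelist-source-range
  # value (annotation); both comma separated, empty means "not configured".
  for entry in $(printf '%s' "$2" | tr ',' ' '); do
    if in_cidr "$1" "$entry"; then
      echo "deny (block-cidrs $entry)"; return 0
    fi
  done
  if [ -z "$3" ]; then
    echo allow; return 0
  fi
  for entry in $(printf '%s' "$3" | tr ',' ' '); do
    if in_cidr "$1" "$entry"; then
      echo "allow (whitelist $entry)"; return 0
    fi
  done
  echo "deny (403, not in whitelist)"
}

# Constructed clients checked against the lists used on this page.
BLOCK='192.168.0.11/24'
ALLOW='10.0.0.0/24,172.10.0.1'
for ip in 192.168.0.200 10.0.0.37 172.10.0.1 172.10.0.2; do
  printf '%-14s %s\n' "$ip" "$(source_decision "$ip" "$BLOCK" "$ALLOW")"
done
```

The first client shows why the block-cidrs value deserves a second look: 192.168.0.11/24 is not a single host, it denies the whole 192.168.0.0/24 network.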
Adding custom configuration
Configuring by user_agent
Redirect mobile clients to Baidu. Only the annotation part of the Ingress is shown; note that snippet annotations are only honoured when the controller's allow-snippet-annotations setting permits them.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/server-snippet: |
      set $agentflag 0;
      if ($http_user_agent ~* "(Mobile)" ){
        set $agentflag 1;
      }
      if ( $agentflag = 1 ) {
        return 301 https://m.baidu.com;
      }
Rate limiting
annotations:
  nginx.ingress.kubernetes.io/limit-connections: "1" # maximum concurrent connections per IP
  nginx.ingress.kubernetes.io/limit-rps: "5" # requests per second
  nginx.ingress.kubernetes.io/limit-whitelist: 192.168.0.0/24 # sources exempt from rate limiting
Basic authentication
- Create the password file
htpasswd -c auth foo
New password: <bar>
New password:
Re-type new password:
Adding password for user foo
- Create the Secret
kubectl create secret generic basic-auth --from-file=auth
- Add the annotations to the Ingress
annotations:
  # authentication type
  nginx.ingress.kubernetes.io/auth-type: basic
  # Secret holding the username/password file
  nginx.ingress.kubernetes.io/auth-secret: basic-auth
  # message shown in the login prompt
  nginx.ingress.kubernetes.io/auth-realm: '请登录!'