Overview and comparison of Ingress controllers for Kubernetes

When launching a Kubernetes cluster for a particular application, you need to understand what the application itself, the business, and the developers require of this resource. With this information you can start making architectural decisions and, in particular, choosing a specific Ingress controller, of which there are a great many today. To give a basic idea of the available options without having to go through numerous articles, documentation and so on, we have prepared this overview, which covers the main (production-ready) Ingress controllers.

We hope it will help colleagues in choosing an architectural solution; at the very least it will be a starting point for obtaining more detailed information and for practical experiments. Beforehand, we studied other similar materials on the web and, oddly enough, did not find a single more or less complete and, most importantly, structured review. So let's fill that gap!

Criteria

In principle, to make a comparison and obtain any useful result, you need not only to understand the subject area but also to have a specific list of criteria that set the direction of the research. Without claiming to analyse every possible use case for Ingress/Kubernetes, we have tried to highlight the most general requirements for controllers. Be prepared that in any case you will have to study all of your own specifics separately.

But I will start with the characteristics that have become so familiar that they are implemented in all solutions and are not considered:

  • dynamic discovery of services (service discovery);
  • SSL termination;
  • working with websockets.

Now for the points of comparison:

Supported protocols

One of the fundamental selection criteria. Your software may not work over standard HTTP, or it may need to work over several protocols at once. If your case is non-standard, be sure to take this into account so that you do not have to reconfigure the cluster later. The list of supported protocols differs from controller to controller.

Software at the core

There are several applications that a controller can be based on. The popular ones are nginx, traefik, haproxy and envoy. In the general case this may not have much effect on how traffic is received and transmitted, but it is always useful to know the potential nuances and features of what is "under the hood".

Traffic routing

On what basis can a decision be made about directing traffic to a particular service? Usually these are host and path, but there are additional possibilities.

Namespace within the cluster

Namespace: the ability to logically divide resources in Kubernetes (for example, into stage, production and so on). There are Ingress controllers that must be installed separately in each namespace (and then each can direct traffic only to the pods of that namespace). And there are those (the clear majority) that work globally for the whole cluster: they route traffic to any pod in the cluster, regardless of namespace.

Upstream probes

How is traffic directed to healthy instances of the application or services? There are options with active and passive checks, retries, circuit breakers (for more details see, for example, the article about Istio), custom health checks, and so on. A very important criterion if you have high requirements for availability and for timely removal of failed services from balancing.

Balancing algorithms

There are many options: from traditional round-robin to the exotic rdp-cookie, as well as individual features such as sticky sessions.

Authentication

What authorization schemes does the controller support? Basic, digest, oauth, external-auth: I think these options should be familiar. This is an important criterion if there are many developer (and/or simply private) environments that are accessed through Ingress.

Traffic distribution

Does the controller support such commonly used traffic distribution mechanisms as canary rollouts, A/B testing, and traffic mirroring (mirroring/shadowing)? This is a really sore subject for applications that require careful and precise traffic management for productive testing, debugging errors online (or with minimal losses), traffic analysis, and so on.

Paid subscription

Is there a paid option for the controller, with advanced functionality and/or technical support?

Graphical user interface (UI)

Is there a GUI for managing the controller configuration? Mainly for convenience and/or for those who need to make some changes to the Ingress configuration but find working with "raw" templates inconvenient. It can be useful if developers want to run some experiments with traffic on the fly.

JWT validation

The presence of built-in validation of JSON Web Tokens for authorization and for validating the user to the end application.

Customization options

Extensibility of templates, in the sense of having mechanisms that let you add your own directives, flags and so on to the standard configuration templates.

Basic DDoS protection mechanisms

Simple rate-limit algorithms or more complex traffic filtering options based on addresses, whitelists, countries, and so on.

Request tracing

The ability to monitor, track and debug requests from Ingresses to specific services/pods, and ideally between services/pods as well.

WAF

Support for an application firewall.

Controllers

The list of controllers was compiled from the official Kubernetes documentation and this table. We excluded some of them from the review because of their narrow specifics (early stage of development). The rest are discussed below. Let's start with a general description of the solutions and continue with a summary table.

Ingress from Kubernetes

Website: github.com/kubernetes/ingress-nginx
License: Apache 2.0

This is the official controller for Kubernetes, developed by the community. As the name makes clear, it is based on nginx and is supplemented by a set of Lua plugins used to implement additional features. Because of the popularity of nginx itself and the minimal modifications made to it when used as a controller, this option may be the simplest and easiest to configure for the average engineer (with web experience).
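
The authentication, basic DDoS protection, WAF and SSL termination criteria above can be checked per Ingress object on this controller, because it switches those features on through nginx.ingress.kubernetes.io/ annotations. The script below is an added example, not code from the article or from the ingress-nginx project; the audit function, the grouping of annotations under each criterion and the sample objects are assumptions constructed here, and settings made globally in the controller's ConfigMap are not visible to it.

```python
PREFIX = "nginx.ingress.kubernetes.io/"

# Assumed grouping: criterion named in the article -> annotations that enable it.
CHECKS = {
    "authentication": ("auth-type", "auth-url", "auth-tls-secret"),
    "basic DDoS protection": ("limit-rps", "limit-rpm", "limit-connections",
                              "whitelist-source-range"),
    "WAF": ("enable-modsecurity",),
}


def audit(ingress_list):
    """Map 'namespace/name' to the criteria that Ingress does not enable."""
    report = {}
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        spec = item.get("spec", {})
        annotations = meta.get("annotations") or {}
        missing = []
        for criterion, keys in CHECKS.items():
            values = (annotations.get(PREFIX + k, "") for k in keys)
            # An annotation set to "false" or left empty does not count.
            if not any(v.strip().lower() not in ("", "false") for v in values):
                missing.append(criterion)
        # SSL termination: every routed host should appear in spec.tls.
        tls_hosts = {h for t in spec.get("tls") or [] for h in t.get("hosts") or []}
        if any(r.get("host") not in tls_hosts for r in spec.get("rules") or []):
            missing.append("SSL termination")
        report[f"{meta.get('namespace', 'default')}/{meta.get('name')}"] = missing
    return report


# Constructed sample in the shape of `kubectl get ingress -A -o json`.
SAMPLE = {"items": [
    {"metadata": {"namespace": "stage", "name": "admin", "annotations": {
        PREFIX + "auth-type": "basic", PREFIX + "auth-secret": "admin-htpasswd",
        PREFIX + "limit-rps": "10", PREFIX + "enable-modsecurity": "true"}},
     "spec": {"tls": [{"hosts": ["admin.example.test"]}],
              "rules": [{"host": "admin.example.test"}]}},
    {"metadata": {"namespace": "stage", "name": "api", "annotations": {
        PREFIX + "enable-modsecurity": "false"}},
     "spec": {"rules": [{"host": "api.example.test"}]}},
]}

if __name__ == "__main__":
    for name, missing in audit(SAMPLE).items():
        print(name, "->", ", ".join(missing) or "all criteria enabled")
```

To run it against a live cluster, pass audit() the parsed JSON output of kubectl get ingress -A -o json.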

Ingress by NGINX Inc.

Website: github.com/nginxinc/kubernetes-ingress
License: Apache 2.0

The official product of the nginx developers. It has a paid version based on NGINX Plus. The main idea is a high level of stability, constant backward compatibility, and a declared higher speed (compared with the official controller), achieved by rejecting Lua.

The free version is significantly cut down, even compared with the official controller (because of the absence of those same Lua modules). At the same time, the paid one has a fairly wide range of additional functionality: real-time metrics, JWT validation, health checks, and more. An important advantage over NGINX Ingress is full support for TCP/UDP traffic (and in the community version too!). The downside is the lack of traffic distribution features, which, however, "has the highest priority for the developers" but takes time to implement.

Kong Ingress

Website: github.com/Kong/kubernetes-ingress-controller
License: Apache 2.0

A product developed by Kong Inc. in two versions: commercial and free. Based on nginx, extended with a large number of Lua modules.

Initially it was focused on processing and routing API requests, i.e. as an API Gateway, but by now it has become a full-fledged Ingress controller. Main advantages: many additional modules (including those from third-party developers) that are easy to install and configure and with whose help a wide range of additional features is implemented. However, the built-in functionality already offers many possibilities. Configuration is done using CRD resources.

An important feature of the product, working within a single namespace (instead of cross-namespace), is a controversial point: for some it will seem a disadvantage (you have to create entities for each namespace), and for others it is a feature (a higher level of isolation, since if one controller breaks, the problem is limited to that namespace alone).

Traefik

Website: github.com/containous/traefik
License: MIT

A proxy that was originally created to work with request routing for microservices and their dynamic environment. Hence many useful features: configuration updates without any restarts at all, support for a large number of balancing methods, a web interface, metrics forwarding, support for various protocols, a REST API, canary releases, and much more. Another nice feature is support for Let's Encrypt certificates out of the box. The disadvantage is that, to organize high availability (HA), the controller needs its own KV store installed and connected.

HAProxy

Website: github.com/jcmoraisjr/haproxy-ingress
License: Apache 2.0

HAProxy has long been known as a proxy and traffic balancer. As part of a Kubernetes cluster, it offers "soft" configuration updates (without traffic loss), DNS-based service discovery, and dynamic configuration via API. It may be attractive to fully customize the configuration template by replacing the CM, as well as the ability to use Sprig library functions in it. In general, the main emphasis of the solution is on high speed, optimization and efficiency in consumed resources. The controller's advantage is support for a record number of different balancing methods.

Voyager

Website: github.com/appscode/voyager
License: Apache 2.0

Based on the HAProxy controller, it is positioned as a universal solution that supports a wide range of features on a large number of providers. It offers the ability to balance traffic at L7 and L4, and balancing of TCP L4 traffic as a whole can be called one of the key features of the solution.

Contour

Website: github.com/heptio/contour
License: Apache 2.0

This solution is not merely based on Envoy: it was developed jointly with the authors of that popular proxy. An important feature is the ability to separate control of Ingress resources using IngressRoute CRD resources. For organizations with many development teams using the same cluster, this helps maximize the security of working with traffic in neighbouring environments and protect them from errors when Ingress resources are changed.

It also offers an extended set of balancing methods (there is request mirroring, automatic retries, request rate limiting, and much more), and detailed monitoring of traffic flow and failures. For some, the lack of support for sticky sessions may be a significant drawback (although the work is already under way).

Istio Ingress

Website: istio.io/docs/tasks/traffic-management/ingress
License: Apache 2.0

A comprehensive service mesh solution that is not only an Ingress controller managing incoming traffic from outside, but also controls all traffic within the cluster. Under the hood, Envoy is used as a sidecar proxy for each service. In essence, this is a large combine that "can do anything", and its main idea is maximum manageability, extensibility, security and transparency. With it you can fine-tune traffic routing, authorization of access between services, balancing, monitoring, canary releases, and much more. Read more about Istio in the series of articles "Back to microservices with Istio".

Ambassador

Website: github.com/datawire/ambassador
License: Apache 2.0

Another solution based on Envoy. It has free and commercial versions. It is positioned as "fully native to Kubernetes", which brings the corresponding advantages (tight integration with the methods and entities of the K8s cluster).

Comparison table

So, the culmination of the article is this huge table:

[Image: comparison table of Ingress controllers for Kubernetes]

It is clickable for a closer look, and is also available in Google Sheets format.

Let's summarize

The purpose of this article is to give a fuller understanding (though by no means exhaustive!) of which choice to make in your particular case. As usual, each controller has its own advantages and disadvantages…

The classic Ingress from Kubernetes is good for its availability and proven record, and is rich enough in features: in the general case it should be "more than enough". However, if there are increased requirements for stability, feature level and development, you should look at Ingress with NGINX Plus and a paid subscription. Kong has the richest set of plug-ins (and, accordingly, of the capabilities they provide), and in the paid version there are even more. It has ample capabilities to work as an API Gateway, dynamic configuration based on CRD resources, and basic Kubernetes services.

With increased requirements for balancing and authorization methods, look at Traefik and HAProxy. These are Open Source projects, proven over the years, very stable and actively developing. Contour has been out for a couple of years now, but it still looks too young and has only basic features added on top of Envoy. If there are requirements for having/embedding a WAF in front of the application, you should pay attention to the same Ingress from Kubernetes or HAProxy.

And the richest in terms of features are the products built on top of Envoy, especially Istio. It appears to be a comprehensive solution that "can do anything", which, however, also means a significantly higher entry threshold for configuration/launch/administration than other solutions.

We chose and still use Ingress from Kubernetes as the standard controller, which covers 80-90% of needs. It is quite reliable, easy to configure and extend. In general, in the absence of specific requirements, it should suit most clusters/applications. Among equally universal and well-established products, Traefik and HAProxy can be recommended.

source: www.habr.com
