Overview and comparison of Ingress controllers for Kubernetes

When launching a Kubernetes cluster for a specific application, you need to understand what the application itself, the business, and the developers require of this resource. With this information, you can start making architectural decisions and, in particular, choosing a specific Ingress controller, of which there are already a large number today. To give a basic idea of the available options without having to go through numerous articles, documentation, and so on, we have prepared this overview, which includes the main (production-ready) Ingress controllers.

We hope it will help colleagues in choosing an architectural solution, or at least become a starting point for obtaining more detailed information and practical experiments. Beforehand, we studied other similar materials on the net and, oddly enough, did not find a single more or less complete, and most importantly structured, review. So let's fill that gap!

Criteria

In principle, to make a comparison and get any useful result, you need not only to understand the subject area but also to have a specific list of criteria that will set the research vector. Without claiming to analyse all possible cases of using Ingress / Kubernetes, we have tried to highlight the most general requirements for controllers; be prepared that in any case you will have to study all your own specifics and particulars separately.

But I'll start with the characteristics that have become so familiar that they are implemented in all solutions and are not considered:

  • dynamic discovery of services (service discovery);
  • SSL termination;
  • working with websockets.

Now for the points of comparison:

Supported protocols

One of the fundamental selection criteria. Your software may not work over standard HTTP, or it may need to work over several protocols at once. If your case is non-standard, be sure to take this factor into account so that you do not have to reconfigure the cluster later. The list of supported protocols varies from controller to controller.

Underlying software

There are several variants of the applications that a controller is based on. The popular ones are nginx, traefik, haproxy, envoy. In the general case, it may not have much effect on how traffic is received and transmitted, but it is always useful to know the potential nuances and features of what is "under the hood".

Traffic routing

On what basis can a decision be made about directing traffic to a particular service? Usually these are host and path, but there are additional possibilities.

Namespace within a cluster

Namespace: the ability to logically partition resources in Kubernetes (for example, into stage, production, and so on). There are Ingress controllers that must be installed separately in each namespace (and then they can direct traffic only to the pods of that namespace). And there are those (the clear majority) that work globally for the whole cluster: in them, traffic is directed to any pod of the cluster, regardless of namespace.

Upstream probes

How is traffic directed to healthy instances of the application or services? There are options with active and passive checks, retries, circuit breakers (for more details, see, for example, the article about Istio), custom health checks, and so on. A very important parameter if you have high requirements for availability and for the timely removal of failed services from balancing.

Balancing algorithms

There are many options: from the traditional round-robin to the exotic rdp-cookie, as well as individual features such as sticky sessions.

Authentication

What authorization schemes does the controller support? Basic, digest, oauth, external-auth: I think these options should be familiar. This is an important criterion if there are many developer (and/or simply private) environments that are accessed through Ingress.

Traffic distribution

Does the controller support commonly used traffic distribution mechanisms such as canary rollouts (canary), A/B testing, and traffic mirroring (mirroring/shadowing)? This is a really sore subject for applications that require accurate and precise traffic management for productive testing, debugging product bugs offline (or with minimal loss), traffic analysis, and so on.

Paid subscription

Is there a paid option for the controller, with advanced functionality and/or technical support?

Graphical user interface (Web UI)

Is there any GUI for managing the controller configuration? Mainly for "handiness" and/or for those who need to make some changes to the Ingress configuration but for whom working with "raw" templates is inconvenient. It can be useful if developers want to run some experiments with traffic on the fly.

JWT validation

The presence of built-in validation of JSON web tokens for authorization and validation of the user to the end application.

Options for config customization

Template extensibility in the sense of having mechanisms that allow you to add your own directives, flags, and so on to the standard configuration templates.

Basic DDOS protection mechanisms

Simple rate limit algorithms or more complex traffic filtering options based on addresses, whitelists, countries, and so on.

Request tracing

The ability to monitor, trace, and debug requests from Ingresses to specific services/pods, and ideally between services/pods as well.

WAF

Support for an application firewall.

Controllers

The list of controllers was compiled based on the official Kubernetes documentation and this table. We excluded some of them from the review because of their specificity or low prevalence (an early stage of development). The rest are discussed below. Let's start with a general description of the solutions and continue with a summary table.

Ingress from Kubernetes

Website: github.com/kubernetes/ingress-nginx
License: Apache 2.0

This is the official controller for Kubernetes and is developed by the community. As is obvious from the name, it is based on nginx and is supplemented with a varied set of Lua plugins used to implement additional features. Because of the popularity of nginx itself and the minimal modifications made to it when it is used as a controller, this option can be the simplest and easiest to configure for the average engineer (with web experience).

Ingress from NGINX Inc.

Website: github.com/nginxinc/kubernetes-ingress
License: Apache 2.0

The official product of the nginx developers. It has a paid version based on NGINX Plus. The main idea is a high level of stability, constant backward compatibility, the absence of any extraneous modules, and the declared increased speed (compared with the official controller), achieved by dropping Lua.

The free version is significantly cut down, including even in comparison with the official controller (because of the absence of those same Lua modules). At the same time, the paid one has fairly extensive additional functionality: real-time metrics, JWT validation, active health checks, and more. An important advantage over NGINX Ingress is full support for TCP/UDP traffic (and in the community version too!). The downside is the absence of a traffic distribution feature, which, however, "has the highest priority for the developers", but it takes time to implement.

Kong Ingress

Website: github.com/Kong/kubernetes-ingress-controller
License: Apache 2.0

A product developed by Kong Inc. in two versions: commercial and free. It is based on nginx, which has been extended with a large number of Lua modules.

Initially, it was focused on processing and routing API requests, i.e. as an API Gateway, but by now it has become a full-fledged Ingress controller. The main advantages: many additional modules (including those from third-party developers) that are easy to install and configure, and with the help of which a wide range of additional features is implemented. However, the built-in functions already offer many possibilities. Configuration is done using CRD resources.

An important feature of the product, working within a single environment (instead of cross-namespace), is a debatable point: to some it will seem a disadvantage (you have to deploy separate instances for each environment), and to others a feature (a greater level of isolation, since if one controller breaks, the problem is limited to that environment alone).

Traefik

Website: github.com/containous/traefik
License: MIT

A proxy that was originally created to work with request routing for microservices and their dynamic environment. Hence many useful features: updating the configuration without any restart at all, support for a large number of balancing methods, a web interface, metrics forwarding, support for various protocols, a REST API, canary releases, and much more. Another nice feature is support for Let's Encrypt certificates out of the box. The disadvantage is that, in order to organise high availability (HA), the controller needs its own KV storage to be installed and connected.

HAProxy

Website: github.com/jcmoraisjr/haproxy-ingress
License: Apache 2.0

HAProxy has long been known as a proxy and traffic balancer. As part of a Kubernetes cluster, it offers a "soft" configuration update (without loss of traffic), DNS-based service discovery, and dynamic configuration using an API. What may be attractive is full customization of the config template by replacing the CM, as well as the ability to use Sprig library functions in it. In general, the main emphasis of the solution is on high speed, its optimization, and efficiency in consumed resources. The controller's advantage is support for a record number of different balancing methods.

Voyager

Website: github.com/appscode/voyager
License: Apache 2.0

Based on the HAproxy controller, it is positioned as a universal solution that supports a wide range of features on a large number of providers. It offers the ability to balance traffic at L7 and L4, and balancing TCP L4 traffic as a whole can be called one of the key features of the solution.

Contour

Website: github.com/heptio/contour
License: Apache 2.0

This solution is not merely based on Envoy: it was developed jointly with the authors of this popular proxy. An important feature is the ability to separate the management of Ingress resources using IngressRoute CRD resources. For organisations with many development teams that use a single cluster, this helps to maximise the security of working with traffic in neighbouring environments and to protect them from errors when Ingress resources are changed.

It also offers an extended set of balancing methods (there is request mirroring, auto-retry, request rate limiting, and much more), and detailed monitoring of traffic flow and failures. Perhaps for some, a significant drawback will be the lack of support for sticky sessions (although the work is already under way).

Istio Ingress

Website: istio.io/docs/tasks/traffic-management/ingress
License: Apache 2.0

A comprehensive service mesh solution that is not only an Ingress controller managing incoming traffic from outside, but also controls all traffic within the cluster. Under the hood, Envoy is used as a sidecar proxy for each service. In essence, this is a large combine that "can do anything", and its main idea is maximum manageability, extensibility, security, and transparency. With it, you can fine-tune traffic routing, access authorization between services, balancing, monitoring, canary releases, and much more. Read more about Istio in the series of articles "Back to microservices with Istio".

Ambassador

Website: github.com/datawire/ambassador
License: Apache 2.0

Another solution based on Envoy. It has free and commercial versions. It is positioned as "fully native to Kubernetes", which brings the corresponding advantages (tight integration with the methods and entities of the K8s cluster).

Comparison table

So, the culmination of the article is this huge table:

[Image: comparison table of Ingress controllers for Kubernetes]

It is clickable for a closer look, and is also available in Google Sheets format.

Summing up

The purpose of this article is to give a fuller understanding (though by no means an exhaustive one!). As usual, each controller has its own advantages and disadvantages…

The classic Ingress from Kubernetes is good for its availability and proven track record, and is rich enough in features: in the general case, it should be more than enough. However, if there are increased requirements for stability, level of features, and development, you should pay attention to Ingress with NGINX Plus and a paid subscription. Kong has the richest set of plug-ins (and, accordingly, the capabilities they provide), and in the paid version there are even more of them. It has ample opportunities to work as an API Gateway, dynamic configuration based on CRD resources, as well as basic Kubernetes services.

With increased requirements for balancing and authorization methods, take a look at Traefik and HAProxy. These are Open Source projects, proven over the years, very stable and actively developing. Contour has been out for a couple of years now, but it still looks too young and has only basic features added on top of Envoy. If there are requirements for the presence/embedding of a WAF in front of the application, you should pay attention to the same Ingress from Kubernetes or HAProxy.

And the richest in terms of features are the products built on top of Envoy, especially Istio. It appears to be a comprehensive solution that "can do anything", which, however, also means a significantly higher entry threshold for configuration/launch/administration than other solutions.

We chose and still use Ingress from Kubernetes as the standard controller, which covers 80-90% of needs. It is quite reliable, and easy to configure and extend. In general, in the absence of specific requirements, it should suit most clusters/applications. Of the same universal and relatively simple products, Traefik and HAProxy can be recommended.
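
An added example, not part of the original article or of the ingress-nginx project: a short Python audit that maps several of the criteria above (authentication, basic DDOS protection, WAF, SSL termination) onto ingress-nginx annotations and reports which ones each Ingress leaves unconfigured. The criterion-to-annotation mapping, the function names and the sample objects are assumptions made for illustration; the input has the shape of `kubectl get ingress -A -o json` output.

```python
import json

PREFIX = "nginx.ingress.kubernetes.io/"
# Assumed mapping: review criterion -> ingress-nginx annotations that enable it.
CHECKS = {
    "authentication": ("auth-type", "auth-url"),
    "rate-limit": ("limit-rps", "limit-rpm", "limit-connections"),
    "source-allowlist": ("whitelist-source-range",),
    "waf": ("enable-modsecurity",),
}

def audit_ingress(ing):
    """Return the sorted criteria that one Ingress object leaves unconfigured."""
    ann = ing.get("metadata", {}).get("annotations") or {}
    spec = ing.get("spec") or {}
    missing = []
    for name, keys in CHECKS.items():
        values = [str(ann.get(PREFIX + k, "")).strip().lower() for k in keys]
        # The WAF annotation is a boolean switch; the others only need a value.
        ok = "true" in values if name == "waf" else any(values)
        if not ok:
            missing.append(name)
    # SSL termination: each routed host needs an exact (non-wildcard) spec.tls entry.
    tls_hosts = {h for t in spec.get("tls") or [] for h in t.get("hosts") or []}
    rule_hosts = {r.get("host") for r in spec.get("rules") or []}
    if not rule_hosts or not rule_hosts <= tls_hosts:
        missing.append("tls")
    return sorted(missing)

def audit(doc):
    """Audit a `kubectl get ingress -A -o json` List or a single Ingress."""
    items = doc["items"] if "items" in doc else [doc]
    return {"{namespace}/{name}".format(**i["metadata"]): audit_ingress(i)
            for i in items}

# Constructed sample input (not taken from a real cluster).
SAMPLE = json.loads("""{"items": [
 {"metadata": {"namespace": "prod", "name": "shop", "annotations": {
    "nginx.ingress.kubernetes.io/auth-url": "https://auth.example.test/check",
    "nginx.ingress.kubernetes.io/limit-rps": "20",
    "nginx.ingress.kubernetes.io/enable-modsecurity": "true"}},
  "spec": {"tls": [{"hosts": ["shop.example.test"]}],
           "rules": [{"host": "shop.example.test"}]}},
 {"metadata": {"namespace": "staging", "name": "admin", "annotations": {
    "nginx.ingress.kubernetes.io/whitelist-source-range": "10.0.0.0/8",
    "nginx.ingress.kubernetes.io/enable-modsecurity": "false"}},
  "spec": {"rules": [{"host": "admin.example.test"}]}}]}""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=1))
```

A criterion reported here is one that is not configured on that Ingress object; whether it is needed (a source allowlist on a public site, for instance) remains a decision per application.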

Source: www.habr.com
