Overview and comparison of Ingress controllers for Kubernetes

When launching a Kubernetes cluster for a particular application, you need to understand what the application itself, the business, and the developers demand of this resource. With this information, you can start making an architectural decision and, in particular, choosing a specific Ingress controller, of which there are already a large number today. To give a basic idea of the available options without wading through many articles, documentation, etc., we have prepared this overview, covering the main (production ready) Ingress controllers.

We hope it will help colleagues in choosing an architectural solution; at the least, it will be a starting point for getting more detailed information and for practical experiments. Beforehand, we studied other similar materials on the net and, oddly enough, did not find a single more or less complete and, most importantly, structured review. So let's fill that gap!

Criteria

In principle, to make a comparison and get any useful result, you need not only to understand the subject area but also to have a specific list of criteria that sets the direction of the research. Without pretending to analyze every possible case of using Ingress/Kubernetes, we have tried to highlight the most general requirements for controllers; be prepared that in any case you will have to study all your own specifics and particulars separately.

But I will start with the features that have become so familiar that they are implemented in all solutions and are not considered:

  • dynamic discovery of services (service discovery);
  • SSL termination;
  • working with websockets.

Now for the comparison criteria:

Supported protocols

One of the fundamental selection criteria. Your software may not work over standard HTTP, or it may need to work over several protocols at once. If your case is non-standard, be sure to take this factor into account so that you do not have to reconfigure the cluster later. The list of supported protocols differs from controller to controller.

Software at the core

There are several kinds of applications that a controller can be based on. The most popular are nginx, traefik, haproxy, and envoy. In the general case, this may not greatly affect how traffic is received and passed on, but it is always useful to know the nuances and characteristics of what is "under the hood".

Traffic routing

On what basis can the decision be made to route traffic to a particular service? Usually these are the host and the path, but there are additional possibilities.

Namespace within a cluster

Namespace: the ability to logically separate resources in Kubernetes (for example, into stage, production, etc.). There are Ingress controllers that must be installed separately in each namespace (and then they can direct traffic only to the pods of that namespace). And there are those (the clear majority) that work globally for the whole cluster: in them, traffic is directed to any pod of the cluster, regardless of namespace.

Upstream probes

How is traffic directed to healthy instances of the application or services? There are options with active and passive checks, retries, circuit breakers (for more details, see, for example, the article about Istio), custom health checks, etc. A very important parameter if you have high requirements for availability and for the timely removal of failed services from balancing.

Balancing algorithms

There are many options: from the traditional round-robin to the exotic rdp-cookie, as well as individual features such as sticky sessions.

Authentication

Which authorization schemes does the controller support? Basic, digest, oauth, external-auth: I think these options should be familiar. This is an important criterion if there are many developer (and/or simply private) environments accessible through Ingress.

Traffic distribution

Does the controller support commonly used traffic distribution mechanisms such as canary rollouts, A/B testing, and traffic mirroring (mirroring/shadowing)? This is a really sore subject for applications that need precise and fine-grained traffic management for productive testing, debugging production errors offline (or with minimal losses), traffic analysis, and so on.

Paid subscription

Is there a paid version of the controller, with extended functionality and/or technical support?

Graphical user interface (Web UI)

Is there any GUI for managing the controller configuration? Mainly for "handiness" and/or for those who need to make some changes to the Ingress configuration but find working with "raw" templates inconvenient. It can be useful if developers want to run some experiments with traffic on the fly.

JWT validation

The presence of built-in validation of JSON web tokens for authorizing and validating the user to the end application.

Configuration customization capabilities

Template extensibility, in the sense of having mechanisms that let you add your own directives, flags, etc.

Basic DDoS protection mechanisms

Simple rate-limit algorithms or more complex traffic filtering options based on addresses, whitelists, countries, etc.
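
What the authentication and basic DDoS protection criteria look like on the community ingress-nginx controller, as an added example that is not part of the original article. The hostname, namespace, Service and Secret names and the CIDR range are constructed placeholders; the annotation keys are those of ingress-nginx, and a current `networking.k8s.io/v1` API is assumed.

```yaml
# Added example (not from the article): a private developer environment
# exposed through ingress-nginx with authentication, an address allowlist
# and per-client rate limits. All names and the CIDR are placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dev-portal
  namespace: stage
  annotations:
    # Authentication criterion: HTTP basic auth enforced at the controller.
    # The referenced Secret holds an htpasswd file under the key "auth".
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: dev-portal-htpasswd
    nginx.ingress.kubernetes.io/auth-realm: "Authentication required"
    # Address-based filtering: only this source range is allowed through.
    nginx.ingress.kubernetes.io/whitelist-source-range: "203.0.113.0/24"
    # Rate limiting per client IP: requests per second and open connections.
    nginx.ingress.kubernetes.io/limit-rps: "10"
    nginx.ingress.kubernetes.io/limit-connections: "20"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [dev.example.com]
      secretName: dev-portal-tls
  rules:
    - host: dev.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: dev-portal
                port:
                  number: 8080
```

These annotation keys are specific to ingress-nginx and are not portable to the other controllers in this review.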

Request tracing

The ability to monitor, trace and debug requests from Ingresses to specific services/pods, and ideally between services/pods as well.

WAF

Support for an application firewall.

Controllers

The list of controllers was compiled based on the official Kubernetes documentation and this table. We excluded some of them from the review because of their specificity or low prevalence (early stage of development). The rest are discussed below. Let's start with a general description of the solutions and continue with a summary table.

Ingress from Kubernetes

Website: github.com/kubernetes/ingress-nginx
License: Apache 2.0

This is the official controller for Kubernetes and is developed by the community. As is obvious from the name, it is based on nginx and is complemented by a separate set of Lua plugins used to implement additional features. Thanks to the popularity of nginx itself and the minimal modifications made to it when used as a controller, this option may be the simplest and easiest to configure for the average engineer (with web experience).

Ingress by NGINX Inc.

Website: github.com/nginxinc/kubernetes-ingress
License: Apache 2.0

The official product of the nginx developers. It has a paid version based on NGINX Plus. The main idea is a high level of stability, constant backward compatibility, the absence of any extraneous modules, and a claimed increase in speed (compared to the official controller), achieved by dropping Lua.

The free version is significantly cut down, including in comparison with the official controller (due to the absence of those same Lua modules). At the same time, the paid one has rather broad additional functionality: real-time metrics, JWT validation, active health checks, and more. An important advantage over NGINX Ingress is full support for TCP/UDP traffic (in the community version too!). The downside is the lack of traffic distribution features, which, however, "have the highest priority for the developers", but take time to implement.

Kong Ingress

Website: github.com/Kong/kubernetes-ingress-controller
License: Apache 2.0

A product developed by Kong Inc. in two versions: commercial and free. It is based on nginx, extended with a large number of Lua modules.

Initially, it was focused on processing and routing API requests, i.e. as an API Gateway, but by now it has become a full-fledged Ingress controller. Main advantages: many additional modules (including ones from third-party developers) that are easy to install and configure and with whose help a wide range of additional features is implemented. However, the built-in functions already offer many possibilities. Configuration is done using CRD resources.

An important feature of the product, working within a single environment (instead of cross-namespaced), is a controversial topic: to some it will seem a drawback (you have to create entities for each environment), and to others a feature (a greater degree of isolation, since if one controller breaks, the problem is limited to that environment alone).

Traefik

Website: github.com/containous/traefik
License: MIT

A proxy that was originally created to route requests for microservices and their dynamic environment. Hence many useful features: updating the configuration without restarts, support for a large number of balancing methods, a web interface, metrics forwarding, support for various protocols, a REST API, canary releases, and much more. Another nice feature is support for Let's Encrypt certificates out of the box. The disadvantage is that, to organize high availability (HA), the controller needs its own KV storage installed and connected.

HAProxy

Website: github.com/jcmoraisjr/haproxy-ingress
License: Apache 2.0

HAProxy has long been known as a proxy and traffic balancer. As part of a Kubernetes cluster, it offers "soft" configuration updates (without traffic loss), DNS-based service discovery, and dynamic configuration using an API. Fully customizing the config template by replacing the CM can be attractive, as can the ability to use Sprig library functions in it. In general, the main emphasis of the solution is on high speed, its optimization, and efficiency in the resources consumed. The controller's advantage is support for a record number of different balancing methods.

Voyager

Website: github.com/appscode/voyager
License: Apache 2.0

Based on the HAProxy controller, it is positioned as a universal solution that supports a wide range of features on a large number of providers. It offers the ability to balance traffic at L7 and L4, and balancing TCP L4 traffic as a whole can be called one of the key features of the solution.

Contour

Website: github.com/heptio/contour
License: Apache 2.0

This solution is not just based on Envoy: it was developed jointly with the authors of this popular proxy. An important feature is the ability to separate control of Ingress resources using IngressRoute CRD resources. For organizations with many development teams using the same cluster, this helps maximize the security of working with traffic in neighboring environments and protects them from errors when Ingress resources are changed.

It also offers an extended set of balancing methods (there is request mirroring, automatic retries, request rate limiting, and much more) and detailed monitoring of traffic flow and failures. Perhaps for some the lack of support for sticky sessions will be a significant drawback (although work is already underway).

Istio Ingress

Website: istio.io/docs/tasks/traffic-management/ingress
License: Apache 2.0

A comprehensive service mesh solution that is not only an Ingress controller managing incoming traffic from outside, but also controls all traffic within the cluster. Under the hood, Envoy is used as a sidecar proxy for each service. In essence, this is a large combine that "can do anything", and its main idea is maximum manageability, extensibility, security, and transparency. With it, you can fine-tune traffic routing, access authorization between services, balancing, monitoring, canary releases, and much more. Read more about Istio in the article series "Back to microservices with Istio".

Ambassador

Website: github.com/datawire/ambassador
License: Apache 2.0

Another solution based on Envoy. It has free and commercial versions. It is positioned as "fully native to Kubernetes", which brings the corresponding benefits (tight integration with the methods and entities of the K8s cluster).

Comparison table

So, the culmination of the article is this huge table:

[Image: comparison table of Ingress controllers for Kubernetes]

The table is also available in Google Sheets format.

Let's summarize

The purpose of this article is to provide a fuller understanding (by no means exhaustive, though!) of which choice to make in your particular case. As usual, every controller has its advantages and disadvantages…

The classic Ingress from Kubernetes is good for its availability and provenness, and for its sufficiently rich features: in the general case, it should be "more than enough". However, if there are increased requirements for stability, feature level, and development, you should pay attention to Ingress with NGINX Plus and a paid subscription. Kong has the richest set of plugins (and, accordingly, of the capabilities they provide), and in the paid version there are even more of them. It has ample opportunities for working as an API Gateway, dynamic configuration based on CRD resources, as well as basic Kubernetes services.

With increased requirements for balancing and authorization methods, look at Traefik and HAProxy. These are Open Source projects, proven over the years, stable and actively developing. Contour has been out for a couple of years now, but it still looks too young and has only basic features added on top of Envoy. If there are requirements for the presence/embedding of a WAF in front of the application, you should pay attention to the same Ingress from Kubernetes or HAProxy.

And the richest in terms of features are the products built on top of Envoy, especially Istio. It seems to be a comprehensive solution that "can do anything", which, however, also means a much higher entry threshold for configuration/launch/administration than other solutions.

We chose and still use Ingress from Kubernetes as the standard controller, which covers 80-90% of needs. It is reliable, and easy to configure and extend. In general, in the absence of specific requirements, it should suit most clusters/applications. Among similarly universal and simple products, Traefik and HAProxy can be recommended.

Source: www.habr.com
