Overview and comparison of Ingress controllers for Kubernetes

When launching a Kubernetes cluster for a specific application, you need to understand what the application itself, the business, and the developers require of this resource. With this information, you can start making an architectural decision and, in particular, choose a specific Ingress controller, of which there are already a large number today. To give a basic idea of the available options without wading through many articles, documentation, and so on, we have prepared this overview, which covers the main (production-ready) Ingress controllers.

We hope it will help colleagues choose an architectural solution; at the very least, it will be a starting point for gathering more detailed information and for practical experiments. Beforehand, we studied other similar materials on the net and, oddly enough, did not find a single more or less complete and, most importantly, structured review. So let's fill that gap!

Criteria

In principle, to make a comparison and get any useful result, you need not only to understand the subject area but also to have a specific list of criteria that sets the direction of the research. Without claiming to analyze every use case for Ingress / Kubernetes, we have tried to highlight the most general requirements for controllers; be prepared that in any case you will have to study your own specifics and particulars separately.

But I will start with the features that have become so common that they are implemented in all solutions and are not considered here:

  • dynamic service discovery;
  • SSL termination;
  • working with websockets.

Now for the points of comparison:

Supported protocols

One of the fundamental selection criteria. Your software may not work over standard HTTP, or it may need to work over several protocols at once. If your case is non-standard, be sure to take this factor into account so that you do not have to reconfigure the cluster later. The list of supported protocols varies from controller to controller.

Underlying software

There are several variants of the application a controller is based on. The popular ones are nginx, traefik, haproxy, and envoy. In the general case, this may not have much effect on how traffic is received and forwarded, but it is always useful to know the possible nuances and idiosyncrasies of what is under the hood.

Traffic routing

On what basis can the decision be made to direct traffic to a particular service? Usually these are the host and the path, but there are other possibilities.

Namespace within the cluster

Namespace: the ability to logically separate resources in Kubernetes (for example, into stage, production, and so on). There are Ingress controllers that must be installed separately in each namespace (and can then direct traffic only to the pods of that namespace). And there are those (the clear majority) that work globally across the whole cluster; with them, traffic is sent to any pod in the cluster, regardless of namespace.

Upstream probes

How is traffic directed to healthy instances of the application or services? There are options with active and passive checks, retries, circuit breakers (for more details, see, for example, the article about Istio), custom health checks, and so on. This is a very important parameter if you have high requirements for availability and for the timely removal of failed services from balancing.

Balancing algorithms

There are many options: from the traditional round-robin to the exotic rdp-cookie, as well as individual features such as sticky sessions.

Authentication

Which authorization schemes does the controller support? Basic, digest, oauth, external-auth: I think these options should be familiar. This is an important criterion if there are many developer (and/or simply private) environments that are accessed through Ingress.

Traffic distribution

Does the controller support such commonly used traffic distribution mechanisms as canary rollouts, A/B testing, and traffic mirroring (mirroring/shadowing)? This is a very sore subject for applications that need accurate and precise traffic management for productive testing, debugging production errors offline (or with minimal losses), traffic analysis, and more.

Paid subscription

Is there a paid version of the controller, with extended functionality and/or technical support?

Graphical user interface (Web UI)

Is there a GUI for managing the controller configuration? It is mainly for "handiness" and/or for those who need to make some changes to the Ingress configuration but find working with "raw" templates inconvenient. It can be useful if developers want to run experiments with traffic on the fly.

JWT validation

The presence of built-in validation of JSON Web Tokens to authorize and validate the user before the request reaches the end application.

Customization options

Template extensibility, in the sense of mechanisms that let you add your own directives, flags, and so on to the standard configuration templates.

Basic DDoS protection mechanisms

Simple rate limit algorithms or more complex traffic filtering options based on addresses, whitelists, countries, and so on.

Request tracing

The ability to monitor, trace, and debug requests from Ingresses to specific services/pods, and between services/pods as well.

WAF

Support for an application firewall.

Controllers

The list of controllers was compiled based on the official Kubernetes documentation and this table. We excluded some of them from the review because of their narrow specialization or low prevalence (an early stage of development). The rest are discussed below. Let's start with a general description of the solutions and continue with a summary table.

Ingress from Kubernetes

Website: github.com/kubernetes/ingress-nginx
License: Apache 2.0

This is the official controller for Kubernetes and is developed by the community. As the name makes obvious, it is based on nginx and is complemented by a varied set of Lua plugins used to implement additional features. Thanks to the popularity of nginx itself and the minimal modifications made to it when used as a controller, this option can be the simplest and most understandable to configure for the average engineer (with web experience).

Ingress by NGINX Inc.

Website: github.com/nginxinc/kubernetes-ingress
License: Apache 2.0

The official product of the nginx developers. It has a paid version based on NGINX Plus. The main idea is a high level of stability, constant backward compatibility, the absence of any extraneous modules, and a claimed higher speed (compared with the official controller), achieved by abandoning Lua.

The free version is heavily cut down, including in comparison with the official controller (because of the lack of those same Lua modules). The paid version has a fairly wide range of additional functionality: real-time metrics, JWT validation, active health checks, and more. An important advantage over NGINX Ingress is full support for TCP/UDP traffic (and in the community version too!). The downside is the absence of the traffic distribution feature, which, however, "has the highest priority for the developers," but takes time to implement.

Kong Ingress

Website: github.com/Kong/kubernetes-ingress-controller
License: Apache 2.0

A product developed by Kong Inc. in two versions: commercial and free. Based on nginx, extended with a large number of Lua modules.

Initially, it was focused on processing and routing API requests, i.e. as an API gateway, but by now it has become a full-fledged Ingress controller. The main advantages: many additional modules (including ones from third-party developers) that are easy to install and configure and with which a wide range of additional features is implemented. However, the built-in functions already offer many possibilities. Configuration is done using CRD resources.

An important feature of the product is that it works within a single environment (instead of cross-namespace), which is a controversial point: to some it will seem a drawback (you have to create entities for each environment), and to others a feature (a higher level of isolation, because if one controller breaks, the problem is limited to a single environment).

Traefik

Website: github.com/containous/traefik
License: MIT

A proxy that was originally created to route requests for microservices and their dynamic environment. Hence many useful features: updating the configuration with no restarts at all, support for a large number of balancing methods, a web interface, metrics forwarding, support for various protocols, a REST API, canary releases, and much more. A nice feature is out-of-the-box support for Let's Encrypt certificates. The downside: to organize high availability (HA), the controller requires you to install and connect its own KV storage.

HAProxy

Website: github.com/jcmorisjr/haproxy-ingress
License: Apache 2.0

HAProxy has long been known as a proxy and traffic balancer. Within a Kubernetes cluster, it offers "soft" configuration updates (without traffic loss), DNS-based service discovery, and dynamic configuration via an API. Full customization of the configuration template by replacing the ConfigMap may be attractive, as may the ability to use Sprig library functions in it. In general, the main emphasis of the solution is on high speed, its optimization, and efficiency in resource consumption. The controller's advantage is that it supports a record number of different balancing methods.

Voyager

Website: github.com/appscode/voyager
License: Apache 2.0

Based on the HAproxy controller, positioned as a universal solution that supports a wide range of features across a large number of providers. It offers the ability to balance traffic at L7 and L4, and balancing TCP L4 traffic as a whole can be called one of the key features of the solution.

Contour

Website: github.com/heptio/contour
License: Apache 2.0

This solution is not merely based on Envoy: it was developed jointly with the authors of that popular proxy. An important feature is the ability to separate the administration of Ingress resources using IngressRoute CRD resources. For organizations with many development teams sharing a single cluster, this helps maximize the security of managing traffic in neighboring environments and protects them from errors when Ingress resources are changed.
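An added sketch (not from the original article or the Contour project) of that separation using IngressRoute delegation: a root object in an admin-owned namespace claims the hostname and hands one path prefix to a team namespace. The namespaces, object names, service and host are constructed placeholders.

```yaml
# Added example. Root IngressRoute: owned by cluster administrators.
# Only a root carries a virtualhost block, so only it claims the hostname.
apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: shop-root            # constructed name
  namespace: ingress-roots   # constructed admin-owned namespace
spec:
  virtualhost:
    fqdn: shop.example.com   # constructed host
  routes:
    # Hand the /cart prefix to an IngressRoute in the cart team's namespace.
    - match: /cart
      delegate:
        name: cart
        namespace: team-cart
---
# Delegate IngressRoute: owned by the cart team.
# It has no virtualhost block, so it serves traffic only because the
# root above delegates /cart to it; a mistake here stays under /cart.
apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: cart
  namespace: team-cart
spec:
  routes:
    - match: /cart
      services:
        - name: cart-svc     # constructed Service in team-cart
          port: 80
```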

It also offers an extended set of balancing methods (there is request mirroring, automatic retries, request rate limiting, and much more), and detailed monitoring of traffic flow and failures. For some, the lack of support for sticky sessions may be a significant drawback (although work is already under way).

Istio Ingress

Website: istio.io/docs/tasks/traffic-management/ingress
License: Apache 2.0

A comprehensive service mesh solution that is not only an Ingress controller managing incoming traffic from outside, but also controls all traffic within the cluster. Under the hood, Envoy is used as a sidecar proxy for each service. In essence, it is a big combine that "can do anything", and its main idea is maximum manageability, extensibility, security, and transparency. With it, you can fine-tune traffic routing, access authorization between services, balancing, monitoring, canary releases, and much more. Read more about Istio in the article series "Back to Microservices with Istio".

Ambassador

Website: github.com/datawire/ambassador
License: Apache 2.0

Another solution based on Envoy. It has free and commercial versions. It is positioned as "fully native to Kubernetes", which brings the corresponding advantages (tight integration with the methods and entities of the K8s cluster).

Comparison table

So, the culmination of the article is this large table:

It is clickable for a closer look and is also available in Google Sheets format.

Let's summarize

The purpose of this article is to give a fuller understanding (though by no means an exhaustive one!) of which choice to make in your particular case. As usual, each controller has its advantages and disadvantages…

The classic Ingress from Kubernetes is good for its accessibility and reliability and its fairly rich capabilities; in the general case, it should be "more than enough". However, if you have increased requirements for stability, feature level, and development, you should look at Ingress with NGINX Plus and a paid subscription. Kong has the richest set of plugins (and, accordingly, the capabilities they provide), and there are even more of them in the paid version. It has ample capabilities for working as an API gateway, dynamic configuration based on CRD resources, and basic Kubernetes services.

If you have increased requirements for balancing and authorization methods, take a closer look at Traefik and HAProxy. These are open source projects, proven over the years, very stable, and actively developing. Contour has been around for a couple of years now, but it still looks too young and has only basic features added on top of Envoy. If there are requirements for having/embedding a WAF in front of the application, you should pay attention to the same Ingress from Kubernetes or HAProxy.

And the richest in terms of features are the products built on top of Envoy, especially Istio. It appears to be a comprehensive solution that "can do anything", which, however, also means a significantly higher entry threshold for configuration/launch/administration than other solutions.

We chose and still use Ingress from Kubernetes as the standard controller, which covers 80-90% of needs. It is quite reliable and easy to configure and extend. In general, in the absence of specific requirements, it should suit most clusters/applications. Among similarly universal and relatively simple products, Traefik and HAProxy can be recommended.

Source: www.habr.com
