Create an ingress controller to an internal virtual network in Azure Kubernetes Service (AKS)

An ingress controller is a piece of software that provides reverse proxy, configurable traffic routing, and TLS termination for Kubernetes services. Kubernetes ingress resources are used to configure the ingress rules and routes for individual Kubernetes services. Using an ingress controller and ingress rules, a single IP address can be used to route traffic to multiple services in a Kubernetes cluster.

This article shows you how to deploy the NGINX ingress controller in an Azure Kubernetes Service (AKS) cluster. The ingress controller is configured on an internal, private virtual network and IP address. No external access is allowed. Two applications are then run in the AKS cluster, each of which is accessible over the single IP address.

You can also:

Before you begin

This article uses Helm to install the NGINX ingress controller, cert-manager, and a sample web app. You need to have Helm initialized within your AKS cluster and using a service account for Tiller. For more information on configuring and using Helm, see Install applications with Helm in Azure Kubernetes Service (AKS).

This article also requires that you are running the Azure CLI version 2.0.64 or later. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.

Create an ingress controller

By default, an NGINX ingress controller is created with a dynamic public IP address assignment. A common configuration requirement is to use an internal, private network and IP address. This approach allows you to restrict access to your services to internal users, with no external access.

Create a file named internal-ingress.yaml using the following example manifest file. This example assigns 10.240.0.42 to the loadBalancerIP resource. Provide your own internal IP address for use with the ingress controller. Make sure that this IP address is not already in use within your virtual network.

controller:
  service:
    loadBalancerIP: 10.240.0.42
    annotations:
      service.beta.kubernetes.io/azure-load-balancer-internal: "true"
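The manifest above only works if the chosen loadBalancerIP is a free address inside the subnet that the AKS nodes use. The following pre-flight check is an added example, not part of the Azure documentation or the nginx-ingress chart: it confirms the candidate address is private, lies inside the subnet, is not one of the addresses Azure reserves in every subnet (the first four and the last), and is not in the list of addresses you already know to be allocated. The subnet 10.240.0.0/16 and the in-use list are constructed sample values; substitute your own from the Azure portal or CLI.

```python
"""Pre-flight check for the loadBalancerIP of an internal NGINX ingress controller.

Added example (not from the Azure docs). Assumes you know the node subnet CIDR
and have a list of addresses already allocated in the virtual network.
"""
import ipaddress

# Azure reserves the first four addresses of each subnet (network address,
# default gateway, two for Azure DNS) and the last (broadcast) address.
AZURE_RESERVED_HEAD = 4


def azure_reserved_addresses(subnet):
    """Return the set of addresses Azure will never hand out in this subnet."""
    net = ipaddress.ip_network(subnet, strict=True)
    return {net[i] for i in range(AZURE_RESERVED_HEAD)} | {net[-1]}


def check_load_balancer_ip(candidate, subnet, in_use):
    """Return (ok, reason); ok is True only when candidate is usable as loadBalancerIP."""
    ip = ipaddress.ip_address(candidate)
    net = ipaddress.ip_network(subnet, strict=True)
    if not ip.is_private:
        return False, f"{ip} is not a private (RFC 1918) address"
    if ip not in net:
        return False, f"{ip} is outside the subnet {net}"
    if ip in azure_reserved_addresses(subnet):
        return False, f"{ip} is reserved by Azure in {net}"
    if ip in {ipaddress.ip_address(a) for a in in_use}:
        return False, f"{ip} is already allocated in the virtual network"
    return True, f"{ip} is free to use as loadBalancerIP"


def render_internal_ingress_values(candidate):
    """Produce the internal-ingress.yaml contents from the article for a checked address."""
    return (
        "controller:\n"
        "  service:\n"
        f"    loadBalancerIP: {candidate}\n"
        "    annotations:\n"
        '      service.beta.kubernetes.io/azure-load-balancer-internal: "true"\n'
    )


if __name__ == "__main__":
    # Constructed sample values: the default AKS node subnet and two addresses
    # that the first node and a pod already occupy (hypothetical).
    ok, reason = check_load_balancer_ip("10.240.0.42", "10.240.0.0/16",
                                        ["10.240.0.4", "10.240.0.5"])
    print(reason)
    if ok:
        print(render_internal_ingress_values("10.240.0.42"), end="")
```

Run the script before `helm install`; if the check fails, pick another address rather than letting the Azure load balancer silently fail to allocate the one you asked for.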

Now deploy the nginx-ingress chart with Helm. To use the manifest file created in the previous step, add the -f internal-ingress.yaml parameter. For added redundancy, two replicas of the NGINX ingress controllers are deployed with the --set controller.replicaCount parameter. To fully benefit from running replicas of the ingress controller, make sure there's more than one node in your AKS cluster.

The ingress controller also needs to be scheduled on a Linux node. Windows Server nodes (currently in preview in AKS) shouldn't run the ingress controller. A node selector is specified using the --set nodeSelector parameter to tell the Kubernetes scheduler to run the NGINX ingress controller on a Linux-based node.

Tip

The following example creates a Kubernetes namespace for the ingress resources named ingress-basic. Specify a namespace for your own environment as needed. If your AKS cluster is not RBAC enabled, add --set rbac.create=false to the Helm commands.

Tip

If you would like to enable client source IP preservation for requests to containers in your cluster, add --set controller.service.externalTrafficPolicy=Local to the Helm install command. The client source IP is stored in the request header under X-Forwarded-For. When using an ingress controller with client source IP preservation enabled, SSL pass-through will not work.

# Create a namespace for your ingress resources
kubectl create namespace ingress-basic

# Use Helm to deploy an NGINX ingress controller
helm install stable/nginx-ingress \
    --namespace ingress-basic \
    -f internal-ingress.yaml \
    --set controller.replicaCount=2 \
    --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux \
    --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux

When the Kubernetes load balancer service is created for the NGINX ingress controller, your internal IP address is assigned, as shown in the following example output:

$ kubectl get service -l app=nginx-ingress --namespace ingress-basic

NAME                                              TYPE           CLUSTER-IP    EXTERNAL-IP   PORT(S)                      AGE
alternating-coral-nginx-ingress-controller        LoadBalancer   10.0.97.109   10.240.0.42   80:31507/TCP,443:30707/TCP   1m
alternating-coral-nginx-ingress-default-backend   ClusterIP      10.0.134.66   <none>        80/TCP                       1m

No ingress rules have been created yet, so the NGINX ingress controller's default 404 page is displayed if you browse to the internal IP address. Ingress rules are configured in the following steps.
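Because the only thing that keeps this ingress controller off the internet is the azure-load-balancer-internal annotation, it is worth verifying the result rather than trusting the chart. The following post-deployment check is an added example, not part of the Azure documentation: it parses the table printed by kubectl get service (the article's own output is embedded so the check runs offline), and reports if the LoadBalancer service received anything other than the requested private address, if the address is still pending, or if it exposes ports beyond 80 and 443.

```python
"""Post-deployment check: did the NGINX ingress controller get the requested
internal address and nothing public?

Added example (not from the Azure docs). Feed it the output of
`kubectl get service -l app=nginx-ingress --namespace ingress-basic`.
"""
import ipaddress

# The article's example output, embedded so the check can run without a cluster.
SAMPLE_OUTPUT = """\
NAME                                              TYPE           CLUSTER-IP    EXTERNAL-IP   PORT(S)                      AGE
alternating-coral-nginx-ingress-controller        LoadBalancer   10.0.97.109   10.240.0.42   80:31507/TCP,443:30707/TCP   1m
alternating-coral-nginx-ingress-default-backend   ClusterIP      10.0.134.66   <none>        80/TCP                       1m
"""


def parse_services(table):
    """Turn kubectl's whitespace-aligned table into one dict per row, keyed by header."""
    lines = [ln for ln in table.splitlines() if ln.strip()]
    header = lines[0].split()
    return [dict(zip(header, ln.split())) for ln in lines[1:]]


def service_ports(port_column):
    """'80:31507/TCP,443:30707/TCP' -> [80, 443]; '80/TCP' -> [80]."""
    return [int(entry.split(":")[0].split("/")[0]) for entry in port_column.split(",")]


def verify_internal_ingress(table, expected_ip, allowed_ports=(80, 443)):
    """Return a list of findings; an empty list means the controller looks as intended."""
    lb = [s for s in parse_services(table) if s["TYPE"] == "LoadBalancer"]
    if len(lb) != 1:
        return [f"expected exactly one LoadBalancer service, found {len(lb)}"]
    svc = lb[0]
    name, ext = svc["NAME"], svc["EXTERNAL-IP"]
    if ext in ("<none>", "<pending>"):
        return [f"{name}: external IP not yet assigned ({ext})"]

    findings = []
    if not ipaddress.ip_address(ext).is_private:
        findings.append(f"{name}: {ext} is a public address; the internal annotation did not take effect")
    if ext != expected_ip:
        findings.append(f"{name}: got {ext}, expected loadBalancerIP {expected_ip}")
    for port in service_ports(svc["PORT(S)"]):
        if port not in allowed_ports:
            findings.append(f"{name}: unexpected service port {port}")
    return findings


if __name__ == "__main__":
    import sys
    table = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    problems = verify_internal_ingress(table, "10.240.0.42")
    print("\n".join(problems) if problems else "ingress controller is internal as requested")
    sys.exit(1 if problems else 0)
```

Pipe the live kubectl output into the script (kubectl get service -l app=nginx-ingress --namespace ingress-basic | python3 check.py); a non-zero exit makes it usable as a gate in a deployment pipeline.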

Run demo applications

To see the ingress controller in action, let's run two demo applications in your AKS cluster. In this example, Helm is used to deploy two instances of a simple 'Hello world' application.

Before you can install the sample Helm charts, add the Azure samples repository to your Helm environment as follows:

helm repo add azure-samples https://azure-samples.github.io/helm-charts/

Create the first demo application from a Helm chart with the following command:

helm install azure-samples/aks-helloworld --namespace ingress-basic

Now install a second instance of the demo application. For the second instance, you specify a new title so that the two applications are visually distinct. You also specify a unique service name:

helm install azure-samples/aks-helloworld \
    --namespace ingress-basic \
    --set title="AKS Ingress Demo" \
    --set serviceName="ingress-demo"

Create an ingress route

Both applications are now running on your Kubernetes cluster. To route traffic to each application, create a Kubernetes ingress resource. The ingress resource configures the rules that route traffic to one of the two applications.

In the following example, traffic to the address http://10.240.0.42/ is routed to the service named aks-helloworld. Traffic to the address http://10.240.0.42/hello-world-two is routed to the ingress-demo service.

Create a file named hello-world-ingress.yaml and copy in the following example YAML.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: hello-world-ingress
  namespace: ingress-basic
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: aks-helloworld
          servicePort: 80
        path: /(.*)
      - backend:
          serviceName: ingress-demo
          servicePort: 80
        path: /hello-world-two(/|$)(.*)

Create the ingress resource using the kubectl apply -f hello-world-ingress.yaml command.

$ kubectl apply -f hello-world-ingress.yaml

ingress.extensions/hello-world-ingress created

Test the ingress controller

To test the routes for the ingress controller, browse to the two applications with a web client. If needed, you can quickly test this internal-only functionality from a pod on the AKS cluster. Create a test pod and attach a terminal session to it:

kubectl run -it --rm aks-ingress-test --image=debian --namespace ingress-basic

Install curl in the pod using apt-get:

apt-get update && apt-get install -y curl

Now access the address of your Kubernetes ingress controller using curl, such as http://10.240.0.42. Provide your own internal IP address specified when you deployed the ingress controller in the first step of this article.

curl -L http://10.240.0.42

No additional path was provided with the address, so the ingress controller defaults to the / route. The first demo application is returned, as shown in the following condensed example output:

$ curl -L 10.240.0.42

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <link rel="stylesheet" type="text/css" href="/static/default.css">
    <title>Welcome to Azure Kubernetes Service (AKS)</title>
[...]

Now add the /hello-world-two path to the address, such as http://10.240.0.42/hello-world-two. The second demo application with the custom title is returned, as shown in the following condensed example output:

$ curl -L -k http://10.240.0.42/hello-world-two

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <link rel="stylesheet" type="text/css" href="/static/default.css">
    <title>AKS Ingress Demo</title>
[...]

Clean up resources

This article used Helm to install the ingress components and sample apps. When you deploy a Helm chart, a number of Kubernetes resources are created. These resources include pods, deployments, and services. To clean up these resources, you can either delete the entire sample namespace, or the individual resources.

Delete the sample namespace and all resources

To delete the entire sample namespace, use the kubectl delete command and specify your namespace name. All the resources in the namespace are deleted.

kubectl delete namespace ingress-basic

Then, remove the Helm repo for the AKS hello world app:

helm repo remove azure-samples

Delete resources individually

Alternatively, a more granular approach is to delete the individual resources created. List the Helm releases with the helm list command. Look for charts named nginx-ingress and aks-helloworld, as shown in the following example output:

$ helm list

NAME                REVISION    UPDATED                     STATUS      CHART                   APP VERSION NAMESPACE
kissing-ferret      1           Tue Oct 16 17:13:39 2018    DEPLOYED    nginx-ingress-0.22.1    0.15.0      kube-system
intended-lemur      1           Tue Oct 16 17:20:59 2018    DEPLOYED    aks-helloworld-0.1.0                default
pioneering-wombat   1           Tue Oct 16 17:21:05 2018    DEPLOYED    aks-helloworld-0.1.0                default

Delete the releases with the helm delete command. The following example deletes the NGINX ingress deployment, and the two sample AKS hello world apps.

$ helm delete kissing-ferret intended-lemur pioneering-wombat

release "kissing-ferret" deleted
release "intended-lemur" deleted
release "pioneering-wombat" deleted

Next, remove the Helm repo for the AKS hello world app:

helm repo remove azure-samples

Remove the ingress route that directed traffic to the sample apps:

kubectl delete -f hello-world-ingress.yaml

Finally, you can delete the namespace itself. Use the kubectl delete command and specify your namespace name:

kubectl delete namespace ingress-basic

Next steps

This article included some external components to AKS. To learn more about these components, see the following project pages:

You can also: