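1 Layer 4 forwarding and layer 7 forwarding
1.1 Layer 4 load balancing
Layer 4 load balancing works at the transport layer of the OSI model. The transport layer has only the TCP and UDP protocols, and besides the source IP and destination IP, packets of these two protocols also carry the source and destination port numbers. After receiving a client request, a layer 4 load balancer forwards the traffic to an application server by rewriting the packet's address information (IP + port).
1.2 Layer 7 load balancing
Layer 7 load balancing works at the application layer of the OSI model. There are many application-layer protocols; common ones are HTTP, RADIUS and DNS. Layer 7 load balancing can balance on the basis of these protocols, which carry a lot of meaningful content. For example, when load balancing the same web server, in addition to balancing by IP and port, the layer 7 URL, browser type and language can be used to decide whether to load balance.
2 Configuring Nginx layer 4 forwarding
In production, many ports only accept TCP connections, for example MySQL and SSH. These ports cannot be forwarded by an ordinary layer 7 proxy, so we need to configure Nginx layer 4 forwarding.
2.1 Nginx Dockerfile
Create the Nginx Dockerfile. Nginx must be compiled with the --with-stream module, otherwise the stream configuration cannot be used.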
FROM centos:7.8.2003
MAINTAINER huhuhahei
ADD nginx-1.12.0.tar.gz /opt
# --with-stream builds the stream (layer 4) module
RUN yum -y install gcc gcc-c++ lrzsz pcre-devel zlib-devel openssl openssl-devel \
    && useradd -M -s /sbin/nologin nginx \
    && cd /opt/nginx-1.12.0/ \
    && ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-stream \
    && make && make install
2.2 Create the forwarding configuration file
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-conf
  namespace: proxy
data:
  nginx.conf: |
    user root;
    worker_processes auto;
    error_log logs/error.log info;
    pid logs/nginx.pid;
    events {
        use epoll;
    }
    # Layer 4 (TCP/UDP) proxying; requires nginx built with --with-stream
    stream {
        upstream backend {
            server *****:8080 max_fails=3 fail_timeout=30s;
        }
        server {
            listen 8080;
            proxy_connect_timeout 1s;
            proxy_timeout 3s;
            proxy_pass backend;
        }
        # The quoted strings are concatenated, so each one ends with a space
        # to keep neighbouring fields apart in the log line
        log_format proxy '$remote_addr [$time_local] '
                         '$protocol $status $bytes_sent $bytes_received '
                         '$session_time "$upstream_addr" '
                         '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
        access_log /usr/local/nginx/logs/tcp-access.log proxy;
        error_log /usr/local/nginx/logs/tcp-error.log warn;
    }
    http {
        include /usr/local/nginx/conf/mime.types;
        default_type application/octet-stream;
    }
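
The tcp-access.log written with the `proxy` log_format above is the only record of who connected through the layer 4 proxy. The following is an added example, not part of the original post: a parser for that format which counts sessions per client and reports clients with repeated non-200 sessions. It assumes the fields are separated by single spaces; the sample lines, the addresses in them and the `fail_threshold` parameter are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Regex for the `proxy` log_format; assumes one space between fields.
LINE_RE = re.compile(
    r'(?P<remote_addr>\S+) \[(?P<time_local>[^\]]+)\] (?P<protocol>TCP|UDP) '
    r'(?P<status>\d{3}) (?P<bytes_sent>\d+) (?P<bytes_received>\d+) '
    r'(?P<session_time>\d+(?:\.\d+)?) "(?P<upstream_addr>[^"]*)" '
    r'"(?P<upstream_bytes_sent>[^"]*)" "(?P<upstream_bytes_received>[^"]*)" '
    r'"(?P<upstream_connect_time>[^"]*)"$'
)

def parse_line(line):
    """Return a dict of typed fields, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("status", "bytes_sent", "bytes_received"):
        rec[key] = int(rec[key])
    rec["session_time"] = float(rec["session_time"])
    # nginx lists every upstream it tried, comma-separated; "-" or "" means none.
    rec["upstreams"] = [u.strip() for u in rec["upstream_addr"].split(",")
                        if u.strip() not in ("", "-")]
    return rec

def summarize(lines, fail_threshold=3):
    """Count sessions per client; flag clients with >= fail_threshold non-200 sessions."""
    sessions, failures, unparsed = Counter(), defaultdict(Counter), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # keep a count: unparsed lines hide activity
            continue
        sessions[rec["remote_addr"]] += 1
        if rec["status"] != 200:   # stream $status: 200 is a completed session
            failures[rec["remote_addr"]][rec["status"]] += 1
    flagged = {ip: dict(c) for ip, c in failures.items()
               if sum(c.values()) >= fail_threshold}
    return {"sessions": dict(sessions), "flagged": flagged, "unparsed": unparsed}

# Constructed sample lines (documentation addresses), not real traffic.
OK = '192.0.2.10 [12/Mar/2024:10:15:32 +0800] TCP 200 5120 310 2.114 "10.0.0.5:8080" "310" "5120" "0.001"'
BAD = '198.51.100.7 [12/Mar/2024:10:15:40 +0800] TCP 502 0 0 1.001 "10.0.0.5:8080" "0" "0" "-"'
SAMPLE = [OK] + [BAD] * 3 + ["not a stream log line"]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
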
2.3 Create the Nginx deploy file
kind: Deployment
apiVersion: apps/v1
metadata:
  name: nginx-proxy
  namespace: proxy
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      volumes:
        # Volume name must match the volumeMounts entry below,
        # and configMap.name must match the ConfigMap created in 2.2
        - name: nginx-conf
          configMap:
            name: nginx-conf
            items:
              - key: nginx.conf
                path: nginx.conf
            defaultMode: 420
        - name: logs
          emptyDir: {}
      containers:
        - name: nginx
          image: 'harbor.huhuhahei.cn/test/nginx_proxy:v2'
          command:
            - /usr/local/nginx/sbin/nginx
          args:
            - '-g daemon off;'
            - '-c'
            - /opt/nginx.conf
          ports:
            - containerPort: 8080
              protocol: TCP
          env:
            - name: aliyun_logs_proxy-access-log
              value: /usr/local/nginx/logs/tcp-access.log
            - name: aliyun_logs_proxy-error-log
              value: /usr/local/nginx/logs/tcp-error.log
            - name: TZ
              value: Asia/Shanghai
          resources: {}
          volumeMounts:
            # The ConfigMap is mounted at /opt, so nginx.conf is at /opt/nginx.conf
            - name: nginx-conf
              mountPath: /opt
            - name: logs
              mountPath: /usr/local/nginx/logs/
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          imagePullPolicy: IfNotPresent
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst
      securityContext: {}
      schedulerName: default-scheduler
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600
---
kind: Service
apiVersion: v1
metadata:
  name: nginx-proxy
  namespace: proxy
spec:
  ports:
    - name: proxy
      protocol: TCP
      port: 8080
      targetPort: 8080
  selector:
    app: nginx
  type: NodePort