1. Configure Ingress path rewriting (app-root)
If the backend only serves under a path such as /app, a request for the bare host name hits / and gets a 404, so the controller has to be told where the application root is. The nginx.ingress.kubernetes.io/app-root annotation used below makes ingress-nginx answer a request for / with a redirect to /nacos; it does not change the path the backend receives (that is what nginx.ingress.kubernetes.io/rewrite-target does). Note that all the manifests in this post use apiVersion extensions/v1beta1, which was removed in Kubernetes 1.22; on current clusters use networking.k8s.io/v1, where the backend is written as service.name / service.port.number and pathType is mandatory.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/app-root: /nacos
  name: nacos-discovery-ingress
  namespace: port-forward
spec:
  rules:
  - host: nacos.huhuhahei.cn
    http:
      paths:
      - backend:
          serviceName: nacos
          servicePort: 8080
        path: /nacos
2. Configure an Ingress source-IP whitelist
nginx.ingress.kubernetes.io/whitelist-source-range takes a comma-separated list of IPs or CIDRs and is rendered into nginx allow/deny rules. The match is made against the client address the controller sees. Behind a cloud load balancer, or a NodePort Service with externalTrafficPolicy: Cluster, that is the load balancer's or node's address rather than the user's, so the whitelist then blocks everyone (or, if the load balancer address is listed, nobody). Preserve the real client address first (externalTrafficPolicy: Local, PROXY protocol via use-proxy-protocol, or use-forwarded-headers with the load balancer range in proxy-real-ip-cidr) before relying on this annotation.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: 117.50.34.153
  name: prometheus-ingress
  namespace: monitoring
spec:
  rules:
  - host: prometheus.huhuhahei.cn
    http:
      paths:
      - backend:
          serviceName: prometheus-k8s
          servicePort: 9090
        path: /
        pathType: Prefix
Test from an address that is not in the whitelist: the controller itself answers 403 and the request never reaches Prometheus.
curl -I prometheus.huhuhahei.cn
HTTP/1.1 403 Forbidden
Date: Fri, 04 Mar 2022 03:08:38 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive
Test from the whitelisted address: the response is a 405 rather than a 200 because curl -I sends a HEAD request and Prometheus only accepts GET and OPTIONS on that path (Allow: GET, OPTIONS, text/plain body). This reply comes from Prometheus, not from nginx, so the request passed the whitelist and reached the backend; repeat the test with a plain GET (curl without -I) to see the normal status.
curl -I prometheus.huhuhahei.cn
HTTP/1.1 405 Method Not Allowed
Date: Fri, 04 Mar 2022 03:10:19 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 19
Connection: keep-alive
Allow: GET, OPTIONS
X-Content-Type-Options: nosniff
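To make the real-client-address caveat concrete, here is an added example (written for this post, not code from ingress-nginx) that models how the whitelist decision is made: the annotation is parsed into networks and matched against the address the controller believes is the client, which is the TCP peer unless the peer is a trusted proxy and X-Forwarded-For is honoured. The annotation value, the load balancer range and the sample requests are constructed; the X-Forwarded-For handling assumes nginx realip semantics with real_ip_recursive on (rightmost hop that is not a trusted proxy).

```python
"""Added example, not from the original post: how whitelist-source-range is
evaluated, and why it is only as good as the client address the controller sees.

ingress-nginx renders the annotation into nginx allow/deny rules that are matched
against the connection's source address, or against the address recovered from
PROXY protocol / X-Forwarded-For when the controller is told to trust the proxy
in front of it. The annotation value, the trusted-proxy range and the sample
requests are constructed for this example."""
import ipaddress

# Value of nginx.ingress.kubernetes.io/whitelist-source-range (constructed).
ANNOTATION = "117.50.34.153,10.0.0.0/8"


def parse_ranges(value):
    """Split the comma-separated annotation into networks; a bare address becomes a /32."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(",") if item.strip()]


def effective_client_ip(remote_addr, xff=None, trusted_proxies=()):
    """Address the allow/deny rules are matched against.

    Without trusted proxies (no use-forwarded-headers / PROXY protocol) this is
    simply the TCP peer address, i.e. the load balancer when one sits in front.
    When the peer is inside a trusted proxy CIDR, the rightmost X-Forwarded-For
    hop that is not itself a trusted proxy is used (assumed realip semantics)."""
    addr = ipaddress.ip_address(remote_addr)
    trusted = [ipaddress.ip_network(t, strict=False) for t in trusted_proxies]
    if not xff or not any(addr in net for net in trusted):
        return addr  # peer not trusted: the header may be forged, ignore it
    hops = [ipaddress.ip_address(h.strip()) for h in xff.split(",")]
    for hop in reversed(hops):
        if not any(hop in net for net in trusted):
            return hop
    return hops[0]


def is_allowed(client_ip, ranges):
    """nginx 'allow <range>; ... deny all;': any matching allow wins, otherwise deny."""
    return any(client_ip in net for net in ranges)


def decide(remote_addr, xff=None, trusted_proxies=(), ranges=ANNOTATION):
    """Return ("allow" | "deny", the address that was actually checked)."""
    ip = effective_client_ip(remote_addr, xff, trusted_proxies)
    verdict = "allow" if is_allowed(ip, parse_ranges(ranges)) else "deny"
    return verdict, str(ip)


if __name__ == "__main__":
    lb = "192.0.2.10"          # constructed: load balancer in front of the controller
    client = "117.50.34.153"   # the whitelisted address from the annotation
    print("direct from client:        ", decide(client))
    print("via LB, header not trusted:", decide(lb, xff=client))
    print("via LB, LB range trusted:  ", decide(lb, xff=client, trusted_proxies=("192.0.2.0/24",)))
    print("forged XFF from outside:   ", decide("8.8.8.8", xff=client, trusted_proxies=("192.0.2.0/24",)))
    print("LB itself whitelisted:     ", decide(lb, xff="8.8.8.8", ranges=lb))
```

The second and last cases are the two failure modes: with the load balancer's address as the peer and no trusted-proxy configuration the whitelisted user is denied, and if someone "fixes" that by whitelisting the load balancer address, every request on earth is allowed. The forged-header case shows why the trusted range must be narrow: a client connecting directly cannot promote itself by sending X-Forwarded-For.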
3. Configure login (HTTP basic auth)
First create the password file. The file must be named auth, because the controller reads the htpasswd content from the key named auth in the Secret (the default auth-secret-type, auth-file):
htpasswd -c auth admin
New password:
Re-type new password:
Adding password for user admin
Create the Secret in the same namespace as the Ingress (logs):
kubectl create secret generic kibana-auth --from-file=auth -n logs
secret/kibana-auth created
Configure the Ingress:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-realm: Need to login
    nginx.ingress.kubernetes.io/auth-secret: kibana-auth
    nginx.ingress.kubernetes.io/auth-type: basic
  name: kibana-ingress
  namespace: logs
spec:
  rules:
  - host: kibana.huhuhahei.cn
    http:
      paths:
      - backend:
          serviceName: kibana
          servicePort: 5601
        path: /
Login test: the host now answers 401 with a WWW-Authenticate: Basic header (realm "Need to login") until valid credentials are sent, and a browser prompts for them. Basic auth only base64-encodes the credentials, so this must be combined with the HTTPS redirect from section 7.
4. Configure a domain redirect
nginx.ingress.kubernetes.io/permanent-redirect makes the controller answer every request for the host with a 301 to the given URL, so the backend listed below is never reached (a backend is still required by the Ingress schema). The status code can be changed with nginx.ingress.kubernetes.io/permanent-redirect-code.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/permanent-redirect: https://www.huhuhahei.cn
  name: test-ingress
  namespace: logs
spec:
  rules:
  - host: web.huhuhahei.cn
    http:
      paths:
      - backend:
          serviceName: kibana
          servicePort: 5601
        path: /
Test:
curl -I web.huhuhahei.cn
HTTP/1.1 301 Moved Permanently
Date: Fri, 04 Mar 2022 03:30:07 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://www.huhuhahei.cn
5. Configure CORS
The CORS annotations are only rendered when nginx.ingress.kubernetes.io/enable-cors is "true"; without it the cors-* keys do nothing. There is no nginx.ingress.kubernetes.io/Access-Control-Allow-Origin annotation (the controller silently ignores keys it does not know); the origin is set with cors-allow-origin. Allowing every origin ('*') lets scripts on any site read responses from this host, which is a poor fit for an API that accepts an Authorization header, so for anything behind login set cors-allow-origin to the origin that actually needs access instead of '*'.
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization
nginx.ingress.kubernetes.io/cors-allow-methods: PUT, GET, POST, OPTIONS
nginx.ingress.kubernetes.io/cors-allow-origin: '*'
6. Configure rate limiting
ingress-nginx exposes the nginx limit_conn / limit_req / limit_rate settings through the annotations below. All of them are keyed on the client address, so the same real-client-address caveat as for the whitelist in section 2 applies: behind a load balancer that hides the source address, one shared limit ends up applying to all users together.
nginx.ingress.kubernetes.io/limit-connections: number of concurrent connections allowed from a single IP address. Exceeding it returns 503.
nginx.ingress.kubernetes.io/limit-rps: number of requests per second accepted from a given IP. The burst limit is this value multiplied by the burst multiplier (default 5). When a client exceeds it, limit-req-status-code (default 503) is returned.
nginx.ingress.kubernetes.io/limit-rpm: number of requests per minute accepted from a given IP. The burst limit is this value multiplied by the burst multiplier (default 5). When a client exceeds it, limit-req-status-code (default 503) is returned.
nginx.ingress.kubernetes.io/limit-burst-multiplier: multiplier used to derive the burst size from the rate limit. The default multiplier is 5; this annotation overrides it. When a client exceeds the burst, limit-req-status-code (default 503) is returned.
nginx.ingress.kubernetes.io/limit-rate-after: initial number of kilobytes after which further transmission of a response to a given connection is rate limited. Requires proxy buffering to be enabled.
nginx.ingress.kubernetes.io/limit-rate: number of kilobytes per second allowed to be sent to a given connection. A value of zero disables the limit. Requires proxy buffering to be enabled.
nginx.ingress.kubernetes.io/limit-whitelist: client IP source ranges excluded from rate limiting. The value is a comma-separated list of CIDRs.
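What "burst = limit multiplied by the burst multiplier" means in practice is easier to see by running it. The following is an added example, written for this post rather than taken from ingress-nginx: a leaky-bucket model of the limit_req zone the limit-rps, limit-burst-multiplier, limit-req-status-code and limit-whitelist annotations produce (burst = rps × multiplier, nodelay, i.e. excess requests are refused rather than queued). The arithmetic is a simplification of nginx's, and the client addresses and timings are constructed.

```python
"""Added example, not from the original post: a model of what limit-rps,
limit-burst-multiplier and limit-whitelist let through.

ingress-nginx turns these annotations into an nginx limit_req zone keyed by the
client address with burst = limit-rps * limit-burst-multiplier and nodelay, so a
client may fire the whole burst at once; the excess is then refused with
limit-req-status-code (503 by default) until the bucket has drained at
limit-rps per second. Simplified leaky-bucket arithmetic, constructed inputs."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class LimitReq:
    rps: float                     # nginx.ingress.kubernetes.io/limit-rps
    burst_multiplier: int = 5      # nginx.ingress.kubernetes.io/limit-burst-multiplier
    status_code: int = 503         # nginx.ingress.kubernetes.io/limit-req-status-code
    whitelist: tuple = ()          # nginx.ingress.kubernetes.io/limit-whitelist (CIDRs)
    _level: dict = field(default_factory=dict)   # bucket fill per client address
    _last: dict = field(default_factory=dict)    # last request time per client address

    @property
    def burst(self):
        """Requests a client may have 'in flight' above the steady rate."""
        return self.rps * self.burst_multiplier

    def request(self, client_ip, now):
        """Status the client gets for one request at time `now` (seconds):
        200 when forwarded to the backend, otherwise status_code."""
        addr = ipaddress.ip_address(client_ip)
        if any(addr in ipaddress.ip_network(c, strict=False) for c in self.whitelist):
            return 200  # whitelisted ranges bypass the zone entirely
        level = self._level.get(client_ip, 0.0)
        last = self._last.get(client_ip, now)
        level = max(0.0, level - (now - last) * self.rps)  # bucket leaks at rps
        self._last[client_ip] = now
        if level >= self.burst:  # bucket full: reject immediately (nodelay), no queueing
            self._level[client_ip] = level
            return self.status_code
        self._level[client_ip] = level + 1
        return 200


def simulate(rps=5, multiplier=5, n=30):
    """One client fires n requests at t=0, then one more a second later.
    Returns (requests accepted in the burst, status of the later request)."""
    lim = LimitReq(rps=rps, burst_multiplier=multiplier)
    ip = "203.0.113.7"  # constructed client address
    results = [lim.request(ip, 0.0) for _ in range(n)]
    later = lim.request(ip, 1.0)
    return results.count(200), later


if __name__ == "__main__":
    accepted, later = simulate()
    print(f"limit-rps=5, multiplier=5: {accepted} of 30 instantaneous requests accepted, "
          f"request one second later -> {later}")
    wl = LimitReq(rps=1, whitelist=("10.0.0.0/8",))
    print("whitelisted 10.1.2.3, 50 requests at once:",
          sum(wl.request("10.1.2.3", 0.0) == 200 for _ in range(50)), "accepted")
```

With limit-rps: "5" and the default multiplier a single address can still push 25 requests through at once before it sees a 503, and every second of silence buys it 5 more. Lower the multiplier (or the rps) if the goal is to slow down credential guessing rather than to absorb page loads that fan out into many requests.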
7. Force redirect to HTTPS
annotations:
  nginx.ingress.kubernetes.io/rewrite-target: /
  nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
  nginx.ingress.kubernetes.io/ssl-redirect: "true"
  nginx.ingress.kubernetes.io/preserve-trailing-slash: "true"
ssl-redirect only takes effect when the Ingress has a spec.tls entry for the host (and it is already the controller's default in that case); force-ssl-redirect also redirects when no certificate is configured on the Ingress, for example when TLS terminates at a load balancer in front of the controller. Either way, the basic-auth setup from section 3 needs one of them, otherwise the Authorization header crosses the network base64-encoded but unencrypted. rewrite-target: / is unrelated to the redirect and rewrites every matched path to /, so leave it out unless that rewrite is actually wanted.
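The mistakes discussed in sections 2, 3, 5 and 7 all share one property: the Ingress is accepted by the API server and the controller keeps serving traffic, so nothing fails loudly. The following added example (written for this post, not part of ingress-nginx or the original text) is a small linter that takes a parsed Ingress object and reports those cases. Manifests are passed as Python dicts, the same structure yaml.safe_load would produce, so it runs without extra packages; the two sample manifests are constructed (the first reproduces the CORS fragment exactly as posted, plus ssl-redirect on a v1beta1 object and a deliberately malformed whitelist entry; the TLS secret name kibana-tls in the second is an assumption).

```python
"""Added example, not from the original post: a linter for annotation mistakes
that silently do nothing or weaken the setup:
  - apiVersion extensions/v1beta1 (removed in Kubernetes 1.22)
  - cors-* annotations without enable-cors: "true"
  - annotation keys that are not lowercase (ingress-nginx ignores unknown keys
    such as Access-Control-Allow-Origin; lowercase check is a heuristic)
  - cors-allow-origin "*" while Authorization is an allowed request header
  - auth-type basic without auth-secret
  - ssl-redirect without spec.tls and without force-ssl-redirect
  - whitelist-source-range entries that are not valid IPs/CIDRs"""
import ipaddress

PREFIX = "nginx.ingress.kubernetes.io/"


def lint_ingress(ing):
    """Return a list of human-readable findings for one Ingress object (dict)."""
    meta = ing.get("metadata", {}) or {}
    name = meta.get("name", "<unnamed>")
    ann = meta.get("annotations", {}) or {}
    nginx = {k[len(PREFIX):]: str(v) for k, v in ann.items() if k.startswith(PREFIX)}
    findings = []

    if ing.get("apiVersion") == "extensions/v1beta1":
        findings.append(f"{name}: apiVersion extensions/v1beta1 was removed in Kubernetes 1.22; use networking.k8s.io/v1")

    for key in nginx:
        if key != key.lower():
            findings.append(f"{name}: {PREFIX}{key} is not a known ingress-nginx annotation (keys are lowercase) and is ignored")

    if any(k.startswith("cors-") for k in nginx) and nginx.get("enable-cors", "").lower() != "true":
        findings.append(f'{name}: cors-* annotations have no effect without {PREFIX}enable-cors: "true"')

    headers = [h.strip().lower() for h in nginx.get("cors-allow-headers", "").split(",")]
    if nginx.get("cors-allow-origin", "").strip() == "*" and "authorization" in headers:
        findings.append(f"{name}: cors-allow-origin '*' together with Authorization as an allowed header; restrict the origin")

    if nginx.get("auth-type") == "basic" and not nginx.get("auth-secret"):
        findings.append(f"{name}: auth-type basic without auth-secret, so no credentials are configured")

    has_tls = bool((ing.get("spec", {}) or {}).get("tls"))
    if (nginx.get("ssl-redirect", "").lower() == "true" and not has_tls
            and nginx.get("force-ssl-redirect", "").lower() != "true"):
        findings.append(f"{name}: ssl-redirect only applies when spec.tls is set; use force-ssl-redirect when TLS terminates elsewhere")

    for item in nginx.get("whitelist-source-range", "").split(","):
        item = item.strip()
        if item:
            try:
                ipaddress.ip_network(item, strict=False)
            except ValueError:
                findings.append(f"{name}: whitelist-source-range entry {item!r} is not an IP or CIDR")
    return findings


# Constructed sample 1: the CORS annotations as posted in section 5, ssl-redirect
# from section 7, a malformed whitelist entry, on a v1beta1 Ingress without TLS.
AS_POSTED = {
    "apiVersion": "extensions/v1beta1",
    "kind": "Ingress",
    "metadata": {"name": "kibana-ingress", "namespace": "logs", "annotations": {
        PREFIX + "Access-Control-Allow-Origin": "*",
        PREFIX + "cors-allow-headers": "DNT,X-CustomHeader,Keep-Alive,User-Agent,"
                                       "X-Requested-With,If-Modified-Since,Cache-Control,"
                                       "Content-Type,Authorization",
        PREFIX + "cors-allow-methods": "PUT, GET, POST, OPTIONS",
        PREFIX + "cors-allow-origin": "*",
        PREFIX + "ssl-redirect": "true",
        PREFIX + "whitelist-source-range": "117.50.34.153,10.0.0/8",
    }},
    "spec": {"rules": [{"host": "kibana.huhuhahei.cn"}]},
}

# Constructed sample 2: the same Ingress with the corrections from this post applied
# (kibana-tls is an assumed TLS secret name).
FIXED = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {"name": "kibana-ingress", "namespace": "logs", "annotations": {
        PREFIX + "enable-cors": "true",
        PREFIX + "cors-allow-origin": "https://www.huhuhahei.cn",
        PREFIX + "cors-allow-headers": "Content-Type,Authorization",
        PREFIX + "cors-allow-methods": "PUT, GET, POST, OPTIONS",
        PREFIX + "auth-type": "basic",
        PREFIX + "auth-secret": "kibana-auth",
        PREFIX + "force-ssl-redirect": "true",
        PREFIX + "whitelist-source-range": "117.50.34.153,10.0.0.0/8",
    }},
    "spec": {
        "tls": [{"hosts": ["kibana.huhuhahei.cn"], "secretName": "kibana-tls"}],
        "rules": [{"host": "kibana.huhuhahei.cn"}],
    },
}

if __name__ == "__main__":
    for label, manifest in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(f"== {label}: {len(lint_ingress(manifest))} finding(s)")
        for line in lint_ingress(manifest):
            print("  -", line)
```

To run it against a live cluster, feed it the output of kubectl get ingress -A -o json (each item in the returned list is one Ingress dict). The checks are deliberately conservative: they only flag combinations that the sections above show to be ineffective or unsafe, and every message names the annotation to change.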