K8S nginx-ingress配置集锦-摩杜云开发者社区

1.设置IP白名单

#设置只能通过192.168.0.0/24和127.0.0.1网段才能访问，否则报403

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rabbitmq
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: 192.168.0.0/24,127.0.0.1
spec:
  rules:
  - host: rabbitmq.abc.com
    http: &http_rules
      paths:
      - backend:
          service:
            name: rabbitmq
            port:
              number: 15672
        path: /
        pathType: ImplementationSpecific

2.http认证

#某些情况下，需要打开HTTP认证用于某些系统的开放

A.生成密码文件,文件名称必须是auth

yum -y install httpd-tools

htpasswd -c auth user

#然后输入2次密码，即可创建一个auth的密码文件

B.创建K8S secret,创建一个webauth的密码配置，--from-file必须为auth，否则访问直接报503

kubectl create secret generic webauth --from-file=auth

C.ingress配置文件

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: php74-qilinadm-auth
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: webauth   #密码配置的名称
    nginx.ingress.kubernetes.io/auth-realm: 'Trust Login'
spec:
  rules:
  - host: admin.abc.com
    http: &http_rules
      paths:
      - backend:
          service:
            name: admin-service
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific

3.流量复制

有时候需要将我们的服务，引流到测试环境进行测试，这个时候就需要使用nginx的流量复制功能

我的需求是，将www.abc.com/api/的流量，复制到192.168.0.2的负载均衡上，另外主机名与原主机一致

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-mirror
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/mirror-host: "www.abc.com"
    nginx.ingress.kubernetes.io/mirror-target: http://192.168.0.2$request_uri
spec:
  rules:
  - host: www.abc.com
    http: &http_rules
      paths:
      - backend:
          service:
            name: web-service
            port:
              number: 80
        path: /api/
        pathType: ImplementationSpecific

4.转发

由于微信限制一个域名问题，需要我们将原先www.abc.com/api/weixin/转发到api.abc.com/api/weixin/

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: www-api-weixin
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/upstream-vhost: "api.abc.com"
spec:
  rules:
  - host: www.abc.com
    http: &http_rules
      paths:
      - backend:
          service:
            name: api-service
            port:
              number: 80
        path: /api/weixin/
        pathType: ImplementationSpecific

5.直接返回字符串，比如我们使用微信的txt文件验证时，就可以使用

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: face-geturl
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
        #default_type application/json;  #返回类型
        return 200 'helloworld';  #直接返回字符
spec:
  rules:
  - host: www.abc.com
    http: &http_rules
      paths:
      - backend:
          service:
            name: web-service
            port:
              number: 80
        path: /21321312sa1231.txt
        pathType: ImplementationSpecific