The previous article covered the ingress vhost annotation. While the topic is fresh, this one goes through 9 more commonly used annotations in one go.
1. Ingress class
When several ingress controllers are deployed in one k8s cluster and you want an Ingress to be handled by one particular controller, the ingress class is what makes that possible.
First, the controller has to be started with a flag that sets its ingress class:
```
--ingress-class=ngx-ds
```
Second, when creating the Ingress, set the ingress class through an annotation, as shown below:
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: other-ngx-k8s
  namespace: other-ngx
  annotations:
    kubernetes.io/ingress.class: "ngx-ds"
spec:
  rules:
  - host: other-ngx-k8s.demo.com.cn
    http:
      paths:
      - path: /
        backend:
          serviceName: other-ngx-k8s-ngx-svc
          servicePort: 9001
```
2. Force HTTPS
```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/preserve-trailing-slash: "true"
spec:
  rules:
  - http:
      paths:
      - path: /testpath
        backend:
          serviceName: test
          servicePort: 80
```
3. Request timeouts
```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress-with-annotations
  annotations:
    # nginx.org/ annotations are the ones read by the NGINX Inc. controller (nginxinc/kubernetes-ingress)
    nginx.org/proxy-connect-timeout: "30s"
    nginx.org/proxy-read-timeout: "20s"
spec:
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /tea
        backend:
          serviceName: tea-svc
          servicePort: 80
      - path: /coffee
        backend:
          serviceName: coffee-svc
          servicePort: 80
```
4. Cross-origin access (CORS)
We often use nginx as an API gateway, so cross-origin support is essential. This is done through:
```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
    nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For, X-app123-XPTO"
    nginx.ingress.kubernetes.io/cors-expose-headers: "*, X-CustomResponseHeader"
    # annotation values must be strings, so the number is quoted
    nginx.ingress.kubernetes.io/cors-max-age: "600"
    nginx.ingress.kubernetes.io/cors-allow-credentials: "false"
spec:
  rules:
  - http:
      paths:
      - path: /testpath
        backend:
          serviceName: test
          servicePort: 80
```
5. Rate limiting
Rate limiting is also used often: rps limits the number of requests per second, rpm limits the number of requests per minute, and connections limits the number of connections.
```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    nginx.ingress.kubernetes.io/limit-rps: "5"
    nginx.ingress.kubernetes.io/limit-rpm: "300"
    nginx.ingress.kubernetes.io/limit-connections: "10"
spec:
  rules:
  - http:
      paths:
      - path: /testpath
        backend:
          serviceName: test
          servicePort: 80
```
6. Maximum body size
This is mainly aimed at external requests, to keep them from saturating traffic. proxy-body-size sets the maximum request body; a request that exceeds it gets a 413 error.
```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: 8m
spec:
  rules:
  - http:
      paths:
      - path: /testpath
        backend:
          serviceName: test
          servicePort: 80
```
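7. Client whitelist
This is mainly a security restriction that only allows requests from specific clients. However, because NAT is so widely used in networks today, the scenarios where this parameter is useful are fairly limited.
```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    # ingress-nginx reads annotations under its default prefix nginx.ingress.kubernetes.io/;
    # the bare ingress.kubernetes.io/ prefix is ignored unless --annotations-prefix is changed
    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/24,172.10.0.1"
spec:
  rules:
  - http:
      paths:
      - path: /testpath
        backend:
          serviceName: test
          servicePort: 80
```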
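The following is an added example, not code from the original article or from the ingress-nginx project. It evaluates constructed source addresses against the whitelist value used above and reviews the entries themselves. The function names and the review policy in `audit` are assumptions made for illustration.

```python
import ipaddress

# Value of the whitelist-source-range annotation shown above.
WHITELIST = "10.0.0.0/24,172.10.0.1"

def parse_whitelist(value):
    """Split the comma-separated value into networks; a bare IP becomes a /32 (or /128)."""
    return [ipaddress.ip_network(item.strip())
            for item in value.split(",") if item.strip()]

def is_allowed(source_ip, value):
    """True if the source address seen by the controller falls inside a listed range.

    This is the address after any NAT or proxy hop, so every client behind an
    allowed NAT gateway passes, and one client's own address may never be seen.
    """
    addr = ipaddress.ip_address(source_ip)
    return any(addr.version == net.version and addr in net
               for net in parse_whitelist(value))

def audit(value):
    """Review findings for a whitelist value (hypothetical policy, for illustration)."""
    findings = []
    for net in parse_whitelist(value):
        if net.prefixlen == 0:
            findings.append(f"{net}: matches every client")
        elif not net.is_private:
            # 172.16.0.0/12 is the RFC 1918 block; 172.10.0.1 lies outside it.
            findings.append(f"{net}: not a private range, confirm it is an address you control")
    return findings

if __name__ == "__main__":
    # Constructed source addresses, as the controller would see them.
    for ip in ["10.0.0.17", "10.0.1.17", "172.10.0.1", "172.10.0.2"]:
        print(ip, "allowed" if is_allowed(ip, WHITELIST) else "denied (403)")
    for finding in audit(WHITELIST):
        print("review:", finding)
```
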
8. Default service
This one is used often: when a client requests a path that does not exist, we do not want to return 404 but instead send the request to a default service.
```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    nginx.ingress.kubernetes.io/default-backend: <svc name>
spec:
  rules:
  - http:
      paths:
      - path: /testpath
        backend:
          serviceName: test
          servicePort: 80
```
9. Access log switch
nginx ingress enables the access log by default. If you want to turn it off, you can do so by setting:
```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    nginx.ingress.kubernetes.io/enable-access-log: "false"
spec:
  rules:
  - http:
      paths:
      - path: /testpath
        backend:
          serviceName: test
          servicePort: 80
```