在ACK Serverless叢集中,ALB Ingress對叢集服務(Service)中外部可訪問的API對象進行管理,提供七層負載平衡能力。本文介紹如何使用ALB Ingress將來自不同網域名稱或URL路徑的請求轉寄給不同的後端伺服器組、將HTTP訪問重新導向至HTTPS及實現灰階發布等功能。
索引
前提條件
已建立一個ACK Serverless叢集,叢集的VPC需要配置NAT Gateway,從而可以訪問外網,下載容器鏡像。具體操作,請參見Container Service Serverless 版使用快速入門。
- 已通過Kubectl工具串連叢集。具體操作,請參見通過kubectl串連Kubernetes叢集。
已建立AlbConfig,具體操作,請參見建立AlbConfig。
基於網域名稱轉寄請求
通過建立一個簡單的Ingress,根據指定的正常網域名稱或空網域名稱轉寄請求,樣本如下。
基於正常網域名稱轉寄請求
部署以下模板,分別建立Service、Deployment和Ingress,將訪問請求通過Ingress的網域名稱轉寄至Service。
1.19及之後版本叢集
apiVersion: v1 kind: Service metadata: name: demo-service namespace: default spec: ports: - name: port1 port: 80 protocol: TCP targetPort: 8080 selector: app: demo sessionAffinity: None type: NodePort --- apiVersion: apps/v1 kind: Deployment metadata: name: demo namespace: default spec: replicas: 1 selector: matchLabels: app: demo template: metadata: labels: app: demo spec: containers: - image: registry.cn-hangzhou.aliyuncs.com/alb-sample/cafe:v1 imagePullPolicy: IfNotPresent name: demo ports: - containerPort: 8080 protocol: TCP --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: demo namespace: default spec: ingressClassName: alb rules: - host: demo.domain.ingress.top http: paths: - backend: service: name: demo-service port: number: 80 path: /hello pathType: ImplementationSpecific
1.19版本之前叢集
apiVersion: v1 kind: Service metadata: name: demo-service namespace: default spec: ports: - name: port1 port: 80 protocol: TCP targetPort: 8080 selector: app: demo sessionAffinity: None type: NodePort --- apiVersion: apps/v1 kind: Deployment metadata: name: demo namespace: default spec: replicas: 1 selector: matchLabels: app: demo template: metadata: labels: app: demo spec: containers: - image: registry.cn-hangzhou.aliyuncs.com/alb-sample/cafe:v1 imagePullPolicy: IfNotPresent name: demo ports: - containerPort: 8080 protocol: TCP --- apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: demo namespace: default spec: ingressClassName: alb rules: - host: demo.domain.ingress.top http: paths: - backend: serviceName: demo-service servicePort: 80 path: /hello pathType: ImplementationSpecific
執行以下命令,通過指定的正常網域名稱訪問服務。
替換ADDRESS為ALB執行個體對應的網域名稱地址,可通過
kubectl get ing
擷取。curl -H "host: demo.domain.ingress.top" <ADDRESS>/hello
預期輸出:
{"hello":"coffee"}
基於空網域名稱轉寄請求
部署以下模板,建立Ingress。
1.19及之後版本叢集
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: demo namespace: default spec: ingressClassName: alb rules: - host: "" http: paths: - backend: service: name: demo-service port: number: 80 path: /hello
1.19版本之前叢集
apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: demo namespace: default spec: ingressClassName: alb rules: - host: "" http: paths: - backend: serviceName: demo-service servicePort: 80 path: /hello pathType: ImplementationSpecific
執行以下命令,通過空網域名稱訪問服務。
替換ADDRESS為ALB執行個體對應的網域名稱地址,可通過
kubectl get ing
擷取。curl <ADDRESS>/hello
預期輸出:
{"hello":"coffee"}
基於URL路徑轉寄請求
ALB Ingress支援按照URL轉寄請求,可以通過pathType
欄位設定不同的URL匹配策略。pathType
支援Exact、ImplementationSpecific和Prefix三種匹配方式。
URL匹配策略可能存在衝突的情況,此時將會按照轉寄規則優先順序進行排序,然後再轉寄請求,詳情請參見配置轉寄規則優先順序。
匹配方式 | 規則路徑 | 請求路徑 | 路徑和請求路徑是否匹配 |
Prefix | / | (所有路徑) | 是 |
Prefix | /foo |
| 是 |
Prefix | /foo/ |
| 是 |
Prefix | /aaa/bb | /aaa/bbb | 否 |
Prefix | /aaa/bbb | /aaa/bbb | 是 |
Prefix | /aaa/bbb/ | /aaa/bbb | 是,請求路徑忽略規則路徑的尾部斜線 |
Prefix | /aaa/bbb | /aaa/bbb/ | 是,規則路徑匹配請求路徑的尾部斜線 |
Prefix | /aaa/bbb | /aaa/bbb/ccc | 是,規則路徑匹配請求路徑的子路徑 |
Prefix | 同時設定兩個規則路徑:
| /aaa/ccc | 是,請求路徑匹配規則路徑的 |
Prefix | 同時設定兩個規則路徑:
| /aaa/ccc | 是,請求路徑匹配規則路徑的 |
Prefix | 同時設定兩個規則路徑:
| /ccc | 是,請求路徑匹配規則路徑的 |
Prefix | /aaa | /ccc | 否,未匹配首碼 |
Exact或ImplementationSpecific | /foo | /foo | 是 |
Exact或ImplementationSpecific | /foo | /bar | 否 |
Exact或ImplementationSpecific | /foo | /foo/ | 否 |
Exact或ImplementationSpecific | /foo/ | /foo | 否 |
三種匹配方式的樣本如下:
Exact
部署以下模板,建立Ingress。
1.19及之後版本叢集
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: demo-path namespace: default spec: ingressClassName: alb rules: - http: paths: - path: /hello backend: service: name: demo-service port: number: 80 pathType: Exact
1.19版本之前叢集
apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: demo-path namespace: default spec: ingressClassName: alb rules: - http: paths: - path: /hello backend: serviceName: demo-service servicePort: 80 pathType: Exact
執行以下命令,訪問服務。
替換ADDRESS為ALB執行個體對應的網域名稱地址,可通過
kubectl get ing
擷取。curl <ADDRESS>/hello
預期輸出:
{"hello":"coffee"}
(預設)ImplementationSpecific
在ALB Ingress中與Exact
做相同處理。
部署以下模板,建立Ingress。
執行以下命令,訪問服務。
替換ADDRESS為ALB執行個體對應的網域名稱地址,可通過
kubectl get ing
擷取。
1.19及之後版本叢集
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: demo-path
namespace: default
spec:
ingressClassName: alb
rules:
- http:
paths:
- path: /hello
backend:
service:
name: demo-service
port:
number: 80
pathType: ImplementationSpecific
1.19版本之前叢集
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: demo-path
namespace: default
spec:
ingressClassName: alb
rules:
- http:
paths:
- path: /hello
backend:
serviceName: demo-service
servicePort: 80
pathType: ImplementationSpecific
curl <ADDRESS>/hello
預期輸出:
{"hello":"coffee"}
Prefix
以/
分隔的URL路徑進行首碼匹配。匹配區分大小寫,並且對路徑中的元素逐個完成匹配。
部署以下模板,建立Ingress。
執行以下命令,訪問服務。
替換ADDRESS為ALB執行個體對應的網域名稱地址,可通過
kubectl get ing
擷取。
1.19及之後版本叢集
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: demo-path-prefix
namespace: default
spec:
ingressClassName: alb
rules:
- http:
paths:
- path: /
backend:
service:
name: demo-service
port:
number: 80
pathType: Prefix
1.19版本之前叢集
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: demo-path-prefix
namespace: default
spec:
ingressClassName: alb
rules:
- http:
paths:
- path: /
backend:
serviceName: demo-service
servicePort: 80
pathType: Prefix
curl <ADDRESS>/hello
預期輸出:
{"hello":"coffee"}
配置健全狀態檢查
ALB Ingress支援配置健全狀態檢查,可以通過設定以下註解來實現。
配置健全狀態檢查的YAML樣本如下所示:
1.19及之後版本叢集
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: cafe-ingress
annotations:
alb.ingress.kubernetes.io/healthcheck-enabled: "true"
alb.ingress.kubernetes.io/healthcheck-path: "/"
alb.ingress.kubernetes.io/healthcheck-protocol: "HTTP"
alb.ingress.kubernetes.io/healthcheck-method: "HEAD"
alb.ingress.kubernetes.io/healthcheck-httpcode: "http_2xx"
alb.ingress.kubernetes.io/healthcheck-timeout-seconds: "5"
alb.ingress.kubernetes.io/healthcheck-interval-seconds: "2"
alb.ingress.kubernetes.io/healthy-threshold-count: "3"
alb.ingress.kubernetes.io/unhealthy-threshold-count: "3"
spec:
ingressClassName: alb
rules:
- http:
paths:
# 配置Context Path
- path: /tea
backend:
service:
name: tea-svc
port:
number: 80
# 配置Context Path
- path: /coffee
backend:
service:
name: coffee-svc
port:
number: 80
1.19版本之前叢集
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: cafe-ingress
annotations:
alb.ingress.kubernetes.io/healthcheck-enabled: "true"
alb.ingress.kubernetes.io/healthcheck-path: "/"
alb.ingress.kubernetes.io/healthcheck-protocol: "HTTP"
alb.ingress.kubernetes.io/healthcheck-method: "HEAD"
alb.ingress.kubernetes.io/healthcheck-httpcode: "http_2xx"
alb.ingress.kubernetes.io/healthcheck-timeout-seconds: "5"
alb.ingress.kubernetes.io/healthcheck-interval-seconds: "2"
alb.ingress.kubernetes.io/healthy-threshold-count: "3"
alb.ingress.kubernetes.io/unhealthy-threshold-count: "3"
spec:
ingressClassName: alb
rules:
- http:
paths:
# 配置Context Path。
- path: /tea
backend:
serviceName: tea-svc
servicePort: 80
# 配置Context Path。
- path: /coffee
backend:
serviceName: coffee-svc
servicePort: 80
相關參數解釋如下表所示。
參數 | 說明 |
alb.ingress.kubernetes.io/healthcheck-enabled | (可選)表示是否開啟健全狀態檢查。預設開啟(true)。 |
alb.ingress.kubernetes.io/healthcheck-path | (可選)表示健全狀態檢查路徑。預設/。
|
alb.ingress.kubernetes.io/healthcheck-protocol | (可選)表示健全狀態檢查協議。
|
alb.ingress.kubernetes.io/healthcheck-method | (可選)選擇一種健全狀態檢查方法。
|
alb.ingress.kubernetes.io/healthcheck-httpcode | 設定健全狀態檢查正常的狀態代碼。 可以選擇http_2xx(預設)、http_3xx、http_4xx和http_5xx。 |
alb.ingress.kubernetes.io/healthcheck-timeout-seconds | 表示接收健全狀態檢查的響應需要等待的時間。如果後端ECS在指定的時間內沒有正確響應,則判定為健全狀態檢查失敗。取值範圍為[1, 300],單位為秒,預設值為5。 |
alb.ingress.kubernetes.io/healthcheck-interval-seconds | 健全狀態檢查的時間間隔。取值範圍1~50秒,預設為2秒。 |
alb.ingress.kubernetes.io/healthy-threshold-count | 表示健全狀態檢查連續成功所設定的次數後會將後端伺服器的健全狀態檢查狀態由失敗判定為成功。取值範圍2~10,預設為3次。 |
alb.ingress.kubernetes.io/unhealthy-threshold-count | 表示健全狀態檢查連續失敗所設定的次數後會將後端伺服器的健全狀態檢查狀態由成功判定為失敗。取值範圍2~10,預設為3次。 |
配置HTTP重新導向至HTTPS
ALB Ingress通過設定註解alb.ingress.kubernetes.io/ssl-redirect: "true"
,可以將HTTP請求重新導向到HTTPS 443連接埠。
ALB不支援直接在Ingress中建立新的監聽。為確保Ingress能夠正常工作,您需要先在Albconfig中建立所需的監聽連接埠和協議,然後在Ingress中將這些監聽與服務關聯起來。關於如何建立ALB監聽,請參見通過AlbConfig配置ALB監聽。
1.19版本之前叢集
apiVersion: v1
kind: Service
metadata:
name: demo-service-ssl
namespace: default
spec:
ports:
- name: port1
port: 80
protocol: TCP
targetPort: 8080
selector:
app: demo-ssl
sessionAffinity: None
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: demo-ssl
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: demo-ssl
template:
metadata:
labels:
app: demo-ssl
spec:
containers:
- image: registry.cn-hangzhou.aliyuncs.com/alb-sample/cafe:v1
imagePullPolicy: IfNotPresent
name: demo-ssl
ports:
- containerPort: 8080
protocol: TCP
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
alb.ingress.kubernetes.io/ssl-redirect: "true"
name: demo-ssl
namespace: default
spec:
ingressClassName: alb
tls:
- hosts:
- ssl.alb.ingress.top
rules:
- host: ssl.alb.ingress.top
http:
paths:
- backend:
serviceName: demo-service-ssl
servicePort: 80
path: /
pathType: Prefix
1.19及之後版本叢集
apiVersion: v1
kind: Service
metadata:
name: demo-service-ssl
namespace: default
spec:
ports:
- name: port1
port: 80
protocol: TCP
targetPort: 8080
selector:
app: demo-ssl
sessionAffinity: None
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: demo-ssl
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: demo-ssl
template:
metadata:
labels:
app: demo-ssl
spec:
containers:
- image: registry.cn-hangzhou.aliyuncs.com/alb-sample/cafe:v1
imagePullPolicy: IfNotPresent
name: demo-ssl
ports:
- containerPort: 8080
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
alb.ingress.kubernetes.io/ssl-redirect: "true"
name: demo-ssl
namespace: default
spec:
ingressClassName: alb
tls:
- hosts:
- ssl.alb.ingress.top
rules:
- host: ssl.alb.ingress.top
http:
paths:
- backend:
service:
name: demo-service-ssl
port:
number: 80
path: /
pathType: Prefix
支援後端HTTPS和gRPC協議
當前ALB後端協議支援HTTPS和gRPC協議,通過ALB Ingress只需要在註解中配置alb.ingress.kubernetes.io/backend-protocol: "grpc"
或alb.ingress.kubernetes.io/backend-protocol: "https"
即可。使用Ingress轉寄gRPC服務需要對應網域名稱擁有SSL認證,使用TLS協議進行通訊。配置gRPC協議的樣本如下:
後端協議不支援修改,如果您需要變更協議,請刪除重建Ingress。
1.19及之後版本叢集
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
alb.ingress.kubernetes.io/backend-protocol: "grpc"
name: lxd-grpc-ingress
spec:
ingressClassName: alb
tls:
- hosts:
- demo.alb.ingress.top
rules:
- host: demo.alb.ingress.top
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: grpc-demo-svc
port:
number: 9080
1.19版本之前叢集
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
alb.ingress.kubernetes.io/backend-protocol: "grpc"
name: lxd-grpc-ingress
spec:
ingressClassName: alb
tls:
- hosts:
- demo.alb.ingress.top
rules:
- host: demo.alb.ingress.top
http:
paths:
- backend:
serviceName: grpc-demo-svc
servicePort: 9080
path: /
pathType: Prefix
配置正則表達
自訂轉寄條件中配置,需要使用者自己在path
路徑上編寫Regex。配置樣本如下:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
alb.ingress.kubernetes.io/use-regex: "true" # 允許path欄位使用Regex。
alb.ingress.kubernetes.io/conditions.service-a: | # 該註解中的服務為叢集中已存在的服務,且服務名稱必須和rule欄位backend下的服務名稱保持一致。
[{
"type": "Path",
"pathConfig": {
"values": [
"~*^/pathvalue1", # Regex前需要添加~*作為正則標誌,~*後的內容為實際生效的Regex。
"/pathvalue2" # 精確匹配前無需添加~*。
]
}
}]
name: ingress-example
spec:
ingressClassName: alb
rules:
- http:
paths:
- path: /test
pathType: Prefix
backend:
service:
name: service-a
port:
number: 88
支援Rewrite重寫
當前ALB支援Rewrite重寫,通過ALB Ingress只需要在註解中配置alb.ingress.kubernetes.io/rewrite-target: /path/${2}
即可。規則如下:
在
rewrite-target
註解中,${number}
類型的變數需要在路徑為Prefix類型的path
上配置。path
預設無法配置正則符號,例如*
、?
等,您需要通過配置rewrite-target
註解使用正則符號。path
必須以/
開頭。
ALB的Rewrite重寫支援Regex替換,規則如下:
您可以在Ingress的
path
中寫入一個或多個Regex,支援寫入多個()
,但是rewrite-target
註解中重寫路徑最多可以配置${1}
、${2}
和${3}
變數中的一個或多個,最多可擷取三個變數。Rewrite重寫支援Regex匹配的結果作為參數自由組合,自由拼接出您想要的重寫規則。
Rewrite重寫通過Regex替換的邏輯是:用戶端的請求匹配到Regex,Regex中有多個
()
,且rewrite-target
註解含有${1}
、${2}
和${3}
變數中的一個或多個。
例如Ingress的path
配置為/sys/(.*)/(.*)/aaa
,rewrite-target
註解配置為/${1}/${2}
。當用戶端發送請求的路徑為/sys/ccc/bbb/aaa
時,path
會匹配到/sys/(.*)/(.*)/aaa
,rewrite-target
註解生效會把${1}
替換為ccc
,${2}
替換為bbb
,最終後端伺服器接收到的請求路徑為/ccc/bbb
。
1.19及之後版本叢集
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
alb.ingress.kubernetes.io/use-regex: "true" # 允許path欄位使用Regex。
alb.ingress.kubernetes.io/rewrite-target: /path/${2} # 該註解支援Regex替換。
name: rewrite-ingress
spec:
ingressClassName: alb
rules:
- host: demo.alb.ingress.top
http:
paths:
- path: /something(/|$)(.*)
pathType: Prefix
backend:
service:
name: rewrite-svc
port:
number: 9080
1.19版本之前叢集
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
alb.ingress.kubernetes.io/use-regex: "true" # 允許path欄位使用Regex。
alb.ingress.kubernetes.io/rewrite-target: /path/${2} # 該註解支援Regex替換。
name: rewrite-ingress
spec:
ingressClassName: alb
rules:
- host: demo.alb.ingress.top
http:
paths:
- backend:
serviceName: rewrite-svc
servicePort: 9080
path: /something(/|$)(.*)
pathType: Prefix
配置自訂監聽連接埠
當前支援Ingress配置自訂監聽連接埠。通過該方式,可以將服務同時暴露80連接埠和443連接埠,配置樣本如下:
ALB不支援直接在Ingress中建立新的監聽。為確保Ingress能夠正常工作,您需要先在Albconfig中建立所需的監聽連接埠和協議,然後在Ingress中將這些監聽與服務關聯起來。關於如何建立ALB監聽,請參見通過AlbConfig配置ALB監聽。
1.19及之後版本叢集
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: cafe-ingress
annotations:
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80},{"HTTPS": 443}]'
spec:
ingressClassName: alb
tls:
- hosts:
- demo.alb.ingress.top
rules:
- host: demo.alb.ingress.top
http:
paths:
- path: /tea
pathType: ImplementationSpecific
backend:
service:
name: tea-svc
port:
number: 80
1.19版本之前叢集
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80},{"HTTPS": 443}]'
name: cafe-ingress
spec:
ingressClassName: alb
tls:
- hosts:
- demo.alb.ingress.top
rules:
- host: demo.alb.ingress.top
http:
paths:
- backend:
serviceName: tea-svc
servicePort: 80
path: /tea-svc
pathType: ImplementationSpecific
配置轉寄規則優先順序
預設情況下,Ingress按照以下規則進行ALB轉寄規則優先順序排序:
不同Ingress按照
namespace/name
的字典順序優先順序進行排列,字典順序小的優先順序高。同一個Ingress按照
rule
欄位先後順序進行排序,配置在上面的優先順序高。
如果您不想修改Ingress的namespace/name
欄位,可以配置以下Ingress註解定義ALB轉寄規則優先順序:
同一個監聽內規則優先順序必須唯一。您可以使用alb.ingress.kubernetes.io/order
標識Ingress之間的優先順序順序,取值範圍為1~1000,值越小表示優先順序越高。Ingress預設標識為數字10,如果您想優先順序更高,您可以調小數字。
1.19及之後版本叢集
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: cafe-ingress
annotations:
alb.ingress.kubernetes.io/order: "2"
spec:
ingressClassName: alb
rules:
- host: demo.alb.ingress.top
http:
paths:
- path: /tea
pathType: ImplementationSpecific
backend:
service:
name: tea-svc
port:
number: 80
1.19版本之前叢集
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
alb.ingress.kubernetes.io/order: "2"
name: cafe-ingress
spec:
ingressClassName: alb
rules:
- host: demo.alb.ingress.top
http:
paths:
- backend:
serviceName: tea-svc
servicePort: 80
path: /tea-svc
pathType: ImplementationSpecific
通過註解實現灰階發布
ALB提供複雜路由處理能力,支援基於Header、Cookie以及權重的灰階發布功能。灰階發布功能可以通過設定註解來實現,為了啟用灰階發布功能,需要設定註解alb.ingress.kubernetes.io/canary: "true"
,通過不同註解可以實現不同的灰階發布功能:
灰階優先順序順序:基於Header>基於Cookie>基於權重(從高到低)。
灰階過程中不能刪除原有的規則,否則會導致服務異常。待灰階驗證無誤後,將原有Ingress中的後端服務Service更新為新的Service,最後將灰階的Ingress刪除。
alb.ingress.kubernetes.io/canary-by-header
和alb.ingress.kubernetes.io/canary-by-header-value
:匹配的Request Header的值,該規則允許您自訂Request Header的值,但必須與alb.ingress.kubernetes.io/canary-by-header
一起使用。當請求中的
header
和header-value
與設定的值匹配時,請求流量會被分配到灰階服務入口。對於其他
header
值,將會忽略header
,並通過灰階優先順序將請求流量分配到其他規則設定的灰階服務。
當請求Header為
location: hz
時將訪問灰階服務;其他Header將根據灰階權重將流量分配給灰階服務。配置樣本如下:1.19及之後版本叢集
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: alb.ingress.kubernetes.io/order: "1" alb.ingress.kubernetes.io/canary: "true" alb.ingress.kubernetes.io/canary-by-header: "location" alb.ingress.kubernetes.io/canary-by-header-value: "hz" name: demo-canary namespace: default spec: ingressClassName: alb rules: - http: paths: - backend: service: name: demo-service-hello port: number: 80 path: /hello pathType: ImplementationSpecific
1.19版本之前叢集
apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: annotations: alb.ingress.kubernetes.io/order: "1" alb.ingress.kubernetes.io/canary: "true" alb.ingress.kubernetes.io/canary-by-header: "location" alb.ingress.kubernetes.io/canary-by-header-value: "hz" name: demo-canary namespace: default spec: ingressClassName: alb rules: - http: paths: - backend: serviceName:demo-service-hello servicePort: 80 path: /hello pathType: ImplementationSpecific
alb.ingress.kubernetes.io/canary-by-cookie
:基於Cookie的流量切分。當配置的
cookie
值為always
時,請求流量將被分配到灰階服務入口。當配置的
cookie
值為never
時,請求流量將不會分配到灰階服務入口。
說明基於Cookie的灰階不支援設定自訂,只有
always
和never
。請求的Cookie為
demo=always
時將訪問灰階服務。配置樣本如下:1.19及之後版本叢集
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: alb.ingress.kubernetes.io/order: "2" alb.ingress.kubernetes.io/canary: "true" alb.ingress.kubernetes.io/canary-by-cookie: "demo" name: demo-canary-cookie namespace: default spec: ingressClassName: alb rules: - http: paths: - backend: service: name: demo-service-hello port: number: 80 path: /hello pathType: ImplementationSpecific
1.19版本之前叢集
apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: annotations: alb.ingress.kubernetes.io/order: "2" alb.ingress.kubernetes.io/canary: "true" alb.ingress.kubernetes.io/canary-by-cookie: "demo" name: demo-canary-cookie namespace: default spec: ingressClassName: alb rules: - http: paths: - backend: serviceName:demo-service-hello servicePort: 80 path: /hello pathType: ImplementationSpecific
alb.ingress.kubernetes.io/canary-weight
:佈建要求到指定服務的百分比(值為0~100的整數)。配置灰階服務的權重為50%,樣本如下:
1.19及之後版本叢集
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: alb.ingress.kubernetes.io/order: "3" alb.ingress.kubernetes.io/canary: "true" alb.ingress.kubernetes.io/canary-weight: "50" name: demo-canary-weight namespace: default spec: ingressClassName: alb rules: - http: paths: - backend: service: name: demo-service-hello port: number: 80 path: /hello pathType: ImplementationSpecific
1.19版本之前叢集
apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: annotations: alb.ingress.kubernetes.io/order: "3" alb.ingress.kubernetes.io/canary: "true" alb.ingress.kubernetes.io/canary-weight: "50" name: demo-canary-weight namespace: default spec: ingressClassName: alb rules: - http: paths: - backend: serviceName: demo-service-hello servicePort: 80 path: /hello pathType: ImplementationSpecific
通過註解實現會話保持
ALB Ingress支援通過註解實現會話保持:
alb.ingress.kubernetes.io/sticky-session
:是否啟用會話保持。取值:true
或false
;預設值:false
。alb.ingress.kubernetes.io/sticky-session-type
:Cookie的處理方式。取值:Insert
或Server
;預設值:Insert
。Insert
:植入Cookie。用戶端第一次訪問時,負載平衡會在返回請求中植入Cookie(即在HTTP或HTTPS響應報文中插入SERVERID),下次用戶端攜帶此Cookie訪問時,負載平衡服務會將請求定向轉寄給之前記錄到的後端伺服器。Server
:重寫Cookie。負載平衡發現使用者自訂了Cookie,將會對原來的Cookie進行重寫,下次用戶端攜帶新的Cookie訪問時,負載平衡服務會將請求定向轉寄給之前記錄到的後端伺服器。
說明當前伺服器組
StickySessionEnabled
為true
時,該參數生效。alb.ingress.kubernetes.io/cookie-timeout
:Cookie逾時時間。單位:秒;取值:1~86400;預設值:1000
。
1.19及之後版本叢集
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: cafe-ingress-v3
annotations:
alb.ingress.kubernetes.io/sticky-session: "true"
alb.ingress.kubernetes.io/sticky-session-type: "Insert"
alb.ingress.kubernetes.io/cookie-timeout: "1800"
spec:
ingressClassName: alb
rules:
- http:
paths:
#配置Context Path。
- path: /tea2
backend:
service:
name: tea-svc
port:
number: 80
# 配置Context Path。
- path: /coffee2
backend:
service:
name: coffee-svc
port:
number: 80
1.19版本之前叢集
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: cafe-ingress-v3
annotations:
alb.ingress.kubernetes.io/sticky-session: "true"
alb.ingress.kubernetes.io/sticky-session-type: "Insert"
alb.ingress.kubernetes.io/cookie-timeout: "1800"
spec:
ingressClassName: alb
rules:
- http:
paths:
#配置Context Path。
- path: /tea2
backend:
serviceName: tea-svc
servicePort: 80
#配置Context Path。
- path: /coffee2
backend:
serviceName: coffee-svc
servicePort: 80
指定伺服器組負載平衡演算法
ALB Ingress支援通過設定Ingress註解alb.ingress.kubernetes.io/backend-scheduler
指定伺服器組負載平衡演算法。配置樣本如下:
1.19及之後版本叢集
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: cafe-ingress
annotations:
alb.ingress.kubernetes.io/backend-scheduler: "uch" # 此處的uch可按需配置為wrr、sch和wlc。
alb.ingress.kubernetes.io/backend-scheduler-uch-value: "test" # 僅負載平衡演算法為uch時,需要配置此參數。當調度演算法為wrr、sch或wlc均無需配置此參數。
name: cafe-ingress
spec:
ingressClassName: alb
rules:
- host: demo.alb.ingress.top
http:
paths:
- path: /tea
pathType: ImplementationSpecific
backend:
service:
name: tea-svc
port:
number: 80
1.19版本之前叢集
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
alb.ingress.kubernetes.io/backend-scheduler: "uch" # 此處的uch也可按需配置為wrr、sch和wlc。
alb.ingress.kubernetes.io/backend-scheduler-uch-value: "test" # 僅負載平衡演算法為uch時,需要配置此參數。當調度演算法為wrr、sch或wlc均無需配置此參數。
name: cafe-ingress
spec:
ingressClassName: alb
rules:
- host: demo.alb.ingress.top
http:
paths:
- backend:
serviceName: tea-svc
servicePort: 80
path: /tea-svc
pathType: ImplementationSpecific
調度演算法alb.ingress.kubernetes.io/backend-scheduler
取值說明:
wrr
:預設值,權重值越高的後端伺服器,被輪詢到的機率也越高。wlc
:根據每台後端伺服器設定的權重值和後端伺服器的實際負載(即串連數)進行輪詢。當權重值相同時,當前串連數越小的後端伺服器被輪詢到的機率越高。sch
:源IP一致性Hash。uch
:URL參數一致性Hash。ALB Ingress支援伺服器組負載平衡演算法為uch
時,通過註解alb.ingress.kubernetes.io/backend-scheduler-uch-value
指定URL參數進行一致性Hash。
跨網域設定
當前ALB Ingress支援跨網域設定樣本如下:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: alb-ingress
annotations:
alb.ingress.kubernetes.io/enable-cors: "true"
alb.ingress.kubernetes.io/cors-expose-headers: ""
alb.ingress.kubernetes.io/cors-allow-methods: "GET,POST"
alb.ingress.kubernetes.io/cors-allow-credentials: "true"
alb.ingress.kubernetes.io/cors-max-age: "600"
spec:
ingressClassName: alb
rules:
- host: demo.alb.ingress.top
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: cloud-nodeport
port:
number: 80
參數 | 說明 |
| 允許通過瀏覽器訪問伺服器資源的網站。網站之間使用半形逗號(,)分割。 單個value值必須以http://或者https://開頭後跟一個正確網域名稱,或者一級的泛網域名稱。 預設值: |
| 允許跨域方法,不區分大小寫。跨域方法之間使用半形逗號(,)分割。 預設值: |
| 允許跨域傳播的要求標頭,只能輸入字母、數字、底線(_)和短劃線(-)。要求標頭之間使用半形逗號(,)分割。 預設值: |
| 允許暴露的Header列表,允許輸入字母、數字、底線(_)、短劃線(-)和星號(*)。Header之間使用半形逗號(,)分割。 預設值: |
| 設定跨域訪問時是否允許攜帶憑證資訊。 預設值: |
| 對於非簡單請求,設定OPTIONS預檢請求在瀏覽器的最大緩衝時間(秒),取值範圍[-1,172800]。 預設值: |
後端長連結
傳統的負載平衡會採用短連結的方式訪問後端伺服器組,每一條請求都需要經歷TCP層面的建立串連和中斷連線,使網路連接成為這類高效能系統的瓶頸,通過負載平衡的後端長連結支援,極大的減少了處理串連層面的資源消耗,以此大幅度提高處理效能。當前在ALB Ingress中可以通過註解alb.ingress.kubernetes.io/backend-keepalive
開啟後端長連結。參考樣本如下:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: alb-ingress
annotations:
alb.ingress.kubernetes.io/backend-keepalive: "true"
spec:
ingressClassName: alb
rules:
- host: demo.alb.ingress.top
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: cloud-nodeport
port:
number: 80
支援QPS限速
ALB本身支援轉寄規則的QPS限速功能,限速值要求在1~100000之間。當前在ALB Ingress只需要設定alb.ingress.kubernetes.io/traffic-limit-qps
註解即可。參考樣本如下:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: cafe-ingress
annotations:
alb.ingress.kubernetes.io/traffic-limit-qps: "50"
spec:
ingressClassName: alb
rules:
- host: demo.alb.ingress.top
http:
paths:
- path: /tea
pathType: ImplementationSpecific
backend:
service:
name: tea-svc
port:
number: 80
- path: /coffee
pathType: ImplementationSpecific
backend:
service:
name: coffee-svc
port:
number: 80