Getting Started with Kubernetes Networking
2022-08-05 00:45:00 [NGINX open source community]
Original author: Brian Ehlert of F5
Original link: Kubernetes Networking Introduction - NGINX
Reposted from: the NGINX official website
NodePort, LoadBalancer, Ingress controller... the list of Kubernetes components is dizzying.
When we discuss production-grade Kubernetes deployments with customers and the community, one question comes up again and again: do I need an Ingress controller? It cannot simply be answered with "yes" or "no". First you need to understand the different ways traffic can be routed to pods. This post covers the basics of Kubernetes networking so that you can make an informed decision about whether, and when, you need an Ingress controller.
Kubernetes offers several methods, at several layers, for routing external traffic to pods, but they are far from equivalent. The default model is kube-proxy, which is not actually a proxy and was not designed to load balance traffic, control APIs, or monitor service behavior.
Fortunately, there are other ways to manage external traffic. Before discussing them, here is a quick review of the Kubernetes components involved:
- A Kubernetes deployment consists of nodes, which are either physical or virtual machines.
- Nodes connected together form a cluster.
- Each cluster manages pods. From the perspective of Kubernetes networking and infrastructure, a pod is the smallest deployable unit. One or more pods make up a service.
- Each pod contains one or more containers, depending on the size of the application.
Kubernetes monitors the pods that make up a service and scales them as needed to meet the application's demand. But how does traffic get routed to the pods? That is the job of two kinds of Kubernetes objects: services and Ingress controllers.
What Is a Kubernetes Service?
According to the Kubernetes documentation, a service is "an abstract way to expose an application running on a set of pods". A service connects to all the pods in a cluster or container set, which makes the pods reachable on any node. In other words, even if the pods move, or are destroyed and restarted, external traffic can still be routed to a specific pod. You can think of a service as a reverse proxy with only the most basic functions.
There are several types of service in Kubernetes, and the type of a service object determines how external traffic is routed into Kubernetes. The different service types are often confused, but they do different things, so it is worth reviewing the function, purpose and drawbacks of each.
ClusterIP
ClusterIP is the default service type. It provides a service inside the Kubernetes cluster that other services in the cluster can reach; a ClusterIP service is not reachable from outside the cluster. The only way to expose a ClusterIP service externally is through a model such as kube-proxy, and there are few scenarios where that makes sense. Those few include reaching a service from a laptop, debugging a service, or viewing monitoring data and metrics.
NodePort
A NodePort service opens a specific port on every node in the cluster, and any traffic sent to that port on any node is forwarded to the corresponding application. This is a very basic way to route traffic into an application, and in real traffic-management cases it has many limitations. For example, each NodePort maps to exactly one service, and only ports in the range 30000 to 32767 can be used. Although 2768 ports sounds like a lot, an enterprise running Kubernetes at scale can exhaust them quickly. In addition, NodePort uses Layer 4 routing rules and the Linux iptables utility, which limits Layer 7 application routing.
Beyond the routing restrictions, NodePort has three major drawbacks:
- Downstream clients must know the node's IP address to connect. If the node's IP address or the virtual machine host changes, the connection cannot be established.
- NodePort cannot forward traffic to more than one IP address.
- As the diagram below shows, NodePort provides no load balancing inside the Kubernetes cluster, so traffic is distributed to services at random. This can cause service overload and port exhaustion.
[Figure: Exposing Services with NodePort. A client sends a request to pine.color.com on port 30001 (DNS:port). (1) The client is programmed with the service IP address and the DNS name and port. (2) DNS can round-robin load balance traffic to the nodes. (3) Load balancing within Kubernetes is not possible, so traffic is distributed randomly, causing service overload and port exhaustion. The Kubernetes cluster has Node 1, Node 2 and Node 3, each exposing NodePort services Pine (port 30001), Lagoon (port 30002) and Deep Lake (port 30003), backed by Service: Pine, Service: Lagoon and Service: Deep Lake.]
LoadBalancer
A LoadBalancer service can accept external traffic, but it requires an external load balancer as the interface for that traffic. Provided the external load balancer is properly tuned and reconfigured to map to running pods, a LoadBalancer service supports Layer 7 routing (routing traffic to the IP addresses of pods). LoadBalancer is one of the most popular ways to expose a service externally. It is most widely used on cloud platforms and is a good choice for small, static deployments.
If you use a managed Kubernetes service, you automatically get the cloud provider's choice of load balancer. Every service you expose gets its own public IP address that forwards all traffic to it, but with no filtering or routing, which means you can send almost any type of traffic (HTTP, TCP/UDP, WebSocket, etc.).
If you do not want to use the cloud provider's tooling (for example, because you need more powerful functionality or a platform-independent tool), you can switch to tools such as F5 BIG-IP (as the external load balancer) and F5 Container Ingress Services (as the operator that performs the LoadBalancer function). For further discussion of this pattern, see our blog post "Deploying BIG-IP and NGINX Ingress Controller in the Same Architecture".
In a dynamic, changing environment, an application's pods must scale to meet changing demand, and exposing the application with LoadBalancer becomes challenging. Because every service has its own IP address, a popular application may need to manage hundreds or even thousands of IP addresses. In most cases the external load balancer connects to the services through NodePort (as shown below). Although this guarantees that traffic is spread evenly across nodes, it still cannot load balance across services, so service overload and port exhaustion still occur.
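The three service types discussed above, written out as manifests for one set of pods. This is an added example and not code from the original post or from NGINX; the app label "pine", the container port 8080 and the service names are assumptions, while the node port 30001 matches the post's diagram.

```yaml
# Added example: the same set of pods exposed three ways.
# Assumed: pods carry the label app=pine and listen on container port 8080.
apiVersion: v1
kind: Service
metadata:
  name: pine-clusterip
spec:
  type: ClusterIP            # default type: reachable only from inside the cluster
  selector:
    app: pine
  ports:
    - port: 80               # port on the service's cluster IP
      targetPort: 8080       # container port on the selected pods
---
apiVersion: v1
kind: Service
metadata:
  name: pine-nodeport
spec:
  type: NodePort             # opens nodePort on every node; L4 only, one service per node port
  selector:
    app: pine
  ports:
    - port: 80
      targetPort: 8080
      nodePort: 30001        # must fall in 30000-32767; the API server rejects other values
---
apiVersion: v1
kind: Service
metadata:
  name: pine-loadbalancer
spec:
  type: LoadBalancer         # the cloud provider allocates a separate external IP for each such service
  selector:
    app: pine
  ports:
    - port: 80
      targetPort: 8080
```

Apply the file with `kubectl apply -f` and compare `kubectl get svc`: only the LoadBalancer service shows an EXTERNAL-IP, and each additional LoadBalancer service consumes another public address, which is the IP sprawl described above. Note also that a LoadBalancer service still allocates a NodePort underneath it by default (the field `allocateLoadBalancerNodePorts` controls this), which is exactly the "external load balancer connected through NodePort" pattern in the next diagram; the random in-cluster distribution happens on that hop.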
[Figure: Exposing Services with a Load Balancer and NodePort. A client sends a request to pine.color.com on port 80, which reaches the load balancer on port 80. (1) The client is programmed with the service IP address and the load balancer port. (2) The load balancer guarantees that traffic is distributed across nodes. (3) Load balancing within Kubernetes is not possible, so traffic is distributed randomly, causing service overload and port exhaustion. The Kubernetes cluster has Node 1, Node 2 and Node 3, each exposing NodePort services Pine (port 30001), Lagoon (port 30002) and Deep Lake (port 30003), backed by Service: Pine, Service: Lagoon and Service: Deep Lake.]
What Is a Kubernetes Ingress Controller?
According to the Kubernetes documentation, "controllers are control loops that watch the state of your cluster, then make or request changes where needed. Each controller tries to move the current cluster state closer to the desired state." Controllers are used to manage state for many kinds of tasks in Kubernetes, including allocating resources correctly, designating persistent storage and managing cron jobs.
In the context of routing, an Ingress controller removes the limitations of NodePort and LoadBalancer.
An Ingress controller is used to configure and manage external interactions with the pods of a particular service. Ingress controllers treat dynamic Layer 7 routing as a first-class citizen, which means they offer more granular control and are easier to manage. With an Ingress controller you can easily control inbound traffic and deliver service-level performance, and it can form part of your security policy. Ingress controllers also share many characteristics of traditional external load balancers, such as TLS termination, handling multiple domains and namespaces and, of course, load balancing traffic. An Ingress controller can load balance traffic per request rather than per service, which gives you more efficient monitoring of Layer 7 traffic and better enforcement of SLAs.
Ingress controllers have one more advantage! They can also enforce egress rules that allow outbound traffic only from certain pods to specific external services, or ensure that traffic is mutually encrypted with mTLS. mTLS encryption is important for delivering regulated services in industries such as healthcare, finance, telecommunications and government, and it is a key component of an end-to-end encryption (E2EE) strategy. Controlling outbound traffic from the same tool also simplifies applying business logic to services. When inbound and outbound traffic can be controlled from the same unified control plane, setting the appropriate resource rules is much easier.
The diagram below shows how an Ingress controller reduces complexity for the client: the client no longer needs to know the service's IP address or port. Distribution of traffic across the different services is guaranteed. Some Ingress controllers support several load-balancing algorithms for greater flexibility and control.
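The host-based Layer 7 routing the diagram illustrates, as one Ingress object. This is an added example, not code from the original post or from NGINX; the hostnames follow the diagram, while the backend service names, their port 80, the ingress class name and the TLS secret name are assumptions.

```yaml
# Added example: one Ingress routes three hostnames to three ClusterIP services.
# Assumed: ClusterIP services named pine, lagoon and deeplake listening on port 80,
# an Ingress controller registered under the class name "nginx", and a TLS secret
# "color-tls" holding a certificate valid for all three hostnames.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: color-apps
spec:
  ingressClassName: nginx        # which Ingress controller should act on this object
  tls:
    - hosts:                     # TLS is terminated at the Ingress controller,
        - pine.color.com         # so the backends never need their own certificates
        - lagoon.color.com
        - deeplake.color.com
      secretName: color-tls
  rules:
    - host: pine.color.com       # Layer 7 decision: route by the Host header
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: pine
                port:
                  number: 80
    - host: lagoon.color.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: lagoon
                port:
                  number: 80
    - host: deeplake.color.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: deeplake
                port:
                  number: 80
```

The backends stay ClusterIP services, so nothing but the Ingress controller's own service needs an external IP or a node port; the client only needs DNS for the three hostnames. Because the controller watches the service endpoints, it balances across the pods behind each service per request, which is the distribution the NodePort and LoadBalancer diagrams could not guarantee. From a defensive standpoint this also narrows the externally reachable surface to a single entry point where TLS policy, rate limits and authentication can be enforced once for all three applications.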
[Figure: Exposing Services with an Ingress Controller. A client sends a request to pine.color.com on port 80, which reaches the load balancer on port 80 with hosts pine.color, lagoon.color and deeplake.color. (1) The client is programmed with the service IP address and the load balancer port. (2) The Ingress controller guarantees that traffic is distributed across nodes and services. The Kubernetes cluster has Node 1, Node 2 and Node 3, each running Service: Pine, Service: Lagoon and Service: Deep Lake.]
As discussed in "Deploying BIG-IP and NGINX Ingress Controller in the Same Architecture", many companies have use cases that benefit from deploying an external load balancer together with an Ingress controller (or, in most cases, multiple Ingress controller instances). This deployment is common when companies need to scale Kubernetes or operate in highly regulated environments. The two tools are typically managed by different teams and serve different purposes:
- Load balancer (or ADC):
- Owner: the NetOps (and possibly SecOps) team
- Use case: sits outside Kubernetes as the only public endpoint, serving users and applications outside the cluster. As a more general-purpose appliance, it aims to improve security and deliver higher-level network management.
- Ingress controller:
- Owner: the Platform Ops or DevOps team
- Use case: sits inside Kubernetes, providing fine-grained north-south traffic load balancing (HTTP2, HTTP/HTTPS, SSL/TLS termination, TCP/UDP, WebSocket, gRPC), API gateway functionality, and centralized security and authentication.
The diagram below shows the load balancer handling the distribution of traffic across multiple clusters, while each cluster has an Ingress controller deployed to guarantee even distribution across services.
[Figure: Deploying a Load Balancer in Front of Ingress Controllers. A client sends a request to pine.color.com on port 80, which reaches the load balancer on port 80, which forwards to the Ingress controller on port 80 with hosts pine.color, lagoon.color and deeplake.color. (1) The load balancer distributes traffic across the Ingress pods. (2) The Ingress controller guarantees that traffic is distributed across nodes and services. The Kubernetes cluster has Node 1, Node 2 and Node 3, each running Service: Pine, Service: Lagoon and Service: Deep Lake.]
Next Steps
If this post has not fully answered your question, watch the Linux Foundation webinars "Why You Need an Ingress Controller" and "How to Choose an Ingress Controller", in which NGINX experts introduce Kubernetes networking and discuss Ingress controllers and the state of the market in depth.
For more on how to use an Ingress controller and how to choose the one that best meets your needs, read our blog post "A Guide to Choosing an Ingress Controller, Part 1: Identify Your Requirements".
More Resources
Want timely, comprehensive access to NGINX technical content, Q&A, course series and event resources?
Visit the NGINX open source community: