k8s Nginx Ingress 常用的 9个 配置(annotation)
上一篇文章介绍了 ingress vhost这个annotation的使用,趁热打铁我们一口气介绍 9 个常用的annotation。
1、ingress class
如果一个k8s 集群里面部署多个ingress controller的时候,如果配置ingress 希望指定到某个ingress controller的时候,ingress claas就发挥巨大作用了。
一方面在controller启动的时候需要通过参数指定ingress class
--ingress-class=ngx-ds另一方面,在创建ingress的时候,通过annotation指定ingress class,如下所示
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: other-ngx-k8s
namespace: other-ngx
annotations:
kubernetes.io/ingress.class: "ngx-ds"
spec:
rules:
- host: other-ngx-k8s.demo.com.cn
http:
paths:
- path: /
backend:
serviceName: other-ngx-k8s-ngx-svc
servicePort: 90012、 强制https
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"通过这个annotation可以强制 https,如果是http请求,会通过 301 redirect到 https。
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: test-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/preserve-trailing-slash: "true"
spec:
rules:
- http:
paths:
- path: /testpath
backend:
serviceName: test
servicePort: 803、请求超时
nginx.org/proxy-connect-timeout 和nginx.org/proxy-read-timeout 这两个参数分别设置nginx的建立连接以及等待结果的超时时间。
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: cafe-ingress-with-annotations
annotations:
nginx.org/proxy-connect-timeout: "30s"
nginx.org/proxy-read-timeout: "20s"
spec:
rules:
- host: cafe.example.com
http:
paths:
- path: /tea
backend:
serviceName: tea-svc
servicePort: 80
- path: /coffee
backend:
serviceName: coffee-svc
servicePort: 804、跨域访问
我们经常将nginx作为api的网关,支持跨域必不可少。通过nginx.ingress.kubernetes.io/cors-allow-methods 设置支持跨域请求的方法。
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: test-ingress
annotations:
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For, X-app123-XPTO"
nginx.ingress.kubernetes.io/cors-expose-headers: "*, X-CustomResponseHeader"
nginx.ingress.kubernetes.io/cors-max-age: 600
nginx.ingress.kubernetes.io/cors-allow-credentials: "false"
spec:
rules:
- http:
paths:
- path: /testpath
backend:
serviceName: test
servicePort: 805、限流
限流也经常使用,通过 rps 限制每秒请求数,rpm 限制每分钟请求数,connections限制连接数。
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: test-ingress
annotations:
nginx.ingress.kubernetes.io/limit-rps: "5"
nginx.ingress.kubernetes.io/limit-rpm: "300"
nginx.ingress.kubernetes.io/limit-connections: "10"
spec:
rules:
- http:
paths:
- path: /testpath
backend:
serviceName: test
servicePort: 806、最大body
这个主要是针对外部请求,防止将流量打满,proxy-body-size 设置最大请求 body,如果超过则会返回 413 请求错误。
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: test-ingress
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: 8m
spec:
rules:
- http:
paths:
- path: /testpath
backend:
serviceName: test7、客户端白名单
这个主要是用于安全限制,只允许特定的客户端请求,但由于现在网络中NAT的广泛应用,这个参数使用的场景比较有限。
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: test-ingress
annotations:
ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/24,172.10.0.1"
spec:
rules:
- http:
paths:
- path: /testpath
backend:
serviceName: test8、默认服务
这个经常使用,当客户端请求一个不存在的path的时候,我们不希望返回 404 ,跳转到一个默认的服务上。
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: test-ingress
annotations:
nginx.ingress.kubernetes.io/default-backend: <svc name>
spec:
rules:
- http:
paths:
- path: /testpath
backend:
serviceName: test9、access log开关
nginx ingress 默认是开启access log的,如果你想关闭,可以通过将 nginx.ingress.kubernetes.io/enable-access-log 设置成false。
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: test-ingress
annotations:
nginx.ingress.kubernetes.io/enable-access-log: "false"
spec:
rules:
- http:
paths:
- path: /testpath
backend:
serviceName: test