Kubernetes Ingress - 负载均衡器流量拆分
Kubernetes Ingress - Load balancer traffic split
我有一个 class nginx 的 kubernetes 入口和两个负载平衡器。 运行 在 GKE v1.17 上。
入口 yaml 示例:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: my-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
kubernetes.io/ingress.class: "nginx"
# Enable client certificate authentication
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
# Create the secret containing the trusted ca certificates
nginx.ingress.kubernetes.io/auth-tls-secret: "production/client-cert-secret"
# Specify the verification depth in the client certificates chain
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
# Automatically redirect http to https
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
# Use regex in paths
nginx.ingress.kubernetes.io/use-regex: "true"
# Allow larger request body
nginx.ingress.kubernetes.io/proxy-body-size: 30m
# For notifications we add the proxy headers
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
spec:
tls:
- hosts:
- my-domain.com
secretName: my-tls-certificate
rules:
- host: my-domain.com
http:
paths:
- path: /(.*)
backend:
serviceName: load-balancer-1
servicePort: 443
我希望在两个负载均衡器之间拆分到达入口的流量。
例如:
load-balancer-1 将获得 90% 的流量
load-balancer-2 将获得 10% 的流量
如何使用 kubernetes ingress 做到这一点?
nginx 入口控制器通过 Canary Annotations
支持金丝雀部署
In some cases, you may want to "canary" a new set of changes by
sending a small number of requests to a different service than the
production service. The canary annotation enables the Ingress spec to
act as an alternative service for requests to route to depending on
the rules applied. The following annotations to configure canary can
be enabled after nginx.ingress.kubernetes.io/canary: "true" is set:
nginx.ingress.kubernetes.io/canary-weight: The integer based (0 - 100)
percent of random requests that should be routed to the service
specified in the canary Ingress. A weight of 0 implies that no
requests will be sent to the service in the Canary ingress by this
canary rule. A weight of 100 means implies all requests will be sent
to the alternative service specified in the Ingress.
Note that when you mark an ingress as canary, then all the other
non-canary annotations will be ignored (inherited from the
corresponding main ingress) except
nginx.ingress.kubernetes.io/load-balance and
nginx.ingress.kubernetes.io/upstream-hash-by.
Known Limitations
Currently a maximum of one canary ingress can be applied per Ingress
rule.
换句话说,您可以引入一个新的 Ingress 对象 my-ingress-canary,您可以在其中设置注释
nginx.ingress.kubernetes.io/canary: "true"(告诉 Nginx Ingress 将此标记为“Canary”,并通过匹配主机和路径将此 Ingress 与主 Ingress 相关联。
nginx.ingress.kubernetes.io/canary-weight: "10"(将百分之十的流量路由到 load-balancer-2)
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: my-ingress-canary
annotations:
nginx.ingress.kubernetes.io/canary: "true"
nginx.ingress.kubernetes.io/canary-weight: "10"
spec:
rules:
- host: my-domain.com
http:
paths:
- path: /(.*)
backend:
serviceName: load-balancer-2
servicePort: 443
我有一个 class nginx 的 kubernetes 入口和两个负载平衡器。 运行 在 GKE v1.17 上。
入口 yaml 示例:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: my-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
kubernetes.io/ingress.class: "nginx"
# Enable client certificate authentication
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
# Create the secret containing the trusted ca certificates
nginx.ingress.kubernetes.io/auth-tls-secret: "production/client-cert-secret"
# Specify the verification depth in the client certificates chain
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
# Automatically redirect http to https
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
# Use regex in paths
nginx.ingress.kubernetes.io/use-regex: "true"
# Allow larger request body
nginx.ingress.kubernetes.io/proxy-body-size: 30m
# For notifications we add the proxy headers
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
spec:
tls:
- hosts:
- my-domain.com
secretName: my-tls-certificate
rules:
- host: my-domain.com
http:
paths:
- path: /(.*)
backend:
serviceName: load-balancer-1
servicePort: 443
我希望在两个负载均衡器之间拆分到达入口的流量。 例如:
load-balancer-1 将获得 90% 的流量
load-balancer-2 将获得 10% 的流量
如何使用 kubernetes ingress 做到这一点?
nginx 入口控制器通过 Canary Annotations
支持金丝雀部署In some cases, you may want to "canary" a new set of changes by sending a small number of requests to a different service than the production service. The canary annotation enables the Ingress spec to act as an alternative service for requests to route to depending on the rules applied. The following annotations to configure canary can be enabled after
nginx.ingress.kubernetes.io/canary: "true"is set:
nginx.ingress.kubernetes.io/canary-weight: The integer based (0 - 100) percent of random requests that should be routed to the service specified in the canary Ingress. A weight of 0 implies that no requests will be sent to the service in the Canary ingress by this canary rule. A weight of 100 means implies all requests will be sent to the alternative service specified in the Ingress.Note that when you mark an ingress as canary, then all the other non-canary annotations will be ignored (inherited from the corresponding main ingress) except nginx.ingress.kubernetes.io/load-balance and nginx.ingress.kubernetes.io/upstream-hash-by.
Known Limitations
Currently a maximum of one canary ingress can be applied per Ingress rule.
换句话说,您可以引入一个新的 Ingress 对象 my-ingress-canary,您可以在其中设置注释
nginx.ingress.kubernetes.io/canary: "true"(告诉 Nginx Ingress 将此标记为“Canary”,并通过匹配主机和路径将此 Ingress 与主 Ingress 相关联。nginx.ingress.kubernetes.io/canary-weight: "10"(将百分之十的流量路由到 load-balancer-2)
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: my-ingress-canary
annotations:
nginx.ingress.kubernetes.io/canary: "true"
nginx.ingress.kubernetes.io/canary-weight: "10"
spec:
rules:
- host: my-domain.com
http:
paths:
- path: /(.*)
backend:
serviceName: load-balancer-2
servicePort: 443