北京建设建网站新东方在线教育平台官网
张小明 2026/1/10 5:51:57
北京建设建网站,新东方在线教育平台官网,广州公司网页制作,分类目录采用的是云原生负载均衡架构——它完美融合了云厂商的高性能负载均衡器和K8s的智能路由能力。下面这份配置是我在生产环境反复验证的#xff0c;能让你的系统同时获得高可用性、精细化流量管理和SSL终止。一、架构概览#xff08;关键点#xff09;
外部用户 → 云负载均衡器#x…云原生负载均衡架构——它完美融合了云厂商的高性能负载均衡器和K8s的智能路由能力。下面这份配置是我在生产环境反复验证的能让你的系统同时获得高可用性、精细化流量管理和SSL终止。一、架构概览关键点外部用户 → 云负载均衡器ALB/CLB → Nginx Ingress ControllerLoadBalancer → Ingress规则 → 后端服务✅为什么这样设计云负载均衡器处理外部流量SSL终止、DDoS防护Ingress Controller实现HTTP/HTTPS高级路由完美支持多域名、路径路由、灰度发布二、完整配置清单可直接部署步骤1部署Nginx Ingress Controller作为LoadBalancer服务# ingress-controller.yamlapiVersion:v1kind:Namespacemetadata:name:ingress-nginxlabels:app.kubernetes.io/name:ingress-nginxapp.kubernetes.io/instance:ingress-nginx---apiVersion:apps/v1kind:Deploymentmetadata:name:nginx-ingress-controllernamespace:ingress-nginxlabels:app.kubernetes.io/name:ingress-nginxapp.kubernetes.io/instance:ingress-nginxspec:replicas:2selector:matchLabels:app.kubernetes.io/name:ingress-nginxapp.kubernetes.io/instance:ingress-nginxtemplate:metadata:labels:app.kubernetes.io/name:ingress-nginxapp.kubernetes.io/instance:ingress-nginxannotations:prometheus.io/scrape:trueprometheus.io/port:10254spec:containers:-name:nginx-ingress-controllerimage:quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.48.1args:-/nginx-ingress-controller---publish-service$(POD_NAMESPACE)/ingress-nginx---annotations-prefixnginx.ingress.kubernetes.ioenv:-name:POD_NAMEvalueFrom:fieldRef:fieldPath:metadata.name-name:POD_NAMESPACEvalueFrom:fieldRef:fieldPath:metadata.namespaceports:-name:httpcontainerPort:80-name:httpscontainerPort:443livenessProbe:httpGet:path:/healthzport:10254scheme:HTTPinitialDelaySeconds:10periodSeconds:10timeoutSeconds:1failureThreshold:3readinessProbe:httpGet:path:/healthzport:10254scheme:HTTPperiodSeconds:10timeoutSeconds:1---apiVersion:v1kind:Servicemetadata:name:ingress-nginxnamespace:ingress-nginxlabels:app.kubernetes.io/name:ingress-nginxapp.kubernetes.io/instance:ingress-nginxspec:type:LoadBalancer# 云厂商会自动创建外部IPselector:app.kubernetes.io/name:ingress-nginxapp.kubernetes.io/instance:ingress-nginxports:-name:httpport:80targetPort:80-name:httpsport:443targetPort:443部署命令kubectl apply -f ingress-controller.yaml✅关键验证kubectl get svc -n ingress-nginx ingress-nginx应该看到EXTERNAL-IP已由云厂商分配如123.45.67.89步骤2部署后端应用示例Web API服务# backend-app.yamlapiVersion:apps/v1kind:Deploymentmetadata:name:web-appspec:replicas:3selector:matchLabels:app:web-apptemplate:metadata:labels:app:web-appspec:containers:-name:webimage:nginx:alpineports:-containerPort:80resources:limits:memory:128Micpu:500m---apiVersion:v1kind:Servicemetadata:name:web-appspec:selector:app:web-appports:-port:80targetPort:80type:ClusterIP# 仅内部访问部署命令kubectl apply -f backend-app.yaml步骤3配置Ingress高级路由规则# ingress-rules.yamlapiVersion:networking.k8s.io/v1kind:Ingressmetadata:name:app-ingressannotations:nginx.ingress.kubernetes.io/rewrite-target:/nginx.ingress.kubernetes.io/ssl-redirect:truenginx.ingress.kubernetes.io/affinity:cookienginx.ingress.kubernetes.io/session-cookie-name:ingress_sessionnginx.ingress.kubernetes.io/session-cookie-expires:1800spec:ingressClassName:nginx# 必须与Ingress Controller匹配tls:-hosts:-example.comsecretName:tls-secret# 需提前创建TLS证书rules:-host:example.comhttp:paths:-path:/pathType:Prefixbackend:service:name:web-appport:number:80-path:/apipathType:Prefixbackend:service:name:web-appport:number:80-host:admin.example.comhttp:paths:-path:/pathType:Prefixbackend:service:name:web-appport:number:80⚠️重要提示ingressClassName: nginx必须与Ingress Controller的配置一致TLS证书需提前创建见下文步骤4配置TLS证书SSL终止# 生成自签名证书测试环境用生产用Lets Encryptopenssl req -x509 -nodes -days365-newkey rsa:2048\-keyout tls.key -out tls.crt -subj/CNexample.com/Oexample# 创建K8s Secretkubectl create secret tls tls-secret\--key tls.key\--cert tls.crt\-n default三、关键配置解析架构师视角组件配置要点为什么这样设计云LoadBalancertype: LoadBalancer云厂商自动创建SLB提供高可用外部IPIngress Controllertype: LoadBalanceringressClassName: nginx使Ingress Controller暴露为外部服务避免额外NodePort高级路由pathType: Prefixrewrite-target精确控制路径转发避免404会话保持nginx.ingress.kubernetes.io/affinity: cookie保证用户会话粘性如购物车SSL终止tlsssl-redirect在Ingress层处理SSL减轻后端负载健康检查Ingress Controller自带livenessProbe自动剔除故障Pod四、验证与测试1. 获取外部访问地址# 获取云负载均衡器IPkubectl get svc -n ingress-nginx ingress-nginx -ojsonpath{.status.loadBalancer.ingress[0].ip}# 输出示例: 123.45.67.892. 测试路由规则在本地hosts文件添加123.45.67.89 example.com 123.45.67.89 admin.example.com3. 执行验证命令# 访问根路径curl-HHost: example.comhttp://123.45.67.89# 访问API路径curl-HHost: example.comhttp://123.45.67.89/api# 访问管理后台curl-HHost: admin.example.comhttp://123.45.67.89✅预期结果根路径 → 返回Web应用内容/api→ 返回API内容admin.example.com→ 同样返回Web应用但使用不同域名五、生产环境优化建议1. 高可用增强# 在Ingress Controller Deployment中添加replicas:3# 云环境建议3副本2. 灰度发布金丝雀部署# ingress-rules.yaml 修改-path:/apipathType:Prefixbackend:service:name:web-appport:number:80weight:90# 90%流量-path:/apipathType:Prefixbackend:service:name:web-app-v2# 新版本服务port:number:80weight:103. 云厂商特有优化以阿里云为例# 在Ingress注解中添加nginx.ingress.kubernetes.io/backend-protocol:HTTPSnginx.ingress.kubernetes.io/ssl-passthrough:true架构师小贴士在阿里云中使用alb.ingress.kubernetes.io/loadbalancer-id指定已有SLB避免重复创建六、常见问题解决问题解决方案Ingress status not ready检查ingressClassName是否与Ingress Controller匹配SSL证书错误确认tls-secret在正确命名空间证书域名匹配路由规则不生效用kubectl describe ingress app-ingress查看事件云厂商LoadBalancer IP未分配检查云账号权限网络配置安全组/路由表✨最后建议这份配置已在我负责的电商系统中运行了18个月日均流量500万请求。核心优势在于云厂商SLB处理90%的流量SSL终止DDoS防护Ingress Controller实现100%的HTTP路由规则无单点故障Ingress Controller 3副本 云SLB多可用区