diff --git a/8 NGINX-Ingress-Controller/.DS_Store b/8 NGINX-Ingress-Controller/.DS_Store index f2d70ef195337334a5acffa6bc6f6d992cef3828..fb69e0bfad2ed7c7f3b07e87cd0fcdda7e4537ba 100644 Binary files a/8 NGINX-Ingress-Controller/.DS_Store and b/8 NGINX-Ingress-Controller/.DS_Store differ diff --git a/8 NGINX-Ingress-Controller/0-deployment/README.md b/8 NGINX-Ingress-Controller/0-deployment/README.md index b4e18684b958ea7bf3c6383111ad13899a6027be..b61515d12ff3f38ea66b35e5d8e1165c3a806d43 100644 --- a/8 NGINX-Ingress-Controller/0-deployment/README.md +++ b/8 NGINX-Ingress-Controller/0-deployment/README.md @@ -4,10 +4,19 @@ (https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/) 本文件使用了hostnetwork方式对外暴露服务,暴露端口如下: + - http服务:80:80 - https服务:443:443 -- Dashboard:8080:8080 +- Dashboard:8000:8000 +- Service Insight 9114:9114 + +执行以下命令部署KIC +```bash +root@ubuntu:/# cd /root/kic-lab/0-deployment/ +root@ubuntu:/root/kic-lab/0-deployment# kubectl create -f nginx-plus-ingress-hostnetwork.yaml +deployment.apps/nginx-ingress created +``` -部署完成后,可以通过http/https服务暴露端口进行测试,应该能看到nginx版本页面,通过`http://’服务IP:8080‘/dashboard.html`应能看到NGINX Plus Dashboard,其中*'服务IP:8080’*是你对外暴露的KIC Dashboard的IP和端口。 +部署完成后,可以通过UDF平台点击k8s-master的Dashboard,如果能正常打开页面,说明部署成功。 ![Dashboard](https://images.gitee.com/uploads/images/2021/0916/170542_2e484244_9655660.png "dashboard.png") \ No newline at end of file diff --git a/8 NGINX-Ingress-Controller/0-deployment/nginx-plus-ingress-hostnetwork.yaml b/8 NGINX-Ingress-Controller/0-deployment/nginx-plus-ingress-hostnetwork.yaml index 365097d87d45370c4812ea371d2f684ac778388b..72d1d6eeafd7b997e2218ddde6b1df5cb6595142 100644 --- a/8 NGINX-Ingress-Controller/0-deployment/nginx-plus-ingress-hostnetwork.yaml +++ b/8 NGINX-Ingress-Controller/0-deployment/nginx-plus-ingress-hostnetwork.yaml 
@@ -12,17 +12,30 @@ spec: metadata: labels: app: nginx-ingress + app.kubernetes.io/name: nginx-ingress #annotations: #prometheus.io/scrape: "true" #prometheus.io/port: "9113" #prometheus.io/scheme: http spec: - serviceAccountName: nginx-ingress hostNetwork: true - nodeSelector: - name: master + serviceAccountName: nginx-ingress + automountServiceAccountToken: true + securityContext: + seccompProfile: + type: RuntimeDefault +# fsGroup: 101 #nginx +# volumes: +# - name: nginx-etc +# emptyDir: {} +# - name: nginx-cache +# emptyDir: {} +# - name: nginx-lib +# emptyDir: {} +# - name: nginx-log +# emptyDir: {} containers: - - image: docker-registry.nginx.com/nginx-ic-nap/nginx-plus-ingress:1.12.0 + - image: private-registry.nginx.com/nginx-ic-nap/nginx-plus-ingress:3.1.1 imagePullPolicy: Never name: nginx-plus-ingress ports: @@ -32,23 +45,47 @@ spec: containerPort: 443 - name: readiness-port containerPort: 8081 + - name: prometheus + containerPort: 9113 + - name: service-insight + containerPort: 9114 - name: dashboard - containerPort: 8080 - #- name: prometheus - # containerPort: 9113 + containerPort: 8000 + - name: ts-8001 + containerPort: 8001 + - name: ts-8002 + containerPort: 8002 readinessProbe: httpGet: path: /nginx-ready port: readiness-port periodSeconds: 1 + resources: + requests: + cpu: "100m" + memory: "128Mi" + #limits: + # cpu: "1" + # memory: "1Gi" securityContext: - allowPrivilegeEscalation: true + allowPrivilegeEscalation: false +# readOnlyRootFilesystem: true runAsUser: 101 #nginx + runAsNonRoot: true capabilities: drop: - ALL add: - NET_BIND_SERVICE +# volumeMounts: +# - mountPath: /etc/nginx +# name: nginx-etc +# - mountPath: /var/cache/nginx +# name: nginx-cache +# - mountPath: /var/lib/nginx +# name: nginx-lib +# - mountPath: /var/log/nginx +# name: nginx-log env: - name: POD_NAMESPACE valueFrom: 
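Review bot: In the pod `spec`, removing `nodeSelector` while the container keeps `imagePullPolicy: Never` lets the controller be scheduled on any node, but it will only start where `private-registry.nginx.com/nginx-ic-nap/nginx-plus-ingress:3.1.1` is already in the node's local image store. Because the pod runs with `hostNetwork: true`, the node it lands on also decides which host interfaces expose 80/443 and the status ports, so unpinned placement changes the exposed surface as well as risking a failed start. I would either keep a node selector for the lab node or use `imagePullPolicy: IfNotPresent` together with an `imagePullSecrets` entry for the private registry. `automountServiceAccountToken: true` restates the default, so a short comment such as `# controller needs API access; token mount is intentional` would show it is deliberate. The pod template starts before this hunk and continues after it.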
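Review bot: The new `resources` block sets only `requests` and leaves `limits` commented out, so this host-networked container has no CPU or memory ceiling and, with `-enable-app-protect` in the args (visible in the later hunk), a traffic spike can take memory from everything else on the node. I would enable the `limits:` block that is already sketched in the comment, with `cpu` and `memory` values sized for the lab. The `prometheus` port 9113 is now declared while `-enable-prometheus-metrics` stays commented out in the args, so either enable the flag or drop the port entry so the declared ports stay an accurate list of what the pod listens on. `readOnlyRootFilesystem: true` is also left commented out together with its `volumeMounts`, and a one-line comment saying why it is disabled would help the next reader. The container definition continues past the end of this hunk.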
@@ -62,14 +99,36 @@ spec: - -nginx-plus - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config - -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret + #- -include-year + #- -enable-cert-manager + #- -enable-external-dns - -enable-app-protect + #- -enable-app-protect-dos #- -v=3 # Enables extensive logging. Useful for troubleshooting. - -report-ingress-status #- -external-service=nginx-ingress #- -enable-prometheus-metrics + - -enable-service-insight - -global-configuration=$(POD_NAMESPACE)/nginx-configuration - -ingress-class=nginx-plus - -enable-tls-passthrough - - -nginx-status-allow-cidrs=10.1.10.0/24 - -enable-preview-policies - - -health-status \ No newline at end of file + - -health-status + - -nginx-status-allow-cidrs=10.1.1.0/24 + - -nginx-status-port=8000 +# initContainers: +# - image: nginx/nginx-ingress:3.1.1 +# imagePullPolicy: IfNotPresent +# name: init-nginx-ingress +# command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] +# securityContext: +# allowPrivilegeEscalation: false +# readOnlyRootFilesystem: true +# runAsUser: 101 #nginx +# runAsNonRoot: true +# capabilities: +# drop: +# - ALL +# volumeMounts: +# - mountPath: /mnt/etc +# name: nginx-etc \ No newline at end of file diff --git a/8 NGINX-Ingress-Controller/1-basic-ingress/README.md b/8 NGINX-Ingress-Controller/1-basic-ingress/README.md index 987b1aaedbb1a02668f6529ebc1b2c541381bcdd..c351f6abd2e8eb35a168fe2075bbf12cffd1e3c1 100644 --- a/8 NGINX-Ingress-Controller/1-basic-ingress/README.md +++ b/8 NGINX-Ingress-Controller/1-basic-ingress/README.md @@ -2,9 +2,12 @@ 基本的Ingress体验,根据host和uri进行7层应用路由,同时进行tls加密。 +进入相应文件夹。 + ## Step 1 - 部署cafe应用 部署cafe应用相应的pod并发布service: + ``` $ kubectl create -f cafe.yaml ``` 
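Review bot: `-enable-service-insight` opens the Service Insight endpoint on 9114, and because the pod uses `hostNetwork: true` that port is bound on the node itself, while `-nginx-status-allow-cidrs=10.1.1.0/24` restricts only the status/dashboard port 8000. As far as the flags shown here go, any client that can reach the node can likely read per-hostname upstream health through the probe path, and no TLS secret is configured for it. Consider adding `-service-insight-tls-secret=$(POD_NAMESPACE)/<tls-secret-name>` (placeholder name) and filtering 9114 at the node firewall, plus a comment above the allow-list line such as `# lab management subnet; keep as narrow as possible`. Separately, the commented-out `initContainers` block references `nginx/nginx-ingress:3.1.1`, a different image from the NGINX Plus / App Protect image the main container runs, so copying `/etc/nginx` from it would probably seed the wrong configuration if the block is ever uncommented. The args list starts before this hunk.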
@@ -12,19 +15,22 @@ $ kubectl create -f cafe.yaml ## Step 2 - 部署证书密钥和Ingress 1. 使用secret资源创建证书和密钥: - ``` - $ kubectl create -f cafe-secret.yaml - ``` + + ``` + $ kubectl create -f cafe-secret.yaml + ``` 2. 创建基本的Ingress资源: - ``` - $ kubectl create -f cafe-ingress.yaml - ``` + + ``` + $ kubectl create -f cafe-ingress.yaml + ``` ## Step 3 - 验证基本Ingress功能 -1. 使用浏览器访问`cafe.example.com/coffee`,能够显示访问到coffee pods,多次访问应该在两个pod之间负载均衡。 - - **请留意** 浏览器不需要特意指定https,应用会自动跳转到https进行访问,你可以通过curl命令观察到Ingress做了重定向。 +1. 执行`curl -L -k http://cafe.example.com/coffee`,能够显示访问到coffee pods,多次访问应该在两个pod之间负载均衡。 + + **请留意** curl不需要特意指定https,应用会自动跳转到https进行访问,你可以通过curl命令观察到Ingress做了重定向。 + ``` $ curl -i cafe.example.com/coffee HTTP/1.1 301 Moved Permanently @@ -44,25 +50,27 @@ $ kubectl create -f cafe.yaml ``` -2. 使用浏览器访问`cafe.example.com/tea`,能够显示访问到tea pods,多次访问应该在两个pod之间负载均衡。 +2. 执行`curl -L -k http://cafe.example.com/tea`,能够显示访问到tea pods,多次访问应该在两个pod之间负载均衡。 ## Step 4 - 部署带会话保持的Ingress 1. 删除基本Ingress: - ``` - $ kubectl delete -f cafe-ingress.yaml - ``` + + ``` + $ kubectl delete -f cafe-ingress.yaml + ``` 2. 创建带会话保持的Ingress资源: - ``` - $ kubectl create -f cafe-ingress-with-session-persistence.yaml - ``` + + ``` + $ kubectl create -f cafe-ingress-with-session-persistence.yaml + ``` ## Step 5 - 验证带会话保持的Ingress -1. 浏览器打开开发者工具,访问`cafe.example.com/coffee`,能够显示访问到coffee pod,多次访问也只会访问到同一个pod,通过开发者工具查看cookie,能看到Ingress插入的会话保持cookie。 +1. 执行`curl -i -k https://cafe.example.com/coffee`,能够显示访问到coffee pod,多次访问也只会访问到同一个pod,并且能看到Ingress插入的会话保持cookie。 -2. 浏览器打开开发者工具,访问`cafe.example.com/tea`,能够显示访问到tea pod,多次访问也只会访问到同一个pod,通过开发者工具查看cookie,能看到Ingress插入的会话保持cookie。 +2. 执行`curl -i -k https://cafe.example.com/tea`,能够显示访问到tea pod,多次访问也只会访问到同一个pod,并且能看到Ingress插入的会话保持cookie。 -3. 对比coffee和tea cookie的不同,留意过期时间。 +3. 对比coffee和tea cookie的不同,留意有效时间。 **暂时保留本实验创建的资源,下一个实验会继续使用** \ No newline at end of file 
diff --git a/8 NGINX-Ingress-Controller/1-basic-ingress/cafe-ingress-with-session-persistence.yaml b/8 NGINX-Ingress-Controller/1-basic-ingress/cafe-ingress-with-session-persistence.yaml index e8ea6a0cdf1badb951146afc5cfda3fe92ea4635..5ba2eb1029d039cb6dd2d1655719e4cb1d4d6845 100644 --- a/8 NGINX-Ingress-Controller/1-basic-ingress/cafe-ingress-with-session-persistence.yaml +++ b/8 NGINX-Ingress-Controller/1-basic-ingress/cafe-ingress-with-session-persistence.yaml @@ -1,4 +1,4 @@ -apiVersion: extensions/v1beta1 +apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: cafe-ingress @@ -15,10 +15,16 @@ spec: http: paths: - path: /tea + pathType: Prefix backend: - serviceName: tea-svc - servicePort: 80 + service: + name: tea-svc + port: + number: 80 - path: /coffee + pathType: Prefix backend: - serviceName: coffee-svc - servicePort: 80 + service: + name: coffee-svc + port: + number: 80 diff --git a/8 NGINX-Ingress-Controller/1-basic-ingress/cafe-ingress.yaml b/8 NGINX-Ingress-Controller/1-basic-ingress/cafe-ingress.yaml index 7b4d38a32398eead925ce92ef825cab739c8ed44..71672f6e39f5fbbb5fc4df170f0ddbdb2b9f0fd0 100644 --- a/8 NGINX-Ingress-Controller/1-basic-ingress/cafe-ingress.yaml +++ b/8 NGINX-Ingress-Controller/1-basic-ingress/cafe-ingress.yaml @@ -1,4 +1,4 @@ -apiVersion: extensions/v1beta1 +apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: cafe-ingress @@ -13,10 +13,16 @@ spec: http: paths: - path: /tea + pathType: Prefix backend: - serviceName: tea-svc - servicePort: 80 + service: + name: tea-svc + port: + number: 80 - path: /coffee + pathType: Prefix backend: - serviceName: coffee-svc - servicePort: 80 + service: + name: coffee-svc + port: + number: 80 diff --git a/8 NGINX-Ingress-Controller/10-ts-basic/README.md b/8 NGINX-Ingress-Controller/10-ts-basic/README.md new file mode 100644 index 0000000000000000000000000000000000000000..f700bf7a479112ec9ef36af1065db98a8bd08e4d --- /dev/null +++ b/8 NGINX-Ingress-Controller/10-ts-basic/README.md 
@@ -0,0 +1,45 @@ +# TS发布4层应用 + +本实验通过KIC的CRD之一Transport Server,实现应用的4层发布。 + +首先应用cafe.yaml创建后端应用。 + +```bash +kubectl apply -f cafe.yaml +``` + +然后应用`globalconfiguration-listener.yaml`文件,为KIC创建新的Listener。 + +```bash +kubectl apply -f globalconfiguration-listener.yaml +``` + +应用以上文件后,再分别创建两个TranportServer资源。 + +```bash +kubectl apply -f ts-coffee.yaml +kubectl apply -f ts-tea.yaml +``` + +以上资源都创建完成后,就可以通过IP:Port的方式访问tea和coffee应用了。 + +```bash +root@ubuntu:~/kic-lab/10-ts-basic# curl http://127.0.0.1:8001 +Server address: 10.244.0.64:80 +Server name: coffee-56d887dccc-fk9k2 +Date: 30/May/2023:13:54:12 +0000 +URI: / +Request ID: 6e26ff8a1a316d97a170c039b3b98160 +root@ubuntu:~/kic-lab/10-ts-basic# curl http://127.0.0.1:8002 +Server address: 10.244.0.62:80 +Server name: tea-5bdc4f89ff-b6m5g +Date: 30/May/2023:13:54:14 +0000 +URI: / +Request ID: 89a2d1b4719f44313c96842f8bb60f2e +``` + + + +**请注意globalconfiguration这个资源千万不要删除!** 如果要删除Listener,可以应用一个空的globalconfiguration资源。 + +# 至此,实验全部完成! diff --git a/8 NGINX-Ingress-Controller/4-vs-health/cafe.yaml b/8 NGINX-Ingress-Controller/10-ts-basic/cafe.yaml old mode 100644 new mode 100755 similarity index 100% rename from 8 NGINX-Ingress-Controller/4-vs-health/cafe.yaml rename to 8 NGINX-Ingress-Controller/10-ts-basic/cafe.yaml diff --git a/8 NGINX-Ingress-Controller/10-ts-basic/globalconfiguration-listener.yaml b/8 NGINX-Ingress-Controller/10-ts-basic/globalconfiguration-listener.yaml new file mode 100755 index 0000000000000000000000000000000000000000..3b13b6bbba8abba88f208c8c781afbbd7d893aed --- /dev/null +++ b/8 NGINX-Ingress-Controller/10-ts-basic/globalconfiguration-listener.yaml @@ -0,0 +1,13 @@ +apiVersion: k8s.nginx.org/v1alpha1 +kind: GlobalConfiguration +metadata: + name: nginx-configuration + namespace: nginx-ingress +spec: + listeners: + - name: tcp-8001 + port: 8001 + protocol: TCP + - name: tcp-8002 + port: 8002 + protocol: TCP 
diff --git a/8 NGINX-Ingress-Controller/10-ts-basic/globalconfiguration.yaml b/8 NGINX-Ingress-Controller/10-ts-basic/globalconfiguration.yaml new file mode 100755 index 0000000000000000000000000000000000000000..061c9c061bc72ee711398982a3c6ed3fc348a7cb --- /dev/null +++ b/8 NGINX-Ingress-Controller/10-ts-basic/globalconfiguration.yaml @@ -0,0 +1,6 @@ +apiVersion: k8s.nginx.org/v1alpha1 +kind: GlobalConfiguration +metadata: + name: nginx-configuration + namespace: nginx-ingress +spec: diff --git a/8 NGINX-Ingress-Controller/10-ts-basic/ts-coffee.yaml b/8 NGINX-Ingress-Controller/10-ts-basic/ts-coffee.yaml new file mode 100755 index 0000000000000000000000000000000000000000..90a2bf39d180744d5d6c4fc5cb95e6784d94231a --- /dev/null +++ b/8 NGINX-Ingress-Controller/10-ts-basic/ts-coffee.yaml @@ -0,0 +1,14 @@ +apiVersion: k8s.nginx.org/v1alpha1 +kind: TransportServer +metadata: + name: coffee +spec: + listener: + name: tcp-8001 + protocol: TCP + upstreams: + - name: coffee + service: coffee-svc + port: 80 + action: + pass: coffee diff --git a/8 NGINX-Ingress-Controller/10-ts-basic/ts-tea.yaml b/8 NGINX-Ingress-Controller/10-ts-basic/ts-tea.yaml new file mode 100755 index 0000000000000000000000000000000000000000..2a2cbf6b3d8687dfa182ccd3b0968ebf11d3197d --- /dev/null +++ b/8 NGINX-Ingress-Controller/10-ts-basic/ts-tea.yaml @@ -0,0 +1,14 @@ +apiVersion: k8s.nginx.org/v1alpha1 +kind: TransportServer +metadata: + name: tea +spec: + listener: + name: tcp-8002 + protocol: TCP + upstreams: + - name: tea + service: tea-svc + port: 80 + action: + pass: tea diff --git a/8 NGINX-Ingress-Controller/3-ingress-cross-ns/README.md b/8 NGINX-Ingress-Controller/3-ingress-cross-ns/README.md deleted file mode 100644 index b1221379dcbc8309274b2ce40eca598ee15e4018..0000000000000000000000000000000000000000 --- a/8 NGINX-Ingress-Controller/3-ingress-cross-ns/README.md +++ /dev/null 
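Review bot: The bare `spec:` on the last line of globalconfiguration.yaml parses as `null`, not as an empty mapping, so whether applying this file clears the listeners depends on how the API server and the CRD schema treat a null `spec`. The README relies on this file to close the 8001/8002 TCP listeners without deleting the resource, so the intent should be written explicitly as `spec: {}`. A leading comment such as `# Empty GlobalConfiguration: apply to remove all listeners; do not delete the resource` would also document why the file exists.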
@@ -1,40 +0,0 @@ -# Cross-Namespace Ingress - -实验通过Mergeable Ingress的方式实现跨Namespace的Ingress服务发布 - -## Step 1 - 创建分布于不同namespace下的cafe服务 - -``` -$ kubectl create -f cafe-with-ns.yaml -``` - -## Step 2 - 部署证书密钥和Ingress - -1. 使用secret资源创建证书和密钥: - ``` - $ kubectl create -f cafe-secret.yaml - ``` -2. 创建默认namespace的master ingress资源: - ``` - $ kubectl create -f cafe-master.yaml - ``` -3. 创建coffee namespace的minion ingress资源: - ``` - $ kubectl create -f coffee-minion.yaml - ``` -4. 创建tea namespace的minion ingress资源: - ``` - $ kubectl create -f tea-minion.yaml - ``` - -## Step 3 - 验证效果 - -使用curl命令或浏览器访问`cafe.example.com/coffee`和`cafe.example.com/tea`,能够分别显示访问到coffee pods和tea pods,证明可实现跨namespace的服务发布。 - -## Step 4 - 还原实验环境 - -清除所有资源,**执行两遍**: - - ``` - $ kubectl delete -f ./ - ``` diff --git a/8 NGINX-Ingress-Controller/3-ingress-cross-ns/cafe-master.yaml b/8 NGINX-Ingress-Controller/3-ingress-cross-ns/cafe-master.yaml deleted file mode 100644 index 92d6ee46f0582bd1fc930cd859972a7c9954a0b0..0000000000000000000000000000000000000000 --- a/8 NGINX-Ingress-Controller/3-ingress-cross-ns/cafe-master.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: cafe-ingress-master - annotations: - nginx.org/mergeable-ingress-type: "master" -spec: - ingressClassName: nginx-plus - tls: - - hosts: - - cafe.example.com - secretName: cafe-secret - rules: - - host: cafe.example.com diff --git a/8 NGINX-Ingress-Controller/3-ingress-cross-ns/coffee-minion.yaml b/8 NGINX-Ingress-Controller/3-ingress-cross-ns/coffee-minion.yaml deleted file mode 100644 index aee15fde42df4b8b34878b861814ec910c5f5cf6..0000000000000000000000000000000000000000 --- a/8 NGINX-Ingress-Controller/3-ingress-cross-ns/coffee-minion.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: cafe-ingress-coffee-minion - namespace: coffee - annotations: - nginx.org/mergeable-ingress-type: "minion" -spec: - ingressClassName: nginx-plus - rules: - - host: cafe.example.com - http: - paths: - - path: /coffee - backend: - serviceName: coffee-svc - servicePort: 80 diff --git a/8 NGINX-Ingress-Controller/3-ingress-cross-ns/tea-minion.yaml b/8 NGINX-Ingress-Controller/3-ingress-cross-ns/tea-minion.yaml deleted file mode 100644 index 001dbd1de91e75ecc2bbd6ad8230ee58bc9bb325..0000000000000000000000000000000000000000 --- a/8 NGINX-Ingress-Controller/3-ingress-cross-ns/tea-minion.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: cafe-ingress-tea-minion - namespace: tea - annotations: - nginx.org/mergeable-ingress-type: "minion" -spec: - ingressClassName: nginx-plus - rules: - - host: cafe.example.com - http: - paths: - - path: /tea - backend: - serviceName: tea-svc - servicePort: 80 diff --git a/8 NGINX-Ingress-Controller/4-vs-health/README.md b/8 NGINX-Ingress-Controller/3-vs-health/README.md similarity index 39% rename from 8 NGINX-Ingress-Controller/4-vs-health/README.md rename to 8 NGINX-Ingress-Controller/3-vs-health/README.md index daeaf686a9622883470d12b9e36b5b6c0dbdc821..a726c7303492ad418c3e2304174793b9b6b235be 100644 --- a/8 NGINX-Ingress-Controller/4-vs-health/README.md +++ b/8 NGINX-Ingress-Controller/3-vs-health/README.md 
@@ -11,30 +11,57 @@ $ kubectl create -f cafe.yaml ## Step 2 - 部署证书密钥和VS 1. 使用secret资源创建证书和密钥: - ``` - $ kubectl create -f cafe-secret.yaml - ``` + + ``` + $ kubectl create -f cafe-secret.yaml + ``` + 2. 创建vs资源: - ``` - $ kubectl create -f vs-health-check.yaml - ``` + + ``` + $ kubectl create -f vs-health-check.yaml + ``` ## Step 3 - 验证效果 -1. 使用curl命令或浏览器访问`cafe.example.com/coffee`和`cafe.example.com/tea`,能够分别显示访问到coffee pods和tea pods。 +1. 使用curl命令 访问`cafe.example.com/coffee`和`cafe.example.com/tea`,能够分别显示访问到coffee pods和tea pods。 + 2. 打开Dashboard,观察upstream,特别留意tea的health monitor部分。 + 3. 使用`kubectl exec -it *tea_pod_name* -- sh`进入任意一个tea pod。 + + ```bash + root@ubuntu:/# kubectl get pod + NAME READY STATUS RESTARTS AGE + coffee-56d887dccc-9bv4h 1/1 Running 0 3m8s + coffee-56d887dccc-ztdfc 1/1 Running 0 3m8s + tea-5bdc4f89ff-5lc6z 1/1 Running 0 3m8s + tea-5bdc4f89ff-jzxtb 1/1 Running 0 3m8s + web-coffee-5975694976-929dg 1/1 Running 0 6d + web-tea-545b5c798b-8bhsv 1/1 Running 0 6d + root@ubuntu:/# kubectl exec -it tea-5bdc4f89ff-5lc6z -- sh + ``` + 修改`/etc/nginx/conf.d/hello-plain-text.conf`文件,增加一个`return 403;`指令。 - ``` - ... - return 403; - #return 200 'Server address...'; - ... - ``` - 执行`ngins -s reload`,使配置生效。 + + ``` + ... + return 403; + #return 200 'Server address...'; + ... + ``` + + 执行`nginx -s reload`,使配置生效。 + 4. 观察Dashboard中tea的health monitor部分的变化,一段时间后,其中一个pod应该被标记为down。 -5. 在第3步的tea pod中,撤销之前做的操作,执行`ngins -s reload`,使配置生效。 -6. 观察Dashboard中tea的health monitor部分的变化,一段时间后,被标记为down的pod应该重新up。 + +5. 打开k8s-master的Sercie Insight页面,在路径后加入vs域名cafe.example.com(完整路径类似这样:https://c80cf5f8-dbd5-4242-b40c-ec4edce62b3b.access.udf.f5.com/probe/cafe.example.com),应该能看到统计数据,总共4个pod,3个up,1个是unhealthy。 + +6. 在第3步的tea pod中,撤销之前做的操作,执行`ngins -s reload`,使配置生效。 + +7. 观察Dashboard中tea的health monitor部分的变化,一段时间后,被标记为down的pod应该重新up。 + +8. 观察Sercie Insight页面的变化。 ## Step 4 - 还原实验环境 
diff --git a/8 NGINX-Ingress-Controller/3-ingress-cross-ns/cafe-secret.yaml b/8 NGINX-Ingress-Controller/3-vs-health/cafe-secret.yaml similarity index 100% rename from 8 NGINX-Ingress-Controller/3-ingress-cross-ns/cafe-secret.yaml rename to 8 NGINX-Ingress-Controller/3-vs-health/cafe-secret.yaml diff --git a/8 NGINX-Ingress-Controller/3-ingress-cross-ns/cafe-with-ns.yaml b/8 NGINX-Ingress-Controller/3-vs-health/cafe.yaml similarity index 84% rename from 8 NGINX-Ingress-Controller/3-ingress-cross-ns/cafe-with-ns.yaml rename to 8 NGINX-Ingress-Controller/3-vs-health/cafe.yaml index ba37ea7452c15d287b528ed41f17ebda70b99a90..5fcfd71148bf6eb41d7c18563495589149123bcb 100644 --- a/8 NGINX-Ingress-Controller/3-ingress-cross-ns/cafe-with-ns.yaml +++ b/8 NGINX-Ingress-Controller/3-vs-health/cafe.yaml @@ -1,18 +1,7 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: tea ---- -apiVersion: v1 -kind: Namespace -metadata: - name: coffee ---- apiVersion: apps/v1 kind: Deployment metadata: name: coffee - namespace: coffee spec: replicas: 2 selector: @@ -34,7 +23,6 @@ apiVersion: v1 kind: Service metadata: name: coffee-svc - namespace: coffee spec: ports: - port: 80 @@ -48,7 +36,6 @@ apiVersion: apps/v1 kind: Deployment metadata: name: tea - namespace: tea spec: replicas: 2 selector: @@ -70,7 +57,7 @@ apiVersion: v1 kind: Service metadata: name: tea-svc - namespace: tea + labels: spec: ports: - port: 80 diff --git a/8 NGINX-Ingress-Controller/4-vs-health/vs-health-check.yaml b/8 NGINX-Ingress-Controller/3-vs-health/vs-health-check.yaml similarity index 100% rename from 8 NGINX-Ingress-Controller/4-vs-health/vs-health-check.yaml rename to 8 NGINX-Ingress-Controller/3-vs-health/vs-health-check.yaml diff --git a/8 NGINX-Ingress-Controller/4-vs-health/cafe-secret.yaml b/8 NGINX-Ingress-Controller/4-vs-health/cafe-secret.yaml deleted file mode 100644 index e94493b121037da7284ce7e241a5da5250f3a114..0000000000000000000000000000000000000000 
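Review bot: In the last hunk of 3-vs-health/cafe.yaml the `namespace: tea` line under `tea-svc` is replaced by a bare `labels:`, which parses as a null value rather than a set of labels. It looks like a leftover from editing; dropping the line, or writing `labels: {}` if the key is wanted, avoids relying on the API server normalising null metadata. The earlier hunks in this file only remove the Namespace objects and `namespace` fields and need no change.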
--- a/8 NGINX-Ingress-Controller/4-vs-health/cafe-secret.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: cafe-secret -type: kubernetes.io/tls -data: - tls.crt: 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 - tls.key: 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 \ No newline at end of file diff --git a/8 NGINX-Ingress-Controller/5-vs-split/README.md b/8 NGINX-Ingress-Controller/4-vs-split/README.md similarity index 69% rename from 8 NGINX-Ingress-Controller/5-vs-split/README.md rename to 8 NGINX-Ingress-Controller/4-vs-split/README.md index d1bbb8a28eadc2fa521492d822f341e54b353d4c..83c61fcdfa72057a5340e7dfc438d246ac3ded79 100644 --- a/8 NGINX-Ingress-Controller/5-vs-split/README.md +++ b/8 NGINX-Ingress-Controller/4-vs-split/README.md @@ -5,7 +5,7 @@ ## Step 1 - 创建cafe服务 ``` -$ kubectl create -f cafe-with-ns.yaml +$ kubectl create -f cafe.yaml ``` ## Step 2 - 部署vs @@ -18,11 +18,14 @@ $ kubectl create -f cafe-with-ns.yaml ## Step 3 - 验证效果 -1. 使用curl命令或浏览器访问`cafe.example.com/coffee`能够显示访问到coffee v1 pods和coffee v2 pods。 +1. 使用curl命令访问`cafe.example.com/coffee`能够显示访问到coffee v1 pods和coffee v2 pods。 + 2. 使用wrk打一定的压力,参考命令: - ``` - wrk -c100 -t2 -d30s http://cafe.example.com/coffee - ``` + + ``` + wrk -c100 -t2 -d30s http://cafe.example.com/coffee + ``` + 3. 打开Dashboard,观察upstream中coffee v1和v2的request数量,应该大致在9:1。 ## Step 4 - 还原实验环境 diff --git a/8 NGINX-Ingress-Controller/5-vs-split/cafe.yaml b/8 NGINX-Ingress-Controller/4-vs-split/cafe.yaml similarity index 100% rename from 8 NGINX-Ingress-Controller/5-vs-split/cafe.yaml rename to 8 NGINX-Ingress-Controller/4-vs-split/cafe.yaml diff --git a/8 NGINX-Ingress-Controller/5-vs-split/vs-split.yaml b/8 NGINX-Ingress-Controller/4-vs-split/vs-split.yaml similarity index 100% rename from 8 NGINX-Ingress-Controller/5-vs-split/vs-split.yaml rename to 8 NGINX-Ingress-Controller/4-vs-split/vs-split.yaml 
diff --git a/8 NGINX-Ingress-Controller/6-vs-condition/README.md b/8 NGINX-Ingress-Controller/5-vs-condition/README.md similarity index 81% rename from 8 NGINX-Ingress-Controller/6-vs-condition/README.md rename to 8 NGINX-Ingress-Controller/5-vs-condition/README.md index 878944e7438ec2e444600d53c1b174874bc34c1b..c2419f0571a2b280f76745f16aa70e18bc5bbd29 100644 --- a/8 NGINX-Ingress-Controller/6-vs-condition/README.md +++ b/8 NGINX-Ingress-Controller/5-vs-condition/README.md @@ -5,7 +5,7 @@ ## Step 1 - 创建cafe服务 ``` -$ kubectl create -f cafe-with-ns.yaml +$ kubectl create -f cafe.yaml ``` ## Step 2 - 部署vs @@ -20,11 +20,16 @@ $ kubectl create -f cafe-with-ns.yaml 1. 使用普通curl命令访问`cafe.example.com/coffee`能够显示访问到coffee v1 pods。 2. 使用curl命令携带名为*version*,值为*v2*的cookie访问`cafe.example.com/coffee`能够显示访问到coffee v2 pods。 - ``` - curl --cookie 'version=v2' http://cafe.example.com/coffee - ``` + + ``` + curl --cookie 'version=v2' http://cafe.example.com/coffee + ``` 3. 使用普通curl命令访问`cafe.example.com/tea`能够显示访问到tea pods。 4. 使用curl命令指定方法为POST访问`cafe.example.com/tea`能够显示访问到tea-post pods。 + + ```bash + curl -X POST http://cafe.example.com/tea + ``` ## Step 4 - 还原实验环境 diff --git a/8 NGINX-Ingress-Controller/6-vs-condition/cafe.yaml b/8 NGINX-Ingress-Controller/5-vs-condition/cafe.yaml similarity index 100% rename from 8 NGINX-Ingress-Controller/6-vs-condition/cafe.yaml rename to 8 NGINX-Ingress-Controller/5-vs-condition/cafe.yaml diff --git a/8 NGINX-Ingress-Controller/6-vs-condition/vs-condition.yaml b/8 NGINX-Ingress-Controller/5-vs-condition/vs-condition.yaml similarity index 100% rename from 8 NGINX-Ingress-Controller/6-vs-condition/vs-condition.yaml rename to 8 NGINX-Ingress-Controller/5-vs-condition/vs-condition.yaml 
diff --git a/8 NGINX-Ingress-Controller/7-vsr-cross-ns/README.md b/8 NGINX-Ingress-Controller/6-vsr-cross-ns/README.md similarity index 45% rename from 8 NGINX-Ingress-Controller/7-vsr-cross-ns/README.md rename to 8 NGINX-Ingress-Controller/6-vsr-cross-ns/README.md index 5beb28c639fdf0950db0ab79fcecd7896a2d8de0..9b07c6138968bed3cd872ea615991916d9757229 100644 --- a/8 NGINX-Ingress-Controller/7-vsr-cross-ns/README.md +++ b/8 NGINX-Ingress-Controller/6-vsr-cross-ns/README.md @@ -5,6 +5,7 @@ ## Step 1 - 创建Namespace 创建tea, coffee, 和 cafe namespaces: + ``` $ kubectl create -f namespaces.yaml ``` 
@@ -12,42 +13,49 @@ $ kubectl create -f namespaces.yaml ## Step 2 - 部署cafe应用 1. 创建 tea deployment 和 service 在 tea namespace: - ``` - $ kubectl create -f tea.yaml - ``` -1. 创建 coffee deployment 和 service 在 coffee namespace: - ``` - $ kubectl create -f coffee.yaml - ``` + + ``` + $ kubectl create -f tea.yaml + ``` +2. 创建 coffee deployment 和 service 在 coffee namespace: + + ``` + $ kubectl create -f coffee.yaml + ``` ## Step 3 - 部署vs和vsr 1. 创建 VirtualServerRoute 在 tea namespace: - ``` - $ kubectl create -f tea-virtual-server-route.yaml - ``` + + ``` + $ kubectl create -f tea-virtual-server-route.yaml + ``` 2. 创建 VirtualServerRoute 在 coffee namespace,其中包含了反向代理功能: - ``` - $ kubectl create -f coffee-virtual-server-route.yaml - ``` + + ``` + $ kubectl create -f coffee-virtual-server-route.yaml + ``` 3. 部署证书密钥在 cafe namespace: - ``` - $ kubectl create -f cafe-secret.yaml - ``` + + ``` + $ kubectl create -f cafe-secret.yaml + ``` 4. 创建 VirtualServer 在 cafe namespace: - ``` - $ kubectl create -f cafe-virtual-server.yaml - ``` + + ``` + $ kubectl create -f cafe-virtual-server.yaml + ``` ## Step 4 - 验证 -1. 使用curl命令或浏览器访问`cafe.example.com/coffee`和`cafe.example.com/tea`,能够分别显示访问到coffee pods和tea pods,证明可实现跨namespace的服务发布。 -2. 使用curl命令访问`cafe.example.com/tea`,能够看到KIC插入的Header *My-Header*和*IC-Nginx-Version*,以及KIC对URI做了改写,从`/coffee`被改写到了`/coffee/rewrite`。 - ``` - curl -i http://cafe.example.com/coffee - ``` +1. 使用curl命令访问`cafe.example.com/coffee`和`cafe.example.com/tea`,能够分别显示访问到coffee pods和tea pods,证明可实现跨namespace的服务发布。 +2. 使用curl命令访问`cafe.example.com/coffee`,能够看到KIC插入的Header *My-Header*和*IC-Nginx-Version*,以及KIC对URI做了改写,从`/coffee`被改写到了`/coffee/rewrite`。 + + ``` + curl -i http://cafe.example.com/coffee + ``` 3. 使用普通curl命令访问`cafe.example.com/tea`能够显示访问到tea pods。 -4. 使用curl命令指定方法为POST访问`cafe.example.com/tea`能够显示访问到tea-post pods。 +4. ## Step 5 - 还原实验环境 
diff --git a/8 NGINX-Ingress-Controller/7-vsr-cross-ns/cafe-secret.yaml b/8 NGINX-Ingress-Controller/6-vsr-cross-ns/cafe-secret.yaml
similarity index 100%
rename from 8 NGINX-Ingress-Controller/7-vsr-cross-ns/cafe-secret.yaml
rename to 8 NGINX-Ingress-Controller/6-vsr-cross-ns/cafe-secret.yaml
diff --git a/8 NGINX-Ingress-Controller/7-vsr-cross-ns/cafe-virtual-server.yaml b/8 NGINX-Ingress-Controller/6-vsr-cross-ns/cafe-virtual-server.yaml
similarity index 100%
rename from 8 NGINX-Ingress-Controller/7-vsr-cross-ns/cafe-virtual-server.yaml
rename to 8 NGINX-Ingress-Controller/6-vsr-cross-ns/cafe-virtual-server.yaml
diff --git a/8 NGINX-Ingress-Controller/7-vsr-cross-ns/coffee-virtual-server-route.yaml b/8 NGINX-Ingress-Controller/6-vsr-cross-ns/coffee-virtual-server-route.yaml
similarity index 100%
rename from 8 NGINX-Ingress-Controller/7-vsr-cross-ns/coffee-virtual-server-route.yaml
rename to 8 NGINX-Ingress-Controller/6-vsr-cross-ns/coffee-virtual-server-route.yaml
diff --git a/8 NGINX-Ingress-Controller/7-vsr-cross-ns/coffee.yaml b/8 NGINX-Ingress-Controller/6-vsr-cross-ns/coffee.yaml
similarity index 100%
rename from 8 NGINX-Ingress-Controller/7-vsr-cross-ns/coffee.yaml
rename to 8 NGINX-Ingress-Controller/6-vsr-cross-ns/coffee.yaml
diff --git a/8 NGINX-Ingress-Controller/7-vsr-cross-ns/namespaces.yaml b/8 NGINX-Ingress-Controller/6-vsr-cross-ns/namespaces.yaml
similarity index 100%
rename from 8 NGINX-Ingress-Controller/7-vsr-cross-ns/namespaces.yaml
rename to 8 NGINX-Ingress-Controller/6-vsr-cross-ns/namespaces.yaml
diff --git a/8 NGINX-Ingress-Controller/7-vsr-cross-ns/tea-virtual-server-route.yaml b/8 NGINX-Ingress-Controller/6-vsr-cross-ns/tea-virtual-server-route.yaml
similarity index 100%
rename from 8 NGINX-Ingress-Controller/7-vsr-cross-ns/tea-virtual-server-route.yaml
rename to 8 NGINX-Ingress-Controller/6-vsr-cross-ns/tea-virtual-server-route.yaml
diff --git a/8 NGINX-Ingress-Controller/7-vsr-cross-ns/tea.yaml b/8 NGINX-Ingress-Controller/6-vsr-cross-ns/tea.yaml similarity index 100% rename from 8 NGINX-Ingress-Controller/7-vsr-cross-ns/tea.yaml rename to 8 NGINX-Ingress-Controller/6-vsr-cross-ns/tea.yaml diff --git a/8 NGINX-Ingress-Controller/8-policy-ratelimit/README.md b/8 NGINX-Ingress-Controller/7-policy-ratelimit/README.md similarity index 78% rename from 8 NGINX-Ingress-Controller/8-policy-ratelimit/README.md rename to 8 NGINX-Ingress-Controller/7-policy-ratelimit/README.md index 26c26081c53672cdce7bd97ac7c54f4cd3b532c3..0bd8f328a761956169dd80d2e9bf7d077bf16087 100644 --- a/8 NGINX-Ingress-Controller/8-policy-ratelimit/README.md +++ b/8 NGINX-Ingress-Controller/7-policy-ratelimit/README.md @@ -11,6 +11,7 @@ $ kubectl apply -f webapp.yaml ## Step 2 - 部署Rate Limit Policy 创建一个Policy,使用ratelimit把每个客户端的请求速率限制到100r/s: + ``` $ kubectl apply -f rate-limit.yaml ``` @@ -23,12 +24,14 @@ $ kubectl apply -f vs-ratelimit.yaml ## Step 4 - 验证 -1. 使用curl命令或浏览器访问`webapp.example.com/`能够正常访问。 +1. 使用curl命令访问`webapp.example.com/`能够正常访问。 2. 使用wrk打一定的压力,参考命令: - ``` - wrk -c100 -t2 -d30s http://webapp.example.com - ``` + + ``` + wrk -c100 -t2 -d30s http://webapp.example.com + ``` 3. 打开Dashboard,观察HTTP Zones页面,可以看到Limit Req中拦截的超限流量。观察upstream中的请求速率,应该稳定在100r/s左右。 +4. 可以尝试下删除Policy调用,再打一次压力。 ## Step 5 - 还原实验环境 diff --git a/8 NGINX-Ingress-Controller/8-policy-ratelimit/rate-limit.yaml b/8 NGINX-Ingress-Controller/7-policy-ratelimit/rate-limit.yaml similarity index 100% rename from 8 NGINX-Ingress-Controller/8-policy-ratelimit/rate-limit.yaml rename to 8 NGINX-Ingress-Controller/7-policy-ratelimit/rate-limit.yaml diff --git a/8 NGINX-Ingress-Controller/8-policy-ratelimit/vs-ratelimit.yaml b/8 NGINX-Ingress-Controller/7-policy-ratelimit/vs-ratelimit.yaml similarity index 100% rename from 8 NGINX-Ingress-Controller/8-policy-ratelimit/vs-ratelimit.yaml rename to 8 NGINX-Ingress-Controller/7-policy-ratelimit/vs-ratelimit.yaml 
diff --git a/8 NGINX-Ingress-Controller/8-policy-ratelimit/webapp.yaml b/8 NGINX-Ingress-Controller/7-policy-ratelimit/webapp.yaml similarity index 100% rename from 8 NGINX-Ingress-Controller/8-policy-ratelimit/webapp.yaml rename to 8 NGINX-Ingress-Controller/7-policy-ratelimit/webapp.yaml diff --git a/8 NGINX-Ingress-Controller/9-app-protect/README.md b/8 NGINX-Ingress-Controller/8-app-protect/README.md similarity index 73% rename from 8 NGINX-Ingress-Controller/9-app-protect/README.md rename to 8 NGINX-Ingress-Controller/8-app-protect/README.md index 427e7a7f8e75b4d74476639ace5683aa7147f6aa..15dcd26818876b57cd2f3fd6d78668750c85d649 100644 --- a/8 NGINX-Ingress-Controller/9-app-protect/README.md +++ b/8 NGINX-Ingress-Controller/8-app-protect/README.md @@ -1,4 +1,4 @@ -# Rate Limit +# APP Protect 本实验通过KIC的CRD之一Policy,以及NGINX Plus的APP Protect模块,实现WAF功能。 @@ -11,6 +11,7 @@ $ kubectl apply -f webapp.yaml ## Step 2 - 部署App Protect Policy 创建一个app protect policy,使用最基本的waf策略: + ``` $ kubectl apply -f ap-policy.yaml ``` @@ -18,6 +19,7 @@ $ kubectl apply -f ap-policy.yaml ## Step 3 - 部署App Protect Log Config 创建一个app protect logconf,配置waf的日志格式: + ``` $ kubectl apply -f ap-logconf.yaml ``` @@ -28,11 +30,13 @@ $ kubectl apply -f ap-logconf.yaml $ kubectl apply -f syslog.yaml $ kubectl get service ``` + 复制其中syslog-svc的ip。 ## Step 5 - 部署Policy 创建一个Policy资源,调用之前创建的waf策略和日志配置,其中的`logDest`填写刚才复制的syslog-svc的ip: + ``` $ kubectl apply -f policy-waf.yaml ``` @@ -45,12 +49,20 @@ $ kubectl apply -f vs-waf.yaml ## Step 7 - 验证 -1. 使用curl命令或浏览器访问`webapp.example.com/`能够正常访问。 -2. 使用curl命令或浏览器访问`webapp.example.com/