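In a Kubernetes cluster, ALB Ingress manages the externally accessible API objects of the cluster's Services and provides Layer 7 load balancing. This topic describes how to use ALB Ingress to forward requests from different domain names or URL paths to different backend server groups, redirect HTTP access to HTTPS, implement canary releases, and more.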

Prerequisites

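Forward requests based on domain names

Use the following commands to create a simple Ingress that forwards requests based on a specified regular domain name or an empty domain name.

  • Example of forwarding requests based on a regular domain name:
    1. Deploy the following template to create a Service, a Deployment, and an Ingress. Requests are forwarded to the Service through the domain name of the Ingress.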
      apiVersion: v1
      kind: Service
      metadata:
        name: demo-service
        namespace: default
      spec:
        ports:
          - name: port1
            port: 80
            protocol: TCP
            targetPort: 8080
        selector:
          app: demo
        sessionAffinity: None
        type: NodePort
      ---
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: demo
        namespace: default
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: demo
        template:
          metadata:
            labels:
              app: demo
          spec:
            containers:
              - image: registry.cn-hangzhou.aliyuncs.com/alb-sample/cafe:v1
                imagePullPolicy: IfNotPresent
                name: demo
                ports:
                  - containerPort: 8080
                    protocol: TCP
      ---
      apiVersion: networking.k8s.io/v1beta1
      kind: Ingress
      metadata:
        name: demo
        namespace: default
      spec:
        ingressClassName: alb
        rules:
          - host: demo.domain.ingress.top
            http:
              paths:
                - backend:
                    serviceName: demo-service
                    servicePort: 80
                  path: /hello
                  pathType: ImplementationSpecific
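      # The same resources for clusters that serve networking.k8s.io/v1 Ingress (Kubernetes 1.19 and later); the set above uses v1beta1.
      apiVersion: v1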
      kind: Service
      metadata:
        name: demo-service
        namespace: default
      spec:
        ports:
          - name: port1
            port: 80
            protocol: TCP
            targetPort: 8080
        selector:
          app: demo
        sessionAffinity: None
        type: NodePort
      ---
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: demo
        namespace: default
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: demo
        template:
          metadata:
            labels:
              app: demo
          spec:
            containers:
              - image: registry.cn-hangzhou.aliyuncs.com/alb-sample/cafe:v1
                imagePullPolicy: IfNotPresent
                name: demo
                ports:
                  - containerPort: 8080
                    protocol: TCP
      ---
      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        name: demo
        namespace: default
      spec:
        ingressClassName: alb
        rules:
          - host: demo.domain.ingress.top
            http:
              paths:
                - backend:
                    service:
                      name: demo-service
                      port:
                        number: 80
                  path: /hello
                  pathType: ImplementationSpecific

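    2. Run the following command to access the service through the specified regular domain name.

      Replace ADDRESS with the domain name of the ALB instance, which you can obtain by running kubectl get ing.

      curl -H "host: demo.domain.ingress.top" <ADDRESS>/hello
      Expected output:
      {"hello":"coffee"}
  • Example of forwarding requests based on an empty domain name:
    1. Deploy the following template to create an Ingress.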
      apiVersion: networking.k8s.io/v1beta1
      kind: Ingress
      metadata:
        name: demo
        namespace: default
      spec:
        ingressClassName: alb
        rules:
          - host: ""
            http:
              paths:
                - backend:
                    serviceName: demo-service
                    servicePort: 80
                  path: /hello
                  pathType: ImplementationSpecific
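      # The same Ingress for clusters that serve networking.k8s.io/v1 (Kubernetes 1.19 and later); the one above uses v1beta1.
      apiVersion: networking.k8s.io/v1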
      kind: Ingress
      metadata:
        name: demo
        namespace: default
      spec:
        ingressClassName: alb
        rules:
          - host: ""
            http:
              paths:
                - backend:
                    service:
                      name: demo-service
                      port: 
                        number: 80
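                  path: /hello
                  # pathType is required in networking.k8s.io/v1.
                  pathType: ImplementationSpecific
    2. Run the following command to access the service through the empty domain name.

      Replace ADDRESS with the domain name of the ALB instance, which you can obtain by running kubectl get ing.

      curl <ADDRESS>/hello
      Expected output:
      {"hello":"coffee"}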

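Forward requests based on URL paths

ALB Ingress supports forwarding requests by URL. You can set the pathType field to choose the URL matching policy. pathType supports three matching modes: Exact, ImplementationSpecific, and Prefix.

Examples of the three matching modes:

  • Exact: matches the URL path exactly and case-sensitively.
    1. Deploy the following template to create an Ingress.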
      apiVersion: networking.k8s.io/v1beta1
      kind: Ingress
      metadata:
        name: demo-path
        namespace: default
      spec:
        ingressClassName: alb
        rules:
          - http:
              paths:
              - path: /hello
                backend:
                  serviceName: demo-service
                  servicePort: 80
                pathType: Exact
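      # The same Ingress for clusters that serve networking.k8s.io/v1 (Kubernetes 1.19 and later); the one above uses v1beta1.
      apiVersion: networking.k8s.io/v1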
      kind: Ingress
      metadata:
        name: demo-path
        namespace: default
      spec:
        ingressClassName: alb
        rules:
          - http:
              paths:
              - path: /hello
                backend:
                  service:
                    name: demo-service
                    port: 
                      number: 80
                pathType: Exact
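    2. Run the following command to access the service.

      Replace ADDRESS with the domain name of the ALB instance, which you can obtain by running kubectl get ing.

      curl <ADDRESS>/hello
      Expected output:
      {"hello":"coffee"}
  • ImplementationSpecific: the default. ALB Ingress handles it the same way as Exact, but the Ingress Controller implements the two differently.
    1. Deploy the following template to create an Ingress.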

      apiVersion: networking.k8s.io/v1beta1
      kind: Ingress
      metadata:
        name: demo-path
        namespace: default
      spec:
        ingressClassName: alb
        rules:
          - http:
              paths:
              - path: /hello
                backend:
                  serviceName: demo-service
                  servicePort: 80
                pathType: ImplementationSpecific
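      # The same Ingress for clusters that serve networking.k8s.io/v1 (Kubernetes 1.19 and later); the one above uses v1beta1.
      apiVersion: networking.k8s.io/v1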
      kind: Ingress
      metadata:
        name: demo-path
        namespace: default
      spec:
        ingressClassName: alb
        rules:
          - http:
              paths:
              - path: /hello
                backend:
                  service:
                    name: demo-service
                    port:
                      number: 80
                pathType: ImplementationSpecific
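    2. Run the following command to access the service.

      Replace ADDRESS with the domain name of the ALB instance, which you can obtain by running kubectl get ing.

      curl <ADDRESS>/hello
      Expected output:
      {"hello":"coffee"}
  • Prefix: matches by URL path prefix, with the path split on /. Matching is case-sensitive and is done element by element.
    1. Deploy the following template to create an Ingress.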
      apiVersion: networking.k8s.io/v1beta1
      kind: Ingress
      metadata:
        name: demo-path-prefix
        namespace: default
      spec:
        ingressClassName: alb
        rules:
          - http:
              paths:
              - path: /
                backend:
                  serviceName: demo-service
                  servicePort: 80
                pathType: Prefix
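      # The same Ingress for clusters that serve networking.k8s.io/v1 (Kubernetes 1.19 and later); the one above uses v1beta1.
      apiVersion: networking.k8s.io/v1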
      kind: Ingress
      metadata:
        name: demo-path-prefix
        namespace: default
      spec:
        ingressClassName: alb
        rules:
          - http:
              paths:
              - path: /
                backend:
                  service:
                    name: demo-service
                    port:
                      number: 80
                pathType: Prefix
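    2. Run the following command to access the service.

      Replace ADDRESS with the domain name of the ALB instance, which you can obtain by running kubectl get ing.

      curl <ADDRESS>/hello
      Expected output: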
      {"hello":"coffee"}
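
The following added example (not part of the original page and not ALB's own code) models the three pathType modes as described above and shows which rules a set of request paths would reach. The narrower /hello Prefix rule and the probe paths are hypothetical, added for comparison with the page's Exact /hello and Prefix / rules.

```python
# A model of the pathType modes as this page describes them, for reviewing
# what a rule exposes. It is an illustration, not ALB's implementation.

def _elements(path):
    """Split a URL path on "/" and drop empty elements (ignores a trailing slash)."""
    return [e for e in path.split("/") if e]


def path_matches(rule_path, path_type, request_path):
    """Return True if request_path matches the rule under the given pathType."""
    # Matching is done on the path only, so drop any query string first.
    request_path = request_path.split("?", 1)[0]
    if path_type in ("Exact", "ImplementationSpecific"):
        # The page states that ALB Ingress treats ImplementationSpecific like
        # Exact: a case-sensitive comparison of the whole path.
        return request_path == rule_path
    if path_type == "Prefix":
        rule, req = _elements(rule_path), _elements(request_path)
        # Element-wise, case-sensitive prefix: every rule element must equal
        # the request element at the same position.
        return req[:len(rule)] == rule
    raise ValueError(f"unknown pathType: {path_type!r}")


def reachable(rules, request_paths):
    """Map each request path to the labels of the rules that match it.

    rules: list of (path, pathType, label) tuples taken from Ingress specs.
    """
    return {rp: [label for path, ptype, label in rules
                 if path_matches(path, ptype, rp)]
            for rp in request_paths}


# Constructed sample: the Exact /hello and Prefix / rules from this section,
# plus a hypothetical narrower Prefix /hello rule.
RULES = [
    ("/hello", "Exact", "exact:/hello"),
    ("/", "Prefix", "prefix:/"),
    ("/hello", "Prefix", "prefix:/hello"),
]
# Constructed probe paths.
PROBES = ["/hello", "/hello/", "/Hello", "/hello/admin", "/hellofoo", "/metrics"]

if __name__ == "__main__":
    for path, labels in reachable(RULES, PROBES).items():
        print(f"{path:14} -> {labels}")
```

The Prefix / rule matches every probe, so everything the backend Service serves becomes reachable through the Ingress, while the Exact rule matches only /hello itself.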

Configure health checks

ALB Ingress supports health checks, which you configure with the following annotations.

A YAML example that configures health checks:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    alb.ingress.kubernetes.io/healthcheck-enabled: "true"
    alb.ingress.kubernetes.io/healthcheck-path: "/"
    alb.ingress.kubernetes.io/healthcheck-protocol: "HTTP"
    alb.ingress.kubernetes.io/healthcheck-method: "HEAD"
    alb.ingress.kubernetes.io/healthcheck-httpcode: "http_2xx"
    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: "5"
    alb.ingress.kubernetes.io/healthcheck-interval-seconds: "2"
    alb.ingress.kubernetes.io/healthy-threshold-count: "3"
    alb.ingress.kubernetes.io/unhealthy-threshold-count: "3"
spec:
  ingressClassName: alb
  rules:
  - http:
      paths:
      # Configure the context path.
      - path: /tea
        backend:
          serviceName: tea-svc
          servicePort: 80
      # Configure the context path.
      - path: /coffee
        backend:
          serviceName: coffee-svc
          servicePort: 80
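# The same Ingress for clusters that serve networking.k8s.io/v1 (Kubernetes 1.19 and later); the one above uses v1beta1.
apiVersion: networking.k8s.io/v1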
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    alb.ingress.kubernetes.io/healthcheck-enabled: "true"
    alb.ingress.kubernetes.io/healthcheck-path: "/"
    alb.ingress.kubernetes.io/healthcheck-protocol: "HTTP"
    alb.ingress.kubernetes.io/healthcheck-method: "HEAD"
    alb.ingress.kubernetes.io/healthcheck-httpcode: "http_2xx"
    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: "5"
    alb.ingress.kubernetes.io/healthcheck-interval-seconds: "2"
    alb.ingress.kubernetes.io/healthy-threshold-count: "3"
    alb.ingress.kubernetes.io/unhealthy-threshold-count: "3"
spec:
  ingressClassName: alb
  rules:
  - http:
      paths:
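      # Configure the context path (pathType is required in networking.k8s.io/v1).
      - path: /tea
        pathType: ImplementationSpecific
        backend:
          service:
            name: tea-svc
            port:
              number: 80
      # Configure the context path.
      - path: /coffee
        pathType: ImplementationSpecific
        backend:
          service:
            name: coffee-svc
            port:
              number: 80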

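The parameters are described in the following table.
Parameter Description
alb.ingress.kubernetes.io/healthcheck-enabled (Optional) Whether to enable health checks. Enabled by default (true).
alb.ingress.kubernetes.io/healthcheck-path (Optional) The health check path. Default: /
  • Enter the URL of the health check page. Checking a static page is recommended. The length must be 1 to 80 characters. Letters, digits, hyphens (-), forward slashes (/), periods (.), percent signs (%), question marks (?), number signs (#), and ampersands (&) are supported, as well as the extended character set _;~!()*[]@$^:',+. The URL must start with a forward slash (/).
  • By default, for HTTP health checks the load balancing system sends an HTTP HEAD request to the default home page configured for the application on the backend server, through the private IP address of the backend ECS instance. If the page you use for health checks is not the application server's default home page, specify the exact check path.
alb.ingress.kubernetes.io/healthcheck-protocol (Optional) The health check protocol.
  • HTTP (default): checks whether the server application is healthy by sending HEAD or GET requests that simulate browser access.
  • TCP: checks whether the server port is alive by sending SYN handshake packets.
  • GRPC: checks whether the server application is healthy by sending POST or GET requests.
alb.ingress.kubernetes.io/healthcheck-method (Optional) The health check method.
  • HEAD (default): health checks on HTTP listeners use the HEAD method by default. Make sure that your backend servers support HEAD requests. If your backend application server does not support the HEAD method or has it disabled, health checks may fail; in that case, use the GET method for health checks.
  • POST: health checks on GRPC listeners use the POST method by default. Make sure that your backend servers support POST requests. If your backend application server does not support the POST method or has it disabled, health checks may fail; in that case, use the GET method for health checks.
  • GET: a response longer than 8 KB is truncated, but this does not affect the health check result.
alb.ingress.kubernetes.io/healthcheck-httpcode The status codes that indicate a successful health check.
  • When the health check protocol is HTTP, you can select http_2xx (default), http_3xx, http_4xx, and http_5xx.
  • When the health check protocol is GRPC, the status code range is 0 to 99. Ranges are supported, with at most 20 range values; separate multiple range values with commas (,).
alb.ingress.kubernetes.io/healthcheck-timeout-seconds The time to wait for a health check response. If the backend ECS instance does not respond correctly within the specified time, the health check is considered failed. Valid values: 1 to 300 seconds. Default: 5 seconds.
alb.ingress.kubernetes.io/healthcheck-interval-seconds The interval between health checks. Valid values: 1 to 50 seconds. Default: 2 seconds.
alb.ingress.kubernetes.io/healthy-threshold-count The number of consecutive successful health checks after which a backend server's health check status changes from failed to successful. Valid values: 2 to 10. Default: 3.
alb.ingress.kubernetes.io/unhealthy-threshold-count The number of consecutive failed health checks after which a backend server's health check status changes from successful to failed. Valid values: 2 to 10. Default: 3.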

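Configure automatic discovery of HTTPS certificates

ALB Ingress Controller provides automatic certificate discovery. You first create a certificate in the Certificate Management Service console; ALB Ingress Controller then automatically matches and discovers the certificate based on the domain names in the TLS configuration of the Ingress.

  1. Run the following commands to create a certificate with openssl.
    # The signing step expects an existing CA certificate (ca.pem) and CA key (ca-key.pem) in the current directory.
    openssl genrsa -out albtop-key.pem 4096
    openssl req -subj "/CN=demo.alb.ingress.top" -sha256 -new -key albtop-key.pem -out albtop.csr
    echo subjectAltName = DNS:demo.alb.ingress.top > extfile.cnf
    openssl x509 -req -days 3650 -sha256 -in albtop.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out albtop-cert.pem -extfile extfile.cnf
  2. Upload the certificate in the Certificate Management Service console.

    For details, see Upload a certificate.

  3. Add the following fields to the Ingress YAML to configure the domain name that the certificate covers.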
    tls:
      - hosts:
        - demo.alb.ingress.top

    Example:

    apiVersion: v1
    kind: Service
    metadata:
      name: demo-service-https
      namespace: default
    spec:
      ports:
        - name: port1
          port: 443
          protocol: TCP
          targetPort: 8080
      selector:
        app: demo-cafe
      sessionAffinity: None
      type: NodePort
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: demo-cafe
      namespace: default
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: demo-cafe
      template:
        metadata:
          labels:
            app: demo-cafe
        spec:
          containers:
            - image: registry.cn-hangzhou.aliyuncs.com/alb-sample/cafe:v1
              imagePullPolicy: IfNotPresent
              name: demo-cafe
              ports:
                - containerPort: 8080
                  protocol: TCP
    ---
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      name: demo-https
      namespace: default
    spec:
      ingressClassName: alb
      # Configure the domain name that the certificate covers.
      tls:
      - hosts:
        - demo.alb.ingress.top
      rules:
        - host: demo.alb.ingress.top
          http:
            paths:
              - backend:
                  serviceName: demo-service-https
                  servicePort: 443
                path: /
                pathType: Prefix
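    # The same resources for clusters that serve networking.k8s.io/v1 Ingress (Kubernetes 1.19 and later); the set above uses v1beta1.
    apiVersion: v1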
    kind: Service
    metadata:
      name: demo-service-https
      namespace: default
    spec:
      ports:
        - name: port1
          port: 443
          protocol: TCP
          targetPort: 8080
      selector:
        app: demo-cafe
      sessionAffinity: None
      type: NodePort
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: demo-cafe
      namespace: default
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: demo-cafe
      template:
        metadata:
          labels:
            app: demo-cafe
        spec:
          containers:
            - image: registry.cn-hangzhou.aliyuncs.com/alb-sample/cafe:v1
              imagePullPolicy: IfNotPresent
              name: demo-cafe
              ports:
                - containerPort: 8080
                  protocol: TCP
    ---
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: demo-https
      namespace: default
    spec:
      ingressClassName: alb
      tls:
      - hosts:
        - demo.alb.ingress.top
      rules:
        - host: demo.alb.ingress.top
          http:
            paths:
              - backend:
                  service:
                    name: demo-service-https
                    port:  
                      number: 443
                path: /
                pathType: Prefix

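  4. Run the following command to check the certificate.
    curl https://demo.alb.ingress.top/tea
    Expected output:
    {"hello":"tea"}

Redirect HTTP to HTTPS

By setting the annotation alb.ingress.kubernetes.io/ssl-redirect: "true", ALB Ingress redirects HTTP requests to HTTPS on port 443.

Configuration example: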

apiVersion: v1
kind: Service
metadata:
  name: demo-service-ssl
  namespace: default
spec:
  ports:
    - name: port1
      port: 80
      protocol: TCP
      targetPort: 8080
  selector:
    app: demo-ssl
  sessionAffinity: None
  type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-ssl
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-ssl
  template:
    metadata:
      labels:
        app: demo-ssl
    spec:
      containers:
        - image: registry.cn-hangzhou.aliyuncs.com/alb-sample/cafe:v1
          imagePullPolicy: IfNotPresent
          name: demo-ssl
          ports:
            - containerPort: 8080
              protocol: TCP
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/ssl-redirect: "true"
  name: demo-ssl
  namespace: default
spec:
  ingressClassName: alb
  tls:
  - hosts:
    - ssl.alb.ingress.top
  rules:
    - host: ssl.alb.ingress.top
      http:
        paths:
          - backend:
              serviceName: demo-service-ssl
              servicePort: 80
            path: /
            pathType: Prefix
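# The same resources for clusters that serve networking.k8s.io/v1 Ingress (Kubernetes 1.19 and later); the set above uses v1beta1.
apiVersion: v1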
kind: Service
metadata:
  name: demo-service-ssl
  namespace: default
spec:
  ports:
    - name: port1
      port: 80
      protocol: TCP
      targetPort: 8080
  selector:
    app: demo-ssl
  sessionAffinity: None
  type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-ssl
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-ssl
  template:
    metadata:
      labels:
        app: demo-ssl
    spec:
      containers:
        - image: registry.cn-hangzhou.aliyuncs.com/alb-sample/cafe:v1
          imagePullPolicy: IfNotPresent
          name: demo-ssl
          ports:
            - containerPort: 8080
              protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/ssl-redirect: "true"
  name: demo-ssl
  namespace: default
spec:
  ingressClassName: alb
  tls:
  - hosts:
    - ssl.alb.ingress.top
  rules:
    - host: ssl.alb.ingress.top
      http:
        paths:
          - backend:
              service:
                name: demo-service-ssl
                port: 
                  number: 80
            path: /
            pathType: Prefix

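Support for the HTTPS and GRPC protocols

ALB currently supports HTTPS and GRPC as backend protocols. With ALB Ingress, you only need to set the annotation alb.ingress.kubernetes.io/backend-protocol: "grpc" or alb.ingress.kubernetes.io/backend-protocol: "https". Forwarding a gRPC service through an Ingress requires that the domain name has an SSL certificate and that communication uses TLS. An example that configures the GRPC protocol:

Note: The backend protocol cannot be modified. To change the protocol, delete and recreate the Ingress.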
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/backend-protocol: "grpc"
  name: lxd-grpc-ingress
spec:
  ingressClassName: alb
  tls:
  - hosts:
    - demo.alb.ingress.top
  rules:
    - host: demo.alb.ingress.top
      http:
        paths:
          - backend:
              serviceName: grpc-demo-svc
              servicePort: 9080
            path: /
            pathType: Prefix
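# The same Ingress for clusters that serve networking.k8s.io/v1 (Kubernetes 1.19 and later); the one above uses v1beta1.
apiVersion: networking.k8s.io/v1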
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/backend-protocol: "grpc"
  name: lxd-grpc-ingress
spec:
  ingressClassName: alb
  tls:
  - hosts:
    - demo.alb.ingress.top
  rules:
  - host: demo.alb.ingress.top
    http:
      paths:  
      - path: /
        pathType: Prefix
        backend:
          service:
            name: grpc-demo-svc
            port:
              number: 9080

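Rewrite support

ALB currently supports rewrites. With ALB Ingress, you only need to set the annotation alb.ingress.kubernetes.io/rewrite-target: /path/${2}.

Note
  • To use regular expressions, submit a ticket to apply for the regular expression whitelist.
  • In the rewrite-target annotation, capture group variables of the form ${number} must be configured on a path whose pathType is Prefix.
  • By default, path cannot contain regular expression symbols such as * and ?. To use regular expression symbols, configure the rewrite-target annotation.
  • path must start with /.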
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/rewrite-target: /path/${2}
  name: rewrite-ingress
spec:
  ingressClassName: alb
  rules:
    - host: demo.alb.ingress.top
      http:
        paths:
          - backend:
              serviceName: rewrite-svc
              servicePort: 9080
            path: /something(/|$)(.*)
            pathType: Prefix
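# The same Ingress for clusters that serve networking.k8s.io/v1 (Kubernetes 1.19 and later); the one above uses v1beta1.
apiVersion: networking.k8s.io/v1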
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/rewrite-target: /path/${2}
  name: rewrite-ingress
spec:
  ingressClassName: alb
  rules:
  - host: demo.alb.ingress.top
    http:
      paths:
      - path: /something(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: rewrite-svc
            port:
              number: 9080

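Configure custom listener ports

Ingress currently supports custom listener ports. This lets you expose a service on port 80 and port 443 at the same time. Configuration example: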

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80},{"HTTPS": 443}]'
  name: cafe-ingress
spec:
  ingressClassName: alb
  tls:
  - hosts:
    - demo.alb.ingress.top
  rules:
    - host: demo.alb.ingress.top
      http:
        paths:
          - backend:
              serviceName: tea-svc
              servicePort: 80
            path: /tea-svc
            pathType: ImplementationSpecific
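# The same Ingress for clusters that serve networking.k8s.io/v1 (Kubernetes 1.19 and later); the one above uses v1beta1.
apiVersion: networking.k8s.io/v1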
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80},{"HTTPS": 443}]'
spec:
  ingressClassName: alb
  tls:
  - hosts:
    - demo.alb.ingress.top
  rules:
  - host: demo.alb.ingress.top
    http:
      paths:
      - path: /tea
        pathType: ImplementationSpecific
        backend:
          service:
            name: tea-svc
            port:
              number: 80

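Configure forwarding rule priorities

You can define the priority of ALB forwarding rules with an Ingress annotation.

Note: Rule priorities must be unique within a listener. alb.ingress.kubernetes.io/order identifies the priority order among Ingresses. Valid values: 1 to 1000. A smaller value means a higher priority.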
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/order: "2" 
  name: cafe-ingress
spec:
  ingressClassName: alb
  rules:
    - host: demo.alb.ingress.top
      http:
        paths:
          - backend:
              serviceName: tea-svc
              servicePort: 80
            path: /tea-svc
            pathType: ImplementationSpecific
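# The same Ingress for clusters that serve networking.k8s.io/v1 (Kubernetes 1.19 and later); the one above uses v1beta1.
apiVersion: networking.k8s.io/v1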
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    alb.ingress.kubernetes.io/order: "2"
spec:
  ingressClassName: alb
  rules:
  - host: demo.alb.ingress.top
    http:
      paths:
      - path: /tea
        pathType: ImplementationSpecific
        backend:
          service:
            name: tea-svc
            port:
              number: 80

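Implement canary releases with annotations

ALB provides complex routing capabilities and supports canary releases based on Header, Cookie, and weight. Canary release is configured through annotations. To enable it, set the annotation alb.ingress.kubernetes.io/canary: "true"; different annotations then provide different canary behaviors:

Note
  • Canary priority order: Header-based > Cookie-based > weight-based (from high to low).
  • Do not delete the original rules during a canary release; otherwise the service becomes abnormal. After the canary is verified, update the backend Service in the original Ingress to the new Service, and finally delete the canary Ingress.
  • alb.ingress.kubernetes.io/canary-by-header and alb.ingress.kubernetes.io/canary-by-header-value: the value of the Request Header to match. This rule lets you customize the Request Header value, but it must be used together with alb.ingress.kubernetes.io/canary-by-header.
    • When the header and header-value in the request match the configured values, the request traffic is routed to the canary service.
    • For other header values, the header is ignored and the request traffic is routed, by canary priority, to the canary services set by other rules.
    When the request Header is location: hz, the canary service is accessed; requests with other Headers are routed to the canary service according to the canary weight. Configuration example: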
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      annotations:
        alb.ingress.kubernetes.io/order: "1"
        alb.ingress.kubernetes.io/canary: "true"
        alb.ingress.kubernetes.io/canary-by-header: "location"
        alb.ingress.kubernetes.io/canary-by-header-value: "hz"
      name: demo-canary
      namespace: default
    spec:
      ingressClassName: alb
      rules:
        - http:
            paths:
              - backend:
                  serviceName: demo-service-hello
                  servicePort: 80
                path: /hello
                pathType: ImplementationSpecific
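    # The same Ingress for clusters that serve networking.k8s.io/v1 (Kubernetes 1.19 and later); the one above uses v1beta1.
    apiVersion: networking.k8s.io/v1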
    kind: Ingress
    metadata:
      annotations:
        alb.ingress.kubernetes.io/order: "1"
        alb.ingress.kubernetes.io/canary: "true"
        alb.ingress.kubernetes.io/canary-by-header: "location"
        alb.ingress.kubernetes.io/canary-by-header-value: "hz"
      name: demo-canary
      namespace: default
    spec:
      ingressClassName: alb
      rules:
        - http:
            paths:
              - backend:
                  service:
                    name: demo-service-hello
                    port: 
                      number: 80
                path: /hello
                pathType: ImplementationSpecific

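  • alb.ingress.kubernetes.io/canary-by-cookie: Cookie-based traffic splitting.
    • When the configured cookie has the value always, the request traffic is routed to the canary service.
    • When the configured cookie has the value never, the request traffic is not routed to the canary service.
    Note: Cookie-based canary does not support custom values; only always and never are supported.
    When the request Cookie is demo=always, the canary service is accessed. Configuration example: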
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      annotations:
        alb.ingress.kubernetes.io/order: "2"
        alb.ingress.kubernetes.io/canary: "true"
        alb.ingress.kubernetes.io/canary-by-cookie: "demo"
      name: demo-canary-cookie
      namespace: default
    spec:
      ingressClassName: alb
      rules:
        - http:
            paths:
              - backend:
                  serviceName: demo-service-hello
                  servicePort: 80
                path: /hello
                pathType: ImplementationSpecific
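    # The same Ingress for clusters that serve networking.k8s.io/v1 (Kubernetes 1.19 and later); the one above uses v1beta1.
    apiVersion: networking.k8s.io/v1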
    kind: Ingress
    metadata:
      annotations:
        alb.ingress.kubernetes.io/order: "2"
        alb.ingress.kubernetes.io/canary: "true"
        alb.ingress.kubernetes.io/canary-by-cookie: "demo"
      name: demo-canary-cookie
      namespace: default
    spec:
      ingressClassName: alb
      rules:
        - http:
            paths:
              - backend:
                  service:
                    name: demo-service-hello
                    port: 
                      number: 80
                path: /hello
                pathType: ImplementationSpecific

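  • alb.ingress.kubernetes.io/canary-weight: the percentage of requests sent to the specified service (an integer from 0 to 100).

    An example that sets the weight of the canary service to 50%: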

    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      annotations:
        alb.ingress.kubernetes.io/order: "3"
        alb.ingress.kubernetes.io/canary: "true"
        alb.ingress.kubernetes.io/canary-weight: "50"
      name: demo-canary-weight
      namespace: default
    spec:
      ingressClassName: alb
      rules:
        - http:
            paths:
              - backend:
                  serviceName: demo-service-hello
                  servicePort: 80
                path: /hello
                pathType: ImplementationSpecific
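    # The same Ingress for clusters that serve networking.k8s.io/v1 (Kubernetes 1.19 and later); the one above uses v1beta1.
    apiVersion: networking.k8s.io/v1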
    kind: Ingress
    metadata:
      annotations:
        alb.ingress.kubernetes.io/order: "3"
        alb.ingress.kubernetes.io/canary: "true"
        alb.ingress.kubernetes.io/canary-weight: "50"
      name: demo-canary-weight
      namespace: default
    spec:
      ingressClassName: alb
      rules:
        - http:
            paths:
              - backend:
                  service:
                    name: demo-service-hello
                    port: 
                      number: 80
                path: /hello
                pathType: ImplementationSpecific
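
The following added example (not from the original page and not ALB's own code) models how the three canary Ingresses above combine under the stated priority order Header > Cookie > weight. The roll parameter is a hypothetical stand-in for the load balancer's weighted draw, the sample requests are constructed, and treating the cookie value never as a final decision for the stable service is an assumption.

```python
# Header and cookie values are supplied by the client: these rules select
# traffic, they do not restrict who can reach the canary service.

def parse_cookies(header):
    """Parse a Cookie request header value into a dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def pick_backend(headers, roll, by_header="location", header_value="hz",
                 by_cookie="demo", weight=50):
    """Return (backend, deciding_rule) for one request.

    headers: request headers as a dict with lower-case names.
    roll:    number in [0, 100), standing in for the weighted draw (hypothetical).
    The defaults are the annotation values of the three example Ingresses.
    """
    # 1. Header rule, highest priority. Any other header value is ignored.
    if headers.get(by_header) == header_value:
        return ("canary", "header")
    # 2. Cookie rule: only the values always and never have a meaning.
    cookie = parse_cookies(headers.get("cookie", "")).get(by_cookie)
    if cookie == "always":
        return ("canary", "cookie")
    if cookie == "never":
        # Assumption: never keeps the request off the canary even though a
        # weight rule exists.
        return ("stable", "cookie")
    # 3. Weight rule, lowest priority: weight percent of the remaining traffic.
    if roll < weight:
        return ("canary", "weight")
    return ("stable", "weight")


def route_all(sample):
    """Apply pick_backend to a list of (headers, roll) pairs."""
    return [pick_backend(headers, roll) for headers, roll in sample]


# Constructed requests: (headers, roll).
SAMPLE = [
    ({"location": "hz", "cookie": "demo=never"}, 99.0),   # header outranks cookie
    ({"location": "sh", "cookie": "demo=always"}, 99.0),  # other header value is ignored
    ({"cookie": "session=abc; demo=never"}, 0.0),
    ({}, 49.9),
    ({}, 50.0),
]

if __name__ == "__main__":
    for (headers, roll), decision in zip(SAMPLE, route_all(SAMPLE)):
        print(headers, roll, "->", decision)
```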

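Implement session persistence with annotations

ALB Ingress supports session persistence through annotations:
  • alb.ingress.kubernetes.io/sticky-session: whether to enable session persistence. Valid values: true and false. Default: false.
  • alb.ingress.kubernetes.io/sticky-session-type: how the Cookie is handled. Valid values: Insert and Server. Default: Insert.
    • Insert: inserts a Cookie. On the client's first visit, the load balancer inserts a Cookie into the response (that is, it inserts SERVERID into the HTTP or HTTPS response). When the client next sends a request carrying this Cookie, the load balancer forwards the request to the backend server recorded earlier.
    • Server: rewrites the Cookie. When the load balancer finds a user-defined Cookie, it rewrites the original Cookie. When the client next sends a request carrying the new Cookie, the load balancer forwards the request to the backend server recorded earlier.
    Note: This parameter takes effect when StickySessionEnabled is true for the current server group.
  • alb.ingress.kubernetes.io/cookie-timeout: the Cookie timeout. Unit: seconds. Valid values: 1 to 86400. Default: 1000.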
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress-v3
  annotations:
    alb.ingress.kubernetes.io/sticky-session: "true"
    alb.ingress.kubernetes.io/sticky-session-type: "Insert"
    alb.ingress.kubernetes.io/cookie-timeout: "1800"
spec:
  ingressClassName: alb
  rules:
  - http:
      paths:
      # Configure the context path.
      - path: /tea2
        backend:
          serviceName: tea-svc
          servicePort: 80
      # Configure the context path.
      - path: /coffee2
        backend:
          serviceName: coffee-svc
          servicePort: 80
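# The same Ingress for clusters that serve networking.k8s.io/v1 (Kubernetes 1.19 and later); the one above uses v1beta1.
apiVersion: networking.k8s.io/v1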
kind: Ingress
metadata:
  name: cafe-ingress-v3
  annotations:
    alb.ingress.kubernetes.io/sticky-session: "true"
    alb.ingress.kubernetes.io/sticky-session-type: "Insert"
    alb.ingress.kubernetes.io/cookie-timeout: "1800"
spec:
  ingressClassName: alb
  rules:
  - http:
      paths:
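      # Configure the context path (pathType is required in networking.k8s.io/v1).
      - path: /tea2
        pathType: ImplementationSpecific
        backend:
          service:
            name: tea-svc
            port:
              number: 80
      # Configure the context path.
      - path: /coffee2
        pathType: ImplementationSpecific
        backend:
          service:
            name: coffee-svc
            port:
              number: 80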

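Specify the load balancing algorithm for a server group

ALB Ingress lets you specify the load balancing algorithm of a server group by setting the Ingress annotation alb.ingress.kubernetes.io/backend-scheduler. Configuration example: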

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/backend-scheduler: "wlc"
  name: cafe-ingress
spec:
  ingressClassName: alb
  rules:
    - host: demo.alb.ingress.top
      http:
        paths:
          - backend:
              serviceName: tea-svc
              servicePort: 80
            path: /tea-svc
            pathType: ImplementationSpecific
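# The same Ingress for clusters that serve networking.k8s.io/v1 (Kubernetes 1.19 and later); the one above uses v1beta1.
apiVersion: networking.k8s.io/v1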
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    alb.ingress.kubernetes.io/backend-scheduler: "wlc"
spec:
  ingressClassName: alb
  rules:
  - host: demo.alb.ingress.top
    http:
      paths:
      - path: /tea
        pathType: ImplementationSpecific
        backend:
          service:
            name: tea-svc
            port:
              number: 80
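Values of the scheduling algorithm annotation alb.ingress.kubernetes.io/backend-scheduler:
  • Wrr: the default. Backend servers with higher weights are more likely to be selected.
  • Wlc: selects based on both the weight set for each backend server and its actual load (that is, its number of connections). When weights are equal, the backend server with fewer current connections is more likely to be selected.
  • Sch: consistent hashing on the source IP address.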

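CORS configuration

ALB Ingress currently supports cross-origin (CORS) configuration. Example:
Note: Using CORS on ALB currently requires whitelist permission. Submit a ticket to apply for the whitelist.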
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: alb-ingress
  annotations:
    alb.ingress.kubernetes.io/enable-cors: "true"
    alb.ingress.kubernetes.io/cors-expose-headers: ""
    alb.ingress.kubernetes.io/cors-allow-methods: "GET,POST"
    alb.ingress.kubernetes.io/cors-allow-credentials: "true"
    alb.ingress.kubernetes.io/cors-max-age: "600"

spec:
  ingressClassName: alb
  rules:
  - host: demo.alb.ingress.top
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: cloud-nodeport
            port:
              number: 80
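Parameter Description
alb.ingress.kubernetes.io/cors-allow-origin The sites that are allowed to access server resources through a browser. Separate multiple values with commas (,). Each value must start with http:// or https:// followed by a valid domain name or a first-level wildcard domain name.

Default: *. Example: alb.ingress.kubernetes.io/cors-allow-origin: "https://origin-site.com:4443, http://origin-site.com, https://example.org:1199"

alb.ingress.kubernetes.io/cors-allow-methods The methods allowed for cross-origin requests, case-insensitive. Separate multiple values with commas (,).

Default: GET, PUT, POST, DELETE, PATCH, OPTIONS. Example: alb.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"

alb.ingress.kubernetes.io/cors-allow-headers The request headers allowed for cross-origin requests. Only letters, digits, underscores (_), and hyphens (-) are allowed. Separate multiple values with commas (,).

Default: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization. Example: alb.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For, X-app123-XPTO"

alb.ingress.kubernetes.io/cors-expose-headers The list of headers that may be exposed. Letters, digits, underscores (_), hyphens (-), and asterisks (*) are allowed. Separate multiple values with commas (,).

Default: empty. Example: alb.ingress.kubernetes.io/cors-expose-headers: "*, X-CustomResponseHeader"

alb.ingress.kubernetes.io/cors-allow-credentials Whether credentials may be carried in cross-origin requests.

Default: true. Example: alb.ingress.kubernetes.io/cors-allow-credentials: "false"

alb.ingress.kubernetes.io/cors-max-age For non-simple requests, the maximum time (in seconds) that the browser caches the OPTIONS preflight request. Valid range: [-1,172800].

Default: 172800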

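Backend persistent connections

Traditional load balancing accesses backend server groups over short-lived connections: every request goes through TCP connection setup and teardown, which makes network connections the bottleneck of such high-performance systems. Backend persistent connections on the load balancer greatly reduce the resources spent on connection handling and thereby substantially improve processing performance. In ALB Ingress, you can enable backend persistent connections with the annotation alb.ingress.kubernetes.io/backend-keepalive. Example:
Note: Using backend persistent connections on ALB currently requires whitelist permission. Submit a ticket to apply for the whitelist.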
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: alb-ingress
  annotations:
    alb.ingress.kubernetes.io/backend-keepalive: "true"
spec:
  ingressClassName: alb
  rules:
  - host: demo.alb.ingress.top
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: cloud-nodeport
            port:
              number: 80

QPS rate limiting

ALB supports QPS rate limiting on forwarding rules. The limit must be between 1 and 100000. In ALB Ingress, you only need to set the alb.ingress.kubernetes.io/traffic-limit-qps annotation. Example:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    alb.ingress.kubernetes.io/traffic-limit-qps: "50"
spec:
  ingressClassName: alb
  rules:
  - host: demo.alb.ingress.top
    http:
      paths:
      - path: /tea
        pathType: ImplementationSpecific
        backend:
          service:
            name: tea-svc
            port:
              number: 80
      - path: /coffee
        pathType: ImplementationSpecific
        backend:
          service:
            name: coffee-svc
            port:
              number: 80
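
The following added example (not from the original page and not part of ALB Ingress Controller) is a pre-deployment check that applies the value ranges and annotation dependencies stated in the health check, priority, canary, session persistence, scheduler, CORS, listener port and QPS sections to Ingress manifests given as Python dicts. The sample manifests are constructed, the two review findings about CORS origins and the HTTP listener are hardening suggestions added here, and duplicate_orders assumes that all given Ingresses share one listener.

```python
import json

PREFIX = "alb.ingress.kubernetes.io/"
# Integer ranges stated on this page: annotation suffix -> (min, max).
INT_RANGES = {
    "healthcheck-timeout-seconds": (1, 300),
    "healthcheck-interval-seconds": (1, 50),
    "healthy-threshold-count": (2, 10),
    "unhealthy-threshold-count": (2, 10),
    "order": (1, 1000),
    "canary-weight": (0, 100),
    "cookie-timeout": (1, 86400),
    "traffic-limit-qps": (1, 100000),
    "cors-max-age": (-1, 172800),
}
# Enumerated values stated on this page (compared case-insensitively here).
ENUMS = {
    "healthcheck-protocol": {"http", "tcp", "grpc"},
    "healthcheck-method": {"head", "post", "get"},
    "sticky-session-type": {"insert", "server"},
    "backend-scheduler": {"wrr", "wlc", "sch"},
}


def alb_annotations(ing):
    """Return the ALB annotations of a manifest dict with the prefix stripped."""
    raw = ing.get("metadata", {}).get("annotations") or {}
    return {k[len(PREFIX):]: str(v) for k, v in raw.items() if k.startswith(PREFIX)}


def lint_ingress(ing):
    """Return a list of findings for one Ingress manifest given as a dict."""
    ann, out = alb_annotations(ing), []
    for key, (lo, hi) in INT_RANGES.items():
        if key in ann:
            try:
                in_range = lo <= int(ann[key]) <= hi
            except ValueError:
                in_range = False
            if not in_range:
                out.append(f"{key}={ann[key]!r} is outside {lo}..{hi}")
    for key, allowed in ENUMS.items():
        if key in ann and ann[key].lower() not in allowed:
            out.append(f"{key}={ann[key]!r} is not one of {sorted(allowed)}")
    # Canary annotations need canary: "true"; a header value needs the header name.
    if any(k.startswith("canary-") for k in ann) and ann.get("canary") != "true":
        out.append('canary-* annotation without canary: "true"')
    if "canary-by-header-value" in ann and "canary-by-header" not in ann:
        out.append("canary-by-header-value without canary-by-header")
    # CORS defaults given on this page: origin "*" and credentials "true".
    if ann.get("enable-cors") == "true":
        origin = ann.get("cors-allow-origin", "*").strip()
        if origin == "*" and ann.get("cors-allow-credentials", "true") == "true":
            out.append("CORS origin * with credentials allowed; list explicit origins")
    # A TLS host that is also exposed on an HTTP listener without a redirect.
    try:
        ports = list(json.loads(ann.get("listen-ports", "[]")))
    except (json.JSONDecodeError, TypeError):
        ports = []
        out.append("listen-ports is not a JSON list")
    http_open = any(isinstance(p, dict) and "HTTP" in p for p in ports)
    if ing.get("spec", {}).get("tls") and http_open and ann.get("ssl-redirect") != "true":
        out.append("TLS host also served over HTTP without ssl-redirect")
    return out


def duplicate_orders(ingresses):
    """Map each order value used more than once to the names of the Ingresses using it."""
    seen = {}
    for ing in ingresses:
        order = alb_annotations(ing).get("order")
        if order is not None:
            seen.setdefault(order, []).append(ing["metadata"]["name"])
    return {o: names for o, names in seen.items() if len(names) > 1}


def _ing(name, annotations, tls=False):
    """Build a constructed sample manifest holding only what the checks read."""
    spec = {"tls": [{"hosts": ["demo.alb.ingress.top"]}]} if tls else {}
    full = {PREFIX + k: v for k, v in annotations.items()}
    return {"metadata": {"name": name, "annotations": full}, "spec": spec}


SAMPLES = [
    _ing("cafe-ingress", {"order": "2", "traffic-limit-qps": "50", "backend-scheduler": "wlc"}),
    _ing("demo-canary-weight", {"order": "2", "canary-weight": "150"}),
    _ing("alb-ingress", {"enable-cors": "true", "cors-max-age": "600",
                         "listen-ports": '[{"HTTP": 80},{"HTTPS": 443}]'}, tls=True),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["metadata"]["name"], lint_ingress(sample))
    print("shared order values:", duplicate_orders(SAMPLES))
```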