# Service and Ingress

## Overview

Skills for exposing workloads with Services, configuring Ingress routing, and terminating TLS at the edge.
## Service types

### ClusterIP (default)

```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  type: ClusterIP
  selector:
    app: nginx
  ports:
    - port: 80
      targetPort: 8080
```
### NodePort

```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  type: NodePort
  selector:
    app: nginx
  ports:
    - port: 80
      targetPort: 8080
      nodePort: 30080 # must fall in the default NodePort range 30000-32767
```
### LoadBalancer

```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  type: LoadBalancer
  selector:
    app: nginx
  ports:
    - port: 80
      targetPort: 8080
```
### ExternalName

```yaml
apiVersion: v1
kind: Service
metadata:
  name: external-db
spec:
  type: ExternalName
  externalName: db.example.com
```
### Headless Service

```yaml
apiVersion: v1
kind: Service
metadata:
  name: headless-service
spec:
  clusterIP: None
  selector:
    app: nginx
  ports:
    - port: 80
```
## Service operations

```bash
# List and inspect Services
kubectl get svc
kubectl get svc -o wide
kubectl describe svc service-name

# Create a Service from an existing Deployment
kubectl expose deploy deployment-name --port=80 --target-port=8080
kubectl expose deploy deployment-name --type=NodePort --port=80

# Delete a Service
kubectl delete svc service-name

# Test a Service from a throwaway Pod inside the cluster
kubectl run test --rm -it --image=busybox -- wget -qO- http://service-name
```
## Ingress configuration

### Basic Ingress

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-service
                port:
                  number: 80
```
### Multi-path Ingress

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: multi-path-ingress
spec:
  ingressClassName: nginx
  rules:
    - host: example.com
      http:
        paths:
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: api-service
                port:
                  number: 80
          - path: /web
            pathType: Prefix
            backend:
              service:
                name: web-service
                port:
                  number: 80
```
### Multi-host Ingress

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: multi-host-ingress
spec:
  ingressClassName: nginx
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api-service
                port:
                  number: 80
    - host: web.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web-service
                port:
                  number: 80
```
## TLS configuration

### Create a TLS Secret

```bash
# Create from certificate and private key files
kubectl create secret tls tls-secret --cert=cert.pem --key=key.pem

# Inspect the Secret
kubectl get secret tls-secret -o yaml
```
### Ingress with TLS

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - example.com
      secretName: tls-secret
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-service
                port:
                  number: 80
```
### Automatic certificates with cert-manager

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: auto-tls-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - example.com
      secretName: example-tls
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-service
                port:
                  number: 80
```
## Ingress annotations

### Common ingress-nginx annotations

```yaml
metadata:
  annotations:
    # Path rewrite (the path must define the capture group referenced here)
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    # Redirect HTTP to HTTPS
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Proxy timeouts (seconds)
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
    # Request body size limit
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
    # Rate limiting (requests per second accepted from one client IP)
    nginx.ingress.kubernetes.io/limit-rps: "10"
    # WebSocket: HTTP/1.1 to the upstream, hash by URI to pin a client to one backend
    nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
    nginx.ingress.kubernetes.io/upstream-hash-by: "$request_uri"
    # CORS ("*" admits every origin; list the expected origins in production)
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-origin: "*"
```
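The TLS and annotation sections above each describe one setting in isolation; in a real cluster you want to see them together per object. The following script is an added example (not part of the skill or of ingress-nginx) that audits the JSON shape `kubectl get ingress,svc -A -o json` emits and flags hosts served without a `spec.tls` entry, regex paths not declared `ImplementationSpecific`, wildcard CORS, basic auth without TLS, and Services that are reachable from outside the cluster. The sample document is constructed inline and the object names in it are made up.

```python
"""Audit Ingress/Service objects for exposure settings worth a second look.
Added example, not part of the skill; input is the kubectl -o json List shape."""
import json
import re
import sys

ANN = "nginx.ingress.kubernetes.io/"


def _backend(name):
    return {"service": {"name": name, "port": {"number": 80}}}


# Constructed sample in `kubectl get ingress,svc -A -o json` shape; not from a real cluster.
SAMPLE = {"items": [
    {"kind": "Ingress",
     "metadata": {"name": "tls-ingress", "namespace": "default",
                  "annotations": {ANN + "ssl-redirect": "true"}},
     "spec": {"ingressClassName": "nginx",
              "tls": [{"hosts": ["example.com"], "secretName": "tls-secret"}],
              "rules": [{"host": "example.com", "http": {"paths": [
                  {"path": "/", "pathType": "Prefix", "backend": _backend("my-service")}]}}]}},
    {"kind": "Ingress",
     "metadata": {"name": "api-ingress", "namespace": "default",
                  "annotations": {ANN + "rewrite-target": "/$2",
                                  ANN + "enable-cors": "true",
                                  ANN + "cors-allow-origin": "*",
                                  ANN + "auth-type": "basic",
                                  ANN + "auth-secret": "basic-auth"}},
     "spec": {"ingressClassName": "nginx",
              "rules": [{"host": "api.example.com", "http": {"paths": [
                  {"path": "/api(/|$)(.*)", "pathType": "Prefix", "backend": _backend("api-service")}]}}]}},
    {"kind": "Service", "metadata": {"name": "my-service", "namespace": "default"},
     "spec": {"type": "ClusterIP", "selector": {"app": "nginx"}, "ports": [{"port": 80, "targetPort": 8080}]}},
    {"kind": "Service", "metadata": {"name": "public-svc", "namespace": "default"},
     "spec": {"type": "LoadBalancer", "selector": {"app": "nginx"}, "ports": [{"port": 80, "targetPort": 8080}]}},
    {"kind": "Service", "metadata": {"name": "external-db", "namespace": "default"},
     "spec": {"type": "ExternalName", "externalName": "db.example.com"}},
]}

REGEX_CHARS = re.compile(r"[()$|*+?\[\]]")  # any of these makes the path a regex


def audit_ingress(ing):
    """Return a list of (object ref, message) findings for one Ingress."""
    meta = ing["metadata"]
    ref = f"ingress/{meta.get('namespace', 'default')}/{meta['name']}"
    ann = meta.get("annotations") or {}
    spec = ing.get("spec", {})
    tls_hosts = {h for t in spec.get("tls", []) for h in t.get("hosts", [])}
    out = []
    for rule in spec.get("rules", []):
        host = rule.get("host", "*")
        if host not in tls_hosts:
            out.append((ref, f"host {host} has no spec.tls entry: served over plain HTTP"))
        for p in rule.get("http", {}).get("paths", []):
            path = p.get("path", "/")
            if REGEX_CHARS.search(path) and p.get("pathType") != "ImplementationSpecific":
                out.append((ref, f"regex path {path} must use pathType ImplementationSpecific"))
    # ingress-nginx redirects to HTTPS by default once TLS exists; flag an explicit opt-out
    if tls_hosts and ann.get(ANN + "ssl-redirect", "true") != "true":
        out.append((ref, "ssl-redirect disabled although TLS is configured"))
    if ann.get(ANN + "cors-allow-origin") == "*":
        out.append((ref, "cors-allow-origin is '*': any web origin may call this backend"))
    if ANN + "auth-type" in ann and not tls_hosts:
        out.append((ref, "auth-type set without TLS: credentials would cross the network in clear"))
    return out


def audit_service(svc):
    """Return findings for one Service; only exposure beyond the cluster is flagged."""
    meta = svc["metadata"]
    ref = f"service/{meta.get('namespace', 'default')}/{meta['name']}"
    spec = svc.get("spec", {})
    stype = spec.get("type", "ClusterIP")
    if stype in ("NodePort", "LoadBalancer"):
        return [(ref, f"type {stype}: reachable from outside the cluster, bypassing Ingress rules")]
    if stype == "ExternalName":
        return [(ref, f"ExternalName -> {spec.get('externalName')}: in-cluster name resolves to external DNS")]
    return []


def audit(doc):
    """Audit every Ingress and Service item in a kubectl List document."""
    findings = []
    for item in doc.get("items", []):
        if item.get("kind") == "Ingress":
            findings.extend(audit_ingress(item))
        elif item.get("kind") == "Service":
            findings.extend(audit_service(item))
    return findings


if __name__ == "__main__":
    # Live use: kubectl get ingress,svc -A -o json | python audit_exposure.py -
    doc = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for ref, msg in audit(doc):
        print(f"{ref}: {msg}")
```

Run it as-is to see the constructed sample audited, or pipe real kubectl output into it with `-`. Every check mirrors one item from the sections above, so a finding points straight back at the manifest field to fix.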
## Ingress operations

```bash
# List and inspect Ingress resources
kubectl get ingress
kubectl get ing -o wide
kubectl describe ing ingress-name

# Check the Ingress Controller
kubectl get pods -n ingress-nginx
kubectl logs -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx

# Test routing through the controller without DNS
curl -H "Host: example.com" http://ingress-ip/
```
## Common scenarios

### Scenario 1: path rewrite

```yaml
# /api/v1/users -> /v1/users (capture group $2 is everything after "/api/")
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
  rules:
    - host: example.com
      http:
        paths:
          - path: /api(/|$)(.*)
            # regex paths need ImplementationSpecific; ingress-nginx rejects regex characters under Prefix
            pathType: ImplementationSpecific
            backend:
              service:
                name: api-service
                port:
                  number: 80
```
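To see exactly which request paths the regex above catches and what the `/$2` target turns them into, here is an added example (not part of the skill or of ingress-nginx) that simulates the rewrite with Python's `re`. It assumes what ingress-nginx does with a regex path: the expression is matched from the start of the URI in a case-insensitive `location ~*` block, and `$N` in `rewrite-target` is replaced by capture group N. The URIs in the table are constructed.

```python
"""Simulate the ingress-nginx capture-group rewrite from the scenario above.
Added example, not part of the skill; behaviour modelled on nginx regex locations."""
import re

# Constructed from the manifest above: the regex path and the rewrite-target.
PATH_PATTERN = r"/api(/|$)(.*)"
REWRITE_TARGET = "/$2"


def rewrite(uri, path_pattern=PATH_PATTERN, target=REWRITE_TARGET):
    """Return the rewritten upstream path, or None when the rule does not match.

    ingress-nginx turns a regex path into a case-insensitive `location ~*` block
    anchored at the start of the URI; $N in rewrite-target is capture group N.
    """
    m = re.match(path_pattern, uri, re.IGNORECASE)
    if m is None:
        return None
    # substitute $1, $2, ... with the captured text (empty if the group captured nothing)
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", target)


def rewrite_table(uris):
    """Map each request URI to its rewritten path (None means no match, so no backend)."""
    return {u: rewrite(u) for u in uris}


if __name__ == "__main__":
    for uri, path in rewrite_table(["/api/v1/users", "/api", "/api/", "/apiv2/x", "/other"]).items():
        print(f"{uri:15} -> {path}")
```

Two edge cases are worth noticing: `/api` with no trailing slash still matches (the `(/|$)` alternative accepts end-of-string) and is rewritten to `/`, while `/apiv2/x` does not match at all because neither `/` nor end-of-string follows `/api`.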
### Scenario 2: session affinity

```yaml
metadata:
  annotations:
    nginx.ingress.kubernetes.io/affinity: "cookie"
    nginx.ingress.kubernetes.io/session-cookie-name: "route"
    nginx.ingress.kubernetes.io/session-cookie-expires: "172800"
```
### Scenario 3: basic authentication

```bash
# Create the htpasswd file and store it in a Secret (the key must be named "auth")
htpasswd -c auth admin
kubectl create secret generic basic-auth --from-file=auth
```

```yaml
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
```
### Scenario 4: debugging Service connectivity

```bash
# Check that the Service has Endpoints
kubectl get endpoints service-name

# Test Pod -> Service from a throwaway Pod
kubectl run test --rm -it --image=busybox -- sh
wget -qO- http://service-name:port

# Check in-cluster DNS
kubectl run test --rm -it --image=busybox -- nslookup service-name
```
## Troubleshooting

| Problem | What to check |
|---|---|
| Service unreachable | Endpoints, Pod labels vs. the selector |
| Ingress returns 404 | Path configuration, backend Service name and port |
| TLS error | Certificate Secret, host name matches the certificate |
| 502 Bad Gateway | Backend Pod status, readiness/health checks |

```bash
# Check Service Endpoints
kubectl get endpoints service-name

# Check Ingress Controller logs
kubectl logs -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx --tail=100

# Test the backend directly, bypassing the Ingress
kubectl port-forward svc/service-name 8080:80
curl localhost:8080
```
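The first row of the table and Scenario 4 both come down to the same question: which Pods does the Service actually select, and why are some of them missing from its Endpoints? The following added example (not part of the skill) automates that cross-check over the `kubectl -o json` shapes of a Service and a Pod list: it applies the selector, checks the Ready condition, and compares `targetPort` with the declared `containerPort`s. The Service and the four Pods are constructed in the script; the Pod names and label values are invented.

```python
"""Diagnose why a Service has no (or fewer than expected) ready endpoints.
Added example, not part of the skill; input is the kubectl -o json object shape."""


def _pod(name, labels, ready, container_port):
    """Build a minimal Pod object in kubectl -o json shape (constructed sample)."""
    return {
        "metadata": {"name": name, "labels": labels},
        "spec": {"containers": [{"name": "app", "ports": [{"containerPort": container_port}]}]},
        "status": {"phase": "Running",
                   "conditions": [{"type": "Ready", "status": "True" if ready else "False"}]},
    }


# Constructed sample: the ClusterIP Service from above plus four candidate Pods.
SERVICE = {"metadata": {"name": "my-service"},
           "spec": {"selector": {"app": "nginx"}, "ports": [{"port": 80, "targetPort": 8080}]}}
PODS = {"items": [
    _pod("nginx-a", {"app": "nginx"}, ready=True, container_port=8080),     # healthy endpoint
    _pod("nginx-b", {"app": "nginx"}, ready=False, container_port=8080),    # readiness probe failing
    _pod("nginx-c", {"app": "nginx-v2"}, ready=True, container_port=8080),  # label does not match
    _pod("nginx-d", {"app": "nginx"}, ready=True, container_port=80),       # targetPort not declared
]}


def selector_matches(selector, labels):
    """A Service selects a Pod when every selector label is present with the same value."""
    return all(labels.get(k) == v for k, v in selector.items())


def pod_ready(pod):
    """Only Running Pods with condition Ready=True are placed in Endpoints."""
    status = pod.get("status", {})
    return status.get("phase") == "Running" and any(
        c.get("type") == "Ready" and c.get("status") == "True" for c in status.get("conditions", []))


def container_ports(pod):
    """Port numbers and names declared under containers[].ports."""
    ports = set()
    for c in pod["spec"].get("containers", []):
        for p in c.get("ports", []):
            ports.add(p.get("containerPort"))
            if p.get("name"):
                ports.add(p["name"])
    return ports


def diagnose(service, pods):
    """Return {'ready_endpoints': [...], 'issues': [...]} for one Service."""
    selector = service["spec"].get("selector") or {}
    issues, ready = [], []
    if not selector:
        issues.append("service has no selector: its Endpoints must be managed by hand")
        return {"ready_endpoints": ready, "issues": issues}
    matched = [p for p in pods["items"]
               if selector_matches(selector, p["metadata"].get("labels") or {})]
    if not matched:
        issues.append(f"no pod carries labels {selector}; compare with the pod template labels")
    targets = {sp.get("targetPort", sp["port"]) for sp in service["spec"].get("ports", [])}
    for pod in matched:
        name = pod["metadata"]["name"]
        if not pod_ready(pod):
            issues.append(f"{name}: selected but not Ready, so it is left out of Endpoints")
            continue
        missing = targets - container_ports(pod)
        if missing:
            # kube-proxy forwards to targetPort regardless; an undeclared port usually means
            # the process listens elsewhere, which shows up as connection refused / 502
            issues.append(f"{name}: no containerPort declared for targetPort {sorted(missing, key=str)}")
        ready.append(name)
    return {"ready_endpoints": ready, "issues": issues}


if __name__ == "__main__":
    result = diagnose(SERVICE, PODS)
    print("ready endpoints:", result["ready_endpoints"])
    for issue in result["issues"]:
        print("issue:", issue)
```

On the sample, `nginx-a` and `nginx-d` end up as ready endpoints, `nginx-b` is reported as selected-but-not-Ready, `nginx-d` as listening on a different port than `targetPort`, and `nginx-c` is silently ignored because its label never matched; if no Pod matches at all, the script says so, which is the usual cause of an empty `kubectl get endpoints` output.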
Source: https://github.com/chaterm/terminal-skills/blob/main/kubernetes/service-ingress/SKILL.md

## Overview
You can expose Pods with a Kubernetes Service, choosing among the ClusterIP, NodePort, LoadBalancer, ExternalName, and Headless types; an Ingress resource, backed by an Ingress Controller, then adds host- and path-based routing, TLS termination, and certificate management. This skill covers the full flow from basic exposure through multi-path and multi-host routing to automated TLS, so you can quickly set up an external entry point.

## How This Skill Works

You first use a Service to turn a set of backend Pods into a stable, addressable abstraction; the Ingress resource defines the external routing rules, and the Ingress Controller running in the cluster performs the actual forwarding. TLS is handled by referencing a certificate Secret in the Ingress `tls` field, and integrating with cert-manager automates certificate issuance and renewal. An Ingress Controller (such as nginx) usually must already be running in the cluster, and the domain name must point at the controller's IP.

## When to Use It

- You need to expose an application to users or clients outside the cluster
- You need to route requests to several backend Services by host name or path
- You need to terminate TLS for incoming HTTP/HTTPS traffic and manage certificates
- You need multi-host routing (for example api.example.com and web.example.com)
- You need to debug DNS and Endpoints, or verify backend connectivity and health

## Quick Start

- Deploy your application (Deployment/Pod) and make sure its labels can be used by the Service selector, for example `app: my-app`
- Create a ClusterIP Service (the default) to expose the backend port, for example exposing the Pod's 8080 as port 80 inside the cluster
- Install, or confirm that one is running, an Ingress Controller (such as nginx-ingress) in the cluster
- Create an Ingress resource that points at the Service with a host and path, for example `example.com/` to `my-service:80`
- If you need TLS, create the `tls-secret` Secret and reference it via `secretName` in the Ingress `tls` field; with cert-manager the certificate can be issued automatically
- Request the entry point (for example http(s)://example.com) to verify that routing works

## Best Practices

- Terminate TLS at the Ingress layer and keep SSL/TLS handling out of the backends as far as possible
- Give every path an explicit `pathType` (Prefix is recommended) to avoid routing ambiguity
- Use stable Secret names for TLS and keep them consistent within the namespace
- When using cert-manager, configure a ClusterIssuer/Issuer so certificates are issued and renewed automatically
- After every deployment change, confirm through the Ingress Controller logs and an Endpoints check that routes are active and forward correctly to the backend Services

## Example Use Cases

- Basic host routing: route `/` on example.com to my-service, with path protection and the TLS certificate handled by the Ingress controller
- Multi-path routing: `/api` to api-service and `/web` to web-service, splitting one host across several backends
- Multi-host routing: api.example.com to api-service and web.example.com to web-service, each with its own TLS certificate
- Certificate automation: issue and automatically renew the TLS certificate for example.com through cert-manager and letsencrypt-prod, referencing tls-secret in the Ingress YAML
- Session affinity / load balancing: cookie-based session affinity through nginx annotations, keeping load fluctuation to a minimum