Amazon Web Services k8s ingress: securing an application with HTTPS

Tags: amazon-web-services, kubernetes, google-cloud-platform, kubernetes-ingress, nginx-ingress
I have a k8s app (a web API) that was first exposed via NodePort (I used port forwarding to run it, and it worked as expected), accessed like localhost:8080/api/v1/users

```yaml
apiVersion: v1
kind: Service
metadata:
  name: fzr
  labels:
    app: fzr
    tier: service
spec:
  type: LoadBalancer
  ports:
    - port: 8080
  selector:
    app: fzr
```
Then I created a Service of type LoadBalancer to expose it externally, which works fine, e.g. http://myhost:8080/api/v1/users

```yaml
apiVersion: v1
kind: Service
metadata:
  name: fzr
  labels:
    app: fzr
    tier: service
spec:
  type: LoadBalancer
  ports:
    - port: 8080
  selector:
    app: fzr
```
Now we need to make it secure, and after reading about the topic we decided to use an Ingress. This is what I did:

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ctr-ingress
  selector:
    app: fzr
spec:
  ports:
    - name: https
      port: 443
      targetPort: https
```
Now I want to run it like this: https://myhost:443/api/v1/users

```yaml
apiVersion: v1
kind: Service
metadata:
  name: fzr
  labels:
    app: fzr
    tier: service
spec:
  type: LoadBalancer
  ports:
    - port: 8080
  selector:
    app: fzr
```
This is not working; I am not able to run the app on port 443 as https. Please advise.

It looks to me like you are using a Service-type yaml template to deploy an Ingress, but incorrectly. targetPort should be a numeric port, and in any case I don't think "https" is a valid value there (though I may be wrong).

Something like this:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: fzr-ingress
spec:
  type: NodePort
  selector:
    app: fzr
  ports:
    - protocol: TCP
      port: 443
      targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
  name: gcs-ingress
  namespace: default
spec:
  rules:
    - host: myhost
      http:
        paths:
          - backend:
              # the NodePort Service above; the original fzr Service only exposes 8080
              serviceName: fzr-ingress
              servicePort: 443
            path: /api/v1/users
  tls:
    - hosts:
        - myhost
      secretName: myhosts-tls
```
Now you have a NodePort Service listening on 443 that forwards traffic to your fzr pods listening on port 8080.

However, the fact that you are listening on port 443 does nothing by itself to secure your application. To encrypt the traffic you need a TLS certificate, which must be provided to the Ingress as a Secret.

If this looks a bit complicated (because it is), you might consider starting from

In any case, your Ingress yaml would look like this:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: fzr-ingress
spec:
  type: NodePort
  selector:
    app: fzr
  ports:
    - protocol: TCP
      port: 443
      targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
  name: gcs-ingress
  namespace: default
spec:
  rules:
    - host: myhost
      http:
        paths:
          - backend:
              # the NodePort Service above; the original fzr Service only exposes 8080
              serviceName: fzr-ingress
              servicePort: 443
            path: /api/v1/users
  tls:
    - hosts:
        - myhost
      secretName: myhosts-tls
```
More information on how to configure this ingress
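The answer makes two wiring points: the Ingress backend must reference a Service and a port that Service actually exposes, and tls.secretName must point at a kubernetes.io/tls Secret or the listener on 443 encrypts nothing. The script below is an added example, not code from the question or the answer; it builds the TLS Secret manifest and checks an Ingress against the Services and Secrets in its namespace. The manifests are embedded as Python dicts (the shape a YAML loader produces) so it runs without a YAML library, the PEM bodies are constructed placeholders, and the function names `tls_secret_manifest` and `check_ingress` are this example's own.

```python
import base64
from typing import Any, Dict, List

# Constructed manifests as Python dicts (the shape a YAML loader would produce),
# so this runs without a YAML library. Names mirror the answer's manifests.
SERVICE_FZR: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "fzr", "labels": {"app": "fzr", "tier": "service"}},
    "spec": {"type": "LoadBalancer", "selector": {"app": "fzr"},
             "ports": [{"port": 8080}]},
}
SERVICE_FZR_INGRESS: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "fzr-ingress"},
    "spec": {"type": "NodePort", "selector": {"app": "fzr"},
             "ports": [{"protocol": "TCP", "port": 443, "targetPort": 8080}]},
}
INGRESS_OK: Dict[str, Any] = {
    "apiVersion": "extensions/v1beta1", "kind": "Ingress",
    "metadata": {"name": "gcs-ingress",
                 "annotations": {"kubernetes.io/ingress.class": "nginx"}},
    "spec": {
        "rules": [{"host": "myhost", "http": {"paths": [
            {"path": "/api/v1/users",
             "backend": {"serviceName": "fzr-ingress", "servicePort": 443}}]}}],
        "tls": [{"hosts": ["myhost"], "secretName": "myhosts-tls"}],
    },
}
# The asker's first attempt: Service-style fields on an Ingress, no rules, no tls.
INGRESS_BROKEN: Dict[str, Any] = {
    "apiVersion": "extensions/v1beta1", "kind": "Ingress",
    "metadata": {"name": "ctr-ingress", "selector": {"app": "fzr"}},
    "spec": {"ports": [{"name": "https", "port": 443, "targetPort": "https"}]},
}

# Constructed placeholder PEM bodies; a real deployment uses a certificate issued
# for the ingress host (from a CA or cert-manager), not material like this.
FAKE_CERT_PEM = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
FAKE_KEY_PEM = b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"


def tls_secret_manifest(name: str, cert_pem: bytes, key_pem: bytes) -> Dict[str, Any]:
    """Build the kubernetes.io/tls Secret an Ingress tls.secretName points at.
    Values under `data` are base64, as `kubectl create secret tls ... -o yaml` emits."""
    return {
        "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
        "metadata": {"name": name},
        "data": {"tls.crt": base64.b64encode(cert_pem).decode("ascii"),
                 "tls.key": base64.b64encode(key_pem).decode("ascii")},
    }


def check_ingress(ingress: Dict[str, Any], services: List[Dict[str, Any]],
                  secrets: List[Dict[str, Any]]) -> List[str]:
    """Return human-readable problems with an Ingress, given the Services and
    Secrets that exist in its namespace. An empty list means it wires up."""
    problems: List[str] = []
    meta, spec = ingress.get("metadata", {}), ingress.get("spec", {})
    if "selector" in meta or "ports" in spec:
        problems.append("selector/ports are Service fields and mean nothing on an Ingress")
    rules = spec.get("rules", [])
    if not rules:
        problems.append("no spec.rules: nothing is routed to any backend")
    svc_by_name = {s["metadata"]["name"]: s for s in services}
    for rule in rules:
        for path in rule.get("http", {}).get("paths", []):
            backend = path.get("backend", {})
            svc = svc_by_name.get(backend.get("serviceName"))
            if svc is None:
                problems.append(f"backend Service {backend.get('serviceName')!r} does not exist")
                continue
            wanted = backend.get("servicePort")
            # servicePort may reference a Service port by number or by name
            if not any(wanted in (p.get("port"), p.get("name")) for p in svc["spec"]["ports"]):
                problems.append(f"Service {svc['metadata']['name']!r} exposes no port {wanted!r}")
    tls = spec.get("tls", [])
    if not tls:
        problems.append("no spec.tls: the ingress will serve plaintext HTTP only")
    rule_hosts = {r.get("host") for r in rules}
    secret_by_name = {s["metadata"]["name"]: s for s in secrets}
    for entry in tls:
        sec = secret_by_name.get(entry.get("secretName"))
        if sec is None:
            problems.append(f"TLS Secret {entry.get('secretName')!r} does not exist")
        elif sec.get("type") != "kubernetes.io/tls" or not {"tls.crt", "tls.key"} <= set(sec.get("data", {})):
            problems.append(f"Secret {entry.get('secretName')!r} lacks tls.crt/tls.key or is not type kubernetes.io/tls")
        for host in entry.get("hosts", []):
            if host not in rule_hosts:
                problems.append(f"TLS host {host!r} has no matching rule")
    return problems


if __name__ == "__main__":
    secret = tls_secret_manifest("myhosts-tls", FAKE_CERT_PEM, FAKE_KEY_PEM)
    for label, ing, secs in [("broken", INGRESS_BROKEN, []), ("fixed", INGRESS_OK, [secret])]:
        print(label, check_ingress(ing, [SERVICE_FZR, SERVICE_FZR_INGRESS], secs) or "OK")
```

Run as-is it reports three problems for the asker's Ingress (Service fields on an Ingress, no rules, no tls) and none for the answer's, provided the Secret exists. Pointing the backend at `fzr` with `servicePort: 443` instead of `fzr-ingress` is flagged too, since the fzr Service only exposes 8080; the same check is worth running before `kubectl apply`, because the API server accepts such a manifest and the failure only shows up as 503s from the controller.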