5.1 Service Basics
1. Service Overview
A Service is the Kubernetes abstraction for exposing a set of Pods: it gives the group a stable network endpoint and load-balances traffic across them.
Service features:
- A stable IP address and DNS name
- Load balancing across the backend Pods
- Service discovery
- Several Service types for different exposure needs
Service types:
- ClusterIP - reachable only inside the cluster (default)
- NodePort - reachable through a port opened on every node
- LoadBalancer - reachable through a cloud provider's load balancer
- ExternalName - maps the name to an external service
2. ClusterIP Service
clusterip-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: web-service
  labels:
    app: web
spec:
  type: ClusterIP  # default type, can be omitted
  selector:
    app: web
    tier: frontend
  ports:
  - name: http
    port: 80          # Service port
    targetPort: 8080  # Pod port
    protocol: TCP
  - name: https
    port: 443
    targetPort: 8443
    protocol: TCP
---
# The matching Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web
      tier: frontend
  template:
    metadata:
      labels:
        app: web
        tier: frontend
    spec:
      containers:
      - name: web
        image: nginx:1.20
        ports:
        - containerPort: 8080
        - containerPort: 8443
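The most common reason a Service "does not work" is a selector that matches no Pod labels or a targetPort that no container listens on. The following script is an added example (not part of the original chapter): it audits the output of `kubectl get svc,deploy -o json` for exactly those two wiring mistakes. The sample data is constructed inline from the web-service / web-deployment pair above plus a hypothetical orphan-service whose selector is mistyped.

```python
import json

# Constructed sample in the shape `kubectl get svc,deploy -o json` returns: the web-service /
# web-deployment pair from this section plus a hypothetical mistyped Service (orphan-service).
SAMPLE = json.loads("""
{"items": [
 {"kind": "Service", "metadata": {"name": "web-service"},
  "spec": {"selector": {"app": "web", "tier": "frontend"},
           "ports": [{"name": "http", "port": 80, "targetPort": 8080},
                     {"name": "https", "port": 443, "targetPort": 8443}]}},
 {"kind": "Deployment", "metadata": {"name": "web-deployment"},
  "spec": {"template": {"metadata": {"labels": {"app": "web", "tier": "frontend"}},
                        "spec": {"containers": [{"name": "web",
                                 "ports": [{"containerPort": 8080}, {"containerPort": 8443}]}]}}}},
 {"kind": "Service", "metadata": {"name": "orphan-service"},
  "spec": {"selector": {"app": "web", "tier": "backend"},
           "ports": [{"name": "http", "port": 80, "targetPort": 9090}]}}
]}
""")

def selector_matches(selector, labels):
    """Equality-based selector: every key/value pair must be present in the Pod labels."""
    return all(labels.get(k) == v for k, v in selector.items())

def pod_ports(pod_spec):
    """Names and numbers of all ports declared by the containers of a Pod template."""
    declared = set()
    for container in pod_spec.get("containers", []):
        for p in container.get("ports", []):
            declared.add(p.get("containerPort"))
            if p.get("name"):
                declared.add(p["name"])
    return declared

def check_service(service, workloads):
    """Findings for one Service: a selector that matches no workload, or a targetPort the
    matched Pods do not declare. containerPort is informational, so an undeclared targetPort
    still works at runtime; the mismatch is a wiring smell worth a look, not a hard error."""
    name = service["metadata"]["name"]
    selector = service["spec"].get("selector") or {}
    if not selector:
        return []  # selector-less Service: its Endpoints are managed by hand
    backing = [w for w in workloads
               if selector_matches(selector, w["spec"]["template"]["metadata"].get("labels", {}))]
    if not backing:
        return [f"{name}: selector {selector} matches no workload, the Service has no endpoints"]
    declared = set()
    for w in backing:
        declared |= pod_ports(w["spec"]["template"]["spec"])
    findings = []
    for sp in service["spec"].get("ports", []):
        target = sp.get("targetPort", sp["port"])  # targetPort defaults to port
        if target not in declared:
            findings.append(f"{name}: port {sp['port']} targets {target!r}, which backing Pods do not declare")
    return findings

def audit(objects):
    """Run check_service over every Service in a `kubectl get ... -o json` item list."""
    workloads = [o for o in objects["items"] if o["kind"] in ("Deployment", "StatefulSet", "DaemonSet")]
    return [f for o in objects["items"] if o["kind"] == "Service" for f in check_service(o, workloads)]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against a live namespace with `kubectl get svc,deploy,sts,ds -n <ns> -o json | python3 audit.py` after replacing SAMPLE with `json.load(sys.stdin)`. Named targetPorts are resolved against container port names, which is why pod_ports collects both names and numbers.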
3. NodePort Service
nodeport-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: web-nodeport-service
spec:
  type: NodePort
  selector:
    app: web
  ports:
  - name: http
    port: 80
    targetPort: 8080
    nodePort: 30080  # optional; if omitted, a port in the 30000-32767 range is allocated automatically
    protocol: TCP
  - name: https
    port: 443
    targetPort: 8443
    nodePort: 30443
    protocol: TCP
4. LoadBalancer Service
loadbalancer-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: web-loadbalancer-service
  annotations:
    # Cloud-provider-specific annotations
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
spec:
  type: LoadBalancer
  selector:
    app: web
  ports:
  - name: http
    port: 80
    targetPort: 8080
    protocol: TCP
  - name: https
    port: 443
    targetPort: 8443
    protocol: TCP
  # Requested load balancer IP (optional; deprecated since Kubernetes 1.24 in favour of provider annotations)
  loadBalancerIP: 192.168.1.100
  # Source IP ranges allowed to reach the load balancer
  loadBalancerSourceRanges:
  - 10.0.0.0/8
  - 192.168.0.0/16
5. ExternalName Service
externalname-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: external-database-service
spec:
  type: ExternalName
  externalName: database.example.com
  ports:
  - port: 3306
    targetPort: 3306
    protocol: TCP
---
# Example Pod that uses it
apiVersion: v1
kind: Pod
metadata:
  name: app-pod
spec:
  containers:
  - name: app
    image: mysql:8.0
    env:
    - name: MYSQL_HOST
      value: "external-database-service"  # the Service name; cluster DNS answers with a CNAME for database.example.com
    - name: MYSQL_PORT
      value: "3306"
5.2 Advanced Service Configuration
1. Session Affinity
session-affinity-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: session-affinity-service
spec:
  type: ClusterIP
  selector:
    app: web
  ports:
  - port: 80
    targetPort: 8080
  # Session affinity: keep routing a given client IP to the same Pod
  sessionAffinity: ClientIP
  sessionAffinityConfig:
    clientIP:
      timeoutSeconds: 10800  # 3 hours
2. Multi-Port Service
multi-port-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: multi-port-service
spec:
  selector:
    app: multi-app
  ports:
  - name: web
    port: 80
    targetPort: web-port  # a named targetPort is resolved against the container port names
    protocol: TCP
  - name: api
    port: 8080
    targetPort: api-port
    protocol: TCP
  - name: metrics
    port: 9090
    targetPort: metrics-port
    protocol: TCP
  - name: grpc
    port: 50051
    targetPort: grpc-port
    protocol: TCP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: multi-app-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: multi-app
  template:
    metadata:
      labels:
        app: multi-app
    spec:
      containers:
      - name: app
        image: myapp:latest
        ports:
        - name: web-port
          containerPort: 80
        - name: api-port
          containerPort: 8080
        - name: metrics-port
          containerPort: 9090
        - name: grpc-port
          containerPort: 50051
3. Headless Service
headless-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: headless-service
spec:
  clusterIP: None  # None creates a headless Service: DNS returns the Pod IPs instead of a virtual IP
  selector:
    app: database
  ports:
  - port: 3306
    targetPort: 3306
---
# StatefulSet example
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: mysql-statefulset
spec:
  serviceName: headless-service
  replicas: 3
  selector:
    matchLabels:
      app: database
  template:
    metadata:
      labels:
        app: database
    spec:
      containers:
      - name: mysql
        image: mysql:8.0
        env:
        - name: MYSQL_ROOT_PASSWORD
          value: "password"  # placeholder for the example; in a real deployment read it from a Secret with valueFrom.secretKeyRef
        ports:
        - containerPort: 3306
        volumeMounts:
        - name: mysql-storage
          mountPath: /var/lib/mysql
  volumeClaimTemplates:
  - metadata:
      name: mysql-storage
    spec:
      accessModes: ["ReadWriteOnce"]
      resources:
        requests:
          storage: 10Gi
4. External IP Service
external-ip-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: external-ip-service
spec:
  selector:
    app: web
  ports:
  - port: 80
    targetPort: 8080
  # Traffic that reaches a node with one of these destination addresses is routed to the Service;
  # Kubernetes does not manage the addresses, they must already route to the cluster nodes
  externalIPs:
  - 192.168.1.100
  - 192.168.1.101
  type: ClusterIP
5.3 Endpoints and EndpointSlices
1. Manually Managed Endpoints
manual-endpoints.yaml
# Service without a selector
apiVersion: v1
kind: Service
metadata:
  name: external-service
spec:
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
---
# Manually created Endpoints
apiVersion: v1
kind: Endpoints
metadata:
  name: external-service  # must match the Service name
subsets:
- addresses:
  - ip: 192.168.1.100
  - ip: 192.168.1.101
  ports:
  - port: 80
    protocol: TCP
2. EndpointSlice Example
endpointslices.yaml
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
  name: web-service-slice
  labels:
    kubernetes.io/service-name: web-service
addressType: IPv4
ports:
- name: http
  port: 80
  protocol: TCP
endpoints:
- addresses:
  - "10.244.1.10"
  conditions:
    ready: true
    serving: true
    terminating: false
  hostname: pod-1
  nodeName: worker-1
- addresses:
  - "10.244.2.10"
  conditions:
    ready: true
    serving: true
    terminating: false
  hostname: pod-2
  nodeName: worker-2
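The three conditions on an EndpointSlice endpoint (ready, serving, terminating) decide which Pod IPs actually receive traffic. The following added example (not part of the original chapter, and a simplification of kube-proxy's real logic, not its code) shows the selection rule: ready endpoints are used; only when none is ready does traffic fall back to endpoints that are still serving while terminating, which is what keeps a Service reachable during a rolling update. The sample slice is constructed from web-service-slice above, extended with a draining endpoint and one that failed its readiness probe.

```python
import json

# Constructed sample EndpointSlice modelled on web-service-slice above, extended with one endpoint
# that is draining (serving but terminating) and one that failed its readiness probe.
SLICE = json.loads("""
{"apiVersion": "discovery.k8s.io/v1", "kind": "EndpointSlice",
 "metadata": {"name": "web-service-slice",
              "labels": {"kubernetes.io/service-name": "web-service"}},
 "addressType": "IPv4",
 "ports": [{"name": "http", "port": 80, "protocol": "TCP"}],
 "endpoints": [
  {"addresses": ["10.244.1.10"], "hostname": "pod-1", "nodeName": "worker-1",
   "conditions": {"ready": true, "serving": true, "terminating": false}},
  {"addresses": ["10.244.2.10"], "hostname": "pod-2", "nodeName": "worker-2",
   "conditions": {"ready": true, "serving": true, "terminating": false}},
  {"addresses": ["10.244.3.10"], "hostname": "pod-3", "nodeName": "worker-3",
   "conditions": {"ready": false, "serving": true, "terminating": true}},
  {"addresses": ["10.244.4.10"], "hostname": "pod-4", "nodeName": "worker-1",
   "conditions": {"ready": false, "serving": false, "terminating": false}}
 ]}
""")

def endpoint_state(endpoint):
    """Normalise the conditions the way the EndpointSlice API documents them:
    an absent 'ready' is treated as ready, an absent 'serving' defers to 'ready',
    and an absent 'terminating' means the endpoint is not shutting down."""
    cond = endpoint.get("conditions", {})
    ready = cond.get("ready")
    ready = True if ready is None else ready
    serving = cond.get("serving")
    serving = ready if serving is None else serving
    terminating = bool(cond.get("terminating", False))
    return ready, serving, terminating

def eligible_addresses(slice_obj):
    """Simplified kube-proxy selection: ready endpoints receive traffic; only when none is
    ready does traffic fall back to endpoints that are still serving while terminating.
    Endpoints that are neither ready nor serving never receive traffic."""
    ready_addrs, draining_addrs = [], []
    for ep in slice_obj.get("endpoints", []):
        ready, serving, terminating = endpoint_state(ep)
        if ready:
            ready_addrs.extend(ep["addresses"])
        elif serving and terminating:
            draining_addrs.extend(ep["addresses"])
    return ready_addrs or draining_addrs

def backend_targets(slice_obj, port_name="http"):
    """(address, port) pairs the named Service port currently resolves to."""
    port = next(p["port"] for p in slice_obj["ports"] if p.get("name") == port_name)
    return [(addr, port) for addr in eligible_addresses(slice_obj)]

def all_draining(slice_obj):
    """Copy of the slice in which every ready endpoint has entered graceful termination:
    the moment during a rolling update when the new Pods are not ready yet."""
    out = json.loads(json.dumps(slice_obj))
    for ep in out["endpoints"]:
        if endpoint_state(ep)[0]:
            ep["conditions"] = {"ready": False, "serving": True, "terminating": True}
    return out

if __name__ == "__main__":
    print("normal:", backend_targets(SLICE))
    print("rolling update:", eligible_addresses(all_draining(SLICE)))
```

When a Service shows endpoints in `kubectl get endpointslices` but traffic still fails, compare the conditions: an endpoint with ready false and serving false is a Pod whose readiness probe fails, and no selection rule will send it traffic.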
5.4 Ingress Basics
1. Ingress Concept
An Ingress is the Kubernetes API object that manages external access to Services inside the cluster, typically HTTP and HTTPS routing.
Ingress features:
- HTTP/HTTPS routing
- Routing by host name and path
- TLS termination
- Load balancing
- Virtual hosts
2. Basic Ingress Example
basic-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: basic-ingress
  annotations:
    # Note: rewrite-target: / rewrites every matched request path to "/", so /api/users reaches
    # api-service as "/"; drop the annotation unless that is the intended behaviour
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: myapp.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 8080
3. Multi-Host Ingress
multi-host-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: multi-host-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  rules:
  # Main site
  - host: www.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: frontend-service
            port:
              number: 80
  # API site
  - host: api.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 8080
      - path: /v2
        pathType: Prefix
        backend:
          service:
            name: api-v2-service
            port:
              number: 8080
  # Admin console
  - host: admin.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: admin-service
            port:
              number: 3000
4. TLS Ingress
tls-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # With this annotation cert-manager issues the certificate and creates and renews the Secret
    # named in spec.tls itself; the manually created Secret below is for clusters without cert-manager
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
  - hosts:
    - secure.example.com
    - api.example.com
    secretName: example-tls-secret
  rules:
  - host: secure.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: secure-service
            port:
              number: 80
  - host: api.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 8080
---
# TLS Secret (created manually)
apiVersion: v1
kind: Secret
metadata:
  name: example-tls-secret
type: kubernetes.io/tls
data:
  tls.crt: LS0tLS1CRUdJTi...  # base64-encoded PEM certificate
  tls.key: LS0tLS1CRUdJTi...  # base64-encoded PEM private key
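A host that appears in spec.rules but in no spec.tls entry is served over plain HTTP, and a spec.tls entry that names a missing or mistyped Secret makes the controller fall back to its default certificate. The following added example (not from the original chapter) checks an Ingress list for both conditions. The sample objects are constructed inline from tls-ingress and multi-host-ingress above, plus a hypothetical broken-ingress and Secrets whose certificate bytes are placeholders.

```python
import json

# Constructed sample: Ingresses from this chapter plus the Secrets present in the namespace, in the
# shape `kubectl get ingress,secret -o json` returns (certificate bytes are placeholders, not real PEM).
OBJECTS = json.loads("""
{"items": [
 {"kind": "Ingress", "metadata": {"name": "tls-ingress"},
  "spec": {"tls": [{"hosts": ["secure.example.com", "api.example.com"], "secretName": "example-tls-secret"}],
           "rules": [{"host": "secure.example.com"}, {"host": "api.example.com"}]}},
 {"kind": "Ingress", "metadata": {"name": "multi-host-ingress"},
  "spec": {"rules": [{"host": "www.example.com"}, {"host": "api.example.com"}, {"host": "admin.example.com"}]}},
 {"kind": "Ingress", "metadata": {"name": "broken-ingress"},
  "spec": {"tls": [{"hosts": ["shop.example.com"], "secretName": "shop-tls-secret"},
                   {"hosts": ["blog.example.com"], "secretName": "missing-secret"}],
           "rules": [{"host": "shop.example.com"}, {"host": "blog.example.com"}]}},
 {"kind": "Secret", "metadata": {"name": "example-tls-secret"}, "type": "kubernetes.io/tls",
  "data": {"tls.crt": "LS0tLS1CRUdJTi4uLg==", "tls.key": "LS0tLS1CRUdJTi4uLg=="}},
 {"kind": "Secret", "metadata": {"name": "shop-tls-secret"}, "type": "Opaque",
  "data": {"tls.crt": "LS0tLS1CRUdJTi4uLg=="}}
]}
""")

def tls_findings(ingress, secrets_by_name):
    """Problems in one Ingress: hosts served without TLS, dangling or malformed TLS Secrets."""
    spec = ingress.get("spec", {})
    findings, covered = [], set()
    for entry in spec.get("tls", []):
        covered.update(entry.get("hosts", []))
        sname = entry.get("secretName")
        secret = secrets_by_name.get(sname)
        if secret is None:
            findings.append(f"tls secretName {sname!r} does not exist in the namespace")
            continue
        if secret.get("type") != "kubernetes.io/tls":
            findings.append(f"Secret {sname} has type {secret.get('type')!r}, expected kubernetes.io/tls")
        missing = sorted({"tls.crt", "tls.key"} - set(secret.get("data", {})))
        if missing:
            findings.append(f"Secret {sname} is missing keys {missing}")
    for rule in spec.get("rules", []):
        host = rule.get("host")
        if host and host not in covered:
            findings.append(f"host {host} has no tls entry and is served over plain HTTP")
    return findings

def audit_tls(objects):
    """Map each Ingress name to its findings, resolving Secrets by name from the same list."""
    secrets = {o["metadata"]["name"]: o for o in objects["items"] if o["kind"] == "Secret"}
    return {o["metadata"]["name"]: tls_findings(o, secrets)
            for o in objects["items"] if o["kind"] == "Ingress"}

if __name__ == "__main__":
    for name, findings in audit_tls(OBJECTS).items():
        print(name, "->", findings or "ok")
```

The check is structural only: it does not parse the certificate, so an expired certificate or one whose SANs do not cover the listed hosts passes. Pair it with `openssl x509 -noout -dates -ext subjectAltName` on the decoded tls.crt when the Secret is managed by hand.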
5.5 Ingress Controller
1. Installing the NGINX Ingress Controller
install-nginx-ingress.sh
#!/bin/bash
set -e
echo "=== 安装Nginx Ingress Controller ==="
# Method 1: apply the official manifest (pinned to a release; review the manifest before applying it to a cluster)
echo "1. 使用官方YAML安装:"
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/cloud/deploy.yaml
# Method 2: install with Helm
echo -e "\n2. 使用Helm安装(可选):"
# helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
# helm repo update
# helm install ingress-nginx ingress-nginx/ingress-nginx
# Wait for the rollout to finish
echo -e "\n3. 等待部署完成:"
kubectl wait --namespace ingress-nginx \
  --for=condition=ready pod \
  --selector=app.kubernetes.io/component=controller \
  --timeout=120s
# Check status
echo -e "\n4. 查看Ingress Controller状态:"
kubectl get pods -n ingress-nginx
kubectl get svc -n ingress-nginx
echo -e "\n=== Nginx Ingress Controller安装完成 ==="
2. Custom NGINX Ingress Controller Deployment
custom-nginx-ingress.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx-ingress-controller
  template:
    metadata:
      labels:
        app: nginx-ingress-controller
    spec:
      serviceAccountName: nginx-ingress-serviceaccount
      containers:
      - name: nginx-ingress-controller
        image: k8s.gcr.io/ingress-nginx/controller:v1.8.1  # k8s.gcr.io is frozen; newer releases are published on registry.k8s.io
        args:
        - /nginx-ingress-controller
        - --configmap=$(POD_NAMESPACE)/nginx-configuration
        - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
        - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
        - --publish-service=$(POD_NAMESPACE)/ingress-nginx
        - --annotations-prefix=nginx.ingress.kubernetes.io
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443
        - name: metrics
          containerPort: 10254
        resources:
          requests:
            cpu: 100m
            memory: 90Mi
          limits:
            cpu: 200m
            memory: 200Mi
        livenessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 30
          timeoutSeconds: 5
        readinessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          periodSeconds: 10
          timeoutSeconds: 5
---
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
  - name: https
    port: 443
    targetPort: 443
    protocol: TCP
  selector:
    app: nginx-ingress-controller
3. Traefik Ingress Controller
traefik-ingress.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik-ingress-controller
  template:
    metadata:
      labels:
        app: traefik-ingress-controller
    spec:
      serviceAccountName: traefik-ingress-controller
      containers:
      - name: traefik
        image: traefik:v2.10
        args:
        - --api.insecure=true  # serves the dashboard and API on :8080 without authentication; lab use only
        - --providers.kubernetesingress=true
        - --entrypoints.web.address=:80
        - --entrypoints.websecure.address=:443
        - --certificatesresolvers.letsencrypt.acme.email=admin@example.com
        - --certificatesresolvers.letsencrypt.acme.storage=/data/acme.json
        - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
        ports:
        - name: web
          containerPort: 80
        - name: websecure
          containerPort: 443
        - name: admin
          containerPort: 8080
        volumeMounts:
        - name: data
          mountPath: /data
      volumes:
      - name: data
        emptyDir: {}  # acme.json (ACME account key and certificates) is lost on Pod restart; use a PersistentVolumeClaim to keep it
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  type: LoadBalancer
  ports:
  - name: web
    port: 80
    targetPort: 80
  - name: websecure
    port: 443
    targetPort: 443
  - name: admin  # publishes the unauthenticated dashboard through the load balancer; remove this port outside a lab
    port: 8080
    targetPort: 8080
  selector:
    app: traefik-ingress-controller
5.6 Advanced Ingress Configuration
1. Path Rewrites and Redirects
rewrite-redirect-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rewrite-redirect-ingress
  annotations:
    # Path rewrite: $2 is the second capture group of the regex path below
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    # Permanent (301) redirect; a redirect annotation applies to every request of this Ingress
    nginx.ingress.kubernetes.io/permanent-redirect: https://newdomain.com
    # Temporary (302) redirect; in practice only one of the two redirect annotations is set,
    # both are shown here for illustration
    nginx.ingress.kubernetes.io/temporal-redirect: https://maintenance.example.com
    # Custom redirect through a server snippet. Snippet annotations inject raw nginx configuration,
    # so ingress-nginx 1.9+ disables them by default (allow-snippet-annotations in the ConfigMap)
    nginx.ingress.kubernetes.io/server-snippet: |
      location /old-path {
        return 301 https://example.com/new-path;
      }
spec:
  rules:
  - host: example.com
    http:
      paths:
      # Rewrite example: /api/v1/users -> /users
      - path: /api/v1(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 8080
      # Static files
      - path: /static
        pathType: Prefix
        backend:
          service:
            name: static-service
            port:
              number: 80
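To see how a request is matched and rewritten before it reaches a backend, the following added example (not from the original chapter, and a model rather than ingress-nginx's implementation) walks requests through a routing table built from rewrite-redirect-ingress above. It covers the Prefix semantics used by every Ingress in this chapter (element-wise on "/" boundaries, so /static does not match /statics) and the capture-group rewrite; a hypothetical catch-all "/" rule to web-service is added so unmatched paths have somewhere to go, and the longest-expression-wins precedence is a simplification of the controller's ordering.

```python
import re

# Constructed routing table for host example.com, modelled on rewrite-redirect-ingress above
# (api and static paths) plus a hypothetical catch-all "/" rule to web-service.
# A rule's path is treated as a regex when it carries a rewrite with capture groups.
RULES = [
    {"host": "example.com", "path": r"/api/v1(/|$)(.*)", "regex": True,
     "service": "api-service", "port": 8080, "rewrite": "/$2"},
    {"host": "example.com", "path": "/static", "regex": False,
     "service": "static-service", "port": 80, "rewrite": None},
    {"host": "example.com", "path": "/", "regex": False,
     "service": "web-service", "port": 80, "rewrite": None},
]

def prefix_match(prefix, path):
    """pathType Prefix semantics: match on '/'-separated path elements, so /static
    matches /static and /static/css but not /statics."""
    if prefix == "/":
        return True
    p = prefix.rstrip("/")
    return path == p or path.startswith(p + "/")

def apply_rewrite(template, match):
    """Replace $1, $2, ... in rewrite-target with the regex capture groups."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))) or "", template)

def route(host, path, rules=RULES):
    """(service, port, path_sent_upstream) for a request, or None when nothing matches.
    Among matching rules the longest path expression wins, a simplification of the
    most-specific-match ordering the controller applies."""
    candidates = []
    for r in rules:
        if r["host"] != host:
            continue
        if r["regex"]:
            m = re.match(r["path"], path)
            if m:
                upstream = apply_rewrite(r["rewrite"], m) if r["rewrite"] else path
                candidates.append((len(r["path"]), r["service"], r["port"], upstream))
        elif prefix_match(r["path"], path):
            candidates.append((len(r["path"]), r["service"], r["port"], path))
    if not candidates:
        return None
    _, service, port, upstream = max(candidates, key=lambda c: c[0])
    return service, port, upstream

if __name__ == "__main__":
    for p in ["/api/v1/users", "/api/v1", "/api/v1x", "/static/app.css", "/statics"]:
        print(p, "->", route("example.com", p))
```

Two things the walk-through makes visible: the `(/|$)` group is what stops /api/v1x from being treated as an API call, and a bare /api/v1 is rewritten to "/" because the second group is empty.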
2. Authentication and Authorization
auth-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: auth-ingress
  annotations:
    # Basic authentication
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth-secret
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
    # External (OAuth) authentication: each request is first sent to auth-url; on 401/403 the client is redirected to auth-signin
    nginx.ingress.kubernetes.io/auth-url: https://auth.example.com/oauth2/auth
    nginx.ingress.kubernetes.io/auth-signin: https://auth.example.com/oauth2/start
    # Source IP allow-list
    nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,192.168.0.0/16
    # Rate limiting: 100 requests per minute per client IP (ingress-nginx has no rate-limit /
    # rate-limit-window annotations; limit-rps, limit-rpm and limit-connections are the supported ones)
    nginx.ingress.kubernetes.io/limit-rpm: "100"
spec:
  rules:
  - host: secure.example.com
    http:
      paths:
      - path: /admin
        pathType: Prefix
        backend:
          service:
            name: admin-service
            port:
              number: 80
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 8080
---
# Basic-auth Secret
apiVersion: v1
kind: Secret
metadata:
  name: basic-auth-secret
type: Opaque
data:
  auth: YWRtaW46JGFwcjEkSDY1dnBkJE8vbGpxd...  # htpasswd output (user:hash), base64-encoded
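Both loadBalancerSourceRanges (section 5.1) and whitelist-source-range above are evaluated against the source address the enforcing component actually sees. When the controller sits behind a cloud load balancer or another proxy, that address is the proxy's, and the real client is only known from X-Forwarded-For, a header any client can set. The following added example (not from the original chapter) shows the two decisions that make such a list meaningful: CIDR membership, and honouring the forwarded header only when the direct peer is a trusted proxy. In ingress-nginx the equivalent switches are the ConfigMap keys use-forwarded-headers and proxy-real-ip-cidr; the trusted proxy range used here (192.0.2.0/24) is constructed.

```python
import ipaddress

# Constructed from the whitelist-source-range annotation above.
ALLOWED_RANGES = [ipaddress.ip_network(c.strip())
                  for c in "10.0.0.0/8,192.168.0.0/16".split(",")]

def client_allowed(client_ip, ranges=ALLOWED_RANGES):
    """True when the address falls inside one of the allow-listed CIDRs."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in ranges)

def effective_client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Decide which address the allow-list is evaluated against.
    X-Forwarded-For is honoured only when the direct peer is a trusted proxy (e.g. the load
    balancer in front of the controller); from any other peer the header is ignored because the
    client wrote it. Within the chain, the right-most address that is not itself a trusted proxy
    is the client: anything to its left was supplied by the client and is not trusted."""
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    peer = ipaddress.ip_address(remote_addr)
    if not x_forwarded_for or not is_trusted(peer):
        return str(peer)
    chain = [ipaddress.ip_address(h.strip()) for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(chain):
        if not is_trusted(hop):
            return str(hop)
    return str(chain[0])  # every hop is one of our proxies; keep the left-most address

def request_permitted(remote_addr, x_forwarded_for, trusted_proxies, ranges=ALLOWED_RANGES):
    """Allow-list decision for one request, combining the two functions above."""
    return client_allowed(effective_client_ip(remote_addr, x_forwarded_for, trusted_proxies), ranges)

if __name__ == "__main__":
    lb = ["192.0.2.0/24"]  # constructed: address range of the load balancer in front of nginx
    print(request_permitted("192.0.2.10", "10.1.2.3", lb))               # True: client 10.1.2.3 arrived via the LB
    print(request_permitted("203.0.113.7", "10.1.2.3", lb))              # False: header from an untrusted peer is ignored
    print(request_permitted("192.0.2.10", "10.1.2.3, 203.0.113.7", lb))  # False: 10.1.2.3 was prepended by the client
```

The practical check on a cluster: with the list in place, send a request from an address outside the ranges and confirm it gets 403 rather than 200. If everything is allowed, the controller is seeing the load balancer's address; if everything is denied, it is seeing the load balancer's address and the load balancer is not in the list.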
3. Load Balancing and Session Persistence
load-balancing-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: load-balancing-ingress
  annotations:
    # Load-balancing algorithm (supported values: round_robin, the default, or ewma)
    nginx.ingress.kubernetes.io/load-balance: "round_robin"
    # Cookie-based session persistence
    nginx.ingress.kubernetes.io/affinity: "cookie"
    nginx.ingress.kubernetes.io/affinity-mode: "persistent"
    nginx.ingress.kubernetes.io/session-cookie-name: "INGRESSCOOKIE"
    nginx.ingress.kubernetes.io/session-cookie-expires: "86400"
    nginx.ingress.kubernetes.io/session-cookie-max-age: "86400"
    nginx.ingress.kubernetes.io/session-cookie-path: "/"
    # Upstream keepalive settings. Note: these are keys of the ingress-nginx ConfigMap, not
    # per-Ingress annotations; as annotations they are ignored and belong in the controller's ConfigMap
    nginx.ingress.kubernetes.io/upstream-keepalive-connections: "32"
    nginx.ingress.kubernetes.io/upstream-keepalive-requests: "100"
    nginx.ingress.kubernetes.io/upstream-keepalive-timeout: "60s"
spec:
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-service
            port:
              number: 80
4. Health Checks and Failover
health-check-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: health-check-ingress
  annotations:
    # Active health checks. Note: open-source ingress-nginx does not implement active upstream
    # health checks and does not recognise the upstream-health-check-* annotations below;
    # backends leave rotation through Pod readiness probes, and the passive proxy-next-upstream
    # settings further down decide what happens when a backend fails a request
    nginx.ingress.kubernetes.io/upstream-health-check: "true"
    nginx.ingress.kubernetes.io/upstream-health-check-path: "/health"
    nginx.ingress.kubernetes.io/upstream-health-check-timeout: "5s"
    nginx.ingress.kubernetes.io/upstream-health-check-interval: "10s"
    nginx.ingress.kubernetes.io/upstream-health-check-passes: "2"
    nginx.ingress.kubernetes.io/upstream-health-check-fails: "3"
    # Failover: retry the request on the next backend for these conditions
    nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503"
    nginx.ingress.kubernetes.io/proxy-next-upstream-timeout: "30"
    nginx.ingress.kubernetes.io/proxy-next-upstream-tries: "3"
    # Timeouts (values are bare numbers of seconds)
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "5"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "60"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "60"
spec:
  rules:
  - host: resilient.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-service
            port:
              number: 80
5.7 Service Mesh Integration
1. Istio Gateway
istio-gateway.yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: app-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - app.example.com
    tls:
      httpsRedirect: true  # answer plain HTTP with a 301 to HTTPS
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: app-tls-secret  # kubernetes.io/tls Secret in the namespace of the ingress gateway workload
    hosts:
    - app.example.com
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: app-virtualservice
spec:
  hosts:
  - app.example.com
  gateways:
  - app-gateway
  http:
  - match:
    - uri:
        prefix: /api/v1
    route:
    - destination:
        host: api-service
        port:
          number: 8080
    # Fault injection: delays 0.1% of requests by 5s; a chaos-testing setting, not for production routes
    fault:
      delay:
        percentage:
          value: 0.1
        fixedDelay: 5s
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: frontend-service
        port:
          number: 80
    retries:
      attempts: 3
      perTryTimeout: 2s
2. Linkerd Ingress
linkerd-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: linkerd-ingress
  annotations:
    # Proxy to the Service's ClusterIP instead of individual Pod IPs, so the Linkerd proxy can load-balance and apply mTLS
    nginx.ingress.kubernetes.io/service-upstream: "true"
    nginx.ingress.kubernetes.io/upstream-vhost: "app.example.com"
    linkerd.io/inject: enabled
spec:
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-service
            port:
              number: 80
---
apiVersion: v1
kind: Service
metadata:
  name: app-service
  annotations:
    linkerd.io/inject: enabled  # injection is decided on the namespace or the workload's Pod template; on an Ingress or Service this annotation has no effect
spec:
  selector:
    app: myapp
  ports:
  - port: 80
    targetPort: 8080
5.8 Monitoring and Troubleshooting
1. Service Monitoring
service-monitor.sh
#!/bin/bash
SERVICE_NAME=$1
NAMESPACE=${2:-default}
if [ -z "$SERVICE_NAME" ]; then
  echo "Usage: $0 <service-name> [namespace]"
  exit 1
fi
echo "=== Service监控: $SERVICE_NAME (namespace: $NAMESPACE) ==="
# Basic Service information
echo "1. Service基本信息:"
kubectl get service "$SERVICE_NAME" -n "$NAMESPACE" -o wide
# Detailed Service information
echo -e "\n2. Service详细信息:"
kubectl describe service "$SERVICE_NAME" -n "$NAMESPACE"
# Endpoints
echo -e "\n3. Endpoints信息:"
kubectl get endpoints "$SERVICE_NAME" -n "$NAMESPACE"
kubectl describe endpoints "$SERVICE_NAME" -n "$NAMESPACE"
# EndpointSlices
echo -e "\n4. EndpointSlices信息:"
kubectl get endpointslices -l "kubernetes.io/service-name=$SERVICE_NAME" -n "$NAMESPACE"
# Backend Pod status (derive a label selector from the Service's selector)
echo -e "\n5. 后端Pod状态:"
SELECTOR=$(kubectl get service "$SERVICE_NAME" -n "$NAMESPACE" -o jsonpath='{.spec.selector}' | jq -r 'to_entries | map("\(.key)=\(.value)") | join(",")')
if [ "$SELECTOR" != "null" ] && [ -n "$SELECTOR" ]; then
  kubectl get pods -l "$SELECTOR" -n "$NAMESPACE" -o wide
else
  echo "Service没有selector,无法查看后端Pod"
fi
# Connectivity test from a throwaway Pod (skipped for headless Services, which have no ClusterIP)
echo -e "\n6. 测试Service连通性:"
SERVICE_IP=$(kubectl get service "$SERVICE_NAME" -n "$NAMESPACE" -o jsonpath='{.spec.clusterIP}')
SERVICE_PORT=$(kubectl get service "$SERVICE_NAME" -n "$NAMESPACE" -o jsonpath='{.spec.ports[0].port}')
if [ "$SERVICE_IP" != "None" ]; then
  echo "测试Service IP: $SERVICE_IP:$SERVICE_PORT"
  kubectl run test-pod --image=busybox:1.35 --rm -i --restart=Never -- sh -c "nc -zv $SERVICE_IP $SERVICE_PORT" 2>/dev/null || echo "连接测试失败"
fi
# DNS resolution test
echo -e "\n7. DNS解析测试:"
kubectl run test-pod --image=busybox:1.35 --rm -i --restart=Never -- sh -c "nslookup $SERVICE_NAME.$NAMESPACE.svc.cluster.local" 2>/dev/null || echo "DNS解析失败"
echo -e "\n=== Service监控完成 ==="
2. Ingress Monitoring
ingress-monitor.sh
#!/bin/bash
INGRESS_NAME=$1
NAMESPACE=${2:-default}
if [ -z "$INGRESS_NAME" ]; then
  echo "Usage: $0 <ingress-name> [namespace]"
  exit 1
fi
echo "=== Ingress监控: $INGRESS_NAME (namespace: $NAMESPACE) ==="
# Basic Ingress information
echo "1. Ingress基本信息:"
kubectl get ingress "$INGRESS_NAME" -n "$NAMESPACE" -o wide
# Detailed Ingress information
echo -e "\n2. Ingress详细信息:"
kubectl describe ingress "$INGRESS_NAME" -n "$NAMESPACE"
# Ingress Controller status
echo -e "\n3. Ingress Controller状态:"
kubectl get pods -n ingress-nginx -l app.kubernetes.io/component=controller
# Ingress Controller logs (last 50 lines)
echo -e "\n4. Ingress Controller日志(最近50行):"
CONTROLLER_POD=$(kubectl get pods -n ingress-nginx -l app.kubernetes.io/component=controller -o jsonpath='{.items[0].metadata.name}')
if [ -n "$CONTROLLER_POD" ]; then
  kubectl logs "$CONTROLLER_POD" -n ingress-nginx --tail=50
else
  echo "未找到Ingress Controller Pod"
fi
# Backend Service status
echo -e "\n5. 后端Service状态:"
kubectl get ingress "$INGRESS_NAME" -n "$NAMESPACE" -o json | jq -r '.spec.rules[].http.paths[].backend.service.name' | sort -u | while read -r service; do
  if [ -n "$service" ]; then
    echo "Service: $service"
    kubectl get service "$service" -n "$NAMESPACE"
  fi
done
# TLS certificate check (describe shows the Secret's type and key names, not the key material)
echo -e "\n6. TLS证书检查:"
kubectl get ingress "$INGRESS_NAME" -n "$NAMESPACE" -o json | jq -r '.spec.tls[]?.secretName' | while read -r secret; do
  if [ -n "$secret" ]; then
    echo "TLS Secret: $secret"
    kubectl get secret "$secret" -n "$NAMESPACE"
    kubectl describe secret "$secret" -n "$NAMESPACE"
  fi
done
# External access test
echo -e "\n7. 外部访问测试:"
HOSTS=$(kubectl get ingress "$INGRESS_NAME" -n "$NAMESPACE" -o json | jq -r '.spec.rules[].host')
INGRESS_IP=$(kubectl get ingress "$INGRESS_NAME" -n "$NAMESPACE" -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
if [ -n "$INGRESS_IP" ]; then
  echo "Ingress IP: $INGRESS_IP"
  for host in $HOSTS; do
    if [ -n "$host" ]; then
      echo "测试访问: http://$host"
      curl -H "Host: $host" -I "http://$INGRESS_IP/" 2>/dev/null || echo "访问测试失败"
    fi
  done
else
  echo "Ingress IP未分配"
fi
echo -e "\n=== Ingress监控完成 ==="
3. Network Troubleshooting
network-troubleshoot.sh
#!/bin/bash
echo "=== 网络故障排查 ==="
# Start a throwaway diagnostics Pod (removed on exit because of --rm)
echo "1. 创建网络测试Pod:"
kubectl run netshoot --image=nicolaka/netshoot --rm -it --restart=Never -- bash -c '
echo "=== 网络诊断工具箱 ==="
echo "可用命令:"
echo "- ping <target> # 测试连通性"
echo "- nslookup <domain> # DNS解析"
echo "- curl <url> # HTTP测试"
echo "- nc -zv <host> <port> # 端口测试"
echo "- traceroute <target> # 路由跟踪"
echo "- ss -tuln # 查看监听端口"
echo "- ip route # 查看路由表"
echo "- iptables -L # 查看防火墙规则"
echo
echo "测试集群内服务:"
echo "nslookup kubernetes.default.svc.cluster.local"
nslookup kubernetes.default.svc.cluster.local
echo
echo "测试外网连通性:"
echo "ping -c 3 8.8.8.8"
ping -c 3 8.8.8.8
echo
echo "进入交互模式,输入exit退出"
bash
'
echo -e "\n=== 网络故障排查完成 ==="
Summary
This chapter covered the core concepts and usage of Services and Ingress, including:
Core Service concepts
- Service types - ClusterIP, NodePort, LoadBalancer, ExternalName
- Service discovery - DNS resolution, environment variables
- Load balancing - round robin, session affinity
- Endpoint management - Endpoints, EndpointSlices
Ingress features
- HTTP routing - routing by host name and path
- TLS termination - HTTPS certificate management
- Load balancing - several load-balancing algorithms
- Advanced features - authentication, rate limiting, rewrites
Network management
- Service exposure - internal services, external access
- Traffic control - routing rules, traffic splitting
- Security configuration - authentication and authorization, network policies
- Performance tuning - connection pooling, health checks
Monitoring and operations
- Status monitoring - Service status, endpoint status
- Troubleshooting - network connectivity, DNS resolution
- Performance analysis - latency monitoring, throughput analysis
- Log analysis - access logs, error logs
Best practices
- Service design - choose the Service type deliberately
- Route planning - clear routing rules
- Security configuration - enable TLS, configure authentication
- Monitoring and alerting - a complete monitoring setup
Things to watch
- Network policies - make sure the required connectivity is allowed
- DNS configuration - correct DNS resolution
- Certificate management - renewing and maintaining TLS certificates
- Performance tuning - sensible timeout and retry settings
In the next chapter we will look at ConfigMap and Secret and how to manage application configuration and sensitive data.