Service definition
A Kubernetes Service is an abstraction layer: it defines a logical grouping of Pods and a policy by which those Pods can be accessed. Pods are connected to a Service via a Label Selector.
A Service provides load balancing, but only at layer 4 (TCP/UDP), not at layer 7 (HTTP); layer 7 load balancing can be achieved with an Ingress.
Service types
- ClusterIP: the default type. A virtual IP address is allocated automatically and is reachable only from inside the cluster.
- NodePort: on top of ClusterIP, binds a port for the Service on every node so that it can be reached from outside the cluster.
- LoadBalancer: on top of NodePort, creates an external load balancer with the cloud provider and forwards requests to the NodePort. This is a paid offering of third-party providers such as Alibaba Cloud and AWS.
- ExternalName: maps an external service into the cluster so that it can be used from inside the cluster under a cluster-internal name. If the address of the external service changes, only the ExternalName Service has to be updated, not the Pods inside the cluster.
Service implementation principle
Service proxy modes
kube-proxy has gone through three proxy modes: userspace -> iptables -> ipvs
IPVS proxy mode
Like iptables, IPVS is built on the netfilter hook function, but it uses hash tables as its underlying data structure and runs in kernel space, so IPVS can redirect traffic faster and also offers more load-balancing algorithms:
- rr: round robin
- lc: least connection
- dh: destination hashing
- sh: source hashing
- sed: shortest expected delay
- nq: never queue
Note that the IPVS kernel modules must be loaded on the node. If they are not, kube-proxy falls back to iptables mode by default.
Service example
- Start by creating a Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-nginx            # resource names must be lowercase RFC 1123 labels
  labels:
    app: myNginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myNginx
  template:
    metadata:
      name: my-nginx
      labels:
        app: myNginx
        version: 1.7.9      # a Service selector can match on this label as well
    spec:
      containers:
      - name: my-nginx
        image: nginx:1.7.9
        imagePullPolicy: IfNotPresent
      restartPolicy: Always
- Create a NodePort Service that maps to the Pods of the Deployment according to the selector
apiVersion: v1
kind: Service
metadata:
  name: ng-service          # resource names must be lowercase RFC 1123 labels
spec:
  selector:                 # label keys are case-sensitive and must match the Pod template exactly
    app: myNginx
    version: 1.7.9
  ports:
  - port: 80                # targetPort defaults to port when omitted
  type: NodePort
- Create an ExternalName Service
apiVersion: v1
kind: Service
metadata:
  name: my-service          # resource names must be lowercase RFC 1123 labels
spec:
  type: ExternalName
  externalName: hub.icepear.cn   # no selector and no ClusterIP: cluster DNS answers with a CNAME
Once the Service is created, the cluster DNS name my-service.default.svc.cluster.local exists (default being the namespace). Inside the cluster you simply access my-service.default.svc.cluster.local, and the request is then forwarded to the corresponding externalName domain.
The relationship between Services and Pods is many-to-many.
In IPVS mode the forwarding rules can be inspected with ipvsadm -Ln; in iptables mode with iptables -t nat -nvL.
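Added example, not part of the original page: a small Python linter over constructed manifests that checks the rules the Service section relies on. Resource names must be lowercase RFC 1123 labels, every selector key/value must be present on the Pod template or the Service gets no Endpoints, a numeric targetPort should be a declared containerPort, and NodePort/LoadBalancer types expose the Pods outside the cluster. The manifests are Python dicts (so no YAML library is needed) and deliberately contain the defects the checks are meant to catch.

```python
import re

# Constructed manifests as Python dicts so the block runs without a YAML library.
# They deliberately contain common defects: a mixed-case resource name, a selector
# key ("Version") that matches no Pod label, and a targetPort no container declares.
DEPLOYMENT = {
    "kind": "Deployment", "metadata": {"name": "myNginx"},
    "spec": {"template": {
        "metadata": {"labels": {"app": "myNginx", "version": "1.7.9"}},
        "spec": {"containers": [{"name": "nginx", "ports": [{"containerPort": 80}]}]}}},
}
SERVICE = {
    "kind": "Service", "metadata": {"name": "ng-service"},
    "spec": {"type": "NodePort",
             "selector": {"app": "myNginx", "Version": "1.7.9"},
             "ports": [{"port": 80, "targetPort": 8080}]},
}

# Kubernetes object names must be lowercase RFC 1123 labels.
DNS1123_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")


def lint(service, deployment):
    """Return a list of findings for a Service/Deployment pair (empty list = clean)."""
    findings = []
    # 1. The API server rejects names that are not lowercase RFC 1123 labels.
    for obj in (service, deployment):
        name = obj["metadata"]["name"]
        if not DNS1123_LABEL.match(name):
            findings.append(f"{obj['kind']} name {name!r} is not a lowercase RFC 1123 label")
    # 2. Every selector key/value must be on the Pod template; otherwise the Service
    #    gets no Endpoints and forwards to nothing (label keys are case-sensitive).
    pod_labels = deployment["spec"]["template"]["metadata"].get("labels", {})
    for key, value in service["spec"].get("selector", {}).items():
        if pod_labels.get(key) != value:
            findings.append(f"selector {key}={value} matches no Pod label")
    # 3. A numeric targetPort should be a port the container actually declares.
    declared = {p["containerPort"]
                for c in deployment["spec"]["template"]["spec"]["containers"]
                for p in c.get("ports", [])}
    for port in service["spec"].get("ports", []):
        target = port.get("targetPort", port["port"])
        if isinstance(target, int) and declared and target not in declared:
            findings.append(f"targetPort {target} is not a declared containerPort")
    # 4. NodePort and LoadBalancer open the Pods to traffic from outside the cluster.
    svc_type = service["spec"].get("type", "ClusterIP")
    if svc_type in ("NodePort", "LoadBalancer"):
        findings.append(f"type {svc_type} exposes the Pods outside the cluster")
    return findings
```

Running lint(SERVICE, DEPLOYMENT) reports all four defects; an ExternalName Service has no selector by design, so check 2 simply produces nothing for it.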
Service Ingress
Reference: the Ingress-Nginx official website
HTTP proxy example:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app              # resource names must be lowercase RFC 1123 labels
  labels:
    app: myApp
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myApp
  template:
    metadata:
      name: my-app
      labels:
        app: myApp
    spec:
      containers:
      - name: my-app
        image: icepear/myapp:v1   # image repository names must be lowercase
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
      restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
  name: ng-service
spec:
  selector:
    app: myApp
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
  type: NodePort            # ClusterIP is sufficient behind an Ingress; NodePort also exposes the Pods on every node
---
apiVersion: extensions/v1beta1   # removed in Kubernetes 1.22; newer clusters use networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
spec:
  rules:
  - host: a.ice.com
    http:
      paths:                # a list of path/backend pairs
      - path: /
        backend:
          serviceName: ng-service
          servicePort: 80
Example of HTTPS proxy
- Create a certificate and store it in a TLS Secret
# self-signed certificate for the Ingress host; the CN and subjectAltName must match the host or clients reject it
# (-addext requires OpenSSL 1.1.1 or newer)
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=a.ice.com/O=nginxsvc" -addext "subjectAltName=DNS:a.ice.com"
kubectl create secret tls tls-secret --key tls.key --cert tls.crt
- Ingress manifest
apiVersion: extensions/v1beta1   # removed in Kubernetes 1.22; newer clusters use networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
spec:
  tls:
  - hosts:
    - a.ice.com
    secretName: tls-secret  # the Secret created above
  rules:
  - host: a.ice.com
    http:
      paths:
      - path: /
        backend:
          serviceName: ng-service   # the Service from the HTTP example
          servicePort: 80