Using Curl with Kubernetes nginx Ingress #5116
I configured authentication through nginx to a specific service in k8s.
It works fine with WUI.
I saw some examples.
This works fine too:
curl -v http://10.2.29.4/ -H 'Host: foo.bar.com' -u 'foo:bar'
But I need to close off another part of my URL in the same way.
For example /api/v1/upload
I deployed a 2nd ingress with path:
spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - backend:
          serviceName: service
          servicePort: 8000
        path: /api/v1/upload
Without nginx I have to type:
curl -X POST -F 'file=@/file' http://10.2.29.4:8000/api/v1/upload -H "Authorization:key"
How do I need to use curl to hide the real IP or port and get a good result?
I would really appreciate it if you could help me figure it out.
Ingress 1:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: mobsf
  namespace: default
  labels:
    app: mobsf
    # env: dev
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: mobsf-basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  rules:
  - host: worker1.mydomain.local
    http:
      paths:
      - path: /
        backend:
          serviceName: mobsf
          servicePort: 8000
Ingress 2:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: mobsf2
  namespace: default
  labels:
    app: mobsf2
    # env: dev
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: mobsf-basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  rules:
  - host: worker1.mydomain.local
    http:
      paths:
      - backend:
          serviceName: mobsf2
          servicePort: 8000
        path: /api/v1/
DNS check (correct):
nslookup worker1.mydomain.local
Server: 10.2.67.10
Address: 10.2.67.10#53
Name: worker1.mydomain.local
Address: 10.2.67.203
Services:
kubectl get svc
NAME            TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
kubernetes      ClusterIP      10.233.0.1      <none>        443/TCP          159d
minio-service   LoadBalancer   10.233.32.19    <pending>     9001:30809/TCP   104d
mobsf           NodePort       10.233.18.34    <none>        8000:30426/TCP   8d
vault           NodePort       10.233.43.134   <none>        8200:30820/TCP   69
Ing:
kubectl get ing
NAME     HOSTS                  ADDRESS   PORTS   AGE
mobsf    worker1.dev002.local             80      2d1h
mobsf2   worker1.dev002.local             80      23h
In bare metal installations it is not possible to use Ingress and LoadBalancer services by default. You can't get EXTERNAL-IP, as displayed in the outputs that you provided.
The first curl command you provided shows that you are using your service mobsf as NodePort, which means you are able to reach your application by typing the IP of your node + port, like this: http://<NODE_IP>:8080, but without authentication, since you are not accessing the server through the ingress.
Here are all the service types and how they work:
ClusterIP: Exposes the Service on a cluster-internal IP. Choosing this value makes the Service only reachable from within the cluster. This is the default ServiceType.
NodePort: Exposes the Service on each Node's IP at a static port (the NodePort). A ClusterIP Service, to which the NodePort Service routes, is automatically created. You'll be able to contact the NodePort Service, from outside the cluster, by requesting <NodeIP>:<NodePort>.
LoadBalancer: Exposes the Service externally using a cloud provider's load balancer. NodePort and ClusterIP Services, to which the external load balancer routes, are automatically created.
The Nginx docs show how to set up MetalLB to allow your bare metal cluster to use LoadBalancer Services.
MetalLB provides a network load-balancer implementation for Kubernetes clusters that do not run on a supported cloud provider, effectively allowing the usage of LoadBalancer Services within any cluster.
Basically, the setup is easy:
kubectl apply -f https://raw.githubusercontent.com/google/metallb/v0.8.3/manifests/metallb.yaml
And then create a ConfigMap to configure it (edit the IP range according to your network):
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    address-pools:
    - name: default
      protocol: layer2
      addresses:
      - 192.168.1.240-192.168.1.250  # <= EDIT IP RANGE
Check the installation by typing kubectl get pods -n metallb-system; this is the expected output:
$ kubectl get pods -n metallb-system
NAME                          READY   STATUS    RESTARTS   AGE
controller-65895b47d4-6wzfr   1/1     Running   0          9d
speaker-v52xj                 1/1     Running   0          9d
After MetalLB is installed and configured you should be able to use your ingress and LoadBalancer services.
Here is an example of how to set up a Service (ClusterIP) and Ingress:
apiVersion: v1
kind: Service
metadata:
  name: mobsf
spec:
  selector:
    app: mobsf
  ports:
  - protocol: TCP
    port: 8000
    targetPort: 8000
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: mobsf-ing
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  rules:
  - host: worker1.mydomain.local
    http:
      paths:
      - path: "/"
        backend:
          serviceName: mobsf
          servicePort: 8000
      - path: "/api/v1"
        backend:
          serviceName: mobsf
          servicePort: 8080
Check your ingress with the command kubectl get ing and look in the EXTERNAL-IP column.
After that, make sure you configure in your local DNS an entry for worker1.mydomain.local pointing to the IP above.
Please let me know if that helped.
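
The answer's point that a NodePort Service can be reached without the Ingress authentication can be checked mechanically. The following is an added example, not part of the original question or answer: it audits Service and Ingress objects, in the shape of the "items" list from kubectl get ing,svc -o json, for backends that reference a missing Service or port and for auth-protected paths whose Service is also exposed as NodePort or LoadBalancer. The function names and the sample data (constructed, reusing names from this page) are assumptions.

```python
# Added example: audit Ingress backends against Services (extensions/v1beta1 field names).
AUTH = "nginx.ingress.kubernetes.io/auth-type"

def audit(items):
    """items: the "items" list of `kubectl get ing,svc -o json`. Returns sorted findings."""
    svcs = {(s["metadata"].get("namespace", "default"), s["metadata"]["name"]): s["spec"]
            for s in items if s["kind"] == "Service"}
    findings = set()
    for obj in (i for i in items if i["kind"] == "Ingress"):
        meta = obj["metadata"]
        ns, name = meta.get("namespace", "default"), meta["name"]
        protected = AUTH in meta.get("annotations", {})
        for rule in obj["spec"].get("rules", []):
            for p in rule.get("http", {}).get("paths", []):
                path, backend = p.get("path", "/"), p.get("backend")
                if backend is None:
                    findings.add((name, path, "path has no backend"))
                    continue
                svc, port = backend["serviceName"], backend["servicePort"]
                spec = svcs.get((ns, svc))
                if spec is None:
                    findings.add((name, path, f"Service {svc} not found"))
                    continue
                # servicePort may be a port number or a port name
                exposed = {v for sp in spec.get("ports", []) for v in (sp.get("port"), sp.get("name"))}
                if port not in exposed:
                    findings.add((name, path, f"Service {svc} has no port {port}"))
                kind = spec.get("type", "ClusterIP")
                if protected and kind != "ClusterIP":
                    # Exposed outside the cluster directly, so Ingress basic auth is not the only way in
                    findings.add((name, path, f"{kind} Service {svc} is also reachable without Ingress auth"))
    return sorted(findings)

def make_svc(name, kind, port):  # constructed sample helper
    return {"kind": "Service", "metadata": {"name": name},
            "spec": {"type": kind, "ports": [{"port": port}]}}

def make_ing(name, *paths):  # paths: (path, serviceName, servicePort); basic auth enabled
    rule = {"host": "worker1.mydomain.local", "http": {"paths": [
        {"path": p, "backend": {"serviceName": s, "servicePort": n}} for p, s, n in paths]}}
    return {"kind": "Ingress", "metadata": {"name": name, "annotations": {AUTH: "basic"}},
            "spec": {"rules": [rule]}}

# Constructed sample reusing the names on this page.
SAMPLE = [make_svc("mobsf", "NodePort", 8000),
          make_ing("mobsf2", ("/api/v1/", "mobsf2", 8000)),
          make_ing("mobsf-ing", ("/", "mobsf", 8000), ("/api/v1", "mobsf", 8080))]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(" | ".join(finding))
```

With the Service changed to ClusterIP and every backend pointing at port 8000, the same call returns an empty list.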
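Statement: The technical posts on this site follow the CC BY-SA 4.0 license. If you need to repost, please cite this site's URL or the original address. For any questions, contact: yoyou2525@163.com.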