          Set Ingress Traffic Forwarding

          Ingress is the Layer 7 traffic access method provided by Kubernetes. It manages traffic by connecting an external load balancer to the container services inside the cluster. Compared with a LoadBalancer Service, Ingress simplifies the management of ports opened on hosts and provides more complete routing and security rules by using the capabilities of the external load balancer. For details, see the official Kubernetes Ingress documentation.

          Ingress is primarily composed of two parts:

          • Ingress object: the Kubernetes Ingress object, which is created and updated through YAML and maps domain names to Services;
          • Ingress Controller: a component deployed in the cluster that translates the Ingress configuration into external load balancer configuration, and manages and updates the load balancer.

          CCE provides an Ingress controller implemented on the cloud platform's load balancing service. When users use Ingress, an Application BLB instance is created and managed on the cloud platform to receive and manage external traffic. Ingress is used the same way as in native Kubernetes: users can create and manage Ingress objects through the console or YAML.

          Create Ingress

          1. Open the CCE console and find "Ingress" in the [Traffic Access] submenu on the left.

          2. Click "Create New Ingress" in the Ingress list.

          3. Fill in the Ingress information, including the Ingress name, network type (whether to buy an EIP), cluster, namespace, listening port, whether to specify a BLB and EIP, etc.

          4. If this is the first Ingress deployed in the selected cluster, check the option below to approve the creation of the Ingress-Controller.

          Note: Because the first deployment of Ingress requires the creation of an Ingress-Controller in the cluster, it will take a while for the cluster to change from NotReady to Ready when it first creates Ingress.

          Certificate Management

          If the listening ports selected when creating the Ingress include HTTPS: 443, you must also select a certificate.

          Click "Add" certificate to upload the certificate. You need to fill in the certificate name, certificate content and private key. Please click "View reference sample" to get the sample of certificate content and private key. If you have more questions, please click the link at the bottom right to enter the "Certificate Management" instruction document.

          Uploaded certificates are stored in the cloud platform security authentication service. To view and manage them, click your personal avatar and follow the "Manage my Certificates" link to the certificate management page.

          Configure Forwarding Rules

          When the created Ingress enters the Ready state, you can start to configure the forwarding rules of Ingress.

          1. Open the Ingress list and click the name of the Ingress to enter its details page.

          2. The details page shows the configuration of the Ingress, including the associated application BLB that was created for it. If necessary, click BLB_[ID] to open the application BLB console and view the BLB (it is strongly recommended not to modify the relevant configuration in the BLB page).

          3. Click forwarding rules to see the list of forwarding rules of the current Ingress.

          4. In the upper left corner of the rule list, click the Edit button to put the list into editing mode, and then add, delete or edit rules.

          5. For each new rule, select the protocol type, listening port, domain name, URI to be forwarded, and the back-end service and service port to forward to. When the information is complete, click the Save button. Note: The backend service must expose a NodePort (that is, the Service is of NodePort or LoadBalancer type). For service creation, please see the Service management document of traffic access.

          6. After creating the forwarding rule, you can see the rule status on the right side of the list. When the rule status is Ready, the port of the back-end service can start to accept the traffic forwarded by the BLB.

          Domain Name and URI Rules

          When domain name and URI conditions appear in a single rule, the following conditions need to be met for the rule to match successfully:

          1. Domain name forwarding rules: the length must be < 100; the only supported wildcard is *; the wildcard can appear 0 or 1 time and matches 0-n characters; only prefix matching is supported, that is, the wildcard can only appear at the beginning of the domain name, such as *.agile.com.

          2. URI forwarding rules: the length must be < 100; the only supported wildcard is *; the wildcard can appear 0 or 1 time and matches 0-n characters; prefix, middle, and suffix matching are supported, that is, the wildcard can appear anywhere in the matching rule.

          For a detailed introduction to routing rules, please see the application-oriented load balancing document.
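
          The limits above can be checked before a rule is submitted. The following is an added example, not code from CCE or BLB: it models the stated rules in Python, assuming the wildcard character is `*` (as in the `www.cce-ingress.com/hello/*` rule used later on this page) and that a pattern without a wildcard matches only the exact string. The function names are hypothetical. It also shows that `/hello*` matches `/hello-admin` while `/hello/*` does not.

```python
import re

MAX_LEN = 100  # page: "Limit length<100"

def validate(pattern, kind):
    """Return the rule violations for a 'domain' or 'uri' match pattern."""
    problems = []
    if len(pattern) >= MAX_LEN:
        problems.append("length must be < 100")
    if pattern.count("*") > 1:
        problems.append("wildcard may appear at most once")
    if kind == "domain" and "*" in pattern and not pattern.startswith("*"):
        problems.append("domain wildcard must be at the beginning")
    return problems

def matches(pattern, value, kind):
    """Apply a valid pattern to a Host header value or a request path."""
    problems = validate(pattern, kind)
    if problems:
        raise ValueError("; ".join(problems))
    if kind == "domain":  # host names are case-insensitive
        pattern, value = pattern.lower(), value.lower()
    # '*' matches 0-n characters; every other character is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.DOTALL) is not None

if __name__ == "__main__":
    # Constructed inputs showing why the trailing "/" in a URI rule matters.
    for pat, val in [("/hello/*", "/hello/a/b"), ("/hello/*", "/hello-admin"),
                     ("/hello*", "/hello-admin")]:
        print(pat, val, matches(pat, val, "uri"))
    print(validate("www.*.agile.com", "domain"))
```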

          Example of Using Ingress

          1. On the deployment page or service page, create a sample deployment and service with the following yaml content:

              # apps/v1 replaces extensions/v1beta1, which Kubernetes 1.16 removed for Deployments
              apiVersion: apps/v1
              kind: Deployment
              metadata:
                name: ingress-nginx-deployment
                labels:
                  app: ingress-nginx
              spec:
                replicas: 2
                selector:
                  matchLabels:
                    app: ingress-nginx
                template:
                  metadata:
                    labels:
                      app: ingress-nginx
                  spec:
                    containers:
                    - name: nginx
                      image: hub.agilecloud.com/cce/nginx-ingress
                      ports:
                      - containerPort: 80
              
              ---
              kind: Service
              apiVersion: v1
              metadata:
                name: hello-service
              spec:
                selector:
                  app: ingress-nginx
                type: NodePort
                ports:
                - protocol: TCP
                  port: 8000
                  targetPort: 80
              
              ---
              kind: Service
              apiVersion: v1
              metadata:
                name: world-service
              spec:
                selector:
                  app: ingress-nginx
                type: NodePort
                ports:
                - protocol: TCP
                  port: 9000
                  targetPort: 80

          2. Create an Ingress object named helloworld:

          3. Configure Ingress forwarding rules:

          • www.cce-ingress.com/hello/* -> hello-service:8000/hello/
          • www.cce-ingress.com/world/* -> world-service:9000/world/

          The back-end service behind each Service must serve the URI used in the forwarding policy. To support all cases, it is recommended to set the URI to /. The path requirements of the URI are very strict here; pay attention to the "/". The settings are as follows:

          4. Modify the local /etc/hosts file to point www.cce-ingress.com to the EIP (for example: 106.12.52.80):

          5. Access test:

          Ingress Annotation Description

          | Parameter name | Type | Description | Example |
          | --- | --- | --- | --- |
          | kubernetes.io/ingress.class | string | Designates the CCE Ingress controller as the controller hosting this Ingress | "cce" |
          | kubernetes.io/cce.ingress.blb-id | string | BLB bound to the Ingress; modification or deletion may cause BLB leakage | "lb-asdfDsXS" |
          | kubernetes.io/cce.ingress.internal | string | Intranet access only; default "false" | "true" or "false" |
          | kubernetes.io/cce.ingress.eip | string | EIP bound to the Ingress; modification or deletion may cause EIP leakage | "100.0.0.1" |
          | kubernetes.io/cce.ingress.eip-bandwidth-in-mbps | string | EIP bandwidth, billed by traffic; 1-1000 Mbps | "500" |
          | kubernetes.io/cce.ingress.timeout-in-seconds | string | Access timeout; 1 ~ 3600 | "1500" |
          | kubernetes.io/cce.ingress.https | string | Whether HTTPS is supported | "true" or "false" |
          | kubernetes.io/cce.ingress.http-redirect | string | Whether HTTP is redirected to HTTPS; takes effect only when HTTPS is enabled | "true" or "false" |
          | kubernetes.io/cce.ingress.blb-cert-id | string | HTTPS certificate ID | "xs-asdfDESz" |
          | kubernetes.io/cce.ingress.max-backend-count | string | Default number of RS mounted on the BLB; no limit by default | "50" |
          | kubernetes.io/cce.ingress.vpc-subnet-id | string | Specifies the BLB VPC subnet; not used by default | "sb-adfEsDzs" |

          To let CCE Ingress support both HTTP and HTTPS forwarding for a single domain name, two new annotations are added as follows:

          kubernetes.io/cce.ingress.http-rules:

          [ 
              { 
                  "host":"agile-cce-ingress.com", 
                  "http":{ 
                      "paths":[ 
                          { 
                              "path":"/apple/", 
                              "backend":{ 
                                  "serviceName":"service-example", 
                                  "servicePort":80 
                              } 
                          }, 
                          { 
                              "path":"/banana/", 
                              "backend":{ 
                                  "serviceName":"service-example", 
                                  "servicePort":80 
                              } 
                          } 
                      ] 
                  } 
              } 
          ] 

          kubernetes.io/cce.ingress.https-rules

          [ 
              { 
                  "host":"agile-cce-ingress.com", 
                  "http":{ 
                      "paths":[ 
                          { 
                              "path":"/orange/", 
                              "backend":{ 
                                  "serviceName":"service-example", 
                                  "servicePort":80 
                              } 
                          } 
                      ] 
                  } 
              } 
          ] 

          The logic of the rule is as follows:

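          for rule in rules:
              # Listed in the https-rules annotation: served over HTTPS
              if rule in annotation_https_rules:
                  setHTTPS(rule)

              # Listed in the http-rules annotation: served over HTTP
              if rule in annotation_http_rules:
                  setHTTP(rule)

              # Listed in neither annotation: served over HTTP by default
              if rule not in annotation_https_rules and rule not in annotation_http_rules:
                  setHTTP(rule)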
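
          Because a rule listed in neither annotation falls back to HTTP, it is worth auditing which paths of an Ingress end up reachable without TLS. The following is an added example, not CCE's controller code: it applies the logic above to a constructed manifest that reuses the page's sample annotations plus a hypothetical /grape/ path. It assumes a rule is "in" an annotation when host, path, serviceName and servicePort all match, and that spec.rules uses the same backend shape as the annotation JSON.

```python
import json

HTTP_ANN = "kubernetes.io/cce.ingress.http-rules"
HTTPS_ANN = "kubernetes.io/cce.ingress.https-rules"

def flatten(rules):
    """Expand rule objects into a set of (host, path, serviceName, servicePort)."""
    out = set()
    for rule in rules:
        for p in rule.get("http", {}).get("paths", []):
            b = p["backend"]
            out.add((rule.get("host", ""), p.get("path", "/"),
                     b["serviceName"], b["servicePort"]))
    return out

def listeners(ingress):
    """Map (host, path) -> set of protocols, following the page's pseudocode."""
    ann = ingress["metadata"].get("annotations", {})
    http_rules = flatten(json.loads(ann.get(HTTP_ANN, "[]")))
    https_rules = flatten(json.loads(ann.get(HTTPS_ANN, "[]")))
    result = {}
    for rule in flatten(ingress["spec"]["rules"]):
        protos = result.setdefault(rule[:2], set())
        if rule in https_rules:
            protos.add("HTTPS")
        if rule in http_rules:
            protos.add("HTTP")
        if rule not in https_rules and rule not in http_rules:
            protos.add("HTTP")  # default: plaintext
    return result

def plaintext_paths(ingress):
    """(host, path) pairs that are reachable over unencrypted HTTP."""
    return sorted(k for k, v in listeners(ingress).items() if "HTTP" in v)

def path(p):  # builds one path entry for the constructed sample
    return {"path": p, "backend": {"serviceName": "service-example", "servicePort": 80}}

HOST = "agile-cce-ingress.com"
SAMPLE = {  # constructed manifest; /grape/ is listed in neither annotation
    "metadata": {"annotations": {
        HTTP_ANN: json.dumps([{"host": HOST, "http": {"paths": [path("/apple/"), path("/banana/")]}}]),
        HTTPS_ANN: json.dumps([{"host": HOST, "http": {"paths": [path("/orange/")]}}]),
    }},
    "spec": {"rules": [{"host": HOST, "http": {"paths": [
        path(p) for p in ("/apple/", "/banana/", "/orange/", "/grape/")]}}]},
}

if __name__ == "__main__":
    for (host, p), protos in sorted(listeners(SAMPLE).items()):
        print(host + p, sorted(protos))
```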