NGINX Ingress控制器后端协议注释如何在基于路径的路由中工作? [英] How NGINX Ingress controller back-end protocol annotation works in path based routing?
问题描述
我目前正在k8s集群中使用NGINX入口控制器.我试图使端到端加密有效,并且能够使连接一直到Pod都保持安全.
I'm currently playing with NGINX ingress controller in my k8s cluster. I was trying to make end-to-end encryption work and I was able to make the connection secure all the way to the pod.
为了直到Pod一直实现HTTPS,我不得不使用注释
In order to achieve HTTPS all the way till pod, I had to use annotation
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
示例入口:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: foo-api-ingress
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
tls:
- hosts:
- foo.example.com
secretName: foo-cert
rules:
- host: foo.example.com
http:
paths:
- path: /path1
backend:
serviceName: foo-api-path1-service
servicePort: 443
- path: /path2
backend:
serviceName: foo-api-path2-service
servicePort: 443
我对这种情况的发生方式感到困惑,因为当我们加密连接路径时也会加密,那么NGINX如何进行基于路径的路由?它会在入口处解密连接并重新加密吗?另外,使用这种方法会影响性能吗?
I'm confused in terms of how exactly this happens because when we encrypt the connection path also get encrypted then how NGINX does path-based routing? does it decrypt the connection at ingress and re-encrypt it? also, does performance get affected by using this method?
推荐答案
TL; DR
它会在入口处解密连接并重新加密吗?
does it decrypt the connection at ingress and re-encrypt it?
简而言之,是的.请参阅下面的说明.
In short, yes. Please see the explanation below.
请求到达 Pod 所经过的路径可以看作:
The path that a request is travelling to get to a Pod can be seen as:
假设我们有一个 Ingress控制器( nginx-ingress )代替了一个 Ingress ,那么您可以通过多种方式来连接客户端使用 Pod (简体):
Assuming that we have an Ingress controller (nginx-ingress) in place of an Ingress you can have several ways to connect your client with a Pod (simplified):
- 未加密:
-
client-(HTTP)->入口控制器-(HTTP)->Service---->Pod
- Unencrypted:
client-- (HTTP) -->Ingress controller-- (HTTP) -->Service---->Pod
- 在
Ingress控制器中加密(使用nginx.ingress.kubernetes.io/backend-protocol:"HTTPS")-
client-(HTTP)->入口控制器-(HTTP S )->Service---->Pod
- Encrypted at the
Ingress controller(withnginx.ingress.kubernetes.io/backend-protocol: "HTTPS")client-- (HTTP) -->Ingress controller-- (HTTPS) -->Service---->Pod
- Encrypted and decrypted at the
Ingress controllerwhere TLS Termination happens:client-- (HTTPS) -->Ingress controller(TLS Termination) -- (HTTP) -->Service---->Pod
您的设置:
- 在
Ingress控制器处进行加密和解密,其中 nginx.ingress.kubernetes.io/backend-protocol:"HTTPS" :-
client-(HTTP S )->入口控制器(TLS终止)-(HTTP S )->Service---->Pod
- Encrypted and decrypted at the
Ingresscontroller where TLS Termination happens and encrypted once again when connecting with a HTTPS backend bynginx.ingress.kubernetes.io/backend-protocol: "HTTPS":client-- (HTTPS) -->Ingress controller(TLS Termination) -- (HTTPS) -->Service---->Pod
- Encrypted and decrypted at the
PodwhereIngress controlleris configured with SSL Passthrough:client-- (HTTPS) -->Ingress controller-- (HTTPS) -->Service---->Pod
免责声明!
这只是一个简化的解释.有关更多参考,您可以查看以下评论:
This is only a simplified explanation. For more reference you can look at this comment:
这里缺少一个详细信息,SSL传递流量永远不会到达入口控制器中的NGINX.有一个用于TLS连接的go侦听器,该侦听器仅将流量传递到入口中定义的服务.
there is a missing detail here, the SSL Passthrough traffic never reaches NGINX in the ingress controller. There is a go listener for TLS connections that just pipes the traffic to the service defined in the ingress.
有关更多参考,您可以查看类似的问题(带有答案):
For more reference you can look on the similar question (with an answer):
您还可以使用与您的示例设置类似的示例设置来查看本文:
You can also check this article with example setup similar to yours:
其他资源:
- Github.com:Kubernetes:Ingress nginx:是否有可能从nginx控制器安全的后端连接?
- Github.com:Kubernetes:入口Nginx:Nginx配置:注释:后端证书认证
这篇关于NGINX Ingress控制器后端协议注释如何在基于路径的路由中工作?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
-
-
-
