K8s中的两种nginx-ingress-controller及其区别
有两种基于 NGINX 的 Ingress 控制器实现:一种是nginxinc/kubernetes-ingress (opens new window),另一种是kubernetes/ingress-nginx (opens new window)。
# 什么是Ingress Controller?
为了让 Ingress 资源工作,集群中至少要有一个 Ingress Controller运行。 Ingress Controller抽象出 Kubernetes 应用程序流量路由的复杂性,并在 Kubernetes 服务和外部服务(外部世界)之间提供桥梁。^1 (opens new window)
您可以在集群中部署多个 Ingress Controller。这需要在创建 Ingress 时,使用适当的 ingress.class 注解 Ingress,以标识应使用哪个 Ingress Controller。如果没有定义指定,则使用默认的Ingress Controller。
一般情况下,所有Ingress Controller都应满足此规范,但各种Ingress Controller的操作略有不同。
目前有两种基于 NGINX 的 Kubernetes Ingress Controller——它们都是开源的并托管在 GitHub 上。一个是K8s开源社区的kubernetes/ingress-nginx (opens new window),另一个是Nginx官方的nginxinc/kubernetes-ingress (opens new window)
# 主要区别
# Kubernetes Ingress Controller
这是k8s官方社区开发维护的控制器,它是基于Nginx的,扩展功能则需要使用Lua插件实现。
# NGINX Ingress Controller
这是由nginx的官方开发维护的控制器,它还有一个基于Nginx Plus的商业版本。NGINX 控制器具有高稳定性、持续向后兼容性、没有任何第三方模块、由于没有Lua 代码更高效(与k8s官方控制器相比)。
即使与官方控制器相比,免费软件版本也受到很大限制(由于没有Lua 模块)。同时,付费版本拥有相当广泛的附加功能:实时指标、JWT 验证、主动健康检查等。
关于 nginxinc/kubernetes-ingress (opens new window) 和kubernetes/ingress-nginx (opens new window) 的更多区别可见下表^2 (opens new window):
| Aspect or Feature | kubernetes/ingress-nginx | nginxinc/kubernetes-ingress with NGINX | nginxinc/kubernetes-ingress with NGINX Plus |
|---|---|---|---|
| Fundamental | |||
| Authors | Kubernetes community | NGINX Inc and community | NGINX Inc and community |
| NGINX version | Custom (opens new window) NGINX build that includes several third-party modules | NGINX official mainline build (opens new window) | NGINX Plus |
| Commercial support | N/A | N/A | Included |
| Implemented in | Go/Lua (while Nginx is written in C) | Go/Python | Go/Python |
| Load balancing configuration via the Ingress resource | |||
| Merging Ingress rules with the same host | Supported | Supported via Mergeable Ingresses | Supported via Mergeable Ingresses |
| HTTP load balancing extensions - Annotations | See the supported annotations (opens new window) | See the supported annotations (opens new window) | See the supported annotations (opens new window) |
| HTTP load balancing extensions -- ConfigMap | See the supported ConfigMap keys (opens new window) | See the supported ConfigMap keys (opens new window) | See the supported ConfigMap keys (opens new window) |
| TCP/UDP | Supported via a ConfigMap | Supported via custom resources | Supported via custom resources |
| Websocket | Supported | Supported via an annotation | Supported via an annotation |
| TCP SSL Passthrough | Supported via a ConfigMap | Supported via custom resources | Supported via custom resources |
| JWT validation | Not supported | Not supported | Supported |
| Session persistence | Supported via a third-party module | Not supported | Supported |
| Canary testing (by header, cookie, weight) | Supported via annotations | Supported via custom resources | Supported via custom resources |
| Configuration templates | See the template (opens new window) | See the templates | See the templates |
| Load balancing configuration via Custom Resources | |||
| HTTP load balancing | Not supported | See VirtualServer and VirtualServerRoute (opens new window) resources | See VirtualServer and VirtualServerRoute (opens new window) resources |
| TCP/UDP load balancing | Not supported | See TransportServer (opens new window) resource | See TransportServer (opens new window) resource |
| TCP SSL Passthrough load balancing | Not supported | See TransportServer (opens new window) resource | See TransportServer (opens new window) resource |
| Deployment | |||
| Command-line arguments | See the arguments (opens new window) | See the arguments (opens new window) | See the arguments (opens new window) |
| TLS certificate and key for the default server | Required as a command-line argument/ auto-generated | Required as a command-line argument | Required as a command-line argument |
| Helm chart | Supported | Supported | Supported |
| Operator | Not supported | Supported | Supported |
| Operational | |||
| Reporting the IP address(es) of the Ingress controller into Ingress resources | Supported | Supported | Supported |
| Extended Status | Supported via a third-party module | Not supported | Supported |
| Prometheus Integration | Supported | Supported | Supported |
| Dynamic reconfiguration of endpoints (no configuration reloading) | Supported with a third-party Lua module | Not supported | Supported |
# 实际使用差别
当我们实际使用上述两个版本的Ingress控制器(Nginx官方和Kubernetes官方)时,特别需要注意的就是他们所支持的Annotation不同(这也是在我工作中经常处理遇到的问题,经常搞混导致设置不生效),比如下面的这个问题:
我们有一个数据量大的导出接口阻塞等待大约5分钟,每次在刚好1分钟时接口报错504 Gateway Time-out,怎么处理?
如果只是nginx,这只需要设置nginx的proxy-read-timeout(顾名思义这个参数是设置nginx代理读取超时时间,默认60s)即可。比如**proxy-read-timeout 600s**
对于kubernetes/ingress-nginx需要使用**nginx.ingress.kubernetes.io/proxy-read-timeout: "600"**
对于nginxinc/kubernetes-ingress with NGINX需要使用**nginx.org/proxy-read-timeout: "10m"**
更多注解上的使用区分可查看kubernetes/ingress-nginx: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/ (opens new window),nginxinc/kubernetes-ingress with NGINX:https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/ (opens new window)