What is Application Gateway Ingress Controller?

The Application Gateway Ingress Controller (AGIC) is a Kubernetes application, which makes it possible for Azure Kubernetes Service (AKS) customers to leverage Azure's native Application Gateway L7 load balancer to expose cloud software to the Internet. AGIC monitors the Kubernetes cluster it is hosted on and continuously updates an Application Gateway, so that selected services are exposed to the Internet.

The Ingress Controller runs in its own pod on the customer's AKS cluster. AGIC monitors a subset of Kubernetes resources for changes. The state of the AKS cluster is translated into Application Gateway-specific configuration and applied through Azure Resource Manager (ARM).

Benefits of Application Gateway Ingress Controller

AGIC allows your deployment to control multiple AKS clusters with a single Application Gateway Ingress Controller. AGIC also helps eliminate the need for another load balancer/public IP in front of the AKS cluster and avoids multiple hops in your data path before requests reach the AKS cluster. Application Gateway talks to pods using their private IPs directly and does not require NodePort or KubeProxy services. This also brings better performance to your deployments.

The Ingress Controller is supported exclusively by the Standard_v2 and WAF_v2 SKUs, which also brings you autoscaling benefits. Application Gateway can react to an increase or decrease in traffic load and scale accordingly, without consuming any resources from your AKS cluster.

Using Application Gateway in addition to AGIC also helps protect your AKS cluster by providing TLS policy and Web Application Firewall (WAF) functionality.

Figure: Azure Application Gateway + AKS

AGIC is configured via the Kubernetes Ingress resource, along with Services and Deployments/Pods. It provides a number of features, leveraging Azure's native Application Gateway L7 load balancer. To name a few:

  • URL routing
  • Cookie-based affinity
  • TLS termination
  • End-to-end TLS
  • Support for public, private, and hybrid web sites
  • Integrated web application firewall
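An Ingress manifest that wires several of these features together, added here as an illustration rather than taken from the original page or from AGIC's own documentation; the Service names web-svc and api-svc, the Secret app-tls, the namespace frontend and the host app.example.com are assumptions.

```yaml
# Added example (not from the original page). Assumed names: Services web-svc
# and api-svc, TLS Secret app-tls, namespace frontend, host app.example.com.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  namespace: frontend
  annotations:
    # Hand this Ingress to AGIC rather than to another controller in the cluster.
    kubernetes.io/ingress.class: azure/application-gateway
    # Cookie-based affinity: Application Gateway pins a client session to one pod.
    appgw.ingress.kubernetes.io/cookie-based-affinity: "true"
    # Redirect plain HTTP to the HTTPS listener so cleartext is never served.
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
    # End-to-end TLS: the gateway re-encrypts to the pods over HTTPS instead of
    # terminating TLS at the edge and speaking HTTP inside the cluster.
    appgw.ingress.kubernetes.io/backend-protocol: "https"
spec:
  tls:
    # TLS termination: AGIC uploads this Secret's certificate and key to the
    # Application Gateway listener for app.example.com.
    - hosts:
        - app.example.com
      secretName: app-tls
  rules:
    - host: app.example.com
      http:
        paths:
          # URL routing: /api/* goes to api-svc, everything else to web-svc.
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: api-svc
                port:
                  number: 443
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web-svc
                port:
                  number: 443
```

With backend-protocol set to https the pods must themselves serve TLS on port 443, and a backend certificate the gateway does not already trust has to be supplied with the appgw-trusted-root-certificate annotation.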

AGIC is able to handle multiple namespaces and has ProhibitedTargets, which means AGIC can configure the Application Gateway specifically for AKS clusters without affecting other existing backends.

Next Steps