一、基本概念
????????k8s集群中,ingress作為集群內服務對外暴漏的訪問接入點,幾乎承載著集群內服務訪問的所有流量。ingress是k8s中的一個資源對象,用來管理集群外部訪問集群內部服務的方式。可以通過ingress資源來配置不同的轉發規則,從而達到根據不同的規則設置訪問集群內不同的Service后端Pod。
????????Ingress資源僅支持http流量的規則,無法配置一些高級特性。如:負載均衡的算法,Sessions Affinity等,這些高級特性都需要再ingress Controller中進行配置。
二、原理
? ? ? ? 為了是得ingress資源正常工作,集群中必須要有個ingress controller來解析ingress的轉發規則。ingress controller收到請求,匹配ingress轉發規則到后端service,而service轉發到pod,最終由pod處理請求。k8s中service、ingress、ingress controller有著以下關系:
- service是后端真是服務的抽象,一個serivce可以代表多個相同的后端服務。
- ingress是反向代理規則,用來規定http/https請求因該被轉發到那個service上。如根據請求中不同的host和url路徑,讓請求落到不同的service上。
- ingress controller是一個反向代理程序,負責解析ingress的反向代理規則。如果ingress有增刪改的變動,ingress Controller會及時更新自己相應的轉發規則,當ingress Controller收到請求后就會根據這些規則將請求轉發到對應的service。
ingressController通過api server獲取ingress資源的變化,動態生成load Balancer(如nginx)所需要的配置文件(如nginx.conf),然后重新加載load Balancer(r如:nginx -s reload重新加載nginx)來生成新的路由轉發規則。
三、修改文件
# egrep -v "^$|^#|^ *#" values.yaml
global:image:registry: k8s.kubesre.xyz
namespaceOverride: ""
commonLabels: {}
controller:name: controllerenableAnnotationValidations: trueimage:chroot: falseregistry: registry-cn-hangzhou.ack.aliyuncs.comimage: acs/aliyun-ingress-controllertag: "v1.11.5-aliyun.1"pullPolicy: IfNotPresentrunAsNonRoot: truerunAsUser: 101runAsGroup: 82allowPrivilegeEscalation: falseseccompProfile:type: RuntimeDefaultreadOnlyRootFilesystem: falsecontainerName: controllercontainerPort:http: 80https: 443config: {}configAnnotations: {}proxySetHeaders: {}addHeaders: {}dnsConfig: {}hostAliases: []hostname: {}dnsPolicy: ClusterFirstreportNodeInternalIp: falsewatchIngressWithoutClass: falseingressClassByName: falseenableTopologyAwareRouting: falsedisableLeaderElection: falseelectionTTL: ""allowSnippetAnnotations: falsehostNetwork: truehostPort:enabled: falseports:http: 80https: 443networkPolicy:enabled: falseelectionID: ""ingressClassResource:name: nginxenabled: truedefault: falseannotations: {}controllerValue: k8s.io/ingress-nginxaliases: []parameters: {}ingressClass: nginxpodLabels: {}podSecurityContext: {}sysctls: {}containerSecurityContext: {}publishService:enabled: truepathOverride: ""scope:enabled: falsenamespace: ""namespaceSelector: ""configMapNamespace: ""tcp:configMapNamespace: ""annotations: {}udp:configMapNamespace: ""annotations: {}maxmindLicenseKey: ""extraArgs: {}extraEnvs: []kind: DaemonSetannotations: {}labels: {}updateStrategy: {}progressDeadlineSeconds: 0minReadySeconds: 0tolerations:- key: ""operator: "Exists"value: ""affinity: {}topologySpreadConstraints: []terminationGracePeriodSeconds: 300nodeSelector:kubernetes.io/os: linuxboge/ingress-controller-ready: "true"livenessProbe:httpGet:path: "/healthz"port: 10254scheme: HTTPinitialDelaySeconds: 10periodSeconds: 10timeoutSeconds: 1successThreshold: 1failureThreshold: 5readinessProbe:httpGet:path: "/healthz"port: 10254scheme: HTTPinitialDelaySeconds: 10periodSeconds: 10timeoutSeconds: 1successThreshold: 1failureThreshold: 3healthCheckPath: "/healthz"healthCheckHost: ""podAnnotations: {}replicaCount: 1minAvailable: 1unhealthyPodEvictionPolicy: ""resources:limits:cpu: 6memory: 12Girequests:cpu: 2memory: 4Giautoscaling:enabled: falseannotations: {}minReplicas: 1maxReplicas: 11targetCPUUtilizationPercentage: 50targetMemoryUtilizationPercentage: 50behavior: {}autoscalingTemplate: []keda:apiVersion: "keda.sh/v1alpha1"enabled: falseminReplicas: 1maxReplicas: 11pollingInterval: 30cooldownPeriod: 300restoreToOriginalReplicaCount: falsescaledObject:annotations: {}triggers: []behavior: {}enableMimalloc: truecustomTemplate:configMapName: ""configMapKey: ""service:enabled: trueexternal:enabled: trueannotations: {}labels: {}type: ClusterIPclusterIP: ""externalIPs: []loadBalancerIP: ""loadBalancerSourceRanges: []loadBalancerClass: ""externalTrafficPolicy: ""sessionAffinity: ""ipFamilyPolicy: SingleStackipFamilies:- IPv4enableHttp: trueenableHttps: trueports:http: 80https: 443targetPorts:http: httphttps: httpsappProtocol: truenodePorts:http: ""https: ""tcp: {}udp: {}internal:enabled: falseannotations: {}type: ""clusterIP: ""externalIPs: []loadBalancerIP: ""loadBalancerSourceRanges: []loadBalancerClass: ""externalTrafficPolicy: ""sessionAffinity: ""ipFamilyPolicy: SingleStackipFamilies:- IPv4ports: {}targetPorts: {}appProtocol: truenodePorts:http: ""https: ""tcp: {}udp: {}shareProcessNamespace: falseextraContainers: []extraVolumeMounts: []extraVolumes: []extraInitContainers: []extraModules: []admissionWebhooks:name: admissionannotations: {}enabled: trueextraEnvs: []failurePolicy: Failport: 8443certificate: "/usr/local/certificates/cert"key: "/usr/local/certificates/key"namespaceSelector: {}objectSelector: {}labels: {}service:annotations: {}externalIPs: []loadBalancerSourceRanges: []servicePort: 443type: ClusterIPcreateSecretJob:name: createsecurityContext:runAsNonRoot: truerunAsUser: 65532runAsGroup: 65532allowPrivilegeEscalation: falseseccompProfile:type: RuntimeDefaultcapabilities:drop:- ALLreadOnlyRootFilesystem: trueresources: {}patchWebhookJob:name: patchsecurityContext:runAsNonRoot: truerunAsUser: 65532runAsGroup: 65532allowPrivilegeEscalation: falseseccompProfile:type: RuntimeDefaultcapabilities:drop:- ALLreadOnlyRootFilesystem: trueresources: {}patch:enabled: trueimage:registry: registry.k8s.ioimage: ingress-nginx/kube-webhook-certgentag: v1.5.2pullPolicy: IfNotPresentpriorityClassName: ""podAnnotations: {}networkPolicy:enabled: falsenodeSelector:kubernetes.io/os: linuxboge/ingress-controller-ready: "true"tolerations:- operator: Existslabels: {}securityContext: {}rbac:create: trueserviceAccount:create: truename: ""automountServiceAccountToken: truecertManager:enabled: falserootCert:duration: ""admissionCert:duration: ""metrics:port: 10254portName: metricsenabled: falseservice:enabled: trueannotations: {}labels: {}externalIPs: []loadBalancerSourceRanges: []servicePort: 10254type: ClusterIPserviceMonitor:enabled: falseadditionalLabels: {}annotations: {}namespace: ""namespaceSelector: {}scrapeInterval: 30stargetLabels: []relabelings: []metricRelabelings: []prometheusRule:enabled: falseadditionalLabels: {}annotations: {}rules: []lifecycle:preStop:exec:command:- /wait-shutdownpriorityClassName: ""
revisionHistoryLimit: 10
defaultBackend:enabled: falsename: defaultbackendimage:registry: registry.k8s.ioimage: defaultbackend-amd64tag: "1.5"pullPolicy: IfNotPresentrunAsNonRoot: truerunAsUser: 65534runAsGroup: 65534allowPrivilegeEscalation: falseseccompProfile:type: RuntimeDefaultreadOnlyRootFilesystem: trueextraArgs: {}serviceAccount:create: truename: ""automountServiceAccountToken: trueextraEnvs: []port: 8080livenessProbe:failureThreshold: 3initialDelaySeconds: 30periodSeconds: 10successThreshold: 1timeoutSeconds: 5readinessProbe:failureThreshold: 6initialDelaySeconds: 0periodSeconds: 5successThreshold: 1timeoutSeconds: 5updateStrategy: {}minReadySeconds: 0tolerations: - key: ""operator: "Exists"value: ""affinity: {}topologySpreadConstraints: []podSecurityContext: {}containerSecurityContext: {}podLabels: {}nodeSelector:kubernetes.io/os: linuxboge/ingress-controller-ready: "true"podAnnotations: {}replicaCount: 1minAvailable: 1unhealthyPodEvictionPolicy: ""resources: {}extraVolumeMounts: []extraVolumes: []extraConfigMaps: []autoscaling:annotations: {}enabled: falseminReplicas: 1maxReplicas: 2targetCPUUtilizationPercentage: 50targetMemoryUtilizationPercentage: 50networkPolicy:enabled: falseservice:annotations: {}externalIPs: []loadBalancerSourceRanges: []servicePort: 80type: ClusterIPpriorityClassName: ""labels: {}
rbac:create: truescope: false
serviceAccount:create: truename: ""automountServiceAccountToken: trueannotations: {}
imagePullSecrets: []
tcp: {}
udp: {}
portNamePrefix: ""
dhParam: ""#?helm upgrade --install ingress-nginx -n ingress-nginx . -f values.yaml
進程地址空間)
 Spring AI 1.0版本 + 千問大模型+RAG)
——攻擊者使用什么漏洞獲取了服務器的配置文件?)
)
