ingress-nginx Interview Questions
30 questions
- Category: Kubernetes
- Subcategory: ingress
- Number of questions: 30
1. What components make up the ingress-nginx architecture?
Answer:
ingress-nginx is built on the NGINX reverse proxy with Lua extensions. Its core components are the Controller, NGINX, the ConfigMap and the Admission Webhook.
- Controller: runs as a Deployment or DaemonSet. It watches Ingress/Service/Endpoint/ConfigMap resources for changes, dynamically generates the NGINX configuration file (nginx.conf), and uses the Lua module to apply changes as a zero-downtime hot reload.
- NGINX: carries the actual traffic: reverse proxying, load balancing, SSL termination, rewrite rules and so on.
- ConfigMap: stores global NGINX configuration parameters (worker_processes, client-body-size, proxy-timeout, ...); the Controller watches it for changes and refreshes the configuration.
- Admission Webhook: validates Ingress resources (annotation syntax, whether the referenced TLS Secret exists) so that invalid configuration cannot crash the Controller.
Traffic path:
External request → LoadBalancer VIP → NodePort → Controller Pod
→ NGINX listening on 80/443 → backend Service selected by the Ingress rules
→ Endpoint → backend Pod
2. How does ingress-nginx handle HTTPS/TLS termination?
Answer:
ingress-nginx keeps TLS certificates in Kubernetes Secrets and terminates SSL at the NGINX layer.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - app.example.com
      secretName: app-tls-secret
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app-svc
                port:
                  number: 80
```
Certificate management: the Controller watches the Secret; when it changes, the NGINX SSL configuration is updated and hot-reloaded so the new certificate takes effect immediately. cert-manager can issue and renew TLS certificates automatically.
Forced HTTPS redirect:
```yaml
annotations:
  nginx.ingress.kubernetes.io/ssl-redirect: "true"
  nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
```
3. How does ingress-nginx implement canary releases?
Answer:
Annotations route traffic by weight or by request header.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-canary
  annotations:
    nginx.ingress.kubernetes.io/canary: "true"
    nginx.ingress.kubernetes.io/canary-weight: "10" # 10% of traffic
spec:
  ingressClassName: nginx
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app-canary-svc
                port:
                  number: 80
```
Matching modes:
| Mode | Annotation | Description |
|---|---|---|
| Weight | canary-weight | Random split by percentage |
| Request header | canary-by-header | Matches when the header is present |
| Request header value | canary-by-header-value | Matches when the header equals a specific value |
| Cookie | canary-by-cookie | Triggered by the cookie value |
4. What are the key settings in the ingress-nginx ConfigMap?
Answer:
The ConfigMap controls global NGINX behaviour; after a change the Controller hot-reloads automatically.
| Key | Default | Description |
|---|---|---|
| worker-processes | auto | Number of NGINX worker processes |
| worker-connections | 1024 | Maximum connections per worker |
| proxy-body-size | 1m | Request body size limit |
| proxy-connect-timeout | 5s | Backend connect timeout |
| proxy-read-timeout | 60s | Backend read timeout |
| proxy-send-timeout | 60s | Backend send timeout |
| keep-alive | 75 | HTTP keep-alive timeout |
| ssl-protocols | TLSv1.2 TLSv1.3 | Allowed SSL/TLS protocol versions |
| use-forwarded-headers | false | Trust the X-Forwarded-* headers |
| enable-real-ip | false | Enable real client IP resolution |
| log-format-upstream | default format | Access log format |
| client-header-buffer-size | 64k | Request header buffer size |
Example configuration:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  proxy-body-size: "50m"
  proxy-read-timeout: "120"
  ssl-protocols: "TLSv1.3"
  enable-real-ip: "true"
  forwarded-for-header: "X-Forwarded-For"
```
5. How are rewrite rules configured in ingress-nginx?
Answer:
The annotation nginx.ingress.kubernetes.io/rewrite-target rewrites the URL path.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rewrite-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/use-regex: "true"
spec:
  ingressClassName: nginx
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /api(/|$)(.*)
            pathType: ImplementationSpecific
            backend:
              service:
                name: api-svc
                port:
                  number: 8080
```
Common rewrite annotations:
| Annotation | Purpose |
|---|---|
| rewrite-target | Target the request path is rewritten to |
| use-regex | Enable regular-expression path matching |
| app-root | Redirect for the root path |
| server-snippet / configuration-snippet | Custom NGINX configuration fragments |
Typical uses:
External request /api/v1/users → backend /v1/users
External request /old-path → 301 redirect to /new-path
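As an added example (not from the original page), this Python helper applies the regex path and rewrite-target shown above the way ingress-nginx's generated `location ~* "^..."` block does, and contrasts the page's `/api(/|$)(.*)` with a looser `/api(.*)` of my own to show why the `(/|$)` group matters; the sample paths are constructed.

```python
import re


def nginx_rewrite(path, location_regex, rewrite_target):
    """Apply an ingress-nginx rewrite-target to a request path.

    With use-regex: "true" the Ingress path is emitted as
    location ~* "^<path>", so it is anchored at the start and case-insensitive;
    $1, $2, ... in rewrite-target refer to the location's capture groups.
    Returns None when the location does not match, i.e. this rule would not
    have handled the request at all.
    """
    m = re.match(location_regex, path, re.IGNORECASE)
    if m is None:
        return None

    def group(mo):
        # An optional group that matched nothing expands to the empty string.
        return m.group(int(mo.group(1))) or ""

    return re.sub(r"\$(\d+)", group, rewrite_target)


# Constructed comparison: the page's rule next to a looser pattern that also
# swallows /apiv2/... because nothing forces a "/" or end-of-path after "api".
PAGE_LOCATION = r"/api(/|$)(.*)"
LOOSE_LOCATION = r"/api(.*)"


def page_rule(path):
    return nginx_rewrite(path, PAGE_LOCATION, "/$2")


def loose_rule(path):
    return nginx_rewrite(path, LOOSE_LOCATION, "/$1")
```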
6. How does ingress-nginx obtain the real client IP?
Answer:
ingress-nginx passes the real client IP in the X-Forwarded-For and X-Real-IP headers.
Configuration:
```yaml
# ConfigMap: enable real client IP
data:
  use-forwarded-headers: "true"
  forwarded-for-header: "X-Forwarded-For"
  enable-real-ip: "true"
  proxy-real-ip-cidr: "0.0.0.0/0" # trusted proxy CIDRs
```
External and internal traffic handling:
External request → LB → ingress-nginx → Pod
→ X-Forwarded-For: <client-IP>, <LB-IP>
Restrict proxy-real-ip-cidr to the LB's CIDR range to prevent IP spoofing.
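To see why the CIDR restriction above matters, here is an added Python model (not part of the original page or of ingress-nginx) of how the NGINX realip module, which ingress-nginx configures from proxy-real-ip-cidr with real_ip_recursive on, picks the client address from X-Forwarded-For; the peer address and header values are constructed samples.

```python
import ipaddress


def resolve_client_ip(peer_ip, xff_header, trusted_cidrs, recursive=True):
    """Model of how the NGINX realip module chooses $remote_addr.

    peer_ip: address of the TCP peer that connected to NGINX (normally the LB).
    xff_header: raw X-Forwarded-For value, oldest hop first, e.g. "a, b, c".
    trusted_cidrs: the proxy-real-ip-cidr list; only hops inside these ranges
    are believed to be proxies. Malformed hops raise ValueError (my
    simplification, not a claim about nginx's exact handling of bad input).
    """
    nets = [ipaddress.ip_network(c.strip()) for c in trusted_cidrs]

    def trusted(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    # realip only rewrites the address when the direct peer is a trusted proxy.
    if not trusted(peer_ip):
        return peer_ip
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if not hops:
        return peer_ip
    if not recursive:
        # real_ip_recursive off: the last (rightmost) header value is used.
        return hops[-1]
    # real_ip_recursive on (ingress-nginx's setting): walk right to left past
    # trusted proxies; the first untrusted hop is the client. When every hop
    # is trusted, as with 0.0.0.0/0, the leftmost, client-supplied value wins.
    for hop in reversed(hops):
        if not trusted(hop):
            return hop
    return hops[0]


# Constructed sample: client 203.0.113.7 sent its own X-Forwarded-For of
# 1.2.3.4, the LB appended the real client address, and the LB (10.1.2.3)
# opened the connection to the ingress controller.
PEER = "10.1.2.3"
XFF = "1.2.3.4, 203.0.113.7"


def trust_everything():
    return resolve_client_ip(PEER, XFF, ["0.0.0.0/0"])    # "1.2.3.4" (spoofed)


def trust_lb_only():
    return resolve_client_ip(PEER, XFF, ["10.1.0.0/16"])  # "203.0.113.7"
```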
7. How is CORS configured in ingress-nginx?
Answer:
Cross-origin resource sharing is configured through annotations.
```yaml
annotations:
  nginx.ingress.kubernetes.io/enable-cors: "true"
  nginx.ingress.kubernetes.io/cors-allow-origin: "https://app.example.com"
  nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, PUT, DELETE, OPTIONS"
  nginx.ingress.kubernetes.io/cors-allow-headers: "Authorization, Content-Type"
  nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
  nginx.ingress.kubernetes.io/cors-max-age: "86400"
```
8. How does ingress-nginx limit request rates?
Answer:
Annotations configure rate limiting based on the NGINX limit_req module.
```yaml
annotations:
  nginx.ingress.kubernetes.io/limit-rps: "100" # requests per second
  nginx.ingress.kubernetes.io/limit-rpm: "6000" # requests per minute
  nginx.ingress.kubernetes.io/limit-connections: "50" # concurrent connection limit
  nginx.ingress.kubernetes.io/limit-rate-after: "10m" # bytes sent before throttling starts
  nginx.ingress.kubernetes.io/limit-rate: "5m" # rate after throttling starts
  nginx.ingress.kubernetes.io/limit-burst-multiplier: "5" # burst multiplier
```
Scope and dimensions of rate limiting:
- Ingress level: rate limit applied to the whole Ingress
- Annotation level: per Ingress rule
9. How does ingress-nginx implement session affinity?
Answer:
Session affinity is implemented with a cookie.
```yaml
annotations:
  nginx.ingress.kubernetes.io/affinity: "cookie"
  nginx.ingress.kubernetes.io/session-cookie-name: "route"
  nginx.ingress.kubernetes.io/session-cookie-path: "/"
  nginx.ingress.kubernetes.io/session-cookie-max-age: "86400"
  nginx.ingress.kubernetes.io/session-cookie-expires: "86400"
```
How it works: NGINX issues a sticky cookie on the first request; subsequent requests carrying that cookie are routed to the same backend Pod.
10. How is an upstream TLS backend configured in ingress-nginx?
Answer:
When the backend Service must be reached over HTTPS, the backend-protocol annotation switches the upstream connection from HTTP to HTTPS.
```yaml
annotations:
  nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  nginx.ingress.kubernetes.io/secure-backends: "true" # deprecated, use backend-protocol
  # verify the upstream's TLS certificate
  nginx.ingress.kubernetes.io/proxy-ssl-secret: "default/backend-tls"
  nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
```
11. How is an IP allowlist configured in ingress-nginx?
Answer:
An annotation restricts the allowed source IP ranges.
```yaml
annotations:
  nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8, 192.168.0.0/16"
```
12. How are custom error pages implemented in ingress-nginx?
Answer:
The ConfigMap points the Controller at a custom error service and page set.
```yaml
# ConfigMap settings
data:
  custom-http-errors: "404,503"
  default-backend-service: "ingress-nginx/error-pages-svc"
```
```yaml
# Custom error backend Service
apiVersion: v1
kind: Service
metadata:
  name: error-pages-svc
spec:
  ports:
    - port: 80
      targetPort: 8080
```
13. How does ingress-nginx support WebSocket?
Answer:
ingress-nginx supports WebSocket natively with no extra configuration: NGINX detects the Upgrade header and tunnels the connection.
```yaml
# optional: WebSocket timeouts
annotations:
  nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
  nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
```
14. How are custom request/response headers set in ingress-nginx?
Answer:
```yaml
annotations:
  nginx.ingress.kubernetes.io/configuration-snippet: |
    more_set_headers "X-Frame-Options: DENY";
    more_set_headers "X-Content-Type-Options: nosniff";
    more_set_headers "Strict-Transport-Security: max-age=31536000";
    proxy_set_header X-Custom-Header "custom-value";
```
15. Which authentication mechanisms does ingress-nginx offer?
Answer:
Three modes are supported: basic authentication, external authentication and an OAuth proxy.
Basic authentication:
```bash
htpasswd -c auth admin
kubectl create secret generic basic-auth --from-file=auth
```
```yaml
annotations:
  nginx.ingress.kubernetes.io/auth-type: basic
  nginx.ingress.kubernetes.io/auth-secret: basic-auth
  nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
```
External authentication:
```yaml
annotations:
  nginx.ingress.kubernetes.io/auth-url: "https://auth.example.com/verify"
  nginx.ingress.kubernetes.io/auth-method: "GET"
  nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-User"
  nginx.ingress.kubernetes.io/auth-cache-key: "auth_cache_$remote_user"
  nginx.ingress.kubernetes.io/auth-cache-duration: "200 202 401"
```
16. How does ingress-nginx forward TCP/UDP services at Layer 4?
Answer:
ingress-nginx can expose non-HTTP TCP/UDP ports through ConfigMaps.
```yaml
# tcp-services ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services
  namespace: ingress-nginx
data:
  "3306": "default/mysql-svc:3306"
  "6379": "default/redis-svc:6379"
```
```yaml
# udp-services ConfigMap
data:
  "53": "kube-system/coredns-svc:53"
```
The Controller must be started with the argument --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services.
17. How does ingress-nginx implement health checks and failover?
Answer:
NGINX uses proxy_next_upstream to detect failing backends and fail over automatically.
```yaml
annotations:
  nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_502 http_503"
  nginx.ingress.kubernetes.io/proxy-next-upstream-tries: "3"
  nginx.ingress.kubernetes.io/proxy-next-upstream-timeout: "10"
```
Lua health checks (active):
- The Controller's built-in Lua script periodically probes the health of backend Endpoints
- Unhealthy endpoints are automatically removed from the upstream
- Configured in the global ConfigMap:
```yaml
upstream-healthcheck-path: "/healthz"
```
18. How does ingress-nginx implement SSL Passthrough?
Answer:
SSL Passthrough forwards TLS traffic to the backend as-is; ingress-nginx does not decrypt it.
```yaml
annotations:
  nginx.ingress.kubernetes.io/ssl-passthrough: "true"
```
```yaml
# the Controller must be started with the feature enabled
spec:
  template:
    spec:
      containers:
        - args:
            - --enable-ssl-passthrough
```
Note: with SSL Passthrough enabled, TLS termination and HTTP-based routing (such as path matching) are not possible; only SNI (Server Name Indication) based routing is supported, and the traffic is forwarded at Layer 4.
19. How is ingress-nginx tuned for large file uploads?
Answer:
```yaml
# ConfigMap
data:
  proxy-body-size: "0" # remove the request body limit
  proxy-request-buffering: "off" # disable request buffering
  proxy-buffering: "off" # disable response buffering
```
```yaml
# Ingress
annotations:
  nginx.ingress.kubernetes.io/proxy-body-size: "2000m"
  nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
  nginx.ingress.kubernetes.io/proxy-buffering: "off"
  nginx.ingress.kubernetes.io/proxy-max-temp-file-size: "0"
```
20. How are custom NGINX configuration snippets added in ingress-nginx?
Answer:
```yaml
# Global level (ConfigMap)
data:
  http-snippet: |
    geo $country {
      default ZZ;
      10.0.0.0/8 CN;
      192.168.0.0/16 US;
    }
  server-snippet: |
    if ($country = ZZ) {
      return 403;
    }
```
```yaml
# Ingress level
annotations:
  nginx.ingress.kubernetes.io/server-snippet: |
    location /internal {
      deny all;
      return 403;
    }
  nginx.ingress.kubernetes.io/configuration-snippet: |
    add_header X-Custom "value";
    if ($host = admin.example.com) {
      set $auth "off";
    }
```
21. How are monitoring and logging handled in ingress-nginx?
Answer:
It provides Prometheus metrics, access logs and a stats endpoint.
Prometheus metrics:
```yaml
# enable in the ConfigMap
data:
  enable-prometheus-metrics: "true"
```
Key metrics: nginx_ingress_controller_requests, nginx_ingress_controller_connections, nginx_ingress_controller_request_duration_seconds.
Access log:
```yaml
data:
  log-format-upstream: '{"time": "$time_iso8601", "remote_addr": "$remote_addr", "host": "$host", "method": "$request_method", "uri": "$uri", "status": $status, "body_bytes": $body_bytes_sent, "upstream_addr": "$upstream_addr", "request_time": $request_time, "upstream_response_time": "$upstream_response_time"}'
```
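Added example, not from the original page: a Python parser for the JSON log-format-upstream above. It splits the comma-separated upstream_addr and upstream_response_time values NGINX writes when proxy_next_upstream retried a request on another endpoint (question 17), and flags endpoints with a high share of abandoned attempts or final 5xx answers; the log lines are constructed samples.

```python
import json
from collections import defaultdict

# Constructed sample lines in the page's log-format-upstream JSON layout.
SAMPLE_LOG = """\
{"time": "2024-05-01T10:00:00+00:00", "remote_addr": "203.0.113.7", "host": "app.example.com", "method": "GET", "uri": "/api/v1/users", "status": 200, "body_bytes": 512, "upstream_addr": "10.244.1.5:8080", "request_time": 0.031, "upstream_response_time": "0.030"}
{"time": "2024-05-01T10:00:01+00:00", "remote_addr": "203.0.113.7", "host": "app.example.com", "method": "GET", "uri": "/api/v1/users", "status": 200, "body_bytes": 512, "upstream_addr": "10.244.1.6:8080, 10.244.1.5:8080", "request_time": 5.041, "upstream_response_time": "5.001, 0.040"}
{"time": "2024-05-01T10:00:02+00:00", "remote_addr": "198.51.100.9", "host": "app.example.com", "method": "POST", "uri": "/api/v1/login", "status": 502, "body_bytes": 150, "upstream_addr": "10.244.1.6:8080", "request_time": 0.002, "upstream_response_time": "0.001"}
{"time": "2024-05-01T10:00:03+00:00", "remote_addr": "198.51.100.9", "host": "app.example.com", "method": "GET", "uri": "/missing", "status": 404, "body_bytes": 146, "upstream_addr": "-", "request_time": 0.000, "upstream_response_time": "-"}
"""


def parse_access_log(text):
    """Parse newline-delimited JSON entries. NGINX joins upstream_addr and
    upstream_response_time with ", " when proxy_next_upstream retried the
    request on another endpoint, and writes "-" when no upstream was used."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        addrs = [a.strip() for a in str(rec["upstream_addr"]).split(",")]
        times = [t.strip() for t in str(rec["upstream_response_time"]).split(",")]
        rec["upstreams"] = [a for a in addrs if a not in ("-", "")]
        rec["upstream_times"] = [float(t) for t in times if t not in ("-", "")]
        entries.append(rec)
    return entries


def upstream_health(entries):
    """Per endpoint: attempts, attempts abandoned in favour of a later endpoint
    (a proxy_next_upstream failover), and final 5xx answers it produced."""
    stats = defaultdict(lambda: {"attempts": 0, "abandoned": 0, "final_5xx": 0})
    for rec in entries:
        ups = rec["upstreams"]
        for i, addr in enumerate(ups):
            stats[addr]["attempts"] += 1
            if i < len(ups) - 1:
                stats[addr]["abandoned"] += 1
            elif 500 <= int(rec["status"]) < 600:
                stats[addr]["final_5xx"] += 1
    return dict(stats)


def suspicious_upstreams(stats, min_attempts=2, failure_ratio=0.5):
    """Endpoints whose failed share of attempts (abandoned + final 5xx) is at or above failure_ratio."""
    return sorted(
        addr for addr, s in stats.items()
        if s["attempts"] >= min_attempts
        and (s["abandoned"] + s["final_5xx"]) / s["attempts"] >= failure_ratio
    )
```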
22. How does ingress-nginx address performance problems in large clusters?
Answer:
```yaml
# ConfigMap tuning for large clusters
data:
  worker-processes: "auto"
  worker-connections: "65536"
  max-worker-connections: "65536"
  use-http2: "true"
  enable-lua: "true"
  lua-max-running-timers: "4096"
  lua-max-pending-timers: "4096"
  large-client-header-buffers: "4 8k"
  keep-alive: "120"
  upstream-keepalive-connections: "320"
  upstream-keepalive-timeout: "120"
```
Relationship between LB and Ingress-layer connection counts:
Maximum connections per Ingress Controller = worker-processes × worker-connections
Example: auto (usually the number of CPU cores) × 65536 = millions of concurrent connections
23. How can ingress-nginx be installed?
Answer:
Helm (recommended):
```bash
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \
  --namespace ingress-nginx --create-namespace
```
kubectl manifest:
```bash
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.10.0/deploy/static/provider/baremetal/deploy.yaml
```
Key configuration parameters:
```yaml
# values.yaml
controller:
  service:
    type: LoadBalancer
    externalTrafficPolicy: Local
  config:
    use-forwarded-headers: "true"
    proxy-body-size: "50m"
  replicaCount: 3
  autoscaling:
    enabled: true
    minReplicas: 3
    maxReplicas: 10
  resources:
    requests:
      cpu: 500m
      memory: 1Gi
```
24. How does ingress-nginx handle global rate limits?
Answer:
Global rate limits take effect at the Controller level and are not affected by individual Ingress rules.
```yaml
# ConfigMap settings
data:
  limit-rate-after: "10m" # throttle after 10 MB
  limit-rate: "5m" # throttle to 5 MB/s
```
```yaml
# Ingress-level override
annotations:
  nginx.ingress.kubernetes.io/limit-rps: "1000"
  nginx.ingress.kubernetes.io/limit-burst-multiplier: "5"
```
25. How does IngressClass work in ingress-nginx?
Answer:
The IngressClass resource binds an Ingress to a Controller instance, which lets several Ingress Controllers coexist.
```yaml
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: nginx
spec:
  controller: k8s.io/ingress-nginx
  parameters:
    apiGroup: k8s.io
    kind: IngressParameters
    name: nginx-config
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
spec:
  ingressClassName: nginx # references the IngressClass
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app-svc
                port:
                  number: 80
```
Default IngressClass:
```yaml
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: nginx
  annotations:
    ingressclass.kubernetes.io/is-default-class: "true"
```
26. How does ingress-nginx support Server-Sent Events (SSE) and long-lived connections?
Answer:
```yaml
annotations:
  nginx.ingress.kubernetes.io/proxy-buffering: "off"
  nginx.ingress.kubernetes.io/proxy-read-timeout: "7200"
  nginx.ingress.kubernetes.io/proxy-send-timeout: "7200"
  nginx.ingress.kubernetes.io/proxy-cache: "off"
  nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
```
27. How does ingress-nginx support HTTP/2 and gRPC?
Answer:
```yaml
annotations:
  nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
  nginx.ingress.kubernetes.io/ssl-redirect: "true"
```
```yaml
# enable HTTP/2 in the ConfigMap
data:
  use-http2: "true"
```
gRPC backends must communicate over HTTPS or HTTP/2. ingress-nginx accepts HTTP/2 from clients and forwards to the backend as HTTP/1.1 or HTTP/2.
28. How do you troubleshoot ingress-nginx?
Answer:
```bash
# check the Controller Pod status
kubectl -n ingress-nginx get pods
kubectl -n ingress-nginx logs -l app.kubernetes.io/name=ingress-nginx
# check the Ingress resource
kubectl describe ingress <name>
kubectl describe svc <backend-svc>
# check the generated NGINX configuration
kubectl -n ingress-nginx exec <controller-pod> -- cat /etc/nginx/nginx.conf
# check the TLS Secret
kubectl describe secret <tls-secret>
# check the Controller configuration
kubectl -n ingress-nginx describe cm ingress-nginx-controller
```
Common problems:
| Problem | Cause | Troubleshooting |
|---|---|---|
| 502 Bad Gateway | Backend Service port mismatch | Check the Service port against the Pod port |
| 404 Not Found | Path does not match | Check the Ingress path configuration |
| Certificate error | Malformed Secret | base64-decode and inspect cert/key |
| Configuration has no effect | Misspelled annotation | Check events with kubectl describe |
29. How are custom upstream timeouts configured in ingress-nginx?
Answer:
```yaml
annotations:
  nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
  nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
  nginx.ingress.kubernetes.io/proxy-send-timeout: "120"
```
30. How does one ingress-nginx instance serve Ingresses from multiple namespaces?
Answer:
A single ingress-nginx Controller instance can handle Ingress resources from all namespaces.
```yaml
# Controller start-up arguments
spec:
  template:
    spec:
      containers:
        - args:
            - --watch-ingress-without-class=true # watch Ingresses without an IngressClass
            - --watch-namespace="" # empty = all namespaces
```
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shared-ingress
  namespace: team-a
spec:
  ingressClassName: nginx
  rules:
    - host: team-a.app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: team-a-svc
                port:
                  number: 80
```
Multi-namespace isolation: Ingresses in different namespaces use different hosts, or are distinguished by path prefix. The same Ingress Controller can serve all namespaces.