一、基本概念
k8s集群中,ingress作为集群内服务对外暴漏的访问接入点,几乎承载着集群内服务访问的所有流量。ingress是k8s中的一个资源对象,用来管理集群外部访问集群内部服务的方式。可以通过ingress资源来配置不同的转发规则,从而达到根据不同的规则设置访问集群内不同的Service后端Pod。
Ingress资源仅支持http流量的规则,无法配置一些高级特性。如:负载均衡的算法,Sessions Affinity等,这些高级特性都需要再ingress Controller中进行配置。
二、原理
为了是得ingress资源正常工作,集群中必须要有个ingress controller来解析ingress的转发规则。ingress controller收到请求,匹配ingress转发规则到后端service,而service转发到pod,最终由pod处理请求。k8s中service、ingress、ingress controller有着以下关系:
- service是后端真是服务的抽象,一个serivce可以代表多个相同的后端服务。
- ingress是反向代理规则,用来规定http/https请求因该被转发到那个service上。如根据请求中不同的host和url路径,让请求落到不同的service上。
- ingress controller是一个反向代理程序,负责解析ingress的反向代理规则。如果ingress有增删改的变动,ingress Controller会及时更新自己相应的转发规则,当ingress Controller收到请求后就会根据这些规则将请求转发到对应的service。
ingressController通过api server获取ingress资源的变化,动态生成load Balancer(如nginx)所需要的配置文件(如nginx.conf),然后重新加载load Balancer(r如:nginx -s reload重新加载nginx)来生成新的路由转发规则。
三、修改文件
# egrep -v "^$|^#|^ *#" values.yaml
global:image:registry: k8s.kubesre.xyz
namespaceOverride: ""
commonLabels: {}
controller:name: controllerenableAnnotationValidations: trueimage:chroot: falseregistry: registry-cn-hangzhou.ack.aliyuncs.comimage: acs/aliyun-ingress-controllertag: "v1.11.5-aliyun.1"pullPolicy: IfNotPresentrunAsNonRoot: truerunAsUser: 101runAsGroup: 82allowPrivilegeEscalation: falseseccompProfile:type: RuntimeDefaultreadOnlyRootFilesystem: falsecontainerName: controllercontainerPort:http: 80https: 443config: {}configAnnotations: {}proxySetHeaders: {}addHeaders: {}dnsConfig: {}hostAliases: []hostname: {}dnsPolicy: ClusterFirstreportNodeInternalIp: falsewatchIngressWithoutClass: falseingressClassByName: falseenableTopologyAwareRouting: falsedisableLeaderElection: falseelectionTTL: ""allowSnippetAnnotations: falsehostNetwork: truehostPort:enabled: falseports:http: 80https: 443networkPolicy:enabled: falseelectionID: ""ingressClassResource:name: nginxenabled: truedefault: falseannotations: {}controllerValue: k8s.io/ingress-nginxaliases: []parameters: {}ingressClass: nginxpodLabels: {}podSecurityContext: {}sysctls: {}containerSecurityContext: {}publishService:enabled: truepathOverride: ""scope:enabled: falsenamespace: ""namespaceSelector: ""configMapNamespace: ""tcp:configMapNamespace: ""annotations: {}udp:configMapNamespace: ""annotations: {}maxmindLicenseKey: ""extraArgs: {}extraEnvs: []kind: DaemonSetannotations: {}labels: {}updateStrategy: {}progressDeadlineSeconds: 0minReadySeconds: 0tolerations:- key: ""operator: "Exists"value: ""affinity: {}topologySpreadConstraints: []terminationGracePeriodSeconds: 300nodeSelector:kubernetes.io/os: linuxboge/ingress-controller-ready: "true"livenessProbe:httpGet:path: "/healthz"port: 10254scheme: HTTPinitialDelaySeconds: 10periodSeconds: 10timeoutSeconds: 1successThreshold: 1failureThreshold: 5readinessProbe:httpGet:path: "/healthz"port: 10254scheme: HTTPinitialDelaySeconds: 10periodSeconds: 10timeoutSeconds: 1successThreshold: 1failureThreshold: 3healthCheckPath: "/healthz"healthCheckHost: ""podAnnotations: {}replicaCount: 1minAvailable: 1unhealthyPodEvictionPolicy: ""resources:limits:cpu: 6memory: 12Girequests:cpu: 2memory: 4Giautoscaling:enabled: falseannotations: {}minReplicas: 1maxReplicas: 11targetCPUUtilizationPercentage: 50targetMemoryUtilizationPercentage: 50behavior: {}autoscalingTemplate: []keda:apiVersion: "keda.sh/v1alpha1"enabled: falseminReplicas: 1maxReplicas: 11pollingInterval: 30cooldownPeriod: 300restoreToOriginalReplicaCount: falsescaledObject:annotations: {}triggers: []behavior: {}enableMimalloc: truecustomTemplate:configMapName: ""configMapKey: ""service:enabled: trueexternal:enabled: trueannotations: {}labels: {}type: ClusterIPclusterIP: ""externalIPs: []loadBalancerIP: ""loadBalancerSourceRanges: []loadBalancerClass: ""externalTrafficPolicy: ""sessionAffinity: ""ipFamilyPolicy: SingleStackipFamilies:- IPv4enableHttp: trueenableHttps: trueports:http: 80https: 443targetPorts:http: httphttps: httpsappProtocol: truenodePorts:http: ""https: ""tcp: {}udp: {}internal:enabled: falseannotations: {}type: ""clusterIP: ""externalIPs: []loadBalancerIP: ""loadBalancerSourceRanges: []loadBalancerClass: ""externalTrafficPolicy: ""sessionAffinity: ""ipFamilyPolicy: SingleStackipFamilies:- IPv4ports: {}targetPorts: {}appProtocol: truenodePorts:http: ""https: ""tcp: {}udp: {}shareProcessNamespace: falseextraContainers: []extraVolumeMounts: []extraVolumes: []extraInitContainers: []extraModules: []admissionWebhooks:name: admissionannotations: {}enabled: trueextraEnvs: []failurePolicy: Failport: 8443certificate: "/usr/local/certificates/cert"key: "/usr/local/certificates/key"namespaceSelector: {}objectSelector: {}labels: {}service:annotations: {}externalIPs: []loadBalancerSourceRanges: []servicePort: 443type: ClusterIPcreateSecretJob:name: createsecurityContext:runAsNonRoot: truerunAsUser: 65532runAsGroup: 65532allowPrivilegeEscalation: falseseccompProfile:type: RuntimeDefaultcapabilities:drop:- ALLreadOnlyRootFilesystem: trueresources: {}patchWebhookJob:name: patchsecurityContext:runAsNonRoot: truerunAsUser: 65532runAsGroup: 65532allowPrivilegeEscalation: falseseccompProfile:type: RuntimeDefaultcapabilities:drop:- ALLreadOnlyRootFilesystem: trueresources: {}patch:enabled: trueimage:registry: registry.k8s.ioimage: ingress-nginx/kube-webhook-certgentag: v1.5.2pullPolicy: IfNotPresentpriorityClassName: ""podAnnotations: {}networkPolicy:enabled: falsenodeSelector:kubernetes.io/os: linuxboge/ingress-controller-ready: "true"tolerations:- operator: Existslabels: {}securityContext: {}rbac:create: trueserviceAccount:create: truename: ""automountServiceAccountToken: truecertManager:enabled: falserootCert:duration: ""admissionCert:duration: ""metrics:port: 10254portName: metricsenabled: falseservice:enabled: trueannotations: {}labels: {}externalIPs: []loadBalancerSourceRanges: []servicePort: 10254type: ClusterIPserviceMonitor:enabled: falseadditionalLabels: {}annotations: {}namespace: ""namespaceSelector: {}scrapeInterval: 30stargetLabels: []relabelings: []metricRelabelings: []prometheusRule:enabled: falseadditionalLabels: {}annotations: {}rules: []lifecycle:preStop:exec:command:- /wait-shutdownpriorityClassName: ""
revisionHistoryLimit: 10
defaultBackend:enabled: falsename: defaultbackendimage:registry: registry.k8s.ioimage: defaultbackend-amd64tag: "1.5"pullPolicy: IfNotPresentrunAsNonRoot: truerunAsUser: 65534runAsGroup: 65534allowPrivilegeEscalation: falseseccompProfile:type: RuntimeDefaultreadOnlyRootFilesystem: trueextraArgs: {}serviceAccount:create: truename: ""automountServiceAccountToken: trueextraEnvs: []port: 8080livenessProbe:failureThreshold: 3initialDelaySeconds: 30periodSeconds: 10successThreshold: 1timeoutSeconds: 5readinessProbe:failureThreshold: 6initialDelaySeconds: 0periodSeconds: 5successThreshold: 1timeoutSeconds: 5updateStrategy: {}minReadySeconds: 0tolerations: - key: ""operator: "Exists"value: ""affinity: {}topologySpreadConstraints: []podSecurityContext: {}containerSecurityContext: {}podLabels: {}nodeSelector:kubernetes.io/os: linuxboge/ingress-controller-ready: "true"podAnnotations: {}replicaCount: 1minAvailable: 1unhealthyPodEvictionPolicy: ""resources: {}extraVolumeMounts: []extraVolumes: []extraConfigMaps: []autoscaling:annotations: {}enabled: falseminReplicas: 1maxReplicas: 2targetCPUUtilizationPercentage: 50targetMemoryUtilizationPercentage: 50networkPolicy:enabled: falseservice:annotations: {}externalIPs: []loadBalancerSourceRanges: []servicePort: 80type: ClusterIPpriorityClassName: ""labels: {}
rbac:create: truescope: false
serviceAccount:create: truename: ""automountServiceAccountToken: trueannotations: {}
imagePullSecrets: []
tcp: {}
udp: {}
portNamePrefix: ""
dhParam: ""# helm upgrade --install ingress-nginx -n ingress-nginx . -f values.yaml
进程地址空间)
 Spring AI 1.0版本 + 千问大模型+RAG)
——攻击者使用什么漏洞获取了服务器的配置文件?)
)
