2026/4/6 7:26:16
Latest: on January 30 (Beijing time) the Kubernetes Steering Committee and Security Response Committee published a further notice on kubernetes.io, "Ingress NGINX: Statement from the Kubernetes Steering and Security Response Committees", stressing that users should migrate off Ingress NGINX immediately; a Chinese version was published through the official CNCF WeChat account.

English notice: https://kubernetes.io/blog/2026/01/29/ingress-nginx-statement/

## 1. Environment

- Kubernetes 1.35.0
- kube-proxy is not installed in the cluster, or is planned to be replaced (in my environment it has already been replaced)
- Layer-3 connectivity between all cluster nodes
- Pod CIDR already planned; the example uses 10.244.0.0/16

## 2. Why Cilium Gateway API

| Dimension | Nginx Ingress | Cilium Gateway API |
|---|---|---|
| Standardization | Low (annotation-driven) | High (Kubernetes-native API) |
| Data plane | iptables / userspace | eBPF + Envoy |
| Security capabilities | Mostly L4 | L4 + L7 native |
| Observability | Plugin-based | Hubble native |
| Upstream direction | Maintenance only | Actively developed |

## 3. Install Cilium (kube-proxy replacement mode)

### 3.1 Install the Cilium CLI

```bash
curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz
sudo tar xzvf cilium-linux-amd64.tar.gz -C /usr/local/bin
cilium version
```

### 3.2 Install Cilium (v1.18.x recommended)

```bash
cilium install \
  --set kubeProxyReplacement=true \
  --set ipam.mode=kubernetes \
  --set routingMode=native \
  --set autoDirectNodeRoutes=true \
  --set ipam.operator.clusterPoolIPv4PodCIDRList=10.244.0.0/16 \
  --set ipam.operator.clusterPoolIPv4MaskSize=24 \
  --set ipv4NativeRoutingCIDR=10.244.0.0/16 \
  --set hubble.enabled=true \
  --set hubble.relay.enabled=true \
  --set hubble.ui.enabled=true
```

Two things to check before running this on a cluster without kube-proxy:

- Without kube-proxy the `kubernetes` ClusterIP is not reachable until Cilium itself is running, so the agent must be pointed at the API server directly with the `k8sServiceHost` and `k8sServicePort` Helm values (the API server's real IP or DNS name and port), otherwise the agents never come up.
- The two `ipam.operator.clusterPool*` values are only read in `ipam.mode=cluster-pool`. In `ipam.mode=kubernetes` each node's pod range comes from `Node.spec.podCIDR`, so the kube-controller-manager must be allocating node CIDRs out of 10.244.0.0/16. `ipv4NativeRoutingCIDR` must still match the pod CIDR: traffic to destinations inside it is routed without masquerading.

### 3.3 Verify Cilium status

```bash
cilium status
```

```
root@ops-test-025:~# cilium status
    /¯¯\
 /¯¯\__/¯¯\    Cilium:             OK
 \__/¯¯\__/    Operator:           OK
 /¯¯\__/¯¯\    Envoy DaemonSet:    OK
 \__/¯¯\__/    Hubble Relay:       OK
    \__/       ClusterMesh:        disabled

DaemonSet              cilium                   Desired: 2, Ready: 2/2, Available: 2/2
DaemonSet              cilium-envoy             Desired: 2, Ready: 2/2, Available: 2/2
Deployment             cilium-operator          Desired: 1, Ready: 1/1, Available: 1/1
Deployment             hubble-relay             Desired: 1, Ready: 1/1, Available: 1/1
Deployment             hubble-ui                Desired: 1, Ready: 1/1, Available: 1/1
Containers:            cilium                   Running: 2
                       cilium-envoy             Running: 2
                       cilium-operator          Running: 1
                       clustermesh-apiserver
                       hubble-relay             Running: 1
                       hubble-ui                Running: 1
Cluster Pods:          4/4 managed by Cilium
Helm chart version:    1.18.3
Image versions         cilium             quay.io/cilium/cilium:v1.18.3@sha256:5649db451c88d928ea585514746d50d91e6210801b300c897283ea319d68de15: 2
                       cilium-envoy       quay.io/cilium/cilium-envoy:v1.34.10-1761014632-c360e8557eb41011dfb5210f8fb53fed6c0b3222@sha256:ca76eb4e9812d114c7f43215a742c00b8bf41200992af0d21b5561d46156fd15: 2
                       cilium-operator    quay.io/cilium/operator-generic:v1.18.3@sha256:b5a0138e1a38e4437c5215257ff4e35373619501f4877dbaf92c89ecfad81797: 1
                       hubble-relay       quay.io/cilium/hubble-relay:v1.18.3@sha256:e53e00c47fe4ffb9c086bad0c1c77f23cb968be4385881160683d9e15aa34dc3: 1
                       hubble-ui          quay.io/cilium/hubble-ui-backend:v0.13.3@sha256:db1454e45dc39ca41fbf7cad31eec95d99e5b9949c39daaad0fa81ef29d56953: 1
                       hubble-ui          quay.io/cilium/hubble-ui:v0.13.3@sha256:661d5de7050182d495c6497ff0b007a7a1e379648e60830dd68c4d78ae21761d: 1
root@ops-test-025:~#
```

Key checks:

- Cilium: OK
- Operator: OK
- Envoy DaemonSet: OK
- Hubble Relay: OK

## 4. Enable the Ingress Controller

In Cilium 1.18 the Ingress controller and the Gateway API controller are separate features, each enabled by its own Helm value. Enabling the Ingress controller is only needed if Cilium should also serve existing `Ingress` resources during the migration; it is not a prerequisite for Gateway API.

```bash
cilium upgrade \
  --set ingressController.enabled=true \
  --set ingressController.default=true
```

Two caveats:

- `ingressController.default=true` marks the `cilium` IngressClass as the cluster default. Do not set it while ingress-nginx is still the default class, otherwise Ingress objects without an explicit `ingressClassName` are claimed by two controllers.
- `cilium upgrade` is a Helm upgrade under the hood. After each upgrade confirm that the values from the original install (in particular `kubeProxyReplacement`) are still in effect, for example with `cilium config view` or `helm get values cilium -n kube-system`, before moving on.

Verify:

```bash
kubectl get ingressclass
```

```
root@ops-test-025:~# kubectl get ingressclass
NAME     CONTROLLER                     PARAMETERS   AGE
cilium   cilium.io/ingress-controller   <none>       51m
```

## 5. Install the Gateway API CRDs (upstream standard channel)

```bash
kubectl apply -f \
  https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml
```

Each Cilium release supports a specific Gateway API CRD version; check the Gateway API page of the Cilium 1.18 documentation and install the version listed there rather than whatever is latest.

Verify:

```bash
kubectl get crd | grep gateway
```

```
root@ops-test-025:~# kubectl get crd | grep gateway
gatewayclasses.gateway.networking.k8s.io    2026-02-02T08:52:00Z
gateways.gateway.networking.k8s.io          2026-02-02T08:52:00Z
grpcroutes.gateway.networking.k8s.io        2026-02-02T08:52:00Z
httproutes.gateway.networking.k8s.io        2026-02-02T08:52:01Z
referencegrants.gateway.networking.k8s.io   2026-02-02T08:52:01Z
root@ops-test-025:~#
```

## 6. Enable the Cilium Gateway API controller (key step)

The CRDs must exist before this step; the operator only activates the Gateway API controller when it finds them.

```bash
cilium upgrade --set gatewayAPI.enabled=true
```

Verify the GatewayClass:

```bash
kubectl get gatewayclass
```

```
root@ops-test-025:~# kubectl get gatewayclass
NAME     CONTROLLER                   ACCEPTED   AGE
cilium   io.cilium/gateway-controller Unknown    46m
```

Expected: `cilium   io.cilium/gateway-controller`, and in a healthy install `ACCEPTED` should read `True`. `Unknown` is the default status the CRD assigns on creation (reason `Pending`) and means the Cilium operator has not reconciled the class yet. Do not treat it as harmless: check `kubectl describe gatewayclass cilium` and the `cilium-operator` logs, and confirm the operator was restarted after the CRDs were installed, before creating Gateways against it.

## 7. Create the Gateway (the entry boundary)

### 7.1 Create the Gateway

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: edge-gateway
  namespace: default
spec:
  gatewayClassName: cilium
  listeners:
    - name: http
      protocol: HTTP
      port: 80
```

```bash
kubectl apply -f gateway.yaml
```

### 7.2 Verify Gateway status

```bash
kubectl get gateway
```

```
root@ops-test-025:~# kubectl get gateway
NAME           CLASS    ADDRESS   PROGRAMMED   AGE
edge-gateway   cilium             Unknown      38m
```

As with the GatewayClass, `PROGRAMMED Unknown` with an empty `ADDRESS` is the pre-reconciliation default, not a programmed Gateway. A Gateway that can carry traffic shows `PROGRAMMED True` and, once the LoadBalancer Service behind it has been assigned an IP, an address; `kubectl describe gateway edge-gateway` shows the conditions and their reasons.

## 8. Create the HTTPRoute (application routing)

Assume a Service `demo-svc:80` already exists in the `default` namespace (the route has no namespace set, so it lands in `default`, alongside the Gateway):

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: demo-route
spec:
  parentRefs:
    - name: edge-gateway
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: demo-svc
          port: 80
```

```bash
kubectl apply -f httproute.yaml
```

## 9. Traffic entry point

### 9.1 Find the Gateway Service

Cilium creates a LoadBalancer Service named `cilium-gateway-<gateway-name>` in the same namespace as the Gateway, so for the Gateway above look in `default`, not `kube-system`:

```bash
kubectl get svc -n default cilium-gateway-edge-gateway
```

### 9.2 Access check

Request the address shown in the Gateway's `ADDRESS` column (or the Service's `EXTERNAL-IP`), e.g. `curl -i http://<ADDRESS>/`, and confirm the response comes from `demo-svc`.

## 10. Security hardening (recommended)

### 10.1 Only allow the Gateway as the entry point

The Envoy proxy that serves Cilium Ingress and Gateway API traffic carries Cilium's reserved `ingress` identity, so that is the entity to allow. (`gateway` is not a valid Cilium entity and the API server rejects it.)

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: only-from-gateway
spec:
  endpointSelector:
    matchLabels:
      app: demo
  ingress:
    - fromEntities:
        - ingress
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
```

Once this policy selects the `app: demo` pods, any ingress traffic not listed (pod-to-pod traffic from other workloads, direct NodePort access) is dropped, which is exactly the point: the only way in is through the Gateway.

## 11. Observability check with Hubble

With the Hubble CLI installed and `cilium hubble port-forward` running, L7 flows that pass through the Gateway's Envoy are visible as HTTP:

```bash
hubble observe --protocol http
```

## 12. Migration advice: from Nginx Ingress to Gateway API

Recommended migration path:

1. Keep Nginx Ingress running, but add no new workloads to it.
2. New workloads use Gateway API only.
3. Rewrite existing Ingress objects as HTTPRoutes, one service at a time.
4. Finally decommission the Nginx Ingress Controller.
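The `ACCEPTED Unknown` and `PROGRAMMED Unknown` columns in sections 6 and 7 are shorthand for status conditions that a script should read directly. The following is an added example, not code from the original post or from the Cilium project: it evaluates the conditions on a Gateway (and a GatewayClass) as returned by `kubectl get gateway <name> -o json` and lists what still blocks traffic. Both Gateway objects embedded below are constructed by hand, not captured from a cluster.

```python
"""Evaluate Gateway API status conditions instead of eyeballing the
ACCEPTED / PROGRAMMED columns.

Added example (not from the post or the Cilium project). Input is the
object that ``kubectl get gateway <name> -o json`` prints; the two samples
at the bottom are constructed, not captured from a cluster.
"""
from typing import List, Optional


def find_condition(conditions: Optional[list], ctype: str) -> Optional[dict]:
    """Return the metav1.Condition with the given type, or None."""
    for cond in conditions or []:
        if cond.get("type") == ctype:
            return cond
    return None


def condition_problem(conditions: Optional[list], ctype: str, where: str) -> Optional[str]:
    """Describe why a condition is not True, or return None when it is."""
    cond = find_condition(conditions, ctype)
    if cond is None:
        return f"{where}: condition {ctype} not set"
    if cond.get("status") != "True":
        # The Gateway API CRDs default Accepted/Programmed to status Unknown,
        # reason Pending: the controller has not reconciled the object yet.
        return f"{where}: {ctype}={cond.get('status')} reason={cond.get('reason')} {cond.get('message', '')}".rstrip()
    return None


def gatewayclass_problems(gc: dict) -> List[str]:
    """Problems for a GatewayClass; an empty list means the controller accepted it."""
    p = condition_problem(gc.get("status", {}).get("conditions"), "Accepted", gc["metadata"]["name"])
    return [p] if p else []


def gateway_problems(gw: dict) -> List[str]:
    """Problems that stop a Gateway from carrying traffic; empty means ready."""
    name = gw["metadata"]["name"]
    status = gw.get("status", {})
    problems = []
    for ctype in ("Accepted", "Programmed"):
        p = condition_problem(status.get("conditions"), ctype, name)
        if p:
            problems.append(p)
    if not status.get("addresses"):
        problems.append(f"{name}: no address assigned (LoadBalancer IP still pending)")
    for lst in status.get("listeners", []):
        where = f"{name}/listener {lst.get('name')}"
        for ctype in ("Accepted", "Programmed", "ResolvedRefs"):
            p = condition_problem(lst.get("conditions"), ctype, where)
            if p:
                problems.append(p)
        if lst.get("attachedRoutes", 0) == 0:
            problems.append(f"{where}: no HTTPRoute attached")
    return problems


# Constructed sample 1: the CRD defaults before the controller touches the
# object, i.e. the "Unknown" seen in the post.
PENDING_GATEWAY = {
    "apiVersion": "gateway.networking.k8s.io/v1",
    "kind": "Gateway",
    "metadata": {"name": "edge-gateway", "namespace": "default"},
    "spec": {"gatewayClassName": "cilium",
             "listeners": [{"name": "http", "protocol": "HTTP", "port": 80}]},
    "status": {"conditions": [
        {"type": "Accepted", "status": "Unknown", "reason": "Pending",
         "message": "Waiting for controller"},
        {"type": "Programmed", "status": "Unknown", "reason": "Pending",
         "message": "Waiting for controller"}]},
}

# Constructed sample 2: a reconciled Gateway with an address and one route.
READY_GATEWAY = {
    "apiVersion": "gateway.networking.k8s.io/v1",
    "kind": "Gateway",
    "metadata": {"name": "edge-gateway", "namespace": "default"},
    "spec": {"gatewayClassName": "cilium",
             "listeners": [{"name": "http", "protocol": "HTTP", "port": 80}]},
    "status": {
        "addresses": [{"type": "IPAddress", "value": "192.0.2.10"}],
        "conditions": [
            {"type": "Accepted", "status": "True", "reason": "Accepted"},
            {"type": "Programmed", "status": "True", "reason": "Programmed"}],
        "listeners": [{"name": "http", "attachedRoutes": 1, "conditions": [
            {"type": "Accepted", "status": "True", "reason": "Accepted"},
            {"type": "Programmed", "status": "True", "reason": "Programmed"},
            {"type": "ResolvedRefs", "status": "True", "reason": "ResolvedRefs"}]}],
    },
}


if __name__ == "__main__":
    import json
    import sys
    # Usage: kubectl get gateway edge-gateway -o json | python3 gateway_check.py -
    obj = json.load(sys.stdin) if len(sys.argv) > 1 and sys.argv[1] == "-" else PENDING_GATEWAY
    for line in gateway_problems(obj) or ["ready"]:
        print(line)
```

Run against the pending sample it reports the two `Unknown` conditions and the missing address; against the ready sample it reports nothing. Wiring it into a migration pipeline as a gate (non-empty list means stop) is more reliable than reading the `PROGRAMMED` column by eye.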
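Step 3 of the migration path in section 12, rewriting existing Ingress objects as HTTPRoutes, is where the annotation-driven behaviour of ingress-nginx has to be made explicit. The converter below is an added example, not code from the original post or from the Cilium project. It turns a `networking.k8s.io/v1` Ingress into one HTTPRoute per host (HTTPRoute hostnames are route-wide, so merging hosts into one route would let every path match every host), attaches them to the post's `edge-gateway`, and refuses or flags what cannot be converted mechanically: `ImplementationSpecific` paths, `nginx.ingress.kubernetes.io/*` annotations, named Service ports, and `spec.tls` (which belongs on a Gateway listener, not a route). The sample Ingress is constructed for the example.

```python
"""Rewrite networking.k8s.io/v1 Ingress objects as Gateway API HTTPRoutes.

Added example for the migration step in section 12; not code from the
original post or from the Cilium project. Assumes the Gateway is named
``edge-gateway`` (as in the post) and lives in the route's own namespace
unless ``gateway_namespace`` is passed.
"""
import json
import re
from typing import List, Optional, Tuple

# Ingress pathType -> HTTPRoute path match type. ImplementationSpecific is
# deliberately absent: its meaning depended on the old controller (for
# ingress-nginx usually a regex), so it has to be rewritten by hand.
PATH_TYPE_MAP = {"Prefix": "PathPrefix", "Exact": "Exact"}

# ingress-nginx annotations change routing semantics (rewrites, auth, rate
# limits, ...) and have no automatic HTTPRoute equivalent.
RISKY_ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"


def _route_name(ingress_name: str, host: Optional[str]) -> str:
    """Derive a DNS-1123 compatible HTTPRoute name from Ingress name + host."""
    if not host:
        return ingress_name
    return f"{ingress_name}-{re.sub(r'[^a-z0-9-]', '-', host.lower())}"


def _backend_ref(backend: dict, warnings: List[str]) -> dict:
    """Map an IngressBackend to an HTTPRoute backendRef (Service + numeric port)."""
    svc = backend["service"]
    ref = {"name": svc["name"]}
    port = svc.get("port", {})
    if "number" in port:
        ref["port"] = port["number"]
    else:
        # HTTPRoute backendRefs take a port number; a named port must be
        # resolved against the Service before the route is applied.
        warnings.append(f"backend {svc['name']}: port name {port.get('name')!r} must be resolved to a number")
    return ref


def ingress_to_httproutes(ingress: dict, gateway_name: str = "edge-gateway",
                          gateway_namespace: Optional[str] = None) -> Tuple[List[dict], List[str]]:
    """Return (httproutes, warnings). Raises ValueError for paths that need manual work."""
    meta = ingress["metadata"]
    spec = ingress.get("spec", {})
    namespace = meta.get("namespace", "default")
    warnings: List[str] = []

    for key in meta.get("annotations", {}):
        if key.startswith(RISKY_ANNOTATION_PREFIX):
            warnings.append(f"annotation {key} has no automatic HTTPRoute equivalent; review manually")
    if spec.get("tls"):
        warnings.append("spec.tls not carried over: TLS terminates on a Gateway HTTPS listener, not on the route")

    parent = {"name": gateway_name}
    if gateway_namespace and gateway_namespace != namespace:
        # Cross-namespace attachment also needs the Gateway's allowedRoutes to permit it.
        parent["namespace"] = gateway_namespace

    def make_route(host: Optional[str], rules: List[dict]) -> dict:
        route = {
            "apiVersion": "gateway.networking.k8s.io/v1",
            "kind": "HTTPRoute",
            "metadata": {"name": _route_name(meta["name"], host), "namespace": namespace},
            "spec": {"parentRefs": [parent], "rules": rules},
        }
        if host:
            route["spec"]["hostnames"] = [host]
        return route

    routes = []
    for rule in spec.get("rules", []):
        http_rules = []
        for p in rule.get("http", {}).get("paths", []):
            ptype = p.get("pathType", "ImplementationSpecific")
            if ptype not in PATH_TYPE_MAP:
                raise ValueError(f"{meta['name']}: pathType {ptype} for {p.get('path')!r} cannot be converted automatically")
            http_rules.append({
                "matches": [{"path": {"type": PATH_TYPE_MAP[ptype], "value": p.get("path", "/")}}],
                "backendRefs": [_backend_ref(p["backend"], warnings)],
            })
        routes.append(make_route(rule.get("host"), http_rules))

    if spec.get("defaultBackend"):
        # The Ingress catch-all becomes a host-less PathPrefix "/" route.
        routes.append(make_route(None, [{
            "matches": [{"path": {"type": "PathPrefix", "value": "/"}}],
            "backendRefs": [_backend_ref(spec["defaultBackend"], warnings)],
        }]))
    return routes, warnings


# Constructed sample Ingress: one host with two paths, one host-less rule
# with a named port, and a rewrite annotation that needs a manual look.
SAMPLE_INGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "demo", "namespace": "default",
                 "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/"}},
    "spec": {"ingressClassName": "nginx", "rules": [
        {"host": "demo.example.com", "http": {"paths": [
            {"path": "/api", "pathType": "Prefix",
             "backend": {"service": {"name": "demo-svc", "port": {"number": 80}}}},
            {"path": "/healthz", "pathType": "Exact",
             "backend": {"service": {"name": "demo-svc", "port": {"number": 80}}}}]}},
        {"http": {"paths": [
            {"path": "/", "pathType": "Prefix",
             "backend": {"service": {"name": "legacy-svc", "port": {"name": "http"}}}}]}},
    ]},
}

if __name__ == "__main__":
    routes, warnings = ingress_to_httproutes(SAMPLE_INGRESS)
    print(json.dumps(routes, indent=2))
    for w in warnings:
        print("WARNING:", w)
```

Feed it a real object with `kubectl get ingress <name> -o json` and apply the emitted HTTPRoutes only after every warning has been resolved; a `ValueError` on an `ImplementationSpecific` path is the converter telling you that the old regex behaviour has to be reproduced by hand (as an explicit `PathPrefix`/`Exact` match or a `RegularExpression` match where the controller supports it).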