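Karmada Multi-Cluster Ingress (MCI) in Practice

I. Background

In multi-cluster scenarios, the native Kubernetes Ingress controller cannot schedule or manage traffic across clusters. Karmada, a multi-cluster management control plane for Kubernetes, provides the Multi-Cluster Ingress (MCI) capability specifically to give multi-cluster applications a single, unified entry point.

MCI manages and automatically distributes multi-cluster Ingress through the MultiClusterIngress CRD resource and relies on karmada-agent for resource synchronization, so that the cross-cluster traffic entry point is unified, automated and controllable.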


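II. MCI core components

| Component | Role |
|---|---|
| MultiClusterIngress (MCI) | Core CRD resource that defines the unified entry point for a multi-cluster application |
| ServiceExport / ServiceImport | Solves cross-cluster backend service discovery |
| karmada Ingress Controller | Traffic entry point inside each member cluster; it must receive the Ingress resources distributed by karmada-apiserver (Karmada does not maintain its own Karmada ingress controller, so it has to be built manually; see this link) |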

III. Typical MCI architecture

                   ┌──────────────────┐
                   │  Karmada Control │
                   │    Plane (Host)  │
                   └──────────────────┘
                            │
              ┌─────────────┴─────────────┐
              │                           │
    ┌─────────────────┐        ┌─────────────────┐
    │   Member Cluster│        │   Member Cluster│
    │     (cluster1)  │        │     (cluster2)  │
    ├─────────────────┤        ├─────────────────┤
    │ karmada-ingress │        │ karmada-ingress │
    └─────────────────┘        └─────────────────┘

IV. MCI deployment steps in detail

1. Environment preparation

  • Kubernetes >= 1.20
  • Karmada >= v1.5.0
  • Every member cluster has joined Karmada
  • karmada-ingress is deployed in the member clusters

2. Deploy karmada-ingress in each member cluster

# for HTTPS
git clone https://github.com/karmada-io/multi-cluster-ingress-nginx.git
# for SSH
git clone git@github.com:karmada-io/multi-cluster-ingress-nginx.git

cd multi-cluster-ingress-nginx/charts/ingress-nginx

helm install ingress-nginx . -n ingress-nginx --create-namespace

After the deployment completes, edit the ingress-nginx-controller Deployment and add the following:

apiVersion: apps/v1
kind: Deployment
metadata:
  #...
spec:
  #...
  template:
    spec:
      containers:
      - args:
        - /nginx-ingress-controller
        - --karmada-kubeconfig=/etc/kubeconfig  # new line
        #...
        volumeMounts:
        #...
        - mountPath: /etc/kubeconfig            # new line
          name: kubeconfig                      # new line
          subPath: kubeconfig                   # new line
      volumes:
      #...
      - name: kubeconfig                        # new line
        secret:                                 # new line
          secretName: kubeconfig                # new line

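5. Create the service exposure resources

Before creating them, an nginx Deployment must be running. Run the command:

kubectl create deployment nginx --image nginx --port=80 --kubeconfig /root/.kube/kamadaconfig

Then create the service exposure resources shown below:
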
apiVersion: v1
kind: Service
metadata:
  name: serve
spec:
  ports:
  - port: 80
    targetPort: 80
  selector:
    app: nginx
---
apiVersion: policy.karmada.io/v1alpha1
kind: PropagationPolicy
metadata:
  name: example-policy # The default namespace is `default`.
spec:
  resourceSelectors:
    - apiVersion: apps/v1
      kind: Deployment
      name: nginx 
    - apiVersion: v1
      kind: Service
      name: serve
  placement:
    clusterAffinity:
      clusterNames:
        - test 
        - test2
---
apiVersion: multicluster.x-k8s.io/v1alpha1
kind: ServiceExport
metadata:
  name: serve
---
apiVersion: policy.karmada.io/v1alpha1
kind: PropagationPolicy
metadata:
  name: serve-export-policy
spec:
  resourceSelectors:
    - apiVersion: multicluster.x-k8s.io/v1alpha1
      kind: ServiceExport
      name: serve
  placement:
    clusterAffinity:
      clusterNames:
        - test
        - test2
---
apiVersion: multicluster.x-k8s.io/v1alpha1
kind: ServiceImport
metadata:
  name: serve
spec:
  type: ClusterSetIP
  ports:
  - port: 80
    protocol: TCP
---
apiVersion: policy.karmada.io/v1alpha1
kind: PropagationPolicy
metadata:
  name: serve-import-policy
spec:
  resourceSelectors:
    - apiVersion: multicluster.x-k8s.io/v1alpha1
      kind: ServiceImport
      name: serve
  placement:
    clusterAffinity:
      clusterNames:
        - test
        - test2

6. Create the MultiClusterIngress resource

The MultiClusterIngress must also be created through karmada-apiserver.

apiVersion: networking.karmada.io/v1alpha1
kind: MultiClusterIngress
metadata:
  name: demo-localhost
  namespace: default
spec:
  ingressClassName: nginx
  rules:
  - host: demo.localdev.me
    http:
      paths:
      - backend:
          service:
            name: serve
            port:
              number: 80
        path: /web
        pathType: Prefix
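
A consistency check for the resources created in steps 5 and 6, as an added example that is not part of the original article or of the Karmada project: it reports MultiClusterIngress backends that have no matching ServiceExport/ServiceImport or that name a port the ServiceImport does not expose. It assumes a backend is resolved through a ServiceImport of the same name and namespace; the input is the `items` list of a `kubectl get -o json` run against karmada-apiserver, and `check_mci_backends`, `_backend` and `SAMPLE` are hypothetical names.

```python
# Added example: cross-check MultiClusterIngress backends against
# ServiceExport/ServiceImport objects. Assumption: a backend is resolved via a
# ServiceImport with the same name and namespace as the backend service.

def check_mci_backends(objects):
    """Return findings for MCI backends that lack an export, import or port."""
    imports, exports = {}, set()
    for o in objects:
        meta = o.get("metadata", {})
        key = (meta.get("namespace", "default"), meta.get("name"))
        if o.get("kind") == "ServiceImport":
            imports[key] = {p.get("port") for p in o.get("spec", {}).get("ports", [])}
        elif o.get("kind") == "ServiceExport":
            exports.add(key)
    findings = []
    for o in objects:
        if o.get("kind") != "MultiClusterIngress":
            continue
        meta = o.get("metadata", {})
        ns = meta.get("namespace", "default")
        for rule in o.get("spec", {}).get("rules", []):
            for path in rule.get("http", {}).get("paths", []):
                svc = path.get("backend", {}).get("service", {})
                key = (ns, svc.get("name"))
                port = svc.get("port", {}).get("number")  # named ports are not resolved here
                where = f"{meta.get('name')} {rule.get('host')}{path.get('path')}"
                if key not in exports:
                    findings.append(f"{where}: no ServiceExport '{key[1]}'")
                if key not in imports:
                    findings.append(f"{where}: no ServiceImport '{key[1]}'")
                elif port not in imports[key]:
                    findings.append(f"{where}: port {port} not in ServiceImport ports {sorted(imports[key])}")
    return findings

def _backend(name, port, path):
    return {"path": path, "pathType": "Prefix",
            "backend": {"service": {"name": name, "port": {"number": port}}}}

# Constructed sample objects (not taken from a real cluster).
SAMPLE = [
    {"kind": "ServiceExport", "metadata": {"name": "serve"}},
    {"kind": "ServiceImport", "metadata": {"name": "serve"},
     "spec": {"type": "ClusterSetIP", "ports": [{"port": 80, "protocol": "TCP"}]}},
    {"kind": "MultiClusterIngress", "metadata": {"name": "demo", "namespace": "default"},
     "spec": {"rules": [{"host": "demo.localdev.me", "http": {"paths": [
         _backend("serve", 80, "/web"), _backend("serve", 8080, "/api"),
         _backend("other", 80, "/x")]}}]}},
]

if __name__ == "__main__":
    for finding in check_mci_backends(SAMPLE):
        print(finding)
```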

V. Verification

  1. Bind the domain name on your local machine:
echo "CLUSTER_INGRESS_IP demo.localdev.me" >> /etc/hosts
  2. Access the service:
curl http://demo.localdev.me/web

The backend service should be reachable.
