Ingress部署流程:
1.部署Ingress
1.1部署ingress-nginx
1.2部署Service
2.部署應用
2.1部署Service與Pod
2.2創(chuàng)建Ingress
在Kubernetes中萍鲸,服務和Pod的IP地址僅在集群內(nèi)部網(wǎng)絡內(nèi)部使用,對于集群的應用是不可見的鲫寄。
為了使外部的應用能夠訪問集群內(nèi)的服務钩述,在Kubernetes目前提供了以下幾種方案:
1)NodePort
2)LoadBalancer
3)Ingress
1)Ingress組成
Ingress 是反向代理規(guī)則,用來規(guī)定 HTTP/S 請求應該被轉(zhuǎn)發(fā)到哪個 Service 上威蕉,比如根據(jù)請求中不同的 Host 和 url 路徑
讓請求落到不同的 Service 上吧寺;
Ingress Controller 就是一個反向代理程序窜管,它負責解析 Ingress 的反向代理規(guī)則,如果 Ingress 有增刪改的變動稚机,
所有的 Ingress Controller 都會及時更新自己相應的轉(zhuǎn)發(fā)規(guī)則幕帆,當 Ingress Controller 收到請求后就會根據(jù)這些規(guī)則
將請求轉(zhuǎn)發(fā)到對應的 Service;
2)Ingress工作原理
1)Ingress controller通過與Kubernetes api進行交互赖条,動態(tài)的感知集群中Ingress規(guī)則的變化失乾;
2)然后讀取它,按照自定義的規(guī)則纬乍,規(guī)則就是寫明了哪個域名對應哪個service碱茁,生成一段nginx配置;
3)再寫到nginx-ingress-controller的pod里仿贬,這個Ingress controller的pod里運行著一個Nginx服務纽竣,
控制器會把生成的nginx配置寫入/etc/nginx.conf文件中;
4)然后reload一下使配置生效诅蝶。以此達到域名分別配置和動態(tài)更新的問題退个;
3) Ingress可以解決什么問題募壕?
1)動態(tài)配置服務
如果是按照傳統(tǒng)方式调炬,當新增加一個服務時,我們可能需要在流量入口部署一臺反向代理服務器指向我們新的K8s服務舱馅,
而如果使用了Ingress缰泡,則只需配置好這個服務,當服務啟動時代嗤,便會自動注冊到Ingress中棘钞,不需要額外的操作;
2)減少不必要的端口映射
配置過k8s的都清楚, 第一步是要關閉防火墻的, 主要原因是k8s的很多服務會以NodePort方式映射出去, 這樣就相當于給宿主機打了很多孔,
既不安全也不優(yōu)雅. 而Ingress可以避免這個問題, 除了Ingress自身服務可能需要映射出去, 其他服務都不用NodePort方式干毅;
Ingress作用:
ingress 僅是用于定義流量轉(zhuǎn)發(fā)和調(diào)度的通用格式的配置信息宜猜,
它們需要轉(zhuǎn)換為特定的具有http協(xié)議轉(zhuǎn)發(fā)的和調(diào)度功能的應用程序(如nginx、haproxy硝逢、traefik等)
的配置文件姨拥,并由響應 的應用程序生成響應的配置文件完成流量轉(zhuǎn)發(fā)。
1.部署ingress-nginx
[16:57:13root@k8s-master-1 ~/nfs/lk/nginx-ingress]#cat ingress-nginx-controller.yaml
apiVersion: v1
kind: Namespace
metadata:
name: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
name: nginx-configuration
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
name: tcp-services
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
name: udp-services
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: nginx-ingress-serviceaccount
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: nginx-ingress-clusterrole
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- "extensions"
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- "extensions"
resources:
- ingresses/status
verbs:
- update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: nginx-ingress-role
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
# Defaults to "<election-id>-<ingress-class>"
# Here: "<ingress-controller-leader>-<nginx>"
# This has to be adapted if you change either parameter
# when launching the nginx-ingress-controller.
- "ingress-controller-leader-nginx"
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: nginx-ingress-role-nisa-binding
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: nginx-ingress-role
subjects:
- kind: ServiceAccount
name: nginx-ingress-serviceaccount
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: nginx-ingress-clusterrole-nisa-binding
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nginx-ingress-clusterrole
subjects:
- kind: ServiceAccount
name: nginx-ingress-serviceaccount
namespace: ingress-nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-ingress-controller
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
template:
metadata:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
annotations:
prometheus.io/port: "10254"
prometheus.io/scrape: "true"
spec:
serviceAccountName: nginx-ingress-serviceaccount
containers:
- name: nginx-ingress-controller
image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.24.1
args:
- /nginx-ingress-controller
- --configmap=$(POD_NAMESPACE)/nginx-configuration
- --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
- --udp-services-configmap=$(POD_NAMESPACE)/udp-services
- --publish-service=$(POD_NAMESPACE)/ingress-nginx
- --annotations-prefix=nginx.ingress.kubernetes.io
securityContext:
allowPrivilegeEscalation: true
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
# www-data -> 33
runAsUser: 33
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
ports:
- name: http
containerPort: 80
- name: https
containerPort: 443
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 10
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 10
2.部署Service
[16:58:27root@k8s-master-1 ~/nfs/lk/nginx-ingress]#cat ingress-svc.yaml
apiVersion: v1
kind: Service
metadata:
name: ingress
namespace: ingress-nginx
spec:
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
ports:
- name: http
port: 80
nodePort: 40080
- name: https
port: 443
nodePort: 40443
type: NodePort
注釋:此時已部署完ingress-nginx-controller渠鸽,具有7層代理功能
3.部署Pod與Service
[16:58:48root@k8s-master-1 ~/nfs/lk/nginx-ingress]#cat nginx.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
namespace: kevin
spec:
replicas: 2
selector:
matchLabels:
app: nginx
rel: beta
template:
metadata:
namespace: kevin
labels:
app: nginx
rel: beta
spec:
containers:
- name: myapp
image: nginx:alpine
---
apiVersion: v1
kind: Service
metadata:
name: nginx
namespace: kevin
spec:
selector:
app: nginx
rel: beta
ports:
- name: http
port: 80
targetPort: 80
4.創(chuàng)建Ingress
[16:58:30root@k8s-master-1 ~/nfs/lk/nginx-ingress]#cat myapp-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: nginx
namespace: kevin
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
kubernetes.io/ingress.class: "nginx"
spec:
rules:
- host: www.kevinxxx.com
http:
paths:
- path: /
backend:
serviceName: nginx
servicePort: 80
[17:06:08root@k8s-master-1 ~/nfs/lk/nginx-ingress]#kubectl get pods -n ingress-nginx
NAME READY STATUS RESTARTS AGE
nginx-ingress-controller-59b9f5d675-v758z 1/1 Running 0 65m
[17:08:20root@k8s-master-1 ~/nfs/lk/nginx-ingress]#kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress NodePort 10.66.113.207 <none> 80:40080/TCP,443:40443/TCP 64m
[17:08:26root@k8s-master-1 ~/nfs/lk/nginx-ingress]#kubectl get pod -n kevin -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-5db4499c6c-2wl4r 1/1 Running 0 23m 10.80.0.232 k8s-master-1 <none> <none>
nginx-5db4499c6c-7zlpf 1/1 Running 0 23m 10.80.2.32 k8s-node-1 <none> <none>
[17:08:31root@k8s-master-1 ~/nfs/lk/nginx-ingress]#kubectl get svc -n kevin
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
nginx ClusterIP 10.66.17.91 <none> 80/TCP 23m
[17:08:37root@k8s-master-1 ~/nfs/lk/nginx-ingress]#kubectl get ingress -n kevin
NAME CLASS HOSTS ADDRESS PORTS AGE
nginx <none> www.kevinxxx.com 80 55m
[17:08:42root@k8s-master-1 ~/nfs/lk/nginx-ingress]#kubectl describe ingress -n kevin
Name: nginx
Namespace: kevin
Address:
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
Host Path Backends
---- ---- --------
www.kevinxxx.com
/ nginx:80 (10.80.0.232:80,10.80.2.32:80)
Annotations: kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/rewrite-target: /
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 55m nginx-ingress-controller Ingress kevin/nginx
image.png
image.png
