k8s - ingress 的理解和实践
Ingress translates as entry, right of entry, intake; more precisely it is the entrance, the gate that external traffic must pass through to get into the k8s cluster. What does this gate actually do? How do we use Ingress? And how does k8s do service discovery? Let us start with a diagram:
OK. Ingress can do something a NodePort Service cannot: route different web URLs to the Services of different Pods.
Now let's deploy. Following what I found online, download the following two yaml files (the paths differ a little from the ones online because the project moved the original files):
https://github.com/kubernetes/ingress-nginx/blob/master/deploy/static/mandatory.yaml
https://github.com/kubernetes/ingress-nginx/blob/master/deploy/baremetal/service-nodeport.yaml
After downloading them I ran kubectl apply -f mandatory.yaml and service-nodeport.yaml and found they were JSON files, so I went to the links, copied the raw YAML source, copied it onto the server, ran apply and it succeeded.
[root@k8s-master script]# kubectl apply -f mandatory.yaml
namespace/ingress-nginx created
configmap/nginx-configuration created
configmap/tcp-services created
configmap/udp-services created
serviceaccount/nginx-ingress-serviceaccount created
clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole created
role.rbac.authorization.k8s.io/nginx-ingress-role created
rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding created
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding created
deployment.apps/nginx-ingress-controller created
[root@k8s-master script]# kubectl get pod -n ingress-nginx -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-ingress-controller-568867bf56-6tvzv 1/1 Running 0 2m30s 10.244.1.17 k8s-node <none> <none>
### The created svc shows that the ingress-nginx service is mapped on the host to ports 30239 (http) and 30949 (https)
[root@k8s-master script]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.1.13.222 <none> 80:30239/TCP,443:30949/TCP 34s
2. Verification
2.1 Create the svc and its backend deployment
[root@k8s-master01 ingress-master]# cat test-ingress-pods.yml
apiVersion: v1
kind: Service
metadata:
  name: myapp-svc
  namespace: default
spec:
  selector:
    app: myapp
    env: test
  ports:
  - name: http
    port: 80
    targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-test
spec:
  replicas: 2
  selector:
    matchLabels:
      app: myapp
      env: test
  template:
    metadata:
      labels:
        app: myapp
        env: test
    spec:
      containers:
      - name: myapp
        image: nginx:1.15-alpine
        ports:
        - name: httpd
          containerPort: 80
## Check the pod deployment
[root@k8s-master script]# kubectl get pods
NAME READY STATUS RESTARTS AGE
myapp-test-d84885678-7hzhj 1/1 Running 0 4m7s
myapp-test-d84885678-v959h 1/1 Running 0 4m7s
## Check the svc
[root@k8s-master script]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.1.13.222 <none> 80:30239/TCP,443:30949/TCP 43m
kubernetes ClusterIP 10.1.0.1 <none> 443/TCP 6d2h
myapp-svc ClusterIP 10.1.235.146 <none> 80/TCP 4m23s
2.2 Create the ingress rule
## The ingress rule must name the svc that is to be bound and exposed
[root@k8s-master01 ingress-master]# cat test-ingress-myapp.yml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: www.shp.com
    http:
      paths:
      - path:
        backend:
          serviceName: myapp-svc
          servicePort: 80
[root@k8s-master script]# kubectl apply -f test-ingress-myapp.yml
ingress.extensions/ingress-myapp created
[root@k8s-master script]# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
ingress-myapp www.shp.com 80 42s
2.3 Configure hosts resolution on the host
## Resolving the name to any one of the node hosts works here
Then open http://www.shp.com:30239 in the host's browser; the randomly assigned nodePort through which the svc is mapped onto the host has to be appended to the URL.
[root@k8s-master script]# kubectl describe ingress ingress-myapp
Name: ingress-myapp
Namespace: default
Address:
Default backend: default-http-backend:80 (<none>)
Rules:
Host Path Backends
---- ---- --------
www.shp.com
myapp-svc:80 (10.244.1.27:80,10.244.1.28:80)
Annotations:
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx"},"name":"ingress-myapp","namespace":"default"},"spec":{"rules":[{"host":"www.shp.com","http":{"paths":[{"backend":{"serviceName":"myapp-svc","servicePort":80},"path":null}]}}]}}
kubernetes.io/ingress.class: nginx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 38m nginx-ingress-controller Ingress default/ingress-myapp
------
Now go into the container and see whether nginx has picked up the rule:
[root@k8s-master script]# kubectl exec -n ingress-nginx -it nginx-ingress-controller-568867bf56-6tvzv bash
www-data@nginx-ingress-controller-568867bf56-6tvzv:/etc/nginx$ cat nginx.conf
## start server www.shp.com
server {
    server_name www.shp.com ;
    listen 80 ;
    listen 443 ssl http2 ;
    set $proxy_upstream_name "-";
    ssl_certificate_by_lua_block {
        certificate.call()
    }
    location / {
        set $namespace "default";
        set $ingress_name "ingress-myapp";
        set $service_name "myapp-svc";
        set $service_port "80";
        set $location_path "/";
I tested it and found that curl www.shp.com was refused, so the page cannot be opened; let's look into it and change something.
It turned out that port 80 is not exposed, so modify mandatory.yaml as follows (the part that was marked in red):
[root@k8s-master script]# cat mandatory.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: tcp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: udp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses/status
    verbs:
      - update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "<election-id>-<ingress-class>"
      # Here: "<ingress-controller-leader>-<nginx>"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
    spec:
      # wait up to five minutes for the drain of connections
      terminationGracePeriodSeconds: 300
      serviceAccountName: nginx-ingress-serviceaccount
      # The line added here (the one marked in red; it is not in the upstream
      # manifest): the pod shares the node's network namespace, so nginx binds
      # ports 80/443 (and the 10254 metrics port) on the node itself, reachable
      # on every interface of that node without going through the NodePort svc.
      hostNetwork: true
      nodeSelector:
        kubernetes.io/os: linux
      containers:
        - name: nginx-ingress-controller
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.26.1
          args:
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx
            - --annotations-prefix=nginx.ingress.kubernetes.io
          securityContext:
            allowPrivilegeEscalation: true
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            # www-data -> 33
            runAsUser: 33
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
---
Then apply again:
root@k8s-master script]# kubectl apply -f mandatory.yaml
namespace/ingress-nginx unchanged
configmap/nginx-configuration unchanged
configmap/tcp-services unchanged
configmap/udp-services unchanged
serviceaccount/nginx-ingress-serviceaccount unchanged
clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole unchanged
role.rbac.authorization.k8s.io/nginx-ingress-role unchanged
rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding unchanged
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding unchanged
deployment.apps/nginx-ingress-controller configured
[root@k8s-master script]# kubectl apply -f test-ingress-pods.yaml
service/myapp-svc unchanged
deployment.apps/myapp-test unchanged
[root@k8s-master script]# kubectl apply -f test-ingress-myapp.yml
ingress.extensions/ingress-myapp configured
Now look at how the ingress controller has changed:
[root@k8s-master script]# kubectl get pod -n ingress-nginx
NAME READY STATUS RESTARTS AGE
nginx-ingress-controller-568867bf56-6tvzv 1/1 Terminating 2 20h
nginx-ingress-controller-5bbd46cd86-mwrjz 1/1 Running 0 15s
The old pod is terminating, which is good; let's look:
[root@k8s-master script]# kubectl get pod -n ingress-nginx -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-ingress-controller-5bbd46cd86-mwrjz 1/1 Running 0 2m22s 192.168.122.61 k8s-node <none> <none>
Now the ingress pod's IP has become the node's IP; test again:
[root@k8s-master script]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.1.13.222 <none> 80:30239/TCP,443:30949/TCP 20h
[root@k8s-master script]# curl 192.168.122.61 30239
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>openresty/1.15.8.2</center>
</body>
</html>
Test succeeded! The 404 is the controller's default backend answering: the request went to the node IP with no www.shp.com Host header, so no Ingress rule matched; the point is that port 80 on the node now responds instead of refusing the connection.
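Why curl by node IP gets a 404 while www.shp.com reaches the two pods that kubectl describe ingress listed: the Python below, an added example and not code from the post, replays the controller's Ingress -> Service -> Pod resolution over the page's own objects (the env: prod pod is constructed to show a pod the selector skips).

```python
# Added example, not code from the post: a model of how the nginx ingress controller
# resolves a request on this page's objects:
#   Ingress rule (host/path) -> Service (by name) -> Pods (by label selector)
# The dicts are the page's manifests and `kubectl describe ingress` output reduced
# to Python; the "env: prod" pod is constructed to show a pod the selector skips.
SERVICES = {("default", "myapp-svc"): {"selector": {"app": "myapp", "env": "test"}}}
PODS = [
    {"namespace": "default", "labels": {"app": "myapp", "env": "test"}, "ip": "10.244.1.27"},
    {"namespace": "default", "labels": {"app": "myapp", "env": "test"}, "ip": "10.244.1.28"},
    # constructed: same app label, wrong env -> myapp-svc must not route to it
    {"namespace": "default", "labels": {"app": "myapp", "env": "prod"}, "ip": "10.244.1.99"},
]
INGRESSES = [{"namespace": "default", "name": "ingress-myapp",
              "rules": [{"host": "www.shp.com",
                         "paths": [{"path": None, "serviceName": "myapp-svc", "servicePort": 80}]}]}]


def select_endpoints(namespace, service_name, pods=PODS):
    """Pods backing a Service: same namespace, every selector key/value present."""
    selector = SERVICES[(namespace, service_name)]["selector"]
    return [p["ip"] for p in pods
            if p["namespace"] == namespace
            and all(p["labels"].get(k) == v for k, v in selector.items())]


def route(host_header, path, ingresses=INGRESSES, pods=PODS):
    """Return (upstream name, endpoint IPs) the controller would proxy to.

    nginx matches server_name against the Host header without its port, so
    'www.shp.com:30239' (the browser URL on the page) still hits the rule.
    A request without a matching host (curl by node IP) falls through to the
    default backend, which is what produced the 404 Not Found on the page."""
    host = host_header.rsplit(":", 1)[0].lower()
    for ing in ingresses:
        for rule in ing["rules"]:
            if rule["host"] != host:
                continue
            for p in rule["paths"]:
                prefix = p["path"] or "/"  # empty `path:` in the manifest becomes location /
                if path.startswith(prefix):
                    # ingress-nginx names upstreams <namespace>-<service>-<port>
                    upstream = f'{ing["namespace"]}-{p["serviceName"]}-{p["servicePort"]}'
                    return upstream, select_endpoints(ing["namespace"], p["serviceName"], pods)
    return "upstream-default-backend", []
```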