I. Ingress overview
A Pod IP and a Service IP are only reachable from inside the cluster. To reach a service provided by Kubernetes from outside the cluster you can use NodePort, proxy, LoadBalancer or Ingress. Because the Service IP cannot be reached from outside the cluster, Ingress adds one more layer of proxying: the Ingress proxies the Service, and the Service proxies the Pods.
II. Ingress architecture diagram
III. Deploying ingress-nginx
1. Download the nginx-ingress-controller manifest
```bash
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.44.0/deploy/static/provider/baremetal/deploy.yaml
```
2. Change the image reference
```
[root@k8s-master ~]$ vi deploy.yaml
......
          image: k8s.gcr.io/ingress-nginx/controller:v0.44.0@sha256:3dd0fac48073beaca2d67a78c746c7593f9c575168a17139a9955a82c63c4b9a
......
```
Change it to the following (drop the trailing `@...` part; otherwise the Pod cannot start even if the image has already been pulled to the node):
```
......
          image: k8s.gcr.io/ingress-nginx/controller:v0.44.0
......
```
3. Apply the manifest
```
[root@k8s-master ~]$ kubectl apply -f deploy.yaml
```
Note: the new version already includes the service-nodeport manifest, so NodePort is the default way the service is exposed externally; applying this single yaml file is enough.
4. Check the status of the ingress-nginx components
```
[root@k8s-master ~]# kubectl get pod -n ingress-nginx
NAME                                        READY   STATUS      RESTARTS   AGE
ingress-nginx-admission-create-rr5dd        0/1     Completed   0          5m49s
ingress-nginx-admission-patch-ncp76         0/1     Completed   0          5m49s
ingress-nginx-controller-64dcb8c779-w5tq9   1/1     Running     0          5m49s
```
5. Check the ports exposed by the ingress Service that was created
```
[root@k8s-master ~]# kubectl get svc -n ingress-nginx
NAME                                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx-controller             NodePort    10.111.241.155   <none>        80:31313/TCP,443:31556/TCP   4m35s
ingress-nginx-controller-admission   ClusterIP   10.110.27.94     <none>        443/TCP                      4m35s
```
At this point, ingress-nginx has been deployed into the Kubernetes environment.
IV. Create the nginx and tomcat backend example services
1. Create the Deployment and Service yaml file
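Dropping the `@sha256:...` suffix makes the image pullable, but it also discards the digest pin that the upstream manifest provides. The helper below, added here and not part of the original post, makes the same edit programmatically while keeping the digest, so the image actually pulled on the node can be compared against it (for example against a `RepoDigests` entry from `docker image inspect`). The deploy.yaml excerpt is constructed around the image line shown above.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of deploy.yaml; the image line is the one from the post.
SAMPLE_DEPLOY = """\
    spec:
      containers:
        - name: controller
          image: k8s.gcr.io/ingress-nginx/controller:v0.44.0@sha256:3dd0fac48073beaca2d67a78c746c7593f9c575168a17139a9955a82c63c4b9a
          imagePullPolicy: IfNotPresent
"""
IMAGE_LINE = re.compile(r"^(?P<prefix>\s*-?\s*image:\s*)(?P<ref>\S+)\s*$")
DIGEST = re.compile(r"sha256:[0-9a-f]{64}")


def split_image_ref(ref: str) -> Tuple[str, str]:
    """'registry/repo:tag@sha256:<hex>' -> ('registry/repo:tag', 'sha256:<hex>').
    A reference without a digest returns '' as the digest; a malformed digest is
    rejected instead of being silently handed to the kubelet."""
    name, sep, digest = ref.partition("@")
    if sep and not DIGEST.fullmatch(digest):
        raise ValueError(f"malformed digest in image reference: {ref}")
    return name, digest


def strip_digests(manifest: str) -> Tuple[str, Dict[str, str]]:
    """Rewrite every image line to the tag-only form (the edit made in step 2) and
    also return {tagged name: digest} so the pin is kept for later verification."""
    expected: Dict[str, str] = {}
    lines: List[str] = []
    for line in manifest.splitlines():
        m = IMAGE_LINE.match(line)
        if m:
            name, digest = split_image_ref(m.group("ref"))
            if digest:
                expected[name] = digest
                line = m.group("prefix") + name
        lines.append(line)
    return "\n".join(lines) + "\n", expected


def digest_matches(repo_digest: str, expected: str) -> bool:
    """repo_digest is one RepoDigests entry ('k8s.gcr.io/.../controller@sha256:...')
    as reported by the container runtime on the node after the pull."""
    return split_image_ref(repo_digest)[1] == expected
```

Run `strip_digests` over the downloaded deploy.yaml, apply the rewritten text, and after the pull feed each node's `RepoDigests` entry to `digest_matches` together with the saved digest.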
```
[root@k8s-master ~]$ vi app-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx-app
  template:
    metadata:
      labels:
        app: nginx-app
    spec:
      containers:
      - name: nginx
        imagePullPolicy: Always
        image: nginx
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  namespace: default
spec:
  selector:
    app: nginx-app
  ports:
  - name: nginx-port
    port: 80
    targetPort: 80
    protocol: TCP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deployment
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: tomcat-app
  template:
    metadata:
      labels:
        app: tomcat-app
    spec:
      containers:
      - name: tomcat
        imagePullPolicy: Always
        image: tomcat:8.5-jre10-slim
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: tomcat-service
  namespace: default
spec:
  selector:
    app: tomcat-app
  ports:
  - name: tomcat-port
    port: 8080
    targetPort: 8080
    protocol: TCP
```
2. Apply the yaml file to create the services and check that they are ready
```
[root@k8s-master ~]$ kubectl apply -f app-deployment.yaml
deployment.apps/nginx-deployment created
service/nginx-service created
deployment.apps/tomcat-deployment created
service/tomcat-service created
```
```
[root@k8s-master ~]# kubectl get pod,svc -o wide
NAME                                     READY   STATUS    RESTARTS   AGE     IP           NODE         NOMINATED NODE   READINESS GATES
pod/nginx-deployment-6f7d8d4d55-6srsk    1/1     Running   0          9m25s   10.244.1.6   k8s-node01   <none>           <none>
pod/nginx-deployment-6f7d8d4d55-vmpxm    1/1     Running   0          9m25s   10.244.2.6   k8s-node02   <none>           <none>
pod/tomcat-deployment-779799d5df-jt8kf   1/1     Running   0          8m42s   10.244.1.7   k8s-node01   <none>           <none>
pod/tomcat-deployment-779799d5df-t5t9p   1/1     Running   0          8m42s   10.244.2.7   k8s-node02   <none>           <none>

NAME                     TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE     SELECTOR
service/kubernetes       ClusterIP   10.96.0.1        <none>        443/TCP    18h     <none>
service/nginx-service    ClusterIP   10.111.156.166   <none>        80/TCP     9m25s   app=nginx-app
service/tomcat-service   ClusterIP   10.101.78.249    <none>        8080/TCP   8m42s   app=tomcat-app
```
V. Create an Ingress rule for HTTP access
1. Create the yaml file for an HTTP Ingress rule
```
[root@k8s-master ~]# vi ingress-http.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-http
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: nginx.mytest.org
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-service
            port:
              number: 80
  - host: tomcat.mytest.org
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: tomcat-service
            port:
              number: 8080
```
2. Apply the yaml file and inspect the created Ingress rule
```
[root@k8s-master ~]# kubectl apply -f ingress-http.yaml
ingress.networking.k8s.io/ingress-http created
[root@k8s-master ~]# kubectl get ingress
NAME           CLASS    HOSTS                                ADDRESS          PORTS   AGE
ingress-http   <none>   nginx.mytest.org,tomcat.mytest.org   172.21.204.110   80      2m18s
[root@k8s-master ~]# kubectl describe ingress ingress-http
Name:             ingress-http
Namespace:        default
Address:          172.21.204.111
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host               Path  Backends
  ----               ----  --------
  nginx.mytest.org   /     nginx-service:80 (10.244.1.6:80,10.244.2.6:80)
  tomcat.mytest.org  /     tomcat-service:8080 (10.244.1.7:8080,10.244.2.7:8080)
Annotations:         nginx.ingress.kubernetes.io/rewrite-target: /
Events:
  Type    Reason  Age                    From                      Message
  ----    ------  ----                   ----                      -------
  Normal  Sync    8m36s (x2 over 9m24s)  nginx-ingress-controller  Scheduled for sync
```
3. Inspect the configuration the controller rendered into nginx.conf for this ingress
```
[root@k8s-master ~]# kubectl exec -it -n ingress-nginx ingress-nginx-controller-64dcb8c779-w5tq9 /bin/sh
$ cat nginx.conf
......
    ## start server nginx.mytest.org
    server {
        server_name nginx.mytest.org ;
        listen 80  ;
        listen 443  ssl http2 ;
        set $proxy_upstream_name "-";
        ssl_certificate_by_lua_block {
            certificate.call()
        }
        location / {
            set $namespace      "default";
            set $ingress_name   "ingress-http";
            set $service_name   "nginx-service";
            set $service_port   "80";
            set $location_path  "/";
            set $global_rate_limit_exceeding n;
......
```
4. Configure name resolution outside the cluster; in this test environment we use the Windows hosts file
```
172.21.204.110 nginx.mytest.org
172.21.204.110 tomcat.mytest.org
```
5. Access via the domain name (domain name + ingress Service NodePort)
http://nginx.mytest.org:31313/
http://tomcat.mytest.org:31313/
VI. Create an Ingress rule for HTTPS access
1. Create a self-signed certificate for each domain (in production, just use a purchased certificate)
```bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout nginx_tls.key -out nginx_tls.crt -subj "/CN=nginx.mytest.org/O=nginx.mytest.org"
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tomcat_tls.key -out tomcat_tls.crt -subj "/CN=tomcat.mytest.org/O=tomcat.mytest.org"
```
2. Create a TLS Secret for each certificate (two methods)
Method one: create the TLS Secret from the command line
```bash
kubectl create secret tls nginx-tls-secret --cert=/root/nginx_tls.crt --key=/root/nginx_tls.key
kubectl create secret tls tomcat-tls-secret --cert=/root/tomcat_tls.crt --key=/root/tomcat_tls.key
```
Method two: create the TLS Secret from a yaml file
```
[root@k8s-master ~]# vi nginx-tls-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: nginx-tls-secret
  namespace: default
type: kubernetes.io/tls
data:
  tls.crt: <base64-encoded cert>
  tls.key: <base64-encoded key>
[root@k8s-master ~]# vi tomcat-tls-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: tomcat-tls-secret
  namespace: default
type: kubernetes.io/tls
data:
  tls.crt: <base64-encoded cert>
  tls.key: <base64-encoded key>
```
3. Create the yaml file for an HTTPS Ingress rule
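For method two the `data` fields must hold the entire PEM file, standard base64-encoded on a single line (the same thing `kubectl create secret tls` produces). The script below, added here and not part of the original post, builds the manifest from the certificate and key files created in step 1 and rejects the usual mistakes: cert and key swapped, a passphrase-protected key, or a truncated file. The sample PEM strings are constructed stand-ins, not real certificates.

```python
import base64
import re
import sys

CERT_HEADER = "-----BEGIN CERTIFICATE-----"
KEY_HEADERS = ("-----BEGIN PRIVATE KEY-----",      # PKCS#8, what openssl req -nodes writes
               "-----BEGIN RSA PRIVATE KEY-----",  # legacy PKCS#1
               "-----BEGIN EC PRIVATE KEY-----")
# Constructed stand-ins for nginx_tls.crt / nginx_tls.key; real files are much longer.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEconstructed\n-----END PRIVATE KEY-----\n"

def check_pem(pem: str, headers) -> None:
    """Catch the usual mistakes before the Secret reaches the cluster: cert and key
    swapped, a passphrase-protected key (nginx cannot load it without a passphrase),
    or a truncated file."""
    first = pem.lstrip().split("\n", 1)[0]
    if first not in headers:
        raise ValueError(f"expected one of {headers}, got {first!r}")
    if "ENCRYPTED" in pem:
        raise ValueError("private key must not be passphrase-protected")
    if "-----END" not in pem:
        raise ValueError("PEM block is truncated")

def tls_secret_manifest(name: str, cert_pem: str, key_pem: str, namespace: str = "default") -> str:
    """Same shape as 'kubectl create secret tls ... --dry-run=client -o yaml'."""
    check_pem(cert_pem, (CERT_HEADER,))
    check_pem(key_pem, KEY_HEADERS)
    enc = lambda s: base64.b64encode(s.encode()).decode()   # standard alphabet, one line
    return (
        "apiVersion: v1\nkind: Secret\n"
        f"metadata:\n  name: {name}\n  namespace: {namespace}\n"
        "type: kubernetes.io/tls\n"
        f"data:\n  tls.crt: {enc(cert_pem)}\n  tls.key: {enc(key_pem)}\n"
    )

def decode_field(manifest: str, field: str) -> str:
    """Read one data field back; a round trip proves the encoding is right."""
    m = re.search(rf"^  {re.escape(field)}: (\S+)$", manifest, re.M)
    if not m:
        raise KeyError(field)
    return base64.b64decode(m.group(1)).decode()

if __name__ == "__main__":  # python3 make_tls_secret.py nginx-tls-secret nginx_tls.crt nginx_tls.key
    name, cert, key = sys.argv[1:4]
    with open(cert) as c, open(key) as k:
        sys.stdout.write(tls_secret_manifest(name, c.read(), k.read()))
```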
```
[root@k8s-master ~]# vi ingress-https.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-https
spec:
  tls:
  - hosts:
    - nginx.mytest.org
    secretName: nginx-tls-secret
  - hosts:
    - tomcat.mytest.org
    secretName: tomcat-tls-secret
  rules:
  - host: nginx.mytest.org
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-service
            port:
              number: 80
  - host: tomcat.mytest.org
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: tomcat-service
            port:
              number: 8080
```
4. Apply the yaml file and inspect the created Ingress rule
```
[root@k8s-master ~]# kubectl apply -f ingress-https.yaml
ingress.networking.k8s.io/ingress-https created
[root@k8s-master ~]# kubectl get ingress
NAME            CLASS    HOSTS                                ADDRESS          PORTS     AGE
ingress-https   <none>   nginx.mytest.org,tomcat.mytest.org   172.21.204.110   80, 443   99s
[root@k8s-master ~]# kubectl describe ingress ingress-https
Name:             ingress-https
Namespace:        default
Address:          172.21.204.111
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
  nginx-tls-secret terminates nginx.mytest.org
  tomcat-tls-secret terminates tomcat.mytest.org
Rules:
  Host               Path  Backends
  ----               ----  --------
  nginx.mytest.org   /     nginx-service:80 (10.244.1.6:80,10.244.2.6:80)
  tomcat.mytest.org  /     tomcat-service:8080 (10.244.1.7:8080,10.244.2.7:8080)
Annotations:         <none>
Events:
  Type    Reason  Age                From                      Message
  ----    ------  ----               ----                      -------
  Normal  Sync    103s (x2 over 114s)  nginx-ingress-controller  Scheduled for sync
```
5. Inspect the configuration the controller rendered into nginx.conf for this ingress
```
[root@k8s-master ~]# kubectl exec -it -n ingress-nginx ingress-nginx-controller-64dcb8c779-w5tq9 /bin/sh
$ cat nginx.conf
......
    ## start server nginx.mytest.org
    server {
        server_name nginx.mytest.org ;
        listen 80  ;
        listen 443  ssl http2 ;
        set $proxy_upstream_name "-";
        ssl_certificate_by_lua_block {
            certificate.call()
        }
        location / {
            set $namespace      "default";
            set $ingress_name   "ingress-http";
            set $service_name   "nginx-service";
            set $service_port   "80";
            set $location_path  "/";
            set $global_rate_limit_exceeding n;
......
```
6. Configure name resolution outside the cluster; in this test environment we use the Windows hosts file
```
172.21.204.110 nginx.mytest.org
172.21.204.110 tomcat.mytest.org
```
7. Access via the domain name (domain name + ingress Service NodePort)
https://nginx.mytest.org:31556/
https://tomcat.mytest.org:31556
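The hosts-file entries in steps 4 to 7 above (and in the HTTP section) exist only so that the browser sends the ingress hostname as the `Host` header and TLS SNI name when it connects to the NodePort. The script below, added here and not part of the original post, does the same from any machine without editing the hosts file, and verifies the self-signed certificate against the `.crt` file from step 1 instead of switching verification off. NODE_IP and the two NodePorts are the values shown earlier on this page.

```python
import http.client
import socket
import ssl
from typing import Optional, Tuple

NODE_IP = "172.21.204.110"        # any node running kube-proxy answers on a NodePort
HTTP_NODEPORT, HTTPS_NODEPORT = 31313, 31556


def tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Trust the self-signed certificate explicitly rather than disabling checks;
    hostname verification stays on, so the SNI name must match the cert's CN/SAN."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    return ctx


class ResolvedHTTPSConnection(http.client.HTTPSConnection):
    """Equivalent of 'curl --resolve': TCP goes to NODE_IP, while SNI and the Host
    header carry the ingress hostname that nginx selects the server block on."""
    def connect(self) -> None:
        raw = socket.create_connection((NODE_IP, self.port), self.timeout)
        self.sock = self._context.wrap_socket(raw, server_hostname=self.host)


def probe(host: str, cafile: Optional[str] = None, path: str = "/") -> Tuple[int, str]:
    """GET `path` for `host`: HTTPS through the 443 NodePort when a CA file is given,
    otherwise plain HTTP through the 80 NodePort. Returns (status, Server header)."""
    if cafile:
        conn = ResolvedHTTPSConnection(host, HTTPS_NODEPORT, context=tls_context(cafile), timeout=5)
        conn.request("GET", path)                             # Host header derived from `host`
    else:
        conn = http.client.HTTPConnection(NODE_IP, HTTP_NODEPORT, timeout=5)
        conn.request("GET", path, headers={"Host": host})     # explicit Host selects the rule
    resp = conn.getresponse()
    return resp.status, resp.getheader("Server", "")


if __name__ == "__main__":
    print(probe("nginx.mytest.org"))
    print(probe("tomcat.mytest.org"))
    print(probe("nginx.mytest.org", cafile="nginx_tls.crt"))
    print(probe("tomcat.mytest.org", cafile="tomcat_tls.crt"))
```

A request with an unknown Host, or with a certificate file that does not match the SNI name, fails at the ingress or at the TLS handshake respectively, which is the quickest way to confirm that each rule and each Secret is wired to the right hostname.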