k8s之ingress及ingress controller

2019-09-20 19:05:34 阅读：277 来源： 互联网

标签：ingress name nginx controller myapp 80 k8s com

原文链接：https://www.cnblogs.com/fawaikuangtu123/p/11030993.html

1.ingress概述

图解:第一个service起到的作用是:引入外部流量,也可以不用此方式,以DaemonSet控制器的方式让Pod共享节点网络,第二个service的作用是:对后端pod分组,不被调度时使用,如果后端pod发生变动,则ingress就会将变动信息注入到,ingress controller管理的7层负载nginx的配置文件中.

2.部署

wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml

kubectl apply -f mandatory.yaml

# 之前还有个default-http-backend,现在只运行一个pod

kubectl get pods -n ingress-nginx

NAME READY STATUS RESTARTS AGE

nginx-ingress-controller-689498bc7c-sm972 1/1 Running 0 45s

# nginx-ingress-controller部署在node1上,一个deployment控制器,一个replicaset,一个pod.

# 接下来还需要部署一个service-nodeport服务,才能实现把集群外部流量接入到集群中来.

wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/baremetal/service-nodeport.yaml

# 为了不让service nodeport自动分配端口,需要手动指定nodeport

cat service-nodeport.yaml

apiVersion: v1

kind: Service

metadata:

name: ingress-nginx

namespace: ingress-nginx

labels:

app.kubernetes.io/name: ingress-nginx

app.kubernetes.io/part-of: ingress-nginx

spec:

type: NodePort

ports:

- name: http

port: 80

targetPort: 80

nodePort: 30080

protocol: TCP

- name: https

port: 443

targetPort: 443

protocol: TCP

nodePort: 30443

selector:

app.kubernetes.io/name: ingress-nginx

app.kubernetes.io/part-of: ingress-nginx

kubectl apply -f service-nodeport.yaml

kubectl get svc -n ingress-nginx

NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE

ingress-nginx NodePort 10.102.228.59 <none> 80:30080/TCP,443:30443/TCP 31s

3.定义后端分组service:myapp-svc

cat myapp-svc-headless.yaml

apiVersion: v1

kind: Service

metadata:

name: myapp-svc

namespace: default

spec:

selector:

app: myapp

release: canary

clusterIP: "None"

ports:

- port: 80

targetPort: 80

---

apiVersion: apps/v1

kind: Deployment

metadata:

name: myapp-deploy

namespace: default

spec:

replicas: 2

selector:

matchLabels:

app: myapp

release: canary

template:

metadata:

labels:

app: myapp

release: canary

spec:

containers:

- name: myapp

image: ikubernetes/myapp:v1

ports:

- name: http

containerPort: 80

# 创建pod时,用nodeSelector可实现精准分布

kubectl apply -f myapp-svc-headless.yaml

kubectl get svc

NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE

kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 13d

myapp-svc ClusterIP None <none> 80/TCP 29m

# 通过Ingress把myapp-svc发布出去

cat ingress-myapp.yaml

apiVersion: extensions/v1beta1

kind: Ingress

metadata:

name: ingress-myapp

namespace: default

annotations:

kubernetes.io/ingress.class: "nginx"

spec:

rules:

- host: myapp.lixiang.com

http:

paths:

- path:

backend:

serviceName: myapp-svc

servicePort: 80

namespace要和deployment和要发布的service处于同一个名称空间

annotations:说明我们要用到的ingress-controller是nginx,而不是Traefik、Envoy

host:表示访问这个域名,就会转发到后端myapp-deploy管理的pod上

kubectl apply -f ingress-myapp.yaml

kubectl get ingress

NAME HOSTS ADDRESS PORTS AGE

ingress-myapp myapp.lixiang.com 80 5m34s

# 进入交互式命令行

kubectl exec -n ingress-nginx -it nginx-ingress-controller-689498bc7c-sm972 -- /bin/sh

$ cat nginx.conf

## start server myapp.lixiang.com

server {

server_name myapp.lixiang.com ;

listen 80;

location / {

set $namespace "default";

set $ingress_name "ingress-myapp";

set $service_name "myapp-svc";

set $service_port "80";

set $location_path "/";

# ingress一经创建,就将信息注入到nginx-ingress-controller这个pod中,

# 个人感觉ingress像一个监视者、搬运工,nginx-ingress-controller起到反向代理的作用

# 添加一条hosts解析

curl myapp.lixiang.com:30080

Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>

4.使用https访问

# 自签证书

openssl genrsa -out tls.key 2048

openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/O=DevOps/CN=myapp.lixiang.com

# 通过secret把证书注入到pod中

kubectl create secret tls myapp-infress-secret --cert=tls.crt --key=tls.key

cat ingress-myapp.yaml

apiVersion: extensions/v1beta1

kind: Ingress

metadata:

name: ingress-myapp-tls

namespace: default

annotations:

kubernetes.io/ingress.class: "nginx"

spec:

tls:

- hosts:

- myapp.lixiang.com

secretName: myapp-infress-secret

rules:

- host: myapp.lixiang.com

http:

paths:

- path: /

backend:

serviceName: myapp-svc

servicePort: 80

# 进入容器查看配置文件

cat nginx.conf

server {

server_name myapp.lixiang.com ;

listen 80;

listen 443 ssl http2;

curl -k https://myapp.lixiang.com:30443

标签：ingress,name,nginx,controller,myapp,80,k8s,com
来源： https://blog.csdn.net/caohongshuang/article/details/101073775

本站声明： 1. iCode9 技术分享网（下文简称本站）提供的所有内容，仅供技术学习、探讨和分享；
2. 关于本站的所有留言、评论、转载及引用，纯属内容发起人的个人观点，与本站观点和立场无关；
3. 关于本站的所有言论和文字，纯属内容发起人的个人观点，与本站观点和立场无关；
4. 本站文章均是网友提供，不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属；如您发现该文章侵犯了您的权益，可联系我们第一时间进行删除；
5. 本站为非盈利性的个人网站，所有内容不会用来进行牟利，也不会利用任何形式的广告来间接获益，纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。

ICode9

k8s之ingress及ingress controller