在配置以及使用的ingress-nginx 之前应该先了学习并了解k8s的服务发现原理,以及常用的服务器发现规则
提供:https://kubernetes.github.io/ingress-nginx/
https://github.com/kubernetes/ingress-nginx/用于学习了解ingress-nginx内容以及对应k8s的版本情况,建议使用github的地址去下载yaml 文件
在了解了k8s 的通信方式后,最后集群外访问集群内的时候,就需要用ingress 将域名信息或者ip转发到对应服务ip
ingress 可以提供负载均衡、ssl终结基于名称的虚拟托管
一、了解ingress,什么是ingress
Ingress 开放了从集群外部到集群内服务的 HTTP 和 HTTPS 路由,流量路由由 Ingress 资源上定义的规则控制。
Ingress 可为 Service 提供外部可访问的 URL、负载均衡流量、终止 SSL/TLS,以及基于名称的虚拟托管。Ingress 控制器通常负责通过负载均衡器来实现 Ingress,尽管它也可以配置边缘路由器或其他前端来帮助处理流量。
Ingress 不会公开任意端口或协议。将 HTTP 和 HTTPS 以外的服务公开到 Internet 时,通常使用 Service.Type=NodePort 或 Service.Type=LoadBalancer 类型的 Service。
二、ingress yaml文件配置以及优化
[root@k8s-master01 ingress-nginx]# kubelet --version
Kubernetes v1.19.16
由于我的kubernets版本是v1.19.16,根据官网我可用使用 最新的v1.2.1nginx-ingress-controller,
ingress的下载链接如下:
-
国内需要将:对应image 镜像修改为对国内的如:
registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:v1.2.1
registry.cn-hangzhou.aliyuncs.com/google_containers/kube-webhook-certgen:v1.1.1 -
修改Deployment为DaemonSet比较好,因为DaemonSet可以自动为每一台需要安装的机器都安装一份(使用标签控制);
-
Container使用主机网络,对应的dnsPolicy策略也需要改为主机网络的 (dnsPolicy: ClusterFirstWithHostNet)
-
修改Container使用主机网络,直接在主机上开辟 80,443端口,无需中间解析,速度更快 (hostNetwork: true)
-
修改Service为ClusterIP,无需NodePort模式了
-
修改DaemonSet的nodeSelector: ingress-node=true 。这样只需要给node节点打上 ingress-node=true 标签,即可快速的加入/剔除 ingress-controller的数量
优化后的文件下载地址:https://blog.buwo.net/public/jyl-containers/ingress-controller.yaml
二、安装ingress-nginx
自建集群使用裸金属安装方式
2.1 优化ingress的 ymal 文件
需要如下修改:
-
修改ingress-nginx-controller镜像为 registry.cn-hangzhou.aliyuncs.com/google_containers/ingress-nginx-controller:v0.46.0;
-
修改Deployment为DaemonSet比较好,因为DaemonSet可以自动为每一台需要安装的机器都安装一份(使用标签控制);
-
修改Container使用主机网络,直接在主机上开辟 80,443端口,无需中间解析,速度更快;
-
Container使用主机网络,对应的dnsPolicy策略也需要改为主机网络的;
-
修改Service为ClusterIP,无需NodePort模式了;
-
修改DaemonSet的nodeSelector: ingress-node=true 。这样只需要给node节点打上 node-role=ingress 标签,即可快速的加入/剔除 ingress-controller的数量
node-role: ingress #以后只需要给某个node打上这个标签就可以部署ingress-nginx到这个节点上了
2.3 在k8s上部署ingress-nginx
检查k8s 集群master以及node节点80和443端口使用情况
[root@k8s-master01 ingress-nginx]# ss -ntpl|grep 80
[root@k8s-master01 ingress-nginx]# ss -ntpl|grep 443
使用kubectl apply部署对应的yaml文件:
[root@k8s-master01 ingress-nginx]# kubectl apply -f ingress-controller.yaml
namespace/ingress-nginx created
serviceaccount/ingress-nginx created
configmap/ingress-nginx-controller created
clusterrole.rbac.authorization.k8s.io/ingress-nginx created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx created
role.rbac.authorization.k8s.io/ingress-nginx created
rolebinding.rbac.authorization.k8s.io/ingress-nginx created
service/ingress-nginx-controller-admission created
service/ingress-nginx-controller created
daemonset.apps/ingress-nginx-controller created
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission created
serviceaccount/ingress-nginx-admission created
clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
role.rbac.authorization.k8s.io/ingress-nginx-admission created
rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
job.batch/ingress-nginx-admission-create created
job.batch/ingress-nginx-admission-patch created
给需要的node节点上部署ingress-controller:
因为我们使用的是DaemonSet模式,所以理论上会为所有的节点都安装,但是由于我们的selector使用了筛选标签:node-role=ingress ,所以此时所有的node节点都没有被执行安装;
[root@k8s-master01 ingress-nginx]# kubectl get ds -n ingress-nginx
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
ingress-nginx-controller 0 0 0 0 0 node-role=ingress 5m9s
当我们需要为所有的node节点安装ingress-controller的时候,只需要为对应的节点打上标签:node-role=ingress
[root@k8s-master01 ingress-nginx]# kubectl label node k8s-node01 node-role=ingress
[root@k8s-master01 ingress-nginx]# kubectl label node k8s-node02 node-role=ingress
查看k8s 上ingress-nginx的信息
[root@k8s-master01 ingress-nginx]# kubectl get all -n ingress-nginx
NAME READY STATUS RESTARTS AGE
pod/ingress-nginx-admission-create-628r6 0/1 Completed 0 104d
pod/ingress-nginx-admission-patch-w2js2 0/1 Completed 0 104d
pod/ingress-nginx-controller-s6nx6 1/1 Running 4 104d
pod/ingress-nginx-controller-tthn5 1/1 Running 3 104d
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/ingress-nginx-controller ClusterIP 10.97.116.179 <none> 80/TCP,443/TCP 104d
service/ingress-nginx-controller-admission ClusterIP 10.108.175.254 <none> 443/TCP 104d
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
daemonset.apps/ingress-nginx-controller 2 2 2 2 2 node-role=ingress 104d
NAME COMPLETIONS DURATION AGE
job.batch/ingress-nginx-admission-create 1/1 1s 104d
job.batch/ingress-nginx-admission-patch 1/1 1s 104d
[root@k8s-master01 ingress-nginx]# kubectl get pod -n ingress-nginx -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
ingress-nginx-admission-create-628r6 0/1 Completed 0 105d 10.244.58.200 k8s-node02 <none> <none>
ingress-nginx-admission-patch-w2js2 0/1 Completed 0 105d 10.244.58.201 k8s-node02 <none> <none>
ingress-nginx-controller-4ht4c 1/1 Running 0 28m 192.168.232.71 k8s-node01 <none> <none>
ingress-nginx-controller-m5vk4 1/1 Running 0 28m 192.168.232.72 k8s-node02 <none> <none>
三、使用ingress-nginx
下面是一个使用ingress-nginx 代理的damo
#deploy
apiVersion: apps/v1
kind: Deployment
metadata:
name: tomcat-demo
spec:
selector:
matchLabels:
app: tomcat-demo
replicas: 1
template:
metadata:
labels:
app: tomcat-demo
spec:
containers:
- name: tomcat-demo
image: registry.cn-hangzhou.aliyuncs.com/liuyi01/tomcat:8.0.51-alpine
ports:
- containerPort: 8080
---
#service
apiVersion: v1
kind: Service
metadata:
name: tomcat-demo
spec:
ports:
- port: 80
protocol: TCP
targetPort: 8080
selector:
app: tomcat-demo
---
#ingress
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: tomcat-demo
spec:
rules:
- host: http://wxw.jylx.net
http:
paths:
- path: /
backend:
serviceName: tomcat-demo
servicePort: 80
使用kubectl apply部署这个damo
[root@k8s-master01 ingress-nginx]# kubectl apply -f damo.yaml
通过 http://wxw.jylx.net 可以验证
参考文章:https://blog.csdn.net/ouyangzhenxin/article/details/123786857
Comments | NOTHING