利用ingress实现集群外部对kubernetes内部服务的访问

一.基本概念

    由于Pod和Service是kubernetes集群范围内的虚拟概念，所以集群外的客户端系统无法通过Pod的IP地址或者Service的虚拟IP地址和虚拟端口号访问到它们。为了让外部客户端能够访问到这些服务，可以将Pod或Service的端口号映射到宿主机。

    1.将容器应用的端口号映射到物理机

      1）设置容器级别的hostPort，将容器应用的端口号映射到物理机

      2）设置Pod级别的hostNetwork=true，该Pod中所有容器的端口号都将被直接映射到物理机上

    2.将Service的端口号映射到物理机

      1）设置nodePort映射到物理机，同时设置Service的类型为NodePort

      2）设置LoadBalancer映射到云服务商提供的LoadBalancer地址

    如果设置了Service的nodePort，那么集群会在每一个节点都监听设置的nodePort，外部客户端可以通过任意nodeIP:Port的方式对集群服务进行访问。但是当集群中服务较多，那么需要管理的端口也会比较多，各个端口之间不能冲突，比较麻烦；另外，因为方式访问形式为nodeIP:Port的方式，那么对于一些HTTP服务，这种方式是无法做到根据URL路径进行转发的。ingress是kubernetes V1.1版本之后新增的资源对象，用于实现HTTP层业务路由机制。

    实现ingress路由机制主要包括3个组件：

      1）ingress是kubernetes的一个资源对象，用于编写定义规则

      2）反向代理负载均衡器，通常以Service的Port方式运行，接收并按照ingress定义的规则进行转发，通常为nginx，haproxy，traefik等，本文使用nginx

      3）ingress-controller，监听apiserver，获取服务新增，删除等变化，并结合ingress规则动态更新到反向代理负载均衡器上，并重载配置使其生效

二.部署    

    本文使用谷歌提供的nginx-ingress-controller镜像创建ingress-controller，并以Pod+Service方式运行，其中Service使用nodePort方式将80,443端口映射至物理机上

    部署过程中使用到的文档参考：https://github.com/kubernetes/ingress-nginx/tree/master/deploy

    1.下载各所需的yaml文件

curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/namespace.yaml >namespace.yaml
curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/default-backend.yaml>default-backend.yaml
curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/configmap.yaml>configmap.yaml
curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/tcp-services-configmap.yaml>tcp-services-configmap.yaml
curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/udp-services-configmap.yaml > udp-services-configmap.yaml
curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/without-rbac.yaml>without-rbac.yaml
curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/rbac.yaml>rbac.yaml
curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/with-rbac.yaml > with-rbac.yaml
curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/baremetal/service-nodeport.yaml >service-nodeport.yaml

    2.启动上述yaml文件

kubectl create -f namespace.yaml 
kubectl create -f configmap.yaml 
kubectl create -f default-backend.yaml 
kubectl create -f tcp-services-configmap.yaml 
kubectl create -f udp-services-configmap.yaml
kubectl create -f rbac.yaml
kubectl create -f with-rbac.yaml
kubectl create -f service-nodeport.yaml

    上述yaml文件中几乎可以不用修改，仅default-backend.yaml以及with-rbac.yaml两个文件需要简单修改。

    default-backend.yaml文件定义了默认的ingress服务，即客户端访问的URL地址不存在时，默认返回的页面，这个服务使用任何应用实现都可以，只需要能够返回一个404应答，并且提供/healthz路径实现健康检查，另外服务名称需要设置为default-backend-service，因为该镜像中nginx默认通过default-backend-service访问默认backend

    rabc.yaml是kubernetes实现鉴权的方式，本文不做介绍

    with-rbac.yaml文件中定义了一个Deployment，运行ingress-controller；需要注意的是如果修改了yaml文件中使用的镜像，部分参数可能需要更改，这个具体情况具体分析，本文不做说明

    service-nodeport.yaml文件定义了一个服务，并且以nodePort方式监听80以及443端口，为客户端提供访问入口。

    上述文件修改后如下：

nginx-ingress]# cat namespace.yaml 
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  
############################
nginx-ingress]# cat configmap.yaml 
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
  labels:
    app: ingress-nginx

 ##############################    
nginx-ingress]# cat rbac.yaml 
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount
  namespace: ingress-nginx

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
        - events
    verbs:
        - create
        - patch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses/status
    verbs:
      - update

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "-"
      # Here: "-"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get
      - create
      - update

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
    
#############################
nginx-ingress]# cat tcp-services-configmap.yaml 
kind: ConfigMap
apiVersion: v1
metadata:
  name: tcp-services
  namespace: ingress-nginx
  
#############################
nginx-ingress]# cat udp-services-configmap.yaml 
kind: ConfigMap
apiVersion: v1
metadata:
  name: udp-services
  namespace: ingress-nginx
  
#############################
nginx-ingress]# cat service-nodeport.yaml 
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: 80
    nodePort: 80
    protocol: TCP
  - name: https
    port: 443
    targetPort: 443
    nodePort: 443
    protocol: TCP
  selector:
    app: ingress-nginx
    
##############################
nginx-ingress]# cat default-backend.yaml 
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: default-http-backend
  labels:
    app: default-http-backend
  namespace: ingress-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: default-http-backend
  template:
    metadata:
      labels:
        app: default-http-backend
    spec:
      terminationGracePeriodSeconds: 60
      containers:
      - name: default-http-backend
        # Any image is permissible as long as:
        # 1. It serves a 404 page at /
        # 2. It serves 200 on a /healthz endpoint
        #image: gcr.io/google_containers/defaultbackend:1.4
        image: index.tenxcloud.com/google_containers/defaultbackend:1.0 
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 30
          timeoutSeconds: 5
        ports:
        - containerPort: 8080
        resources:
          limits:
            cpu: 10m
            memory: 20Mi
          requests:
            cpu: 10m
            memory: 20Mi
---

apiVersion: v1
kind: Service
metadata:
  name: default-http-backend
  namespace: ingress-nginx
  labels:
    app: default-http-backend
spec:
  ports:
  - port: 80
    targetPort: 8080
  selector:
    app: default-http-backend
    
####################################
nginx-ingress]# cat with-rbac.yaml 
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx 
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ingress-nginx
  template:
    metadata:
      labels:
        app: ingress-nginx
      annotations:
        prometheus.io/port: '10254'
        prometheus.io/scrape: 'true'
    spec:
      serviceAccountName: nginx-ingress-serviceaccount
      containers:
        - name: nginx-ingress-controller
          #image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.15.0
          #image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.2
          image: index.tenxcloud.com/google_containers/nginx-ingress-controller:0.8.3 
          args:
            - /nginx-ingress-controller
            - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
            - --nginx-configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            #- --annotations-prefix=nginx.ingress.kubernetes.io
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
          - name: http
            containerPort: 80
          - name: https
            containerPort: 443
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          securityContext:
            runAsNonRoot: false

三，ingress规则编写

下面是一个简单的例子

nginx-ingress]# cat mytest.yaml 

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    ingress.kubernetes.io/ssl-redirect: "false"  ##关闭强制使用HTTPS的设置
spec:
  rules:
  ## 根据URL路径实现转发，域名为 *
  - http:
      paths:
      - path: /demo
        backend:
          serviceName: mydemo
          servicePort: 8080
      - path: /test
        backend:
          serviceName: mytest
          servicePort: 8080

nginx-ingress]# cat mytest.yaml      
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: pand-ingress
  annotations:
    ingress.kubernetes.io/ssl-redirect: "false"
spec:
  rules:
  ## 根据域名实现转发
  - host: www.mywebsite1.com
    http:
      paths:
      - backend:
          serviceName: mydemo
          servicePort: 8080
  - host: www.mywebsite2.com
    http:
      paths:
      - backend:
          serviceName: mytest
          servicePort: 8080

    创建上述ingress，在客户端配置好域名解析，实现访问