Kubernetes Ingress and Ingress Controllers

1. Overview of Ingress

[Figure 1: Ingress and ingress controller traffic flow]

Explanation of the diagram: the first Service brings external traffic into the cluster. It is optional: the ingress controller Pods can instead be run by a DaemonSet that shares the node's network. The second Service groups the backend Pods; traffic is not forwarded through it. Whenever the backend Pods change, the Ingress pushes the change into the configuration file of the layer-7 load balancer (nginx) managed by the ingress controller.

2. Deployment


wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml
kubectl apply -f mandatory.yaml

# There used to be a default-http-backend as well; now only one pod runs
kubectl get pods -n ingress-nginx
NAME                                        READY   STATUS    RESTARTS   AGE
nginx-ingress-controller-689498bc7c-sm972   1/1     Running   0          45s

# nginx-ingress-controller is deployed on node1: one Deployment, one ReplicaSet, one Pod.
# Next, a NodePort Service is needed so that traffic from outside the cluster can reach it.
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/baremetal/service-nodeport.yaml

# To stop the NodePort Service from being assigned random ports, set nodePort explicitly
cat service-nodeport.yaml
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 80
      nodePort: 30080
      protocol: TCP
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
      nodePort: 30443
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

kubectl apply -f service-nodeport.yaml
kubectl get svc -n ingress-nginx
NAME            TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx   NodePort   10.102.228.59   <none>        80:30080/TCP,443:30443/TCP   31s

3. Define the backend grouping Service: myapp-svc


cat myapp-svc-headless.yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp-svc
  namespace: default
spec:
  selector:
    app: myapp
    release: canary
  clusterIP: "None"
  ports:
  - port: 80
    targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deploy
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v1
        ports:
        - name: http
          containerPort: 80

# When creating the Pods, nodeSelector can be used to place them on specific nodes
kubectl apply -f myapp-svc-headless.yaml
kubectl get svc
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   13d
myapp-svc    ClusterIP   None         <none>        80/TCP    29m

# Publish myapp-svc through an Ingress
cat ingress-myapp.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: myapp.lixiang.com
    http:
      paths:
      - path:
        backend:
          serviceName: myapp-svc
          servicePort: 80

namespace: must be the same namespace as the Deployment and the Service being published.
annotations: states that the ingress controller we want is nginx, not Traefik or Envoy.
host: requests for this domain name are forwarded to the Pods managed by myapp-deploy.

kubectl apply -f ingress-myapp.yaml
kubectl get ingress
NAME            HOSTS               ADDRESS   PORTS   AGE
ingress-myapp   myapp.lixiang.com             80      5m34s

# Open an interactive shell in the controller pod
kubectl exec -n ingress-nginx -it nginx-ingress-controller-689498bc7c-sm972 -- /bin/sh
cat nginx.conf
    ## start server myapp.lixiang.com
    server {
        server_name myapp.lixiang.com ;
        listen 80;
        location / {
            set $namespace      "default";
            set $ingress_name   "ingress-myapp";
            set $service_name   "myapp-svc";
            set $service_port   "80";
            set $location_path  "/";

# As soon as the Ingress is created, its information is injected into the nginx-ingress-controller pod.
# Personally, the Ingress feels like a watcher and courier, while nginx-ingress-controller acts as the reverse proxy.
# Add a hosts entry for myapp.lixiang.com
curl myapp.lixiang.com:30080
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>

4. Access over HTTPS


# Self-signed certificate
openssl genrsa -out tls.key 2048
openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/O=DevOps/CN=myapp.lixiang.com

# Inject the certificate into the pod via a Secret
kubectl create secret tls myapp-infress-secret --cert=tls.crt --key=tls.key
cat ingress-myapp.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp-tls
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - myapp.lixiang.com
    secretName: myapp-infress-secret
  rules:
  - host: myapp.lixiang.com
    http:
      paths:
      - path: /
        backend:
          serviceName: myapp-svc
          servicePort: 80

# Enter the container and look at the config file
cat nginx.conf
server {
    server_name myapp.lixiang.com ;
    listen 80;
    listen 443  ssl http2;

curl -k https://myapp.lixiang.com:30443
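As an added check that is not part of the original post, the script below audits a `kubectl get ingress -o json` dump for the two things this walkthrough relies on: the nginx ingress.class annotation and a tls entry (with a secretName) for every host, plus an empty-path warning like the one in section 3. The sample input is constructed from the two Ingress objects above, and `audit_ingresses` is a hypothetical helper name.

```python
import json

# Constructed sample of `kubectl get ingress -o json`, trimmed to the fields the
# check reads, for the two Ingress objects created in this walkthrough.
SAMPLE_INGRESS_LIST = json.dumps({"items": [
    {"metadata": {"name": "ingress-myapp", "namespace": "default",
                  "annotations": {"kubernetes.io/ingress.class": "nginx"}},
     "spec": {"rules": [{"host": "myapp.lixiang.com", "http": {"paths": [
         {"path": "", "backend": {"serviceName": "myapp-svc", "servicePort": 80}}]}}]}},
    {"metadata": {"name": "ingress-myapp-tls", "namespace": "default",
                  "annotations": {"kubernetes.io/ingress.class": "nginx"}},
     "spec": {"tls": [{"hosts": ["myapp.lixiang.com"], "secretName": "myapp-infress-secret"}],
              "rules": [{"host": "myapp.lixiang.com", "http": {"paths": [
         {"path": "/", "backend": {"serviceName": "myapp-svc", "servicePort": 80}}]}}]}},
]})


def audit_ingresses(ingress_list_json, expected_class="nginx"):
    """Return one finding per problem found in a `kubectl get ingress -o json` dump:
    wrong ingress.class, tls block without secretName, rule without host,
    host not covered by any tls entry, or an empty path."""
    findings = []
    for item in json.loads(ingress_list_json)["items"]:
        meta = item["metadata"]
        ref = "%s/%s" % (meta["namespace"], meta["name"])
        spec = item.get("spec", {})
        cls = meta.get("annotations", {}).get("kubernetes.io/ingress.class")
        if cls != expected_class:
            findings.append("%s: ingress.class is %r, expected %r" % (ref, cls, expected_class))
        tls_hosts = set()
        for tls in spec.get("tls", []):
            tls_hosts.update(tls.get("hosts", []))
            if not tls.get("secretName"):
                findings.append("%s: tls block without secretName" % ref)
        for rule in spec.get("rules", []):
            host = rule.get("host")
            if not host:
                findings.append("%s: rule without host matches any Host header" % ref)
            elif host not in tls_hosts:
                findings.append("%s: host %s is served over plain HTTP only (no tls entry)" % (ref, host))
            for path in rule.get("http", {}).get("paths", []):
                if not path.get("path"):
                    findings.append("%s: empty path for host %s (defaults to catch-all)" % (ref, host))
    return findings


if __name__ == "__main__":
    for line in audit_ingresses(SAMPLE_INGRESS_LIST):
        print(line)
```

On the sample it reports only the first Ingress (ingress-myapp): its host has no tls entry and its path is empty, while ingress-myapp-tls passes cleanly.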
