k8s之ingress及ingress controller

1.ingress概述

图解:第一个service起到的作用是:引入外部流量,也可以不用此方式,以DaemonSet控制器的方式让Pod共享节点网络,第二个service的作用是:对后端pod分组,不被调度时使用,如果后端pod发生变动,则ingress就会将变动信息注入到,ingress controller管理的7层负载nginx的配置文件中.

2.部署

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41

wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml kubectl apply -f mandatory.yaml # 之前还有个default-http-backend,现在只运行一个pod kubectl get pods -n ingress-nginx NAME                                        READY   STATUS    RESTARTS   AGE nginx-ingress-controller-689498bc7c-sm972   1/1     Running   0          45s   # nginx-ingress-controller部署在node1上,一个deployment控制器,一个replicaset,一个pod. # 接下来还需要部署一个service-nodeport服务,才能实现把集群外部流量接入到集群中来. wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/baremetal/service-nodeport.yaml # 为了不让service nodeport自动分配端口,需要手动指定nodeport cat service-nodeport.yaml apiVersion: v1 kind: Service metadata:   name: ingress-nginx   namespace: ingress-nginx   labels:     app.kubernetes.io/name: ingress-nginx     app.kubernetes.io/part-of: ingress-nginx spec:   type: NodePort   ports:     - name: http       port: 80       targetPort: 80       nodePort: 30080       protocol: TCP     - name: https       port: 443       targetPort: 443       protocol: TCP       nodePort: 30443   selector:     app.kubernetes.io/name: ingress-nginx     app.kubernetes.io/part-of: ingress-nginx   kubectl apply -f service-nodeport.yaml kubectl get svc -n ingress-nginx NAME            TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE ingress-nginx   NodePort   10.102.228.59           80:30080/TCP,443:30443/TCP   31s

3.定义后端分组service:myapp-svc

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89

cat myapp-svc-headless.yaml apiVersion: v1 kind: Service metadata:   name: myapp-svc   namespace: default spec:   selector:     app: myapp     release: canary   clusterIP: "None"   ports:   - port: 80     targetPort: 80 --- apiVersion: apps/v1 kind: Deployment metadata:   name: myapp-deploy   namespace: default spec:   replicas: 2   selector:     matchLabels:       app: myapp       release: canary   template:     metadata:       labels:         app: myapp         release: canary     spec:       containers:       - name: myapp         image: ikubernetes/myapp:v1         ports:         - name: http           containerPort: 80 # 创建pod时,用nodeSelector可实现精准分布 kubectl apply -f myapp-svc-headless.yaml kubectl get svc NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE kubernetes   ClusterIP   10.96.0.1            443/TCP   13d myapp-svc    ClusterIP   None                 80/TCP    29m   # 通过Ingress把myapp-svc发布出去 cat ingress-myapp.yaml apiVersion: extensions/v1beta1 kind: Ingress metadata:   name: ingress-myapp   namespace: default   annotations:     kubernetes.io/ingress.class: "nginx" spec:   rules:   - host: myapp.lixiang.com     http:       paths:       - path:         backend:           serviceName: myapp-svc           servicePort: 80   namespace要和deployment和要发布的service处于同一个名称空间 annotations:说明我们要用到的ingress-controller是nginx,而不是Traefik、Envoy host:表示访问这个域名,就会转发到后端myapp-deploy管理的pod上 kubectl apply -f ingress-myapp.yaml kubectl get ingress NAME            HOSTS               ADDRESS   PORTS   AGE ingress-myapp   myapp.lixiang.com             80      5m34s #  进入交互式命令行 kubectl exec -n ingress-nginx -it nginx-ingress-controller-689498bc7c-sm972 -- /bin/sh $ cat nginx.conf     ## start server myapp.lixiang.com     server {         server_name myapp.lixiang.com ;         listen 80;         location / {             set $namespace      "default";             set $ingress_name   "ingress-myapp";             set $service_name   "myapp-svc";             set $service_port   "80";             set $location_path  "/"; # ingress一经创建,就将信息注入到nginx-ingress-controller这个pod中, # 个人感觉ingress像一个监视者、搬运工,nginx-ingress-controller起到反向代理的作用 # 添加一条hosts解析 curl myapp.lixiang.com:30080 Hello MyApp | Version: v1 | "hostname.html">Pod Name</a>

4.使用https访问

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33

# 自签证书 openssl genrsa -out tls.key 2048 openssl req -new -x509 -key tls.key  -out tls.crt -subj /C=CN/ST=Beijing/O=DevOps/CN=myapp.lixiang.com # 通过secret把证书注入到pod中 kubectl create secret tls myapp-infress-secret --cert=tls.crt --key=tls.key cat ingress-myapp.yaml apiVersion: extensions/v1beta1 kind: Ingress metadata:   name: ingress-myapp-tls   namespace: default   annotations:     kubernetes.io/ingress.class: "nginx" spec:   tls:   - hosts:     - myapp.lixiang.com     secretName: myapp-infress-secret   rules:   - host: myapp.lixiang.com     http:       paths:       - path: /         backend:           serviceName: myapp-svc           servicePort: 80 # 进入容器查看配置文件 cat nginx.conf server {     server_name myapp.lixiang.com ;     listen 80;      listen 443  ssl http2; curl -k https://myapp.lixiang.com:30443