Kubernetes 集群内部使用 kube-dns 实现服务发现的功能,那么我们部署在 Kubernetes 集群中的应用如何暴露给外部的用户使用呢?前面我们使用 NodePort 和 LoadBalancer 类型的 Service 可以把应用暴露给外部用户使用,除此之外,Kubernetes 还为我们提供了一个非常重要的资源对象可以用来暴露服务给外部用户,那就是 Ingress。对于小规模的应用,使用 NodePort 或许能够满足我们的需求,但是当应用越来越多的时候,你就会发现 NodePort 的管理非常麻烦,这个时候使用 Ingress 就非常方便了,可以避免管理大量的 Port。
192.168.48.101 master01
192.168.48.201 node01
192.168.48.202 node02
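https://github.com/kubernetes/ingress-nginx/tree/master/deploy/static
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml
(分支内容会随时间变化,建议把 URL 中的 master 换成与下面镜像版本一致的发布标签 nginx-0.25.0,并在 kubectl apply 之前先检查 mandatory.yaml 里要创建的 RBAC 权限和镜像。)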
需要的镜像
quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.25.0
链接: https://pan.baidu.com/s/1_n_IPRo2bojl2EIoaqqcUg 提取码: tjyt
节点导入镜像(网盘里的镜像包不是官方分发渠道,导入后先用 docker inspect 核对镜像 ID 与官方仓库中同版本镜像一致,再用于部署;节点能访问官方仓库时直接拉取即可)
docker load -i ingress-controller-nginx-0.25.0.tar.gz
[root@master01 ~]# kubectl apply -f mandatory.yaml
namespace/ingress-nginx created
configmap/nginx-configuration created
configmap/tcp-services created
configmap/udp-services created
serviceaccount/nginx-ingress-serviceaccount created
clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole created
role.rbac.authorization.k8s.io/nginx-ingress-role created
rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding created
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding created
deployment.apps/nginx-ingress-controller created
查看
[root@master01 ~]# kubectl get pod -n ingress-nginx -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-ingress-controller-7995bd9c47-c4g5b 1/1 Running 0 16s 10.244.2.5 node02
官方默认的 yaml 文件只创建了 Deployment,没有创建 Service,所以需要自己创建一个 NodePort 类型的 Service 把控制器暴露给外网:http 是 30080,https 是 30443
vim ingress-crontroller-svc.yaml
# NodePort Service that publishes the ingress-nginx controller outside the cluster.
# A NodePort is opened on every node, so 30080 and 30443 become reachable on each
# node address. NOTE(review): if the nodes sit on a shared network, restrict who can
# reach these two ports with host or network firewall rules.
apiVersion: v1
kind: Service
metadata:
  name: ingress-controller-svc
  namespace: ingress-nginx
spec:
  # Presumably these are the pod labels set by mandatory.yaml; verify against the
  # downloaded file, otherwise the Service has no endpoints.
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  type: NodePort
  ports:
  # Plain HTTP entry point.
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
    nodePort: 30080
  # TLS entry point.
  - name: https
    port: 443
    targetPort: 443
    protocol: TCP
    nodePort: 30443
[root@master01 ~]# kubectl apply -f ingress-crontroller-svc.yaml
service/ingress-controller-svc created
[root@master01 ~]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-controller-svc NodePort 10.101.54.200 80:30080/TCP,443:30443/TCP 19s
通过 NodePort 访问测试一下,发现可以访问,但返回 404,因为还没有创建 Ingress 规则
Ingress 控制器会实时监听 Service 的变化
[root@master01 deploy_yaml]# vim myapp-deploy.yaml
# Demo backend: two replicas of the myapp container, listening on port 80.
# NOTE(review): the image comes from a third-party repository and is referenced by a
# mutable tag; pin it by digest if the content needs to be reproducible.
# NOTE(review): no resources or securityContext are set, so the container runs with
# whatever user and privileges the image defaults to.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deploy
  namespace: default
  labels:
    app: myapp
    type: deploy
spec:
  replicas: 2
  # The selector must match the pod template labels below.
  selector:
    matchLabels:
      app: myapp
      type: deploy
  template:
    metadata:
      name: myapp-pod
      labels:
        app: myapp
        type: deploy
    spec:
      containers:
      - name: myapp
        image: ikubernetes/myapp:v1
        ports:
        - name: http
          containerPort: 80
[root@master01 deploy_yaml]# kubectl apply -f myapp-deploy.yaml
deployment.apps/myapp-deploy created
[root@master01 svc_yaml]# vim myapp-svc.yaml
# ClusterIP Service in front of the myapp pods. It is reachable only from inside the
# cluster; external traffic is expected to arrive through the Ingress that names this
# Service as its backend.
apiVersion: v1
kind: Service
metadata:
  name: myapp-svc
  namespace: default
  labels:
    type: svc
    app: myapp
spec:
  # Selects the pods created by myapp-deploy (same app/type labels).
  selector:
    app: myapp
    type: deploy
  type: ClusterIP
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
    name: http
[root@master01 svc_yaml]# kubectl apply -f myapp-svc.yaml
service/myapp-svc created
vim myapp-ingress.yaml
# Routes HTTP requests for host myapp.tk8s.com to myapp-svc port 80.
# NOTE(review): extensions/v1beta1 Ingress is deprecated and was removed in
# Kubernetes 1.22; on newer clusters use networking.k8s.io/v1, which has a different
# backend schema and requires pathType.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: myapp-ingress
  namespace: default
  labels:
    type: ingress
    app: myapp
  annotations:
    # Hands this Ingress to the nginx ingress controller.
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: myapp.tk8s.com
    http:
      paths:
      # path is left empty; presumably treated as a catch-all for the host, confirm
      # against the API version in use.
      - path:
        backend:
          serviceName: myapp-svc
          servicePort: 80
[root@master01 ingress_yaml]# kubectl apply -f myapp-ingress.yaml
[root@master01 ~]# kubectl get ingresses -o wide
NAME HOSTS ADDRESS PORTS AGE
myapp-ingress myapp.tk8s.com 80 17s
因为是域名访问,hosts写入相关内容
192.168.48.101 master01 myapp.tk8s.com
192.168.48.201 node01
192.168.48.202 node02
访问
vim tomcat-deploy.yaml
# Second demo backend: two replicas of Tomcat, listening on port 8080.
# NOTE(review): tomcat:8.5.32-jre8-alpine is a dated build; check for a currently
# supported patch release before exposing it beyond a lab.
# NOTE(review): whatever web applications the stock image ships are published as-is
# once the Ingress points at this Deployment; confirm what the image contains.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: default
  labels:
    app: tomcat
    type: deploy
spec:
  replicas: 2
  # The selector must match the pod template labels below.
  selector:
    matchLabels:
      app: tomcat
      type: deploy
  template:
    metadata:
      name: tomcat-pod
      labels:
        app: tomcat
        type: deploy
    spec:
      containers:
      - name: tomcat
        image: tomcat:8.5.32-jre8-alpine
        ports:
        - name: http
          containerPort: 8080
[root@master01 deploy_yaml]# kubectl apply -f tomcat-deploy.yaml
deployment.apps/tomcat-deploy created
vim tomcat-svc.yaml
# ClusterIP Service in front of the Tomcat pods, port 8080 to container port 8080.
# It is reachable only from inside the cluster; the Ingress objects for
# tomcat.tk8s.com use it as their backend.
apiVersion: v1
kind: Service
metadata:
  name: tomcat-svc
  namespace: default
  labels:
    type: svc
    app: tomcat
spec:
  # Selects the pods created by tomcat-deploy (same app/type labels).
  selector:
    app: tomcat
    type: deploy
  type: ClusterIP
  ports:
  - port: 8080
    targetPort: 8080
    protocol: TCP
    name: http
[root@master01 svc_yaml]# kubectl apply -f tomcat-svc.yaml
service/tomcat-svc created
vim tomcat-ingress.yaml
# Routes plain-HTTP requests for host tomcat.tk8s.com to tomcat-svc port 8080.
# No tls section is present, so this object on its own serves the host without
# encryption.
# NOTE(review): extensions/v1beta1 Ingress is deprecated and was removed in
# Kubernetes 1.22; on newer clusters use networking.k8s.io/v1.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-ingress
  namespace: default
  labels:
    type: ingress
    app: tomcat
  annotations:
    # Hands this Ingress to the nginx ingress controller.
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: tomcat.tk8s.com
    http:
      paths:
      # path is left empty; presumably treated as a catch-all for the host, confirm
      # against the API version in use.
      - path:
        backend:
          serviceName: tomcat-svc
          servicePort: 8080
[root@master01 ingress_yaml]# kubectl apply -f tomcat-ingress.yaml
ingress.extensions/tomcat-ingress created
[root@master01 ~]# kubectl get ingresses.
NAME HOSTS ADDRESS PORTS AGE
myapp-ingress myapp.tk8s.com 80 96m
tomcat-ingress tomcat.tk8s.com 80 7s
因为是域名访问,hosts写入相关内容
192.168.48.101 master01 myapp.tk8s.com tomcat.tk8s.com
192.168.48.201 node01
192.168.48.202 node02
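下面为 tomcat.tk8s.com 配置 HTTPS。这里用的是自签名证书,只适合测试(客户端默认不信任);openssl req 没有指定 -days 时证书有效期默认为 30 天。私钥 tomcat.key 导入 Secret 之后不要继续明文留在节点上。
[root@master01 ~]# openssl genrsa -out tomcat.key 2048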
Generating RSA private key, 2048 bit long modulus
........................................+++
.............................................+++
e is 65537 (0x10001)
[root@master01 ~]# openssl req -new -x509 -key tomcat.key -out tomcat.crt -subj /C=CN/ST=Beijing/L=Beijing/O=dev/CN=tomcat.tk8s.com
[root@master01 ~]# kubectl create secret tls tomcat-ingress-secret --cert=tomcat.crt --key=tomcat.key
secret/tomcat-ingress-secret created
[root@master01 ~]# kubectl get secrets
NAME TYPE DATA AGE
default-token-56k45 kubernetes.io/service-account-token 3 19d
tomcat-ingress-secret kubernetes.io/tls 2 8s
vim tomcat-ingress-ssl.yaml
# HTTPS variant of the Tomcat Ingress: terminates TLS for tomcat.tk8s.com at the
# ingress controller using the certificate and key stored in tomcat-ingress-secret,
# then forwards to tomcat-svc port 8080.
# NOTE(review): extensions/v1beta1 Ingress is deprecated and was removed in
# Kubernetes 1.22; on newer clusters use networking.k8s.io/v1.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-ingress-ssl
  namespace: default
  labels:
    type: ingress
    app: tomcat
  annotations:
    # Hands this Ingress to the nginx ingress controller.
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  # The host listed here should match the certificate's CN/SAN, and the Secret must
  # live in the same namespace as this Ingress.
  - hosts:
    - tomcat.tk8s.com
    secretName: tomcat-ingress-secret
  rules:
  - host: tomcat.tk8s.com
    http:
      paths:
      # NOTE(review): ingress-nginx normally redirects HTTP to HTTPS for hosts that
      # have a tls entry; confirm with the controller's ssl-redirect setting.
      - path:
        backend:
          serviceName: tomcat-svc
          servicePort: 8080
[root@master01 ~]# kubectl apply -f tomcat-ingress-ssl.yaml
ingress.extensions/tomcat-ingress-ssl created
[root@master01 ~]# kubectl get ingresses.
NAME HOSTS ADDRESS PORTS AGE
myapp-ingress myapp.tk8s.com 80 102m
tomcat-ingress tomcat.tk8s.com 80 6m16s
tomcat-ingress-ssl tomcat.tk8s.com 80, 443 10s
因为是域名访问,本机hosts写入相关内容
192.168.48.101 master01 myapp.tk8s.com tomcat.tk8s.com
192.168.48.201 node01
192.168.48.202 node02