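There are generally several ways to expose a Service in Kubernetes:
Introduction to Ingress:
Typically, Services and Pods have IPs that are only routable within the cluster network. All traffic that ends up at an edge router is either dropped or forwarded elsewhere. Conceptually, this might look like: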
    internet
        |
  ------------
  [ Services ]
An Ingress is a set of rules that allow inbound connections to reach the cluster's Services.
    internet
        |
   [ Ingress ]
   --|-----|--
   [ Services ]
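The rest of this post uses nginx-ingress as the example.
Environment:
kubernetes 1.9.8
NGINX Ingress controller: 0.15.0
I. Install the required components: the controller, the default backend, the RBAC permissions, and so on.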
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml
Check that all components were installed successfully:
# kubectl get all -n ingress-nginx
NAME                              DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
deploy/default-http-backend       1         1         1            1           41s
deploy/nginx-ingress-controller   1         1         1            1           39s

NAME                                     DESIRED   CURRENT   READY   AGE
rs/default-http-backend-55c6c69b88       1         1         1       40s
rs/nginx-ingress-controller-5f6d649c67   1         1         1       39s

NAME                              DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
deploy/default-http-backend       1         1         1            1           41s
deploy/nginx-ingress-controller   1         1         1            1           39s

NAME                                     DESIRED   CURRENT   READY   AGE
rs/default-http-backend-55c6c69b88       1         1         1       40s
rs/nginx-ingress-controller-5f6d649c67   1         1         1       39s

NAME                                           READY   STATUS    RESTARTS   AGE
po/default-http-backend-55c6c69b88-ct72h       1/1     Running   0          38s
po/nginx-ingress-controller-5f6d649c67-brqft   1/1     Running   0          39s

NAME                       TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
svc/default-http-backend   ClusterIP   10.254.228.114   <none>        80/TCP    40s
II. Because our k8s cluster was installed from binaries on bare metal, the ingress Service has to be configured as type NodePort:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/baremetal/service-nodeport.yaml
If your k8s cluster runs on AWS, you can configure the ingress Service as type LoadBalancer instead.
III. All ingress components are now installed:
# kubectl get all -n ingress-nginx
NAME                              DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
deploy/default-http-backend       1         1         1            1           7m
deploy/nginx-ingress-controller   1         1         1            1           6m

NAME                                     DESIRED   CURRENT   READY   AGE
rs/default-http-backend-55c6c69b88       1         1         1       7m
rs/nginx-ingress-controller-5f6d649c67   1         1         1       6m

NAME                              DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
deploy/default-http-backend       1         1         1            1           7m
deploy/nginx-ingress-controller   1         1         1            1           6m

NAME                                     DESIRED   CURRENT   READY   AGE
rs/default-http-backend-55c6c69b88       1         1         1       7m
rs/nginx-ingress-controller-5f6d649c67   1         1         1       6m

NAME                                           READY   STATUS    RESTARTS   AGE
po/default-http-backend-55c6c69b88-ct72h       1/1     Running   0          6m
po/nginx-ingress-controller-5f6d649c67-brqft   1/1     Running   0          6m

NAME                       TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
svc/default-http-backend   ClusterIP   10.254.228.114   <none>        80/TCP                       7m
svc/ingress-nginx          NodePort    10.254.73.54     <none>        80:27468/TCP,443:42584/TCP   8s
Check the installed version:
# POD_NAMESPACE=ingress-nginx
# POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app=ingress-nginx -o jsonpath='{.items[0].metadata.name}')
# kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version
-------------------------------------------------------------------------------
NGINX Ingress controller
Release: 0.15.0
Build: git-df61bd7
Repository: https://github.com/kubernetes/ingress-nginx
-------------------------------------------------------------------------------
IV. Next, start an nginx service to verify HTTP access through the ingress:
1. Start an nginx service:
# cat nginx.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  type: ClusterIP
  selector:
    app: nginx
  ports:
  - port: 80
    targetPort: 80
    name: http-nginx
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.7.9
        ports:
        - containerPort: 80
# kubectl create -f ./nginx.yaml
# kubectl get pod,svc |grep nginx
po/nginx-6c54bd5869-qrr8d   1/1         Running          0        43s
svc/nginx                   ClusterIP   10.254.225.236   <none>   80/TCP   43s
2. Write the ingress rule:
# cat nginx-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-nginx
spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80
# kubectl create -f ./nginx-ingress.yaml
3. Access it from a client:
curl http://foo.bar.com:27468/
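4. Note on the installation in step II above: service-nodeport.yaml does not define the NodePort port numbers, so a random port, 27468, was used.
You can edit that Service file and add nodePort: 80 and nodePort: 443 (the kube-apiserver --service-node-port-range must include these ports; its default is 30000-32767), as follows: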
# cat ./service-nodeport.yaml
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: 80
    nodePort: 80
    protocol: TCP
  - name: https
    port: 443
    targetPort: 443
    nodePort: 443
    protocol: TCP
  selector:
    app: ingress-nginx
With this in place, you no longer need to specify a port:
curl http://foo.bar.com/
5. For an ingress that fronts multiple services, define the ingress rules as follows:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test
spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - path: /foo
        backend:
          serviceName: nginx-1
          servicePort: 80
      - path: /bar
        backend:
          serviceName: nginx-2
          servicePort: 80
V. Installing the ingress controller as a DaemonSet
When the controller is installed this way and the NodePort-type Service is additionally set to externalTrafficPolicy: Local, the client's real IP can be obtained over HTTP.
Ingress DaemonSet reference: https://github.com/4220182/kubernetes/blob/master/ingress-nginx/0.15.0/Real-Source-IP/
Getting the client's real IP inside a pod: https://blog.csdn.net/kozazyh/article/details/80605403
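The Service change described in this section, as an added example (it is not taken from the linked repository): the ingress-nginx NodePort Service from step II with externalTrafficPolicy set, reusing the name, namespace and selector shown earlier on this page. The comments describe how it differs from the default policy and why it is paired with a DaemonSet.

```yaml
# Added example: NodePort Service for the ingress controller with the
# traffic policy from section V. Only externalTrafficPolicy is new; the
# rest matches the service-nodeport.yaml shown earlier on this page.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
spec:
  type: NodePort
  # Default ("Cluster"): kube-proxy may forward a NodePort connection to a
  # controller pod on another node and source-NATs it on the way, so nginx
  # access logs and X-Forwarded-For carry a node IP, not the client's.
  # "Local": the connection is only handed to a controller pod on the node
  # that received it, without source NAT, so the client IP is preserved.
  externalTrafficPolicy: Local
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
  selector:
    app: ingress-nginx
# With "Local", a node that runs no controller pod drops traffic arriving
# on the NodePort. Running the controller as a DaemonSet (one pod per node)
# instead of the single-replica Deployment keeps every node reachable.
```

Any IP allow-listing or rate limiting configured in nginx only acts on the real client address once this policy is in effect; under the default policy it sees the node address instead.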
VI. Configuring HTTPS
Reference: https://blog.csdn.net/kozazyh/article/details/80588395
For more on using ingress, see:
https://kubernetes.io/docs/concepts/services-networking/ingress/
https://github.com/kubernetes/ingress-nginx/blob/nginx-0.19.0/docs/deploy/index.md