Kubernetes Getting Started in Practice: Ingress

(Reading without thinking is like eating without digesting. - Burke)
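Previous article: Kubernetes Getting Started in Practice: Operating a k8s Cluster
This tutorial shows how to use ingress-nginx to provide load balancing, domain-name access and SSL for a cluster.

Why Ingress is needed

In the previous tutorial we exposed a port with NodePort so that the application could be reached from outside the cluster.
NodePort, however, has the following drawbacks:

  • Every service gets its own port, and as the application grows the ports become hard to maintain.
  • Virtual hosts: the traditional approach is to edit nginx.conf and reload. k8s offers a higher-level way: describe the routing in an Ingress YAML file, and after each change re-apply the file so the configuration takes effect.
  • A service only supports layer 4 and can only be reached by IP; it cannot forward based on HTTP headers or paths. Ingress supports layer 7.

The difference between layer-4 and layer-7 protocols

"Four layers" refers to the four-layer TCP/IP model, which consists of the application layer, the transport layer, the internet layer and the network interface layer.
"Seven layers" refers to the seven-layer OSI model: Application, Presentation, Session, Transport, Network, Data Link and Physical.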

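  • Physical layer
    The physical layer is the lowest layer of the OSI reference model. Its job is to carry the bit stream transparently between adjacent computer nodes, hiding the differences between specific transmission media and physical devices. "Transparent" means that the bit stream is unchanged after passing through the actual circuit, so that from the bit stream's point of view the circuit is invisible.
    Machines only understand binary, that is 0 and 1, represented by high and low voltage levels, and the physical layer carries a bit stream (a binary stream; a bit is one binary digit). Common devices that carry the bit stream are network cards, network cables, hubs, repeaters and modems.

  • Data link layer
    The data link layer is the second layer of the OSI reference model. It establishes and manages the links between nodes. Its main function is to use various control protocols to turn an error-prone physical channel into an error-free data link that can transmit data frames reliably. Because of interference in a computer network (magnetic fields, temperature and so on), the physical link is unreliable, so on top of the bit stream provided by the physical layer this layer applies error control and flow control to turn an error-prone physical line into an error-free data link (in other words, it provides a way to transfer data reliably over the physical medium). Concretely, the data link layer receives data as a bit stream from the physical layer, encapsulates it into frames and passes them to the layer above; likewise it takes frames from the layer above, unpacks them into a bit stream and forwards that to the physical layer; it also handles the acknowledgement frames sent back by the receiver in order to provide reliable data transmission.
    Bridges and switches belong to the data link layer.

  • Network layer
    The network layer is the third layer of the OSI reference model and also the most complex one. It serves the resource subnet on the basis of the two layers below it. Its main task is to choose the best path through the communication subnet for messages or packets by means of routing algorithms. Specifically, data from the data link layer is converted into packets at this layer, and then, through route selection, packet assembly, sequencing and inbound/outbound routing control, the information is delivered from one network device to another. In general, the data link layer handles communication between nodes on the same network, while the network layer handles communication between different networks.
    Routers belong to the network layer.

  • Transport layer
    The transport layer is the fourth layer of the OSI reference model. It is the interface and bridge between the communication subnet and the resource subnet and links the layers above and below it. Its main task is to provide users with reliable end-to-end error and flow control so that messages are transmitted correctly. The transport layer hides the details of lower-layer data communication from the upper layers, that is, it transmits messages transparently for the user. Common protocols at this layer are TCP and UDP. The transport layer provides the transport service between the session layer and the network layer: it takes data from the session layer, splits it when necessary, hands it to the network layer and makes sure it is delivered to the network layer correctly. The transport layer is therefore responsible for reliable data transfer between two nodes.

  • Session layer
    The session layer is the fifth layer of the OSI reference model. It is the interface between user applications and the network, and its main task is to give the presentation layers of two entities a way to establish and use a connection. A connection between the presentation layers of different entities is called a session, so the session layer organizes and coordinates the communication between two session processes and manages the data exchange. Users can establish sessions in half-duplex, simplex or full-duplex mode. When establishing a session, users must supply the remote address they want to connect to; these addresses differ from MAC addresses or network-layer logical addresses: they are designed for users and are easier to remember. The session layer can be understood as defining how a session is started, controlled and ended.

  • Presentation layer
    The presentation layer is the sixth layer of the OSI reference model. It interprets the commands and data coming from the application layer, assigns meaning to the various syntaxes and passes the result to the session layer in an agreed format. Its main function is to handle how user information is represented (encoding, data format conversion, encryption and decryption, and so on). The presentation layer can be understood as defining the data format and the encryption method.

  • Application layer
    The application layer is the seventh layer of the OSI reference model. It is the interface between computer users, applications and the network, and it provides services directly to the user, carrying out whatever work the user wants done on the network. Building on the other six layers, it connects applications with the network operating system, establishes and ends the association between users, and implements the protocols for supervision, management and service that the network services requested by users and applications require. It also coordinates the work of the individual applications. The application layer can be understood as the applications that need to communicate over the network.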

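Ingress

Ingress is a Kubernetes resource that lets you configure an HTTP load balancer for applications running on Kubernetes, which are represented by one or more services. Such a load balancer is needed to deliver those applications to clients outside the Kubernetes cluster.
The Ingress resource supports the following features:

  • Content-based routing:
      • Host-based routing. For example, route requests with the host header foo.example.com to one group of services and requests with the host header bar.example.com to another group.
      • Path-based routing. For example, route requests whose URI starts with /serviceA to service A and requests whose URI starts with /serviceB to service B.
  • TLS/SSL termination for each hostname, for example foo.example.com.

Below is a simple Ingress example that sends all traffic to the same Service:

[Figure 1: a simple Ingress that sends all traffic to one Service]
Ingress can be configured to give services externally reachable URLs, load-balance traffic, terminate SSL/TLS and provide name-based virtual hosting. An Ingress controller is usually responsible for fulfilling the Ingress with a load balancer, although it may also configure an edge router or other front ends to help handle the traffic.

Ingress does not expose arbitrary ports or protocols. To expose services other than HTTP and HTTPS to the Internet, a Service of type Service.Type=NodePort or Service.Type=LoadBalancer is normally used.

Summary: Ingress is similar to the nginx.conf configuration file in nginx. In k8s, once an ingress-controller is configured, a request first passes through the ingress-controller to the Ingress, is then forwarded to the matching service according to the Ingress rules, and the service in turn forwards it according to the policy for the group of pods it has created.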

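Ingress-Controller (IC for short)

An Ingress controller is an application that runs in the cluster and configures an HTTP load balancer according to the Ingress resources. The load balancer can be a software load balancer running in the cluster, or a hardware or cloud load balancer running outside it. Different load balancers need different Ingress controller implementations.
In the case of NGINX, the Ingress controller is deployed in one pod together with the load balancer.

How the Ingress-Controller works
How the Ingress controller exposes services to the outside

The diagram below shows the architecture for reaching services through the Ingress controller:
[Figure 2: architecture of service access through the Ingress controller]

  1. The users admin, A and B operate the cluster through the k8s API.
  2. Clients A and B connect to the deployed applications A and B.
  3. The Ingress controller is deployed in a pod, and its policy is configured through Ingress.yaml files. The controller uses the k8s API to fetch the latest Ingress resources in the cluster and then configures/reloads its internal nginx from them.
  4. Users A and B have each deployed two pod applications in their own namespaces. To let users reach these internal applications by domain name, users A and B each configure an entry point on the Ingress controller.
  5. After deployment, users access the Ingress controller by domain name and reach the final pod according to the rules configured in the Ingress.

How the Ingress controller processes Ingress configuration files

The diagram below shows the process from publishing an Ingress resource to it taking effect:
[Figure 3: from publishing an Ingress resource to the configuration taking effect]

  1. The user creates an Ingress resource that contains the configuration for forwarding domain names to services.
  2. The Ingress controller watches for resource changes and fetches the latest Ingress resources from its cache.
  3. It generates the nginx configuration file from the latest Ingress resources.
  4. After generating the new configuration file, the Ingress controller reloads nginx and sends a k8s event that reports the update status.
  5. If the update fails, an exception is raised.

Summary

Inside, the Ingress controller is nginx: it watches Ingress resources through the k8s API, regenerates nginx.conf on every change and then reloads nginx so that the change takes effect.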

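Configuring the k8s Ingress and the Ingress controller
Step 1: Install the Ingress controller (ingress-controller)

Download the ingress-controller yml configuration file (official link).
Network problems may make it unreachable, though, and even after a successful download the later installation can run into timeouts and similar problems, so that the Ingress controller does not start properly.
So here is a prepared yml file that uses registry addresses inside China, which speeds up access and downloads.

### First copy the file content below, then open the file in the editor and paste it in
vim kube-ingress-controller.yaml

### Save the file and quit vim with :wq!

### Run kubectl to apply the configuration file
kubectl apply -f kube-ingress-controller.yaml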

apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx

---
# Source: ingress-nginx/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
automountServiceAccountToken: true
---
# Source: ingress-nginx/templates/controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
---
# Source: ingress-nginx/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
---
# Source: ingress-nginx/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ''
    resources:
      - configmaps
      - pods
      - secrets
      - endpoints
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - configmaps
    resourceNames:
      - ingress-controller-leader
    verbs:
      - get
      - update
  - apiGroups:
      - ''
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
---
# Source: ingress-nginx/templates/controller-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-service-webhook.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
spec:
  type: ClusterIP
  ports:
    - name: https-webhook
      port: 443
      targetPort: webhook
      appProtocol: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
      appProtocol: http
    - name: https
      port: 443
      protocol: TCP
      targetPort: https
      appProtocol: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/component: controller
  revisionHistoryLimit: 10
  minReadySeconds: 0
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
    spec:
      dnsPolicy: ClusterFirstWithHostNet
      hostNetwork: true
      containers:
        - name: controller
          image: willdockerhub/ingress-nginx-controller:v1.0.0
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          args:
            - /nginx-ingress-controller
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
            - --election-id=ingress-controller-leader
            - --controller-class=k8s.io/ingress-nginx
            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            runAsUser: 101
            allowPrivilegeEscalation: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
            - name: webhook
              containerPort: 8443
              protocol: TCP
          volumeMounts:
            - name: webhook-cert
              mountPath: /usr/local/certificates/
              readOnly: true
          resources:
            requests:
              cpu: 100m
              memory: 90Mi
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission
---
# Source: ingress-nginx/templates/controller-ingressclass.yaml
# We don't support namespaced ingressClass yet
# So a ClusterRole and a ClusterRoleBinding is required
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: nginx
  namespace: ingress-nginx
spec:
  controller: k8s.io/ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
# before changing this value, check the required kubernetes version
# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  name: ingress-nginx-admission
webhooks:
  - name: validate.nginx.ingress.kubernetes.io
    matchPolicy: Equivalent
    rules:
      - apiGroups:
          - networking.k8s.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions:
      - v1
    clientConfig:
      service:
        namespace: ingress-nginx
        name: ingress-nginx-controller-admission
        path: /networking/v1/ingresses
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
rules:
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - get
      - update
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
rules:
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - get
      - create
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
spec:
  template:
    metadata:
      name: ingress-nginx-admission-create
      labels:
        helm.sh/chart: ingress-nginx-4.0.1
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/version: 1.0.0
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: create
          image: jettech/kube-webhook-certgen:v1.0.0
          imagePullPolicy: IfNotPresent
          args:
            - create
            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
            - --namespace=$(POD_NAMESPACE)
            - --secret-name=ingress-nginx-admission
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
spec:
  template:
    metadata:
      name: ingress-nginx-admission-patch
      labels:
        helm.sh/chart: ingress-nginx-4.0.1
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/version: 1.0.0
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: patch
          image: jettech/kube-webhook-certgen:v1.0.0
          imagePullPolicy: IfNotPresent
          args:
            - patch
            - --webhook-name=ingress-nginx-admission
            - --namespace=$(POD_NAMESPACE)
            - --patch-mutating=false
            - --secret-name=ingress-nginx-admission
            - --patch-failure-policy=Fail
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
Result

[Figures 4-6: screenshots of the result]
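The manifest above is a modified copy of the controller manifest: it pulls images by mutable tag from the `willdockerhub/` and `jettech/` repositories, runs the controller with `hostNetwork: true` and `allowPrivilegeEscalation: true`, and its ClusterRole can list and watch Secrets cluster-wide. The script below is an added example (not part of the original article or of the ingress-nginx project) that surfaces exactly these settings before `kubectl apply`. The default trusted prefix `registry.k8s.io/ingress-nginx/` and the embedded sample, a trimmed excerpt of the manifest above, are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example: static review of a multi-document manifest before `kubectl apply`.
# The default trusted prefix is an assumption; pass the registry you trust as $2.

audit_manifest() {
  awk -v trusted="${2:-registry.k8s.io/ingress-nginx/}" '
    /^---/      { kind = ""; name = "" }    # start of a new YAML document
    /^kind:/    { kind = $2 }               # top-level kind only
    /^  name:/  { name = $2 }               # two-space indent: metadata.name
    /^[ -]*image:/ {
      img = $NF; gsub("[\"\047]", "", img)  # drop optional quotes
      if (index(img, trusted) != 1)    print "UNTRUSTED_REGISTRY " kind "/" name " " img
      if (img !~ /@sha256:[0-9a-f]+$/) print "TAG_NOT_DIGEST " kind "/" name " " img
    }
    /^ +hostNetwork: +true/              { print "HOST_NETWORK " kind "/" name }
    /^ +allowPrivilegeEscalation: +true/ { print "PRIV_ESCALATION " kind "/" name }
    kind == "ClusterRole" && /^ +- secrets *$/ { print "CLUSTER_WIDE_SECRETS " kind "/" name }
  ' "$1"
}

# Constructed sample: trimmed excerpt of the manifest above, for offline runs.
sample_manifest() {
  cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress-nginx
rules:
  - apiGroups: ['']
    resources:
      - secrets
    verbs: [list, watch]
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-nginx-controller
spec:
  template:
    spec:
      hostNetwork: true
      containers:
        - name: controller
          image: willdockerhub/ingress-nginx-controller:v1.0.0
          securityContext:
            allowPrivilegeEscalation: true
---
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-create
spec:
  template:
    spec:
      containers:
        - name: create
          image: jettech/kube-webhook-certgen:v1.0.0
EOF
}

# Run as: ./audit.sh kube-ingress-controller.yaml [trusted-prefix]
if [ "$#" -gt 0 ]; then audit_manifest "$@"; fi
```

Each output line is a finding to review, not a verdict: a host-network controller or a cluster-wide Secrets watch may be intended, but it should be a decision rather than a side effect of copying a manifest.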

Step 2: Configure the Ingress YAML file

Kubernetes Getting Started in Practice: Ingress YAML documentation

# Configure virtual host names on the node by adding the following two entries
vim /etc/hosts
# 192.168.5.139 ingress.vuelist.com
# 192.168.5.139 ingress.vuelogin.com

# List all nodes of the k8s cluster
kubectl get node -o wide

Look at the running service: 31065 is the service's port, and this is the port we need to proxy in the Ingress.
Because the service is in the vue namespace, our Ingress also has to run in the vue namespace.

Create the min-ingress.yaml configuration file

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: min-ingress
  namespace: vue
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: ingress.vuelist.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: vue-service
            port:
              number: 31065
  - host: ingress.vuelogin.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: vue-service
            port:
              number: 31065

# Apply the min-ingress.yaml configuration
kubectl apply -f min-ingress.yaml

Enter the Ingress controller container and look at the generated nginx configuration file

# List the pods of the Ingress controller
kubectl get pods -n ingress-nginx

Here ingress-nginx-controller is the pod of the Ingress controller

# Enter the pod with kubectl
kubectl exec -n ingress-nginx -it ingress-nginx-controller-qvdqm -- /bin/sh

Look at nginx.conf: it contains the configuration from our Ingress

Step 3: Verify the Ingress

Because the front end defines a default route, requests are forwarded to /list.
Visit https://ingress.vuelist.com
Visit https://ingress.vuelogin.com
View the pods behind the service
View the logs of the three pods
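The Ingress from step 2 has no `spec.tls` section, so the HTTPS URLs above are answered with the controller's built-in default certificate rather than one issued for these hosts. As an added example (not from the original article), the script below prints the same Ingress with TLS termination for both hosts and checks that every rule host is covered by a `spec.tls` entry. The Secret name `vue-tls` and the certificate files are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. The Secret name "vue-tls" and the
# tls.crt/tls.key files are hypothetical; hosts, namespace, service and port
# are copied from min-ingress.yaml above.

# Print min-ingress with a spec.tls section that covers both hosts.
render_tls_ingress() {
  cat <<'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: min-ingress
  namespace: vue
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - ingress.vuelist.com
    - ingress.vuelogin.com
    secretName: vue-tls   # hypothetical Secret of type kubernetes.io/tls
  rules:
  - host: ingress.vuelist.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: vue-service
            port:
              number: 31065
  - host: ingress.vuelogin.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: vue-service
            port:
              number: 31065
EOF
}

# Print every rules[].host that has no exact match in spec.tls[].hosts.
# Assumes two-space indentation as above; wildcard hosts are not expanded.
hosts_without_tls() {
  awk '
    /^  tls:/   { section = "tls" }
    /^  rules:/ { section = "rules" }
    section == "tls"   && $1 == "-" && NF == 2 && $2 !~ /:$/ { tls[$2] = 1 }
    section == "rules" && $1 == "-" && $2 == "host:"         { hosts[++n] = $3 }
    END { for (i = 1; i <= n; i++) if (!(hosts[i] in tls)) print hosts[i] }
  ' "$1"
}

# On a cluster (tls.crt and tls.key are your own certificate and key):
#   kubectl create secret tls vue-tls --cert=tls.crt --key=tls.key -n vue
#   render_tls_ingress | kubectl apply -f -
#   hosts_without_tls min-ingress.yaml   # lists hosts still served without TLS
```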

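Common Ingress commands in k8s
# List the Ingresses running in a namespace
kubectl get ingress -n <namespace>

# Show the description of the Ingresses
kubectl describe ingress -n <namespace>

# Apply an Ingress configuration file
kubectl apply -f ingress.yaml

# Delete an Ingress in a namespace (min-ingress was created in the vue namespace)
kubectl delete ingress min-ingress -n vue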
