20_2. Service Exposure - Ingress (ingress-nginx)

我就是我 2022-10-07 05:45

ingress-nginx

https://github.com/kubernetes/ingress-nginx

Prepare the image

docker pull quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0

Resource manifests

Reference: https://github.com/kubernetes/ingress-nginx/blob/master/deploy/static/provider/cloud/deploy.yaml
Reference: https://hub.fastgit.org/kubernetes/ingress-nginx/blob/nginx-0.30.0/deploy/static/mandatory.yaml

https://hub.fastgit.org is an acceleration proxy for GitHub inside mainland China.

namespace.yaml

    apiVersion: v1
    kind: Namespace
    metadata:
      name: ingress-nginx
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    ---

configmap.yaml

    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: nginx-configuration
      namespace: ingress-nginx
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    ---
    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: tcp-services
      namespace: ingress-nginx
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    ---
    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: udp-services
      namespace: ingress-nginx
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    ---

deployment.yaml

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nginx-ingress-controller
      namespace: ingress-nginx
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    spec:
      replicas: 1
      selector:
        matchLabels:
          app.kubernetes.io/name: ingress-nginx
          app.kubernetes.io/part-of: ingress-nginx
      template:
        metadata:
          labels:
            app.kubernetes.io/name: ingress-nginx
            app.kubernetes.io/part-of: ingress-nginx
          annotations:
            prometheus.io/port: "10254"
            prometheus.io/scrape: "true"
        spec:
          # wait up to five minutes for the drain of connections
          terminationGracePeriodSeconds: 300
          serviceAccountName: nginx-ingress-serviceaccount
          nodeSelector:
            kubernetes.io/os: linux
          containers:
            - name: nginx-ingress-controller
              image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0
              args:
                - /nginx-ingress-controller
                - --configmap=$(POD_NAMESPACE)/nginx-configuration
                - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
                - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
                - --publish-service=$(POD_NAMESPACE)/ingress-nginx
                - --annotations-prefix=nginx.ingress.kubernetes.io
              securityContext:
                # needed so the non-root nginx process can use NET_BIND_SERVICE to bind 80/443
                allowPrivilegeEscalation: true
                capabilities:
                  drop:
                    - ALL
                  add:
                    - NET_BIND_SERVICE
                # www-data -> 101
                runAsUser: 101
              env:
                - name: POD_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.name
                - name: POD_NAMESPACE
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.namespace
              ports:
                - name: http
                  containerPort: 80
                - name: https
                  containerPort: 443
              livenessProbe:
                failureThreshold: 3
                httpGet:
                  path: /healthz
                  port: 10254
                  scheme: HTTP
                initialDelaySeconds: 10
                periodSeconds: 10
                successThreshold: 1
                timeoutSeconds: 10
              readinessProbe:
                failureThreshold: 3
                httpGet:
                  path: /healthz
                  port: 10254
                  scheme: HTTP
                periodSeconds: 10
                successThreshold: 1
                timeoutSeconds: 10
              lifecycle:
                preStop:
                  exec:
                    command:
                      - /wait-shutdown
    ---

service.yaml

    apiVersion: v1
    kind: Service
    metadata:
      name: ingress-nginx
      namespace: ingress-nginx
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    spec:
      type: NodePort
      ports:
        - name: http
          port: 80
          targetPort: 80
          protocol: TCP
          nodePort: 8480 # external HTTP entry point is port 8480
        - name: https
          port: 443
          targetPort: 443
          protocol: TCP
          nodePort: 8443 # external HTTPS entry point is port 8443
      selector:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    ---

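A NodePort Service exposes ingress-nginx on the fixed ports 8480 and 8443, which act as the single entry point for services in the cluster. Both ports lie outside the default NodePort range (30000-32767), so the kube-apiserver --service-node-port-range setting must include them.

As with Traefik, a front-end proxy server can load-balance traffic to nodeIP:8480; the Ingress rules then route application traffic to the target Services.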

rbac.yaml

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: nginx-ingress-serviceaccount
      namespace: ingress-nginx
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    ---
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRole
    metadata:
      name: nginx-ingress-clusterrole
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    rules:
      - apiGroups:
          - ""
        resources:
          - configmaps
          - endpoints
          - nodes
          - pods
          - secrets
        verbs:
          - list
          - watch
      - apiGroups:
          - ""
        resources:
          - nodes
        verbs:
          - get
      - apiGroups:
          - ""
        resources:
          - services
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - ""
        resources:
          - events
        verbs:
          - create
          - patch
      - apiGroups:
          - "extensions"
          - "networking.k8s.io"
        resources:
          - ingresses
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - "extensions"
          - "networking.k8s.io"
        resources:
          - ingresses/status
        verbs:
          - update
    ---
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: Role
    metadata:
      name: nginx-ingress-role
      namespace: ingress-nginx
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    rules:
      - apiGroups:
          - ""
        resources:
          - configmaps
          - pods
          - secrets
          - namespaces
        verbs:
          - get
      - apiGroups:
          - ""
        resources:
          - configmaps
        resourceNames:
          # Defaults to "<election-id>-<ingress-class>"
          # Here: "<ingress-controller-leader>-<nginx>"
          # This has to be adapted if you change either parameter
          # when launching the nginx-ingress-controller.
          - "ingress-controller-leader-nginx"
        verbs:
          - get
          - update
      - apiGroups:
          - ""
        resources:
          - configmaps
        verbs:
          - create
      - apiGroups:
          - ""
        resources:
          - endpoints
        verbs:
          - get
    ---
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: RoleBinding
    metadata:
      name: nginx-ingress-role-nisa-binding
      namespace: ingress-nginx
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: nginx-ingress-role
    subjects:
      - kind: ServiceAccount
        name: nginx-ingress-serviceaccount
        namespace: ingress-nginx
    ---
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRoleBinding
    metadata:
      name: nginx-ingress-clusterrole-nisa-binding
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: nginx-ingress-clusterrole
    subjects:
      - kind: ServiceAccount
        name: nginx-ingress-serviceaccount
        namespace: ingress-nginx
    ---
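
Added example (not part of the original post or of the ingress-nginx project): a small evaluator for the RBAC rules in rbac.yaml, showing what nginx-ingress-serviceaccount can read in each namespace. The rules are transcribed by hand from the manifest above (core API group only) and the function names are hypothetical. Because list and watch responses carry full object contents, the ClusterRole lets the controller read Secrets in every namespace, not only its own.

```python
# Added example: evaluate the RBAC rules from rbac.yaml on this page.
# Rules are transcribed by hand (core API group "" only); names are hypothetical.

# nginx-ingress-clusterrole: bound by a ClusterRoleBinding, so it applies everywhere.
CLUSTER_ROLE = [
    {"resources": ["configmaps", "endpoints", "nodes", "pods", "secrets"],
     "verbs": ["list", "watch"]},
    {"resources": ["nodes"], "verbs": ["get"]},
    {"resources": ["services"], "verbs": ["get", "list", "watch"]},
    {"resources": ["events"], "verbs": ["create", "patch"]},
]

# nginx-ingress-role: bound by a RoleBinding, so it applies only in this namespace.
ROLE_NAMESPACE = "ingress-nginx"
ROLE = [
    {"resources": ["configmaps", "pods", "secrets", "namespaces"], "verbs": ["get"]},
    {"resources": ["configmaps"], "verbs": ["get", "update"],
     "resourceNames": ["ingress-controller-leader-nginx"]},
    {"resources": ["configmaps"], "verbs": ["create"]},
    {"resources": ["endpoints"], "verbs": ["get"]},
]

READ_VERBS = ("get", "list", "watch")  # each of these returns object contents


def _matches(rule, verb, resource, name):
    if verb not in rule["verbs"] or resource not in rule["resources"]:
        return False
    names = rule.get("resourceNames")
    # A rule carrying resourceNames only covers those named objects.
    return names is None or name in names


def allowed(verb, resource, namespace, name=None):
    """True if nginx-ingress-serviceaccount may do `verb` on `resource` there."""
    rules = CLUSTER_ROLE + (ROLE if namespace == ROLE_NAMESPACE else [])
    return any(_matches(r, verb, resource, name) for r in rules)


def secret_exposure(namespaces):
    """Map each namespace to the verbs that return Secret contents in it."""
    return {ns: [v for v in READ_VERBS if allowed(v, "secrets", ns)]
            for ns in namespaces}


if __name__ == "__main__":
    for ns, verbs in secret_exposure(["default", "kube-system", "ingress-nginx"]).items():
        print(f"{ns}: secrets readable via {verbs}")
```

Any workload that can use this service account's token inherits the same read access, so the ingress-nginx namespace should be treated as sensitive.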

Check the deployment

    ~ kubectl get all -n ingress-nginx -o wide
    NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
    pod/nginx-ingress-controller-69c8b48fd6-wj7kk 1/1 Running 0 3m15s 172.20.102.3 172.10.10.102 <none> <none>

    NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
    service/ingress-nginx NodePort 192.168.16.78 <none> 80:8480/TCP,443:8443/TCP 3m10s app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx

    NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
    deployment.apps/nginx-ingress-controller 1/1 1 1 3m15s nginx-ingress-controller harbor.hzwod.com/k8s/nginx-ingress-controller:0.30.0 app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx

    NAME DESIRED CURRENT READY AGE CONTAINERS IMAGES SELECTOR
    replicaset.apps/nginx-ingress-controller-69c8b48fd6 1 1 1 3m15s nginx-ingress-controller harbor.hzwod.com/k8s/nginx-ingress-controller:0.30.0 app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx,pod-template-hash=69c8b48fd6

After applying the resources above with kubectl apply:

    nginx-ingress curl http://172.10.10.101:8480
    <html>
    <head><title>404 Not Found</title></head>
    <body>
    <center><h1>404 Not Found</h1></center>
    <hr><center>nginx/1.17.8</center>
    </body>
    </html>

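Seeing an nginx page? That is the ingress-nginx controller pod itself answering; it returns 404 because no Ingress rule exists yet.

Configure Ingress rules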

Target service

    nginx-ingress kubectl get all -n default -l name=whoami -o wide
    NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
    pod/whoami-644f4f96df-f7dcj 1/1 Running 0 12m 172.20.102.3 172.10.10.102 <none> <none>

    NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
    service/whoami ClusterIP 192.168.255.128 <none> 80/TCP 17m app=myapp,task=whoami

Ingress rule

whoami_ingress.yaml

    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      name: whoamiingress
      annotations:
        kubernetes.io/ingress.class: "nginx"
    spec:
      rules:
        - http:
            paths:
              - path: /bar
                backend:
                  serviceName: "whoami"
                  servicePort: 80

Test

    nginx-ingress kubectl get ingress --all-namespaces
    NAMESPACE NAME HOSTS ADDRESS PORTS AGE
    default whoamiingress * 192.168.175.255 80 12m

    nginx-ingress curl http://172.10.10.101:8480/bar
    Hostname: whoami-644f4f96df-f7dcj
    IP: 127.0.0.1
    IP: 172.20.102.3
    RemoteAddr: 172.20.102.4:45984
    GET /bar HTTP/1.1
    Host: 172.10.10.101:8480
    User-Agent: curl/7.29.0
    Accept: */*
    X-Forwarded-For: 172.10.10.101
    X-Forwarded-Host: 172.10.10.101:8480
    X-Forwarded-Port: 80
    X-Forwarded-Proto: http
    X-Real-Ip: 172.10.10.101
    X-Request-Id: 34cbd03ec296a29f6e4918bc2236906e
    X-Scheme: http

The whoami service inside the cluster is now reachable through the ingress-nginx entry proxy.
