• Kubernetes (k8s): Ingress and the ingress controller


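    1. Ingress overview

    Diagram notes: the first Service brings external traffic into the cluster. This Service can be skipped by running the controller as a DaemonSet so that its Pods share the node's network. The second Service only groups the backend Pods and is not used to dispatch traffic. If the backend Pods change, the Ingress injects the change into the configuration file of the layer-7 nginx load balancer managed by the ingress controller.

    2. Deployment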

    wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml
    kubectl apply -f mandatory.yaml
    # There used to be a default-http-backend as well; now only one pod runs
    kubectl get pods -n ingress-nginx
    NAME                                        READY   STATUS    RESTARTS   AGE
    nginx-ingress-controller-689498bc7c-sm972   1/1     Running   0          45s
    
    # nginx-ingress-controller is deployed on node1: one Deployment, one ReplicaSet, one pod.
    # Next, a service-nodeport Service must also be deployed so that traffic from outside the cluster can reach it.
    wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/baremetal/service-nodeport.yaml
    # Set nodePort by hand so that the NodePort Service does not allocate ports automatically
    cat service-nodeport.yaml 
    apiVersion: v1
    kind: Service
    metadata:
      name: ingress-nginx
      namespace: ingress-nginx
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    spec:
      type: NodePort
      ports:
        - name: http
          port: 80
          targetPort: 80
          nodePort: 30080
          protocol: TCP
        - name: https
          port: 443
          targetPort: 443
          protocol: TCP
          nodePort: 30443
      selector:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    
    kubectl apply -f service-nodeport.yaml
    kubectl get svc -n ingress-nginx
    NAME            TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
    ingress-nginx   NodePort   10.102.228.59   <none>        80:30080/TCP,443:30443/TCP   31s
    

    3. Define the backend grouping Service: myapp-svc

    cat myapp-svc-headless.yaml 
    apiVersion: v1
    kind: Service
    metadata:
      name: myapp-svc
      namespace: default
    spec:
      selector:
        app: myapp
        release: canary
      clusterIP: "None"
      ports:
      - port: 80
        targetPort: 80
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: myapp-deploy
      namespace: default
    spec:
      replicas: 2
      selector:
        matchLabels:
          app: myapp
          release: canary
      template:
        metadata:
          labels:
            app: myapp
            release: canary
        spec:
          containers:
          - name: myapp
            image: ikubernetes/myapp:v1
            ports:
            - name: http
              containerPort: 80
    # When creating pods, nodeSelector can be used to place them on specific nodes
    kubectl apply -f myapp-svc-headless.yaml
    kubectl get svc
    NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
    kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   13d
    myapp-svc    ClusterIP   None         <none>        80/TCP    29m
    
    # Publish myapp-svc through an Ingress
    cat ingress-myapp.yaml 
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: ingress-myapp
      namespace: default
      annotations:
        kubernetes.io/ingress.class: "nginx"
    spec:
      rules:
      - host: myapp.lixiang.com
        http:
          paths: 
          - path:
            backend:
              serviceName: myapp-svc
              servicePort: 80
    
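    namespace: must be the same namespace as the Deployment and the Service being published
    annotations: states that the ingress controller we use is nginx, not Traefik or Envoy
    host: requests for this domain are forwarded to the backend pods managed by myapp-deploy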
    kubectl apply -f ingress-myapp.yaml
    kubectl get ingress
    NAME            HOSTS               ADDRESS   PORTS   AGE
    ingress-myapp   myapp.lixiang.com             80      5m34s
    # Open an interactive shell in the controller pod
    kubectl exec -n ingress-nginx -it nginx-ingress-controller-689498bc7c-sm972 -- /bin/sh
    $ cat nginx.conf
    	## start server myapp.lixiang.com
    	server {
    		server_name myapp.lixiang.com ;
    		listen 80;
    		location / {
    			set $namespace      "default";
    			set $ingress_name   "ingress-myapp";
    			set $service_name   "myapp-svc";
    			set $service_port   "80";
    			set $location_path  "/";
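    # As soon as the Ingress is created, its information is injected into the nginx-ingress-controller pod.
    # My impression is that the Ingress acts like a watcher and courier, while nginx-ingress-controller does the reverse proxying.
    # Add a hosts entry for the domain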
    curl myapp.lixiang.com:30080
    Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
    

    4. Access over HTTPS

    # Self-signed certificate
    openssl genrsa -out tls.key 2048
    openssl req -new -x509 -key tls.key  -out tls.crt -subj /C=CN/ST=Beijing/O=DevOps/CN=myapp.lixiang.com
    # Inject the certificate into the pod through a Secret
    kubectl create secret tls myapp-infress-secret --cert=tls.crt --key=tls.key
    cat ingress-myapp.yaml 
    apiVersion: extensions/v1beta1 
    kind: Ingress
    metadata:
      name: ingress-myapp-tls
      namespace: default
      annotations:
        kubernetes.io/ingress.class: "nginx"
    spec:
      tls:
      - hosts:
        - myapp.lixiang.com
        secretName: myapp-infress-secret
      rules:
      - host: myapp.lixiang.com
        http:
          paths: 
          - path: /
            backend:
              serviceName: myapp-svc
              servicePort: 80
    # Enter the container and inspect the configuration file
    cat nginx.conf
    server {
    	server_name myapp.lixiang.com ;	
    	listen 80;	
    	listen 443  ssl http2;
    curl -k https://myapp.lixiang.com:30443
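
An added example (not from the original post) for the self-signed certificate step: it issues the certificate with a subjectAltName, checks that key and certificate belong together before they go into the Secret, and queries the ingress with verification on instead of `curl -k`. The directory argument, the node IP and the function names are assumptions; hostname, Secret name and nodePort are the page's.

```sh
#!/bin/sh
# Added example, not from the original post. HOST is the page's hostname;
# the directory argument and the node IP are assumptions.
HOST="myapp.lixiang.com"

# Create tls.key/tls.crt in directory $1. The certificate carries a
# subjectAltName, which current TLS clients use for hostname matching.
# -addext needs OpenSSL 1.1.1 or later.
gen_cert() {
    ( umask 077 && openssl genrsa -out "$1/tls.key" 2048 2>/dev/null ) || return 1
    openssl req -new -x509 -key "$1/tls.key" -out "$1/tls.crt" -days 365 \
        -subj "/C=CN/ST=Beijing/O=DevOps/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST" 2>/dev/null
}

# Succeed only if the public key in tls.crt belongs to tls.key.
key_matches_cert() {
    k=$(openssl pkey -in "$1/tls.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$1/tls.crt" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed only if host $2 is listed verbatim as a DNS subjectAltName
# (wildcard entries are not expanded here).
san_lists_host() {
    openssl x509 -in "$1/tls.crt" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//' | grep -Fxq "DNS:$2"
}

# Query the ingress through node $2 with verification on: trust only
# tls.crt and map HOST to the node, instead of curl -k plus a hosts entry.
# 30443 is the https nodePort set in service-nodeport.yaml.
verify_ingress() {
    curl --silent --show-error --cacert "$1/tls.crt" \
        --resolve "$HOST:30443:$2" "https://$HOST:30443/"
}

# Typical order once the checks pass (names as used on the page):
#   gen_cert . && key_matches_cert . && san_lists_host . "$HOST"
#   kubectl create secret tls myapp-infress-secret --cert=tls.crt --key=tls.key
#   verify_ingress . <node-ip>
```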
    

    Reference blog: http://blog.itpub.net/28916011/viewspace-2214747/

  • Original article: https://www.cnblogs.com/fawaikuangtu123/p/11030993.html