7. Kubernetes Ingress networking

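Kubernetes has three ways to expose a service: a LoadBalancer Service, a NodePort Service, and Ingress. The official documentation defines Ingress as a collection of rules that manage how external traffic reaches services inside the cluster. Put simply, it defines rules that allow requests entering the cluster to be forwarded to the corresponding service in the cluster, which is how the service gets exposed. Ingress can give Services in the cluster externally reachable URLs, load-balance traffic, handle SSL, provide name-based virtual hosting, and so on.

In a Kubernetes cluster, Service and Pod IPs are only reachable from inside the cluster. If an external application needs to reach a service in the cluster, requests from outside the cluster have to be forwarded by a load balancer to the NodePort that the Service exposes on the Node, and the kube-proxy component then forwards them to the relevant Pod.

A Service is exposed outside the cluster mainly in two ways: NodePort and LoadBalancer. Both have drawbacks:

  • The drawback of NodePort is that it occupies many ports on the cluster machines, and this becomes more noticeable as the number of services in the cluster grows.
  • The drawback of LoadBalancer is that every Service needs its own LB, which is wasteful and cumbersome and requires support from devices outside Kubernetes.

Given this situation, Kubernetes provides the Ingress resource object: with Ingress, a single NodePort or a single LB is enough to expose multiple Services.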

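I. Ingress-nginx

1. Components of Ingress-nginx

  • Reverse-proxy load balancer: usually runs exposed through a Service port; it receives requests and forwards them according to the rules defined in Ingress objects. Common choices are nginx, HAProxy and Traefik. We use nginx, i.e. Ingress-nginx.
  • Ingress Controller: watches the API Server and, based on the Ingress rules users write (Ingress YAML files), dynamically changes the nginx configuration and reloads it so that it takes effect. The process is automated (implemented with Lua scripts, somewhat similar to the consul-template + consul + nginx idea).
  • Ingress: a Kubernetes resource object that defines the rules for forwarding requests to Services. It abstracts the nginx configuration into an Ingress object, so each time a user adds a new service they only need to write a new Ingress YAML file.

2. How Ingress-nginx works

Recommended reading: Layer-7 scheduling and load balancing in k8s with Ingress

  1. The user writes Ingress rules that state which domain name maps to which Service in the Kubernetes cluster.
  2. The Ingress controller detects changes to the Ingress rules and generates the corresponding nginx reverse-proxy configuration.
  3. The Ingress controller writes the generated nginx configuration into a running nginx instance and updates it dynamically.
  4. At this point, what actually does the work is an nginx instance that has the user-defined forwarding rules configured internally.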
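  1. Nginx acts as a reverse proxy for the backend services (Service1, Service2); its configuration maps domain names to the Endpoints of the backend services.
  2. Clients use DNS, or entries in their local hosts file, to map the domain names to the nginx proxy server.
  3. When a client accesses service1.com, the browser sends a request containing the domain name to the nginx server. Nginx selects the Service that corresponds to that domain name (here, the Service1 backend) and then, following its load-balancing policy, picks one of the containers in Service1 to receive the client request and respond.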

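3. Official sites

nginx-based ingress controllers can be divided into two kinds by the organization that develops them:

  • Kubernetes community edition
  • nginx official edition

We choose the most mainstream and most active one, i.e. the Kubernetes community edition.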

github: https://github.com/kubernetes/ingress-nginx

Official site: https://kubernetes.github.io/ingress-nginx


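II. Installing Ingress-nginx

For installation, follow the GitHub repository and pick the version that meets your requirements.

Applies to Kubernetes v1.19+ (including v1.19).
We use v1.2.0.

Here is an excerpt from GitHub: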

Ingress-NGINX version   k8s supported version          Alpine Version   Nginx Version
v1.2.1                  1.23, 1.22, 1.21, 1.20, 1.19   3.14.6           1.19.10†
v1.2.0                  1.23, 1.22, 1.21, 1.20, 1.19   3.14.6           1.19.10†
v1.1.3                  1.23, 1.22, 1.21, 1.20, 1.19   3.14.4           1.19.10†
v1.1.2                  1.23, 1.22, 1.21, 1.20, 1.19   3.14.2           1.19.9†
v1.1.1                  1.23, 1.22, 1.21, 1.20, 1.19   3.14.2           1.19.9†
v1.1.0                  1.22, 1.21, 1.20, 1.19         3.14.2           1.19.9†
v1.0.5                  1.22, 1.21, 1.20, 1.19         3.14.2           1.19.9†
v1.0.4                  1.22, 1.21, 1.20, 1.19         3.14.2           1.19.9†

# Note: the official ingress-nginx images cannot be downloaded for network reasons, so we switch to the Aliyun mirror in China.
# You can pull the images first and install afterwards (with multiple nodes, run this on every node)
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:v1.2.0
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-webhook-certgen:v1.1.1

# Download the official yaml; this may fail because of network issues, so retry a few times
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.2.0/deploy/static/provider/cloud/deploy.yaml

# Change the image addresses
# (the trailing \(.*\) also matches the @sha256:... digest, so the rewritten image references are pinned by tag only)
sed -i 's@k8s.gcr.io/ingress-nginx/controller:v1.2.0\(.*\)@registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:v1.2.0@' deploy.yaml
sed -i 's@k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1\(.*\)$@registry.cn-hangzhou.aliyuncs.com/google_containers/kube-webhook-certgen:v1.1.1@' deploy.yaml

### More places need to be changed; for the exact locations and content, see the `complete deploy.yaml` below
# 1. kind: change it to DaemonSet and comment out replicas:, because in DaemonSet mode one pod runs on every node
# 2. Add one line: hostNetwork: true
# 3. Change LoadBalancer to NodePort
# 4. Below --validating-webhook-key add - --watch-ingress-without-class=true

kubectl apply -f deploy.yaml

# Check whether the deployment succeeded
kubectl get pods -n ingress-nginx
#--------------------------
NAME                                        READY   STATUS      RESTARTS   AGE
ingress-nginx-admission-create-dz4jt        0/1     Completed   0          18m
ingress-nginx-admission-patch-gtlgx         0/1     Completed   1          18m
ingress-nginx-controller-5d895cdfdf-7p5zb   1/1     Running     0          18m
#--------------------------

# Focus on `ingress-nginx-controller`: READY = 1/1 and STATUS = Running mean success.
# For ingress-nginx-admission-create and ingress-nginx-admission-patch, `STATUS = Completed` is enough

The complete deploy.yaml file follows; make the changes at the places marked with a # comment

apiVersion: v1
kind: Namespace
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  name: ingress-nginx
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx
  namespace: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  - secrets
  - endpoints
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resourceNames:
  - ingress-controller-leader
  resources:
  - configmaps
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - nodes
  - pods
  - secrets
  - namespaces
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx-admission
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
- kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
- kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx-admission
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: v1
data:
  allow-snippet-annotations: "true"
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  externalTrafficPolicy: Local
  ports:
  - appProtocol: http
    name: http
    port: 80
    protocol: TCP
    targetPort: http
  - appProtocol: https
    name: https
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: NodePort # changed from LoadBalancer to NodePort
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
spec:
  ports:
  - appProtocol: https
    name: https-webhook
    port: 443
    targetPort: webhook
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: ClusterIP
---
apiVersion: apps/v1
# kind: Deployment
# Change kind to `DaemonSet` so that a replica is deployed on every node.
kind: DaemonSet
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  minReadySeconds: 0
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/name: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
    spec:
      hostNetwork: true # run ingress-nginx-controller in hostNetwork mode
      containers:
      - args:
        - /nginx-ingress-controller
        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
        - --election-id=ingress-controller-leader
        - --controller-class=k8s.io/ingress-nginx
        - --ingress-class=nginx
        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
        - --watch-ingress-without-class=true # added line
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LD_PRELOAD
          value: /usr/local/lib/libmimalloc.so
        image: k8s.gcr.io/ingress-nginx/controller:v1.2.0@sha256:d8196e3bc1e72547c5dec66d6556c0ff92a23f6d0919b206be170bc90d5f9185
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
            exec:
              command:
              - /wait-shutdown
        livenessProbe:
          failureThreshold: 5
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: controller
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
        - containerPort: 443
          name: https
          protocol: TCP
        - containerPort: 8443
          name: webhook
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          requests:
            cpu: 100m
            memory: 90Mi
        securityContext:
          allowPrivilegeEscalation: true
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
          runAsUser: 101
        volumeMounts:
        - mountPath: /usr/local/certificates/
          name: webhook-cert
          readOnly: true
      dnsPolicy: ClusterFirst
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
      - name: webhook-cert
        secret:
          secretName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.2.0
      name: ingress-nginx-admission-create
    spec:
      containers:
      - args:
        - create
        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
        - --namespace=$(POD_NAMESPACE)
        - --secret-name=ingress-nginx-admission
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
        imagePullPolicy: IfNotPresent
        name: create
        securityContext:
          allowPrivilegeEscalation: false
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      serviceAccountName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.2.0
      name: ingress-nginx-admission-patch
    spec:
      containers:
      - args:
        - patch
        - --webhook-name=ingress-nginx-admission
        - --namespace=$(POD_NAMESPACE)
        - --patch-mutating=false
        - --secret-name=ingress-nginx-admission
        - --patch-failure-policy=Fail
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
        imagePullPolicy: IfNotPresent
        name: patch
        securityContext:
          allowPrivilegeEscalation: false
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      serviceAccountName: ingress-nginx-admission
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: nginx
spec:
  controller: k8s.io/ingress-nginx
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: ingress-nginx-controller-admission
      namespace: ingress-nginx
      path: /networking/v1/ingresses
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: validate.nginx.ingress.kubernetes.io
  rules:
  - apiGroups:
    - networking.k8s.io
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - ingresses
  sideEffects: None
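
The edits above (mirror images rewritten by sed, hostNetwork, DaemonSet, --watch-ingress-without-class) and the upstream defaults in this file (allow-snippet-annotations, cluster-wide read access to Secrets) decide how exposed the controller is, so the file is worth scanning before kubectl apply. The script below is an added example, not part of the original article or of the ingress-nginx project; the finding names and the embedded sample fragment are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit an edited ingress-nginx deploy.yaml before `kubectl apply`.
# Finding names are made up for this example; the scan is line-based, not a YAML parser.

# audit_manifest FILE: print one finding per line.
audit_manifest() {
  awk '
    function flush_doc(   i) {
      # With hostNetwork every containerPort listens directly on the node address.
      if (hostnet) {
        print "HOST_NETWORK"
        for (i = 1; i <= nports; i++) print "NODE_BOUND_PORT:" ports[i]
      }
      hostnet = 0; nports = 0; clusterrole = 0
    }
    {
      line = $0
      sub(/[ \t]+#.*$/, "", line)   # drop trailing comments
      sub(/^[ \t]+/, "", line)      # drop indentation
      sub(/[ \t]+$/, "", line)      # drop trailing blanks
    }
    line == "" || line ~ /^#/ { next }
    line == "---" { flush_doc(); next }
    # The controller ServiceAccount can read Secrets in every namespace.
    line == "kind: ClusterRole" { clusterrole = 1 }
    clusterrole && line == "- secrets" { print "CLUSTER_WIDE_SECRET_READ" }
    # Ingress authors may inject raw nginx configuration through annotations.
    line == "allow-snippet-annotations: \"true\"" { print "SNIPPET_ANNOTATIONS_ENABLED" }
    # Ingress objects without ingressClassName are served as well.
    line == "- --watch-ingress-without-class=true" { print "WATCH_INGRESS_WITHOUT_CLASS" }
    line == "allowPrivilegeEscalation: true" { print "ALLOW_PRIVILEGE_ESCALATION" }
    line == "hostNetwork: true" { hostnet = 1 }
    line ~ /^(- )?containerPort: [0-9]+$/ { p = line; sub(/^.*: /, "", p); ports[++nports] = p }
    # An image reference is pinned only if it ends in @sha256:<hex digest>.
    line ~ /^(- )?image: / {
      img = line; sub(/^(- )?image:[ \t]*/, "", img)
      if (img !~ /@sha256:[0-9a-f]+$/) print "IMAGE_NO_DIGEST:" img
    }
    END { flush_doc() }
  ' "$1"
}

# write_sample FILE: constructed fragment holding only the fields the tutorial edits touch,
# in the state they have after the sed rewrite (mirror registry, digest removed).
write_sample() {
  cat > "$1" <<'EOF'
kind: ClusterRole
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - list
---
data:
  allow-snippet-annotations: "true"
kind: ConfigMap
---
kind: DaemonSet
spec:
  template:
    spec:
      hostNetwork: true # added by the tutorial
      containers:
      - args:
        - /nginx-ingress-controller
        - --watch-ingress-without-class=true
        image: registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:v1.2.0
        ports:
        - containerPort: 80
        - containerPort: 443
        - containerPort: 8443
        securityContext:
          allowPrivilegeEscalation: true
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_manifest "$sample"
rm -f "$sample"
```

Run it as audit_manifest deploy.yaml on the edited file. To restore digest pinning for a mirrored image, append the digest your own pull reports, for example from docker inspect --format '{{index .RepoDigests 0}}' <image>.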

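III. Using ingress-nginx

We deploy and configure Ingress networking in the following steps:

step 1:

      Write an nginx resource manifest (containing a Deployment and a Service) and apply it

step 2:

      Check whether the nginx service was deployed successfully

step 3:

      Write the Ingress resource manifest, associate it with the Service, and apply it

step 4:

      Configure hosts on the virtual machine and test access

step 5:

      Extension: a multi-service network. Write a tomcat resource manifest and apply it.

step 6:

      Modify the Ingress manifest, apply it, and check the result.

step 1

# step 1 Write an nginx resource manifest (containing a Deployment and a Service) and apply it
vim ingress_deployment.yaml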
#--------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-demo-ig
  labels:
    app: nginx-deployment-demo-ig
spec:
  replicas: 3
  template:
    metadata:
      name: nginx-deployment-demo-ig
      labels:
        app: nginx-deployment-demo-ig
    spec:
      containers:
        - name: nginx-deployment-demo-ig
          image: nginx
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
      restartPolicy: Always
  selector:
    matchLabels:
      app: nginx-deployment-demo-ig
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service-demo-ig
spec:
  selector:
    app: nginx-deployment-demo-ig # the selector must match the Deployment's pod labels
  ports:
    - port: 80
      name: nginx-service-ig-80
      protocol: TCP
      targetPort: 80
  type: ClusterIP
#--------------------------------

kubectl apply -f ingress_deployment.yaml

step 2

# step 2 Check whether the nginx service was deployed successfully
kubectl describe service nginx-service-demo-ig
#--------------------------------

Name:              nginx-service-demo-ig
Namespace:         default
Labels:            <none>
Annotations:       <none>
Selector:          app=nginx-deployment-demo-ig
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                10.222.216.203
IPs:               10.222.216.203
Port:              nginx-service-ig-80  80/TCP
TargetPort:        80/TCP
Endpoints:         10.244.122.154:80,10.244.211.216:80,10.244.32.145:80
Session Affinity:  None
Events:            <none>
#--------------------------------

curl 10.222.216.203:80
#--------------------------------
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a >nginx.org</a>.<br/>
Commercial support is available at
<a >nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
#--------------------------------

step 3

# step 3 Write the Ingress resource manifest, associate it with the Service, and apply it
vim ingress_service_nginx.yml
#---------------------------------
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-nginx-http
spec:
  rules:
    - host: mytest.nginx.com
      http:
        paths:
          - path: "/"
            pathType: Prefix
            backend:
              service:
                name: nginx-service-demo-ig
                port:
                  number: 80
#---------------------------------
kubectl apply -f ingress_service_nginx.yml

# View the details
kubectl describe ingress ingress-nginx-http
#---------------------------------
Name:             ingress-nginx-http
Labels:           <none>
Namespace:        default
Address:          10.222.103.214
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host               Path  Backends
  ----               ----  --------
  mytest.nginx.com
                     /   nginx-service-demo-ig:80 (10.244.122.154:80,10.244.211.216:80,10.244.32.145:80)
Annotations:         <none>
Events:
  Type    Reason  Age                 From                      Message
  ----    ------  ----                ----                      -------
  Normal  Sync    29m (x3 over 125m)  nginx-ingress-controller  Scheduled for sync
  Normal  Sync    29m (x3 over 125m)  nginx-ingress-controller  Scheduled for sync
  Normal  Sync    29m (x3 over 125m)  nginx-ingress-controller  Scheduled for sync
  Normal  Sync    29m (x3 over 125m)  nginx-ingress-controller  Scheduled for sync
#---------------------------------

step 4

# step 4 Configure hosts on the virtual machine and test access
vim /etc/hosts
# Add the following entry
#----------------------
10.222.103.214 mytest.nginx.com mytest.tomcat.com
#----------------------

curl mytest.nginx.com
#----------------------
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a >nginx.org</a>.<br/>
Commercial support is available at
<a >nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
#----------------------

step 5

# step 5 Extension: a multi-service network. Write a tomcat resource manifest and apply it.
vim ingress_tomcat_deployment.yml
#----------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-tomcat-test-ig
  labels:
    app: my-tomcat-test-ig
spec:
  replicas: 3
  template:
    metadata:
      name: my-tomcat-test-ig
      labels:
        app: my-tomcat-test-ig
    spec:
      containers:
        - name: my-tomcat-test-ig
          image: tomcat:8.5.34-jre8-alpine
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8080
      restartPolicy: Always
  selector:
    matchLabels:
      app: my-tomcat-test-ig
---
apiVersion: v1
kind: Service
metadata:
  name: my-tomcat-service-ig
spec:
  selector:
    app: my-tomcat-test-ig # must match the Deployment's pod labels, otherwise the Service has no endpoints
  ports:
    - port: 8080
      name: http
      targetPort: 8080
  type: ClusterIP
#----------------------------------------

kubectl apply -f ingress_tomcat_deployment.yml

step 6

# step 6 Modify the Ingress manifest, apply it, and check the result
vim ingress_service_nginx.yml
# Change it as follows
#------------------------------
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-nginx-http
spec:
  rules:
    - host: mytest.nginx.com
      http:
        paths:
          - path: "/"
            pathType: Prefix
            backend:
              service:
                name: nginx-service-demo-ig
                port:
                  number: 80
    - host: mytest.tomcat.com
      http:
        paths:
          - path: "/"
            pathType: Prefix
            backend:
              service:
                name: my-tomcat-service-ig
                port:
                  number: 8080
#------------------------------

kubectl apply -f ingress_service_nginx.yml

# View the details
kubectl describe ingress ingress-nginx-http
#----------------------------

Name:             ingress-nginx-http
Labels:           <none>
Namespace:        default
Address:          10.222.103.214
Rules:
  Host               Path  Backends
  ----               ----  --------
  mytest.nginx.com
                     /   nginx-service-demo-ig:80 (10.244.122.154:80,10.244.211.216:80,10.244.32.145:80)
  mytest.tomcat.com
                     /   my-tomcat-service-ig:8080 (10.244.122.156:8080,10.244.211.219:8080,10.244.32.147:8080)
Annotations:         <none>
Events:
  Type    Reason  Age                 From                      Message
  ----    ------  ----                ----                      -------
  Normal  Sync    29m (x3 over 125m)  nginx-ingress-controller  Scheduled for sync
  Normal  Sync    29m (x3 over 125m)  nginx-ingress-controller  Scheduled for sync
  Normal  Sync    29m (x3 over 125m)  nginx-ingress-controller  Scheduled for sync
  Normal  Sync    29m (x3 over 125m)  nginx-ingress-controller  Scheduled for sync
#----------------------------

# Test access
curl mytest.nginx.com 
curl mytest.tomcat.com

Appendix

References

Layer-7 scheduling and load balancing in k8s with Ingress

Kubernetes (k8s) Ingress internals
