I. Installing Ingress
1. Deploying Ingress-Nginx from a manifest file
Official documentation:
https://kubernetes.github.io/ingress-nginx/deploy/#bare-metal-clusters
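When deploying ingress-nginx in a Kubernetes cluster, the official recommendation is to listen on ports 80 and 443. Port 80 is used for HTTP and port 443 for HTTPS; these are the standard ports for web services and match how the Internet is normally accessed. Clients can then reach the application directly at http://yourdomain.com without specifying a port number, as in http://yourdomain.com:8080. However, the port range that Kubernetes reserves for Services with NodePort visibility defaults to 30000-32767, so to use ports 80 and 443 here the api-server configuration must be changed as follows:
- Change the default kube-apiserver port range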
vim /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 172.16.192.31:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=172.16.192.31
    ...
    - --service-node-port-range=1-65535
- Modify the manifest
~/k8s-cluster-repo# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/cloud/deploy.yaml
~/k8s-cluster-repo# cp deploy.yaml ingress-nginx.yaml
~/k8s-cluster-repo# diff deploy.yaml ingress-nginx.yaml
347c347,348
< externalTrafficPolicy: Local
---
> # externalTrafficPolicy: Local
> externalTrafficPolicy: Cluster # 修改Local为Cluster;流量可以转发到其他节点上的Pod
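Review bot: changing externalTrafficPolicy from Local to Cluster on the controller Service costs you the client source address: traffic that lands on a node without a controller pod is forwarded to another node with source NAT, so the controller sees a node address. Anything keyed on client IP at the Ingress (allow-lists, rate limits, access logs used in an investigation) stops being reliable. If that matters, keep Local and run the controller on every node that receives traffic, and record the trade-off in the comment next to the new value.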
356a358
> nodePort: 80 # 添加nodePort,指定监听80端口
361a364
> nodePort: 443 # 添加nodePort,指定监听443端口
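Review bot: nodePort: 443 here and nodePort: 80 in the previous hunk are only accepted because kube-apiserver now runs with --service-node-port-range=1-65535, and that flag applies to the whole cluster: any Service of type NodePort can now claim any port on every node, including ports that host daemons listen on. Consider leaving the default range in place and exposing the controller on 80/443 through the host network or hostPort as the bare-metal documentation describes, or at least restrict who may create NodePort Services and note the dependency on the widened range beside these two lines.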
366c369,370
< type: LoadBalancer
---
> # type: LoadBalancer
> type: NodePort # 修改Service类型为NodePort
445c449,450
< image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
---
> # image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
> image: registry.cn-beijing.aliyuncs.com/dengyouf/ingress-nginx:controller-v1.12.0 # 替换镜像
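Review bot: the replacement image on the ">" line is referenced by tag only, while the upstream line it replaces was pinned with an @sha256 digest. Without the digest, the cluster runs whatever the mirror's controller-v1.12.0 tag points to at pull time, and nothing ties it to the image the project published. Keep the mirror if it is needed for reachability, but append the digest to the mirrored reference after confirming it equals the upstream one; the same applies to the two kube-webhook-certgen hunks below.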
547c552,553
< image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
---
> # image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
> image: registry.cn-beijing.aliyuncs.com/dengyouf/ingress-nginx:kube-webhook-certgen-v1.5.0 # 替换镜像
601c607,608
< image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
---
> # image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
> image: registry.cn-beijing.aliyuncs.com/dengyouf/ingress-nginx:kube-webhook-certgen-v1.5.0 # 替换镜像
~/k8s-cluster-repo# kubectl apply -f ingress-nginx.yaml
~/k8s-cluster-repo# kubectl get pod -n ingress-nginx -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
ingress-nginx-admission-create-w88gz 0/1 Completed 0 6m2s 10.233.84.3 worker01 <none> <none>
ingress-nginx-admission-patch-bjp6m 0/1 Completed 0 6m2s 10.233.108.2 worker02 <none> <none>
ingress-nginx-controller-54b59c54-xzbms 1/1 Running 0 6m2s 10.233.108.3 worker02 <none> <none>
~/k8s-cluster-repo# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.233.50.40 <none> 80:80/TCP,443:443/TCP 6m15s
ingress-nginx-controller-admission ClusterIP 10.233.26.25 <none> 443/TCP 6m15s
II. Using Ingress
2.1 Exposing a backend service
- Create the first Deployment
echo "---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demoapp-deploy-v10
  labels:
    app: demoapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demoapp
      version: v1.0
  strategy: {}
  template:
    metadata:
      labels:
        app: demoapp
        version: v1.0
    spec:
      containers:
      - name: demoapp-v10
        image: ikubernetes/demoapp:v1.0" | tee demoapp-deploy-v10.yaml | kubectl apply -f -
- Create the Service demoapp-v10
echo "---
apiVersion: v1
kind: Service
metadata:
  name: demoapp-v10-svc
  labels:
    app: demoapp
spec:
  type: ClusterIP
  ports:
  - name: http-80
    port: 80
    targetPort: 80
  selector:
    app: demoapp
    version: v1.0" | tee demoapp-v10-svc.yaml | kubectl apply -f -
- Create the Ingress rule
~# kubectl get svc/demoapp-v10-svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
demoapp-v10-svc ClusterIP 10.233.20.86 <none> 80/TCP 25s
echo "---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demoapp-v10-ingress
spec:
  rules:
  - host: demoapp-v10.linux.io
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: demoapp-v10-svc
            port:
              number: 80
  ingressClassName: nginx" | tee demoapp-v10-ingress.yaml | kubectl apply -f -
- Verify
~ curl -H 'Host: demoapp-v10.linux.io' 192.168.122.21
iKubernetes demoapp v1.0 !! ClientIP: 10.233.108.3, ServerName: demoapp-deploy-v10-65c669c5f4-r2c4f, ServerIP: 10.233.84.4!
2.2 URL rewriting
- Create the second Deployment
echo "---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demoapp-deploy-v11
  labels:
    app: demoapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demoapp
      version: v1.1
  strategy: {}
  template:
    metadata:
      labels:
        app: demoapp
        version: v1.1
    spec:
      containers:
      - name: demoapp-v11
        image: ikubernetes/demoapp:v1.1" | tee demoapp-deploy-v11.yaml | kubectl apply -f -
echo "---
apiVersion: v1
kind: Service
metadata:
  name: demoapp-v11-svc
  labels:
    app: demoapp
spec:
  type: ClusterIP
  ports:
  - name: http-80
    port: 80
    targetPort: 80
  selector:
    app: demoapp
    version: v1.1" | tee demoapp-v11-svc.yaml | kubectl apply -f -
~# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
demoapp-v10-svc ClusterIP 10.233.20.86 <none> 80/TCP 3m5s
demoapp-v11-svc ClusterIP 10.233.55.35 <none> 80/TCP 8s
- URL rewrite rule
echo '---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demoapp-ingress
  annotations:
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
  rules:
  - host: demoapp.linux.io
    http:
      paths:
      - path: /v10(/|$)(.*)
        pathType: ImplementationSpecific
        backend:
          service:
            name: demoapp-v10-svc
            port:
              number: 80
      - path: /v11(/|$)(.*)
        pathType: ImplementationSpecific
        backend:
          service:
            name: demoapp-v11-svc
            port:
              number: 80
  ingressClassName: nginx
' | tee demoapp-ingress.yaml | kubectl apply -f -
- Verify
~# curl -H 'Host: demoapp.linux.io' 192.168.122.22/v10
iKubernetes demoapp v1.0 !! ClientIP: 10.233.108.3, ServerName: demoapp-deploy-v10-65c669c5f4-r2c4f, ServerIP: 10.233.84.4!
~# curl -H 'Host: demoapp.linux.io' 192.168.122.22/v11
iKubernetes demoapp v1.1 !! ClientIP: 10.233.108.3, ServerName: demoapp-deploy-v11-579c9d54c-zhtsg, ServerIP: 10.233.108.4!
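How the two regex paths and rewrite-target: /$2 above decide which Service a request reaches and which URI that Service receives, as an added example that is not part of the original page. The function names and the sample paths are constructed for illustration; the patterns and Service names are the page's.

```shell
#!/bin/sh
# Added example: models how the two regex paths in demoapp-ingress map a
# request path to a backend Service and to the URI that backend receives.
# rewrite_path and rewrite_demo are names made up for this example.

# With use-regex "true" the controller emits case-insensitive regex
# locations (nginx "~*"); that is written out as [vV] so POSIX sed works.
rewrite_path() {  # $1 = request path
  for ver in 10 11; do
    # Same pattern as the Ingress path; \2 plays the role of $2 in
    # rewrite-target: /$2 (everything after the version prefix).
    uri=$(printf '%s\n' "$1" | sed -nE "s#^/[vV]${ver}(/|\$)(.*)#/\2#p")
    if [ -n "$uri" ]; then
      printf 'demoapp-v%s-svc %s\n' "$ver" "$uri"
      return 0
    fi
  done
  echo "no-match"   # neither Ingress path applies to this request
  return 1
}

# Constructed sample paths: bare prefix, sub-path, upper-case prefix,
# and two near misses that must not reach either backend.
rewrite_demo() {
  for p in /v10 /v10/hostname /V11/livez /v100 /v1; do
    printf '%-15s -> %s\n' "$p" "$(rewrite_path "$p")"
  done
}
```

Calling rewrite_demo prints the mapping for each sample path; the upper-case /V11 row shows that any path-based control placed in front of this Ingress has to compare case-insensitively as well.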
2.3 HTTPS
- Create the certificate
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=http-svc.linux.io/O=http-svc.linux.io"
kubectl create secret tls tls-secret --key tls.key --cert tls.crt
- Deploy the service
echo "apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-svc
spec:
  replicas: 1
  selector:
    matchLabels:
      app: http-svc
  template:
    metadata:
      labels:
        app: http-svc
    spec:
      containers:
      - name: http-svc
        image: dengyouf/echoserver:2.3
        ports:
        - containerPort: 8080
        env:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
---
apiVersion: v1
kind: Service
metadata:
  name: http-svc
  labels:
    app: http-svc
spec:
  ports:
  - port: 80
    targetPort: 8080
    protocol: TCP
    name: http
  selector:
    app: http-svc
" | tee http-svc.yaml | kubectl apply -f -
- Create the Ingress rule
echo "
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: http-svc-tls-ingress
spec:
  tls:
  - hosts:
    - http-svc.linux.io
    # This assumes tls-secret exists and the SSL
    # certificate contains a CN for http-svc.linux.io
    secretName: tls-secret
  ingressClassName: nginx
  rules:
  - host: http-svc.linux.io
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          # This assumes http-svc exists and routes to healthy endpoints
          service:
            name: http-svc
            port:
              number: 80
" | tee http-svc-tls-ingress.yaml | kubectl apply -f -
- Verify
~]# curl -H 'Host: http-svc.linux.io' -k https://192.168.122.21
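The certificate above names the host only in the CN, and curl sends no SNI when the URL is an IP address, so a -k check against https://192.168.122.21 can succeed on the controller's default certificate without tls-secret ever being served. The following added example (not from the original page; the function names are assumptions, the host name and node IP are the page's) issues the certificate with a subjectAltName and checks the Ingress with certificate validation switched on.

```shell
#!/bin/sh
# Added example. HOST and NODE_IP are the values used on the page; the
# function names are made up for this example. Needs OpenSSL >= 1.1.1.
HOST=http-svc.linux.io
NODE_IP=192.168.122.21

# Issue the self-signed certificate with the host name as a DNS
# subjectAltName, which clients that ignore the CN field require.
make_cert() {  # $1 = output directory
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$1/tls.key" -out "$1/tls.crt" \
    -subj "/CN=$HOST/O=$HOST" \
    -addext "subjectAltName=DNS:$HOST" 2>/dev/null &&
  chmod 600 "$1/tls.key"   # private key readable by its owner only
}

# Succeeds only if the certificate is valid for the given host name.
cert_matches_host() {  # $1 = certificate file, $2 = host name
  openssl x509 -in "$1" -noout -checkhost "$2" |
    grep -q 'does match certificate'
}

# Succeeds only if the certificate carries a DNS subjectAltName for the host.
cert_has_san() {  # $1 = certificate file, $2 = host name
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    grep -q "DNS:$2"
}

# Check the Ingress without -k. --resolve keeps the host name in the URL,
# so curl sends it as SNI and validates it against the certificate;
# --cacert trusts only the self-signed certificate created above.
verify_ingress() {  # $1 = certificate file
  curl --silent --show-error --cacert "$1" \
    --resolve "$HOST:443:$NODE_IP" "https://$HOST/"
}

# Typical order (run by hand against the cluster):
#   make_cert . && cert_has_san tls.crt "$HOST"
#   kubectl create secret tls tls-secret --key tls.key --cert tls.crt
#   verify_ingress tls.crt
```

If verify_ingress fails with a certificate error, the controller is not serving tls-secret for this host, which the -k form of the check cannot reveal.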