标签:国内 进入 合规 vat max head 虚拟主机 组成 镜像
目录
通常情况下,service和pod的IP仅可在集群内部访问。集群外部的请求需要通过负载均衡转发到service在Node上暴露的NodePort上,然后再由kube-proxy将其转发给相关的Pod。
NodePort 方式暴露服务面临问题是,服务一旦多起来,NodePort 在每个节点上开启的端口会及其庞大,而且难以维护;这时,我们可以能否使用一个Nginx直接对内进行转发呢?众所周知的是,Pod与Pod之间是可以互相通信的,而Pod是可以共享宿主机的网络名称空间的,也就是说当在共享网络名称空间时,Pod上所监听的就是Node上的端口。那么这又该如何实现呢?简单的实现就是使用 DaemonSet 在每个 Node 上监听 80,然后写好规则,因为 Nginx 外面绑定了宿主机 80 端口(就像 NodePort),本身又在集群内,那么向后直接转发到相应 Service IP就行了。
但是新的问题出现:当每次有新服务加入时怎么办。此时 Ingress 出现了,如果不算上面的Nginx,Ingress 包含两大组件:Ingress Controller 和 Ingress。
Ingress就是为进入集群的请求提供路由规则的集合,如下图所示
Ingress可以给service提供集群外部访问的URL、负载均衡、SSL终止、HTTP路由等。为了配置这些Ingress规则,集群管理员需要部署一个Ingress controller,它监听Ingress和service的变化,并根据规则配置负载均衡并提供访问入口。
Ingress也是Kubernetes API的标准资源类型之一,它其实就是一组基于DNS名称(host)或URL路径把请求转发到指定的Service资源的规则。用于将集群外部的请求流量转发到集群内部完成的服务发布。我们需要明白的是,Ingress资源自身不能进行“流量穿透”,仅仅是一组规则的集合,这些集合规则还需要其他功能的辅助,比如监听某套接字,然后根据这些规则的匹配进行路由转发,这些能够为Ingress资源监听套接字并将流量转发的组件就是Ingress Controller。
Ingress 控制器不同于Deployment 控制器的是,Ingress控制器不直接运行为kube-controller-manager的一部分,它仅仅是Kubernetes集群的一个附件,类似于CoreDNS,需要在集群上单独部署。
创建Ingress资源
Ingress资源时基于HTTP虚拟主机或URL的转发规则,需要强调的是,这是一条转发规则。它在资源配置清单中的spec字段中嵌套了rules、backend和tls等字段进行定义。如下示例中定义了一个Ingress资源,其包含了一个转发规则:将发往myapp.magedu.com的请求,代理给一个名字为myapp的Service资源。
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-myapp
namespace: default
annotations:
kubernetes.io/ingress.class: "nginx"
spec:
rules:
- host: myapp.magedu.com
http:
paths:
- path:
backend:
serviceName: myapp
servicePort: 80
Ingress 中的spec字段是Ingress资源的核心组成部分,主要包含以下3个字段:
backend对象的定义由2个必要的字段组成:serviceName和servicePort,分别用于指定流量转发的后端目标Service资源名称和端口。
rules对象由一系列的配置的Ingress资源的host规则组成,这些host规则用于将一个主机上的某个URL映射到相关后端Service对象,其定义格式如下:
spec:
rules:
- hosts: <string>
http:
paths:
- path:
backend:
serviceName: <string>
servicePort: <string>
需要注意的是,.spec.rules.host属性值,目前暂不支持使用IP地址定义,也不支持IP:Port的格式,该字段留空,代表着通配所有主机名。
tls对象由2个内嵌的字段组成,仅在定义TLS主机的转发规则上使用。
Ingress的资源类型有以下4种:
暴露单个服务的方法有多种,如NodePort、LoadBanlancer等等,当然也可以使用Ingress来进行暴露单个服务,只需要为Ingress指定default backend即可,如下示例:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: my-ingress
spec:
backend:
serviceName: my-svc
servicePort: 80
Ingress控制器会为其分配一个IP地址接入请求流量,并将其转发至后端my-svc
使用Ingress功能步骤:
1、安装部署ingress controller Pod
2、部署后端服务
3、部署ingress-nginx service
4、部署ingress
Ingress 也是标准的 K8S 资源,其定义的方式,也可以使用 explain 进行查看:
[root@master ~]# kubectl explain ingress
KIND: Ingress
VERSION: extensions/v1beta1
DESCRIPTION:
Ingress is a collection of rules that allow inbound connections to reach
the endpoints defined by a backend. An Ingress can be configured to give
services externally-reachable urls, load balance traffic, terminate SSL,
offer name based virtual hosting etc.
FIELDS:
apiVersion <string>
APIVersion defines the versioned schema of this representation of an
object. Servers should convert recognized schemas to the latest internal
value, and may reject unrecognized values. More info:
https://git.k8s.io/community/contributors/devel/api-conventions.md#resources
kind <string>
Kind is a string value representing the REST resource this object
represents. Servers may infer this from the endpoint the client submits
requests to. Cannot be updated. In CamelCase. More info:
https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
metadata <Object>
Standard object's metadata. More info:
https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
spec <Object>
Spec is the desired state of the Ingress. More info:
https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
status <Object>
Status is the current state of the Ingress. More info:
https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
此处使用ingress-nginx 0.17.1版本,未使用最新的master
下载ingress相关yaml
[root@master manifests]# mkdir ingress-nginx
[root@master manifests]# cd ingress-nginx
[root@master manifests]# for file in namespace.yaml configmap.yaml rbac.yaml tcp-services-configmap.yaml with-rbac.yaml udp-services-configmap.yaml default-backend.yaml;do wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.17.1/deploy/$file;done
[root@master ingress-nginx]# ll
总用量 476
[root@master ingress-nginx]# ll
总用量 28
-rw-r--r-- 1 root root 134 4月 1 17:19 configmap.yaml #configmap用于为nginx从外部注入配置的
-rw-r--r-- 1 root root 1216 4月 1 17:20 default-backend.yaml #配置默认后端服务
-rw-r--r-- 1 root root 68 4月 1 17:19 namespace.yaml #创建独立的名称空间
-rw-r--r-- 1 root root 2390 4月 1 17:19 rbac.yaml #rbac用于集群角色授权
-rw-r--r-- 1 root root 94 4月 1 17:19 tcp-services-configmap.yaml
-rw-r--r-- 1 root root 94 4月 1 17:20 udp-services-configmap.yaml
-rw-r--r-- 1 root root 2174 4月 1 17:20 with-rbac.yaml
创建ingress-nginx名称空间
[root@master ingress-nginx]# cat namespace.yaml
---
apiVersion: v1
kind: Namespace
metadata:
name: ingress-nginx
[root@master ingress-nginx]# kubectl apply -f namespace.yaml
namespace/ingress-nginx created
创建ingress controller的pod
#由于国内网络防火墙问题导致无法正常拉取k8s.grc.io仓库中拉取所需镜像文件,需要修改配置文件,修改镜像地址
[root@master ingress-nginx]# vim default-backend.yaml
#image: gcr.io/google_containers/defaultbackend:1.4
image: xiaobai20201/defaultbackend-amd64:1.5
[root@master ingress-nginx]# kubectl apply -f .
configmap/nginx-configuration created
deployment.extensions/default-http-backend created
service/default-http-backend created
namespace/ingress-nginx unchanged
serviceaccount/nginx-ingress-serviceaccount created
clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole created
role.rbac.authorization.k8s.io/nginx-ingress-role created
rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding created
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding created
configmap/tcp-services created
configmap/udp-services created
deployment.extensions/nginx-ingress-controller created
查看结果
[root@master ingress-nginx]# kubectl get pod -n ingress-nginx
NAME READY STATUS RESTARTS AGE
default-http-backend-788bdcf46f-7b5ds 1/1 Running 0 24s
nginx-ingress-controller-7db86988c8-jmv72 1/1 Running 0 3m50s
查看配置清单:
[root@master ~]# kubectl explain ingress.spec.
KIND: Ingress
VERSION: extensions/v1beta1
RESOURCE: spec <Object>
DESCRIPTION:
Spec is the desired state of the Ingress. More info:
https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status
IngressSpec describes the Ingress the user wishes to exist.
FIELDS:
backend <Object> #定义后端主机
rules <[]Object> #定义规则
tls <[]Object>
部署:
[root@master ingress-nginx]# cd ../ && mkdir ingress && cd ingress
[root@master ingress]# vim deploy-demo.yaml
apiVersion: v1
kind: Service
metadata:
name: myapp
namespace: default
spec:
selector:
app: myapp
release: canary
ports:
- name: http
targetPort: 80
port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp-backend-pod
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: myapp
release: canary
template:
metadata:
labels:
app: myapp
release: canary
spec:
containers:
- name: myapp
image: ikubernetes/myapp:v2
ports:
- name: http
containerPort: 80
查看部署结果
[root@master ingress]# kubectl get pods,svc
NAME READY STATUS RESTARTS AGE
pod/filebeat-ds-h8rwk 1/1 Running 0 18h
pod/filebeat-ds-kzhxw 1/1 Running 0 18h
pod/myapp-backend-pod-6b56d98b6b-2dh5h 1/1 Running 0 78s
pod/myapp-backend-pod-6b56d98b6b-hwzws 1/1 Running 0 78s
pod/myapp-backend-pod-6b56d98b6b-ztwn2 1/1 Running 0 78s
pod/readiness-httpget-pod 1/1 Running 0 3d16h
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 5d16h
service/myapp ClusterIP 10.100.41.152 <none> 80/TCP 7m47s
service/myapp-headless ClusterIP None <none> 80/TCP 16h
通过ingress-controller对外提供服务,现在还需要手动给ingress-controller建立一个service,接收集群外部流量。
下载ingress-controller的yaml文件
[root@master ingress]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.17.1/deploy/provider/baremetal/service-nodeport.yaml
[root@master ingress]# vim service-nodeport.yaml
apiVersion: v1
kind: Service
metadata:
name: ingress-nginx
namespace: ingress-nginx
spec:
type: NodePort
ports:
- name: http
port: 80
targetPort: 80
protocol: TCP
nodePort: 31111 #默认是随机端口,此处指定
- name: https
port: 443
targetPort: 443
protocol: TCP
nodePort: 31443 #默认是随机端口,此处指定
selector:
app: ingress-nginx
查看部署结果
[root@master ingress]# kubectl apply -f service-nodeport.yaml
service/ingress-nginx created
[root@master ingress]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default-http-backend ClusterIP 10.98.233.231 <none> 80/TCP 33m
ingress-nginx NodePort 10.103.142.142 <none> 80:31111/TCP,443:31443/TCP 8s
此时尝试访问10.0.0.10:31111 应该是404,因为调度器工作正常,但是后端服务还没有关联
编写清单
[root@master ingress]# vim ingress-myapp.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: myapp-ingress #ingress的名称
namespace: default #所属名称空间
annotations: #注解信息
kubernetes.io/ingress.class: "nginx"
spec:
rules: #定义后端转发的规则
- host: myapp.white.com #通过域名进行转发
http:
paths:
- path: #配置访问路径,如果通过url进行转发,需要修改;空默认为访问的路径为根"/"
backend: #配置后端服务
serviceName: myapp
servicePort: 80
创建后查看结果:
[root@master ingress]# kubectl apply -f ingress-myapp.yaml
ingress.extensions/myapp-ingress created
[root@master ingress]# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
myapp-ingress myapp.white.com 80 12s
查看myapp-ingress的详细信息
[root@master ingress]# kubectl describe ingress myapp-ingress
Name: myapp-ingress
Namespace: default
Address:
Default backend: default-http-backend:80 (<none>)
Rules:
Host Path Backends
---- ---- --------
myapp.white.com
myapp:80 (<none>)
Annotations:
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx"},"name":"myapp-ingress","namespace":"default"},"spec":{"rules":[{"host":"myapp.white.com","http":{"paths":[{"backend":{"serviceName":"myapp","servicePort":80},"path":null}]}}]}}
kubernetes.io/ingress.class: nginx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 62s nginx-ingress-controller Ingress default/myapp-ingress
[root@master ingress]#
进入nginx-ingress-controller进行查看是否注入了nginx的配置
[root@master ingress]# kubectl get pods -n ingress-nginx
NAME READY STATUS RESTARTS AGE
default-http-backend-788bdcf46f-7b5ds 1/1 Running 0 41m
nginx-ingress-controller-7db86988c8-jmv72 1/1 Running 0 45m
[root@master ingress]# kubectl exec -it nginx-ingress-controller-7db86988c8-jmv72 -n ingress-nginx -- /bin/sh
$ cat nginx.conf
......
upstream default-myapp-80 { #自动配置负载均衡到后端pod
least_conn;
keepalive 32;
server 10.244.1.44:80 max_fails=0 fail_timeout=0;
server 10.244.2.49:80 max_fails=0 fail_timeout=0;
server 10.244.2.48:80 max_fails=0 fail_timeout=0;
}
......
## start server myapp.white.com
server {
server_name myapp.white.com ;
listen 80;
listen [::]:80;
set $proxy_upstream_name "-";
location / {
set $namespace "default";
set $ingress_name "myapp-ingress";
set $service_name "myapp";
set $service_port "80";
set $location_path "/";
rewrite_by_lua_block {
}
...
修改本地host文件 访问
10.0.0.10 master myapp.white.com
10.0.0.11 node01 myapp.white.com
10.0.0.12 node02 myapp.white.com
编写清单
[root@master ingress]# vim tomcat-deploy.yaml
apiVersion: v1
kind: Service
metadata:
name: tomcat
namespace: default
spec:
selector:
app: tomcat
release: canary
ports:
- name: http
targetPort: 8080
port: 8080
- name: ajp
targetPort: 8009
port: 8009
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: tomcat-deploy
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: tomcat
release: canary
template:
metadata:
labels:
app: tomcat
release: canary
spec:
containers:
- name: tomcat
image: tomcat:8.5-alpine
ports:
- name: http
containerPort: 8080
- name: ajp
containerPort: 8009
编写tomcat的ingress规则,并创建ingress资源
[root@master ingress]# vim ingress-tomcat.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: tomcat-ingress
namespace: default
annotations:
kubernetes.io/ingress.class: "nginx"
spec:
rules:
- host: tomcat.white.com
http:
paths:
- path:
backend:
serviceName: tomcat
servicePort: 8080
执行
[root@master ingress]# kubectl apply -f tomcat-deploy.yaml
[root@master ingress]# kubectl get pods
NAME READY STATUS RESTARTS AGE
filebeat-ds-h8rwk 1/1 Running 0 19h
filebeat-ds-kzhxw 1/1 Running 0 19h
myapp-backend-pod-6b56d98b6b-2dh5h 1/1 Running 0 62m
myapp-backend-pod-6b56d98b6b-hwzws 1/1 Running 0 62m
myapp-backend-pod-6b56d98b6b-ztwn2 1/1 Running 0 62m
readiness-httpget-pod 1/1 Running 0 3d17h
tomcat-deploy-5f554cd88d-7gzc7 1/1 Running 0 44s
tomcat-deploy-5f554cd88d-c42t6 1/1 Running 0 44s
tomcat-deploy-5f554cd88d-qhc4j 1/1 Running 0 44s
[root@master ingress]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 5d17h
myapp ClusterIP 10.100.41.152 <none> 80/TCP 70m
myapp-headless ClusterIP None <none> 80/TCP 17h
tomcat ClusterIP 10.107.88.118 <none> 8080/TCP,8009/TCP 3m4s
查看tomcat-deploy是否监听8080和8009
[root@master ingress]# kubectl exec -it tomcat-deploy-5f554cd88d-7gzc7 -- netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
创建ingress资源
[root@master ingress]# kubectl apply -f ingress-tomcat.yaml
ingress.extensions/tomcat-ingress created
[root@master ingress]# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
myapp-ingress myapp.white.com 80 45m
tomcat-ingress tomcat.white.com 80 5s
查看tomcat-ingress详细信息
[root@master ingress]# kubectl describe ingress tomcat-ingress
Name: tomcat-ingress
Namespace: default
Address:
Default backend: default-http-backend:80 (<none>)
Rules:
Host Path Backends
---- ---- --------
tomcat.white.com
tomcat:8080 (<none>)
Annotations:
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx"},"name":"tomcat-ingress","namespace":"default"},"spec":{"rules":[{"host":"tomcat.white.com","http":{"paths":[{"backend":{"serviceName":"tomcat","servicePort":8080},"path":null}]}}]}}
kubernetes.io/ingress.class: nginx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 71s nginx-ingress-controller Ingress default/tomcat-ingress
修改本地host文件映射后测试访问
10.0.0.10 master myapp.white.com tomcat.white.com
10.0.0.11 node01 myapp.white.com tomcat.white.com
10.0.0.12 node02 myapp.white.com tomcat.white.com
从前面的部署过程中,可以再次进行总结部署的流程如下:
准备证书
[root@master ingress]# openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
......+++
.....................................................+++
e is 65537 (0x10001)
[root@master ingress]# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Guangdong/L=Zhongshan/O=DevOps/CN=tomcat.white.com
[root@master ingress]# ls
deploy-demo.yaml ingress-tomcat.yaml tls.crt tomcat-deploy.yaml
ingress-myapp.yaml service-nodeport.yaml tls.key
此时生成的证书不能直接被nginx的pod调用,需要转换成secret(领一个标准的kubernetes对象)
生成secret
[root@master ingress]# kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key
secret/tomcat-ingress-secret created
[root@master ingress]# kubectl get secret
NAME TYPE DATA AGE
default-token-dqd2f kubernetes.io/service-account-token 3 5d18h
tomcat-ingress-secret kubernetes.io/tls 2 11s
[root@master ingress]# kubectl describe secret tomcat-ingress-secret
Name: tomcat-ingress-secret
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/tls
Data
====
tls.crt: 1302 bytes
tls.key: 1679 bytes
创建ingress
[root@master ingress]# vim ingress-tomcat-tls.yaml
[root@master ~]# kubectl explain ingress.spec.tls.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: tomcat-ingress-tls
namespace: default
annotations:
kubernetes.io/ingress.class: "nginx"
spec:
tls:
- hosts:
- tomcat.white.com
secretName: tomcat-ingress-secret
rules:
- host: tomcat.white.com
http:
paths:
- path:
backend:
serviceName: tomcat
servicePort: 8080
[root@master ingress]# kubectl apply -f ingress-tomcat-tls.yaml
ingress.extensions/tomcat-ingress-tls created
[root@master ingress]# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
myapp-ingress myapp.white.com 80 61m
tomcat-ingress tomcat.white.com 80 16m
tomcat-ingress-tls tomcat.white.com 80, 443 25s
#查看描述
[root@master ingress]# kubectl describe ingress tomcat-ingress-tls
Name: tomcat-ingress-tls
Namespace: default
Address:
Default backend: default-http-backend:80 (<none>)
TLS:
tomcat-ingress-secret terminates tomcat.white.com
Rules:
Host Path Backends
---- ---- --------
tomcat.white.com
tomcat:8080 (<none>)
Annotations:
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx"},"name":"tomcat-ingress-tls","namespace":"default"},"spec":{"rules":[{"host":"tomcat.white.com","http":{"paths":[{"backend":{"serviceName":"tomcat","servicePort":8080},"path":null}]}}],"tls":[{"hosts":["tomcat.white.com"],"secretName":"tomcat-ingress-secret"}]}}
kubernetes.io/ingress.class: nginx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 107s nginx-ingress-controller Ingress default/tomcat-ingress-tls
进入pod内查看
[root@master ingress]# kubectl exec -it nginx-ingress-controller-7db86988c8-jmv72 -n ingress-nginx -- /bin/sh
$ cat nginx.conf
······
upstream default-tomcat-8080 {
least_conn;
keepalive 32;
server 10.244.1.45:8080 max_fails=0 fail_timeout=0;
server 10.244.2.51:8080 max_fails=0 fail_timeout=0;
server 10.244.2.50:8080 max_fails=0 fail_timeout=0;
}
······
## start server _
server {
server_name _ ;
listen 80 default_server backlog=511;
listen [::]:80 default_server backlog=511;
set $proxy_upstream_name "-";
listen 443 default_server backlog=511 ssl http2;
listen [::]:443 default_server backlog=511 ssl http2;
# PEM sha: 07ee66d47cf4e5ef25baa6f91d62296e05243cfe
ssl_certificate /etc/ingress-controller/ssl/default-fake-certificate.pem;
ssl_certificate_key /etc/ingress-controller/ssl/default-fake-certificate.pem;
......
客户端访问31443查看
由于证书问题,提示不安全,但是可以访问https 443端口。
https://www.cnblogs.com/linuxk
马永亮. Kubernetes进阶实战 (云计算与虚拟化技术丛书)
Kubernetes-handbook-jimmysong-20181218
Kubernetes之Ingress和Ingress Controller
标签:国内 进入 合规 vat max head 虚拟主机 组成 镜像
原文地址:https://www.cnblogs.com/wlbl/p/10652908.html