Kubernetes: Ingress-Nginx
Overview
The difference between ingress-Nginx and ingress-Nginx-Controller

ingress-Nginx: the Ingress object each service creates for itself. It is nothing more than Nginx forwarding rules, from which the Nginx configuration file is generated.

ingress-Nginx-Controller: effectively the Nginx service itself. It watches the API Server and, following the ingress-nginx rules the user has written (the ingress.yaml file), dynamically rewrites the Nginx service's configuration file and reloads it so the change takes effect. The process is automatic and is implemented with Lua.

Service types for ingress-Nginx-Controller

NodePort: deploy an ingress-nginx-controller with a Deployment, then create a Service of type NodePort. That exposes the ingress-nginx-controller's port on every Node in the cluster; then put a few of those machines behind the public cloud's ELB and resolve the domain name to the ELB, and the service is exposed externally.

LoadBalancer: deploy an ingress-nginx-controller with a Deployment, then create a Service of type LoadBalancer that selects that group of Pods. Most public clouds automatically create a load balancer for a LoadBalancer Service, usually with a public address bound to it; point the domain name at that address and the service is exposed externally.

Deploying ingress-Nginx-Controller
1. The ServiceAccount required by ingress-Nginx-Controller, used to access the API Server

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: nginx-ingress
    chart: nginx-ingress-1.26.2
    heritage: Helm
    release: nginx-ingress
  name: nginx-ingress
  namespace: se
secrets:
- name: nginx-ingress-token-9bbd4

2. The Secret required by the ingress-Nginx-Controller ServiceAccount (the ca and token, base64-encoded)

apiVersion: v1
data:
  ca.crt: LS0tLS1CUJBZ0lVUXVqazcwRmhXQm43dXQ1M3liMWdLeXNkFRRUwKQlFBd1pURUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKb3N01DVGpPK2VNd0h3WURWUjBqQkJnd0ZvQVVXYTVCSzQvSApOMjdteEVvaVB3N01DVGpPK2VNd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFJcDlveFJTb29OelNGQmJrMEMvCmIwbVNvTUFlSU5vOVYrNWFEdGg3eExjWjZPazJCYVFWV1ZLK2ZVYW45WQpjaTQ9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
  namespace: c2U=
  token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpSjkuZZoWTJOdmRXNTBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5dVlXMWxjM0JoWTJVaU9pSnpaU0lzSW10MVltVnlibRTRXVlSjN2U0NlcTc5S25ENFdaWnoybXBvR1RuLVZHUFI4ai1B
kind: Secret
metadata:
  name: nginx-ingress-token-9bbd4
  namespace: se
type: kubernetes.io/service-account-token

The token value is the ServiceAccount's bearer token, so read access to this Secret is equivalent to the controller's own permissions on the API Server.

3. The Deployment manifest for ingress-Nginx-Controller

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: nginx-ingress
    chart: nginx-ingress-1.26.2
    component: controller
    heritage: Helm
    release: nginx-ingress
  name: nginx-ingress-controller
  namespace: se
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-ingress
      component: controller
      release: nginx-ingress
  template:
    metadata:
      labels:
        app: nginx-ingress
        component: controller
        release: nginx-ingress
    spec:
      containers:
      - args:
        - /nginx-ingress-controller
        - --default-backend-service=se/nginx-ingress-default-backend
        - --election-id=ingress-controller-leader
        - --ingress-class=nginx
        - --configmap=se/nginx-ingress-controller
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        image: hrb.xxxx.com/library/nginx-ingress-controller:0.26.1
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: nginx-ingress-controller
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
        - containerPort: 443
          name: https
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        securityContext:
          allowPrivilegeEscalation: true
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
          runAsUser: 33
      serviceAccount: nginx-ingress
      serviceAccountName: nginx-ingress
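The controller Deployment above runs as uid 33, drops every capability and adds back only NET_BIND_SERVICE, while leaving allowPrivilegeEscalation: true. The Python script below is an added example, not code from this post or from the nginx-ingress chart: it audits a container spec against those expectations. The CONTROLLER_CONTAINER dict is transcribed from the Deployment above; the rule set, the ROOT_CONTAINER counter-example and the audit_security_context function are this example's own assumptions. allowPrivilegeEscalation is reported for review rather than treated as a failure, because this controller version binds ports 80 and 443 as a non-root user through file capabilities on its binaries, which the no_new_privs flag set by allowPrivilegeEscalation: false would suppress.

```python
"""Audit a container's securityContext against a hardened-ingress baseline.

Added example, not part of the original post or of the nginx-ingress chart.
The rules below are this example's assumptions about what an ingress
controller container should look like, not a rule set shipped with
Kubernetes or ingress-nginx.
"""

# Transcribed from the post's Deployment (security-relevant keys only).
CONTROLLER_CONTAINER = {
    "name": "nginx-ingress-controller",
    "image": "hrb.xxxx.com/library/nginx-ingress-controller:0.26.1",
    "securityContext": {
        "allowPrivilegeEscalation": True,
        "capabilities": {"add": ["NET_BIND_SERVICE"], "drop": ["ALL"]},
        "runAsUser": 33,
    },
}

# Constructed counter-example (not from the post): root, no drop, extra cap.
ROOT_CONTAINER = {
    "name": "unhardened",
    "securityContext": {"runAsUser": 0, "capabilities": {"add": ["SYS_ADMIN"]}},
}

# The only capability a web-facing controller needs to bind ports 80/443.
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}

APE_FINDING = "allowPrivilegeEscalation is true (verify it is required)"


def audit_security_context(container):
    """Return a list of finding strings for one container spec (empty = clean).

    Findings are produced in a fixed order: runAsUser, capabilities.drop,
    unexpected added capabilities, allowPrivilegeEscalation.
    """
    findings = []
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    added = set(caps.get("add") or [])
    dropped = set(caps.get("drop") or [])

    # An unset runAsUser leaves the choice to the image, which is usually root.
    uid = sc.get("runAsUser")
    if uid is None:
        findings.append("runAsUser is not set")
    elif uid == 0:
        findings.append("runAsUser is 0 (root)")

    if "ALL" not in dropped:
        findings.append("capabilities.drop does not include ALL")

    unexpected = added - ALLOWED_ADDED_CAPS
    if unexpected:
        findings.append("unexpected added capabilities: " + ", ".join(sorted(unexpected)))

    # Kubernetes defaults allowPrivilegeEscalation to true when it is unset.
    # The post's chart sets it to true on purpose (file capabilities need it),
    # so it is surfaced for a human decision instead of failing the audit.
    if sc.get("allowPrivilegeEscalation", True):
        findings.append(APE_FINDING)

    return findings


def audit_pod_containers(containers):
    """Map container name -> findings for every container in a pod spec."""
    return {c["name"]: audit_security_context(c) for c in containers}


if __name__ == "__main__":
    for name, findings in audit_pod_containers([CONTROLLER_CONTAINER, ROOT_CONTAINER]).items():
        print(name, "->", findings or "OK")
```

Feed it the containers of any Deployment you already have parsed; the only finding it raises for the post's controller is the allowPrivilegeEscalation one, which is the expected state for this chart version.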
4. The Service manifest for ingress-Nginx-Controller

apiVersion: v1
kind: Service
metadata:
  labels:
    app: nginx-ingress
    chart: nginx-ingress-1.26.2
    component: controller
    heritage: Helm
    release: nginx-ingress
  name: nginx-ingress-controller
  namespace: se
spec:
  ports:
  - name: http
    nodePort: 30080
    port: 80
    protocol: TCP
    targetPort: http
  - name: https
    nodePort: 30443
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app: nginx-ingress
    component: controller
    release: nginx-ingress
  type: NodePort

5. Check the ingress-Nginx-Controller Service

kubectl get svc nginx-ingress-controller -n se
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
nginx-ingress-controller NodePort 192.168.2.67 80:30080/TCP,443:30443/TCP 1d
At this point ingress-Nginx-Controller is deployed, and every Node in the cluster is listening on ports 30080 and 30443.

Request an ELB on AWS, then pick two fixed Nodes dedicated to forwarding, with no Pods scheduled on them.

ELB port 80 --> NodePort 30080 on the Nodes
ELB port 443 --> NodePort 30443 on the Nodes
Deploying a test service
1. The test service's Deployment manifest

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: test-docker
    env: stg
  name: test-docker
  namespace: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test-docker
  template:
    metadata:
      labels:
        app: test-docker
        env: stg
    spec:
      containers:
      - env:
        - name: K8S_ENV
          value: stg
        - name: K8S_CLUSTER
          value: aws
        - name: CPU_REQUEST
          valueFrom:
            resourceFieldRef:
              containerName: test-docker
              divisor: "0"
              resource: requests.cpu
        - name: MEM_REQUEST
          valueFrom:
            resourceFieldRef:
              containerName: test-docker
              divisor: "0"
              resource: requests.memory
        - name: CPU_LIMIT
          valueFrom:
            resourceFieldRef:
              containerName: test-docker
              divisor: "0"
              resource: limits.cpu
        - name: MEM_LIMIT
          valueFrom:
            resourceFieldRef:
              containerName: test-docker
              divisor: "0"
              resource: limits.memory
        - name: TZ
          value: Asia/Shanghai
        - name: POD_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        image: hrb.xxx.com/test-docker:1.0.428.7eb2128
        imagePullPolicy: IfNotPresent
        name: test-docker
        ports:
        - containerPort: 8025
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /status
            port: 8025
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 5
        resources:
          limits:
            cpu: "1"
            memory: 2000Mi
          requests:
            cpu: 100m
            memory: 2000Mi
        volumeMounts:
        - mountPath: /etc/localtime
          name: host-time
          readOnly: true
        - mountPath: /data/logs
          name: log
        - mountPath: /app/conf
          name: config-volume
          readOnly: true
      volumes:
      - hostPath:
          path: /etc/localtime
          type: ""
        name: host-time
      - hostPath:
          path: /data/logs/test-docker-stg
          type: ""
        name: log
      - configMap:
          defaultMode: 420
          name: test-docker
        name: config-volume

2. The test service's Service manifest

apiVersion: v1
kind: Service
metadata:
  name: test-docker
  namespace: test
spec:
  ports:
  - name: http-8025
    port: 8025
    protocol: TCP
    targetPort: 8025
  selector:
    app: test-docker
  type: ClusterIP

3. The test service's Ingress manifest

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-docker
  namespace: test
spec:
  rules:
  - host: test.baidu.com
    http:
      paths:
      - backend:
          serviceName: test-docker
          servicePort: 8025
        path: /

At this point the test service is deployed. Resolve the test service's domain name to the ELB, and the service can be reached by domain name.

How is a service exposed through Ingress and then reached by domain name?
1. First create the ingress-nginx-controller. Its Service exposes a port via NodePort, so every Node in the K8S cluster listens on that NodePort; this is effectively the Nginx service.

  Where does the Nginx configuration file come from? The ingress-nginx-controller watches the API Server. Once a user creates a service's Ingress in the K8S cluster, the ingress-nginx-controller loads the rules in that Ingress and writes them into the ingress-nginx-controller's configuration file.

2. Create an AWS ELB and point it at any two Nodes.

3. The user creates a service: first the Deployment, the Service and the Ingress. The Ingress states which domain name is forwarded to which Service, and the Service forwards to the actual Pods.

4. Resolve the domain name configured in the Ingress to the ELB's address, and the K8S cluster's service can be reached by domain name.
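The steps above describe the controller turning Ingress rules into Nginx configuration: host to server_name, path to location, backend to the Service, with unmatched requests sent to the default backend named in the controller's --default-backend-service argument. The Python below is an added example written for this page, not the post's code and not ingress-nginx's implementation (the real controller resolves Service endpoints and drives its upstreams from Lua, so endpoint-only changes need no reload). It models the mapping in its simplest form: INGRESSES is constructed to mirror the test-docker Ingress from section 3, MULTI_PATH_INGRESS is a constructed fixture showing longest-prefix path matching, and the cluster.local DNS suffix and the default backend port 80 are assumptions.

```python
"""Simplified model of Ingress rules -> Nginx server blocks.

Added example, not the post's code and not how ingress-nginx itself
renders configuration. It keeps only the mapping the post describes.
"""

# Constructed to mirror the post's Ingress (namespace test, host
# test.baidu.com, path / -> Service test-docker on port 8025).
INGRESSES = [
    {
        "namespace": "test",
        "name": "test-docker",
        "rules": [
            {
                "host": "test.baidu.com",
                "paths": [{"path": "/", "serviceName": "test-docker", "servicePort": 8025}],
            }
        ],
    }
]

# Constructed fixture (not from the post): two paths under one host.
MULTI_PATH_INGRESS = {
    "namespace": "test",
    "name": "app",
    "rules": [
        {
            "host": "app.example.test",
            "paths": [
                {"path": "/", "serviceName": "web", "servicePort": 80},
                {"path": "/api", "serviceName": "api", "servicePort": 8080},
            ],
        }
    ],
}

# Mirrors the post's --default-backend-service=se/nginx-ingress-default-backend;
# port 80 is an assumption.
DEFAULT_BACKEND = ("se", "nginx-ingress-default-backend", 80)


def service_upstream(namespace, service_name, port):
    """Cluster-internal URL of a Service (the cluster.local suffix is assumed)."""
    return "http://%s.%s.svc.cluster.local:%d" % (service_name, namespace, port)


def resolve_backend(ingresses, host, path, default_backend=DEFAULT_BACKEND):
    """Return (namespace, service, port) for a request.

    The host must match exactly; among that host's paths the longest prefix
    that matches wins. No match falls through to the default backend.
    """
    best_prefix, best = "", default_backend
    for ing in ingresses:
        for rule in ing["rules"]:
            if rule["host"] != host:
                continue
            for p in rule["paths"]:
                prefix = p["path"]
                if path.startswith(prefix) and len(prefix) > len(best_prefix):
                    best_prefix = prefix
                    best = (ing["namespace"], p["serviceName"], p["servicePort"])
    return best


def render_nginx_config(ingresses, default_backend=DEFAULT_BACKEND):
    """Render one server block per Ingress host plus a catch-all default_server."""
    blocks = []
    for ing in ingresses:
        for rule in ing["rules"]:
            lines = ["server {", "    listen 80;", "    server_name %s;" % rule["host"], ""]
            # Longest prefixes first so the precedence is visible in the file too.
            for p in sorted(rule["paths"], key=lambda p: -len(p["path"])):
                upstream = service_upstream(ing["namespace"], p["serviceName"], p["servicePort"])
                lines += [
                    "    location %s {" % p["path"],
                    "        proxy_set_header Host $host;",
                    "        proxy_pass %s;" % upstream,
                    "    }",
                ]
            lines.append("}")
            blocks.append("\n".join(lines))
    ns, name, port = default_backend
    blocks.append("\n".join([
        "server {",
        "    listen 80 default_server;",
        "    server_name _;",
        "    location / {",
        "        proxy_pass %s;" % service_upstream(ns, name, port),
        "    }",
        "}",
    ]))
    return "\n\n".join(blocks)


if __name__ == "__main__":
    print(render_nginx_config(INGRESSES + [MULTI_PATH_INGRESS]))
```

Running it prints the rendered server blocks; the default_server block is what receives any request whose Host header matches no Ingress, which is why a wrong or missing DNS record for a service shows the default backend's page rather than an error from the controller.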
Inspect the ingress-nginx resources:
kubectl get pod -n ingress-nginx -o wide
kubectl get ns
kubectl get cm,deploy,pod -n ingress-nginx -o wide
kubectl get svc -n ingress-nginx -o wide

Last modified: 8 February 2021
