1. Ingress overview

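Diagram notes: the first Service brings external traffic into the cluster. It is optional: the controller can instead run under a DaemonSet so that its Pods share the node's network. The second Service only groups the backend Pods and is not itself used to dispatch traffic. When the backend Pods change, the Ingress injects the change into the configuration file of the layer-7 nginx load balancer managed by the ingress controller.
2. Deployment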
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml
kubectl apply -f mandatory.yaml
# Earlier releases also ran a default-http-backend; now only one pod runs
kubectl get pods -n ingress-nginx
NAME READY STATUS RESTARTS AGE
nginx-ingress-controller-689498bc7c-sm972 1/1 Running 0 45s
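# nginx-ingress-controller is deployed on node1: one Deployment controller, one ReplicaSet, one pod.
# Next, a service-nodeport Service must also be deployed so that traffic from outside the cluster can be brought into the cluster.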
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/baremetal/service-nodeport.yaml
# To keep the NodePort Service from auto-assigning ports, set nodePort manually
cat service-nodeport.yaml
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 80
      nodePort: 30080
      protocol: TCP
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
      nodePort: 30443
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
kubectl apply -f service-nodeport.yaml
kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.102.228.59 <none> 80:30080/TCP,443:30443/TCP 31s
3. Define the backend grouping Service: myapp-svc
cat myapp-svc-headless.yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp-svc
  namespace: default
spec:
  selector:
    app: myapp
    release: canary
  clusterIP: "None"
  ports:
    - port: 80
      targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deploy
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      containers:
        - name: myapp
          image: ikubernetes/myapp:v1
          ports:
            - name: http
              containerPort: 80
# When creating pods, nodeSelector can be used to place them on specific nodes
kubectl apply -f myapp-svc-headless.yaml
kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 13d
myapp-svc ClusterIP None <none> 80/TCP 29m
# Publish myapp-svc through an Ingress
cat ingress-myapp.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
    - host: myapp.lixiang.com
      http:
        paths:
          - path:
            backend:
              serviceName: myapp-svc
              servicePort: 80
namespace: must be the same namespace as the Deployment and the Service being published
annotations: states that the ingress controller we use is nginx, not Traefik or Envoy
host: requests for this domain name are forwarded to the backend pods managed by myapp-deploy
kubectl apply -f ingress-myapp.yaml
kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
ingress-myapp myapp.lixiang.com 80 5m34s
# Open an interactive shell
kubectl exec -n ingress-nginx -it nginx-ingress-controller-689498bc7c-sm972 -- /bin/sh
$ cat nginx.conf
## start server myapp.lixiang.com
server {
    server_name myapp.lixiang.com ;
    listen 80;
    location / {
        set $namespace "default";
        set $ingress_name "ingress-myapp";
        set $service_name "myapp-svc";
        set $service_port "80";
        set $location_path "/";
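# As soon as the Ingress is created, its information is injected into the nginx-ingress-controller pod.
# My impression is that the Ingress acts like a watcher and a courier, while nginx-ingress-controller acts as the reverse proxy.
# Add a hosts entry for name resolution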
curl myapp.lixiang.com:30080
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
4. Access over HTTPS
# Self-signed certificate
openssl genrsa -out tls.key 2048
openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/O=DevOps/CN=myapp.lixiang.com
# Inject the certificate into the pod through a Secret
kubectl create secret tls myapp-infress-secret --cert=tls.crt --key=tls.key
cat ingress-myapp.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myapp-tls
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
    - hosts:
        - myapp.lixiang.com
      secretName: myapp-infress-secret
  rules:
    - host: myapp.lixiang.com
      http:
        paths:
          - path: /
            backend:
              serviceName: myapp-svc
              servicePort: 80
# Enter the container and view the configuration file
cat nginx.conf
server {
    server_name myapp.lixiang.com ;
    listen 80;
    listen 443 ssl http2;
curl -k https://myapp.lixiang.com:30443
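The only difference between the ingress-myapp and ingress-myapp-tls manifests above is the spec.tls block, which is easy to leave out when more hosts are added later. The Python script below is an added example, not part of the original post: it audits Ingress objects for rule hosts that no TLS entry covers. The function names and the two sample objects are constructed for illustration.

```python
# Added example: audit Ingress objects (dicts, e.g. the items returned by
# `kubectl get ingress -A -o json`) for hosts not covered by a TLS entry.
CLASS_ANNOTATION = "kubernetes.io/ingress.class"
REDIRECT_ANNOTATION = "nginx.ingress.kubernetes.io/ssl-redirect"


def covers(tls_host, host):
    """True if a spec.tls host covers a rule host ('*.' matches one label)."""
    tls_host, host = tls_host.lower(), host.lower()
    if tls_host.startswith("*."):
        label, _, rest = host.partition(".")
        return bool(label) and rest == tls_host[2:]
    return tls_host == host


def audit_ingress(ing):
    """Return a list of findings for one Ingress object."""
    meta, spec = ing.get("metadata", {}), ing.get("spec", {})
    annotations = meta.get("annotations") or {}
    name = f'{meta.get("namespace", "default")}/{meta.get("name")}'
    findings = []
    if CLASS_ANNOTATION not in annotations and not spec.get("ingressClassName"):
        findings.append(f"{name}: no ingress class set")
    tls_hosts = []
    for entry in spec.get("tls") or []:
        if entry.get("secretName"):
            tls_hosts += entry.get("hosts") or []
        else:
            findings.append(f"{name}: tls entry without secretName")
    for rule in spec.get("rules") or []:
        host = rule.get("host") or "*"  # a rule without host matches any Host header
        if not any(covers(t, host) for t in tls_hosts):
            findings.append(f"{name}: host {host} has no spec.tls entry")
    if tls_hosts and annotations.get(REDIRECT_ANNOTATION) == "false":
        findings.append(f"{name}: HTTP-to-HTTPS redirect disabled")
    return findings

# Constructed samples, trimmed to the fields the audit reads; they mirror
# the ingress-myapp and ingress-myapp-tls manifests from this post.
PLAIN = {"metadata": {"name": "ingress-myapp", "namespace": "default",
                      "annotations": {CLASS_ANNOTATION: "nginx"}},
         "spec": {"rules": [{"host": "myapp.lixiang.com"}]}}
WITH_TLS = {"metadata": dict(PLAIN["metadata"], name="ingress-myapp-tls"),
            "spec": dict(PLAIN["spec"], tls=[{"hosts": ["myapp.lixiang.com"],
                                               "secretName": "myapp-infress-secret"}])}

if __name__ == "__main__":
    for ing in (PLAIN, WITH_TLS):
        print(ing["metadata"]["name"], audit_ingress(ing) or "ok")
```

On a live cluster, pass each element of the `items` array from `kubectl get ingress -A -o json` to `audit_ingress`.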
Reference blog: http://blog.itpub.net/28916011/viewspace-2214747/
