Exposing ports externally with Ingress


HTTP and HTTPS ports

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
    - ks.hongda.com
    secretName: hongda-com-tls-secret
  rules:
  - host: ks.hongda.com
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443

Apply it:

kubectl apply -f ingress-kubernetes-dashboard.yaml  

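Details

  • kubernetes.io/ingress.class: "nginx": the Nginx Ingress Controller uses this annotation to discover the Ingress automatically;
  • nginx.ingress.kubernetes.io/backend-protocol: the controller uses HTTPS when forwarding to the backend Service;
  • secretName: kube-dasboard-ssl: the Secret that holds the HTTPS certificate;
  • host: ks.hongda.com: the domain name used for external access;
  • serviceName: kubernetes-dashboard: the name of the Service being exposed outside the cluster;
  • servicePort: 443: the port the Service listens on;

Note: the Ingress must be created in the same namespace as the Service it exposes!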

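Exposing TCP ports with a ConfigMap

The Ingress resource does not support TCP or UDP services; they can be exposed through the Ingress controller instead.

The default YAML already sets this: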

...
spec:
   hostNetwork: true # <--
   containers:
   - args:
     - /nginx-ingress-controller
     - --configmap=$(POD_NAMESPACE)/nginx-configuration
     - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
     - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
     - --publish-service=$(POD_NAMESPACE)/ingress-nginx
     - --annotations-prefix=nginx.ingress.kubernetes.io
     env:
...

The TCP mappings are set in tcp-services-configmap.yaml and the UDP mappings in udp-services-configmap.yaml.

tcp-services-configmap.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services
  namespace: ingress-nginx
data:
  2181: "kafka/kafka-zookeeper:2181"
  9092: "kafka/kafka:9092"

udp-services-configmap.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: udp-services
  namespace: ingress-nginx
data:
  53: "kube-system/kube-dns:53"
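
With hostNetwork: true, every key in these two ConfigMaps becomes a listener on the node itself, so the maps deserve the same review as firewall rules. The Python below is an added example, not code from the original post or from ingress-nginx: it parses the output of kubectl get configmap <name> -o json and reports listeners that are not on an approved list. The function names, the APPROVED set and the embedded sample JSON (constructed from the values above) are assumptions.

```python
import json
from typing import List, NamedTuple, Set, Tuple

class Listener(NamedTuple):
    proto: str          # "tcp" or "udp"
    listen_port: int    # port opened by the controller (on the node with hostNetwork)
    namespace: str
    service: str
    target_port: str    # Service port, number or name
    proxy_in: bool      # PROXY protocol expected from clients
    proxy_out: bool     # PROXY protocol sent to the backend

def parse_stream_configmap(doc: str, proto: str) -> List[Listener]:
    """Parse `kubectl get configmap <name> -o json` for tcp-/udp-services.

    Values follow <namespace>/<service>:<port>[:PROXY][:PROXY].
    """
    listeners = []
    for key, value in (json.loads(doc).get("data") or {}).items():
        if not key.isdigit() or not 1 <= int(key) <= 65535:
            raise ValueError(f"invalid listen port {key!r}")
        target, _, rest = value.partition(":")
        namespace, _, service = target.partition("/")
        port, *flags = rest.split(":")
        if not (namespace and service and port) or "/" in service:
            raise ValueError(f"invalid backend {value!r} for port {key}")
        if len(flags) > 2 or any(f not in ("", "PROXY") for f in flags):
            raise ValueError(f"invalid PROXY flags in {value!r}")
        flags += [""] * (2 - len(flags))
        listeners.append(Listener(proto, int(key), namespace, service, port,
                                  flags[0] == "PROXY", flags[1] == "PROXY"))
    return sorted(listeners, key=lambda l: l.listen_port)

def unapproved(listeners: List[Listener],
               approved: Set[Tuple[str, int]]) -> List[Listener]:
    """Return listeners whose (proto, port) pair is not on the approved list."""
    return [l for l in listeners if (l.proto, l.listen_port) not in approved]

# Constructed sample input: JSON form of the two ConfigMaps shown above.
TCP_DOC = '{"data": {"2181": "kafka/kafka-zookeeper:2181", "9092": "kafka/kafka:9092"}}'
UDP_DOC = '{"data": {"53": "kube-system/kube-dns:53"}}'
APPROVED = {("tcp", 9092)}  # hypothetical allowlist, an assumption for this example

if __name__ == "__main__":
    found = parse_stream_configmap(TCP_DOC, "tcp") + parse_stream_configmap(UDP_DOC, "udp")
    for l in unapproved(found, APPROVED):
        print(f"{l.proto}/{l.listen_port} -> {l.namespace}/{l.service}:{l.target_port}")
```

Run against the live maps in CI or a scheduled job, a non-empty result means a port was published that nobody signed off on.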

Publishing the ports on the Ingress service

Update the Ingress installation file

controller:
  replicaCount: 1
  hostNetwork: true
  nodeSelector:
    node-role.kubernetes.io/edge: ''
  affinity:
    podAntiAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchExpressions:
            - key: app
              operator: In
              values:
              - nginx-ingress
            - key: component
              operator: In
              values:
              - controller
          topologyKey: kubernetes.io/hostname
  tolerations:
      - key: node-role.kubernetes.io/master
        operator: Exists
        effect: NoSchedule
      - key: node-role.kubernetes.io/master
        operator: Exists
        effect: PreferNoSchedule
defaultBackend:
  nodeSelector:
    node-role.kubernetes.io/edge: ''
  tolerations:
      - key: node-role.kubernetes.io/master
        operator: Exists
        effect: NoSchedule
      - key: node-role.kubernetes.io/master
        operator: Exists
        effect: PreferNoSchedule
# TCP service key:value pairs
tcp:
   2181: "kafka/kafka-zookeeper:2181"
   9092: "kafka/kafka:9092"

The following was added at the bottom:

# TCP service key:value pairs
tcp:
   2181: "kafka/kafka-zookeeper:2181"
   9092: "kafka/kafka:9092"

Upgrade:

helm upgrade nginx-ingress stable/nginx-ingress \
-f ingress-nginx.yaml

Check:

[root@master home]# netstat -ano |grep 2181
tcp        0      0 0.0.0.0:2181            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp6       0      0 :::2181                 :::*                    LISTEN      off (0.00/0/0)

Once exposed this way, ZooKeeper can be called directly. Connection addresses:

zk.hongda.com:2181
18.16.202.163:2181


