About Kubernetes: Kubernetes Ingress in Practice


Ingress

ingress-nginx acts as an HTTP proxy and lets you publish services outside the cluster; exposing them directly as TCP Services would need more IPs and ports.

Deploying the ingress controller

# Download the ingress controller deployment manifest
$ wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.34.1/deploy/static/provider/cloud/deploy.yaml
--2020-07-25 21:00:01--  https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.34.1/deploy/static/provider/cloud/deploy.yaml
正在解析主机 raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.192.133, 151.101.64.133, 151.101.0.133, ...
正在连接 raw.githubusercontent.com (raw.githubusercontent.com)|151.101.192.133|:443... 已连贯。
已收回 HTTP 申请,正在期待回应... 200 OK
长度:18133 (18K) 
正在保留至:“deploy.yaml”

deploy.yaml                    100%[==================================================>]  17.71K  --.-KB/s  用时 0.05s   

2020-07-25 21:00:01 (389 KB/s) - 已保留“deploy.yaml”[18133/18133])

After downloading, change the type of the controller Service to NodePort; the default file uses LoadBalancer.

# Source: ingress-nginx/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.11.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.34.1
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: NodePort
  externalTrafficPolicy: Local
  ports:
    - name: http
      port: 80
      nodePort: 30080
      protocol: TCP
      targetPort: http
    - name: https
      port: 443
      nodePort: 30443
      protocol: TCP
      targetPort: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
# Deploy the ingress controller
$ kubectl apply -f deploy.yaml 
namespace/ingress-nginx created
serviceaccount/ingress-nginx created
configmap/ingress-nginx-controller created
clusterrole.rbac.authorization.k8s.io/ingress-nginx created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx created
role.rbac.authorization.k8s.io/ingress-nginx created
rolebinding.rbac.authorization.k8s.io/ingress-nginx created
service/ingress-nginx-controller-admission created
service/ingress-nginx-controller created
deployment.apps/ingress-nginx-controller created
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission created
clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
job.batch/ingress-nginx-admission-create created
job.batch/ingress-nginx-admission-patch created
role.rbac.authorization.k8s.io/ingress-nginx-admission created
rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
serviceaccount/ingress-nginx-admission created
# List the resources created in the ingress-nginx namespace
$ kubectl get all -n ingress-nginx
NAME                                           READY   STATUS      RESTARTS   AGE
pod/ingress-nginx-admission-create-fvph7       0/1     Completed   0          5m46s
pod/ingress-nginx-admission-patch-gr48z        0/1     Completed   1          5m46s
pod/ingress-nginx-controller-c96557986-9rw9m   1/1     Running     0          5m56s

NAME                                         TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
service/ingress-nginx-controller             NodePort    10.107.249.8   <none>        80:30080/TCP,443:30443/TCP   5m56s
service/ingress-nginx-controller-admission   ClusterIP   10.104.5.150   <none>        443/TCP                      5m56s

NAME                                       READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/ingress-nginx-controller   1/1     1            1           5m56s

NAME                                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/ingress-nginx-controller-c96557986   1         1         1       5m56s

NAME                                       COMPLETIONS   DURATION   AGE
job.batch/ingress-nginx-admission-create   1/1           2s         5m56s
job.batch/ingress-nginx-admission-patch    1/1           3s         5m56s

NodePort exposes the ingress ports (30080 and 30443 here) on every node.

Proxying an HTTP application through Ingress

$ cat tomcat-deploy.yaml
kind: Namespace
apiVersion: v1
metadata:
  name: testing
  labels:
    env: testing


---
# Tomcat deployments
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: testing
spec:
  replicas: 2
  selector:
    matchLabels:
      app: tomcat
  template:
    metadata:
      labels:
        app: tomcat
    spec:
      containers:
      - name: tomcat
        image: tomcat:8.0.50-jre8-alpine
        ports:
        - containerPort: 8080
          name: httpport
        - containerPort: 8009
          name: ajpport


---
# Tomcat Service
apiVersion: v1
kind: Service
metadata:
  name: tomcat-svc
  namespace: testing
  labels:
    app: tomcat-svc
spec:
  selector:
    app: tomcat
  ports:
  - name: httpport
    port: 80
    targetPort: 8080
    protocol: TCP
$ cat tomcat-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat
  namespace: testing
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: tomcat.kubernetes.io
    http:
      paths:
      - path: 
        backend:
          serviceName: tomcat-svc
          servicePort: 80

Proxying HTTPS through Ingress

$ cat tomcat-ingress-tls.yaml 
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-ingress-tls
  namespace: testing
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - tomcat.linux.io
    secretName: tomcat-ingress-secret
  rules:
  - host: tomcat.linux.io
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat-svc
          servicePort: 80
$ openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
............................+++
............................................................................................................................+++
e is 65537 (0x10001)

$ openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=GuangDong/L=GuangZhou/O=DevOps/CN=tomcat.linux.io -days 3650
$ kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key -n testing
secret/tomcat-ingress-secret created

$ kubectl apply -f tomcat-ingress-tls.yaml
ingress.extensions/tomcat-ingress-tls created
$ kubectl get svc -n testing
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
tomcat-svc   ClusterIP   10.98.232.166   <none>        80/TCP    32m

$ kubectl get ingress -n testing
NAME                 CLASS    HOSTS                  ADDRESS        PORTS     AGE
tomcat               <none>   tomcat.kubernetes.io   10.107.249.8   80        32m
tomcat-ingress-tls   <none>   tomcat.linux.io                       80, 443   29s

Access the application over HTTPS.
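
Clients validate the served certificate against the host name they requested, so the certificate stored in the secret must cover every host listed under spec.tls of the Ingress, and the key must belong to that certificate. The script below is an added example, not part of the original post, that checks both before the secret is created; the function names are hypothetical, the certificate in the demo is constructed test material, and it assumes OpenSSL 1.1.1 or later (for -addext).

```shell
#!/bin/sh
# Added example: pre-flight checks for a TLS secret used by an Ingress.
# Function names are hypothetical; needs OpenSSL 1.1.1+ (for -addext).

# make_cert DIR HOST: self-signed pair in DIR with CN and SAN set to HOST.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/tls.key" -out "$1/tls.crt" \
        -subj "/O=DevOps/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# cert_covers_host CERT HOST: succeeds only if CERT is valid for HOST.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# key_matches_cert KEY CERT: succeeds only if both hold the same public key.
key_matches_cert() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    [ -n "$pub" ] && [ "$pub" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# check_tls_pair KEY CERT HOST...: report every problem, non-zero if any.
check_tls_pair() {
    key=$1; crt=$2; shift 2; rc=0
    if ! key_matches_cert "$key" "$crt"; then
        echo "FAIL: private key does not belong to certificate"; rc=1
    fi
    for host in "$@"; do
        if cert_covers_host "$crt" "$host"; then
            echo "ok:   certificate covers $host"
        else
            echo "FAIL: certificate does not cover $host"; rc=1
        fi
    done
    return $rc
}

# Constructed case: certificate issued for one name, Ingress host is another.
demo=$(mktemp -d)
make_cert "$demo" tomcat.kubernetes.io
check_tls_pair "$demo/tls.key" "$demo/tls.crt" tomcat.linux.io ||
    echo "fix the names before running kubectl create secret tls"
rm -rf "$demo"
```

Pass every host from spec.tls[].hosts as trailing arguments to check_tls_pair; a non-zero exit status means the pair should not be loaded into the secret yet.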
