Ingress

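Ingress-nginx acts as an HTTP proxy and lets services be published outside the cluster. Exposing them over TCP through a Service instead requires more IPs and ports.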

Deploying the ingress controller

```bash
# Download the ingress controller deployment manifest
$ wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.34.1/deploy/static/provider/cloud/deploy.yaml
--2020-07-25 21:00:01--  https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.34.1/deploy/static/provider/cloud/deploy.yaml
正在解析主机 raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.192.133, 151.101.64.133, 151.101.0.133, ...
正在连接 raw.githubusercontent.com (raw.githubusercontent.com)|151.101.192.133|:443... 已连贯。
已收回 HTTP 申请,正在期待回应... 200 OK
长度:18133 (18K) [text/plain]
正在保留至: “deploy.yaml”

deploy.yaml                    100%[==================================================>]  17.71K  --.-KB/s  用时 0.05s

2020-07-25 21:00:01 (389 KB/s) - 已保留 “deploy.yaml” [18133/18133])
```

After downloading, change the Service type to NodePort; the default file uses LoadBalancer.

```yaml
# Source: ingress-nginx/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    helm.sh/chart: ingress-nginx-2.11.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.34.1
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: NodePort
  externalTrafficPolicy: Local
  ports:
    - name: http
      port: 80
      nodePort: 30080
      protocol: TCP
      targetPort: http
    - name: https
      port: 443
      nodePort: 30443
      protocol: TCP
      targetPort: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
```

```bash
# Deploy the ingress controller
$ kubectl apply -f deploy.yaml
namespace/ingress-nginx created
serviceaccount/ingress-nginx created
configmap/ingress-nginx-controller created
clusterrole.rbac.authorization.k8s.io/ingress-nginx created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx created
role.rbac.authorization.k8s.io/ingress-nginx created
rolebinding.rbac.authorization.k8s.io/ingress-nginx created
service/ingress-nginx-controller-admission created
service/ingress-nginx-controller created
deployment.apps/ingress-nginx-controller created
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission created
clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
job.batch/ingress-nginx-admission-create created
job.batch/ingress-nginx-admission-patch created
role.rbac.authorization.k8s.io/ingress-nginx-admission created
rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
serviceaccount/ingress-nginx-admission created
```

```bash
# List the resources created in the ingress-nginx namespace
$ kubectl get all -n ingress-nginx
NAME                                           READY   STATUS      RESTARTS   AGE
pod/ingress-nginx-admission-create-fvph7       0/1     Completed   0          5m46s
pod/ingress-nginx-admission-patch-gr48z        0/1     Completed   1          5m46s
pod/ingress-nginx-controller-c96557986-9rw9m   1/1     Running     0          5m56s

NAME                                         TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
service/ingress-nginx-controller             NodePort    10.107.249.8   <none>        80:30080/TCP,443:30443/TCP   5m56s
service/ingress-nginx-controller-admission   ClusterIP   10.104.5.150   <none>        443/TCP                      5m56s

NAME                                       READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/ingress-nginx-controller   1/1     1            1           5m56s

NAME                                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/ingress-nginx-controller-c96557986   1         1         1       5m56s

NAME                                       COMPLETIONS   DURATION   AGE
job.batch/ingress-nginx-admission-create   1/1           2s         5m56s
job.batch/ingress-nginx-admission-patch    1/1           3s         5m56s
```

NodePort exposes the ingress ports on every node.

Proxying an HTTP application through Ingress

```
$ cat tomcat-deploy.yaml
kind: Namespace
apiVersion: v1
metadata:
  name: testing
  labels:
    env: testing
---
# Tomcat deployments
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: testing
spec:
  replicas: 2
  selector:
    matchLabels:
      app: tomcat
  template:
    metadata:
      labels:
        app: tomcat
    spec:
      containers:
      - name: tomcat
        image: tomcat:8.0.50-jre8-alpine
        ports:
        - containerPort: 8080
          name: httpport
        - containerPort: 8009
          name: ajpport
---
# Tomcat Service
apiVersion: v1
kind: Service
metadata:
  name: tomcat-svc
  namespace: testing
  labels:
    app: tomcat-svc
spec:
  selector:
    app: tomcat
  ports:
  - name: httpport
    port: 80
    targetPort: 8080
    protocol: TCP
```

```
$ cat tomcat-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat
  namespace: testing
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: tomcat.kubernetes.io
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat-svc
          servicePort: 80
```

Proxying HTTPS through Ingress

```
$ cat tomcat-ingress-tls.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-ingress-tls
  namespace: testing
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - tomcat.linux.io
    secretName: tomcat-ingress-secret
  rules:
  - host: tomcat.linux.io
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat-svc
          servicePort: 80
```

```bash
$ openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
............................+++
............................................................................................................................+++
e is 65537 (0x10001)
$ openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=GuangDong/L=GuangZhou/O=DevOps/CN=tomcat.kubernetes.io -days 3650
ca0gu0@ca0gu0deMBP ingress % kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key -n testing
secret/tomcat-ingress-secret created
$ kubectl apply -f tomcat-ingress-tls.yaml
ingress.extensions/tomcat-ingress-tls created
ca0gu0@ca0gu0deMBP ingress % kubectl get svc -n testing
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
tomcat-svc   ClusterIP   10.98.232.166   <none>        80/TCP    32m
$ kubectl get ingress -n testing
NAME                 CLASS    HOSTS                  ADDRESS        PORTS     AGE
tomcat               <none>   tomcat.kubernetes.io   10.107.249.8   80        32m
tomcat-ingress-tls   <none>   tomcat.linux.io                       80, 443   29s
```
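
An added example, not part of the original page: the certificate above is issued with CN=tomcat.kubernetes.io while the TLS Ingress host is tomcat.linux.io, so its name does not cover the host it is served for. The script below issues a self-signed certificate whose subjectAltName matches the host and checks any certificate against the Ingress host before it goes into the Secret; the function names, the 365-day lifetime and the temporary file names are assumptions, and `-addext` needs OpenSSL 1.1.1 or newer.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Function names are hypothetical.
set -eu

# make_cert HOST KEY CRT
# Self-signed cert with CN and subjectAltName both set to HOST.
# -addext needs OpenSSL 1.1.1+; the 365-day lifetime is an assumed value.
make_cert() {
  local host="$1" key="$2" crt="$3"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$key" -out "$crt" \
    -subj "/O=DevOps/CN=${host}" \
    -addext "subjectAltName=DNS:${host}" 2>/dev/null
  chmod 600 "$key"   # private key readable by the owner only
}

# cert_matches_host CRT HOST
# Returns 0 only if CRT is valid for HOST. `openssl x509 -checkhost` reports
# the result in its output text, so the text is what gets inspected.
cert_matches_host() {
  local crt="$1" host="$2" out
  out=$(openssl x509 -in "$crt" -noout -checkhost "$host")
  case "$out" in
    *"does match certificate"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Demo on constructed certificates: one named as in the page's openssl
# command, one named after the host in tomcat-ingress-tls.yaml.
demo() {
  local dir name ingress_host=tomcat.linux.io
  dir=$(mktemp -d)
  make_cert tomcat.kubernetes.io "$dir/page.key" "$dir/page.crt"
  make_cert "$ingress_host" "$dir/tls.key" "$dir/tls.crt"
  for name in page tls; do
    if cert_matches_host "$dir/$name.crt" "$ingress_host"; then
      echo "$name.crt: valid for $ingress_host"
    else
      echo "$name.crt: NOT valid for $ingress_host"
    fi
  done
  rm -rf "$dir"
}

demo
```

Once the check passes, the pair can be loaded with the page's own command, `kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key -n testing`.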

Accessing over HTTPS