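An Ingress setup has two parts: the Ingress Controller and the Ingress resource.
The Ingress Controller is the traffic entry point. It is an actual piece of software, usually Nginx or HAProxy (less common).
An Ingress describes the concrete routing rules.
The Ingress Controller watches the /ingresses resources on the API server and applies changes in real time.
An Ingress describes the routing rules for one or more domain names and exists as an ingress resource.
In short: the Ingress describes the routing rules, and the Ingress Controller implements them in real time.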
vim ~/ingress-nginx.yaml
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx

---
# Source: ingress-nginx/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
automountServiceAccountToken: true
---
# Source: ingress-nginx/templates/controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
---
# Source: ingress-nginx/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
---
# Source: ingress-nginx/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ''
    resources:
      - configmaps
      - pods
      - secrets
      - endpoints
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - configmaps
    resourceNames:
      - ingress-controller-leader
    verbs:
      - get
      - update
  - apiGroups:
      - ''
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
---
# Source: ingress-nginx/templates/controller-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-service-webhook.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
spec:
  type: ClusterIP
  ports:
    - name: https-webhook
      port: 443
      targetPort: webhook
      appProtocol: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-deployment.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/component: controller
  revisionHistoryLimit: 10
  minReadySeconds: 0
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
    spec:
      hostNetwork: true
      dnsPolicy: ClusterFirst
      containers:
        - name: controller
          image: registry.cn-beijing.aliyuncs.com/kole_chang/controller:v1.0.0
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          args:
            - /nginx-ingress-controller
            - --election-id=ingress-controller-leader
            - --controller-class=k8s.io/ingress-nginx
            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
            - --validating-webhook=:8444
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
            - --watch-ingress-without-class=true
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            runAsUser: 101
            allowPrivilegeEscalation: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
            - name: webhook
              containerPort: 8444
              protocol: TCP
          volumeMounts:
            - name: webhook-cert
              mountPath: /usr/local/certificates/
              readOnly: true
          resources:
            requests:
              #cpu: 100m
              memory: 90Mi
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission
---
# Source: ingress-nginx/templates/controller-ingressclass.yaml
# We don't support namespaced ingressClass yet
# So a ClusterRole and a ClusterRoleBinding is required
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: nginx
  namespace: ingress-nginx
spec:
  controller: k8s.io/ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
# before changing this value, check the required kubernetes version
# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  name: ingress-nginx-admission
webhooks:
  - name: validate.nginx.ingress.kubernetes.io
    matchPolicy: Equivalent
    rules:
      - apiGroups:
          - networking.k8s.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions:
      - v1
    clientConfig:
      service:
        namespace: ingress-nginx
        name: ingress-nginx-controller-admission
        path: /networking/v1/ingresses
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
rules:
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - get
      - update
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
rules:
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - get
      - create
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
spec:
  template:
    metadata:
      name: ingress-nginx-admission-create
      labels:
        helm.sh/chart: ingress-nginx-4.0.1
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/version: 1.0.0
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: create
          image: registry.cn-beijing.aliyuncs.com/kole_chang/kube-webhook-certgen:v1.0
          imagePullPolicy: IfNotPresent
          args:
            - create
            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
            - --namespace=$(POD_NAMESPACE)
            - --secret-name=ingress-nginx-admission
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
spec:
  template:
    metadata:
      name: ingress-nginx-admission-patch
      labels:
        helm.sh/chart: ingress-nginx-4.0.1
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/version: 1.0.0
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: patch
          image: registry.cn-beijing.aliyuncs.com/kole_chang/kube-webhook-certgen:v1.0
          imagePullPolicy: IfNotPresent
          args:
            - patch
            - --webhook-name=ingress-nginx-admission
            - --namespace=$(POD_NAMESPACE)
            - --patch-mutating=false
            - --secret-name=ingress-nginx-admission
            - --patch-failure-policy=Fail
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
```

kubectl apply -f ingress-nginx.yaml
vim ~/ingress.yaml
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sumengnan.com
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "true"
spec:
  rules:
    - host: sumengnan.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: tomcat-service
                port:
                  number: 8080
```

This means: when a request arrives for the domain sumengnan.com, forward it to port 8080 of the Service named tomcat-service.
kubectl apply -f ingress.yaml
kubectl create secret tls sumengnan.com-secret --key sumengnan.com.key --cert sumengnan.com.crt
Add the TLS configuration:
```yaml
spec:
  tls:
    - hosts:
        - "sumengnan.com"
      secretName: sumengnan.com-secret
  rules:
    - host: sumengnan.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: tomcat-service
                port:
                  number: 8080
```

Apply: kubectl apply -f ingress.yaml
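
An added example, not part of the original post: a misspelled annotation key is accepted by the API server and then never read by the controller, and ssl-redirect only redirects when TLS is configured for the host. The script checks Ingress objects, in the JSON form printed by `kubectl get ingress -A -o json`, for both problems; the sample objects, the KNOWN list and the function names are constructed for illustration.

```python
import difflib
import json

PREFIX = "nginx.ingress.kubernetes.io"
# Annotation names used on this page; extend the list for your own manifests.
KNOWN = sorted({
    "rewrite-target", "ssl-redirect", "use-regex", "backend-protocol",
    "proxy-connect-timeout", "proxy-send-timeout", "proxy-read-timeout",
    "proxy-body-size", "auth-tls-verify-client", "auth-tls-secret",
    "auth-tls-verify-depth", "auth-tls-pass-certificate-to-upstream",
})

# Constructed sample in the shape of `kubectl get ingress -A -o json`.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "demo-plain", "namespace": "default", "annotations": {
      "nginx.ingress.kubernetes.io/ssl-redirect": "true",
      "nginx.inaress.kubernetes.io/use-reaex": "true",
      "kubernetes.io/ingress.class": "nginx"}},
   "spec": {"rules": [{"host": "demo.example.test"}]}},
  {"metadata": {"name": "demo-tls", "namespace": "default", "annotations": {
      "nginx.ingress.kubernetes.io/use-regex": "true"}},
   "spec": {"tls": [{"hosts": ["*.example.test"], "secretName": "demo-secret"}],
            "rules": [{"host": "app.example.test"}]}}
]}""")


def covered(host, tls_hosts):
    """True if host is listed under spec.tls, directly or via a one-label wildcard."""
    return host in tls_hosts or "*." + host.partition(".")[2] in tls_hosts


def audit_ingress(ing):
    """Return a list of findings for one Ingress object (a parsed JSON dict)."""
    findings = []
    annotations = ing.get("metadata", {}).get("annotations") or {}
    spec = ing.get("spec", {})
    for key in annotations:
        prefix, _, name = key.partition("/")
        if prefix == PREFIX and name in KNOWN:
            continue
        near_prefix = difflib.SequenceMatcher(None, prefix, PREFIX).ratio() >= 0.9
        near_name = difflib.get_close_matches(name, KNOWN, n=1, cutoff=0.8)
        if near_prefix and (prefix != PREFIX or near_name):
            fixed = f"{PREFIX}/{near_name[0] if near_name else name}"
            findings.append(f"annotation '{key}' looks like a typo of '{fixed}'")
    tls_hosts = set()
    for entry in spec.get("tls") or []:
        if not entry.get("secretName"):
            findings.append("tls entry has no secretName")
        tls_hosts.update(entry.get("hosts") or [])
    # ssl-redirect only redirects hosts that have TLS configured on the Ingress.
    if annotations.get(f"{PREFIX}/ssl-redirect") == "true":
        for rule in spec.get("rules") or []:
            host = rule.get("host")
            if host and not covered(host, tls_hosts):
                findings.append(f"ssl-redirect set but host '{host}' is not under spec.tls")
    return findings


def audit_all(doc):
    """Map 'namespace/name' to findings for every Ingress that has any."""
    results = {"{namespace}/{name}".format(**i["metadata"]): audit_ingress(i)
               for i in doc.get("items", [])}
    return {target: found for target, found in results.items() if found}


if __name__ == "__main__":
    print(json.dumps(audit_all(SAMPLE), indent=2))
```

To run it against a cluster, save the output of `kubectl get ingress -A -o json` to a file and pass the parsed JSON to `audit_all`.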
(1) Create the TLS secret:
kubectl create secret tls grafana.sumengnan.com-secret --key grafana.sumengnan.com.key --cert grafana.sumengnan.com.crt -n ns-monitor
(2) Create the ingress
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: ns-monitor
  name: grafana.sumengnan.com
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "true"
spec:
  tls:
    - hosts:
        - "grafana.sumengnan.com"
      secretName: grafana.sumengnan.com-secret
  rules:
    - host: grafana.sumengnan.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: grafana-service
                port:
                  number: 3000
```

kubectl apply -f grafana-ingress.yml
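(3) Remove nodePort: 30001 from the grafana.yaml file (optional)
For setting up grafana, see: "[Kubernetes setup (3)] Setting up a Prometheus + grafana monitoring platform" on sumengnan's blog (CSDN).
Because the cluster no longer needs to be reached from outside through this port, remove it and keep only the internal port 3000.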

kubectl apply -f grafana.yaml
(4) Verify by visiting the address

(1) Create the TLS secret:
kubectl create secret tls kubernetes.sumengnan.com-secret --key kubernetes.sumengnan.com.key --cert kubernetes.sumengnan.com.crt -n kubernetes-dashboard
(2) Create the ingress
Because the kubernetes-dashboard backend has to be reached over https, add:
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/secure-backends: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: kubernetes-dashboard
  name: kubernetes.sumengnan.com
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "true"
    # Note: the backend must also be accessed over https
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/secure-backends: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
    - hosts:
        - "kubernetes.sumengnan.com"
      secretName: kubernetes.sumengnan.com-secret
  rules:
    - host: kubernetes.sumengnan.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kubernetes-dashboard
                port:
                  number: 8443
```

kubectl apply -f kubernetes-dashboard-ingress.yml
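Note: if you get the error failed calling webhook "validate.nginx.ingress.kubernetes.io": failed to call webhook:

then run: kubectl delete -A ValidatingWebhookConfiguration ingress-nginx-admission
to delete the ValidatingWebhookConfiguration. With it deleted, the API server no longer sends Ingress CREATE and UPDATE requests to the controller for validation, so a malformed Ingress is accepted at apply time.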
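(3) Remove nodePort: 30000 from the kubernetes-dashboard.yml file (optional)
For setting up kubernetes-dashboard, see: "[Kubernetes setup (2)] Setting up kubernetes-dashboard" on sumengnan's blog (CSDN).

Access through the cluster-internal port is enough; access through the external port is not needed.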
kubectl apply -f kubernetes-dashboard.yml
(4) Verify by visiting the address

(1) Create the deployment:
kubectl create deployment tomcat --image=tomcat --replicas=2 --port=8080
This runs 2 tomcat instances on port 8080.
(2) Create the service (svc component)
You can use the command: kubectl expose deployment/tomcat --port=8080 --target-port=8080
Create the svc resource: kubectl create service nodeport tomcat-service --tcp=8080:8080
You can also create the svc component by hand (recommended):
vim ~/tomcat-service.yml
```yaml
apiVersion: v1
kind: Service
metadata:
  name: tomcat-service
  labels:
    name: tomcat-service
spec:
  type: NodePort
  ports:
    - port: 8080
      targetPort: 8080
      protocol: TCP
  selector:
    app: tomcat
```
Note: the selector at the end picks the pods labelled tomcat and groups them into one service.
kubectl apply -f tomcat-service.yml
(3) Create the ingress
vim ~/tomcat-ingress.yml
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sumengnan.com
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    # Whether to enable client certificate verification
    #nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    # Trust chain
    #nginx.ingress.kubernetes.io/auth-tls-secret: "tls.secret"
    # Verification depth of the trust chain
    #nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
    # Whether to pass the certificate to the backend service
    #nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
    #ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "true"
spec:
  tls:
    - hosts:
        - "sumengnan.com"
      secretName: sumengnan.com-secret
  rules:
    - host: sumengnan.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: tomcat-service
                port:
                  number: 8080
```

kubectl apply -f tomcat-ingress.yml
(4) Configure the certificate
kubectl create secret tls sumengnan.com-secret --key sumengnan.com.key --cert sumengnan.com.crt
(5) Verify by visiting the address

Done.
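Later, once several nodes are deployed, the ingress controller may be scheduled onto other nodes, which is not what we want.
kubectl label nodes tencent-centos7.6 custem/ingress-controller-ready=true
Add custem/ingress-controller-ready: "true" to the controller's nodeSelector.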
