Download the Ingress YAML files from GitHub and modify them:
https://github.com/kubernetes/ingress-nginx/tree/nginx-0.18.0/deploy
1. First create a directory to hold the Ingress-related YAML files
mkdir Ingress
cd Ingress
2. Create a namespace to hold the ingress-related objects.
vim namespace.yaml
kubectl create -f namespace.yaml
[root@k8s-master-101 Ingress]# cat namespace.yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
3. vim default-backend.yaml
This file creates the Deployment and the Service for default-backend.
If the requested host name does not match any Ingress rule, the request is forwarded to the default-http-backend Service, which simply returns 404.
[root@k8s-master-101 Ingress]# cat default-backend.yaml
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: default-http-backend
  labels:
    app: default-http-backend
  namespace: ingress-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: default-http-backend
  template:
    metadata:
      labels:
        app: default-http-backend
    spec:
      terminationGracePeriodSeconds: 60
      containers:
      - name: default-http-backend
        # Any image is permissible as long as:
        # 1. It serves a 404 page at /
        # 2. It serves 200 on a /healthz endpoint
        image: registry.cn-hangzhou.aliyuncs.com/google_containers/defaultbackend:1.4
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 30
          timeoutSeconds: 5
        ports:
        - containerPort: 8080
        resources:
          limits:
            cpu: 10m
            memory: 20Mi
          requests:
            cpu: 10m
            memory: 20Mi
---
apiVersion: v1
kind: Service
metadata:
  name: default-http-backend
  namespace: ingress-nginx
  labels:
    app: default-http-backend
spec:
  ports:
  - port: 80
    targetPort: 8080
  selector:
    app: default-http-backend
kubectl create -f default-backend.yaml
4. ConfigMaps holding the TCP and UDP virtual host configuration
vim tcp-services-configmap.yaml
vim udp-services-configmap.yaml
[root@k8s-master-101 Ingress]# cat tcp-services-configmap.yaml
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: tcp-services
  namespace: ingress-nginx
[root@k8s-master-101 Ingress]# cat udp-services-configmap.yaml
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: udp-services
  namespace: ingress-nginx
Create the ConfigMaps
kubectl create -f tcp-services-configmap.yaml
kubectl create -f udp-services-configmap.yaml
5. vim rbac.yaml. This file creates the roles and their bindings, i.e. the RBAC authorization for the Ingress controller: the ServiceAccount, ClusterRole, Role, RoleBinding and ClusterRoleBinding the Ingress controller uses.
[root@k8s-master-101 Ingress]# cat rbac.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses/status
    verbs:
      - update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "<election-id>-<ingress-class>"
      # Here: "<ingress-controller-leader>-<nginx>"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
Create the RBAC objects
kubectl create -f rbac.yaml
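Before applying rbac.yaml it is worth checking what the ClusterRole grants cluster-wide. The following is an added example (not part of the original post) that loads the role as JSON and reports the verbs it grants per resource. The role JSON is a constructed copy of the rules above, and load_role, granted_verbs, can and sensitive_grants are names chosen for this example.

```python
# Added example, not from the original post: a least-privilege check of the
# ClusterRole in rbac.yaml before it is applied. The JSON below is a
# constructed copy of nginx-ingress-clusterrole in the form that
# `kubectl get clusterrole <name> -o json` prints.
import json

CLUSTERROLE_JSON = """
{"kind": "ClusterRole", "metadata": {"name": "nginx-ingress-clusterrole"},
 "rules": [
  {"apiGroups": [""], "resources": ["configmaps", "endpoints", "nodes", "pods", "secrets"], "verbs": ["list", "watch"]},
  {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get"]},
  {"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list", "watch"]},
  {"apiGroups": ["extensions"], "resources": ["ingresses"], "verbs": ["get", "list", "watch"]},
  {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]},
  {"apiGroups": ["extensions"], "resources": ["ingresses/status"], "verbs": ["update"]}
 ]}
"""

def load_role(text=CLUSTERROLE_JSON):
    return json.loads(text)

def _matches(wanted, allowed):
    # RBAC treats "*" as a wildcard in apiGroups, resources and verbs.
    return "*" in allowed or wanted in allowed

def granted_verbs(role, resource, api_group=""):
    """Union of the verbs all rules of `role` grant on (api_group, resource).
    A subresource such as pods/exec must be named explicitly (or via "*")."""
    verbs = set()
    for rule in role.get("rules", []):
        if _matches(api_group, rule.get("apiGroups", [])) and _matches(resource, rule.get("resources", [])):
            verbs.update(rule.get("verbs", []))
    return verbs

def can(role, verb, resource, api_group=""):
    """True if the role lets its subjects perform `verb` on the resource."""
    return _matches(verb, granted_verbs(role, resource, api_group))

def sensitive_grants(role, watchlist=("secrets", "nodes", "pods/exec")):
    """Verbs granted on resources where cluster-wide access is high impact."""
    return {r: sorted(granted_verbs(role, r)) for r in watchlist if granted_verbs(role, r)}

if __name__ == "__main__":
    role = load_role()
    # The controller needs list/watch on secrets to load TLS certificates, but the
    # grant is cluster-wide: the nginx-ingress-serviceaccount token can read every Secret.
    print(sensitive_grants(role))
```

The same check can be run against a live cluster by feeding it the output of kubectl get clusterrole nginx-ingress-clusterrole -o json.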
6. mv with-rbac.yaml deployment.yaml (just renaming the file)
vim deployment.yaml
This file creates the nginx-ingress-controller Deployment with two replicas, one per node. The Ingress controller's job is to translate newly added Ingress objects into Nginx configuration.
The Ingress Controller talks to the Kubernetes API, so it picks up changes to the cluster's Ingress rules dynamically, generates a block of Nginx configuration, writes it into the nginx-ingress-controller Pod and reloads it so the rules take effect. This is how registered Services and their domain names/IPs/ports are added and resolved dynamically.
[root@k8s-master-101 Ingress]# cat deployment.yaml
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: ingress-nginx
  template:
    metadata:
      labels:
        app: ingress-nginx
      annotations:
        prometheus.io/port: '10254'
        prometheus.io/scrape: 'true'
    spec:
      serviceAccountName: nginx-ingress-serviceaccount
      hostNetwork: true
      containers:
        - name: nginx-ingress-controller
          image: registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:0.18.0
          args:
            - /nginx-ingress-controller
            - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx
            - --annotations-prefix=nginx.ingress.kubernetes.io
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
Notes:
The line hostNetwork: true was added; it makes the Pod use the host's network directly. With it, the Ingress controller's IP is the same as the node's and its ports are the node's ports, so the Ingress controller can be reached directly through the node, and it then forwards our requests to the corresponding backend.

By default there are also a few lines of security options between args and env in this section; the Pod could only be created after deleting them. Removing them means the controller container runs without those restrictions, on top of already sharing the node's network namespace through hostNetwork: true.

kubectl create -f deployment.yaml
7. kubectl get pods -n ingress-nginx -o wide
There is one nginx-ingress-controller on each node
[root@k8s-master-101 Ingress]# kubectl get pods -n ingress-nginx -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE
default-http-backend-86569b9d95-8ggjw 1/1 Running 24 14d 172.17.71.8 10.0.0.103 <none>
nginx-ingress-controller-6b46769f55-sf7kg 1/1 Running 20 14d 10.0.0.102 10.0.0.102 <none>
nginx-ingress-controller-6b46769f55-xx4tj 1/1 Running 15 14d 10.0.0.103 10.0.0.103 <none>
1. Create the nginx and httpd Deployments and Pods
[root@k8s-master-101 ~]# kubectl run --image=nginx nginx
deployment.apps/nginx created
[root@k8s-master-101 ~]# kubectl run --image=httpd httpd
deployment.apps/httpd created
[root@k8s-master-101 ~]# kubectl get pods
NAME READY STATUS RESTARTS AGE
httpd-7db5849b8-bxpcg 1/1 Running 0 2m51s
nginx-dbddb74b8-wtr7v 1/1 Running 0 3m2s
2. Create the Services
[root@k8s-master-101 ~]# kubectl expose deployment nginx --port=80 --target-port=80
service/nginx exposed
[root@k8s-master-101 ~]# kubectl expose deployment httpd --port=80 --target-port=80
service/httpd exposed
# check the Service addresses
[root@k8s-master-101 ~]# kubectl get svc -o wide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
httpd ClusterIP 10.10.10.75 <none> 80/TCP 82s run=httpd
kubernetes ClusterIP 10.10.10.1 <none> 443/TCP 20d <none>
nginx ClusterIP 10.10.10.143 <none> 80/TCP 92s run=nginx
3. Change the httpd container's index page
[root@k8s-master-101 ~]# kubectl exec -it httpd-7db5849b8-bxpcg bash
root@httpd-7db5849b8-bxpcg:/usr/local/apache2# cd htdocs/
root@httpd-7db5849b8-bxpcg:/usr/local/apache2/htdocs# echo "hello httpd!" > index.html
root@httpd-7db5849b8-bxpcg:/usr/local/apache2/htdocs# exit
4. Change the nginx container's index page
[root@k8s-master-101 ~]# kubectl exec -it nginx-dbddb74b8-wtr7v bash
root@nginx-dbddb74b8-wtr7v:/# cd /usr/share/nginx/html/
root@nginx-dbddb74b8-wtr7v:/usr/share/nginx/html# echo "hello nginx!" > index.html
root@nginx-dbddb74b8-wtr7v:/usr/share/nginx/html# exit
5. curl from a node to check that the Services are reachable
[root@k8s-node1-102 ~]# curl 10.10.10.75
hello httpd!
[root@k8s-node1-102 ~]# curl 10.10.10.143
hello nginx!
6. Create an Ingress that matches on serviceName
vim http.yaml
[root@k8s-master-101 Ingress]# cat http.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: httpd-test
spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - backend:
          serviceName: httpd
          servicePort: 80
  - host: bar.baz.com
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80
[root@k8s-master-101 Ingress]# kubectl create -f http.yaml
[root@k8s-master-101 Ingress]# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
httpd-test foo.bar.com,bar.baz.com 80 14d
7. Edit the hosts file to map the domain names to an IP; either node will do, because the Ingress controller was deployed on both nodes.

8. Access it in a browser


9. Enter the container to see how nginx-ingress-controller actually implements it
[root@k8s-master-101 Ingress]# kubectl get pod -n ingress-nginx
NAME READY STATUS RESTARTS AGE
default-http-backend-86569b9d95-8ggjw 1/1 Running 25 15d
nginx-ingress-controller-6b46769f55-sf7kg 1/1 Running 21 14d
nginx-ingress-controller-6b46769f55-xx4tj 1/1 Running 16 15d
[root@k8s-master-101 Ingress]# kubectl exec -it nginx-ingress-controller-6b46769f55-sf7kg bash -n ingress-nginx
root@k8s-node1-102:/etc/nginx# more /etc/nginx/nginx.conf
10. The virtual host configuration inside
# the relevant configuration is in there
## start server bar.baz.com
server {
    server_name bar.baz.com ;
    listen 80;
    listen [::]:80;
    set $proxy_upstream_name "-";
    location / {
        set $namespace      "default";
        set $ingress_name   "httpd-test";
        set $service_name   "httpd";
        set $service_port   "80";
        set $location_path  "/";
        rewrite_by_lua_block {
            balancer.rewrite()
        }
        log_by_lua_block {
            balancer.log()
            monitor.call()
        }
        port_in_redirect off;
        set $proxy_upstream_name "default-nginx-80";
        client_max_body_size "1m";
        proxy_set_header Host $best_http_host;
        # Pass the extracted client certificate to the backend
        # Allow websocket connections
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Request-ID $req_id;
        proxy_set_header X-Real-IP $the_real_ip;
        proxy_set_header X-Forwarded-For $the_real_ip;
        proxy_set_header X-Forwarded-Host $best_http_host;
        proxy_set_header X-Forwarded-Port $pass_port;
        proxy_set_header X-Forwarded-Proto $pass_access_scheme;
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-Scheme $pass_access_scheme;
        # Pass the original X-Forwarded-For
        proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
        # mitigate HTTPoxy Vulnerability
        # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
        proxy_set_header Proxy "";
        # Custom headers to proxied server
        proxy_connect_timeout 5s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        proxy_buffering "off";
        proxy_buffer_size "4k";
        proxy_buffers 4 "4k";
        proxy_request_buffering "on";
        proxy_http_version 1.1;
        proxy_cookie_domain off;
        proxy_cookie_path off;
        # In case of errors try the next upstream server before returning an error
        proxy_next_upstream error timeout;
        proxy_next_upstream_tries 3;
        proxy_pass http://upstream_balancer;
        proxy_redirect off;
    }
}
11. Rough flow: first create the Deployment and the Pods it owns,
then create the Service, which is associated with the Deployment,
and finally create the Ingress, which is associated with the Service.
1. Certificates have to be generated again
mkdir -p /root/https
cd /root/https
cfssl print-defaults csr > ca-csr.json
vim ca-csr.json
[root@k8s-master-101 https]# cat ca-csr.json
{
    "CN": "wangxiaoyu",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
cfssl print-defaults config > ca-config.json
vim ca-config.json
[root@k8s-master-101 https]# cat ca-config.json
{
    "signing": {
        "default": {
            "expiry": "168h"
        },
        "profiles": {
            "www": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        }
    }
}
cfssl gencert --initca ca-csr.json | cfssljson -bare ca -
cfssl print-defaults csr > server-csr.json
vim server-csr.json
[root@k8s-master-101 https]# cat server-csr.json
{
    "CN": "www.wangxiaoyu.com",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem --config=ca-config.json --profile=www server-csr.json | cfssljson -bare server
kubectl create secret tls wangxiaoyu-https --key server-key.pem --cert server.pem
# check the Secret
[root@k8s-master-101 https]# kubectl get secret
NAME TYPE DATA AGE
default-token-lshw2 kubernetes.io/service-account-token 3 20d
wangxiaoyu-https kubernetes.io/tls 2 14d
2. cd …/Ingress/
vim https.yaml
[root@k8s-master-101 Ingress]# cat https.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: https-test
spec:
  tls:
  - hosts:
    - www.wangxiaoyu.com
    secretName: wangxiaoyu-https
  rules:
  - host: www.wangxiaoyu.com
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80
kubectl create -f https.yaml
3. Access it over HTTPS

4. Rough flow: generate the certificate, then create a Secret from the key and certificate, and specify its secretName in the Ingress YAML. Referencing that Secret in the Ingress resource is enough for the Ingress to load it and serve HTTPS.
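To make the translation described in step 9 of the HTTP section concrete, and to show how the tls section of https.yaml changes the generated server block, here is an added example (a simplified model written for this page, not ingress-nginx's own code) that renders Ingress objects into nginx server blocks in the style of the nginx.conf dump above. HTTP_INGRESS is a constructed copy of http.yaml; the /etc/ingress-controller/ssl/<namespace>-<secret>.pem certificate path and the upstream-default-backend name are assumptions.

```python
# Added example, not ingress-nginx's own code: a simplified model of what the
# controller does with Ingress objects, rendering one nginx server block per
# host. Names follow the dumped nginx.conf ("<namespace>-<service>-<port>"
# upstreams); the ssl path and "upstream-default-backend" are assumptions.
import json

HTTP_INGRESS = json.loads("""
{"metadata": {"name": "httpd-test", "namespace": "default"},
 "spec": {"rules": [
  {"host": "foo.bar.com", "http": {"paths": [{"backend": {"serviceName": "httpd", "servicePort": 80}}]}},
  {"host": "bar.baz.com", "http": {"paths": [{"backend": {"serviceName": "nginx", "servicePort": 80}}]}}]}}
""")  # constructed from the page's http.yaml
SSL_DIR = "/etc/ingress-controller/ssl"  # assumed location of the synced TLS secrets

def upstream_name(namespace, backend):
    return f"{namespace}-{backend['serviceName']}-{backend['servicePort']}"

def tls_secret_for(ingress, host):
    """secretName of the spec.tls entry listing `host`, or None (plain HTTP only)."""
    for entry in ingress["spec"].get("tls", []):
        if host in entry.get("hosts", []):
            return entry["secretName"]
    return None

def render(ingresses):
    """nginx server blocks; a Host matching no rule hits the 404 default backend."""
    out = ["server {", "    listen 80 default_server;", "    server_name _;",
           '    location / { set $proxy_upstream_name "upstream-default-backend";',
           "                 proxy_pass http://upstream_balancer; }", "}"]
    for ing in ingresses:
        ns, name = ing["metadata"]["namespace"], ing["metadata"]["name"]
        for rule in ing["spec"]["rules"]:
            host = rule["host"]
            out += [f"## start server {host}", "server {", f"    server_name {host} ;", "    listen 80;"]
            secret = tls_secret_for(ing, host)
            if secret:  # https.yaml: the Secret named by secretName is served as a PEM file
                out += ["    listen 443 ssl;",
                        f"    ssl_certificate {SSL_DIR}/{ns}-{secret}.pem;",
                        f"    ssl_certificate_key {SSL_DIR}/{ns}-{secret}.pem;"]
            for p in rule["http"]["paths"]:
                b = p["backend"]
                out += [f"    location {p.get('path', '/')} {{",
                        f'        set $namespace "{ns}";', f'        set $ingress_name "{name}";',
                        f'        set $service_name "{b["serviceName"]}";',
                        f'        set $proxy_upstream_name "{upstream_name(ns, b)}";',
                        '        proxy_set_header Proxy "";  # HTTPoxy mitigation, kept from the real config',
                        "        proxy_pass http://upstream_balancer;", "    }"]
            out.append("}")
    return "\n".join(out) + "\n"
```

Calling render([HTTP_INGRESS]) yields the two HTTP server blocks from the dump (minus the header and timeout directives), and adding the https.yaml object yields a block that also listens on 443 with the wangxiaoyu-https certificate.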