Ingress-Nginx Quick Start
I. Installing Ingress
1. Deploying Ingress-Nginx from a manifest file
Official documentation:
https://kubernetes.github.io/ingress-nginx/deploy/#bare-metal-clusters
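When deploying ingress-nginx in a Kubernetes cluster, the official recommendation is to listen on ports 80 and 443. Port 80 serves HTTP and port 443 serves HTTPS; these are the standard ports for web services and match how the internet is normally accessed. Clients can then reach the application directly at http://yourdomain.com without specifying a port number, as in http://yourdomain.com:8080. However, the port range that Kubernetes reserves for Services with NodePort visibility defaults to 30000-32767, so to use ports 80 and 443 here the api-server configuration parameters have to be changed as follows:
- Change the default port range of kube-apiserver
vim /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 172.16.192.31:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=172.16.192.31
    ...
    - --service-node-port-range=1-65535
- Modify the manifest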
~/k8s-cluster-repo# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/cloud/deploy.yaml
~/k8s-cluster-repo# cp deploy.yaml ingress-nginx.yaml
~/k8s-cluster-repo# diff deploy.yaml ingress-nginx.yaml
347c347,348
< externalTrafficPolicy: Local
---
> # externalTrafficPolicy: Local
> externalTrafficPolicy: Cluster # 修改Local为Cluster;流量可以转发到其他节点上的Pod
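Review bot: Changing `externalTrafficPolicy` from `Local` to `Cluster` on the controller Service means NodePort traffic is source-NATed on its way to the controller Pod, so the controller sees a node or overlay address instead of the client address. Access logs and any source-IP based allow-listing on Ingress resources lose the real client IP. If those matter, keep `Local` and make sure a controller Pod runs on every node that receives traffic, or state the trade-off in the comment on this line.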
356a358
> nodePort: 80 # 添加nodePort,指定监听80端口
361a364
> nodePort: 443 # 添加nodePort,指定监听443端口
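Review bot: `nodePort: 80` and `nodePort: 443` are only accepted because `--service-node-port-range` was widened to `1-65535` on the API server, and that range applies to every Service in the cluster, not only to this one. Any NodePort Service can now request, or be randomly allocated, a port that a node daemon already uses. Consider restricting who may create NodePort Services, and note next to these two lines that ports 80 and 443 must be free on every node.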
366c369,370
< type: LoadBalancer
---
> # type: LoadBalancer
> type: NodePort # 修改Service类型为NodePort
445c449,450
< image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
---
> # image: registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
> image: registry.cn-beijing.aliyuncs.com/dengyouf/ingress-nginx:controller-v1.12.0 # 替换镜像
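Review bot: The replacement `image:` line drops the `@sha256:` digest that the upstream line carried and pulls `controller-v1.12.0` by mutable tag from a third-party mirror, so nothing ties the running controller to the published build any more. Compare the mirror's digest with the upstream digest kept in the commented-out line and pin the mirror reference with `@sha256:<digest>` as well. The two `kube-webhook-certgen` hunks that follow have the same issue.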
547c552,553
< image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
---
> # image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
> image: registry.cn-beijing.aliyuncs.com/dengyouf/ingress-nginx:kube-webhook-certgen-v1.5.0 # 替换镜像
601c607,608
< image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
---
> # image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.0@sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
> image: registry.cn-beijing.aliyuncs.com/dengyouf/ingress-nginx:kube-webhook-certgen-v1.5.0 # 替换镜像
~/k8s-cluster-repo# kubectl apply -f ingress-nginx.yaml
~/k8s-cluster-repo# kubectl get pod -n ingress-nginx -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
ingress-nginx-admission-create-w88gz 0/1 Completed 0 6m2s 10.233.84.3 worker01 <none> <none>
ingress-nginx-admission-patch-bjp6m 0/1 Completed 0 6m2s 10.233.108.2 worker02 <none> <none>
ingress-nginx-controller-54b59c54-xzbms 1/1 Running 0 6m2s 10.233.108.3 worker02 <none> <none>
~/k8s-cluster-repo# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller NodePort 10.233.50.40 <none> 80:80/TCP,443:443/TCP 6m15s
ingress-nginx-controller-admission ClusterIP 10.233.26.25 <none> 443/TCP 6m15s
II. Using Ingress
2.1 Exposing a backend service
- Create the first Deployment
echo "---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demoapp-deploy-v10
  labels:
    app: demoapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demoapp
      version: v1.0
  strategy: {}
  template:
    metadata:
      labels:
        app: demoapp
        version: v1.0
    spec:
      containers:
      - name: demoapp-v10
        image: ikubernetes/demoapp:v1.0"|tee demoapp-deploy-v10.yaml|kubectl apply -f -
- Create the Service demoapp-v10
echo "---
apiVersion: v1
kind: Service
metadata:
  name: demoapp-v10-svc
  labels:
    app: demoapp
spec:
  type: ClusterIP
  ports:
  - name: http-80
    port: 80
    targetPort: 80
  selector:
    app: demoapp
    version: v1.0"|tee demoapp-v10-svc.yaml|kubectl apply -f -
- Create the Ingress rule
~# kubectl get svc/demoapp-v10-svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
demoapp-v10-svc ClusterIP 10.233.20.86 <none> 80/TCP 25s
echo "---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demoapp-v10-ingress
spec:
  rules:
  - host: demoapp-v10.linux.io
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: demoapp-v10-svc
            port:
              number: 80
  ingressClassName: nginx"|tee demoapp-v10-ingress.yaml|kubectl apply -f -
- Verify
~ curl -H 'Host: demoapp-v10.linux.io' 192.168.122.21
iKubernetes demoapp v1.0 !! ClientIP: 10.233.108.3, ServerName: demoapp-deploy-v10-65c669c5f4-r2c4f, ServerIP: 10.233.84.4!
2.2 URL rewriting
- Create the second Deployment
echo "---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demoapp-deploy-v11
  labels:
    app: demoapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demoapp
      version: v1.1
  strategy: {}
  template:
    metadata:
      labels:
        app: demoapp
        version: v1.1
    spec:
      containers:
      - name: demoapp-v11
        image: ikubernetes/demoapp:v1.1"|tee demoapp-deploy-v11.yaml|kubectl apply -f -
echo "---
apiVersion: v1
kind: Service
metadata:
  name: demoapp-v11-svc
  labels:
    app: demoapp
spec:
  type: ClusterIP
  ports:
  - name: http-80
    port: 80
    targetPort: 80
  selector:
    app: demoapp
    version: v1.1"|tee demoapp-v11-svc.yaml|kubectl apply -f -
~# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
demoapp-v10-svc ClusterIP 10.233.20.86 <none> 80/TCP 3m5s
demoapp-v11-svc ClusterIP 10.233.55.35 <none> 80/TCP 8s
- URL rewrite rules
echo '---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demoapp-ingress
  annotations:
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
  rules:
  - host: demoapp.linux.io
    http:
      paths:
      - path: /v10(/|$)(.*)
        pathType: ImplementationSpecific
        backend:
          service:
            name: demoapp-v10-svc
            port:
              number: 80
      - path: /v11(/|$)(.*)
        pathType: ImplementationSpecific
        backend:
          service:
            name: demoapp-v11-svc
            port:
              number: 80
  ingressClassName: nginx
' |tee demoapp-ingress.yaml|kubectl apply -f -
- Verify
~# curl -H 'Host: demoapp.linux.io' 192.168.122.22/v10
iKubernetes demoapp v1.0 !! ClientIP: 10.233.108.3, ServerName: demoapp-deploy-v10-65c669c5f4-r2c4f, ServerIP: 10.233.84.4!
~# curl -H 'Host: demoapp.linux.io' 192.168.122.22/v11
iKubernetes demoapp v1.1 !! ClientIP: 10.233.108.3, ServerName: demoapp-deploy-v11-579c9d54c-zhtsg, ServerIP: 10.233.108.4!
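How the two regex paths and `rewrite-target: /$2` above map a request path to a backend Service and to the URI that backend receives, as an added example that is not part of the original post. The function name `route` and the sample request paths are constructed for illustration, and the script only models the matching; it does not contact a cluster.

```shell
#!/bin/sh
# Added example (not from the original post): models the path matching of
# demoapp-ingress. It does not contact a cluster.

# "<path regex> <backend Service>" pairs, copied from the Ingress above.
RULES='/v10(/|$)(.*) demoapp-v10-svc
/v11(/|$)(.*) demoapp-v11-svc'

# route PATH: print "<Service> <URI sent upstream>" or "no-match PATH".
# The regex is anchored at the start of the path, as a regex location is in
# the generated nginx config. nginx also matches case-insensitively, which
# this model leaves out, so feed it lowercase paths.
route() {
  path=$1
  while read -r re svc; do
    if printf '%s\n' "$path" | grep -Eq "^$re"; then
      # rewrite-target: /$2 keeps only what the second group captured.
      uri=$(printf '%s\n' "$path" | sed -E "s#^$re#/\\2#")
      printf '%s %s\n' "$svc" "$uri"
      return 0
    fi
  done <<EOF
$RULES
EOF
  printf 'no-match %s\n' "$path"
}

# Constructed sample request paths.
for p in /v10 /v10/ /v10/hostname /v11/a/b /v100 /; do
  printf '%-14s -> %s\n' "$p" "$(route "$p")"
done
```

A path such as `/v100` matches neither rule because the first group requires `/` or the end of the path directly after the version prefix, so the request falls through to the controller's default backend.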
2.3 HTTPS
- Create the certificate
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=http-svc.linux.io/O=http-svc.linux.io"
kubectl create secret tls tls-secret --key tls.key --cert tls.crt
- Deploy the service
echo "apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-svc
spec:
  replicas: 1
  selector:
    matchLabels:
      app: http-svc
  template:
    metadata:
      labels:
        app: http-svc
    spec:
      containers:
      - name: http-svc
        image: dengyouf/echoserver:2.3
        ports:
        - containerPort: 8080
        env:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
---
apiVersion: v1
kind: Service
metadata:
  name: http-svc
  labels:
    app: http-svc
spec:
  ports:
  - port: 80
    targetPort: 8080
    protocol: TCP
    name: http
  selector:
    app: http-svc
" |tee http-svc.yaml|kubectl apply -f -
- Create the Ingress rule
echo "
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: http-svc-tls-ingress
spec:
  tls:
  - hosts:
    - http-svc.linux.io
    # This assumes tls-secret exists and the SSL
    # certificate contains a CN for http-svc.linux.io
    secretName: tls-secret
  ingressClassName: nginx
  rules:
  - host: http-svc.linux.io
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          # This assumes http-svc exists and routes to healthy endpoints
          service:
            name: http-svc
            port:
              number: 80
"|tee http-svc-tls-ingress.yaml|kubectl apply -f -
- Verify
~]# curl -H 'Host: http-svc.linux.io' -k https://192.168.122.21
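An added example, not from the original post: the certificate created above carries only a CN, which Go-based clients and current browsers ignore in favour of subjectAltName. The script issues the same certificate with a SAN and checks it before it goes into `tls-secret`; it assumes OpenSSL 1.1.1 or later (for `-addext`), and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are illustrative.
HOST=http-svc.linux.io

# make_cert DIR [SAN]: same openssl req call as above, writing DIR/tls.key and
# DIR/tls.crt; when SAN is given it is added as a subjectAltName DNS entry.
make_cert() {
  dir=$1; san=${2:-}
  set -- req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$dir/tls.key" -out "$dir/tls.crt" -subj "/CN=$HOST/O=$HOST"
  if [ -n "$san" ]; then
    set -- "$@" -addext "subjectAltName=DNS:$san"
  fi
  openssl "$@" 2>/dev/null
}

# cert_sans FILE: print the DNS names from the SAN extension, one per line
# (prints nothing for a CN-only certificate).
cert_sans() {
  openssl x509 -in "$1" -noout -text | awk '
    /Subject Alternative Name/ {
      getline; gsub(/ /, "")
      n = split($0, names, ",")
      for (i = 1; i <= n; i++) if (sub(/^DNS:/, "", names[i])) print names[i]
    }'
}

# key_matches_cert DIR: succeed only if tls.key is the private key for tls.crt,
# which is what "kubectl create secret tls" expects.
key_matches_cert() {
  [ "$(openssl x509 -in "$1/tls.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$1/tls.key" -pubout)" ]
}

# Demo in a throwaway directory: CN-only certificate vs. one with a SAN.
if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d) && mkdir "$work/cn-only" "$work/with-san"
  make_cert "$work/cn-only"
  make_cert "$work/with-san" "$HOST"
  for d in cn-only with-san; do
    printf '%s: SAN=[%s] key-ok=%s\n' "$d" "$(cert_sans "$work/$d/tls.crt")" \
      "$(key_matches_cert "$work/$d" && echo yes || echo no)"
  done
  rm -rf "$work"
fi
```

With a SAN-bearing certificate in the Secret, the verification step can check the certificate instead of skipping it with `-k`: `curl --cacert tls.crt --resolve http-svc.linux.io:443:192.168.122.21 https://http-svc.linux.io/`.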