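3.1 Install the ingress controller
ingress official website
ingress repository
Bare-metal deployment of ingress-nginx
Pure-software solution: MetalLB
MetalLB provides a network load-balancer implementation for Kubernetes clusters that do not run on a supported cloud provider, effectively allowing LoadBalancer Services to be used in any cluster.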
[!Note] Kubernetes v1.22+ requires ingress-nginx >= 1.0, because networking.k8s.io/v1beta1 has been removed.
Ingress and IngressClass resources have graduated to networking.k8s.io/v1. Ingress and IngressClass types in the extensions/v1beta1 and networking.k8s.io/v1beta1 API versions are deprecated and will no longer be served in 1.22+. Persisted objects can be accessed via the networking.k8s.io/v1 API. Notable changes in v1 Ingress objects (v1beta1 field names are unchanged):
- spec.backend -> spec.defaultBackend
- serviceName -> service.name
- servicePort -> service.port.name (for string values)
- servicePort -> service.port.number (for numeric values)
- pathType no longer has a default value in v1; "Exact", "Prefix", or "ImplementationSpecific" must be specified
Other Ingress API updates:
- backends can now be resource or service backends
- path is no longer required to be a valid regular expression (#89778, @cmluciano) [SIG API Machinery, Apps, CLI, Network and Testing]
3.1.1 Deploy MetalLB
Modify the kube-proxy configuration
kubectl get configmap kube-proxy -n kube-system -o yaml | \
sed -e "s/strictARP: false/strictARP: true/" | \
kubectl apply -f - -n kube-system
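The `sed` above changes nothing when the ConfigMap contains no `strictARP: false` line, and `kubectl apply` then succeeds on an unchanged object. The following is an added example (not from the original page) that wraps the same substitution and fails unless the result contains `strictARP: true`; the function names and the sample ConfigMap are constructed for illustration.

```shell
# Added example, not from the original page. Function names are illustrative.

# Constructed sample of a kube-proxy ConfigMap (trimmed to the relevant keys).
sample_kube_proxy_cm() {
  cat <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-proxy
  namespace: kube-system
data:
  config.conf: |-
    apiVersion: kubeproxy.config.k8s.io/v1alpha1
    kind: KubeProxyConfiguration
    ipvs:
      strictARP: false
    mode: "ipvs"
EOF
}

# Read a ConfigMap on stdin and print the strictARP value:
# "true", "false", or "missing" when the key does not appear.
strict_arp_state() (
  v=$(sed -nE 's/^[[:space:]]*strictARP:[[:space:]]*(true|false).*$/\1/p' | head -n 1)
  printf '%s\n' "${v:-missing}"
)

# Apply the page's substitution, then refuse to emit anything unless the
# result really contains "strictARP: true".
patch_strict_arp() (
  patched=$(sed -e 's/strictARP: false/strictARP: true/')
  state=$(printf '%s\n' "$patched" | strict_arp_state)
  if [ "$state" != "true" ]; then
    echo "strictARP is '$state' after patching; not emitting the object" >&2
    exit 1
  fi
  printf '%s\n' "$patched"
)

# Usage against a cluster (same pipeline as above, with the check in the middle):
#   kubectl get configmap kube-proxy -n kube-system -o yaml \
#     | patch_strict_arp | kubectl apply -f - -n kube-system
```

When the check fails, `kubectl apply` receives empty input and errors out instead of re-applying the unmodified ConfigMap.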
Create the namespace
kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.11.0/manifests/namespace.yaml
This creates a namespace named metallb-system.
Deploy MetalLB
kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.11.0/manifests/metallb.yaml
The output is as follows
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
podsecuritypolicy.policy/controller created
podsecuritypolicy.policy/speaker created
serviceaccount/controller created
serviceaccount/speaker created
clusterrole.rbac.authorization.k8s.io/metallb-system:controller created
clusterrole.rbac.authorization.k8s.io/metallb-system:speaker created
role.rbac.authorization.k8s.io/config-watcher created
role.rbac.authorization.k8s.io/pod-lister created
role.rbac.authorization.k8s.io/controller created
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:controller created
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:speaker created
rolebinding.rbac.authorization.k8s.io/config-watcher created
rolebinding.rbac.authorization.k8s.io/pod-lister created
rolebinding.rbac.authorization.k8s.io/controller created
daemonset.apps/speaker created
deployment.apps/controller created
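Configuration
MetalLB supports Layer 2, BGP and other modes; a simple Layer 2 configuration is used here.
Layer 2 configuration: only an IP address pool needs to be configured.
tee metallb-config.yaml <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    address-pools:
    - name: default
      protocol: layer2
      addresses:
      - 192.168.122.191-192.168.122.200 # IP address pool; allocate according to your environment
EOF
Create the ConfigMap for MetalLB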
kubectl apply -f metallb-config.yaml
configmap/config created
Check the pod status
kubectl get po -n metallb-system
The output is as follows
NAME READY STATUS RESTARTS AGE
controller-7dcc8764f4-4tjwz 1/1 Running 0 88s
speaker-4v79r 1/1 Running 0 88s
speaker-jj6sc 1/1 Running 0 88s
speaker-tls42 1/1 Running 0 88s
3.2 Deploy ingress-nginx
Deploy ingress-nginx
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/baremetal/deploy.yaml
The output is as follows
namespace/ingress-nginx created
serviceaccount/ingress-nginx created
configmap/ingress-nginx-controller created
clusterrole.rbac.authorization.k8s.io/ingress-nginx created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx created
role.rbac.authorization.k8s.io/ingress-nginx created
rolebinding.rbac.authorization.k8s.io/ingress-nginx created
service/ingress-nginx-controller-admission created
service/ingress-nginx-controller created
deployment.apps/ingress-nginx-controller created
ingressclass.networking.k8s.io/nginx created
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission created
serviceaccount/ingress-nginx-admission created
clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
role.rbac.authorization.k8s.io/ingress-nginx-admission created
rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
job.batch/ingress-nginx-admission-create created
job.batch/ingress-nginx-admission-patch created
Check the pod status
kubectl get po -n ingress-nginx
NAME READY STATUS RESTARTS AGE
ingress-nginx-admission-create--1-ng9ct 0/1 Completed 0 55s
ingress-nginx-admission-patch--1-kkhst 0/1 Completed 0 55s
ingress-nginx-controller-778574f59b-bstjw 0/1 Running 0 56s
If MetalLB is deployed, the Service type can be changed from NodePort to LoadBalancer
kubectl patch svc -n ingress-nginx ingress-nginx-controller -p '{"spec":{"type": "LoadBalancer"}}'
service/ingress-nginx-controller patched
Verify the installation
kubectl get po -n ingress-nginx
NAME READY STATUS RESTARTS AGE
ingress-nginx-admission-create--1-ng9ct 0/1 Completed 0 2m
ingress-nginx-admission-patch--1-kkhst 0/1 Completed 0 2m
ingress-nginx-controller-778574f59b-bstjw 1/1 Running 0 2m1s
kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller LoadBalancer 10.102.200.139 192.168.122.191 80:31974/TCP,443:31677/TCP 107s
ingress-nginx-controller-admission ClusterIP 10.96.128.251 <none> 443/TCP 107s
An address from the pool, 192.168.122.191, has been assigned.
Check the installed version
POD_NAMESPACE=ingress-nginx
POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/component=controller -o jsonpath='{.items[0].metadata.name}')
kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version
-------------------------------------------------------------------------------
NGINX Ingress controller
Release: v1.1.1
Build: a17181e43ec85534a6fea968d95d019c5a4bc8cf
Repository: https://github.com/kubernetes/ingress-nginx
nginx version: nginx/1.19.9
-------------------------------------------------------------------------------
Example: proxying a backend application through ingress
Create the myapp application
kubectl apply -f - <<EOF
---
kind: Service
apiVersion: v1
metadata:
  name: myapp
spec:
  selector:
    app: myapp
  type: ClusterIP
  ports:
  - name: http
    port: 80
    targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
spec:
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp
        image: nginx:alpine
        resources:
          limits:
            memory: "128Mi"
            cpu: "500m"
        ports:
        - containerPort: 80
EOF
service/myapp created
deployment.apps/myapp created
Create the Ingress
kubectl apply -f - <<EOF
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-myapp
  annotations:
    # Select the Ingress controller class
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: myapp.hzde.com
    http:
      paths:
      - path: "/"
        pathType: Prefix
        backend:
          service:
            name: myapp
            port:
              number: 80
EOF
ingress.networking.k8s.io/test-myapp created
Add a hosts entry and try to access the application
Check the ports the ingress Service exposes on the nodes
kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller LoadBalancer 10.102.200.139 192.168.122.191 80:31974/TCP,443:31677/TCP 3m43s
ingress-nginx-controller-admission ClusterIP 10.96.128.251 <none> 443/TCP 3m43s
echo '192.168.122.191 myapp.hzde.com' >> /etc/hosts
curl myapp.hzde.com
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
Access myapp.hzde.com without modifying hosts
Specify the host in the request header
curl -H "Host:myapp.hzde.com" http://192.168.122.191
ingress HTTPS access
Reference: TLS/HTTPS
Create a self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginx/O=nginx"
Generating a 2048 bit RSA private key
......................................................+++
..........................+++
writing new private key to 'tls.key'
-----
Create the secret
kubectl create secret tls tls-secret --key tls.key --cert tls.crt
secret/tls-secret created
Create the TLS ingress
kubectl apply -f - <<EOF
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-myapp
  annotations:
    # Select the Ingress controller class
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - myapp2.hzde.com
    secretName: tls-secret
  rules:
  - host: myapp2.hzde.com
    http:
      paths:
      - path: "/"
        pathType: Prefix
        backend:
          service:
            name: myapp
            port:
              number: 80
EOF
ingress.networking.k8s.io/tls-myapp created
Test
echo '192.168.122.191 myapp2.hzde.com' >> /etc/hosts
curl -sSk https://myapp2.hzde.com
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
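The certificate created above has CN=nginx and no subjectAltName, so it cannot match myapp2.hzde.com, which is one reason the test needs `curl -k`. The following is an added example (not from the original page) that issues the self-signed certificate for the Ingress host and checks the match with `openssl x509 -checkhost`; the function names are illustrative and OpenSSL 1.1.1 or later is assumed.

```shell
# Added example, not from the original page. Function names are illustrative.
# Needs OpenSSL 1.1.1 or later for -addext.

# The page's certificate: CN=nginx, no subjectAltName. $1 = output directory.
make_page_cert() (
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$1/tls.key" -out "$1/tls.crt" -subj "/CN=nginx/O=nginx" 2>/dev/null
)

# Same command, but CN and subjectAltName carry the Ingress host name.
# $1 = host name, $2 = output directory.
make_host_cert() (
  host=$1; dir=$2
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$dir/tls.key" -out "$dir/tls.crt" \
    -subj "/CN=$host/O=nginx" -addext "subjectAltName=DNS:$host" 2>/dev/null
  chmod 600 "$dir/tls.key"   # keep the private key unreadable to other users
)

# Succeed only if the certificate ($1) is valid for the host name ($2).
cert_matches_host() (
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
)

# With a matching certificate the client can verify it instead of using -k:
#   make_host_cert myapp2.hzde.com .
#   kubectl create secret tls tls-secret --key tls.key --cert tls.crt
#   curl -sS --cacert tls.crt https://myapp2.hzde.com
```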
For advanced ingress usage, see the official documentation.