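3.1 Installing the ingress controller

ingress official website

ingress repository

Bare-metal deployment of ingress-nginx: MetalLB, a pure-software solution

MetalLB provides a network load-balancer implementation for Kubernetes clusters that do not run on a supported cloud provider, effectively allowing LoadBalancer Services to be used in any cluster.

MetalLB repository

MetalLB installation documentation

[!Note] Kubernetes v1.22+ requires ingress-nginx >= 1.0, because networking.k8s.io/v1beta1 has been removed.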

Ingress and IngressClass resources have graduated to networking.k8s.io/v1. Ingress and IngressClass types in the extensions/v1beta1 and networking.k8s.io/v1beta1 API versions are deprecated and will no longer be served in 1.22+. Persisted objects can be accessed via the networking.k8s.io/v1 API. Notable changes in v1 Ingress objects (v1beta1 field names are unchanged):

  • spec.backend -> spec.defaultBackend
  • serviceName -> service.name
  • servicePort -> service.port.name (for string values)
  • servicePort -> service.port.number (for numeric values)
  • pathType no longer has a default value in v1; "Exact", "Prefix", or "ImplementationSpecific" must be specified

Other Ingress API updates:

  • backends can now be resource or service backends
  • path is no longer required to be a valid regular expression (#89778, @cmluciano) [SIG API Machinery, Apps, CLI, Network and Testing]

See CHANGELOG-1.19 for details.
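
Added example, not from the original page or the Kubernetes project: a pre-upgrade check that flags the v1beta1 constructs from the list above in a manifest. The function name lint_ingress_v1 and the legacy-myapp manifest are constructed for illustration; the check assumes files that hold only Ingress objects in block-style YAML with two-space indentation.

```shell
# lint_ingress_v1 FILE: report v1beta1-only constructs, one "FILE:LINE: msg"
# per finding; exit status 1 if any were found.
# Assumes FILE holds only Ingress objects, block-style YAML, 2-space indent.
lint_ingress_v1() {
  awk -v f="$1" '
    function report(n, msg) { printf "%s:%d: %s\n", f, n, msg; bad = 1 }
    function close_item() {   # a paths[] entry ended: did it set pathType?
      if (item && !haspt) report(item, "paths entry without pathType")
      item = 0; haspt = 0
    }
    { ind = match($0, /[^ ]/) - 1 }              # indentation of this line
    /^---/ { close_item(); paths = 0; next }     # next YAML document
    /^apiVersion: *(extensions|networking\.k8s\.io)\/v1beta1/ {
      report(NR, "apiVersion not served in 1.22+, use networking.k8s.io/v1") }
    /^  backend:/ { report(NR, "spec.backend -> spec.defaultBackend") }
    /serviceName:/ { report(NR, "serviceName -> service.name") }
    /servicePort:/ {
      v = $0; sub(/.*servicePort: */, "", v); gsub(/ /, "", v)
      report(NR, "servicePort -> service.port." (v ~ /^[0-9]+$/ ? "number" : "name")) }
    /^ *paths:/ { close_item(); paths = 1; pind = ind; next }
    paths && NF && (ind < pind || (ind == pind && $0 !~ /^ *- /)) {
      close_item(); paths = 0 }
    paths && /^ *- / { close_item(); item = NR }
    paths && /pathType:/ { haspt = 1 }
    END { close_item(); exit bad + 0 }
  ' "$1"
}

# Constructed sample: the myapp Ingress written the v1beta1 way.
legacy=$(mktemp)
cat > "$legacy" <<'EOF'
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: legacy-myapp
spec:
  backend:
    serviceName: myapp
    servicePort: http
  rules:
  - host: myapp.hzde.com
    http:
      paths:
      - path: /
        backend:
          serviceName: myapp
          servicePort: 80
EOF
lint_ingress_v1 "$legacy" || echo "fix the findings before upgrading to 1.22+"
```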

3.1.1 Deploying MetalLB

Modify the kube-proxy configuration

kubectl get configmap kube-proxy -n kube-system -o yaml | \
sed -e "s/strictARP: false/strictARP: true/" | \
kubectl apply -f - -n kube-system

Create the namespace

kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.11.0/manifests/namespace.yaml

This creates a namespace named metallb-system.

Deploy MetalLB

kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.11.0/manifests/metallb.yaml

The output is as follows:

Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
podsecuritypolicy.policy/controller created
podsecuritypolicy.policy/speaker created
serviceaccount/controller created
serviceaccount/speaker created
clusterrole.rbac.authorization.k8s.io/metallb-system:controller created
clusterrole.rbac.authorization.k8s.io/metallb-system:speaker created
role.rbac.authorization.k8s.io/config-watcher created
role.rbac.authorization.k8s.io/pod-lister created
role.rbac.authorization.k8s.io/controller created
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:controller created
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:speaker created
rolebinding.rbac.authorization.k8s.io/config-watcher created
rolebinding.rbac.authorization.k8s.io/pod-lister created
rolebinding.rbac.authorization.k8s.io/controller created
daemonset.apps/speaker created
deployment.apps/controller created

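Configuration

MetalLB supports Layer 2, BGP and other modes; the simple Layer 2 configuration is used here.

Layer 2 configuration: only an IP address pool needs to be configured.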

tee metallb-config.yaml <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    address-pools:
    - name: default
      protocol: layer2
      addresses:
      - 192.168.122.191-192.168.122.200 # IP address pool; allocate according to your environment
EOF

Create the ConfigMap for MetalLB

kubectl apply -f metallb-config.yaml
configmap/config created

Check the pod status

kubectl get po -n metallb-system

The output is as follows:

NAME                          READY   STATUS    RESTARTS   AGE
controller-7dcc8764f4-4tjwz   1/1     Running   0          88s
speaker-4v79r                 1/1     Running   0          88s
speaker-jj6sc                 1/1     Running   0          88s
speaker-tls42                 1/1     Running   0          88s

3.2 Deploying ingress-nginx

Deploy ingress-nginx

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/baremetal/deploy.yaml

The output is as follows:

namespace/ingress-nginx created
serviceaccount/ingress-nginx created
configmap/ingress-nginx-controller created
clusterrole.rbac.authorization.k8s.io/ingress-nginx created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx created
role.rbac.authorization.k8s.io/ingress-nginx created
rolebinding.rbac.authorization.k8s.io/ingress-nginx created
service/ingress-nginx-controller-admission created
service/ingress-nginx-controller created
deployment.apps/ingress-nginx-controller created
ingressclass.networking.k8s.io/nginx created
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission created
serviceaccount/ingress-nginx-admission created
clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
role.rbac.authorization.k8s.io/ingress-nginx-admission created
rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
job.batch/ingress-nginx-admission-create created
job.batch/ingress-nginx-admission-patch created

Check that the pods are running

kubectl get po -n ingress-nginx
NAME                                        READY   STATUS      RESTARTS   AGE
ingress-nginx-admission-create--1-ng9ct     0/1     Completed   0          55s
ingress-nginx-admission-patch--1-kkhst      0/1     Completed   0          55s
ingress-nginx-controller-778574f59b-bstjw   0/1     Running     0          56s

With MetalLB deployed, the Service type can be changed from NodePort to LoadBalancer

kubectl patch svc -n ingress-nginx ingress-nginx-controller  -p '{"spec":{"type": "LoadBalancer"}}'
service/ingress-nginx-controller patched

Verify the installation

kubectl get po -n ingress-nginx
NAME                                        READY   STATUS      RESTARTS   AGE
ingress-nginx-admission-create--1-ng9ct     0/1     Completed   0          2m
ingress-nginx-admission-patch--1-kkhst      0/1     Completed   0          2m
ingress-nginx-controller-778574f59b-bstjw   1/1     Running     0          2m1s

kubectl get svc -n ingress-nginx
NAME                                 TYPE           CLUSTER-IP       EXTERNAL-IP       PORT(S)                      AGE
ingress-nginx-controller             LoadBalancer   10.102.200.139   192.168.122.191   80:31974/TCP,443:31677/TCP   107s
ingress-nginx-controller-admission   ClusterIP      10.96.128.251    <none>            443/TCP                      107s

An address from the pool, 192.168.122.191, has been assigned.

Check the installed version

POD_NAMESPACE=ingress-nginx
POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/component=controller -o jsonpath='{.items[0].metadata.name}')
kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version
-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       v1.1.1
  Build:         a17181e43ec85534a6fea968d95d019c5a4bc8cf
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.19.9

-------------------------------------------------------------------------------

Example: proxying a backend application through ingress

Create the myapp application

kubectl apply -f - <<EOF
---
kind: Service
apiVersion: v1
metadata:
  name: myapp
spec:
  selector:
    app: myapp
  type: ClusterIP
  ports:
  - name: http
    port: 80
    targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
spec:
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp
        image: nginx:alpine
        resources:
          limits:
            memory: "128Mi"
            cpu: "500m"
        ports:
        - containerPort: 80
EOF
service/myapp created
deployment.apps/myapp created

Create the Ingress

kubectl apply -f - <<EOF
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-myapp
  annotations:
    # Specify the type of Ingress Controller
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: myapp.hzde.com
    http:
      paths:
      - path: "/"
        pathType: Prefix
        backend:
          service:
            name: myapp
            port:
              number: 80
EOF
ingress.networking.k8s.io/test-myapp created

Add a hosts entry and try to access the application

Check the node ports that correspond to the ingress

kubectl get svc -n ingress-nginx
NAME                                 TYPE           CLUSTER-IP       EXTERNAL-IP       PORT(S)                      AGE
ingress-nginx-controller             LoadBalancer   10.102.200.139   192.168.122.191   80:31974/TCP,443:31677/TCP   3m43s
ingress-nginx-controller-admission   ClusterIP      10.96.128.251    <none>            443/TCP                      3m43s
echo '192.168.122.191 myapp.hzde.com' >> /etc/hosts
curl myapp.hzde.com
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

Access myapp.hzde.com without modifying hosts

Specify the host in the request header

curl -H "Host:myapp.hzde.com" http://192.168.122.191

HTTPS access through ingress

Reference documentation: TLS/HTTPS

Create a self-signed certificate

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginx/O=nginx"
Generating a 2048 bit RSA private key
......................................................+++
..........................+++
writing new private key to 'tls.key'
-----

Create the secret

kubectl create secret tls tls-secret --key tls.key --cert tls.crt
secret/tls-secret created

Create the TLS Ingress

kubectl apply -f - <<EOF
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-myapp
  annotations:
    # Specify the type of Ingress Controller
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - myapp2.hzde.com
    secretName: tls-secret
  rules:
  - host: myapp2.hzde.com
    http:
      paths:
      - path: "/"
        pathType: Prefix
        backend:
          service:
            name: myapp
            port:
              number: 80
EOF
ingress.networking.k8s.io/tls-myapp created

Test

echo '192.168.122.191 myapp2.hzde.com' >> /etc/hosts

curl -sSk https://myapp2.hzde.com
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
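
Added example, not part of the original page: the certificate created above has CN=nginx and no subjectAltName, so it does not match myapp2.hzde.com and the test only succeeds because curl -k skips verification. The functions below (hypothetical names, OpenSSL 1.1.1+ assumed for -addext) create a certificate that names the Ingress host and check host match and remaining validity before the pair goes into tls-secret.

```shell
# make_ingress_cert HOST DIR: self-signed pair in DIR/tls.key and DIR/tls.crt
# with HOST as subject CN and as subjectAltName (-addext needs OpenSSL 1.1.1+).
make_ingress_cert() {
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$2/tls.key" -out "$2/tls.crt" \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null &&
  chmod 600 "$2/tls.key"      # private key readable by its owner only
}

# make_cn_only_cert DIR: the same command as on the page (CN=nginx, no SAN).
make_cn_only_cert() {
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$1/tls.key" -out "$1/tls.crt" -subj "/CN=nginx/O=nginx" 2>/dev/null
}

# cert_matches_host CRT HOST: true only if a verifying client would accept
# CRT for HOST. openssl prints "does match" or "does NOT match".
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# cert_valid_for CRT DAYS: true if CRT is still valid DAYS days from now.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

work=$(mktemp -d) && mkdir "$work/page" "$work/san"
make_cn_only_cert "$work/page"
make_ingress_cert myapp2.hzde.com "$work/san"
for c in page san; do
  if cert_matches_host "$work/$c/tls.crt" myapp2.hzde.com
  then echo "$c: valid for myapp2.hzde.com"
  else echo "$c: name mismatch, only accepted with curl -k"
  fi
done
# Next steps with the san pair (as on the page, but verifying the server):
#   kubectl create secret tls tls-secret --key tls.key --cert tls.crt
#   curl --cacert tls.crt https://myapp2.hzde.com
```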

For advanced ingress usage, see the official documentation.

Copyright © huangzhongde.cn 2021 all rights reserved, powered by Gitbook. File last revised: 2022-01-28 21:41:24
