Kubernetes Cluster Service Exposure: Nginx Ingress Controller

I. Ingress controllers

1.1 What an ingress controller does

(Similar to an SLB: it acts as a proxy.) An ingress controller provides a proxy service through which users outside the Kubernetes cluster reach pods inside the cluster.

It provides a global access proxy. Access flow: user -> ingress controller -> service -> pod

1.2 Types of ingress controller
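1.2.1 Kubernetes Ingress Controller

Reference: http://github.com/nginxinc/kubernetes-ingress
Implementation: Go/Lua (nginx is written in C)
License: Apache 2.0

This is the "official" Kubernetes controller; it is called official to distinguish it from NGINX Inc.'s controller. It is developed by the community, is based on the nginx web server, and adds a set of Lua plugins that implement extra functionality. Because NGINX is so popular, and because few modifications are needed to use it as a controller, it is probably the simplest and most direct choice for the average K8s engineer.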
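1.2.2 NGINX Ingress Controller

Reference: http://github.com/kubernetes/ingress-nginx
Implementation: Go
License: Apache 2.0

This is the official product developed by NGINX Inc.; there is also a commercial version based on NGINX Plus. NGINX's controller offers high stability, continuous backward compatibility, and no third-party modules. Because the Lua code is eliminated, it guarantees higher speed than the official controller, but it is also considerably more limited as a result. By comparison, its paid version has a wider range of additional features, such as real-time metrics, JWT validation, and active health checks. An important advantage of NGINX Ingress is its full support for TCP/UDP traffic; its main drawback is the lack of traffic distribution features.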
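1.2.3 Kong Ingress

Reference: http://github.com/Kong/kubernetes-ingress-controller
Implementation: Go
License: Apache 2.0

Kong Ingress is developed by Kong Inc and comes in two versions, commercial and free. It is built on NGINX and adds Lua modules that extend its functionality. Originally, Kong Ingress was mainly used as an API gateway for processing and routing API requests. It has since become a mature Ingress controller whose main advantage is a large number of additional modules and plugins (including third-party plugins) that are easy to install and configure. It pioneered controllers with extensive add-on functionality, and its built-in functions also open up many possibilities. Kong Ingress is configured through CRDs. An important characteristic of Kong Ingress is that it can run in only one environment and does not work across namespaces. This is a controversial topic: some consider it a drawback, because an instance has to be created for every environment, while others see it as a feature, because it gives a higher level of isolation and the impact of a controller failure is limited to its own environment.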
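1.2.4 Traefik

Reference: http://github.com/containous/traefik
Implementation: Go
License: MIT

This proxy was originally created for routing requests for microservices and their dynamic environments, so it has many useful features: continuous configuration updates (no restarts), support for multiple load-balancing algorithms, a Web UI, metrics export, support for various service protocols, a REST API, canary releases, and so on. Out-of-the-box support for Let’s Encrypt is another nice feature. Its main drawback is just as clear: for the controller to be highly available, you must install and connect its own key-value store. Traefik v2.0, released in September 2019, added many good new features such as TCP/SSL with SNI, canary deployments, traffic mirroring/shadowing, and an improved Web UI, but some features (such as WAF support) are still being planned and discussed. Released together with the new version was a service mesh called Mesh, built on top of Traefik, which makes access to services inside Kubernetes controlled and monitored.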
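1.2.5 HAProxy Ingress

Reference: http://github.com/jcmoraisjr/haproxy-ingress
Implementation: Go (HAProxy is written in C)
License: Apache 2.0

HAProxy is a well-known proxy server and load balancer. As part of a Kubernetes cluster it offers "soft" configuration updates (no traffic loss), DNS-based service discovery, and dynamic configuration through an API. HAProxy also supports fully customized configuration file templates (by replacing a ConfigMap) and the use of Spring Boot functions inside them. In general, engineers focus on high speed, optimization, and efficient use of consumed resources, and one of HAProxy's strengths is precisely its support for a large number of load-balancing algorithms. It is worth mentioning that v2.0, released in June 2020, added many new features, and the upcoming v2.1 is expected to bring more, including OpenTracing support.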
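1.2.6 Voyager

Reference: http://github.com/appscode/voyager
Implementation: Go
License: Apache 2.0

Voyager is based on HAProxy and is offered as a universal solution across a large number of providers. Its most representative features include traffic load balancing at L7 and L4, of which TCP L4 load balancing can be called one of the solution's key features. Although Voyager introduced full support for the HTTP/2 and gRPC protocols in v9.0.0 earlier in 2020, overall the support for certificate management (Let’s Encrypt certificates) remains the most prominent new feature integrated into Voyager.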
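1.2.7 Contour

Reference: http://github.com/heptio/contour
Implementation: Go
License: Apache 2.0

Contour was developed by the same authors as Envoy and is based on Envoy. Its most distinctive feature is that Ingress resources can be managed through a CRD (IngressRoute). For organizations in which several teams share one cluster, this helps protect traffic in neighbouring environments from the effects of changes to Ingress resources. It also provides an extended set of load-balancing algorithms (mirroring, automatic repeat, request rate limiting, and so on) as well as detailed traffic and failure monitoring. For some engineers, its lack of sticky-session support may be a serious drawback.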
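1.2.8 Istio Ingress

Reference: http://istio.io/docs/tasks/traffic-management/ingress
Implementation: Go
License: Apache 2.0

Istio is a joint project of IBM, Google, and Lyft. It is a comprehensive service mesh solution: it can manage all incoming external traffic (as an Ingress controller) and also control all traffic inside the cluster. Istio uses Envoy as a sidecar proxy for each service. In essence it is a large processor that can do almost anything; its central idea is maximum control, extensibility, security, and transparency. With Istio Ingress you can tune traffic routing, access authorization between services, balancing, monitoring, canary releases, and more.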
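1.2.9 Ambassador

Reference: http://github.com/datawire/ambassador
Implementation: Python
License: Apache 2.0

Ambassador is another Envoy-based solution and comes in free and commercial versions. It is described as a "Kubernetes-native API gateway for microservices": it integrates tightly with K8s primitives and has the feature set you would expect from an Ingress controller. It can also be used together with various service mesh solutions such as Linkerd and Istio. Incidentally, the Ambassador blog recently published benchmark results comparing the basic performance of Envoy, HAProxy, and NGINX.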
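1.2.10 Gloo

Reference: http://github.com/solo-io/gloo
Implementation: Go
License: Apache 2.0

Gloo is new software built on top of Envoy and was released in March 2018. Because its authors insist that "gateways should build APIs from functions rather than services", it is also called a "function gateway". Its "function-level routing" means that it can route traffic for hybrid applications whose backends are a mix of microservices, serverless functions, and legacy applications. Thanks to its pluggable architecture, Gloo provides most of the features engineers expect, but some of them are available only in its commercial version (Gloo Enterprise).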
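1.2.11 Skipper

Reference: http://github.com/zalando/skipper
Implementation: Go
License: Apache 2.0

Skipper is an HTTP router and reverse proxy, so it does not support a variety of protocols. Technically, it uses the Endpoints API (rather than Kubernetes Services) to route traffic to pods. Its strength lies in the advanced HTTP routing provided by its rich set of filters, with which engineers can create, update, and delete all HTTP data. Skipper's routing rules can be updated without downtime. As its authors state, Skipper works well together with other solutions such as AWS ELB.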
II. nginx ingress controller

2.1 Where the nginx ingress controller sits

Reference: https://www.nginx.com/products/nginx/kubernetes-ingress-controller

2.2 Deploying the nginx ingress controller

Project: https://github.com/kubernetes/ingress-nginx
2.2.1 Download and modify the manifest

# -k turns off TLS certificate verification for this download
[root@k8s-master1 ~]# curl -k https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/baremetal/deploy.yaml -o deploy.yaml

[root@k8s-master1 ~]# ls
deploy.yaml

[root@k8s-master1 ~]# vim deploy.yaml
......
323 spec:
324   ports:
325   - appProtocol: http
326     name: http
327     port: 80
328     protocol: TCP
329     targetPort: http
330   - appProtocol: https
331     name: https
332     port: 443
333     protocol: TCP
334     targetPort: https
335   selector:
336     app.kubernetes.io/component: controller
337     app.kubernetes.io/instance: ingress-nginx
338     app.kubernetes.io/name: ingress-nginx
339   type: NodePort

Change line 339 to LoadBalancer:

323 spec:
324   ports:
325   - appProtocol: http
326     name: http
327     port: 80
328     protocol: TCP
329     targetPort: http
330   - appProtocol: https
331     name: https
332     port: 443
333     protocol: TCP
334     targetPort: https
335   selector:
336     app.kubernetes.io/component: controller
337     app.kubernetes.io/instance: ingress-nginx
338     app.kubernetes.io/name: ingress-nginx
339   type: LoadBalancer

2.2.2 Apply the manifest

[root@k8s-master1 ~]# kubectl apply -f deploy.yaml
namespace/ingress-nginx created
serviceaccount/ingress-nginx created
serviceaccount/ingress-nginx-admission created
role.rbac.authorization.k8s.io/ingress-nginx created
role.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrole.rbac.authorization.k8s.io/ingress-nginx created
clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission created
rolebinding.rbac.authorization.k8s.io/ingress-nginx created
rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
configmap/ingress-nginx-controller created
service/ingress-nginx-controller created
service/ingress-nginx-controller-admission created
deployment.apps/ingress-nginx-controller created
job.batch/ingress-nginx-admission-create created
job.batch/ingress-nginx-admission-patch created
ingressclass.networking.k8s.io/nginx created
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission created

2.2.3 Verify the deployment

Note: the images are large; you can pull them onto the cluster nodes in advance.

[root@k8s-master1 ~]# kubectl get pods -n ingress-nginx
NAME                                      READY   STATUS      RESTARTS   AGE
ingress-nginx-admission-create-xdpgp      0/1     Completed   0          91s
ingress-nginx-admission-patch-lgnxs       0/1     Completed   1          91s
ingress-nginx-controller-9596689c-j9p9l   1/1     Running     0          91s

[root@k8s-master1 ng]# kubectl get all -n ingress-nginx
NAME                                          READY   STATUS      RESTARTS   AGE
pod/ingress-nginx-admission-create-xdpgp      0/1     Completed   0          3m24s
pod/ingress-nginx-admission-patch-lgnxs       0/1     Completed   1          3m24s
pod/ingress-nginx-controller-9596689c-j9p9l   1/1     Running     0          3m24s

NAME                                         TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)                      AGE
service/ingress-nginx-controller             LoadBalancer   10.96.183.188   192.168.10.91   80:32369/TCP,443:31775/TCP   3m25s
service/ingress-nginx-controller-admission   ClusterIP      10.96.212.14    <none>          443/TCP                      3m25s

NAME                                       READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/ingress-nginx-controller   1/1     1            1           3m24s

NAME                                                DESIRED   CURRENT   READY   AGE
replicaset.apps/ingress-nginx-controller-9596689c   1         1         1       3m24s

NAME                                       COMPLETIONS   DURATION   AGE
job.batch/ingress-nginx-admission-create   1/1           2s         3m24s
job.batch/ingress-nginx-admission-patch    1/1           3s         3m24s

2.3 Ingress object use cases
2.3.1 ingress-http example (name-based load balancing)

2.3.1.1 Create a Deployment-type application

[root@k8s-master1 ~]# vim nginx.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: ingress-nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: c1
        image: nginx:1.15-alpine
        imagePullPolicy: IfNotPresent

Apply the YAML:

[root@k8s-master1 ~]# kubectl apply -f nginx.yml
deployment.extensions/nginx created

Verify the pods:

[root@k8s-master1 ~]# kubectl get pods -n ingress-nginx
NAME                                        READY   STATUS    RESTARTS   AGE
nginx-79654d7b8-nhxpm                       1/1     Running   0          12s
nginx-79654d7b8-tp8wg                       1/1     Running   0          13s
nginx-ingress-controller-77db54fc46-kwwkt   1/1     Running   0          11m

2.3.1.2 Create the service
[root@k8s-master1 ~]# vim nginx-service.yml
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  namespace: ingress-nginx
  labels:
    app: nginx
spec:
  ports:
  - port: 80
    targetPort: 80
  selector:
    app: nginx

Apply the YAML:

[root@k8s-master1 ~]# kubectl apply -f nginx-service.yml
service/nginx-service created

Verify the service:

[root@k8s-master1 ~]# kubectl get svc -n ingress-nginx
NAME            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
nginx-service   ClusterIP   10.2.115.144   <none>        80/TCP    5s

2.3.1.3 Create the ingress object
[root@k8s-master1 ~]# vim ingress-nginx.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-nginx                  # custom ingress name
  namespace: ingress-nginx
  annotations:
    # annotation values must be strings, so true is quoted
    ingressclass.kubernetes.io/is-default-class: "true"
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: www.kubemsb.com              # custom domain name
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: nginx-service        # the service created above
            port:
              number: 80

Apply the YAML:

[root@k8s-master1 ~]# kubectl apply -f ingress-nginx.yaml
ingress.extensions/ingress-nginx created

Verify the ingress:

[root@k8s-master1 ~]# kubectl get ingress -n ingress-nginx
NAME            CLASS    HOSTS             ADDRESS         PORTS   AGE
ingress-nginx   <none>   www.kubemsb.com   192.168.10.12   80      113s

Describe the ingress to view its details:

[root@k8s-master1 ~]# kubectl describe ingress ingress-nginx -n ingress-nginx
Name:             ingress-nginx
Namespace:        ingress-nginx
Address:          192.168.10.12
Default backend:  default-http-backend:80 (error: endpoints default-http-backend not found)
Rules:
  Host             Path  Backends
  ----             ----  --------
  www.kubemsb.com
                   /     nginx-service:80 (10.244.159.160:80,10.244.194.110:80)
Annotations:      kubernetes.io/ingress.class: nginx
Events:
  Type    Reason  Age                 From                      Message
  ----    ------  ----                ----                      -------
  Normal  Sync    2m (x2 over 2m56s)  nginx-ingress-controller  Scheduled for sync

[root@k8s-master1 ~]# kubectl get pods -o wide -n ingress-nginx
NAME                     READY   STATUS    RESTARTS   AGE     IP               NODE          NOMINATED NODE   READINESS GATES
nginx-646d5c7b67-mpw9r   1/1     Running   0          4m15s   10.244.194.110   k8s-worker1   <none>           <none>
nginx-646d5c7b67-v99gz   1/1     Running   0          4m15s   10.244.159.160   k8s-master1   <none>           <none>

You can see that the IPs of the two pods match the backend IPs listed for the ingress host. Confirm that the nginx-ingress-controller IP (the EXTERNAL-IP of its Service) is 192.168.10.91.
2.3.1.4 Simulate client access

1. Confirm the nginx-ingress-controller IP (the EXTERNAL-IP of its Service); the query below returns 192.168.10.91.

[root@k8s-master1 ~]# kubectl get svc -n ingress-nginx | grep ingress
ingress-nginx-controller             LoadBalancer   10.96.183.188   192.168.10.91   80:32369/TCP,443:31775/TCP   11m
ingress-nginx-controller-admission   ClusterIP      10.96.212.14    <none>          443/TCP                      11m

2. On any host outside the cluster, add a name resolution entry for the domain name and IP address above (this simulates public DNS).

[root@otherhost ~]# vim /etc/hosts
192.168.10.91 www.kubemsb.com

3. Prepare the web home page served by the containers in the pods.

[root@k8s-master1 ~]# kubectl get pods -n ingress-nginx
nginx-646d5c7b67-mpw9r   1/1     Running   0          8m34s
nginx-646d5c7b67-v99gz   1/1     Running   0          8m34s

[root@k8s-master1 ~]# kubectl exec -it nginx-646d5c7b67-mpw9r -n ingress-nginx -- /bin/sh
/ # echo "ingress web1" > /usr/share/nginx/html/index.html
/ # exit

[root@k8s-master1 ~]# kubectl exec -it nginx-646d5c7b67-v99gz -n ingress-nginx -- /bin/sh
/ # echo "ingress web2" > /usr/share/nginx/html/index.html
/ # exit

4. Access the site and check the result.

[root@otherhost ~]# curl www.kubemsb.com
ingress web1
[root@otherhost ~]# curl www.kubemsb.com
ingress web2

2.3.2 ingress-http example, extended (URI-based load balancing)

2.3.2.1 Create the first application
[root@k8s-master1 ~]# vim nginx-uri-1.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-uri-1
  namespace: ingress-nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx-uri-1
  template:
    metadata:
      labels:
        app: nginx-uri-1
    spec:
      containers:
      - name: c1
        image: nginx:1.15-alpine
        imagePullPolicy: IfNotPresent

[root@k8s-master1 ~]# vim nginx-service-uri-1.yml
apiVersion: v1
kind: Service
metadata:
  name: nginx-service-uri-1
  namespace: ingress-nginx
  labels:
    app: nginx-uri-1
spec:
  ports:
  - port: 80
    targetPort: 80
  selector:
    app: nginx-uri-1

# kubectl apply -f nginx-uri-1.yml
# kubectl apply -f nginx-service-uri-1.yml

2.3.2.2 Create the second application
[root@k8s-master1 ~]# vim nginx-uri-2.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-uri-2
  namespace: ingress-nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx-uri-2
  template:
    metadata:
      labels:
        app: nginx-uri-2
    spec:
      containers:
      - name: c1
        image: nginx:1.15-alpine
        imagePullPolicy: IfNotPresent

[root@k8s-master1 ~]# vim nginx-service-uri-2.yml
apiVersion: v1
kind: Service
metadata:
  name: nginx-service-uri-2
  namespace: ingress-nginx
  labels:
    app: nginx-uri-2
spec:
  ports:
  - port: 80
    targetPort: 80
  selector:
    app: nginx-uri-2

# kubectl apply -f nginx-uri-2.yml
# kubectl apply -f nginx-service-uri-2.yml

# kubectl get svc -n ingress-nginx
NAME                  TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
nginx-service-uri-1   ClusterIP   10.96.171.135   <none>        80/TCP    7m24s
nginx-service-uri-2   ClusterIP   10.96.234.164   <none>        80/TCP    4m11s

2.3.2.3 Create the ingress object
[root@k8s-master1 ~]# vim ingress-nginx-uri.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-uri
  namespace: ingress-nginx
  annotations:
    # annotation values must be strings, so true is quoted
    ingressclass.kubernetes.io/is-default-class: "true"
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: www.kubemsburi.com
    http:
      paths:
      - path: /svc1
        pathType: Prefix
        backend:
          service:
            name: nginx-service-uri-1
            port:
              number: 80
      - path: /svc2
        pathType: Prefix
        backend:
          service:
            name: nginx-service-uri-2
            port:
              number: 80

Apply the YAML:

[root@master1 ~]# kubectl apply -f ingress-nginx-uri.yaml
ingress.networking.k8s.io/ingress-uri created

Verify the ingress:

[root@master1 ~]# kubectl get ingress -n ingress-nginx
NAME          CLASS    HOSTS                ADDRESS   PORTS   AGE
ingress-uri   <none>   www.kubemsburi.com             80      13s

Describe the ingress to view its details:

[root@master1 ~]# kubectl describe ingress ingress-uri -n ingress-nginx
Name:             ingress-uri
Namespace:        ingress-nginx
Address:          192.168.10.12
Default backend:  default-http-backend:80 (error: endpoints default-http-backend not found)
Rules:
  Host                Path   Backends
  ----                ----   --------
  www.kubemsburi.com
                      /svc1  nginx-service-uri-1:80 (10.244.159.158:80,10.244.194.111:80)
                      /svc2  nginx-service-uri-2:80 (10.244.159.159:80,10.244.194.112:80)
Annotations:      kubernetes.io/ingress.class: nginx
Events:
  Type    Reason  Age               From                      Message
  ----    ------  ----              ----                      -------
  Normal  Sync    4s (x2 over 32s)  nginx-ingress-controller  Scheduled for sync

[root@k8s-master1 ~]# kubectl get pods -o wide -n ingress-nginx
NAME                           READY   STATUS    RESTARTS   AGE   IP               NODE          NOMINATED NODE   READINESS GATES
nginx-uri-1-7d7d75f86-dws96    1/1     Running   0          14m   10.244.159.158   k8s-master1   <none>           <none>
nginx-uri-1-7d7d75f86-s8js4    1/1     Running   0          14m   10.244.194.111   k8s-worker1   <none>           <none>
nginx-uri-2-7cdf7f89b7-8s4mg   1/1     Running   0          10m   10.244.194.112   k8s-worker1   <none>           <none>
nginx-uri-2-7cdf7f89b7-gj8x6   1/1     Running   0          10m   10.244.159.159   k8s-master1   <none>           <none>

Confirm that the nginx-ingress-controller IP (the EXTERNAL-IP of its Service) is 192.168.10.91.
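
How the two Prefix rules of ingress-uri select a backend, shown as an added example that is not part of the original page. It follows the Ingress API's Prefix semantics (comparison per path element, longest matching path wins); the function names, the rule table and the "default-backend" label are constructed for illustration.

```sh
#!/bin/sh
# Constructed rule table copied from the ingress-uri manifest: "path service".
RULES='/svc1 nginx-service-uri-1
/svc2 nginx-service-uri-2'

# prefix_match RULE_PATH REQUEST_PATH
# pathType: Prefix compares whole path elements, so /svc1 covers /svc1,
# /svc1/ and /svc1/index.html, but not /svc10 and not /SVC1 (case matters).
prefix_match() {
    rule=${1%/}                  # a trailing slash on the rule is ignored
    [ -z "$rule" ] && return 0   # the rule "/" matches every request path
    case "$2" in
        "$rule" | "$rule"/*) return 0 ;;
    esac
    return 1
}

# route REQUEST_PATH: print the service picked by the longest matching rule,
# or "default-backend" (hypothetical label) when no rule matches.
route() {
    req=${1%%\?*}                # the query string takes no part in matching
    best_len=-1
    best_svc=default-backend
    while read -r path svc; do
        [ -n "$path" ] || continue
        if prefix_match "$path" "$req" && [ "${#path}" -gt "$best_len" ]; then
            best_len=${#path}
            best_svc=$svc
        fi
    done <<EOF
$RULES
EOF
    printf '%s\n' "$best_svc"
}

for p in /svc1/index.html /svc2 /svc10/index.html /; do
    printf '%-20s -> %s\n' "$p" "$(route "$p")"
done
```

Requests that fall through to the default backend are worth watching in the controller's access log, since this Ingress defines no rule for "/".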
2.3.2.4 Simulate client access

1. Confirm the nginx-ingress-controller IP (the EXTERNAL-IP of its Service); the query below returns 192.168.10.91.

[root@k8s-master1 ~]# kubectl get svc -n ingress-nginx | grep ingress
ingress-nginx-controller             LoadBalancer   10.96.183.188   192.168.10.91   80:32369/TCP,443:31775/TCP   11m
ingress-nginx-controller-admission   ClusterIP      10.96.212.14    <none>          443/TCP                      11m

2. On any host outside the cluster, add a name resolution entry for the domain name and IP address above (this simulates public DNS).

[root@otherhost ~]# vim /etc/hosts
192.168.10.91 www.kubemsburi.com

3. Prepare the web home page served by the containers in the pods.

[root@k8s-master1 ~]# kubectl exec -it nginx-uri-1-7d7d75f86-dws96 -n ingress-nginx -- /bin/sh
/ # mkdir /usr/share/nginx/html/svc1
/ # echo sssvc1 > /usr/share/nginx/html/svc1/index.html
/ # exit
[root@k8s-master1 ~]# kubectl exec -it nginx-uri-1-7d7d75f86-s8js4 -n ingress-nginx -- /bin/sh
/ # mkdir /usr/share/nginx/html/svc1
/ # echo sssvc1 > /usr/share/nginx/html/svc1/index.html
/ # exit
[root@k8s-master1 ~]# kubectl exec -it nginx-uri-2-7cdf7f89b7-8s4mg -n ingress-nginx -- /bin/sh
/ # mkdir /usr/share/nginx/html/svc2
/ # echo sssvc2 > /usr/share/nginx/html/svc2/index.html
/ # exit
[root@k8s-master1 ~]# kubectl exec -it nginx-uri-2-7cdf7f89b7-gj8x6 -n ingress-nginx -- /bin/sh
/ # mkdir /usr/share/nginx/html/svc2
/ # echo sssvc2 > /usr/share/nginx/html/svc2/index.html
/ # exit

4. Access the site and check the result.

[root@otherhost ~]# curl www.kubemsburi.com/svc1/index.html
sssvc1
[root@otherhost ~]# curl www.kubemsburi.com/svc2/index.html
sssvc2

2.3.3 ingress-https example
2.3.3.1 Create a self-signed certificate

[root@k8s-master1 ~]# mkdir ingress-https
[root@k8s-master1 ~]# cd ingress-https/
[root@k8s-master1 ingress-https]# openssl genrsa -out nginx.key 2048
[root@k8s-master1 ingress-https]# openssl req -new -x509 -key nginx.key -out nginx.pem -days 365
......
......
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:SZ
Organization Name (eg, company) [Default Company Ltd]:IT
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your servers hostname) []:kubemsbhost
Email Address []:admin@kubemsbhost.com

[root@k8s-master1 ingress-https]# ls
nginx.key  nginx.pem

2.3.3.2 Create a secret from the certificate

[root@k8s-master1 ingress-https]# kubectl create secret tls nginx-tls-secret --cert=nginx.pem --key=nginx.key -n ingress-nginx
secret/nginx-tls-secret created

[root@k8s-master1 ingress-https]# kubectl get secrets -n ingress-nginx | grep nginx-tls-secret
nginx-tls-secret   kubernetes.io/tls   2   38s

2.3.3.3 Write the YAML and create the resources
[root@k8s-master1 ingress-https]# vim ingress-https.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx2
  namespace: ingress-nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx2
  template:
    metadata:
      labels:
        app: nginx2
    spec:
      containers:
      - name: c1
        image: nginx:1.15-alpine
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service2
  namespace: ingress-nginx
  labels:
    app: nginx2
spec:
  ports:
  - name: http
    port: 80
    targetPort: 80
  - name: https
    port: 443
    targetPort: 443
  selector:
    app: nginx2
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-nginx2
  namespace: ingress-nginx
  annotations:
    # annotation values must be strings, so true is quoted
    ingressclass.kubernetes.io/is-default-class: "true"
    kubernetes.io/ingress.class: nginx
spec:
  tls:
  - hosts:
    - www.kubemsbhost.com              # domain name
    secretName: nginx-tls-secret       # the secret created earlier
  rules:
  - host: www.kubemsbhost.com          # domain name
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: nginx-service2       # the matching service name
            port:
              number: 80

[root@k8s-master1 ingress-https]# kubectl apply -f ingress-https.yml
deployment.apps/nginx2 created
service/nginx-service2 created
ingress.extensions/ingress-nginx2 created

Verify:

[root@k8s-master1 ~]# kubectl get ingress -n ingress-nginx
NAME             CLASS    HOSTS                 ADDRESS         PORTS     AGE
ingress-nginx2   <none>   www.kubemsbhost.com   192.168.10.12   80, 443   2m14s

2.3.3.4 Simulate client access

[root@otherhost ~]# vim /etc/hosts
192.168.10.91 www.kubemsbhost.com    # add this line to simulate DNS

[root@otherhost ~]# firefox https://www.kubemsbhost.com &
[1] 10892

A note on trusted certificates

If a service in the Kubernetes cluster that is reached over the internet has to be trusted, use an SSL certificate issued by a public certificate authority.

2.3.4 ingress + nodeport service
[root@k8s-master1 ~]# vim ingress-nodeport.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx3
  namespace: ingress-nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx3
  template:
    metadata:
      labels:
        app: nginx3
    spec:
      containers:
      - name: c1
        image: nginx:1.15-alpine
        imagePullPolicy: IfNotPresent
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service3
  namespace: ingress-nginx
  labels:
    app: nginx3
spec:
  type: NodePort                       # NodePort-type service
  ports:
  - port: 80
    targetPort: 80
  selector:
    app: nginx3
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-nginx3
  namespace: ingress-nginx
  annotations:
    # annotation values must be strings, so true is quoted
    ingressclass.kubernetes.io/is-default-class: "true"
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: www.kubemsb3.com             # domain name
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: nginx-service3       # the matching service name
            port:
              number: 80

[root@k8s-master1 ~]# kubectl apply -f ingress-nodeport.yml

[root@k8s-master1 ~]# kubectl get svc -n ingress-nginx
NAME             TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)          AGE
nginx-service    ClusterIP   10.2.115.144   <none>        80/TCP           22h
nginx-service2   ClusterIP   10.2.237.70    <none>        80/TCP,443/TCP   22h
nginx-service3   NodePort    10.2.75.250    <none>        80:26765/TCP     3m51s

nginx-service3 is of type NodePort.

[root@otherhost ~]# vim /etc/hosts
192.168.10.91 www.kubemsb3.com    # add this line to simulate DNS

[root@otherhost ~]# curl www.kubemsb3.com
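
A pre-flight check for the key and certificate of section 2.3.3, shown as an added example that is not part of the original page: the interactive run in 2.3.3.1 answers Common Name with kubemsbhost and sets no subjectAltName, while the Ingress in 2.3.3.3 serves www.kubemsbhost.com, so a client that verifies the host name rejects the certificate even when it trusts the issuer. The function names are hypothetical, and the script assumes OpenSSL 1.1.1 or newer on PATH.

```sh
#!/bin/sh
# Added example; function names are hypothetical. Needs OpenSSL >= 1.1.1.

# make_cert DIR CN [SAN_HOST]: the same two commands as section 2.3.3.1, with
# -subj replacing the prompts. Without SAN_HOST the certificate has a subject
# only, like the one created above; with it, a subjectAltName is added.
make_cert() {
    dir=$1 cn=$2 san=${3:-}
    openssl genrsa -out "$dir/nginx.key" 2048 2>/dev/null || return 1
    set -- req -new -x509 -key "$dir/nginx.key" -out "$dir/nginx.pem" \
        -days 365 -subj "/C=CN/ST=GD/L=SZ/O=IT/OU=it/CN=$cn"
    [ -n "$san" ] && set -- "$@" -addext "subjectAltName=DNS:$san"
    openssl "$@" 2>/dev/null
}

# cert_covers_host PEM HOST: succeed only if the certificate is valid for HOST.
# openssl prints its verdict and exits 0 either way, so the text is checked.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q 'does match certificate'
}

# key_matches_cert KEY PEM: succeed if both files hold the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_tls_pair DIR HOST: print "ok", "key-mismatch" or "host-mismatch" for
# DIR/nginx.key and DIR/nginx.pem before they go into the TLS secret.
check_tls_pair() {
    if ! key_matches_cert "$1/nginx.key" "$1/nginx.pem"; then
        echo key-mismatch
    elif ! cert_covers_host "$1/nginx.pem" "$2"; then
        echo host-mismatch
    else
        echo ok
    fi
}

work=$(mktemp -d)
mkdir "$work/cn-only" "$work/with-san"
make_cert "$work/cn-only" kubemsbhost
make_cert "$work/with-san" www.kubemsbhost.com www.kubemsbhost.com
echo "CN=kubemsbhost, no SAN: $(check_tls_pair "$work/cn-only" www.kubemsbhost.com)"
echo "SAN www.kubemsbhost.com: $(check_tls_pair "$work/with-san" www.kubemsbhost.com)"
rm -rf "$work"
```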