Kubernetes: Ingress-Nginx

Overview

The difference between an Ingress (nginx) and ingress-nginx-controller

Ingress: the Ingress object each service creates for itself. It holds nginx's forwarding rules (which host and path go to which Service) and is the input from which the nginx configuration file is generated; on its own an Ingress object does nothing.

ingress-nginx-controller: effectively the nginx service itself. It watches the API server and, from the Ingress rules users write (the ingress.yaml files), rewrites nginx's configuration file and reloads nginx so the rules take effect. The process is automatic; in this controller version endpoint changes (Pods coming and going) are pushed into the running nginx through Lua without a reload, and only changes to the rules themselves trigger a reload.
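To make the "Ingress rules in, nginx config out" relationship concrete, here is an added toy model of that translation step. It is example code written for this page, not the controller's own code: the real controller renders a much larger template and, in dynamic mode, hands endpoint lists to nginx via Lua rather than writing them into the file. It assumes the upstream naming the controller uses (namespace-service-port) and a simplified host/longest-prefix matching model; the sample Ingress is constructed to match the test-docker manifests later on this page.

```python
"""Toy model of what ingress-nginx-controller does with Ingress rules.

Added illustration only (not the controller's code). It shows the two things
that matter operationally: every Ingress in the cluster is merged into one
nginx config, and a request whose Host header matches no rule ends up at the
default backend (a 404), never at a workload."""

# Constructed sample: one Ingress in namespace "test" sending
# test.baidu.com/ to Service test-docker on port 8025.
SAMPLE_INGRESSES = [
    {"namespace": "test",
     "rules": [{"host": "test.baidu.com",
                "paths": [{"path": "/", "serviceName": "test-docker",
                           "servicePort": 8025}]}]},
]

# Name of the catch-all upstream; the controller points it at the Service
# given by --default-backend-service.
DEFAULT_BACKEND = "upstream-default-backend"


def upstream_name(namespace, service, port):
    """ingress-nginx names upstreams <namespace>-<service>-<port>."""
    return f"{namespace}-{service}-{port}"


def build_servers(ingresses):
    """Collapse Ingress objects into {host: {path: upstream}}.

    A rule without a host lands under "_", which nginx treats as the
    catch-all server for any Host header that matches nothing else."""
    servers = {}
    for ing in ingresses:
        ns = ing["namespace"]
        for rule in ing["rules"]:
            host = rule.get("host") or "_"
            locations = servers.setdefault(host, {})
            for p in rule["paths"]:
                locations[p["path"]] = upstream_name(ns, p["serviceName"],
                                                     p["servicePort"])
    return servers


def render_nginx_conf(servers):
    """Emit minimal nginx server blocks for the merged rule set."""
    blocks = []
    if "_" not in servers:
        blocks.append("server {\n    listen 80 default_server;\n"
                      "    server_name _;\n"
                      f"    location / {{ proxy_pass http://{DEFAULT_BACKEND}; }}\n}}")
    for host, locations in servers.items():
        listen = "listen 80 default_server;" if host == "_" else "listen 80;"
        lines = ["server {", f"    {listen}", f"    server_name {host};"]
        for path, upstream in sorted(locations.items(), key=lambda kv: -len(kv[0])):
            lines.append(f"    location {path} {{ proxy_pass http://{upstream}; }}")
        lines.append("}")
        blocks.append("\n".join(lines))
    return "\n".join(blocks) + "\n"


def route(servers, host, path):
    """Model nginx's decision: exact server_name match (else the "_" server),
    then the longest matching location prefix; otherwise the default backend."""
    locations = servers.get(host)
    if locations is None:
        locations = servers.get("_", {})
    best = max((loc for loc in locations if path.startswith(loc)),
               key=len, default=None)
    return locations[best] if best is not None else DEFAULT_BACKEND


if __name__ == "__main__":
    servers = build_servers(SAMPLE_INGRESSES)
    print(render_nginx_conf(servers))
    print(route(servers, "test.baidu.com", "/status"))   # test-test-docker-8025
    print(route(servers, "other.example", "/"))           # upstream-default-backend
```

The `route` function is the part worth keeping in mind when reading the rest of the page: the Host header, not the ELB or the NodePort, decides which Service a request reaches, so a wildcard DNS record pointed at the ELB does not by itself expose anything beyond what the Ingress rules name.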

Service types for ingress-nginx-controller

NodePort: deploy ingress-nginx-controller with a Deployment, then create a Service of type NodePort for it. That exposes the controller's ports on every Node in the cluster; put a few of those Nodes behind a public-cloud ELB and point the domain name at the ELB, and the service is exposed externally.

LoadBalancer: deploy ingress-nginx-controller with a Deployment, then create a Service of type LoadBalancer that selects those Pods. Most public clouds create a load balancer automatically for a LoadBalancer Service, usually with a public address bound to it; point the domain name at that address and the service is exposed externally.

Deploying ingress-nginx-controller

1. The ServiceAccount ingress-nginx-controller runs as, used to talk to the API server. The Role/ClusterRole and bindings that grant it read access to Ingress, Service, Endpoints, Secret and ConfigMap objects (created by the same Helm chart) are not reproduced here; without them the controller cannot watch anything.

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      
      labels:
        app: nginx-ingress
        chart: nginx-ingress-1.26.2
        heritage: Helm
        release: nginx-ingress
      name: nginx-ingress
      namespace: se
    secrets:                                # filled in by the token controller after creation;
    - name: nginx-ingress-token-9bbd4       # omit this list when applying the manifest by hand

2. The Secret backing that ServiceAccount (ca.crt and token, base64-encoded, not encrypted). Kubernetes creates and fills this Secret itself when the ServiceAccount is created (type kubernetes.io/service-account-token), so it is shown here for reference rather than as something to write by hand; since Kubernetes 1.24 it is no longer created automatically at all, and Pods receive short-lived projected tokens instead. The token is a bearer credential for the API server: whoever holds it can act as the nginx-ingress ServiceAccount with all the permissions bound to it, so a real one should never be pasted into a wiki or a blog post. The values below are abbreviated.

    apiVersion: v1
    data:
      ca.crt: LS0tLS1CUJBZ0lVUXVqazcwRmhXQm43dXQ1M3liMWdLeXNkFRRUwKQlFBd1pURUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKb3N01DVGpPK2VNd0h3WURWUjBqQkJnd0ZvQVVXYTVCSzQvSApOMjdteEVvaVB3N01DVGpPK2VNd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFJcDlveFJTb29OelNGQmJrMEMvCmIwbVNvTUFlSU5vOVYrNWFEdGg3eExjWjZPazJCYVFWV1ZLK2ZVYW45WQpjaTQ9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
      namespace: c2U=
      token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpSjkuZZoWTJOdmRXNTBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5dVlXMWxjM0JoWTJVaU9pSnpaU0lzSW10MVltVnlibRTRXVlSjN2U0NlcTc5S25ENFdaWnoybXBvR1RuLVZHUFI4ai1B
    kind: Secret
    metadata:
     
      name: nginx-ingress-token-9bbd4
      namespace: se
    
    type: kubernetes.io/service-account-token
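Because "base64-encoded" is often misread as "protected", here is an added example that peels the two layers off a service-account Secret: the base64 of the Secret's `.data`, and the base64url of the JWT inside it. It is example code written for this page, not part of Kubernetes or ingress-nginx. The token it decodes is constructed inline with the same claim layout as a legacy service-account JWT but a garbage signature, so it would not verify against any API server; the page's own (abbreviated) token is not used.

```python
"""Peek inside a kubernetes.io/service-account-token Secret.

Added example (not Kubernetes code). Both decoding steps are reversible
without any key: the only thing protecting the token is whoever can read
the Secret object."""
import base64
import json


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


# Constructed stand-in for the page's token: legacy service-account claims,
# signature bytes are all zero (invalid), uid is a placeholder.
_HEADER = {"alg": "RS256", "kid": ""}
_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "se",
    "kubernetes.io/serviceaccount/secret.name": "nginx-ingress-token-9bbd4",
    "kubernetes.io/serviceaccount/service-account.name": "nginx-ingress",
    "kubernetes.io/serviceaccount/service-account.uid": "00000000-0000-0000-0000-000000000000",
    "sub": "system:serviceaccount:se:nginx-ingress",
}
SAMPLE_TOKEN = ".".join([_b64url(json.dumps(_HEADER).encode()),
                         _b64url(json.dumps(_CLAIMS).encode()),
                         _b64url(b"\x00" * 32)])

# Shape of `kubectl get secret nginx-ingress-token-9bbd4 -n se -o yaml` .data
# (constructed; ca.crt omitted for brevity).
SAMPLE_SECRET_DATA = {
    "namespace": base64.b64encode(b"se").decode(),
    "token": base64.b64encode(SAMPLE_TOKEN.encode()).decode(),
}


def decode_secret_data(data):
    """Reverse the base64 layer of a Secret's .data; no key is involved."""
    return {k: base64.b64decode(v).decode() for k, v in data.items()}


def peek_token(token):
    """Return (header, claims) of a JWT WITHOUT verifying the signature.

    Enough to learn which ServiceAccount a leaked token belongs to; never
    use this to decide whether a token presented to you is trustworthy."""
    header, claims, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(claims))


def identity_from_secret(data):
    """Which API-server identity the token in this Secret asserts."""
    _, claims = peek_token(decode_secret_data(data)["token"])
    return claims["sub"]


if __name__ == "__main__":
    print(identity_from_secret(SAMPLE_SECRET_DATA))   # system:serviceaccount:se:nginx-ingress
```

On a live cluster the equivalent is `kubectl get secret nginx-ingress-token-9bbd4 -n se -o jsonpath='{.data.token}' | base64 -d`, which is exactly why read access to Secrets in a namespace is equivalent to holding every ServiceAccount identity in that namespace.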

3. Deployment manifest for ingress-nginx-controller

    apiVersion: apps/v1   # the original dump used extensions/v1beta1, which was removed in Kubernetes 1.16
    kind: Deployment
    metadata:
      labels:
        app: nginx-ingress
        chart: nginx-ingress-1.26.2
        component: controller
        heritage: Helm
        release: nginx-ingress
      name: nginx-ingress-controller
      namespace: se
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: nginx-ingress
          component: controller
          release: nginx-ingress
      template:
        metadata:
          labels:
            app: nginx-ingress
            component: controller
            release: nginx-ingress
        spec:
          containers:
          - args:
            - /nginx-ingress-controller
            - --default-backend-service=se/nginx-ingress-default-backend
            - --election-id=ingress-controller-leader
            - --ingress-class=nginx
            - --configmap=se/nginx-ingress-controller
            env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            image: hrb.xxxx.com/library/nginx-ingress-controller:0.26.1
            imagePullPolicy: IfNotPresent
            livenessProbe:
              failureThreshold: 3
              httpGet:
                path: /healthz
                port: 10254
                scheme: HTTP
              initialDelaySeconds: 10
              periodSeconds: 10
              successThreshold: 1
              timeoutSeconds: 1
            name: nginx-ingress-controller
            ports:
            - containerPort: 80
              name: http
              protocol: TCP
            - containerPort: 443
              name: https
              protocol: TCP
            readinessProbe:
              failureThreshold: 3
              httpGet:
                path: /healthz
                port: 10254
                scheme: HTTP
              initialDelaySeconds: 10
              periodSeconds: 10
              successThreshold: 1
              timeoutSeconds: 1
            securityContext:
              # true is required here: the image grants nginx and the controller
              # binary CAP_NET_BIND_SERVICE through file capabilities so they can
              # bind 80/443 as uid 33, and file capabilities do not take effect
              # when privilege escalation is disallowed (no_new_privs)
              allowPrivilegeEscalation: true
              capabilities:
                add:
                - NET_BIND_SERVICE
                drop:
                - ALL
              runAsUser: 33
          serviceAccount: nginx-ingress
          serviceAccountName: nginx-ingress

4. Service manifest for ingress-nginx-controller

    apiVersion: v1
    kind: Service
    metadata:
      labels:
        app: nginx-ingress
        chart: nginx-ingress-1.26.2
        component: controller
        heritage: Helm
        release: nginx-ingress
      name: nginx-ingress-controller
      namespace: se
    
    spec:
      ports:
      - name: http
        nodePort: 30080
        port: 80
        protocol: TCP
        targetPort: http
      - name: https
        nodePort: 30443
        port: 443
        protocol: TCP
        targetPort: https
      selector:
        app: nginx-ingress
        component: controller
        release: nginx-ingress
      type: NodePort

5. Check the ingress-nginx-controller Service

    kubectl get svc nginx-ingress-controller -n se
    NAME                       TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
    nginx-ingress-controller   NodePort   192.168.2.67   <none>        80:30080/TCP,443:30443/TCP   1d

At this point ingress-nginx-controller is deployed, and every Node in the cluster is listening on ports 30080 and 30443.

On AWS, request an ELB and pick two fixed Nodes dedicated to forwarding (kept free of application Pod scheduling) as its targets:

• ELB port 80 --> NodePort 30080 on the Nodes
• ELB port 443 --> NodePort 30443 on the Nodes

Note that the NodePort is open on every Node, not only on the two behind the ELB; restrict who can reach 30080/30443 on the other Nodes with security groups, since anything that can reach them can send requests with an arbitrary Host header straight to the controller.

Deploying a test service

1. Deployment manifest for the test service

    apiVersion: apps/v1   # the original dump used extensions/v1beta1, which was removed in Kubernetes 1.16
    kind: Deployment
    metadata:
      labels:
        app: test-docker
        env: stg
      name: test-docker
      namespace: test
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: test-docker
      template:
        metadata: 
          labels:
            app: test-docker
            env: stg
        spec:
          containers:
          - env:
            - name: K8S_ENV
              value: stg
            - name: K8S_CLUSTER
              value: aws
            - name: CPU_REQUEST
              valueFrom:
                resourceFieldRef:
                  containerName: test-docker
                  divisor: "0"
                  resource: requests.cpu
            - name: MEM_REQUEST
              valueFrom:
                resourceFieldRef:
                  containerName: test-docker
                  divisor: "0"
                  resource: requests.memory
            - name: CPU_LIMIT
              valueFrom:
                resourceFieldRef:
                  containerName: test-docker
                  divisor: "0"
                  resource: limits.cpu
            - name: MEM_LIMIT
              valueFrom:
                resourceFieldRef:
                  containerName: test-docker
                  divisor: "0"
                  resource: limits.memory
            - name: TZ
              value: Asia/Shanghai
            - name: POD_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            image: hrb.xxx.com/test-docker:1.0.428.7eb2128
            imagePullPolicy: IfNotPresent
            name: test-docker
            ports:
            - containerPort: 8025
              protocol: TCP
            readinessProbe:
              failureThreshold: 3
              httpGet:
                path: /status
                port: 8025
                scheme: HTTP
              initialDelaySeconds: 10
              periodSeconds: 10
              successThreshold: 1
              timeoutSeconds: 5
            resources:
              limits:
                cpu: "1"
                memory: 2000Mi
              requests:
                cpu: 100m
                memory: 2000Mi
            volumeMounts:
            - mountPath: /etc/localtime
              name: host-time
              readOnly: true
            - mountPath: /data/logs
              name: log
            - mountPath: /app/conf
              name: config-volume
              readOnly: true
    
          volumes:
          - hostPath:
              path: /etc/localtime
              type: ""
            name: host-time
          - hostPath:                          # gives the container write access to this directory on the
              path: /data/logs/test-docker-stg # Node's own filesystem; prefer an emptyDir or a logging
              type: ""                         # sidecar unless node-local log files are really required
            name: log
          - configMap:
              defaultMode: 420
              name: test-docker
            name: config-volume

2. Service manifest for the test service

    apiVersion: v1
    kind: Service
    metadata:
      name: test-docker
      namespace: test
    spec:
      ports:
      - name: http-8025
        port: 8025
        protocol: TCP
        targetPort: 8025
      selector:
        app: test-docker
      type: ClusterIP

3. Ingress manifest for the test service

    apiVersion: extensions/v1beta1   # what the 0.26.1 controller watches; removed in Kubernetes 1.22, where a newer controller and networking.k8s.io/v1 (different backend schema) are required
    kind: Ingress
    metadata:
      name: test-docker
      namespace: test
    spec:
      rules:
      - host: test.baidu.com
        http:
          paths:
          - backend:
              serviceName: test-docker
              servicePort: 8025
            path: /

With that, the test service is deployed; once its domain name resolves to the ELB it can be reached by domain name. The path can be verified before DNS is changed by sending a request to any Node's port 30080 with the Host header set to test.baidu.com, for example `curl -H 'Host: test.baidu.com' http://<node-ip>:30080/status`; the same request without the Host header should hit the default backend and return 404.

How does a service get exposed through an Ingress and reached by domain name?

1. Create ingress-nginx-controller first. Its Service exposes the controller via NodePort, so every Node in the K8S cluster listens on the NodePort; this is the nginx service.

  Where does nginx's configuration come from? ingress-nginx-controller watches the API server; once a user creates an Ingress for a service in the cluster, the controller loads the rules from that Ingress and writes them into its nginx configuration.

2. Create an AWS ELB and point it at two Nodes.

3. A user creates a service: first the Deployment, then the Service, then the Ingress. The Ingress states which domain name forwards to which Service, and the Service forwards to the actual Pods.

4. Point the domain name in the Ingress at the ELB's address, and the service in the K8S cluster can be reached by that domain name.
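The chain in steps 3 and 4 (Ingress -> Service -> Pod) is held together by nothing but matching names, ports and labels, and a typo in any of them fails silently with a 503 from nginx. As an added example, not part of the page's manifests or of any Kubernetes tooling, the following script walks that chain the way traffic will and reports every broken link. The three objects are constructed from the test-docker manifests above, trimmed to the fields the chain uses; the second Ingress variant with servicePort 8080 is a constructed mistake to show a finding.

```python
"""Static check of the Ingress -> Service -> Pod reference chain.

Added example only; it does not talk to a cluster. Objects are plain dicts
in the shape `kubectl get -o json` would return."""
import json

# Constructed from the manifests on this page (namespace "test").
DEPLOYMENT = {
    "kind": "Deployment", "metadata": {"name": "test-docker", "namespace": "test"},
    "spec": {"template": {
        "metadata": {"labels": {"app": "test-docker", "env": "stg"}},
        "spec": {"containers": [{"name": "test-docker",
                                 "ports": [{"containerPort": 8025, "protocol": "TCP"}]}]}}},
}
SERVICE = {
    "kind": "Service", "metadata": {"name": "test-docker", "namespace": "test"},
    "spec": {"type": "ClusterIP", "selector": {"app": "test-docker"},
             "ports": [{"name": "http-8025", "port": 8025, "targetPort": 8025}]},
}
INGRESS = {
    "kind": "Ingress", "metadata": {"name": "test-docker", "namespace": "test"},
    "spec": {"rules": [{"host": "test.baidu.com", "http": {"paths": [
        {"path": "/", "backend": {"serviceName": "test-docker", "servicePort": 8025}}]}}]},
}
# Constructed mistake: servicePort that the Service does not expose.
INGRESS_WRONG_PORT = json.loads(json.dumps(INGRESS))
INGRESS_WRONG_PORT["spec"]["rules"][0]["http"]["paths"][0]["backend"]["servicePort"] = 8080


def _key(obj):
    return obj["metadata"]["namespace"], obj["metadata"]["name"]


def check_chain(ingress, services, deployments):
    """Return human-readable problems; an empty list means the chain is consistent."""
    problems = []
    ns = ingress["metadata"]["namespace"]
    svc_by_key = {_key(s): s for s in services}
    deps_in_ns = [d for d in deployments if d["metadata"]["namespace"] == ns]

    for rule in ingress["spec"]["rules"]:
        host = rule.get("host")
        if not host:
            # A hostless rule becomes nginx's catch-all server for any Host header.
            problems.append("rule without host: its paths answer for every Host header")
        for p in rule["http"]["paths"]:
            backend = p["backend"]
            where = f"{host or '*'}{p['path']}"
            # Ingress -> Service: same namespace, by name.
            svc = svc_by_key.get((ns, backend["serviceName"]))
            if svc is None:
                problems.append(f"{where}: Service {ns}/{backend['serviceName']} not found "
                                "(an Ingress can only target Services in its own namespace)")
                continue
            # servicePort may be a number or a port name.
            port = next((sp for sp in svc["spec"]["ports"]
                         if backend["servicePort"] in (sp.get("port"), sp.get("name"))), None)
            if port is None:
                problems.append(f"{where}: Service {svc['metadata']['name']} has no port "
                                f"{backend['servicePort']}")
                continue
            # Service -> Pod: selector must be a subset of the pod template labels.
            selector = svc["spec"].get("selector", {})
            targets = [d for d in deps_in_ns
                       if selector.items() <= d["spec"]["template"]["metadata"]["labels"].items()]
            if not targets:
                problems.append(f"Service {svc['metadata']['name']}: selector {selector} "
                                "matches no Deployment pod template")
                continue
            # targetPort (number or name) should be a declared containerPort.
            target_port = port.get("targetPort", port["port"])
            for d in targets:
                declared = [(c.get("containerPort"), c.get("name"))
                            for ctr in d["spec"]["template"]["spec"]["containers"]
                            for c in ctr.get("ports", [])]
                if not any(target_port in pair for pair in declared):
                    problems.append(f"Deployment {d['metadata']['name']}: no container declares "
                                    f"port {target_port} (targetPort of Service {svc['metadata']['name']})")
    return problems


if __name__ == "__main__":
    print(check_chain(INGRESS, [SERVICE], [DEPLOYMENT]))              # []
    print(check_chain(INGRESS_WRONG_PORT, [SERVICE], [DEPLOYMENT]))   # one finding
```

The namespace check is the one people trip over most: the Ingress in namespace test cannot reference a Service in namespace se, and the controller reports that only as a 503 in nginx's access log.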

Original article: https://www.cnblogs.com/chadiandianwenrou/p/14050250.html