Introduction
The difference between ingress-Nginx and ingress-Nginx-Controller
ingress-Nginx: the Ingress object that each service creates for itself. It holds the Nginx forwarding rules (host and path mapped to a backend Service), and the Nginx configuration file is generated from it.
ingress-Nginx-Controller: effectively the Nginx server itself. It watches the API Server and, according to the Ingress rules users write (the ingress.yaml files), rewrites the Nginx configuration file and reloads Nginx so the change takes effect. The whole process is automatic. The watcher and the template that renders nginx.conf are Go code inside the controller; the Lua embedded in Nginx is what lets the controller push changed backend endpoints (Pods scaling up or down) into the running server without a reload, while a changed host or path rule still triggers a reload.
Service types for the ingress-Nginx-Controller
NodePort: deploy an ingress-nginx-controller with a Deployment, then create a Service of type NodePort for it. This exposes the controller's port on every Node in the cluster. Put a few Nodes behind the public cloud's ELB and point the domain name at the ELB, and the service is reachable from outside.
LoadBalancer: deploy an ingress-nginx-controller with a Deployment, then create a Service of type LoadBalancer that selects those Pods. Most public clouds automatically provision a load balancer for a LoadBalancer Service, usually with a public address bound to it; point the domain name at that address and the service is reachable from outside.
Deploying the ingress-Nginx-Controller
1. The ServiceAccount the ingress-Nginx-Controller uses to access the API Server
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: nginx-ingress
    chart: nginx-ingress-1.26.2
    heritage: Helm
    release: nginx-ingress
  name: nginx-ingress
  namespace: se
secrets:
- name: nginx-ingress-token-9bbd4
The account itself grants nothing; the ClusterRole, Role and bindings that the Helm chart creates alongside it are what give the controller permission to read Ingresses, Services, Endpoints and Secrets.
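The RBAC objects that go with this ServiceAccount are not reproduced on this page. The manifest below is an added example, not the page's own configuration: it is modelled on the upstream ingress-nginx 0.26 mandatory manifest and adapted to the names used here (namespace `se`, account `nginx-ingress`, election-id `ingress-controller-leader` with class `nginx`). The role and binding names are assumptions.

```yaml
# Added example: RBAC for the nginx-ingress ServiceAccount, modelled on the
# upstream ingress-nginx 0.26 manifest. The ServiceAccount name and namespace
# come from the page; the role/binding names are assumptions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
rules:
# Watched cluster-wide to build nginx.conf. Note that "secrets" is in the
# list: TLS certificates live in Secrets, so a compromised controller Pod can
# read every Secret in the cluster. Keep the controller namespace locked down.
- apiGroups: [""]
  resources: ["configmaps", "endpoints", "nodes", "pods", "secrets"]
  verbs: ["list", "watch"]
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
- apiGroups: ["extensions", "networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["extensions", "networking.k8s.io"]
  resources: ["ingresses/status"]
  verbs: ["update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
- kind: ServiceAccount
  name: nginx-ingress
  namespace: se
---
# Namespaced permissions. Leader election writes a ConfigMap named
# "<election-id>-<ingress-class>", which for the Deployment on this page is
# ingress-controller-leader-nginx.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: se
rules:
- apiGroups: [""]
  resources: ["configmaps", "pods", "secrets", "namespaces"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["ingress-controller-leader-nginx"]
  verbs: ["get", "update"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create"]
- apiGroups: [""]
  resources: ["endpoints"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-binding
  namespace: se
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
- kind: ServiceAccount
  name: nginx-ingress
  namespace: se
```

After applying it, confirm the effective permissions with `kubectl auth can-i list secrets --all-namespaces --as=system:serviceaccount:se:nginx-ingress`; the answer is "yes", which is exactly the privilege worth knowing about before exposing the controller Pod to the internet.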
2. The Secret for the ServiceAccount (ca.crt and token, base64-encoded)
The token controller creates this Secret automatically when the ServiceAccount is created, so it is shown here for reference rather than as something to author by hand. Base64 is an encoding, not encryption: the token is a bearer credential that authenticates to the API Server as this account with all of its permissions, so it must not be committed to a repository or pasted into documentation. (The values below are truncated.)
apiVersion: v1
kind: Secret
metadata:
  name: nginx-ingress-token-9bbd4
  namespace: se
type: kubernetes.io/service-account-token
data:
  ca.crt: LS0tLS1CUJBZ0lVUXVqazcwRmhXQm43dXQ1M3liMWdLeXNkFRRUwKQlFBd1pURUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKb3N01DVGpPK2VNd0h3WURWUjBqQkJnd0ZvQVVXYTVCSzQvSApOMjdteEVvaVB3N01DVGpPK2VNd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFJcDlveFJTb29OelNGQmJrMEMvCmIwbVNvTUFlSU5vOVYrNWFEdGg3eExjWjZPazJCYVFWV1ZLK2ZVYW45WQpjaTQ9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
  namespace: c2U=
  token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpSjkuZZoWTJOdmRXNTBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5dVlXMWxjM0JoWTJVaU9pSnpaU0lzSW10MVltVnlibRTRXVlSjN2U0NlcTc5S25ENFdaWnoybXBvR1RuLVZHUFI4ai1B
3. The Deployment for the ingress-Nginx-Controller
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: nginx-ingress
    chart: nginx-ingress-1.26.2
    component: controller
    heritage: Helm
    release: nginx-ingress
  name: nginx-ingress-controller
  namespace: se
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-ingress
      component: controller
      release: nginx-ingress
  template:
    metadata:
      labels:
        app: nginx-ingress
        component: controller
        release: nginx-ingress
    spec:
      containers:
      - args:
        - /nginx-ingress-controller
        # Service that answers requests matching no Ingress rule (not shown on this page)
        - --default-backend-service=se/nginx-ingress-default-backend
        - --election-id=ingress-controller-leader
        - --ingress-class=nginx
        # ConfigMap holding global Nginx settings (e.g. use-proxy-protocol)
        - --configmap=se/nginx-ingress-controller
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        image: hrb.xxxx.com/library/nginx-ingress-controller:0.26.1
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: nginx-ingress-controller
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
        - containerPort: 443
          name: https
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        securityContext:
          # Runs as www-data (uid 33), drops every capability and adds back only
          # NET_BIND_SERVICE so Nginx can bind 80/443 without root.
          # allowPrivilegeEscalation must stay true here: the capability is
          # granted through file capabilities on the binary, and no_new_privs
          # (what "false" sets) would block it and the controller would fail to bind.
          allowPrivilegeEscalation: true
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
          runAsUser: 33
      serviceAccount: nginx-ingress
      serviceAccountName: nginx-ingress
Two notes on this manifest. The extensions/v1beta1 Deployment API was removed in Kubernetes 1.16; on current clusters the same spec is applied as apps/v1. And the --default-backend-service flag points at a default-backend Deployment and Service (nginx-ingress-default-backend) that the Helm chart creates but this page does not show; it only returns 404 for unmatched hosts and paths.
4. The Service for the ingress-Nginx-Controller
apiVersion: v1
kind: Service
metadata:
  labels:
    app: nginx-ingress
    chart: nginx-ingress-1.26.2
    component: controller
    heritage: Helm
    release: nginx-ingress
  name: nginx-ingress-controller
  namespace: se
spec:
  ports:
  - name: http
    nodePort: 30080
    port: 80
    protocol: TCP
    targetPort: http
  - name: https
    nodePort: 30443
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app: nginx-ingress
    component: controller
    release: nginx-ingress
  type: NodePort
5. Check the ingress-Nginx-Controller Service
kubectl get svc nginx-ingress-controller -n se
NAME                       TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
nginx-ingress-controller   NodePort   192.168.2.67   <none>        80:30080/TCP,443:30443/TCP   1d
At this point the ingress-Nginx-Controller is deployed, and every Node in the cluster listens on ports 30080 and 30443 (kube-proxy forwards them to the controller Pod wherever it happens to be scheduled).
Request an ELB on AWS and pick two fixed Nodes that do nothing but forward (tainted so no application Pods are scheduled on them), then map the listeners:
- ELB port 80 --> NodePort 30080 on the Nodes
- ELB port 443 --> NodePort 30443 on the Nodes
Two things to keep in mind with this layout. With the Service's default externalTrafficPolicy (Cluster), kube-proxy on the forwarding Node SNATs each packet and sends it on to the controller Pod wherever it runs, so Nginx sees the Node's IP rather than the client's, and an ELB health check against the NodePort passes on every Node, not only on those that actually run the controller. And if the 443 listener is a plain TCP pass-through rather than terminating TLS at the ELB, Nginx inside the cluster terminates TLS, so every Ingress host needs a certificate in a Secret or the controller answers with its self-signed fake certificate.
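One way to make the two forwarding Nodes the real termination point, as an added example that is not part of the page's configuration: pin the controller Pods to those Nodes and switch the Service to `externalTrafficPolicy: Local`, so traffic stays on the Node that received it and the client IP survives. It assumes the forwarding Nodes carry a label `role=ingress` and a taint `dedicated=ingress:NoSchedule` (both names are assumptions); the container spec is the same as in the page's Deployment and is elided with a comment.

```yaml
# Added example (not from the page): run the controller only on the two
# forwarding Nodes and keep client traffic on the Node that received it.
# Assumed labelling/tainting of those Nodes:
#   kubectl label node <node> role=ingress
#   kubectl taint node <node> dedicated=ingress:NoSchedule
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: se
spec:
  replicas: 2                      # one controller per forwarding Node
  selector:
    matchLabels:
      app: nginx-ingress
      component: controller
      release: nginx-ingress
  template:
    metadata:
      labels:
        app: nginx-ingress
        component: controller
        release: nginx-ingress
    spec:
      serviceAccountName: nginx-ingress
      nodeSelector:
        role: ingress                # only the forwarding Nodes
      tolerations:                   # ...which are tainted against other Pods
      - key: dedicated
        operator: Equal
        value: ingress
        effect: NoSchedule
      affinity:
        podAntiAffinity:             # never two controllers on one Node
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                component: controller
            topologyKey: kubernetes.io/hostname
      containers:
      - name: nginx-ingress-controller
        image: hrb.xxxx.com/library/nginx-ingress-controller:0.26.1
        # args, env, ports, probes and securityContext exactly as in the
        # page's Deployment above.
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress-controller
  namespace: se
spec:
  type: NodePort
  # Local: no SNAT and no second hop; a Node without a controller Pod drops
  # NodePort traffic instead of forwarding it, so the ELB health check on
  # 30080 fails there and only the forwarding Nodes stay in service.
  externalTrafficPolicy: Local
  selector:
    app: nginx-ingress
    component: controller
    release: nginx-ingress
  ports:
  - name: http
    port: 80
    targetPort: http
    nodePort: 30080
  - name: https
    port: 443
    targetPort: https
    nodePort: 30443
```

With this in place the ELB health check must target the NodePort itself (a TCP check on 30080 is enough). Note that Local only preserves the address the ELB hands over: a TCP-mode ELB itself replaces the client address unless proxy protocol is enabled on the ELB and, through the controller ConfigMap key `use-proxy-protocol: "true"`, on Nginx.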
Deploying a test service
1. The Deployment for the test service
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: test-docker
    env: stg
  name: test-docker
  namespace: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test-docker
  template:
    metadata:
      labels:
        app: test-docker
        env: stg
    spec:
      containers:
      - env:
        - name: K8S_ENV
          value: stg
        - name: K8S_CLUSTER
          value: aws
        # Expose the container's own requests/limits to the application
        - name: CPU_REQUEST
          valueFrom:
            resourceFieldRef:
              containerName: test-docker
              divisor: "0"
              resource: requests.cpu
        - name: MEM_REQUEST
          valueFrom:
            resourceFieldRef:
              containerName: test-docker
              divisor: "0"
              resource: requests.memory
        - name: CPU_LIMIT
          valueFrom:
            resourceFieldRef:
              containerName: test-docker
              divisor: "0"
              resource: limits.cpu
        - name: MEM_LIMIT
          valueFrom:
            resourceFieldRef:
              containerName: test-docker
              divisor: "0"
              resource: limits.memory
        - name: TZ
          value: Asia/Shanghai
        - name: POD_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        image: hrb.xxx.com/test-docker:1.0.428.7eb2128
        imagePullPolicy: IfNotPresent
        name: test-docker
        ports:
        - containerPort: 8025
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /status
            port: 8025
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 5
        resources:
          limits:
            cpu: "1"
            memory: 2000Mi
          requests:
            cpu: 100m
            memory: 2000Mi
        volumeMounts:
        - mountPath: /etc/localtime
          name: host-time
          readOnly: true
        - mountPath: /data/logs      # writable hostPath, see note below
          name: log
        - mountPath: /app/conf
          name: config-volume
          readOnly: true
      volumes:
      - hostPath:
          path: /etc/localtime
          type: ""
        name: host-time
      - hostPath:
          path: /data/logs/test-docker-stg
          type: ""
        name: log
      - configMap:
          defaultMode: 420
          name: test-docker
        name: config-volume
The /data/logs volume is a writable hostPath: the container writes straight into the Node's filesystem, the Pod only behaves correctly on Nodes that have that directory, and a compromised application gets a foothold on the host. That is acceptable for a test service; for a production workload write logs to an emptyDir (or stdout) and let a log agent collect them.
2. The Service for the test service
apiVersion: v1
kind: Service
metadata:
  name: test-docker
  namespace: test
spec:
  ports:
  - name: http-8025
    port: 8025
    protocol: TCP
    targetPort: 8025
  selector:
    app: test-docker
  type: ClusterIP
3. The Ingress for the test service
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-docker
  namespace: test
spec:
  rules:
  - host: test.baidu.com
    http:
      paths:
      - backend:
          serviceName: test-docker
          servicePort: 8025
        path: /
The Ingress carries no kubernetes.io/ingress.class annotation. The controller on this page still picks it up, because an Ingress without the annotation is claimed by the controller whose --ingress-class is the default value nginx; if a second controller is ever added to the cluster, set the annotation explicitly so it is unambiguous which one serves the host.
That completes the test service. Point its domain name at the ELB and it can be reached by name.
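The controller listens on 443 and the ELB maps its 443 listener to NodePort 30443, but the Ingress above has no `tls` section, so an HTTPS request for test.baidu.com is answered with the controller's self-signed fake certificate. The manifest below is an added example, not from the page: a `kubernetes.io/tls` Secret with placeholder PEM values (the real certificate and key are the ones issued for the host) and the same Ingress extended with a `tls` entry and an explicit class annotation. The Secret name `test-docker-tls` is an assumption.

```yaml
# Added example (not from the page): terminate TLS for test.baidu.com at the
# ingress controller. Assumed Secret name: test-docker-tls.
apiVersion: v1
kind: Secret
metadata:
  name: test-docker-tls
  namespace: test            # must be the same namespace as the Ingress
type: kubernetes.io/tls
stringData:
  # Placeholders. In practice create the Secret from the issued files with
  #   kubectl create secret tls test-docker-tls -n test --cert=tls.crt --key=tls.key
  # instead of committing key material to a repository.
  tls.crt: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  tls.key: |
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-docker
  namespace: test
  annotations:
    kubernetes.io/ingress.class: nginx                 # matches --ingress-class=nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "true"   # 80 -> 443 (controller default once tls is set)
spec:
  tls:
  - hosts:
    - test.baidu.com
    secretName: test-docker-tls
  rules:
  - host: test.baidu.com
    http:
      paths:
      - path: /
        backend:
          serviceName: test-docker
          servicePort: 8025
```

To check the chain without touching DNS, pin the name to one forwarding Node and speak TLS to the NodePort: `curl -v --resolve test.baidu.com:30443:<node-ip> https://test.baidu.com:30443/status`. The certificate curl prints should be the issued one; if it is the "Kubernetes Ingress Controller Fake Certificate", the Secret is missing, in the wrong namespace, or not referenced by the Ingress.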
How does a service get exposed through Ingress and reached by domain name?
1. First create the ingress-nginx-controller. Its Service exposes the controller through NodePort, so every Node in the K8S cluster listens on the NodePort; this is effectively the Nginx server.
Where does the Nginx configuration come from? The controller watches the API Server. Once a user creates an Ingress for a service in the cluster, the controller reads the rules in that Ingress and writes them into the controller's Nginx configuration.
2. Create an AWS ELB with the forwarding Nodes as its targets. Any two Nodes would work, since all of them listen on the NodePort, but the dedicated forwarding Nodes from above keep the path predictable.
3. A user creates a service: Deployment, Service and Ingress. The Ingress maps a domain name to a Service, and the Service forwards to the actual Pods.
4. Point the domain name in the Ingress at the ELB address, and the service in the K8S cluster can be reached by that name.