  • k8s: a production example of nginx-ingress deployed as a DaemonSet

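    The previous post reached services inside the k8s cluster through a node IP plus a non-80 port. In production it is preferable to reach those services through a node IP on port 80.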

    # Edit the section of mandatory.yaml that creates the controller
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: nginx-ingress-controller
      namespace: ingress-nginx
    spec:
      selector:
        matchLabels:
          app: ingress-nginx
      template:
        metadata:
          labels:
            app: ingress-nginx
          annotations:
            prometheus.io/port: "10254"
            prometheus.io/scrape: "true"
        spec:
          serviceAccountName: nginx-ingress-serviceaccount
          hostNetwork: true
          containers:
            - name: nginx-ingress-controller
              image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.24.1
              args:
                - /nginx-ingress-controller
                - --configmap=$(POD_NAMESPACE)/nginx-configuration
                - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
                - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
                - --publish-service=$(POD_NAMESPACE)/ingress-nginx
                - --annotations-prefix=nginx.ingress.kubernetes.io
              securityContext:
                allowPrivilegeEscalation: true
                capabilities:
                  drop:
                    - ALL
                  add:
                    - NET_BIND_SERVICE
                # www-data -> 33
                runAsUser: 33
              env:
                - name: POD_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.name
                - name: POD_NAMESPACE
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.namespace
              ports:
                - name: http
                  containerPort: 80
                - name: https
                  containerPort: 443
              livenessProbe:
                failureThreshold: 3
                httpGet:
                  path: /healthz
                  port: 10254
                  scheme: HTTP
                initialDelaySeconds: 10
                periodSeconds: 10
                successThreshold: 1
                timeoutSeconds: 10
              readinessProbe:
                failureThreshold: 3
                httpGet:
                  path: /healthz
                  port: 10254
                  scheme: HTTP
                periodSeconds: 10
                successThreshold: 1
                timeoutSeconds: 10
          nodeSelector:
            custom/ingress-controller-ready: "true"
    

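    The following places were changed:

    The Deployment was changed to a DaemonSet, and replicas was removed;

    The previous labels were simplified to app: ingress-nginx;

    hostNetwork: true was added so that the pod shares the host's network and the ports it listens on are exposed on the node;

    nodeSelector: the pod is deployed only on nodes that carry the custom/ingress-controller-ready label.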
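
With `hostNetwork: true`, every listener in the pod, including the 10254 health port that the probes use, is bound in the node's network namespace, so it is worth listing what each labelled node now exposes. The audit below is an added example, not part of the original post; `audit_daemonset` is a hypothetical helper that reads `kubectl get ds -o json` output, and `SAMPLE` is constructed from the manifest above.

```python
import json
import sys

# Constructed sample: the fields of `kubectl get ds -o json` output used below,
# filled in from the manifest in this post.
SAMPLE = {"spec": {"template": {"spec": {
    "hostNetwork": True,
    "nodeSelector": {"custom/ingress-controller-ready": "true"},
    "containers": [{
        "name": "nginx-ingress-controller",
        "ports": [{"containerPort": 80}, {"containerPort": 443}],
        "livenessProbe": {"httpGet": {"path": "/healthz", "port": 10254}},
        "readinessProbe": {"httpGet": {"path": "/healthz", "port": 10254}},
        "securityContext": {
            "allowPrivilegeEscalation": True,
            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
        },
    }],
}}}}


def audit_daemonset(ds):
    """List what a DaemonSet exposes on, or is allowed to do on, each node."""
    pod = ds["spec"]["template"]["spec"]
    findings = []
    if not pod.get("nodeSelector"):
        findings.append("no nodeSelector: pod runs on every schedulable node")
    for c in pod.get("containers", []):
        ports = {p["containerPort"] for p in c.get("ports", [])}
        # Probe targets are listeners too, even if not declared under `ports`.
        for probe in ("livenessProbe", "readinessProbe"):
            port = c.get(probe, {}).get("httpGet", {}).get("port")
            if isinstance(port, int):
                ports.add(port)
        if pod.get("hostNetwork") and ports:
            findings.append(f"{c['name']}: hostNetwork binds ports {sorted(ports)} on the node")
        sc = c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation", True):  # unset behaves as true
            findings.append(f"{c['name']}: allowPrivilegeEscalation is enabled")
        caps = sc.get("capabilities", {})
        extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if "ALL" not in caps.get("drop", []) or extra:
            findings.append(f"{c['name']}: capabilities not limited to NET_BIND_SERVICE")
    return findings


if __name__ == "__main__":
    # Pass a file holding real `kubectl get ds -o json` output, or run bare for SAMPLE.
    ds = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print("\n".join(audit_daemonset(ds)) or "no findings")
```

Ports that the audit reports but that clients do not need, such as 10254, can then be restricted by the node's firewall.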

    # Label the nodes
    kubectl label nodes k8s-node1 custom/ingress-controller-ready=true
    kubectl label nodes k8s-node2 custom/ingress-controller-ready=true
    
    # Publish myapp-svc through an Ingress; this part is unchanged
    cat ingress-myapp.yaml 
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: ingress-myapp
      namespace: default
      annotations:
        kubernetes.io/ingress.class: "nginx"
    spec:
      rules:
      - host: myapp.lixiang.com
        http:
          paths: 
          - path: /
            backend:
              serviceName: myapp-svc
              servicePort: 80
    kubectl apply -f ingress-myapp.yaml

    The usual practice is to install keepalived on the two nodes node1 and node2 to create a VIP, then map the domain name to that VIP in DNS.
    

    Reference blog: http://blog.itpub.net/28916011/viewspace-2214747/

  • Original article: https://www.cnblogs.com/fawaikuangtu123/p/11031012.html