kubernetes 的service服务我们提到过。service 可以用nodePort的方式和调用公有云LBAAS服务 来对于集群外的client提供服务访问,但是service是工作的osi7层协议中的4层,故而他无法进行 https的证书卸载工作(这里不包含使用LBAAS服务,因为现在公有云LB 服务一般是支持挂载证书的),而且四层协议不理解域名和基于restful风格的api。这样的接口暴露并不是我们想要的。
kubernetes 引入了一个新的概念叫 ingress(抽象层) 和 ingress 控制下的 Pod( ingress controller)
流量走向
ingress -------> ingress controller ------------> pod 其中 pod 之上的一层service 用来做分类,把配置信息动态注入 ingress 使 ingress controller 直接 接触底层pod
安装一个官方的ingress 来深入理解一下
准备一个 tomcat service 采用 clluster 方式即可
官方文档地址
https://kubernetes.github.io/ingress-nginx/deploy/#prerequisite-generic-deployment-command
安装步骤分三步
第一步
[root@master ~]# kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply namespace/ingress-nginx configured 创建命名空间 configmap/nginx-configuration created 创建 nginx configmap configmap/tcp-services created 创建 tcp configmap configmap/udp-services created 创建 upd configmap serviceaccount/nginx-ingress-serviceaccount created clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole created role.rbac.authorization.k8s.io/nginx-ingress-role created rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding created clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding created rbac 角色访问控制执行 deployment.apps/nginx-ingress-controller created 底层pod 执行 得到结果为 pod运行了一个 可以来理解为一个nginx 实例
[root@master song]# kubectl get pod -n ingress-nginx -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES nginx-ingress-controller-797b884cbc-zcqsv 1/1 Running 0 10h 10.244.2.182 k8s-node1 <none> <none>
第二步
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/cloud-generic.yaml
[root@master song]# cat cloud-generic.yaml kind: Service apiVersion: v1 metadata: name: ingress-nginx namespace: ingress-nginx labels: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx spec: type: NodePort selector: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx ports: - name: http port: 80 targetPort: http nodePort: 30080 - name: https port: 443 targetPort: https nodePort: 30443
运行结果
[root@master song]# kubectl get svc -n ingress-nginx -o wide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
ingress-nginx NodePort 10.99.227.13 <none> 80:30080/TCP,443:30443/TCP 9m16s app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx
第三步启动 ingress
[root@master song]# cat ingress-1.yaml apiVersion: extensions/v1beta1 kind: Ingress metadata: name: test-ingress annotations: nginx.ingress.kubernetes.io/rewrite-target: / spec: rules: - http: paths: - path: / backend: serviceName: tomcat servicePort: 8080
[root@master song]# kubectl apply -f ingress-1.yaml
ingress.extensions/test-ingress created
[root@master song]# kubectl describe ingresses.extensions
Name: test-ingress
Namespace: default
Address:
Default backend: default-http-backend:80 (<none>)
Rules:
Host Path Backends
---- ---- --------
*
/ tomcat:8080 (<none>)
Annotations:
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"nginx.ingress.kubernetes.io/rewrite-target":"/"},"name":"test-ingress","namespace":"default"},"spec":{"rules":[{"http":{"paths":[{"backend":{"serviceName":"tomcat","servicePort":8080},"path":"/"}]}}]}}
nginx.ingress.kubernetes.io/rewrite-target: /
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 7h9m nginx-ingress-controller Ingress default/test-ingress