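Deploying ingress-nginx and configuring HTTPS

1. Ingress

In Kubernetes, the IP addresses of Services and Pods are usable only inside the cluster network and are not visible to applications outside the cluster. To let external applications reach services inside the cluster, Kubernetes offers two Service types, NodePort and LoadBalancer, or alternatively Ingress. In essence, Ingress uses an HTTP proxy server to forward external HTTP requests to backend services inside the cluster.

2. Deploying ingress-nginx

The ingress-nginx component is made up of several parts:

  • configmap.yaml: provides a ConfigMap through which the nginx configuration can be updated online
  • default-backend.yaml: provides a default backend error page (404)
  • namespace.yaml: creates a separate namespace, ingress-nginx
  • rbac.yaml: creates the corresponding Role and RoleBinding used for RBAC
  • tcp-services-configmap.yaml: the ConfigMap for changing the L4 load-balancing configuration
  • udp-services-configmap.yaml: the ConfigMap for changing the L4 load-balancing configuration
  • with-rbac.yaml: the nginx-ingress-controller component with RBAC applied
  • service-nodeport.yaml: specifies nginx's ports 80 and 443

Download the deployment files, which are collected in a GitHub repository: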

for file in configmap.yaml default-backend.yaml namespace.yaml rbac.yaml tcp-services-configmap.yaml udp-services-configmap.yaml with-rbac.yaml service-nodeport.yaml;do
    wget https://raw.githubusercontent.com/fungitive/kubernetes/master/ingress-nginx/$file
done

Create the namespace:

kubectl apply -f namespace.yaml

Deploy everything else:

kubectl apply -f .

A successful deployment looks like this:

[[email protected] ~]# kubectl get pods -n ingress-nginx
NAME                                        READY     STATUS    RESTARTS   AGE
default-http-backend-8477465f57-fzgr8       1/1       Running   0          1d
nginx-ingress-controller-6bd7c597cb-hwgwz   1/1       Running   0          1d

[[email protected] ~]# kubectl get svc -n ingress-nginx
NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
default-http-backend   ClusterIP   10.97.181.78    <none>        80/TCP                       1d
ingress-nginx          NodePort    10.109.51.251   <none>        80:30080/TCP,443:30643/TCP   1d

Deploy an nginx application that uses the ingress-nginx service:

vi nginx-test.yaml

apiVersion: v1
kind: Service
metadata:
  name: test-ingress
  namespace: default
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: test-ingress
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: test-ingress
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: test-ingress
    spec:
      containers:
      - image: nginx:latest
        imagePullPolicy: IfNotPresent
        name: test-nginx
        ports:
        - containerPort: 80

vi nginx-ingress-yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: feiutest.cn
    http:
      paths:
      - path:
        backend:
          serviceName: test-ingress
          servicePort: 80

Once these have been created successfully, resolve the domain name on the node where the pod is running:

vi /etc/hosts

192.168.0.22 feiutest.cn

Test:

[[email protected] demo]# curl http://feiutest.cn:30080
this is test ingress-nginx

3. HTTPS configuration

Step 1: Create a self-signed certificate

[[email protected] demo]# openssl genrsa -out tls.key 2048

[[email protected] demo]# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Guangdong/L=Guangzhou/O=devops/CN=feiutest.cn

This produces two files:

[[email protected] demo]# ls
tls.crt  tls.key

Step 2: Create the secret (see the introduction to Secrets)

[[email protected] demo]# kubectl create secret tls nginx-test --cert=tls.crt --key=tls.key

[[email protected] demo]# kubectl get secret
NAME                     TYPE                                  DATA      AGE
nginx-test               kubernetes.io/tls                     2         17s

Step 3: Modify the Ingress

vi nginx-ingress-yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: feiutest.cn
    http:
      paths:
      - path:
        backend:
          serviceName: test-ingress
          servicePort: 80
  tls:
  - hosts:
    - feiutest.cn
    secretName: nginx-test

kubectl apply -f nginx-ingress-yaml

Test access:

https://feiutest.cn:30643

The page loads normally. Success!
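A pre-flight check for the tls.crt/tls.key pair from Step 1, run before it is stored with `kubectl create secret tls`. This is an added example, not part of the original post; the function name `check_tls_pair` and its return codes are hypothetical. It goes beyond the steps above by also checking for a subjectAltName and for the remaining validity. It assumes OpenSSL 1.1.1 or later (for `-addext`).

```shell
#!/bin/sh
# check_tls_pair CRT KEY HOST [MIN_DAYS]   (hypothetical helper, not a kubectl feature)
# Returns 0 ok, 1 key/cert mismatch, 2 no subjectAltName, 3 HOST not covered,
# 4 certificate expires within MIN_DAYS (default 7).
check_tls_pair() {
    crt=$1 key=$2 host=$3 min_days=${4:-7}

    # 1. The private key must correspond to the certificate's public key.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $crt"; return 1
    fi
    # 2. Current browsers and Go's TLS stack match subjectAltName only, never CN.
    case $(openssl x509 -in "$crt" -noout -text) in
        *'Subject Alternative Name'*) ;;
        *) echo "FAIL: $crt has no subjectAltName (CN only)"; return 2 ;;
    esac
    # 3. The certificate must cover the host named in the Ingress tls: block.
    case $(openssl x509 -in "$crt" -noout -checkhost "$host") in
        *'does match'*) ;;
        *) echo "FAIL: $crt does not cover $host"; return 3 ;;
    esac
    # 4. Without -days, `openssl req -x509` issues a certificate valid for 30 days.
    if ! openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: $crt expires within $min_days days"; return 4
    fi
    echo "OK: $crt and $key are usable for $host"
}

# Constructed sample input: the Step 1 commands run in a scratch directory, once
# as on the page (CN only) and once with a subjectAltName and -days added.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
subj=/C=CN/ST=Guangdong/L=Guangzhou/O=devops/CN=feiutest.cn
openssl genrsa -out "$demo/tls.key" 2048 2>/dev/null
openssl req -new -x509 -key "$demo/tls.key" -out "$demo/cn-only.crt" -subj "$subj"
openssl req -new -x509 -key "$demo/tls.key" -out "$demo/tls.crt" -subj "$subj" \
    -days 90 -addext "subjectAltName=DNS:feiutest.cn"
check_tls_pair "$demo/cn-only.crt" "$demo/tls.key" feiutest.cn || true   # code 2
check_tls_pair "$demo/tls.crt" "$demo/tls.key" feiutest.cn               # code 0
```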
