Kubernetes（十三）ingress-nginx

在 Kubernetes 集群中，Ingress 是授权入站连接到达集群服务的规则集合，为您提供七层负载均衡能力，您可以通过 Ingress 配置提供外部可访问的 URL、负载均衡、SSL、基于名称的虚拟主机等。作为集群流量接入层，Ingress 的高可靠性显得尤为重要，本文探讨如何部署一套高性能高可靠的 Ingress 接入层。

部署高可靠Ingress Controlle

https://help.aliyun.com/document_detail/86750.html?spm=a2c4g.11186623.6.740.1120e4ab7cwcWT

代码托管在git

https://github.com/kubernetes/ingress-nginx/tree/master/deploy

https://www.cnblogs.com/zhangb8042/p/10149429.html?tdsourcetag=s_pctim_aiomsg

https://www.ilanni.com/?p=14501#%E4%BA%94%E3%80%81%E5%AE%89%E8%A3%85%E5%92%8C%E9%85%8D%E7%BD%AEingress-controller

https://www.cnblogs.com/linuxk/p/9706720.html

可以用官方提供的yaml脚本，一键部署

wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml

启用hostNetwork网络

如果在Pod中使用hostNetwork:true配置网络，那么Pod中运行的应用程序可以直接使用node节点的端口，这样node节点主机所在网络的其他主机，都可以通过该端口访问到此应用程序。

#修改amndatory.yaml文件（211行）

    serviceAccountName: nginx-ingress-serviceaccount
    hostNetwork: true  #添加这行
    containers:

可以事先在node节点pull镜像，防止下载过慢，然后绑定标签运行在指定node节点

nginx-ingress-controller

[root@k8s-node01 ~]# docker pull quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.22.0
[root@k8s-node02 ~]# docker images|grep nginx-ingress
quay.io/kubernetes-ingress-controller/nginx-ingress-controller                   0.22.0              71892ebf5ccc        4 weeks ago         555MB

指定运行节点，首先给node加标签

kubectl label node 192.168.20.213 nginx=nginx-ingress

查看node节点标签

[root@k8s-master01 ingress-nginx]# kubectl get nodes 192.168.20.213 --show-labels
NAME             STATUS    ROLES     AGE       VERSION   LABELS
192.168.20.213   Ready     <none>    6d        v1.12.5   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,env_role=dev,kubernetes.io/hostname=192.168.20.213,nginx=nginx-ingress

删除标签key后面增加减号

kubectl label node 192.168.20.213 nginx-

修改mandatory.yaml文件，指定nginx-ingress-controller运行到指定的 192.168.20.213 node节点上

spec:
      serviceAccountName: nginx-ingress-serviceaccount
      hostNetwork: true
      nodeSelector:
        nginx: "nginx-ingress"
      containers:
        - name: nginx-ingress-controller
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.22.0

导入

kubectl create -f  mandatory.yaml

pod无法创建，或者报错

Error creating: pods "nginx-ingress-controller-565dfd6dff-g977n" is forbidden: SecurityContext.RunAsUser is forbidden

删除：SecurityContextDeny 

# vim /opt/kubernetes/cfg/kube-apiserver
systemctl restart kube-apiserver.service

原配置：

--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota,NodeRestriction --authorization-mode=RBAC,Node \

#查看

[root@k8s-master01 ingress-nginx]#  kubectl  get pods -n ingress-nginx
NAME                                        READY     STATUS    RESTARTS   AGE
nginx-ingress-controller-6867f7cf74-bnqc4   1/1       Running   0          3m

测试

创建一个基于service和Deployment

[root@k8s-m yaml]# cat ingress-deploy-demo.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  selector: #标签选择
    name: nginx
  ports:
  - port: 80 #服务器端口
    name: http #名称
    targetPort: 80 #容器端口
    protocol: TCP #协议,默认TCP
 
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-nginx-deploy
spec:
  replicas: 3
  selector:
    matchLabels:
      name: nginx
  template:
    metadata:
      labels:
        name: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:alpine #镜像
        ports:
        - name: http
          containerPort: 80 #容器端口

#导入yaml文件

[root@k8s-m yaml]# kubectl apply -f   ingress-deploy-demo.yaml
service/nginx-svc unchanged
deployment.apps/my-nginx-deploy created

#查看

[root@k8s-m yaml]# kubectl  get pods
NAME                               READY   STATUS    RESTARTS   AGE
my-nginx-deploy-799879696c-7rlhl   1/1     Running   0          41s
my-nginx-deploy-799879696c-99v5g   1/1     Running   0          41s
my-nginx-deploy-799879696c-ljqjd   1/1     Running   0          41s
[root@k8s-m yaml]# kubectl  get svc
NAME         TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.96.0.1      <none>        443/TCP   44m
nginx-svc    ClusterIP   10.96.182.50   <none>        80/TCP    3m43s

创建一个 基于 my-nginx-deploy的 ingress

[root@k8s-m yaml]# cat nginx-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-nginx
spec:
  rules:
  - host: liu.test.com
    http:
      paths:
      - backend:
          serviceName: nginx-svc
          servicePort: 80

[root@k8s-master01 ingress-nginx]# kubectl  get ingress
NAME            HOSTS          ADDRESS   PORTS     AGE
ingress-nginx   liu.test.com             80        1h

修改本地hosts解析（域名绑定到node节点上）

[root@k8s-master01 ingress-nginx]# cat /etc/hosts
192.168.20.213 liu.test.com

[root@k8s-master01 ingress-nginx]# curl liu.test.com

生产实例1

[root@k8s-M1 ~]# vim ingress01.yaml 
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: fgateway
  namespace: test
spec:
  rules:
  - host: test2.xxx.com
    http:
      paths:
      - backend:
          serviceName: fgateway
          servicePort: 80
        path: /
      - backend:
          serviceName: show-h5
          servicePort: 80
        path: /h5

生产实例2

[root@k8s-M1 ~]# vim ingress02.yaml 
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: show-admin            # ingress 名称
  namespace: test        # 命名空间
spec:
  rules:
  - host: show-admin2.xxx.com
    http:
      paths:
      - path: /
        backend:
          serviceName: show-admin # 后端service         
          servicePort: 80 # service 端口
      - path: /admin
        backend:
          serviceName: fadmin-gateway
          servicePort: 80

查看ingress

[root@k8s-M ingress]# kubectl -n test get ingress 
NAME         HOSTS                         ADDRESS   PORTS     AGE
fgateway     test2.xxx.com                   80        21d
show-admin   show-admin2.xxx.com             80        2m