In a Kubernetes cluster, an Ingress is a collection of rules that allow inbound connections to reach cluster Services. It gives you layer-7 load balancing: through Ingress you can configure externally reachable URLs, load balancing, SSL termination and name-based virtual hosting. As the traffic entry layer of the cluster, the reliability of the Ingress layer matters a great deal; this article walks through deploying a high-performance, highly available Ingress access layer.
Deploying a highly available Ingress Controller
https://help.aliyun.com/document_detail/86750.html?spm=a2c4g.11186623.6.740.1120e4ab7cwcWT
The code is hosted on GitHub:
https://github.com/kubernetes/ingress-nginx/tree/master/deploy
https://www.cnblogs.com/zhangb8042/p/10149429.html?tdsourcetag=s_pctim_aiomsg
https://www.cnblogs.com/linuxk/p/9706720.html
The official YAML manifest can be used for a one-step deployment:
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml
Enabling hostNetwork
When a Pod is run with hostNetwork: true it shares the node's network namespace, so the application inside binds ports directly on the node and any host on the node's network can reach it on that port. For the ingress controller that is the point: it listens on ports 80 and 443 of the node IP with no NodePort or cloud load balancer in between. Two consequences to plan for: only one such controller fits on a node (a second replica scheduled to the same node cannot bind the same ports and stays Pending), and nothing else on the node may be listening on 80/443; and because the Pod carries the node's IP rather than a Pod IP, NetworkPolicy objects generally do not apply to it, so exposure of those ports has to be controlled with host firewall rules or security groups.
# Edit mandatory.yaml (line 211)
      serviceAccountName: nginx-ingress-serviceaccount
      hostNetwork: true      # add this line
      containers:
Pull the image on the worker nodes ahead of time so the rollout is not slowed by the download, then pin the controller to a chosen node with a label.
nginx-ingress-controller
[root@k8s-node01 ~]# docker pull quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.22.0
[root@k8s-node02 ~]# docker images|grep nginx-ingress
quay.io/kubernetes-ingress-controller/nginx-ingress-controller   0.22.0   71892ebf5ccc   4 weeks ago   555MB
Pinning to a node: first label the node
kubectl label node 192.168.20.213 nginx=nginx-ingress
Show the node's labels
[root@k8s-master01 ingress-nginx]# kubectl get nodes 192.168.20.213 --show-labels
NAME             STATUS   ROLES    AGE   VERSION   LABELS
192.168.20.213   Ready    <none>   6d    v1.12.5   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,env_role=dev,kubernetes.io/hostname=192.168.20.213,nginx=nginx-ingress
To remove a label, append a minus sign to the key:
kubectl label node 192.168.20.213 nginx-
Edit mandatory.yaml so that nginx-ingress-controller is scheduled onto node 192.168.20.213:
    spec:
      serviceAccountName: nginx-ingress-serviceaccount
      hostNetwork: true
      nodeSelector:
        nginx: "nginx-ingress"
      containers:
        - name: nginx-ingress-controller
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.22.0
Apply the manifest
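For reference, the complete pod template of the controller Deployment as it looks once the two edits above are in place, written out here as an added example (it is not the page's manifest and not the upstream file verbatim). It adds two settings the page does not mention: dnsPolicy: ClusterFirstWithHostNet, which a hostNetwork Pod needs in order to keep resolving cluster-internal names through kube-dns/CoreDNS (with the default ClusterFirst policy a hostNetwork Pod silently falls back to the node's resolv.conf), and the container securityContext that drops every capability except NET_BIND_SERVICE and runs nginx as UID 33. The node label, image tag, namespace and service-account name follow the page; the Deployment labels, args and probe are assumptions and should be checked against your copy of mandatory.yaml.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
spec:
  # hostNetwork allows at most one controller per node: set replicas to the
  # number of nodes carrying the nginx=nginx-ingress label.
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx      # assumed label
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx    # assumed label
    spec:
      serviceAccountName: nginx-ingress-serviceaccount
      hostNetwork: true                          # bind 80/443 directly on the node IP
      dnsPolicy: ClusterFirstWithHostNet         # keep cluster DNS despite hostNetwork (added)
      nodeSelector:
        nginx: "nginx-ingress"                   # kubectl label node <node> nginx=nginx-ingress
      containers:
        - name: nginx-ingress-controller
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.22.0
          # --publish-service is deliberately absent: with hostNetwork there is no
          # Service in front of the controller to publish.
          args:
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --annotations-prefix=nginx.ingress.kubernetes.io
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
          securityContext:
            # The image relies on file capabilities (setcap) on the nginx binary to
            # bind 80/443 as a non-root user, which counts as privilege escalation.
            allowPrivilegeEscalation: true
            capabilities:
              drop: [ALL]
              add: [NET_BIND_SERVICE]
            runAsUser: 33      # www-data; this is the field SecurityContextDeny rejects
          livenessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
```

Running as UID 33 with all capabilities dropped is what limits the blast radius of a compromised controller on a host-network Pod: it sees every node interface, but it cannot open raw sockets, change the node's network configuration or escalate beyond the one capability it was granted.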
kubectl create -f mandatory.yaml
If the Pod is not created and the ReplicaSet events report:
Error creating: pods "nginx-ingress-controller-565dfd6dff-g977n" is forbidden: SecurityContext.RunAsUser is forbidden
the cause is the SecurityContextDeny admission plugin on kube-apiserver: it rejects any Pod that sets securityContext.runAsUser, and the controller manifest runs nginx as UID 33. The fix used here is to remove SecurityContextDeny from the admission plugin list and restart the apiserver:
# vim /opt/kubernetes/cfg/kube-apiserver
# systemctl restart kube-apiserver.service
Original configuration (delete the SecurityContextDeny entry from this list):
--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota,NodeRestriction --authorization-mode=RBAC,Node \
Be aware that this is a cluster-wide relaxation: after the change any Pod in any namespace may set runAsUser and the other securityContext fields SecurityContextDeny used to block. SecurityContextDeny is an all-or-nothing plugin; on a cluster of this vintage PodSecurityPolicy gives a per-workload decision instead. Note also that the --admission-control flag has been deprecated since Kubernetes 1.10 in favour of --enable-admission-plugins, although it still works on v1.12.
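A narrower alternative to dropping the check altogether, written here as an added example for this page (it is not the author's configuration and not part of the ingress-nginx project): replace SecurityContextDeny with the PodSecurityPolicy admission plugin and grant only the controller's service account a policy that allows exactly what it needs, namely hostNetwork on ports 80 and 443, UID 33 and NET_BIND_SERVICE. The namespace and service-account name follow the page; the policy and role names are assumptions. Two caveats: once PodSecurityPolicy admission is enabled, every Pod without a usable policy is rejected, so a permissive default policy for the rest of the cluster has to exist before the flag is switched; and PodSecurityPolicy was removed in Kubernetes 1.25 in favour of Pod Security Admission, so this applies to the v1.12 cluster on the page.

```yaml
# kube-apiserver flag (in /opt/kubernetes/cfg/kube-apiserver on this page): swap the plugin
# rather than just deleting it, then restart the apiserver.
#   --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction,PodSecurityPolicy
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: ingress-nginx-hostnet          # assumed name
spec:
  privileged: false
  hostNetwork: true                    # the one host-level privilege this controller needs
  hostPID: false
  hostIPC: false
  # With hostNetwork the API server defaults hostPort to containerPort, so these
  # ranges are enforced; add any other containerPort the controller declares.
  hostPorts:
    - min: 80
      max: 80
    - min: 443
      max: 443
  allowPrivilegeEscalation: true       # the controller image relies on file capabilities
  requiredDropCapabilities: [ALL]
  allowedCapabilities: [NET_BIND_SERVICE]
  runAsUser:
    rule: MustRunAs
    ranges:
      - min: 33                        # www-data, matching runAsUser in the controller manifest
        max: 33
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes: [secret, configMap, emptyDir, downwardAPI, projected]   # secret: the mounted SA token
---
# Only the controller's service account may "use" the policy above.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress-nginx-hostnet-psp      # assumed name
rules:
  - apiGroups: [policy]
    resources: [podsecuritypolicies]
    resourceNames: [ingress-nginx-hostnet]
    verbs: [use]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-nginx-hostnet-psp      # assumed name
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-hostnet-psp
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
```

Apply the policy and the bindings before switching the apiserver flag, then recreate the controller Deployment; a Pod in any other namespace that asks for hostNetwork or a fixed runAsUser is still refused, which is the property the page's fix gives up.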
# Check
[root@k8s-master01 ingress-nginx]# kubectl get pods -n ingress-nginx
NAME                                        READY   STATUS    RESTARTS   AGE
nginx-ingress-controller-6867f7cf74-bnqc4   1/1     Running   0          3m
Test
Create a Service and Deployment to route to
[root@k8s-m yaml]# cat ingress-deploy-demo.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  selector:              # label selector
    name: nginx
  ports:
    - port: 80           # Service port
      name: http         # port name
      targetPort: 80     # container port
      protocol: TCP      # protocol, TCP by default
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-nginx-deploy
spec:
  replicas: 3
  selector:
    matchLabels:
      name: nginx
  template:
    metadata:
      labels:
        name: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:alpine      # image
          ports:
            - name: http
              containerPort: 80    # container port
# Apply the YAML file
[root@k8s-m yaml]# kubectl apply -f ingress-deploy-demo.yaml
service/nginx-svc unchanged
deployment.apps/my-nginx-deploy created
# Check
[root@k8s-m yaml]# kubectl get pods
NAME                               READY   STATUS    RESTARTS   AGE
my-nginx-deploy-799879696c-7rlhl   1/1     Running   0          41s
my-nginx-deploy-799879696c-99v5g   1/1     Running   0          41s
my-nginx-deploy-799879696c-ljqjd   1/1     Running   0          41s
[root@k8s-m yaml]# kubectl get svc
NAME         TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.96.0.1      <none>        443/TCP   44m
nginx-svc    ClusterIP   10.96.182.50   <none>        80/TCP    3m43s
Create an Ingress that routes the host liu.test.com to nginx-svc, and so to the my-nginx-deploy Pods. extensions/v1beta1 is the Ingress API of the v1.12 cluster used here; it was removed in Kubernetes 1.22, where the same object is written as networking.k8s.io/v1 with a backend.service block.
[root@k8s-m yaml]# cat nginx-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-nginx
spec:
  rules:
    - host: liu.test.com
      http:
        paths:
          - backend:
              serviceName: nginx-svc
              servicePort: 80
[root@k8s-master01 ingress-nginx]# kubectl get ingress
NAME            HOSTS          ADDRESS   PORTS   AGE
ingress-nginx   liu.test.com             80      1h
Add a hosts entry on the test machine so the domain resolves to the node running the controller (curl's --resolve option does the same without touching /etc/hosts):
[root@k8s-master01 ingress-nginx]# cat /etc/hosts 192.168.20.213 liu.test.com
[root@k8s-master01 ingress-nginx]# curl liu.test.com
Production example 1
[root@k8s-M1 ~]# vim ingress01.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: fgateway
  namespace: test
spec:
  rules:
    - host: test2.xxx.com
      http:
        paths:
          - backend:
              serviceName: fgateway
              servicePort: 80
            path: /
          - backend:
              serviceName: show-h5
              servicePort: 80
            path: /h5
Production example 2
[root@k8s-M1 ~]# vim ingress02.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: show-admin              # Ingress name
  namespace: test               # namespace
spec:
  rules:
    - host: show-admin2.xxx.com
      http:
        paths:
          - path: /
            backend:
              serviceName: show-admin     # backend Service
              servicePort: 80             # Service port
          - path: /admin
            backend:
              serviceName: fadmin-gateway
              servicePort: 80
List the Ingresses
[root@k8s-M ingress]# kubectl -n test get ingress
NAME         HOSTS                 ADDRESS   PORTS   AGE
fgateway     test2.xxx.com                   80      21d
show-admin   show-admin2.xxx.com             80      2m