Kubernetes Ingress Component

Reader submission, 238, 2022-10-27


What the Ingress component does

Contents:
How k8s exposes services externally
Introduction to Ingress and Ingress-controller
Exposing a service with Ingress
Accessing nginx-deployment through Ingress

How k8s exposes services externally

k8s exposes services externally in three ways: NodePort, LoadBalancer and Ingress, each with its own limitations. With NodePort, the number of open ports grows with the number of services and becomes hard to manage. LoadBalancer is better suited to use with a cloud provider's LB, but an external LB is a non-trivial cost. Ingress is the way to expose services that k8s officially provides, and it is the mainstream choice in production today. From my point of view, Ingress is more like a scheduler in front of Nginx reverse proxies: it acts as the single entry point for traffic into the cluster and can proxy to backends based on domain name, URL and so on.

Introduction to Ingress and Ingress-controller

Ingress is a k8s resource object used to expose services externally. It defines bindings between hostnames (domain names) plus URLs and the corresponding backend Services (k8s Services), and routes traffic according to the path. The Ingress Controller is a pod service that wraps a web front-end load balancer and, on top of it, dynamically watches Ingress objects and generates the load balancer's configuration from their definitions. The Nginx-Ingress-Controller, for example, is essentially an Nginx, except that it generates the Nginx configuration file dynamically from Ingress resources and then reloads it dynamically. In my view, the great value of the Ingress Controller is that it ties the front-end load balancer and Kubernetes together: on one hand it makes configuration management convenient on cloud and container platforms, and on the other hand it gives the cluster a single traffic entry point instead of punching many holes into the cluster the way NodePort does. So, in short, to use Ingress you first deploy an Ingress-Controller instance (the equivalent of the front-end Nginx) and then create Ingress objects (the Nginx configuration expressed as k8s resources); once the Ingress Controller is deployed, it detects newly created Ingress objects and generates the corresponding configuration. There are many Ingress Controller implementations: some based on Nginx, some on HAProxy, the Kong Ingress Controller based on OpenResty, and others. For more controllers see the Nginx Ingress-Controller: ingress-nginx.

Exposing a service with Ingress

Version: k8s v1.16.0 installed from binaries. Following my earlier blog post, deploy an nginx service and then expose it externally through Ingress.

Deployment + Service: nginx-deployment.yml

---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx-deployment
  name: nginx-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-deployment
  template:
    metadata:
      labels:
        app: nginx-deployment
    spec:
      containers:
      - image: nginx:1.8
        name: nginx
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: nginx-deployment
  name: nginx-deployment
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx-deployment

kubectl apply -f nginx-deployment.yml

Install the Ingress-controller: mandatory.yaml

Because the local cluster has few nodes, the default Deployment type cannot fail the resolved address over automatically, so we choose a DaemonSet controller instead: every node then runs an Ingress-controller that we can direct traffic to, with no single node carrying all the load. With hostNetwork: true in the spec below, the controller binds ports 80 and 443 directly in each node's network namespace, which is why the hosts entry used later can point at any node's address. Since the Ingress-controller image itself is larger than 500MB, in production we can use the Deployment type instead and provide a highly available VIP between nodes with KeepAlived.

Change the controller definition to:

apiVersion: apps/v1
kind: DaemonSet

mandatory.yaml:

apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: tcp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: udp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses/status
    verbs:
      - update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "<election-id>-<ingress-class>"
      # Here: "<ingress-controller-leader>-<nginx>"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  # replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
    spec:
      hostNetwork: true
      serviceAccountName: nginx-ingress-serviceaccount
      containers:
        - name: nginx-ingress-controller
          image: lizhenliang/nginx-ingress-controller:0.20.0
          args:
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx
            - --annotations-prefix=nginx.ingress.kubernetes.io
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            # www-data -> 33
            runAsUser: 33
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
---

kubectl apply -f mandatory.yaml

Then create the Ingress that exposes port 80 of the nginx-deployment Service:

# http
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: example-ingress
spec:
  rules:
  - host: blog.ljy.com
    http:
      paths:
      - backend:
          serviceName: nginx-deployment
          servicePort: 80

Explanation:
host: nginx.kube.com: the domain name used for external access;
serviceName: nginx: the name of the Service being exposed;
servicePort: 80: the port the nginx Service listens on;

Then add the matching entry to hosts and test by visiting the domain in a browser:

[root@master1 ingress]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.1.75 master1.ljy.com master
172.16.1.76 node1.ljy.com node1
172.16.1.77 node2.ljy.com node2
172.16.1.78 master2.ljy.com master2
127.0.0.1   blog.ljy.com
[root@master1 ingress]# curl blog.ljy.com
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and working. Further configuration is required.

For online documentation and support please refer to nginx.org.
Commercial support is available at nginx.com.

Thank you for using nginx.

Setting up HTTPS access

This requires importing the certificate into k8s. A publicly trusted certificate has to be purchased from a certificate authority; for local testing we issue one from a local CA, using cfssl.

Generate the key and certificate for the domain

curl -L -o /usr/local/bin/cfssl ...
curl -L -o /usr/local/bin/cfssljson ...
curl -L -o /usr/local/bin/cfssl-certinfo ...
cp -rf cfssl cfssl-certinfo cfssljson /usr/local/bin
chmod +x /usr/local/bin/cfssl*
cat > ca-config.json <<EOF
...
EOF
cat > ca-csr.json <<EOF
...
EOF
cat > blog.ljy.com-csr.json <<EOF
...
EOF

Import the generated key and certificate into a k8s secret

[root@master1 TLS]# kubectl create secret tls blog-ljy-com --cert=blog.ljy.com.pem --key=blog.ljy.com-key.pem
[root@master1 TLS]# kubectl get secret
NAME                  TYPE                                  DATA   AGE
blog-ljy-com          kubernetes.io/tls                     2      3h10m
default-token-nsxx5   kubernetes.io/service-account-token   3      8d

Write an ingress.yaml with HTTPS access; secretName: blog-ljy-com is the secret just added to k8s:

# http
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: example-ingress
spec:
  rules:
  - host: blog.ljy.com
    http:
      paths:
      - backend:
          serviceName: nginx-deployment
          servicePort: 80
---
# https
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tls-example-ingress
spec:
  tls:
  - hosts:
    - blog.ljy.com
    secretName: blog-ljy-com
  rules:
  - host: blog.ljy.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-deployment
          servicePort: 80
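Added example (Python; not code from the original post or from ingress-nginx): a simplified model of how the controller resolves a request against the Ingress rules above, the http-only example-ingress and the tls-example-ingress, going a little beyond them to show that a rule with no host applies to every Host header, that host-specific rules and longer path prefixes win, and that the TLS secret only covers hosts listed under spec.tls. The catch-all Ingress and the default-site backend are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, simplified model of the Ingress semantics described above
# (not ingress-nginx's own code): a rule whose host is None applies to every
# Host header; among matching rules a host-specific rule beats a host-less one,
# and within that the longest path prefix wins.

@dataclass(frozen=True)
class Backend:
    service_name: str
    service_port: int

@dataclass
class Ingress:
    name: str
    # (host or None, [(path, Backend), ...]); "/" stands for the backend-only
    # entry in example-ingress, which matches every request for that host.
    rules: List[Tuple[Optional[str], List[Tuple[str, Backend]]]]
    tls_hosts: frozenset = frozenset()   # hosts listed under spec.tls

def _prefix_matches(rule_path: str, req_path: str) -> bool:
    """Prefix match on path-element boundaries: /api matches /api/v1, not /apiv1."""
    rule_path = rule_path.rstrip("/") or "/"
    if rule_path == "/":
        return True
    return req_path == rule_path or req_path.startswith(rule_path + "/")

def route(ingresses: List[Ingress], host: str, path: str) -> Tuple[Optional[Backend], bool]:
    """Return (backend, has_tls); has_tls is True when the winning Ingress lists
    the host under spec.tls, i.e. the controller has a certificate for it."""
    best = None  # (host-specific?, prefix length, backend, has_tls)
    for ing in ingresses:
        for rule_host, paths in ing.rules:
            if rule_host is not None and rule_host != host:
                continue
            for rule_path, backend in paths:
                if _prefix_matches(rule_path, path):
                    key = (rule_host is not None, len(rule_path.rstrip("/")))
                    if best is None or key > best[:2]:
                        best = (*key, backend, host in ing.tls_hosts)
    return (best[2], best[3]) if best else (None, False)

NGINX = Backend("nginx-deployment", 80)
# The two manifests from this page as data, plus a constructed host-less catch-all.
HTTP_ONLY = Ingress("example-ingress", [("blog.ljy.com", [("/", NGINX)])])
WITH_TLS = Ingress("tls-example-ingress", [("blog.ljy.com", [("/", NGINX)])],
                   tls_hosts=frozenset({"blog.ljy.com"}))
CATCH_ALL = Ingress("catch-all", [(None, [("/", Backend("default-site", 8080))])])
```

With only example-ingress loaded, route([HTTP_ONLY], "blog.ljy.com", "/") reaches nginx-deployment:80 but has_tls is False, which is exactly the state before the secret and tls block were added; with tls-example-ingress it becomes True.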

Test in a browser (the local hosts resolution has to be written first; it can point at the address of any backend Node).
