阿里云 ACK集群文档,容器服务ACK在基因计算、AI大数据等领域提供了高度集成的解决方案,结合IaaS高性能计算、网络能力,发挥容器的最佳性能。在多云混合云领域,容器服务ACK提供了多集群统一管理能力,您可在容器服务控制台,统一管理来自线下IDC,或者其他云上的Kubernetes集群。
购买集群、节点池
- 购买地址:选择托管版集群
- 选择节点池,并放在同一个 VPC 网络 -> 交换机下面。
- 购买单台服务器架设 VPN
- 购买2个公网IP
- NAT 网关,负责 SNAT 和 DNAT
集群拓扑架构图

安装必要组件
阿里云托管版集群中,有一些必要的组件需要手动安装。
Ingress
安装
在右上角搜索 ingress;为体验原汁原味的 K8S,选择 Nginx Ingress Controller 进行安装。

安装参数保持默认;点击确定即可。
配置
修改
kube-system 命名空间下的 nginx-ingress-controller 配置:将原有 Deployment 的副本数调整为 0,并新增一个 DaemonSet 守护进程,保证每个宿主机节点上都有一个 Ingress 入口。
apiVersion: apps/v1kind: DaemonSetmetadata:annotations:component.revision: '2'component.version: 1.1.0deployment.kubernetes.io/revision: '3'deprecated.daemonset.template.generation: '1'kubectl.kubernetes.io/last-applied-configuration: >{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{"component.revision":"2","component.version":"1.1.0"},"labels":{"app":"ingress-nginx"},"name":"nginx-ingress-controller","namespace":"kube-system"},"spec":{"minReadySeconds":0,"replicas":2,"revisionHistoryLimit":10,"selector":{"matchLabels":{"app":"ingress-nginx"}},"template":{"metadata":{"annotations":{"prometheus.io/port":"10254","prometheus.io/scrape":"true"},"labels":{"app":"ingress-nginx"}},"spec":{"affinity":{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"type","operator":"NotIn","values":["virtual-kubelet"]},{"key":"k8s.aliyun.com","operator":"NotIn","values":["true"]}]}]}},"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app","operator":"In","values":["ingress-nginx"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":100}]}},"containers":[{"args":["/nginx-ingress-controller","--election-id=ingress-controller-leader-nginx","--ingress-class=nginx","--watch-ingress-without-class","--controller-class=k8s.io/ingress-nginx","--configmap=$(POD_NAMESPACE)/nginx-configuration","--tcp-services-configmap=$(POD_NAMESPACE)/tcp-services","--udp-services-configmap=$(POD_NAMESPACE)/udp-services","--annotations-prefix=nginx.ingress.kubernetes.io","--publish-service=$(POD_NAMESPACE)/nginx-ingress-lb","--validating-webhook=:8443","--validating-webhook-certificate=/usr/local/certificates/cert","--validating-webhook-key=/usr/local/certificates/key","--v=2"],"env":[{"name":"POD_NAME","valueFrom":{"fieldRef":{"fieldPath":"metadata.name"}}},{"name":"POD_NAMESPACE","valueFrom":{"fieldRef":{"fieldPath":"metadata.namespace"}}},{"
name":"LD_PRELOAD","value":"/usr/local/lib/libmimalloc.so"}],"image":"registry-vpc.cn-shanghai.aliyuncs.com/acs/aliyun-ingress-controller:v1.1.0-aliyun.2","imagePullPolicy":"IfNotPresent","lifecycle":{"preStop":{"exec":{"command":["/wait-shutdown"]}}},"livenessProbe":{"failureThreshold":5,"httpGet":{"path":"/healthz","port":10254,"scheme":"HTTP"},"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1},"name":"nginx-ingress-controller","ports":[{"containerPort":80,"name":"http","protocol":"TCP"},{"containerPort":443,"name":"https","protocol":"TCP"},{"containerPort":8443,"name":"webhook","protocol":"TCP"}],"readinessProbe":{"failureThreshold":3,"httpGet":{"path":"/healthz","port":10254,"scheme":"HTTP"},"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1},"resources":{"requests":{"cpu":"90m","memory":"100Mi"}},"securityContext":{"allowPrivilegeEscalation":true,"capabilities":{"add":["NET_BIND_SERVICE"],"drop":["ALL"]},"runAsUser":101},"volumeMounts":[{"mountPath":"/usr/local/certificates/","name":"webhook-cert","readOnly":true},{"mountPath":"/etc/localtime","name":"localtime","readOnly":true}]}],"dnsPolicy":"ClusterFirst","hostNetwork":false,"initContainers":[{"command":["/bin/sh","-c","mount-o remount rw /proc/sys\nsysctl -w net.core.somaxconn=65535\nsysctl -wnet.ipv4.ip_local_port_range=\"1024 65535\"\nsysctl -wkernel.core_uses_pid=0\n"],"image":"registry-vpc.cn-shanghai.aliyuncs.com/acs/busybox:v1.29.2","name":"init-sysctl","securityContext":{"capabilities":{"add":["SYS_ADMIN"],"drop":["ALL"]}}}],"nodeSelector":{"kubernetes.io/os":"linux"},"priorityClassName":"system-node-critical","serviceAccountName":"ingress-nginx","terminationGracePeriodSeconds":300,"volumes":[{"name":"webhook-cert","secret":{"secretName":"ingress-nginx-admission"}},{"hostPath":{"path":"/etc/localtime","type":"File"},"name":"localtime"}]}}}}creationTimestamp: '2022-04-08T09:58:33Z'generation: 1labels:app: ingress-nginxmanagedFields:- 
apiVersion: apps/v1fieldsType: FieldsV1fieldsV1:'f:spec':'f:progressDeadlineSeconds': {}'f:replicas': {}'f:strategy':'f:rollingUpdate':.: {}'f:maxSurge': {}'f:maxUnavailable': {}'f:type': {}manager: rcoperation: Updatetime: '2022-03-10T06:14:09Z'- apiVersion: apps/v1fieldsType: FieldsV1fieldsV1:'f:metadata':'f:annotations':.: {}'f:component.revision': {}'f:component.version': {}'f:deployment.kubernetes.io/revision': {}'f:deprecated.daemonset.template.generation': {}'f:kubectl.kubernetes.io/last-applied-configuration': {}'f:labels':.: {}'f:app': {}'f:spec':'f:revisionHistoryLimit': {}'f:selector': {}'f:template':'f:metadata':'f:annotations':.: {}'f:prometheus.io/port': {}'f:prometheus.io/scrape': {}'f:labels':.: {}'f:app': {}'f:spec':'f:affinity':.: {}'f:podAntiAffinity':.: {}'f:preferredDuringSchedulingIgnoredDuringExecution': {}'f:containers':'k:{"name":"nginx-ingress-controller"}':.: {}'f:args': {}'f:env':.: {}'k:{"name":"LD_PRELOAD"}':.: {}'f:name': {}'f:value': {}'k:{"name":"POD_NAME"}':.: {}'f:name': {}'f:valueFrom':.: {}'f:fieldRef': {}'k:{"name":"POD_NAMESPACE"}':.: {}'f:name': {}'f:valueFrom':.: {}'f:fieldRef': {}'f:image': {}'f:imagePullPolicy': {}'f:lifecycle':.: {}'f:preStop':.: {}'f:exec':.: {}'f:command': {}'f:livenessProbe':.: {}'f:failureThreshold': {}'f:httpGet':.: {}'f:path': {}'f:port': {}'f:scheme': {}'f:initialDelaySeconds': {}'f:periodSeconds': {}'f:successThreshold': {}'f:timeoutSeconds': {}'f:name': {}'f:ports':.: {}'k:{"containerPort":443,"protocol":"TCP"}':.: {}'f:containerPort': {}'f:name': {}'f:protocol': {}'k:{"containerPort":80,"protocol":"TCP"}':.: {}'f:containerPort': {}'f:name': {}'f:protocol': {}'k:{"containerPort":8443,"protocol":"TCP"}':.: {}'f:containerPort': {}'f:name': {}'f:protocol': {}'f:readinessProbe':.: {}'f:failureThreshold': {}'f:httpGet':.: {}'f:path': {}'f:port': {}'f:scheme': {}'f:initialDelaySeconds': {}'f:periodSeconds': {}'f:successThreshold': {}'f:timeoutSeconds': {}'f:resources':.: {}'f:requests':.: {}'f:cpu': 
{}'f:memory': {}'f:securityContext':.: {}'f:allowPrivilegeEscalation': {}'f:capabilities':.: {}'f:add': {}'f:drop': {}'f:runAsUser': {}'f:terminationMessagePath': {}'f:terminationMessagePolicy': {}'f:volumeMounts':.: {}'k:{"mountPath":"/etc/localtime"}':.: {}'f:mountPath': {}'f:name': {}'f:readOnly': {}'k:{"mountPath":"/usr/local/certificates/"}':.: {}'f:mountPath': {}'f:name': {}'f:readOnly': {}'f:dnsPolicy': {}'f:initContainers':.: {}'k:{"name":"init-sysctl"}':.: {}'f:command': {}'f:image': {}'f:imagePullPolicy': {}'f:name': {}'f:resources': {}'f:securityContext':.: {}'f:capabilities':.: {}'f:add': {}'f:drop': {}'f:terminationMessagePath': {}'f:terminationMessagePolicy': {}'f:nodeSelector': {}'f:priorityClassName': {}'f:restartPolicy': {}'f:schedulerName': {}'f:securityContext': {}'f:serviceAccount': {}'f:serviceAccountName': {}'f:terminationGracePeriodSeconds': {}'f:volumes':.: {}'k:{"name":"localtime"}':.: {}'f:hostPath':.: {}'f:path': {}'f:type': {}'f:name': {}'k:{"name":"webhook-cert"}':.: {}'f:name': {}'f:secret':.: {}'f:defaultMode': {}'f:secretName': {}'f:updateStrategy':'f:rollingUpdate':.: {}'f:maxSurge': {}'f:maxUnavailable': {}'f:type': {}manager: ACK-Console Apache-HttpClientoperation: Updatetime: '2022-04-08T09:58:33Z'- apiVersion: apps/v1fieldsType: FieldsV1fieldsV1:'f:status':'f:availableReplicas': {}'f:conditions':.: {}'k:{"type":"Available"}':.: {}'f:lastTransitionTime': {}'f:lastUpdateTime': {}'f:message': {}'f:reason': {}'f:status': {}'f:type': {}'k:{"type":"Progressing"}':.: {}'f:lastTransitionTime': {}'f:lastUpdateTime': {}'f:message': {}'f:reason': {}'f:status': {}'f:type': {}'f:currentNumberScheduled': {}'f:desiredNumberScheduled': {}'f:numberAvailable': {}'f:numberMisscheduled': {}'f:numberReady': {}'f:observedGeneration': {}'f:readyReplicas': {}'f:replicas': {}'f:updatedNumberScheduled': {}'f:updatedReplicas': {}manager: kube-controller-manageroperation: Updatesubresource: statustime: '2022-04-10T09:21:25Z'name: 
nginx-ingress-controllernamespace: kube-systemresourceVersion: '47048176'uid: 78293e59-c8ea-4b19-9307-d4a097095fc5spec:revisionHistoryLimit: 10selector:matchLabels:app: ingress-nginxtemplate:metadata:annotations:prometheus.io/port: '10254'prometheus.io/scrape: 'true'labels:app: ingress-nginxspec:affinity:podAntiAffinity:preferredDuringSchedulingIgnoredDuringExecution:- podAffinityTerm:labelSelector:matchExpressions:- key: appoperator: Invalues:- ingress-nginxtopologyKey: kubernetes.io/hostnameweight: 100containers:- args:- /nginx-ingress-controller- '--election-id=ingress-controller-leader-nginx'- '--ingress-class=nginx'- '--watch-ingress-without-class'- '--controller-class=k8s.io/ingress-nginx'- '--configmap=$(POD_NAMESPACE)/nginx-configuration'- '--tcp-services-configmap=$(POD_NAMESPACE)/tcp-services'- '--udp-services-configmap=$(POD_NAMESPACE)/udp-services'- '--annotations-prefix=nginx.ingress.kubernetes.io'- '--publish-service=$(POD_NAMESPACE)/nginx-ingress-lb'- '--validating-webhook=:8443'- '--validating-webhook-certificate=/usr/local/certificates/cert'- '--validating-webhook-key=/usr/local/certificates/key'- '--v=2'env:- name: POD_NAMEvalueFrom:fieldRef:apiVersion: v1fieldPath: metadata.name- name: POD_NAMESPACEvalueFrom:fieldRef:apiVersion: v1fieldPath: metadata.namespace- name: LD_PRELOADvalue: /usr/local/lib/libmimalloc.soimage: >-registry-vpc.cn-shanghai.aliyuncs.com/acs/aliyun-ingress-controller:v1.1.0-aliyun.2imagePullPolicy: IfNotPresentlifecycle:preStop:exec:command:- /wait-shutdownlivenessProbe:failureThreshold: 5httpGet:path: /healthzport: 10254scheme: HTTPinitialDelaySeconds: 10periodSeconds: 10successThreshold: 1timeoutSeconds: 1name: nginx-ingress-controllerports:- containerPort: 80name: httpprotocol: TCP- containerPort: 443name: httpsprotocol: TCP- containerPort: 8443name: webhookprotocol: TCPreadinessProbe:failureThreshold: 3httpGet:path: /healthzport: 10254scheme: HTTPinitialDelaySeconds: 10periodSeconds: 10successThreshold: 1timeoutSeconds: 
1resources:requests:cpu: 90mmemory: 100MisecurityContext:allowPrivilegeEscalation: truecapabilities:add:- NET_BIND_SERVICEdrop:- ALLrunAsUser: 101terminationMessagePath: /dev/termination-logterminationMessagePolicy: FilevolumeMounts:- mountPath: /usr/local/certificates/name: webhook-certreadOnly: true- mountPath: /etc/localtimename: localtimereadOnly: truednsPolicy: ClusterFirstinitContainers:- command:- /bin/sh- '-c'- |mount -o remount rw /proc/syssysctl -w net.core.somaxconn=65535sysctl -w net.ipv4.ip_local_port_range="1024 65535"sysctl -w kernel.core_uses_pid=0image: 'registry-vpc.cn-shanghai.aliyuncs.com/acs/busybox:v1.29.2'imagePullPolicy: IfNotPresentname: init-sysctlresources: {}securityContext:capabilities:add:- SYS_ADMINdrop:- ALLterminationMessagePath: /dev/termination-logterminationMessagePolicy: FilenodeSelector:kubernetes.io/os: linuxpriorityClassName: system-node-criticalrestartPolicy: AlwaysschedulerName: default-schedulersecurityContext: {}serviceAccount: ingress-nginxserviceAccountName: ingress-nginxterminationGracePeriodSeconds: 300volumes:- name: webhook-certsecret:defaultMode: 420secretName: ingress-nginx-admission- hostPath:path: /etc/localtimetype: Filename: localtimeupdateStrategy:rollingUpdate:maxSurge: 0maxUnavailable: 1type: RollingUpdatestatus:currentNumberScheduled: 3desiredNumberScheduled: 3numberAvailable: 3numberMisscheduled: 0numberReady: 3observedGeneration: 1updatedNumberScheduled: 3
修改
kube-system 命名空间下的 Service 配置 nginx-ingress-lb:
- 外部流量策略:一定要选择 Local,否则在 Cluster 模式下请求会在节点间再转发一次,导致客户端源 IP 丢失。注意:下方粘贴的 Service 清单中 spec.externalTrafficPolicy 仍为 Cluster,应用前需核对。
- 节点端口:我这边不采用负载均衡(成本过高),而是采用节点端口(NodePort)以 4 层网络暴露给 SLB。
apiVersion: v1kind: Servicemetadata:annotations:kubectl.kubernetes.io/last-applied-configuration: >{"apiVersion":"v1","kind":"Service","metadata":{"annotations":{"service.beta.kubernetes.io/alibaba-cloud-loadbalancer-resource-group-id":"rg-aekzhqulpipexny"},"labels":{"app":"nginx-ingress-lb"},"name":"nginx-ingress-lb","namespace":"kube-system"},"spec":{"externalTrafficPolicy":"Local","ipFamilyPolicy":"SingleStack","ports":[{"name":"http","port":80,"targetPort":80},{"name":"https","port":443,"targetPort":443}],"selector":{"app":"ingress-nginx"},"type":"LoadBalancer"}}service.beta.kubernetes.io/alibaba-cloud-loadbalancer-resource-group-id: rg-aekzhqulpipexnycreationTimestamp: '2022-03-10T06:14:09Z'labels:app: nginx-ingress-lbmanagedFields:- apiVersion: v1fieldsType: FieldsV1fieldsV1:'f:metadata':'f:annotations':.: {}'f:kubectl.kubernetes.io/last-applied-configuration': {}'f:service.beta.kubernetes.io/alibaba-cloud-loadbalancer-resource-group-id': {}'f:labels':.: {}'f:app': {}'f:spec':'f:allocateLoadBalancerNodePorts': {}'f:internalTrafficPolicy': {}'f:ipFamilyPolicy': {}'f:ports':.: {}'k:{"port":443,"protocol":"TCP"}':.: {}'f:name': {}'f:port': {}'f:protocol': {}'f:targetPort': {}'k:{"port":80,"protocol":"TCP"}':.: {}'f:name': {}'f:port': {}'f:protocol': {}'f:targetPort': {}'f:selector': {}'f:sessionAffinity': {}manager: rcoperation: Updatetime: '2022-03-10T06:14:09Z'- apiVersion: v1fieldsType: FieldsV1fieldsV1:'f:spec':'f:externalTrafficPolicy': {}'f:ports':'k:{"port":443,"protocol":"TCP"}':'f:nodePort': {}'k:{"port":80,"protocol":"TCP"}':'f:nodePort': {}'f:type': {}manager: ACK-Console Apache-HttpClientoperation: Updatetime: '2022-03-28T07:51:54Z'name: nginx-ingress-lbnamespace: kube-systemresourceVersion: '42014734'uid: 38f86a16-1cd1-430a-9a9d-5bb913b92ebbspec:clusterIP: 172.16.161.244clusterIPs:- 172.16.161.244externalTrafficPolicy: ClusterinternalTrafficPolicy: ClusteripFamilies:- IPv4ipFamilyPolicy: SingleStackports:- name: httpnodePort: 31080port: 80protocol: 
TCPtargetPort: 80- name: httpsnodePort: 31443port: 443protocol: TCPtargetPort: 443selector:app: ingress-nginxsessionAffinity: Nonetype: NodePortstatus:loadBalancer: {}

