①下载Ingress-controller相关的YAML文件,并给Ingress-controller创建独立的名称空间;
②部署后端的服务,如tomcat,并通过service进行暴露;
③部署Ingress-controller的service,以实现接入集群外部流量;
④部署Ingress,进行定义规则,使Ingress-controller和后端服务的Pod组进行关联。
官方文档:https://github.com/kubernetes/ingress-nginx
选择0.20.0版本下载
[root@master]# unzip nginx-0.20.0.zip
[root@master]# cd /opt/ingress-nginx-nginx-0.20.0/deploy
[root@master deploy]# for i in namespace.yaml configmap.yaml rbac.yaml tcp-services-configmap.yaml with-rbac.yaml udp-services-configmap.yaml default-backend.yaml;do kubectl apply -f ${i};done
namespace "ingress-nginx" created
configmap "nginx-configuration" created
serviceaccount "nginx-ingress-serviceaccount" created
clusterrole "nginx-ingress-clusterrole" created
role "nginx-ingress-role" created
rolebinding "nginx-ingress-role-nisa-binding" created
clusterrolebinding "nginx-ingress-clusterrole-nisa-binding" created
configmap "tcp-services" created
deployment "nginx-ingress-controller" created
configmap "udp-services" created
deployment "default-http-backend" created
service "default-http-backend" created
拉取镜像失败,由于防火墙的原因,无法直接从gcr.io拉取镜像
[root@master deploy]# kubectl get pods -n ingress-nginx -o wide
NAME READY STATUS RESTARTS AGE IP NODE
default-http-backend-698f69dbc4-5mvbz 0/1 ImagePullBackOff 0 23m 172.20.123.15 172.16.10.198
nginx-ingress-controller-648c6774cb-dt47z 0/1 CrashLoopBackOff 8 23m 172.20.215.21 172.16.10.196
#查看拉取失败的镜像
[root@master deploy]# kubectl describe pod default-http-backend-698f69dbc4-5mvbz -n ingress-nginx
Warning Failed 23m (x4 over 25m) kubelet, 172.16.10.198 Failed to pull image "k8s.gcr.io/defaultbackend-amd64:1.5": rpc error: code = Unknown desc = Error response from daemon: Get https://k8s.gcr.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
Warning Failed 23m (x4 over 25m) kubelet, 172.16.10.198 Error: ErrImagePull
Normal BackOff 23m (x6 over 25m) kubelet, 172.16.10.198 Back-off pulling image "k8s.gcr.io/defaultbackend-amd64:1.5"
Warning Failed 57s (x97 over 25m) kubelet, 172.16.10.198 Error: ImagePullBackOff
在Pod所调度到的节点(这里是work1,即node1)上手动从docker.io拉取第三方镜像,然后重新打成k8s.gcr.io的标签。注意:拉取的是1.1版本,打上的却是官方的1.5标签,两者并非同一构建,仅作为绕过网络限制的临时替代。
[root@work1 ~]# docker pull googlecontainer/defaultbackend-amd64:1.1
[root@work1 ~]# docker tag googlecontainer/defaultbackend-amd64:1.1 k8s.gcr.io/defaultbackend-amd64:1.5
pod运行成功
[root@master ~]# kubectl get pods -n ingress-nginx -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
default-http-backend-5c9bb94849-w6wvj 1/1 Running 0 3h15m 10.244.2.3 work1 <none> <none>
nginx-ingress-controller-76747f564f-78g7l 1/1 Running 0 3h15m 10.244.2.2 work1 <none> <none>
创建NodePort类型的Service,以便在每个节点的30080/30443端口上接入集群外部流量
[root@master demo]# cat service-nodeport.yaml
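# NodePort Service in front of the ingress-nginx controller. Every node
# listens on 30080 (HTTP) and 30443 (HTTPS) and forwards to the controller
# pods; this is the entry point for traffic from outside the cluster.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
spec:
  type: NodePort
  ports:
  - name: http
    port: 80
    targetPort: 80     # controller container port
    protocol: TCP
    nodePort: 30080    # reachable as <any-node-ip>:30080 from outside the cluster
  - name: https
    port: 443
    targetPort: 443
    protocol: TCP
    nodePort: 30443
  # NOTE(review): this selector must match the labels of the
  # nginx-ingress-controller pods created by with-rbac.yaml; confirm with
  # `kubectl get endpoints ingress-nginx -n ingress-nginx` that the controller
  # pod IP is listed, otherwise the Service has no backends.
  selector:
    app: ingress-nginx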
[root@master demo]# kubectl apply -f service-nodeport.yaml
service/ingress-nginx created
[root@master demo]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default-http-backend ClusterIP 10.101.50.194 <none> 80/TCP 3h42m
ingress-nginx NodePort 10.110.240.115 <none> 80:30080/TCP,443:30443/TCP 8s
部署tomcat服务
[root@master_10.66.20.35 ~/ingress]# cat tomcat-deploy.yaml
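# ClusterIP Service for the tomcat pods. The Ingress below refers to it by
# the name `tomcat` on port 8080.
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: default
spec:
  selector:
    app: tomcat
    release: canary
  ports:
  - name: http
    targetPort: 8080
    port: 8080
  # NOTE(review): AJP is a connector protocol meant for a reverse proxy, not
  # for clients; the Ingress only uses port 8080, so this port can be dropped
  # unless an AJP-speaking front end actually needs it. The container binds
  # 8009 on 0.0.0.0 (see the netstat output), so exposing it here makes it
  # reachable from anywhere in the cluster.
  - name: ajp
    targetPort: 8009
    port: 8009
---
# Three tomcat replicas. The image tag is pinned (not `latest`), so a
# rollout always pulls the same version.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: tomcat
      release: canary
  template:
    metadata:
      name: tomcat
      labels:
        app: tomcat        # must match spec.selector above and the Service selector
        release: canary
    spec:
      containers:
      - name: tomcat
        image: tomcat:8.5.37-jre8-alpine
        # No readiness probe or resource limits are set; acceptable for a
        # demo, but the Service may route to a pod before tomcat has
        # finished starting.
        ports:
        - name: http
          containerPort: 8080
        - name: ajp
          containerPort: 8009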
[root@master demo]# kubectl apply -f tomcat-deploy.yaml
service/tomcat created
deployment.apps/tomcat-deploy created
进入tomcat的pod中进行查看是否监听8080和8009端口,并查看tomcat的svc
[root@master demo]# kubectl get pods -o wide |grep tomcat
tomcat-deploy-5f76d57bc5-2pnbv 1/1 Running 0 99s 10.244.0.7 master
tomcat-deploy-5f76d57bc5-2zvbx 1/1 Running 0 99s 10.244.1.3 work2
tomcat-deploy-5f76d57bc5-x72vn 1/1 Running 0 99s 10.244.2.5 work1
[root@master demo]# kubectl exec tomcat-deploy-5f76d57bc5-2pnbv -- netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 1/java
tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN 1/java
tcp 0 0 0.0.0.0:8009 0.0.0.0:* LISTEN 1/java
编写tomcat的ingress规则,并创建ingress资源
[root@master demo]# cat ingress-tomcat.yaml
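# Ingress rule mapping the virtual host tomcat.7even.com to the tomcat
# Service on port 8080. The annotation selects the nginx controller deployed
# above. No TLS is configured here, so this host is served over plain HTTP
# on nodePort 30080.
apiVersion: extensions/v1beta1   # deprecated API group; newer clusters use networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-tomcat
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: tomcat.7even.com
    http:
      paths:
      # `path` is left empty (stored as null, see the last-applied
      # configuration); presumably treated as the catch-all "/" by this
      # controller version — confirm against the controller docs.
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080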
[root@master demo]# kubectl apply -f ingress-tomcat.yaml
ingress.extensions/ingress-tomcat created
[root@master demo]# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
ingress-tomcat tomcat.7even.com 80 82s
[root@master demo]# kubectl describe ingress
Name: ingress-tomcat
Namespace: default
Address:
Default backend: default-http-backend:80 (<none>)
Rules:
Host Path Backends
---- ---- --------
tomcat.7even.com
tomcat:8080 (10.244.0.8:8080,10.244.1.4:8080,10.244.2.6:8080)
Annotations:
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx"},"name":"ingress-tomcat","namespace":"default"},"spec":{"rules":[{"host":"tomcat.7even.com","http":{"paths":[{"backend":{"serviceName":"tomcat","servicePort":8080},"path":null}]}}]}}
kubernetes.io/ingress.class: nginx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 60s nginx-ingress-controller Ingress default/ingress-tomcat
为tomcat服务增加TLS认证
生成自签证书(openssl req -x509 未指定-days时,证书默认有效期为30天;自签证书不被客户端信任,浏览器会提示警告)
[root@master demo]# openssl genrsa -out tls.key 2048
Generating RSA private key, 2048 bit long modulus
...............+++
.........+++
e is 65537 (0x10001)
[root@master demo]# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Hangzhou/L=dtstack/O=DevOps/CN=tomcat.7even.com
将证书和私钥保存为TLS类型的Secret对象(私钥文件tls.key仍留在当前目录,使用完后应妥善保管或删除)
[root@master demo]# kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key
secret/tomcat-ingress-secret created
[root@master demo]# kubectl get secret
NAME TYPE DATA AGE
default-token-5qgfw kubernetes.io/service-account-token 3 4h26m
tomcat-ingress-secret kubernetes.io/tls 2 7s
[root@master demo]# kubectl describe secret tomcat-ingress-secret
Name: tomcat-ingress-secret
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/tls
Data
====
tls.crt: 1294 bytes
tls.key: 1679 bytes
创建启用TLS的Ingress(tls.hosts和rules.host必须与证书中的CN tomcat.7even.com一致,否则客户端会报证书域名不匹配)
[root@master demo]# cat ingress-tomcat-tls.yaml
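# Same routing rule as ingress-tomcat, but TLS is terminated at the
# controller with the certificate stored in the tomcat-ingress-secret Secret.
apiVersion: extensions/v1beta1   # deprecated API group; newer clusters use networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-tomcat-tls
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    # Must match the certificate CN (tomcat.7even.com, from the openssl req
    # command above) and the rule host below. The `kubectl get ingress`
    # output shows the applied object used tomcat.7even.com, so the
    # tomcat.magedu.com value printed earlier was a copy error and is
    # corrected here; a mismatch would make clients reject the certificate.
    - tomcat.7even.com
    secretName: tomcat-ingress-secret   # kubernetes.io/tls Secret in the same namespace
  rules:
  - host: tomcat.7even.com
    http:
      paths:
      # NOTE(review): ingress-tomcat (plain HTTP) still exists for this host;
      # whether HTTP requests are redirected to HTTPS depends on the
      # controller's ssl-redirect setting — verify rather than assume.
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080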
[root@master demo]# kubectl apply -f ingress-tomcat-tls.yaml
ingress.extensions/ingress-tomcat-tls created
[root@master demo]# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
ingress-myapp robin.7even.com 80 14m
ingress-tomcat tomcat.7even.com 80 7m22s
ingress-tomcat-tls tomcat.7even.com 80, 443 40s