k8s 1.19.11 Ingress-nginx 的部署
| Ingress-NGINX version | k8s supported version | Alpine Version | |
|---|---|---|---|
| v1.5.1 | 1.25, 1.24, 1.23 | 3.16.2 | 1.21.6 |
| v1.4.0 | 1.25, 1.24, 1.23, 1.22 | 3.16.2 | 1.19.10† |
| v1.3.1 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.2 | 1.19.10† |
| v1.3.0 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.0 | 1.19.10† |
| v1.2.1 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.6 | 1.19.10† |
| v1.1.3 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.4 | 1.19.10† |
| v1.1.2 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† |
| v1.1.1 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† |
| v1.1.0 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† |
| v1.0.5 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† |
| v1.0.4 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† |
| v1.0.3 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† |
| v1.0.2 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† |
| v1.0.1 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† |
| v1.0.0 | 1.22, 1.21, 1.20, 1.19 | 3.13.5 | 1.20.1 |
-
文件地址:
mkdir -p /root/ingress && cd /root/ingress
# namespace
cat > namespace.yaml <<EOF
---
apiVersion: v1
kind: Namespace
metadata:
name: ingress-nginx
EOF
kubectl apply -f namespace.yamlconfigmap:
# configmap
cat > configmap.yaml <<EOF
---
kind: ConfigMap
apiVersion: v1
metadata:
name: nginx-configuration
namespace: ingress-nginx
labels:
app: ingress-nginx
EOFdefault-backend:
# default-backend
cat > default-backend.yaml <<EOF
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: default-http-backend
labels:
app: default-http-backend
namespace: ingress-nginx
spec:
replicas: 1
selector:
matchLabels:
app: default-http-backend
template:
metadata:
labels:
app: default-http-backend
spec:
terminationGracePeriodSeconds: 60
containers:
- name: default-http-backend
# Any image is permissible as long as:
# 1. It serves a 404 page at /
# 2. It serves 200 on a /healthz endpoint
image: registry.cn-hangzhou.aliyuncs.com/imges/defaultbackend:1.4 #gcr.io/google_containers/defaultbackend:1.4
livenessProbe:
httpGet:
path: /healthz
port: 8080
scheme: HTTP
initialDelaySeconds: 30
timeoutSeconds: 5
ports:
- containerPort: 8080
resources:
limits:
cpu: 10m
memory: 20Mi
requests:
cpu: 10m
memory: 20Mi
---
apiVersion: v1
kind: Service
metadata:
name: default-http-backend
namespace: ingress-nginx
labels:
app: default-http-backend
spec:
ports:
- port: 80
targetPort: 8080
selector:
app: default-http-backend
EOFrabc:
cat > rbac.yaml<<EOF
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: nginx-ingress-serviceaccount
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: nginx-ingress-clusterrole
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- "extensions"
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- "extensions"
resources:
- ingresses/status
verbs:
- update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: nginx-ingress-role
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
# Defaults to "<election-id>-<ingress-class>"
# Here: "<ingress-controller-leader>-<nginx>"
# This has to be adapted if you change either parameter
# when launching the nginx-ingress-controller.
- "ingress-controller-leader-nginx"
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: nginx-ingress-role-nisa-binding
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: nginx-ingress-role
subjects:
- kind: ServiceAccount
name: nginx-ingress-serviceaccount
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: nginx-ingress-clusterrole-nisa-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nginx-ingress-clusterrole
subjects:
- kind: ServiceAccount
name: nginx-ingress-serviceaccount
namespace: ingress-nginx
EOFtcp-services-configmap:
cat > tcp-services-configmap.yaml<<EOF
---
kind: ConfigMap
apiVersion: v1
metadata:
name: tcp-services
namespace: ingress-nginx
EOFudp-services-configmap:
cat > udp-services-configmap.yaml<<EOF
---
kind: ConfigMap
apiVersion: v1
metadata:
name: udp-services
namespace: ingress-nginx
EOFwith-rbac:
vim with-rbac.yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-ingress-controller
namespace: ingress-nginx
spec:
replicas: 1
selector:
matchLabels:
app: ingress-nginx
template:
metadata:
labels:
app: ingress-nginx
annotations:
prometheus.io/port: '10254'
prometheus.io/scrape: 'true'
spec:
serviceAccountName: nginx-ingress-serviceaccount
containers:
- name: nginx-ingress-controller
#quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.17.1
image: registry.cn-hangzhou.aliyuncs.com/imges/nginx-ingress-controller:0.17.1
args:
- /nginx-ingress-controller
- --default-backend-service=$(POD_NAMESPACE)/default-http-backend
- --configmap=$(POD_NAMESPACE)/nginx-configuration
- --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
- --udp-services-configmap=$(POD_NAMESPACE)/udp-services
- --publish-service=$(POD_NAMESPACE)/ingress-nginx
- --annotations-prefix=nginx.ingress.kubernetes.io
securityContext:
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
# www-data -> 33
runAsUser: 33
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
ports:
- name: http
containerPort: 80
- name: https
containerPort: 443
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
---启动镜像:
kubectl apply -f .
# 测试部署是否成功
kubectl get all -n ingress-nginx
NAME READY STATUS RESTARTS AGE
pod/default-http-backend-7486957d96-fl847 1/1 Running 0 68s
pod/nginx-ingress-controller-cd778548-46fwl 1/1 Running 5 4m1s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/default-http-backend ClusterIP 10.254.96.141 <none> 80/TCP 68s
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/default-http-backend 1/1 1 1 68s
deployment.apps/nginx-ingress-controller 1/1 1 1 4m1s
NAME DESIRED CURRENT READY AGE
replicaset.apps/default-http-backend-7486957d96 1 1 1 68s
replicaset.apps/nginx-ingress-controller-cd778548 1 1 1 4m1s
mkdir -p /root/ingress/test && cd /root/ingress/test
cat > deploy-demo.yaml<<EOF
apiVersion: v1
kind: Service
metadata:
name: myapp
namespace: default
spec:
selector:
app: myapp
release: canary
ports:
- name: http
targetPort: 80
port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp-backend-pod
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: myapp
release: canary
template:
metadata:
labels:
app: myapp
release: canary
spec:
containers:
- name: myapp
image: ikubernetes/myapp:v2
ports:
- name: http
containerPort: 80
EOF部署nginx:
# 1.部署
kubectl apply -f deploy-demo.yaml
service/myapp created
deployment.apps/myapp-backend-pod created
# 2.查看pod
kubectl get pods
NAME READY STATUS RESTARTS AGE
myapp-backend-pod-58b7f5cf77-2m9b2 1/1 Running 0 32s
myapp-backend-pod-58b7f5cf77-jf7g4 1/1 Running 0 32s
myapp-backend-pod-58b7f5cf77-zvw6r 1/1 Running 0 32s部署nginx service:
cat > service-nodeport.yaml<<EOF
apiVersion: v1
kind: Service
metadata:
name: ingress-nginx
namespace: ingress-nginx
labels:
app: ingress-nginx
spec:
type: NodePort
ports:
- name: http
port: 80
targetPort: 80
protocol: TCP
nodePort: 30080 #通过nodeport 30080转发到pod的80端口
- name: https
port: 443
targetPort: 443
protocol: TCP
nodePort: 30443
selector:
app: ingress-nginx
EOF部署ingress-nginx service:
通过ingress-controller对外提供服务,现在还需要手动给ingress-controller建立一个service,接收集群外部流量。
# 1.创建ingress-controller的service
kubectl apply -f service-nodeport.yaml
service/ingress-nginx created
# 2.查创建情况
kubectl get svc -n ingress-nginx
ingress-nginx NodePort 10.254.18.79 <none> 80:30080/TCP,443:30443/TCP 2m8s浏览器访问ingress-controller的service:
http://192.168.80.45:30080/ --> 页面出现default backend - 404。
cat > ingress-myapp.yaml<<EOF
apiVersion: extensions/v1beta1 #api版本
kind: Ingress #清单类型
metadata: #元数据
name: ingress-myapp #ingress的名称
namespace: default #所属名称空间
annotations: #注解信息
kubernetes.io/ingress.class: "nginx"
spec: #规格
rules: #定义后端转发的规则
- host: tomcat.lucky.com #通过域名进行转发
http:
paths:
- path: #配置访问路径,如果通过url进行转发,需要修改;空默认为访问的路径为"/"
backend: #配置后端服务
serviceName: myapp
servicePort: 80
EOF部署ingress:
# 1.部署
kubectl apply -f ingress-myapp.yaml
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
ingress.extensions/ingress-myapp created
# 2.查看ing描述
kubectl describe ingress ingress-myapp
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
Name: ingress-myapp
Namespace: default
Address:
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
Host Path Backends
---- ---- --------
tomcat.lucky.com
myapp:80 (10.244.58.235:80,10.244.58.236:80,10.244.85.228:80)
Annotations: kubernetes.io/ingress.class: nginx
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 14s nginx-ingress-controller Ingress default/ingress-myapp修改Windows本地C:\Windows\System32\drivers\etc\hosts
192.168.80.45 tomcat.lucky.com
访问页面:tomcat.lucky.com:30080
# 命令行
curl --resolve tomcat.lucky.com:30080:192.168.80.45 http://tomcat.lucky.com:30080
Hello MyApp | Version: v2 | <a href="hostname.html">Pod Name</a>
cat > tomcat-demo.yaml <<EOF
---
apiVersion: v1
kind: Service
metadata:
name: tomcat
namespace: default
spec:
selector:
app: tomcat
release: canary
ports:
- name: http
targetPort: 8080
port: 8080
- name: ajp
targetPort: 8009
port: 8009
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: tomcat-deploy
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: tomcat
release: canary
template:
metadata:
labels:
app: tomcat
release: canary
spec:
containers:
- name: tomcat
image: tomcat:8.5.34-jre8-alpine
ports:
- name: http
containerPort: 8080
name: ajp
containerPort: 8009
EOF部署:
# 启动svc和pod
kubectl apply -f tomcat-demo.yaml
service/tomcat created
deployment.apps/tomcat-deploy created
# 2.查看pod启动
kubectl get svc,pod
service/tomcat ClusterIP 10.254.166.213 <none> 8080/TCP,8009/TCP 115s
pod/tomcat-deploy-66b67fcf7b-6kw5s 1/1 Running 0 115s
pod/tomcat-deploy-66b67fcf7b-bmxkp 1/1 Running 0 115s
pod/tomcat-deploy-66b67fcf7b-cktcc 1/1 Running 0 115scat > ingress-tomcat.yaml<<EOF
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: tomcat
namespace: default
annotations:
kubernetes.io/ingress.class: "nginx"
spec:
rules:
- host: tomcat.lucky6.com #主机域名
http:
paths:
- path:
backend:
serviceName: tomcat
servicePort: 8080
EOF启动:
kubectl apply -f ingress-tomcat.yaml
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
ingress.extensions/tomcat created修改Windows本地文件C:\Windows\System32\drivers\etc\hosts
192.168.80.45 tomcat.lucky6.com
访问:tomcat.lucky6.com:30080
# 命令行
curl --resolve tomcat.lucky6.com:30080:192.168.80.45 http://tomcat.lucky6.com:30080
三、配置https访问
# 1.准备证书,在k8s的master节点操作
mkdir -p /root/ingress/tls && cd /root/ingress/tls
openssl genrsa -out tls.key 2048
openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=tomcat.lucky.com
# 2.生成secret,在k8s的master节点操作
kubectl create secret tls tomcat-ingress-secret --cert=tls.crt --key=tls.key
# 3.查看secret
kubectl get secret | grep tomcat
tomcat-ingress-secret kubernetes.io/tls 2 7m48s
# 4.查看tomcat-ingress-secret详细信息
kubectl describe secret tomcat-ingress-secret
Name: tomcat-ingress-secret
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/tls
Data
====
tls.crt: 1310 bytes
tls.key: 1679 bytes
# 5.创建ingress
cat > ingress-tomcat-tls.yaml<<EOF
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-tomcat-tls
namespace: default
annotations:
kubernetes.io/ingress.class: "nginx"
spec:
tls:
- hosts:
- tomcat.lucky.com
secretName: tomcat-ingress-secret
rules:
- host: tomcat.lucky.com
http:
paths:
- path:
backend:
serviceName: tomcat
servicePort: 8080
EOF
# 6.创建ingress
kubectl apply -f ingress-tomcat-tls.yaml
ingress.extensions/ingress-tomcat-tls created访问:https://tomcat.lucky.com:30443,这里30443映射的是service的443端口,文章上面nginx-ingress service可以看到。
注意node节点dns解析,如果没有解析会出现访问不到页面的问题。
echo "nameserver 8.8.8.8" >> /etc/resolv.conf
