Ingress对外暴露端口

http,https端口

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
    - ks.hongda.com
    secretName: hongda-com-tls-secret
  rules:
  - host: ks.hongda.com
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443

执行：

kubectl apply -f ingress-kubernetes-dashboard.yaml

具体说明

kubernetes.io/ingress.class: "nginx"：Inginx Ingress Controller 根据该注解自动发现 Ingress；
nginx.ingress.kubernetes.io/backend-protocol: Controller 向后端 Service 转发时使用 HTTPS 协议
secretName: kube-dasboard-ssl：https 证书 Secret；
host: ks.hongda.com：对外访问的域名；
serviceName: kubernetes-dashboard：集群对外暴露的 Service 名称；
servicePort: 443：service 监听的端口；

注意：创建的 Ingress 必须要和对外暴露的 Service 在同一命名空间下！

ConfigMap暴露TCP端口

Ingress 不支持TCP 和 UDP 服务，可以通过 Ingress controller 来实现

默认的yaml中已经设置：

...
spec:
   hostNetwork: true # <--
   containers:
   - args:
     - /nginx-ingress-controller
     - --configmap=$(POD_NAMESPACE)/nginx-configuration
     - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
     - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
     - --publish-service=$(POD_NAMESPACE)/ingress-nginx
     - --annotations-prefix=nginx.ingress.kubernetes.io
     env:
...

通过 tcp-services-configmap.yaml 设置映射tcp，通过 udp-services-configmap.yaml 映射udp

tcp-services-configmap.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services
  namespace: ingress-nginx
data:
  2181: "kafka/kafka-zookeeper:2181"
  9092: "kafka/kafka:9092"

udp-services-configmap.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: udp-services
  namespace: ingress-nginx
data:
  53: "kube-system/kube-dns:53"

Ingress服务公开端口

更新Ingress安装文件

controller:
  replicaCount: 1
  hostNetwork: true
  nodeSelector:
    node-role.kubernetes.io/edge: ''
  affinity:
    podAntiAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchExpressions:
            - key: app
              operator: In
              values:
              - nginx-ingress
            - key: component
              operator: In
              values:
              - controller
          topologyKey: kubernetes.io/hostname
  tolerations:
      - key: node-role.kubernetes.io/master
        operator: Exists
        effect: NoSchedule
      - key: node-role.kubernetes.io/master
        operator: Exists
        effect: PreferNoSchedule
defaultBackend:
  nodeSelector:
    node-role.kubernetes.io/edge: ''
  tolerations:
      - key: node-role.kubernetes.io/master
        operator: Exists
        effect: NoSchedule
      - key: node-role.kubernetes.io/master
        operator: Exists
        effect: PreferNoSchedule
# TCP service key:value pairs
tcp:
   2181: "kafka/kafka-zookeeper:2181"
   9092: "kafka/kafka:9092"

底部新增了

# TCP service key:value pairs
tcp:
   2181: "kafka/kafka-zookeeper:2181"
   9092: "kafka/kafka:9092"

更新：

helm upgrade nginx-ingress stable/nginx-ingress \
-f ingress-nginx.yaml

查看：

[root@master home]# netstat -ano |grep 2181
tcp        0      0 0.0.0.0:2181            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp6       0      0 :::2181                 :::*                    LISTEN      off (0.00/0/0)

这样暴露以后就可以直接调用zk,连接地址：