Ingress

11. Ingress

ingress概述

 ingress实现的功能是在应用层对客户端请求的host名称或请求的URL路径把请求转发到指定的service资源的规则，即用于将kubernetes集群外部的请求资源转发之集群内部的service，再被service转发之pod处理客户端的请求

ingress controller

 ingress资源需要指定监听地址，请求的host和URL等配置，然后根据这些规则的匹配机制将客户端请求进行转发，这种能够为ingress配置资源监听并转发流量的组件成为ingress控制器，ingress controller是一个组件，需要单独部署

Ingress 部署的方式有多种，一般情况下需要考虑场景才选择部署方式。以下是笔者摘抄的常见部署方式：
Deployment + LoadBalancer

 如果要把 ingress 部署在公有云，那用这种方式比较合适。用 Deployment 部署 ingress-controller，创建一个 type 为 LoadBalancer 的 service 关联这组 pod。大部分公有云，都会为 LoadBalancer 的 service 自动创建一个负载均衡器，通常还绑定了公网地址。只要把域名解析指向该地址，就实现了集群服务的对外暴露。

Deployment + NodePort

 同样用 deployment 模式部署 ingress-controller，并创建对应的服务，但是 type 为 NodePort。这样，ingress 就会暴露在集群节点 ip 的特定端口上。由于 nodeport 暴露的端口是随机端口，一般会在前面再搭建一套负载均衡器来转发请求。该方式一般用于宿主机是相对固定的环境 ip 地址不变的场景。NodePort 方式暴露 ingress 虽然简单方便，但是 NodePort 多了一层 NAT，在请求量级很大时可能对性能会有一定影响。

DaemonSet + HostNetwork + nodeSelector

 用 DaemonSet 结合 nodeselector 来部署 ingress-controller 到特定的 node 上，然后使用 HostNetwork 直接把该 pod 与宿主机 node 的网络打通，直接使用宿主机的 80/433 端口就能访问服务。这时，ingress-controller 所在的 node 机器就很类似传统架构的边缘节点，比如机房入口的 nginx 服务器。该方式整个请求链路最简单，性能相对 NodePort 模式更好。缺点是由于直接利用宿主机节点的网络和端口，一个 node 只能部署一个 ingress-controller pod。比较适合大并发的生产环境使用。

11.1 Ingrees 部署文件方法一

使用的镜像

 # controller镜像对应地址，所有的node都要docker pull
image: k8s.gcr.io/ingress-nginx/controller:v1.0.0  -> https://hub.docker.com/r/willdockerhub/ingress-nginx-controller
docker pull willdockerhub/ingress-nginx-controller:v1.0.0
    
image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0 -> https://hub.docker.com/r/jettech/kube-webhook-certgen/tags
docker pull jettech/kube-webhook-certgen:v1.0.0

官方的YAML文件

 wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/cloud/deploy.yaml

修改如下

  Deployment修改点
  template:            
    metadata:          
      labels:          
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
    spec:              
      dnsPolicy: ClusterFirstWithHostNet  #既能使用宿主机DNS，又能使用集群DNS  原文line：319
      hostNetwork: true                   #与宿主机共享网络
      nodeName: k8s-master-1              #设置只能在k8s-master-1节点运行
      tolerations:                        #设置能容忍master污点
      - key: node-role.kubernetes.io/master
        operator: Exists
      containers:   
        - name: controller
          image: willdockerhub/ingress-nginx-controller:v1.0.0
          imagePullPolicy: IfNotPresent

最终的文件要不官方文件有时候网络原因下载不下来

 [root@master01 ingress-nginx]# cat deploy.yaml 
 
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
 
---
# Source: ingress-nginx/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
automountServiceAccountToken: true
---
# Source: ingress-nginx/templates/controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
---
# Source: ingress-nginx/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
---
# Source: ingress-nginx/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ''
    resources:
      - configmaps
      - pods
      - secrets
      - endpoints
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - configmaps
    resourceNames:
      - ingress-controller-leader
    verbs:
      - get
      - update
  - apiGroups:
      - ''
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
---
# Source: ingress-nginx/templates/controller-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-service-webhook.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
spec:
  type: ClusterIP
  ports:
    - name: https-webhook
      port: 443
      targetPort: webhook
      appProtocol: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
      appProtocol: http
    - name: https
      port: 443
      protocol: TCP
      targetPort: https
      appProtocol: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/component: controller
  revisionHistoryLimit: 10
  minReadySeconds: 0
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
    spec:
      dnsPolicy: ClusterFirstWithHostNet
      hostNetwork: true 
      nodeName: node01
      containers:
        - name: controller
          image: master01:5000/willdockerhub/ingress-nginx-controller:v1.0.0
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          args:
            - /nginx-ingress-controller
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
            - --election-id=ingress-controller-leader
            - --controller-class=k8s.io/ingress-nginx
            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            runAsUser: 101
            allowPrivilegeEscalation: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
            - name: webhook
              containerPort: 8443
              protocol: TCP
          volumeMounts:
            - name: webhook-cert
              mountPath: /usr/local/certificates/
              readOnly: true
          resources:
            requests:
              cpu: 100m
              memory: 90Mi
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission
---
# Source: ingress-nginx/templates/controller-ingressclass.yaml
# We don't support namespaced ingressClass yet
# So a ClusterRole and a ClusterRoleBinding is required
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: nginx
  namespace: ingress-nginx
spec:
  controller: k8s.io/ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
# before changing this value, check the required kubernetes version
# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  name: ingress-nginx-admission
webhooks:
  - name: validate.nginx.ingress.kubernetes.io
    matchPolicy: Equivalent
    rules:
      - apiGroups:
          - networking.k8s.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions:
      - v1
    clientConfig:
      service:
        namespace: ingress-nginx
        name: ingress-nginx-controller-admission
        path: /networking/v1/ingresses
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
rules:
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - get
      - update
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
rules:
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - get
      - create
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
spec:
  template:
    metadata:
      name: ingress-nginx-admission-create
      labels:
        helm.sh/chart: ingress-nginx-4.0.1
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/version: 1.0.0
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: create
          image: master01:5000/jettech/kube-webhook-certgen:v1.0.0 
          imagePullPolicy: IfNotPresent
          args:
            - create
            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
            - --namespace=$(POD_NAMESPACE)
            - --secret-name=ingress-nginx-admission
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
spec:
  template:
    metadata:
      name: ingress-nginx-admission-patch
      labels:
        helm.sh/chart: ingress-nginx-4.0.1
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/version: 1.0.0
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: patch
          image: master01:5000/jettech/kube-webhook-certgen:v1.0.0 
          imagePullPolicy: IfNotPresent
          args:
            - patch
            - --webhook-name=ingress-nginx-admission
            - --namespace=$(POD_NAMESPACE)
            - --patch-mutating=false
            - --secret-name=ingress-nginx-admission
            - --patch-failure-policy=Fail
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000

11.2 DaemonSet + HostNetwork + nodeSelector 方法二

留意一下镜像

 #直接使用文件
[root@master01 ingress-nginx]# cat ingress.yaml 
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 
---
 
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: tcp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: udp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses/status
    verbs:
      - update
 
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "<election-id>-<ingress-class>"
      # Here: "<ingress-controller-leader>-<nginx>"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get
 
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
 
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
 
---
 
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  #replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
    spec:
      # wait up to five minutes for the drain of connections
      terminationGracePeriodSeconds: 300
      serviceAccountName: nginx-ingress-serviceaccount
      nodeSelector:
        ingress: "true"
      hostNetwork: true
      containers:
        - name: nginx-ingress-controller
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0
          args:
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx
            - --annotations-prefix=nginx.ingress.kubernetes.io
          securityContext:
            allowPrivilegeEscalation: true
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            # www-data -> 101
            runAsUser: 101
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
 
---
 
apiVersion: v1
kind: LimitRange
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  limits:
  - min:
      memory: 90Mi
      cpu: 100m
    type: Container

11.3 Helm 安装 Ingress-nginx 方式三

下载连接参考：

Helm3 下载安装 · Helm (zhaowenyu.com)

 #下载好对应k8s集群的版本
[root@master01 ~]# wget https://get.helm.sh/helm-v3.7.2-linux-amd64.tar.gz
 
[root@master01 ~]# helm  repo add ingress-nginx  https://kubernetes.github.io/ingress-nginx 
"ingress-nginx" has been added to your repositories
[root@master01 ~]# helm repo list
NAME         	URL                                       
ingress-nginx	https://kubernetes.github.io/ingress-nginx
 
#查看一下ingress-nginx的包
[root@master01 ~]# helm search repo ingress-nginx
NAME                       	CHART VERSION	APP VERSION	DESCRIPTION                                       
ingress-nginx/ingress-nginx	4.3.0        	1.4.0      	Ingress controller for Kubernetes using NGINX a...
 
#创建一个临时目录
[root@master01 ~]# helm create helm-test
Creating helm-test
[root@master01 ~]# cd helm-test/
[root@master01 helm-test]# tree .
.
├── charts
├── Chart.yaml
├── templates
│   ├── deployment.yaml
│   ├── _helpers.tpl
│   ├── hpa.yaml
│   ├── ingress.yaml
│   ├── NOTES.txt
│   ├── serviceaccount.yaml
│   ├── service.yaml
│   └── tests
│       └── test-connection.yaml
└── values.yaml
 
3 directories, 10 files
 
 
#这个解析关系放进去
[root@master01 helm-test]# echo '20.205.243.166 github.com ' >> /etc/host
 
#在重新添加-重复可以不用管
[root@master01 helm-test]# helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
 
[root@master01 helm-test]# helm repo list
NAME         	URL                                                                   
ingress-nginx	https://kubernetes.github.io/ingress-nginx                           
repo_name1   	https://aliacs-app-catalog.oss-cn-hangzhou.aliyuncs.com/charts-incubator
aliyun       	https://kubernetes.oss-cn-hangzhou.aliyuncs.com/charts   
 
#更新 
[root@master01 helm-test]# helm repo update
 
#查询镜像
[root@master01 helm-test]# helm search repo ingress-nginx
NAME                           	CHART VERSION	APP VERSION    	DESCRIPTION                                       
ingress-nginx/ingress-nginx    	4.3.0        	1.4.0          	Ingress controller for Kubernetes using NGINX a...
repo_name1/ack-ingress-nginx   	3.23.5       	0.44.0         	For kubernetes version <= 1.20.0. Ingress contr...
repo_name1/ack-ingress-nginx-v1	4.0.16       	v1.2.1-aliyun.1	For kubernetes version >= 1.19.0. Ingress contr...
 
#拉取镜像
[root@master01 helm-test]# helm pull ingress-nginx/ingress-nginx
[root@master01 helm-test]# ll
total 52
drwxr-xr-x 2 root root     6 Nov  6 13:44 charts
-rw-r--r-- 1 root root  1145 Nov  6 13:44 Chart.yaml
-rw-r--r-- 1 root root 42495 Nov  6 13:50 ingress-nginx-4.3.0.tgz
drwxr-xr-x 3 root root   162 Nov  6 13:44 templates
-rw-r--r-- 1 root root  1876 Nov  6 13:44 values.yaml
[root@master01 helm-test]# 
 
#然后解压就可以用了

11.4 Ingress 生产扩容/缩容

DaemonSet 会监听集群因为它是每一个节点都会部署一个DaemonSet
所以扩容的时候把一个节点打上相同的标签即可反而不是扩副本

 [root@master01 ingress-nginx]# kubectl get pods -n ingress-nginx -o wide
NAME                             READY   STATUS    RESTARTS   AGE   IP           NODE     NOMINATED NODE   READINESS GATES
nginx-ingress-controller-qvv4j   1/1     Running   0          10m   10.0.0.152   node01   <none>           <none>
 
#节点node01 已经有ingress=true 在把node02弄上标签
[root@master01 ingress-nginx]# kubectl label nodes node02 ingress=true
node/node02 labeled
[root@master01 ingress-nginx]# kubectl get nodes --show-labels 
....中间省略了太长
 
#自动扩容
[root@master01 ingress-nginx]# kubectl get pods -n ingress-nginx -o wide
NAME                             READY   STATUS    RESTARTS   AGE   IP           NODE     NOMINATED NODE   READINESS GATES
nginx-ingress-controller-q6z64   0/1     Running   0          5s    10.0.0.153   node02   <none>           <none>
nginx-ingress-controller-qvv4j   1/1     Running   0          11m   10.0.0.152   node01   <none>           <none>

缩容

 # 需要注意的是要把你要缩容的pod流量给切走，也就是在ingress上一层负载均衡上面把去缩容的节点IP给关闭即可 要不容易导致服务宕机的情况

11.5 Ingress使用

官方使用文档：Rewrite - NGINX Ingress Controller (kubernetes.github.io)
写ingress规则

 [root@master01 ingress-nginx]# cat ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
  name: example
spec:
#  ingressClassName: nginx
  rules:        #一个Ingress可以配置多个rules
  - host: foo.bar.com  #域名配置，可以不写匹配*  也可以写 *.bar.com
    http:
      paths:    #相当于nginx的location配合，同一个host可以配置多个Path / /abc
      - backend:
          serviceName: nginx-svc
          servicePort: 80

流量流程

 #查看域名规则是否生成
[root@master01 ingress-nginx]# kubectl get ingress
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
NAME      CLASS    HOSTS         ADDRESS   PORTS   AGE
example   <none>   foo.bar.com             80      46h
 
#查看svc名称与端口
[root@master01 ingress-nginx]# kubectl get svc
NAME                 TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)                      AGE
kubernetes           ClusterIP      10.254.0.1      <none>          443/TCP                      3d6h
nginx-externalname   ExternalName   <none>          www.baidu.com   <none>                       2d9h
nginx-svc            NodePort       10.254.172.22   <none>          80:31000/TCP,443:32141/TCP   2d10h
nginx-svc-external   ClusterIP      10.254.29.15    <none>          80/TCP,443/TCP               2d10h
 
#查看ep资源有没有pods的IP加入
[root@master01 ingress-nginx]# kubectl get ep
NAME                 ENDPOINTS                              AGE
kubernetes           10.0.0.151:6443                        3d6h
nginx-svc                                                   2d10h
nginx-svc-external   140.205.220.96:443,140.205.220.96:80   2d9h
 
#查看有没有相同svc标签的pods
[root@master01 ingress-nginx]# kubectl get pods --show-labels 
NAME                     READY   STATUS        RESTARTS   AGE     LABELS
busybox                  0/1     Terminating   8          2d10h   app=busybox
nginx-66bbc9fdc5-fbzkr   1/1     Running       7          2d2h    app=nginx,pod-template-hash=66bbc9fdc5
nginx-66bbc9fdc5-wxwvd   0/1     Terminating   1          2d11h   app=nginx,pod-template-hash=66bbc9fdc5
nginx-66bbc9fdc5-xksz7   1/1     Running       5          2d11h   app=nginx,pod-template-hash=66bbc9fdc5
 
#然后主机做域名劫持 看好pods在那个节点上 这样就能访问成功

参考

 root@k8s-master1:~/4.Ingress-cases# cat 2.1.ingress_single-host.yaml 
#apiVersion: networking.k8s.io/v1beta1
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-web
  namespace: demo
  annotations:
    kubernetes.io/ingress.class: "nginx" ##指定Ingress Controller的类型
    nginx.ingress.kubernetes.io/use-regex: "true" ##指定后面rules定义的path可以使用正则表达式
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600" ##连接超时时间,默认为5s
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600" ##后端服务器回转数据超时时间,默认为60s
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600" ##后端服务器响应超时时间,默认为60s
    nginx.ingress.kubernetes.io/proxy-body-size: "50m" ##客户端上传文件，最大大小，默认为20m
    #nginx.ingress.kubernetes.io/rewrite-target: / ##URL重写
    nginx.ingress.kubernetes.io/app-root: /index.html
 
spec:
  rules:	#路由规则
  - host: www.jiege.com		#客户端访问的host域名
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: magedu-tomcat-app1-service 	#转发至哪个service
            port:
              number: 80		#转发至service的端口号

11.6 Ingress多域名使用

规则

 [root@master01 ingress-nginx]# cat ingress.yaml 
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
  name: example
spec:
#  ingressClassName: nginx
  rules:        #一个Ingress可以配置多个rules
  - host: foo.bar.com  #域名配置，可以不写匹配*  也可以写 *.bar.com
    http:
      paths:    #相当于nginx的location配合，同一个host可以配置多个Path / /abc
      - backend:
          serviceName: nginx-svc
          servicePort: 80 
  - host: foo2.bar.com  #域名配置，可以不写匹配*  也可以写 *.bar.com
    http:
      paths:    #相当于nginx的location配合，同一个host可以配置多个Path / /abc
      - backend:
          serviceName: nginx-svc-external
          servicePort: 80

参考

 root@k8s-master1:~/4.Ingress-cases# cat 2.2.ingress_multi-host.yaml 
#apiVersion: networking.k8s.io/v1beta1
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-web
  namespace: magedu
  annotations:
    kubernetes.io/ingress.class: "nginx" ##指定Ingress Controller的类型
    nginx.ingress.kubernetes.io/use-regex: "true" ##指定后面rules定义的path可以使用正则表达式
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600" ##连接超时时间,默认为5s
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600" ##后端服务器回转数据超时时间,默认为60s
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600" ##后端服务器响应超时时间,默认为60s
    nginx.ingress.kubernetes.io/proxy-body-size: "10m" ##客户端上传文件，最大大小，默认为20m
    #nginx.ingress.kubernetes.io/rewrite-target: / ##URL重写
    nginx.ingress.kubernetes.io/app-root: /index.html
spec:
  rules:
  - host: www.jiege.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: magedu-tomcat-app1-service
            port:
              number: 80
 
 
  - host: mobile.jiege.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: magedu-tomcat-app2-service
            port:
              number: 80

11.7 Ingress域名多url

 root@k8s-master1:~/4.Ingress-cases# cat 3.1.ingress-url.yaml 
#apiVersion: networking.k8s.io/v1beta1
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-web
  namespace: magedu
  annotations:
    kubernetes.io/ingress.class: "nginx" ##指定Ingress Controller的类型
    nginx.ingress.kubernetes.io/use-regex: "true" ##指定后面rules定义的path可以使用正则表达式
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600" ##连接超时时间,默认为5s
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600" ##后端服务器回转数据超时时间,默认为60s
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600" ##后端服务器响应超时时间,默认为60s
    nginx.ingress.kubernetes.io/proxy-body-size: "10m" ##客户端上传文件，最大大小，默认为20m
    #nginx.ingress.kubernetes.io/rewrite-target: / ##URL重写
    nginx.ingress.kubernetes.io/app-root: /index.html
spec:
  rules:
  - host: www.jiege.com
    http:
      paths:
      - pathType: Prefix
        path: "/app1"
        backend:
          service:
            name: magedu-tomcat-app1-service
            port:
              number: 80
 
      - pathType: Prefix
        path: "/app2"
        backend:
          service:
            name: magedu-tomcat-app2-service
            port:
              number: 80

11.8 Ingress配置https

自签域名

 certs# openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3560 -nodes -subj '/CN=www.jiegeca.com'
certs# openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=www.jiege.com'
certs# openssl x509 -req -sha256 -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
 
#证书上传至k8s：  使用第一种即可
kubectl  create secret tls  tls-secret-www     --cert=server.crt     --key=server.key      -n magedu #第一种方法通过文件直接创建
kubectl  create secret tls  tls-secret-mobile  --cert=server2022.crt --key=server2022.key  -n magedu #等于第一个方法，
kubectl  create secret    generic tls-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key -n magedu #第二种方法
 
#检查是否上传成功
kubectl get secrets -n magedu

配置https

 root@k8s-master1:~/4.Ingress-cases# cat 4.1.ingress-https-magedu_single-host.yaml 
#apiVersion: networking.k8s.io/v1beta1
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-web
  namespace: magedu
  annotations:
    kubernetes.io/ingress.class: "nginx" ##指定Ingress Controller的类型
    nginx.ingress.kubernetes.io/ssl-redirect: 'true' #SSL重定向，即将http请求强制重定向至https，等于nginx中的全站https
spec:
  tls:
  - hosts:
    - www.jiege.com
    secretName: tls-secret-www
  rules:
  - host: www.jiege.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: magedu-tomcat-app1-service
            port:
              number: 80

11.9 Ingress配置https多证书

 #多域名：两个域名分别对应两个secret
# openssl req -new -newkey rsa:4096 -keyout mobile.key -out mobile.csr -nodes -subj '/CN=mobile.jiege.com' #域名要和ingress配置文件中对应
# openssl x509 -req -sha256 -days 3650 -in mobile.csr -CA ca.crt -CAkey ca.key -set_serial 01  -out mobile.crt
# kubectl  create secret tls  tls-secret-mobile     --cert=mobile.crt     --key=mobile.key  -n magedu 
root@k8s-master1:~/4.Ingress-cases# cat 4.2.ingress-https-magedu_multi-host.yaml 
#apiVersion: networking.k8s.io/v1beta1
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-web-mobile
  namespace: magedu
  annotations:
    kubernetes.io/ingress.class: "nginx" ##指定Ingress Controller的类型
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
spec:
  tls:
  - hosts:
    - mobile.jiege.com
    secretName: tls-secret-mobile 
  - hosts:
    - www.jiege.com
    secretName: tls-secret-www
  rules:
  - host: www.jiege.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: magedu-tomcat-app1-service
            port:
              number: 80
  - host: mobile.jiege.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: magedu-tomcat-app2-service
            port:
              number: 80

11.10 Ingress证书更新

 1.找到你需要更新的证书也就是secret
2.使用edit在线编辑进去复制里面公钥与私钥
3.使用在线的base64来进行加密，重新加密就重新续了时间
4.把原来的公钥私钥删除换成加密的私钥与公钥！！`切记粘贴过来了内容不要就换行可以通过shift + 6 +4 来判断`
5.更改完保存退出、会立即生效、然后通过证书块过期的时间与刚刚生成的时间对比看一下、应该就换成了刚刚生成的时间

posted @ 2023-01-02 12:01 YIDADA-SRE 阅读(120) 评论(0) 编辑收藏举报

刷新页面返回顶部

登录后才能查看或发表评论，立即登录或者逛逛博客园首页

相关博文：

· nerdctl buildkitd containerd构建容器镜像

· 部署kuboard与使用

· 在k8s（kubernetes）上安装 ingress V1.1.3

· 十四、Kubernetes之Ingress

· kubunetes部署ingress

阅读排行：
· 全程不用写代码，我用AI程序员写了一个飞机大战
· DeepSeek 开源周回顾「GitHub 热点速览」
· MongoDB 8.0这个新功能碉堡了，比商业数据库还牛
· 记一次.NET内存居高不下排查解决与启示
· 白话解读 Dapr 1.15：你的「微服务管家」又秀新绝活了

阅读目录(Content)

此页目录为空

YIDADA-SRE

念两句诗

Ingress

11. Ingress

11.1 Ingrees 部署文件方法一

11.2 DaemonSet + HostNetwork + nodeSelector 方法二

11.3 Helm 安装 Ingress-nginx 方式三

11.4 Ingress 生产扩容/缩容

11.5 Ingress使用

11.6 Ingress多域名使用

11.7 Ingress域名多url

11.8 Ingress配置https

11.9 Ingress配置https多证书

11.10 Ingress证书更新

公告

个人信息

日历

搜索

常用链接

随笔分类

随笔档案

相册

阅读排行榜

评论排行榜

最新评论

	# controller镜像对应地址，所有的node都要docker pull
	image: k8s.gcr.io/ingress-nginx/controller:v1.0.0 -> https://hub.docker.com/r/willdockerhub/ingress-nginx-controller
	docker pull willdockerhub/ingress-nginx-controller:v1.0.0

	image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0 -> https://hub.docker.com/r/jettech/kube-webhook-certgen/tags
	docker pull jettech/kube-webhook-certgen:v1.0.0

	Deployment修改点
	template:
	metadata:
	labels:
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/instance: ingress-nginx
	app.kubernetes.io/component: controller
	spec:
	dnsPolicy: ClusterFirstWithHostNet #既能使用宿主机DNS，又能使用集群DNS 原文line：319
	hostNetwork: true #与宿主机共享网络
	nodeName: k8s-master-1 #设置只能在k8s-master-1节点运行
	tolerations: #设置能容忍master污点
	- key: node-role.kubernetes.io/master
	operator: Exists
	containers:
	- name: controller
	image: willdockerhub/ingress-nginx-controller:v1.0.0
	imagePullPolicy: IfNotPresent

	[root@master01 ingress-nginx]# cat deploy.yaml

	apiVersion: v1
	kind: Namespace
	metadata:
	name: ingress-nginx
	labels:
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/instance: ingress-nginx

	---
	# Source: ingress-nginx/templates/controller-serviceaccount.yaml
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	labels:
	helm.sh/chart: ingress-nginx-4.0.1
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/instance: ingress-nginx
	app.kubernetes.io/version: 1.0.0
	app.kubernetes.io/managed-by: Helm
	app.kubernetes.io/component: controller
	name: ingress-nginx
	namespace: ingress-nginx
	automountServiceAccountToken: true
	---
	# Source: ingress-nginx/templates/controller-configmap.yaml
	apiVersion: v1
	kind: ConfigMap
	metadata:
	labels:
	helm.sh/chart: ingress-nginx-4.0.1
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/instance: ingress-nginx
	app.kubernetes.io/version: 1.0.0
	app.kubernetes.io/managed-by: Helm
	app.kubernetes.io/component: controller
	name: ingress-nginx-controller
	namespace: ingress-nginx
	data:
	---
	# Source: ingress-nginx/templates/clusterrole.yaml
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRole
	metadata:
	labels:
	helm.sh/chart: ingress-nginx-4.0.1
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/instance: ingress-nginx
	app.kubernetes.io/version: 1.0.0
	app.kubernetes.io/managed-by: Helm
	name: ingress-nginx
	rules:
	- apiGroups:
	- ''
	resources:
	- configmaps
	- endpoints
	- nodes
	- pods
	- secrets
	verbs:
	- list
	- watch
	- apiGroups:
	- ''
	resources:
	- nodes
	verbs:
	- get
	- apiGroups:
	- ''
	resources:
	- services
	verbs:
	- get
	- list
	- watch
	- apiGroups:
	- networking.k8s.io
	resources:
	- ingresses
	verbs:
	- get
	- list
	- watch
	- apiGroups:
	- ''
	resources:
	- events
	verbs:
	- create
	- patch
	- apiGroups:
	- networking.k8s.io
	resources:
	- ingresses/status
	verbs:
	- update
	- apiGroups:
	- networking.k8s.io
	resources:
	- ingressclasses
	verbs:
	- get
	- list
	- watch
	---
	# Source: ingress-nginx/templates/clusterrolebinding.yaml
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRoleBinding
	metadata:
	labels:
	helm.sh/chart: ingress-nginx-4.0.1
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/instance: ingress-nginx
	app.kubernetes.io/version: 1.0.0
	app.kubernetes.io/managed-by: Helm
	name: ingress-nginx
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: ingress-nginx
	subjects:
	- kind: ServiceAccount
	name: ingress-nginx
	namespace: ingress-nginx
	---
	# Source: ingress-nginx/templates/controller-role.yaml
	apiVersion: rbac.authorization.k8s.io/v1
	kind: Role
	metadata:
	labels:
	helm.sh/chart: ingress-nginx-4.0.1
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/instance: ingress-nginx
	app.kubernetes.io/version: 1.0.0
	app.kubernetes.io/managed-by: Helm
	app.kubernetes.io/component: controller
	name: ingress-nginx
	namespace: ingress-nginx
	rules:
	- apiGroups:
	- ''
	resources:
	- namespaces
	verbs:
	- get
	- apiGroups:
	- ''
	resources:
	- configmaps
	- pods
	- secrets
	- endpoints
	verbs:
	- get
	- list
	- watch
	- apiGroups:
	- ''
	resources:
	- services
	verbs:
	- get
	- list
	- watch
	- apiGroups:
	- networking.k8s.io
	resources:
	- ingresses
	verbs:
	- get
	- list
	- watch
	- apiGroups:
	- networking.k8s.io
	resources:
	- ingresses/status
	verbs:
	- update
	- apiGroups:
	- networking.k8s.io
	resources:
	- ingressclasses
	verbs:
	- get
	- list
	- watch
	- apiGroups:
	- ''
	resources:
	- configmaps
	resourceNames:
	- ingress-controller-leader
	verbs:
	- get
	- update
	- apiGroups:
	- ''
	resources:
	- configmaps
	verbs:
	- create
	- apiGroups:
	- ''
	resources:
	- events
	verbs:
	- create
	- patch
	---
	# Source: ingress-nginx/templates/controller-rolebinding.yaml
	apiVersion: rbac.authorization.k8s.io/v1
	kind: RoleBinding
	metadata:
	labels:
	helm.sh/chart: ingress-nginx-4.0.1
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/instance: ingress-nginx
	app.kubernetes.io/version: 1.0.0
	app.kubernetes.io/managed-by: Helm
	app.kubernetes.io/component: controller
	name: ingress-nginx
	namespace: ingress-nginx
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: Role
	name: ingress-nginx
	subjects:
	- kind: ServiceAccount
	name: ingress-nginx
	namespace: ingress-nginx
	---
	# Source: ingress-nginx/templates/controller-service-webhook.yaml
	apiVersion: v1
	kind: Service
	metadata:
	labels:
	helm.sh/chart: ingress-nginx-4.0.1
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/instance: ingress-nginx
	app.kubernetes.io/version: 1.0.0
	app.kubernetes.io/managed-by: Helm
	app.kubernetes.io/component: controller
	name: ingress-nginx-controller-admission
	namespace: ingress-nginx
	spec:
	type: ClusterIP
	ports:
	- name: https-webhook
	port: 443
	targetPort: webhook
	appProtocol: https
	selector:
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/instance: ingress-nginx
	app.kubernetes.io/component: controller
	---
	# Source: ingress-nginx/templates/controller-service.yaml
	apiVersion: v1
	kind: Service
	metadata:
	annotations:
	labels:
	helm.sh/chart: ingress-nginx-4.0.1
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/instance: ingress-nginx
	app.kubernetes.io/version: 1.0.0
	app.kubernetes.io/managed-by: Helm
	app.kubernetes.io/component: controller
	name: ingress-nginx-controller
	namespace: ingress-nginx
	spec:
	type: LoadBalancer
	externalTrafficPolicy: Local
	ports:
	- name: http
	port: 80
	protocol: TCP
	targetPort: http
	appProtocol: http
	- name: https
	port: 443
	protocol: TCP
	targetPort: https
	appProtocol: https
	selector:
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/instance: ingress-nginx
	app.kubernetes.io/component: controller
	---
	# Source: ingress-nginx/templates/controller-deployment.yaml
	apiVersion: apps/v1
	kind: Deployment
	metadata:
	labels:
	helm.sh/chart: ingress-nginx-4.0.1
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/instance: ingress-nginx
	app.kubernetes.io/version: 1.0.0
	app.kubernetes.io/managed-by: Helm
	app.kubernetes.io/component: controller
	name: ingress-nginx-controller
	namespace: ingress-nginx
	spec:
	selector:
	matchLabels:
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/instance: ingress-nginx
	app.kubernetes.io/component: controller
	revisionHistoryLimit: 10
	minReadySeconds: 0
	template:
	metadata:
	labels:
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/instance: ingress-nginx
	app.kubernetes.io/component: controller
	spec:
	dnsPolicy: ClusterFirstWithHostNet
	hostNetwork: true
	nodeName: node01
	containers:
	- name: controller
	image: master01:5000/willdockerhub/ingress-nginx-controller:v1.0.0
	imagePullPolicy: IfNotPresent
	lifecycle:
	preStop:
	exec:
	command:
	- /wait-shutdown
	args:
	- /nginx-ingress-controller
	- --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
	- --election-id=ingress-controller-leader
	- --controller-class=k8s.io/ingress-nginx
	- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
	- --validating-webhook=:8443
	- --validating-webhook-certificate=/usr/local/certificates/cert
	- --validating-webhook-key=/usr/local/certificates/key
	securityContext:
	capabilities:
	drop:
	- ALL
	add:
	- NET_BIND_SERVICE
	runAsUser: 101
	allowPrivilegeEscalation: true
	env:
	- name: POD_NAME
	valueFrom:
	fieldRef:
	fieldPath: metadata.name
	- name: POD_NAMESPACE
	valueFrom:
	fieldRef:
	fieldPath: metadata.namespace
	- name: LD_PRELOAD
	value: /usr/local/lib/libmimalloc.so
	livenessProbe:
	failureThreshold: 5
	httpGet:
	path: /healthz
	port: 10254
	scheme: HTTP
	initialDelaySeconds: 10
	periodSeconds: 10
	successThreshold: 1
	timeoutSeconds: 1
	readinessProbe:
	failureThreshold: 3
	httpGet:
	path: /healthz
	port: 10254
	scheme: HTTP
	initialDelaySeconds: 10
	periodSeconds: 10
	successThreshold: 1
	timeoutSeconds: 1
	ports:
	- name: http
	containerPort: 80
	protocol: TCP
	- name: https
	containerPort: 443
	protocol: TCP
	- name: webhook
	containerPort: 8443
	protocol: TCP
	volumeMounts:
	- name: webhook-cert
	mountPath: /usr/local/certificates/
	readOnly: true
	resources:
	requests:
	cpu: 100m
	memory: 90Mi
	nodeSelector:
	kubernetes.io/os: linux
	serviceAccountName: ingress-nginx
	terminationGracePeriodSeconds: 300
	volumes:
	- name: webhook-cert
	secret:
	secretName: ingress-nginx-admission
	---
	# Source: ingress-nginx/templates/controller-ingressclass.yaml
	# We don't support namespaced ingressClass yet
	# So a ClusterRole and a ClusterRoleBinding is required
	apiVersion: networking.k8s.io/v1
	kind: IngressClass
	metadata:
	labels:
	helm.sh/chart: ingress-nginx-4.0.1
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/instance: ingress-nginx
	app.kubernetes.io/version: 1.0.0
	app.kubernetes.io/managed-by: Helm
	app.kubernetes.io/component: controller
	name: nginx
	namespace: ingress-nginx
	spec:
	controller: k8s.io/ingress-nginx
	---
	# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
	# before changing this value, check the required kubernetes version
	# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
	apiVersion: admissionregistration.k8s.io/v1
	kind: ValidatingWebhookConfiguration
	metadata:
	labels:
	helm.sh/chart: ingress-nginx-4.0.1
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/instance: ingress-nginx
	app.kubernetes.io/version: 1.0.0
	app.kubernetes.io/managed-by: Helm
	app.kubernetes.io/component: admission-webhook
	name: ingress-nginx-admission
	webhooks:
	- name: validate.nginx.ingress.kubernetes.io
	matchPolicy: Equivalent
	rules:
	- apiGroups:
	- networking.k8s.io
	apiVersions:
	- v1
	operations:
	- CREATE
	- UPDATE
	resources:
	- ingresses
	failurePolicy: Fail
	sideEffects: None
	admissionReviewVersions:
	- v1
	clientConfig:
	service:
	namespace: ingress-nginx
	name: ingress-nginx-controller-admission
	path: /networking/v1/ingresses
	---
	# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: ingress-nginx-admission
	namespace: ingress-nginx
	annotations:
	helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
	helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
	labels:
	helm.sh/chart: ingress-nginx-4.0.1
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/instance: ingress-nginx
	app.kubernetes.io/version: 1.0.0
	app.kubernetes.io/managed-by: Helm
	app.kubernetes.io/component: admission-webhook
	---
	# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRole
	metadata:
	name: ingress-nginx-admission
	annotations:
	helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
	helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
	labels:
	helm.sh/chart: ingress-nginx-4.0.1
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/instance: ingress-nginx
	app.kubernetes.io/version: 1.0.0
	app.kubernetes.io/managed-by: Helm
	app.kubernetes.io/component: admission-webhook
	rules:
	- apiGroups:
	- admissionregistration.k8s.io
	resources:
	- validatingwebhookconfigurations
	verbs:
	- get
	- update
	---
	# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRoleBinding
	metadata:
	name: ingress-nginx-admission
	annotations:
	helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
	helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
	labels:
	helm.sh/chart: ingress-nginx-4.0.1
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/instance: ingress-nginx
	app.kubernetes.io/version: 1.0.0
	app.kubernetes.io/managed-by: Helm
	app.kubernetes.io/component: admission-webhook
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: ingress-nginx-admission
	subjects:
	- kind: ServiceAccount
	name: ingress-nginx-admission
	namespace: ingress-nginx
	---
	# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
	apiVersion: rbac.authorization.k8s.io/v1
	kind: Role
	metadata:
	name: ingress-nginx-admission
	namespace: ingress-nginx
	annotations:
	helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
	helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
	labels:
	helm.sh/chart: ingress-nginx-4.0.1
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/instance: ingress-nginx
	app.kubernetes.io/version: 1.0.0
	app.kubernetes.io/managed-by: Helm
	app.kubernetes.io/component: admission-webhook
	rules:
	- apiGroups:
	- ''
	resources:
	- secrets
	verbs:
	- get
	- create
	---
	# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
	apiVersion: rbac.authorization.k8s.io/v1
	kind: RoleBinding
	metadata:
	name: ingress-nginx-admission
	namespace: ingress-nginx
	annotations:
	helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
	helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
	labels:
	helm.sh/chart: ingress-nginx-4.0.1
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/instance: ingress-nginx
	app.kubernetes.io/version: 1.0.0
	app.kubernetes.io/managed-by: Helm
	app.kubernetes.io/component: admission-webhook
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: Role
	name: ingress-nginx-admission
	subjects:
	- kind: ServiceAccount
	name: ingress-nginx-admission
	namespace: ingress-nginx
	---
	# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
	apiVersion: batch/v1
	kind: Job
	metadata:
	name: ingress-nginx-admission-create
	namespace: ingress-nginx
	annotations:
	helm.sh/hook: pre-install,pre-upgrade
	helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
	labels:
	helm.sh/chart: ingress-nginx-4.0.1
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/instance: ingress-nginx
	app.kubernetes.io/version: 1.0.0
	app.kubernetes.io/managed-by: Helm
	app.kubernetes.io/component: admission-webhook
	spec:
	template:
	metadata:
	name: ingress-nginx-admission-create
	labels:
	helm.sh/chart: ingress-nginx-4.0.1
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/instance: ingress-nginx
	app.kubernetes.io/version: 1.0.0
	app.kubernetes.io/managed-by: Helm
	app.kubernetes.io/component: admission-webhook
	spec:
	containers:
	- name: create
	image: master01:5000/jettech/kube-webhook-certgen:v1.0.0
	imagePullPolicy: IfNotPresent
	args:
	- create
	- --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
	- --namespace=$(POD_NAMESPACE)
	- --secret-name=ingress-nginx-admission
	env:
	- name: POD_NAMESPACE
	valueFrom:
	fieldRef:
	fieldPath: metadata.namespace
	restartPolicy: OnFailure
	serviceAccountName: ingress-nginx-admission
	nodeSelector:
	kubernetes.io/os: linux
	securityContext:
	runAsNonRoot: true
	runAsUser: 2000
	---
	# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
	apiVersion: batch/v1
	kind: Job
	metadata:
	name: ingress-nginx-admission-patch
	namespace: ingress-nginx
	annotations:
	helm.sh/hook: post-install,post-upgrade
	helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
	labels:
	helm.sh/chart: ingress-nginx-4.0.1
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/instance: ingress-nginx
	app.kubernetes.io/version: 1.0.0
	app.kubernetes.io/managed-by: Helm
	app.kubernetes.io/component: admission-webhook
	spec:
	template:
	metadata:
	name: ingress-nginx-admission-patch
	labels:
	helm.sh/chart: ingress-nginx-4.0.1
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/instance: ingress-nginx
	app.kubernetes.io/version: 1.0.0
	app.kubernetes.io/managed-by: Helm
	app.kubernetes.io/component: admission-webhook
	spec:
	containers:
	- name: patch
	image: master01:5000/jettech/kube-webhook-certgen:v1.0.0
	imagePullPolicy: IfNotPresent
	args:
	- patch
	- --webhook-name=ingress-nginx-admission
	- --namespace=$(POD_NAMESPACE)
	- --patch-mutating=false
	- --secret-name=ingress-nginx-admission
	- --patch-failure-policy=Fail
	env:
	- name: POD_NAMESPACE
	valueFrom:
	fieldRef:
	fieldPath: metadata.namespace
	restartPolicy: OnFailure
	serviceAccountName: ingress-nginx-admission
	nodeSelector:
	kubernetes.io/os: linux
	securityContext:
	runAsNonRoot: true
	runAsUser: 2000

	#直接使用文件
	[root@master01 ingress-nginx]# cat ingress.yaml
	apiVersion: v1
	kind: Namespace
	metadata:
	name: ingress-nginx
	labels:
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/part-of: ingress-nginx

	---

	kind: ConfigMap
	apiVersion: v1
	metadata:
	name: nginx-configuration
	namespace: ingress-nginx
	labels:
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/part-of: ingress-nginx

	---
	kind: ConfigMap
	apiVersion: v1
	metadata:
	name: tcp-services
	namespace: ingress-nginx
	labels:
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/part-of: ingress-nginx

	---
	kind: ConfigMap
	apiVersion: v1
	metadata:
	name: udp-services
	namespace: ingress-nginx
	labels:
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/part-of: ingress-nginx

	---
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: nginx-ingress-serviceaccount
	namespace: ingress-nginx
	labels:
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/part-of: ingress-nginx

	---
	apiVersion: rbac.authorization.k8s.io/v1beta1
	kind: ClusterRole
	metadata:
	name: nginx-ingress-clusterrole
	labels:
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/part-of: ingress-nginx
	rules:
	- apiGroups:
	- ""
	resources:
	- configmaps
	- endpoints
	- nodes
	- pods
	- secrets
	verbs:
	- list
	- watch
	- apiGroups:
	- ""
	resources:
	- nodes
	verbs:
	- get
	- apiGroups:
	- ""
	resources:
	- services
	verbs:
	- get
	- list
	- watch
	- apiGroups:
	- ""
	resources:
	- events
	verbs:
	- create
	- patch
	- apiGroups:
	- "extensions"
	- "networking.k8s.io"
	resources:
	- ingresses
	verbs:
	- get
	- list
	- watch
	- apiGroups:
	- "extensions"
	- "networking.k8s.io"
	resources:
	- ingresses/status
	verbs:
	- update

	---
	apiVersion: rbac.authorization.k8s.io/v1beta1
	kind: Role
	metadata:
	name: nginx-ingress-role
	namespace: ingress-nginx
	labels:
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/part-of: ingress-nginx
	rules:
	- apiGroups:
	- ""
	resources:
	- configmaps
	- pods
	- secrets
	- namespaces
	verbs:
	- get
	- apiGroups:
	- ""
	resources:
	- configmaps
	resourceNames:
	# Defaults to "<election-id>-<ingress-class>"
	# Here: "<ingress-controller-leader>-<nginx>"
	# This has to be adapted if you change either parameter
	# when launching the nginx-ingress-controller.
	- "ingress-controller-leader-nginx"
	verbs:
	- get
	- update
	- apiGroups:
	- ""
	resources:
	- configmaps
	verbs:
	- create
	- apiGroups:
	- ""
	resources:
	- endpoints
	verbs:
	- get

	---
	apiVersion: rbac.authorization.k8s.io/v1beta1
	kind: RoleBinding
	metadata:
	name: nginx-ingress-role-nisa-binding
	namespace: ingress-nginx
	labels:
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/part-of: ingress-nginx
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: Role
	name: nginx-ingress-role
	subjects:
	- kind: ServiceAccount
	name: nginx-ingress-serviceaccount
	namespace: ingress-nginx

	---
	apiVersion: rbac.authorization.k8s.io/v1beta1
	kind: ClusterRoleBinding
	metadata:
	name: nginx-ingress-clusterrole-nisa-binding
	labels:
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/part-of: ingress-nginx
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: nginx-ingress-clusterrole
	subjects:
	- kind: ServiceAccount
	name: nginx-ingress-serviceaccount
	namespace: ingress-nginx

	---

	apiVersion: apps/v1
	kind: DaemonSet
	metadata:
	name: nginx-ingress-controller
	namespace: ingress-nginx
	labels:
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/part-of: ingress-nginx
	spec:
	#replicas: 1
	selector:
	matchLabels:
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/part-of: ingress-nginx
	template:
	metadata:
	labels:
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/part-of: ingress-nginx
	annotations:
	prometheus.io/port: "10254"
	prometheus.io/scrape: "true"
	spec:
	# wait up to five minutes for the drain of connections
	terminationGracePeriodSeconds: 300
	serviceAccountName: nginx-ingress-serviceaccount
	nodeSelector:
	ingress: "true"
	hostNetwork: true
	containers:
	- name: nginx-ingress-controller
	image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0
	args:
	- /nginx-ingress-controller
	- --configmap=$(POD_NAMESPACE)/nginx-configuration
	- --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
	- --udp-services-configmap=$(POD_NAMESPACE)/udp-services
	- --publish-service=$(POD_NAMESPACE)/ingress-nginx
	- --annotations-prefix=nginx.ingress.kubernetes.io
	securityContext:
	allowPrivilegeEscalation: true
	capabilities:
	drop:
	- ALL
	add:
	- NET_BIND_SERVICE
	# www-data -> 101
	runAsUser: 101
	env:
	- name: POD_NAME
	valueFrom:
	fieldRef:
	fieldPath: metadata.name
	- name: POD_NAMESPACE
	valueFrom:
	fieldRef:
	fieldPath: metadata.namespace
	ports:
	- name: http
	containerPort: 80
	protocol: TCP
	- name: https
	containerPort: 443
	protocol: TCP
	livenessProbe:
	failureThreshold: 3
	httpGet:
	path: /healthz
	port: 10254
	scheme: HTTP
	initialDelaySeconds: 10
	periodSeconds: 10
	successThreshold: 1
	timeoutSeconds: 10
	readinessProbe:
	failureThreshold: 3
	httpGet:
	path: /healthz
	port: 10254
	scheme: HTTP
	periodSeconds: 10
	successThreshold: 1
	timeoutSeconds: 10
	lifecycle:
	preStop:
	exec:
	command:
	- /wait-shutdown

	---

	apiVersion: v1
	kind: LimitRange
	metadata:
	name: ingress-nginx
	namespace: ingress-nginx
	labels:
	app.kubernetes.io/name: ingress-nginx
	app.kubernetes.io/part-of: ingress-nginx
	spec:
	limits:
	- min:
	memory: 90Mi
	cpu: 100m
	type: Container

	#下载好对应k8s集群的版本
	[root@master01 ~]# wget https://get.helm.sh/helm-v3.7.2-linux-amd64.tar.gz

	[root@master01 ~]# helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
	"ingress-nginx" has been added to your repositories
	[root@master01 ~]# helm repo list
	NAME URL
	ingress-nginx https://kubernetes.github.io/ingress-nginx

	#查看一下ingress-nginx的包
	[root@master01 ~]# helm search repo ingress-nginx
	NAME CHART VERSION APP VERSION DESCRIPTION
	ingress-nginx/ingress-nginx 4.3.0 1.4.0 Ingress controller for Kubernetes using NGINX a...

	#创建一个临时目录
	[root@master01 ~]# helm create helm-test
	Creating helm-test
	[root@master01 ~]# cd helm-test/
	[root@master01 helm-test]# tree .
	.
	├── charts
	├── Chart.yaml
	├── templates
	│ ├── deployment.yaml
	│ ├── _helpers.tpl
	│ ├── hpa.yaml
	│ ├── ingress.yaml
	│ ├── NOTES.txt
	│ ├── serviceaccount.yaml
	│ ├── service.yaml
	│ └── tests
	│ └── test-connection.yaml
	└── values.yaml

	3 directories, 10 files


	#这个解析关系放进去
	[root@master01 helm-test]# echo '20.205.243.166 github.com ' >> /etc/host

	#在重新添加-重复可以不用管
	[root@master01 helm-test]# helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

	[root@master01 helm-test]# helm repo list
	NAME URL
	ingress-nginx https://kubernetes.github.io/ingress-nginx
	repo_name1 https://aliacs-app-catalog.oss-cn-hangzhou.aliyuncs.com/charts-incubator
	aliyun https://kubernetes.oss-cn-hangzhou.aliyuncs.com/charts

	#更新
	[root@master01 helm-test]# helm repo update

	#查询镜像
	[root@master01 helm-test]# helm search repo ingress-nginx
	NAME CHART VERSION APP VERSION DESCRIPTION
	ingress-nginx/ingress-nginx 4.3.0 1.4.0 Ingress controller for Kubernetes using NGINX a...
	repo_name1/ack-ingress-nginx 3.23.5 0.44.0 For kubernetes version <= 1.20.0. Ingress contr...
	repo_name1/ack-ingress-nginx-v1 4.0.16 v1.2.1-aliyun.1 For kubernetes version >= 1.19.0. Ingress contr...

	#拉取镜像
	[root@master01 helm-test]# helm pull ingress-nginx/ingress-nginx
	[root@master01 helm-test]# ll
	total 52
	drwxr-xr-x 2 root root 6 Nov 6 13:44 charts
	-rw-r--r-- 1 root root 1145 Nov 6 13:44 Chart.yaml
	-rw-r--r-- 1 root root 42495 Nov 6 13:50 ingress-nginx-4.3.0.tgz
	drwxr-xr-x 3 root root 162 Nov 6 13:44 templates
	-rw-r--r-- 1 root root 1876 Nov 6 13:44 values.yaml
	[root@master01 helm-test]#

	#然后解压就可以用了

	[root@master01 ingress-nginx]# kubectl get pods -n ingress-nginx -o wide
	NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
	nginx-ingress-controller-qvv4j 1/1 Running 0 10m 10.0.0.152 node01 <none> <none>

	#节点node01 已经有ingress=true 在把node02弄上标签
	[root@master01 ingress-nginx]# kubectl label nodes node02 ingress=true
	node/node02 labeled
	[root@master01 ingress-nginx]# kubectl get nodes --show-labels
	....中间省略了太长

	#自动扩容
	[root@master01 ingress-nginx]# kubectl get pods -n ingress-nginx -o wide
	NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
	nginx-ingress-controller-q6z64 0/1 Running 0 5s 10.0.0.153 node02 <none> <none>
	nginx-ingress-controller-qvv4j 1/1 Running 0 11m 10.0.0.152 node01 <none> <none>

	[root@master01 ingress-nginx]# cat ingress.yaml
	apiVersion: extensions/v1beta1
	kind: Ingress
	metadata:
	annotations:
	nginx.ingress.kubernetes.io/rewrite-target: /$2
	name: example
	spec:
	# ingressClassName: nginx
	rules: #一个Ingress可以配置多个rules
	- host: foo.bar.com #域名配置，可以不写匹配* 也可以写 *.bar.com
	http:
	paths: #相当于nginx的location配合，同一个host可以配置多个Path / /abc
	- backend:
	serviceName: nginx-svc
	servicePort: 80

	#查看域名规则是否生成
	[root@master01 ingress-nginx]# kubectl get ingress
	Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
	NAME CLASS HOSTS ADDRESS PORTS AGE
	example <none> foo.bar.com 80 46h

	#查看svc名称与端口
	[root@master01 ingress-nginx]# kubectl get svc
	NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
	kubernetes ClusterIP 10.254.0.1 <none> 443/TCP 3d6h
	nginx-externalname ExternalName <none> www.baidu.com <none> 2d9h
	nginx-svc NodePort 10.254.172.22 <none> 80:31000/TCP,443:32141/TCP 2d10h
	nginx-svc-external ClusterIP 10.254.29.15 <none> 80/TCP,443/TCP 2d10h

	#查看ep资源有没有pods的IP加入
	[root@master01 ingress-nginx]# kubectl get ep
	NAME ENDPOINTS AGE
	kubernetes 10.0.0.151:6443 3d6h
	nginx-svc 2d10h
	nginx-svc-external 140.205.220.96:443,140.205.220.96:80 2d9h

	#查看有没有相同svc标签的pods
	[root@master01 ingress-nginx]# kubectl get pods --show-labels
	NAME READY STATUS RESTARTS AGE LABELS
	busybox 0/1 Terminating 8 2d10h app=busybox
	nginx-66bbc9fdc5-fbzkr 1/1 Running 7 2d2h app=nginx,pod-template-hash=66bbc9fdc5
	nginx-66bbc9fdc5-wxwvd 0/1 Terminating 1 2d11h app=nginx,pod-template-hash=66bbc9fdc5
	nginx-66bbc9fdc5-xksz7 1/1 Running 5 2d11h app=nginx,pod-template-hash=66bbc9fdc5

	#然后主机做域名劫持看好pods在那个节点上这样就能访问成功

	root@k8s-master1:~/4.Ingress-cases# cat 2.1.ingress_single-host.yaml
	#apiVersion: networking.k8s.io/v1beta1
	apiVersion: networking.k8s.io/v1
	kind: Ingress
	metadata:
	name: nginx-web
	namespace: demo
	annotations:
	kubernetes.io/ingress.class: "nginx" ##指定Ingress Controller的类型
	nginx.ingress.kubernetes.io/use-regex: "true" ##指定后面rules定义的path可以使用正则表达式
	nginx.ingress.kubernetes.io/proxy-connect-timeout: "600" ##连接超时时间,默认为5s
	nginx.ingress.kubernetes.io/proxy-send-timeout: "600" ##后端服务器回转数据超时时间,默认为60s
	nginx.ingress.kubernetes.io/proxy-read-timeout: "600" ##后端服务器响应超时时间,默认为60s
	nginx.ingress.kubernetes.io/proxy-body-size: "50m" ##客户端上传文件，最大大小，默认为20m
	#nginx.ingress.kubernetes.io/rewrite-target: / ##URL重写
	nginx.ingress.kubernetes.io/app-root: /index.html

	spec:
	rules: #路由规则
	- host: www.jiege.com #客户端访问的host域名
	http:
	paths:
	- pathType: Prefix
	path: "/"
	backend:
	service:
	name: magedu-tomcat-app1-service #转发至哪个service
	port:
	number: 80 #转发至service的端口号

	certs# openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 3560 -nodes -subj '/CN=www.jiegeca.com'
	certs# openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=www.jiege.com'
	certs# openssl x509 -req -sha256 -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

	#证书上传至k8s：使用第一种即可
	kubectl create secret tls tls-secret-www --cert=server.crt --key=server.key -n magedu #第一种方法通过文件直接创建
	kubectl create secret tls tls-secret-mobile --cert=server2022.crt --key=server2022.key -n magedu #等于第一个方法，
	kubectl create secret generic tls-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key -n magedu #第二种方法

	#检查是否上传成功
	kubectl get secrets -n magedu

	#多域名：两个域名分别对应两个secret
	# openssl req -new -newkey rsa:4096 -keyout mobile.key -out mobile.csr -nodes -subj '/CN=mobile.jiege.com' #域名要和ingress配置文件中对应
	# openssl x509 -req -sha256 -days 3650 -in mobile.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out mobile.crt
	# kubectl create secret tls tls-secret-mobile --cert=mobile.crt --key=mobile.key -n magedu
	root@k8s-master1:~/4.Ingress-cases# cat 4.2.ingress-https-magedu_multi-host.yaml
	#apiVersion: networking.k8s.io/v1beta1
	apiVersion: networking.k8s.io/v1
	kind: Ingress
	metadata:
	name: nginx-web-mobile
	namespace: magedu
	annotations:
	kubernetes.io/ingress.class: "nginx" ##指定Ingress Controller的类型
	nginx.ingress.kubernetes.io/ssl-redirect: 'true'
	spec:
	tls:
	- hosts:
	- mobile.jiege.com
	secretName: tls-secret-mobile
	- hosts:
	- www.jiege.com
	secretName: tls-secret-www
	rules:
	- host: www.jiege.com
	http:
	paths:
	- pathType: Prefix
	path: "/"
	backend:
	service:
	name: magedu-tomcat-app1-service
	port:
	number: 80
	- host: mobile.jiege.com
	http:
	paths:
	- pathType: Prefix
	path: "/"
	backend:
	service:
	name: magedu-tomcat-app2-service
	port:
	number: 80

	1.找到你需要更新的证书也就是secret
	2.使用edit在线编辑进去复制里面公钥与私钥
	3.使用在线的base64来进行加密，重新加密就重新续了时间
	4.把原来的公钥私钥删除换成加密的私钥与公钥！！`切记粘贴过来了内容不要就换行可以通过shift + 6 +4 来判断`
	5.更改完保存退出、会立即生效、然后通过证书块过期的时间与刚刚生成的时间对比看一下、应该就换成了刚刚生成的时间

YIDADA-SRE

念两句诗

Ingress

11. Ingress

11.1 Ingrees 部署文件 方法一

11.2 DaemonSet + HostNetwork + nodeSelector 方法二

11.3 Helm 安装 Ingress-nginx 方式三

11.4 Ingress 生产扩容/缩容

11.5 Ingress使用

11.6 Ingress多域名使用

11.7 Ingress域名多url

11.8 Ingress配置https

11.9 Ingress配置https多证书

11.10 Ingress证书更新

公告

个人信息

日历

搜索

常用链接

随笔分类

随笔档案

相册

阅读排行榜

评论排行榜

最新评论

11.1 Ingrees 部署文件方法一