Installing and Using NGINX Ingress
I. Installing the NGINX Ingress Controller
1. Install helm
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
helm repo add nginx-stable https://helm.nginx.com/stable
helm repo update
2. Install the Ingress Controller (IC)
# install
kubectl create namespace ingress-nginx
# controller.enableSnippets lets Ingress annotations inject raw NGINX configuration,
# so leave it at its default (false) unless an Ingress you manage actually needs it
helm install my-release nginx-stable/nginx-ingress --set controller.enableSnippets=true --set controller.service.type=NodePort -n ingress-nginx
# check component status
[root@kube-controller-manager ~]# kubectl get all
NAME READY STATUS RESTARTS AGE
pod/my-release-nginx-ingress-controller-54f956cfd7-2lmtj 1/1 Running 0 17h
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 4d22h
service/my-release-nginx-ingress-controller LoadBalancer 10.100.189.0 <pending> 80:31020/TCP,443:32145/TCP 17h
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/my-release-nginx-ingress-controller 1/1 1 1 17h
NAME DESIRED CURRENT READY AGE
replicaset.apps/my-release-nginx-ingress-controller-54f956cfd7 1 1 1 17h
Along the way I hit one error: open /proc/sys/net/ipv4/ip_unprivileged_port_start: no such file or directory: unknown
On inspection it was a Linux kernel issue; upgrading the kernel to 5.4 resolved it.
3. Expose the ingress-nginx service
Because I installed this on virtual machines, check these two settings:
- type: NodePort
- externalTrafficPolicy: Cluster
The second setting decides whether the ingress controller is reachable on every node's IP in the cluster; with Local, only the IP of the node that runs the IC pod can reach it.
Check the service:
[root@kube-controller-manager ~]# kubectl -n ingress-nginx get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
my-release-nginx-ingress-controller NodePort 10.109.66.211 <none> 80:30080/TCP,443:30935/TCP 2d2h
Open http://nodeIP:30080 in a browser; a 404 page should appear, which shows the IC is working.
II. Using Ingress
This section shows how to use an Ingress to proxy a backend service.
1. Create a deployment
kubectl create deployment kubernetes-bootcamp --image=jocatalin/kubernetes-bootcamp:v1
2. Create a service for the deployment
kubectl expose deployment/kubernetes-bootcamp --type="ClusterIP" --port 8080
3. Create the Ingress
bootcamp_ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: kube.local
    http:
      paths:
      - path: /v1/
        pathType: Prefix
        backend:
          service:
            name: kubernetes-bootcamp
            port:
              number: 8080
Create the Ingress:
kubectl apply -f bootcamp_ingress.yaml
Create the hostname mapping
Add this line to the client's hosts file:
192.168.1.190 kube.local
4. Test that the backend service is proxied correctly
Open http://kube.local:30080/v1/ in a browser.
5. Enable HTTPS
- Generate the certificate and private key files
umask 077; openssl genrsa -out kube.local.key
openssl req -new -x509 -key kube.local.key -out kube.local.crt -subj /C=CN/ST=Hunan/L=Changsha/O=IT/CN=kube.local
- Write the certificate into a Secret
kubectl create secret tls kube-local-ingress-secret --cert=kube.local.crt --key=kube.local.key
- Modify the Ingress resource
Add the tls configuration:
spec:
  ingressClassName: nginx
  rules:
  - host: kube.local
    http:
      paths:
      - backend:
          service:
            name: kubernetes-bootcamp
            port:
              number: 8080
        path: /v1/
        pathType: Prefix
  tls:
  - hosts:
    - kube.local
    secretName: kube-local-ingress-secret
http://kube.local:30080/v1/ still works; the TLS endpoint is the 443 NodePort from the service listing above, https://kube.local:30935/v1/ (the browser will warn because the certificate is self-signed).
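The certificate and Secret steps above, as an added example that is not part of the original post: it builds the kube.local certificate with a subjectAltName (browsers check the SAN, not the CN alone), confirms that key and certificate belong together, and renders the kubernetes.io/tls Secret manifest offline so it can be reviewed before applying. It assumes OpenSSL 1.1.1 or newer (for -addext), a base64 binary, and the same subject values as the commands above.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: self-signed cert for kube.local with a
# subjectAltName (browsers require it), key/cert consistency check, and an offline
# kubernetes.io/tls Secret manifest. Assumes OpenSSL >= 1.1.1 (-addext) and base64.
set -eu
HOST="${1:-kube.local}"                 # must equal the host in the Ingress rules/tls
SECRET_NAME="kube-local-ingress-secret"
NAMESPACE="default"                     # the Secret must live in the Ingress namespace
WORKDIR="$(mktemp -d)"
umask 077                               # key, and the manifest embedding it, stay 0600

# 2048-bit RSA key plus a one-year self-signed cert carrying SAN=DNS:$HOST.
gen_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORKDIR/$HOST.key" -out "$WORKDIR/$HOST.crt" \
    -subj "/C=CN/ST=Hunan/L=Changsha/O=IT/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST" 2>/dev/null
}
# Succeeds only if the public key inside the cert matches the private key.
key_matches_cert() {
  [ "$(openssl x509 -in "$WORKDIR/$HOST.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORKDIR/$HOST.key" -pubout)" ]
}
# Succeeds only if $HOST appears as a DNS SAN, which is what the browser verifies.
cert_has_san() {
  openssl x509 -in "$WORKDIR/$HOST.crt" -noout -text | grep -q "DNS:$HOST"
}
# Same result as `kubectl create secret tls ... --dry-run=client -o yaml`, no cluster needed.
render_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $SECRET_NAME
  namespace: $NAMESPACE
type: kubernetes.io/tls
data:
  tls.crt: $(base64 < "$WORKDIR/$HOST.crt" | tr -d '\n')
  tls.key: $(base64 < "$WORKDIR/$HOST.key" | tr -d '\n')
EOF
}
main() {
  gen_cert
  key_matches_cert || { echo "key/cert mismatch" >&2; return 1; }
  cert_has_san     || { echo "no DNS SAN for $HOST" >&2; return 1; }
  render_secret > "$WORKDIR/$SECRET_NAME.yaml"
  echo "Secret manifest written to $WORKDIR/$SECRET_NAME.yaml"
}
main "$@"
```

The written manifest can then be applied with kubectl apply -f in the namespace of the Ingress, replacing the kubectl create secret tls step.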
6. How to drop the port from the hostname
The hostname is currently kube.local:30080 rather than the default port 80, because the default Kubernetes NodePort range is 30000-32767.
We change it to 80-32767.
Edit /etc/kubernetes/manifests/kube-apiserver.yaml
and add one line under --service-cluster-ip-range:
    - --service-cluster-ip-range=10.96.0.0/12
    - --service-node-port-range=80-32767
kube-apiserver is a static pod, so the kubelet restarts it on its own once the manifest is saved. Note that with the lower bound at 80, any NodePort Service in the cluster can now claim a privileged port on every node, so this is a cluster-wide change rather than one scoped to the IC.
Edit the IC's Service and change the nodePort values to 80 and 443:
kubectl -n ingress-nginx edit svc my-release-nginx-ingress-controller
  ports:
  - name: http
    nodePort: 80
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    nodePort: 443
    port: 443
    protocol: TCP
    targetPort: 443