
K8s: The Ingress Object, Creating an Ingress Controller, and Creating an Ingress Resource to Expose a Service


The Ingress Object


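1) Overview

  • Ingress is an API object that manages external access to the services in a cluster; the typical access method is HTTP
  • ingress-nginx is essentially a gateway: when you request abc.com/service/a, the Ingress forwards the request to the corresponding address, and underneath it runs an nginx
  • Why doesn't K8s simply use nginx directly? Because K8s also needs to bring the forwarding (routing) rules under its own configuration management
  • The rules become Ingress objects, which is why the Ingress resource type exists. Ingress exposes HTTP and HTTPS routes from outside the cluster to services inside the cluster
  • Traffic routing is controlled by the rules defined on the Ingress resource
  • So it works much like Nginx: it can forward requests to different Services based on domain name and path
  • Ingress gives external access to the cluster a single entry point, avoids exposing cluster ports externally, and can also be configured for HTTPS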

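2) Example diagram

  • Below is a simple Ingress example that sends all traffic to the same Service
  • The Service layer can already serve external traffic on its own, but
  • when the backend Service carries very high security privileges, connecting directly to the Service layer is very risky
  • From the client, requests are dispatched through the Ingress controller to the Ingress service; Ingress can be understood as a reverse proxy
  • This avoids the risk of connecting directly to the Service layer, so Ingress also acts like a gateway layer; after a request is dispatched to the Service
  • the underlying layer dispatches it to the relevant Pod to reach the corresponding service
  • There are two ways to implement Ingress
    • One is the Ingress Nginx implementation, which is described in the official Nginx documentation
    • The other is the implementation within K8s
  • For a typical production environment, there is a call chain like the one in the diagram above
  • Ingress can be configured to give Services externally reachable URLs, load-balance traffic, terminate SSL/TLS, and provide name-based virtual hosting
  • An Ingress controller is usually responsible for fulfilling the Ingress through a load balancer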

3) Minimal Ingress resource example

  • Define ing-min.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minimal-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - http:   # other routing rules besides http can also be defined
      paths:  # the plural name means several paths can be defined
        - path: /testpath
          pathType: Prefix
          backend:
            service:
              name: test
              port:
                number: 80
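  • With the configuration above, a client can send a request to, for example, xxx.com/testpath
  • The Ingress captures this request and, following the rule, matches it to the backend service
  • The service name is the name of the Service in K8s, and below it is the corresponding port number
  • This forwarding implements HTTP routing rules in much the same way nginx does
  • About Ingress rules: each HTTP rule contains the following information
    • 1) An optional host
      • In this example no host is specified, so the rule applies to all inbound HTTP traffic through the specified IP address
      • If a host is provided (for example, foo.bar.com), the rules apply to that host
    • 2) A list of paths (for example, /testpath)
      • Each path has an associated backend defined by a service name and a service port (serviceName and servicePort; written as service.name and service.port in the example above)
      • Both the host and the path must match the content of the incoming request before the load balancer directs traffic to the referenced Service
    • 3) backend
      • A combination of Service and port names, as described in the Service documentation
      • HTTP (and HTTPS) requests to the Ingress that match the rule's host and path are sent to the listed backend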
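
The host and path matching described above, as an added example that is not part of the original article. It follows the Kubernetes API description of `pathType` (Prefix compares whole `/`-separated segments) and of wildcard hosts (one leading label); the function and class names are hypothetical, and a given controller's nginx configuration may behave differently in corner cases.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PathRule:
    path: str
    path_type: str            # "Exact" or "Prefix"
    service: str
    port: int


@dataclass
class Rule:
    host: Optional[str]       # None: the rule has no host field
    paths: List[PathRule]


def host_matches(rule_host: Optional[str], host_header: str) -> bool:
    """A rule without a host applies to every inbound request."""
    if not rule_host:
        return True
    host = host_header.split(":", 1)[0].lower()   # drop the port (IPv6 literals not handled)
    rule_host = rule_host.lower()
    if rule_host.startswith("*."):
        suffix = rule_host[1:]                    # "*.bar.com" -> ".bar.com"
        label = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label   # the wildcard covers exactly one label
    return host == rule_host


def _segments(path: str) -> List[str]:
    return [s for s in path.split("/") if s]


def path_matches(rule: PathRule, request_path: str) -> bool:
    if rule.path_type == "Exact":
        return request_path == rule.path
    # Prefix: element-wise comparison, so /testpath does not match /testpathfoo.
    want, got = _segments(rule.path), _segments(request_path)
    return got[: len(want)] == want


def route(rules: List[Rule], host_header: str, request_path: str) -> Optional[Tuple[str, int]]:
    """Return (service, port), or None when no rule matches (the controller's 404)."""
    best = None
    for rule in rules:
        if not host_matches(rule.host, host_header):
            continue
        for p in rule.paths:
            if not path_matches(p, request_path):
                continue
            # Longest path wins; on a tie, Exact beats Prefix.
            key = (len(p.path), p.path_type == "Exact")
            if best is None or key > best[0]:
                best = (key, (p.service, p.port))
    return best[1] if best else None


# Constructed from the two Ingress manifests in this article.
MINIMAL = [Rule(None, [PathRule("/testpath", "Prefix", "test", 80)])]
DEMO = [Rule("hello-world.info", [PathRule("/", "Prefix", "web", 8080)])]

if __name__ == "__main__":
    for rules, host, path in [
        (MINIMAL, "xxx.com", "/testpath/sub"),       # no host in the rule: any Host header matches
        (MINIMAL, "xxx.com", "/testpathfoo"),        # not a segment-wise prefix
        (DEMO, "hello-world.info:31686", "/"),       # host matches, port is ignored
        (DEMO, "node1.k8s:31686", "/"),              # wrong host: falls through to 404
    ]:
        print(host, path, "->", route(rules, host, path))
```
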

4) Ingress controller

  • About Ingress controllers

    • For an Ingress resource to work, the cluster must have a running Ingress controller
    • Unlike other types of controllers, Ingress controllers are not started automatically with the cluster
  • Version compatibility

    • From earlier trial and error: deploying different YAML configurations on different K8s versions produces all sorts of different errors,
    • I found the matching version information on the official GitHub repository, as follows
      • https://github.com/kubernetes/ingress-nginx
      • My K8s version is currently 1.22.4, so the highest controller version I can choose is v1.4.0
      • https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.4.0/deploy/static/provider/cloud/deploy.yaml
      • After downloading this file, some changes are needed
      • Note: if the GitHub URL above is unreachable, look for the corresponding version in a mirror on Gitee
  • Installing the Ingress controller

    • Create a file named ing-nginx-ctrl.yaml
    • It differs from the official file above in the following points:
      • In the first Service, under spec

        • Change externalTrafficPolicy: Local to externalTrafficPolicy: Cluster
        • Add a line above that setting: clusterIP: 10.1.211.240
        • Under name: http, add a line: nodePort: 31686
        • Under name: https, add a line: nodePort: 30036
        • Find type: LoadBalancer and change it to type: NodePort
      • Replace the images with generally accessible ones

        • First find image: registry.k8s.io/ingress-nginx/controller:v1.4.0@sha256:34ee929b111ffc7aa426ffd409af44da48e5a0eea1eb2207994d9e0c0882d143
        • Change it to: image: registry.aliyuncs.com/google_containers/nginx-ingress-controller:v1.4.0
        • Then find image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f
        • Change it to: image: registry.aliyuncs.com/google_containers/kube-webhook-certgen:v1.4.0
        • Note: these images can be pulled locally first
          • $ sudo docker pull registry.aliyuncs.com/google_containers/nginx-ingress-controller:v1.4.0
          • $ sudo docker pull registry.aliyuncs.com/google_containers/kube-webhook-certgen:v1.4.0
      • The modified ing-nginx-ctrl.yaml file is as follows

        apiVersion: v1
        kind: Namespace
        metadata:
          labels:
            app.kubernetes.io/instance: ingress-nginx
            app.kubernetes.io/name: ingress-nginx
          name: ingress-nginx
        ---
        apiVersion: v1
        automountServiceAccountToken: true
        kind: ServiceAccount
        metadata:
          labels:
            app.kubernetes.io/component: controller
            app.kubernetes.io/instance: ingress-nginx
            app.kubernetes.io/name: ingress-nginx
            app.kubernetes.io/part-of: ingress-nginx
            app.kubernetes.io/version: 1.4.0
          name: ingress-nginx
          namespace: ingress-nginx
        ---
        apiVersion: v1
        kind: ServiceAccount
        metadata:
          labels:
            app.kubernetes.io/component: admission-webhook
            app.kubernetes.io/instance: ingress-nginx
            app.kubernetes.io/name: ingress-nginx
            app.kubernetes.io/part-of: ingress-nginx
            app.kubernetes.io/version: 1.4.0
          name: ingress-nginx-admission
          namespace: ingress-nginx
        ---
        apiVersion: rbac.authorization.k8s.io/v1
        kind: Role
        metadata:
          labels:
            app.kubernetes.io/component: controller
            app.kubernetes.io/instance: ingress-nginx
            app.kubernetes.io/name: ingress-nginx
            app.kubernetes.io/part-of: ingress-nginx
            app.kubernetes.io/version: 1.4.0
          name: ingress-nginx
          namespace: ingress-nginx
        rules:
        - apiGroups:
          - ""
          resources:
          - namespaces
          verbs:
          - get
        - apiGroups:
          - ""
          resources:
          - configmaps
          - pods
          - secrets
          - endpoints
          verbs:
          - get
          - list
          - watch
        - apiGroups:
          - ""
          resources:
          - services
          verbs:
          - get
          - list
          - watch
        - apiGroups:
          - networking.k8s.io
          resources:
          - ingresses
          verbs:
          - get
          - list
          - watch
        - apiGroups:
          - networking.k8s.io
          resources:
          - ingresses/status
          verbs:
          - update
        - apiGroups:
          - networking.k8s.io
          resources:
          - ingressclasses
          verbs:
          - get
          - list
          - watch
        - apiGroups:
          - ""
          resourceNames:
          - ingress-controller-leader
          resources:
          - configmaps
          verbs:
          - get
          - update
        - apiGroups:
          - ""
          resources:
          - configmaps
          verbs:
          - create
        - apiGroups:
          - coordination.k8s.io
          resourceNames:
          - ingress-controller-leader
          resources:
          - leases
          verbs:
          - get
          - update
        - apiGroups:
          - coordination.k8s.io
          resources:
          - leases
          verbs:
          - create
        - apiGroups:
          - ""
          resources:
          - events
          verbs:
          - create
          - patch
        - apiGroups:
          - discovery.k8s.io
          resources:
          - endpointslices
          verbs:
          - list
          - watch
          - get
        ---
        apiVersion: rbac.authorization.k8s.io/v1
        kind: Role
        metadata:
          labels:
            app.kubernetes.io/component: admission-webhook
            app.kubernetes.io/instance: ingress-nginx
            app.kubernetes.io/name: ingress-nginx
            app.kubernetes.io/part-of: ingress-nginx
            app.kubernetes.io/version: 1.4.0
          name: ingress-nginx-admission
          namespace: ingress-nginx
        rules:
        - apiGroups:
          - ""
          resources:
          - secrets
          verbs:
          - get
          - create
        ---
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRole
        metadata:
          labels:
            app.kubernetes.io/instance: ingress-nginx
            app.kubernetes.io/name: ingress-nginx
            app.kubernetes.io/part-of: ingress-nginx
            app.kubernetes.io/version: 1.4.0
          name: ingress-nginx
        rules:
        - apiGroups:
          - ""
          resources:
          - configmaps
          - endpoints
          - nodes
          - pods
          - secrets
          - namespaces
          verbs:
          - list
          - watch
        - apiGroups:
          - coordination.k8s.io
          resources:
          - leases
          verbs:
          - list
          - watch
        - apiGroups:
          - ""
          resources:
          - nodes
          verbs:
          - get
        - apiGroups:
          - ""
          resources:
          - services
          verbs:
          - get
          - list
          - watch
        - apiGroups:
          - networking.k8s.io
          resources:
          - ingresses
          verbs:
          - get
          - list
          - watch
        - apiGroups:
          - ""
          resources:
          - events
          verbs:
          - create
          - patch
        - apiGroups:
          - networking.k8s.io
          resources:
          - ingresses/status
          verbs:
          - update
        - apiGroups:
          - networking.k8s.io
          resources:
          - ingressclasses
          verbs:
          - get
          - list
          - watch
        - apiGroups:
          - discovery.k8s.io
          resources:
          - endpointslices
          verbs:
          - list
          - watch
          - get
        ---
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRole
        metadata:
          labels:
            app.kubernetes.io/component: admission-webhook
            app.kubernetes.io/instance: ingress-nginx
            app.kubernetes.io/name: ingress-nginx
            app.kubernetes.io/part-of: ingress-nginx
            app.kubernetes.io/version: 1.4.0
          name: ingress-nginx-admission
        rules:
        - apiGroups:
          - admissionregistration.k8s.io
          resources:
          - validatingwebhookconfigurations
          verbs:
          - get
          - update
        ---
        apiVersion: rbac.authorization.k8s.io/v1
        kind: RoleBinding
        metadata:
          labels:
            app.kubernetes.io/component: controller
            app.kubernetes.io/instance: ingress-nginx
            app.kubernetes.io/name: ingress-nginx
            app.kubernetes.io/part-of: ingress-nginx
            app.kubernetes.io/version: 1.4.0
          name: ingress-nginx
          namespace: ingress-nginx
        roleRef:
          apiGroup: rbac.authorization.k8s.io
          kind: Role
          name: ingress-nginx
        subjects:
        - kind: ServiceAccount
          name: ingress-nginx
          namespace: ingress-nginx
        ---
        apiVersion: rbac.authorization.k8s.io/v1
        kind: RoleBinding
        metadata:
          labels:
            app.kubernetes.io/component: admission-webhook
            app.kubernetes.io/instance: ingress-nginx
            app.kubernetes.io/name: ingress-nginx
            app.kubernetes.io/part-of: ingress-nginx
            app.kubernetes.io/version: 1.4.0
          name: ingress-nginx-admission
          namespace: ingress-nginx
        roleRef:
          apiGroup: rbac.authorization.k8s.io
          kind: Role
          name: ingress-nginx-admission
        subjects:
        - kind: ServiceAccount
          name: ingress-nginx-admission
          namespace: ingress-nginx
        ---
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRoleBinding
        metadata:
          labels:
            app.kubernetes.io/instance: ingress-nginx
            app.kubernetes.io/name: ingress-nginx
            app.kubernetes.io/part-of: ingress-nginx
            app.kubernetes.io/version: 1.4.0
          name: ingress-nginx
        roleRef:
          apiGroup: rbac.authorization.k8s.io
          kind: ClusterRole
          name: ingress-nginx
        subjects:
        - kind: ServiceAccount
          name: ingress-nginx
          namespace: ingress-nginx
        ---
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRoleBinding
        metadata:
          labels:
            app.kubernetes.io/component: admission-webhook
            app.kubernetes.io/instance: ingress-nginx
            app.kubernetes.io/name: ingress-nginx
            app.kubernetes.io/part-of: ingress-nginx
            app.kubernetes.io/version: 1.4.0
          name: ingress-nginx-admission
        roleRef:
          apiGroup: rbac.authorization.k8s.io
          kind: ClusterRole
          name: ingress-nginx-admission
        subjects:
        - kind: ServiceAccount
          name: ingress-nginx-admission
          namespace: ingress-nginx
        ---
        apiVersion: v1
        data:
          allow-snippet-annotations: "true"
        kind: ConfigMap
        metadata:
          labels:
            app.kubernetes.io/component: controller
            app.kubernetes.io/instance: ingress-nginx
            app.kubernetes.io/name: ingress-nginx
            app.kubernetes.io/part-of: ingress-nginx
            app.kubernetes.io/version: 1.4.0
          name: ingress-nginx-controller
          namespace: ingress-nginx
        ---
        apiVersion: v1
        kind: Service
        metadata:
          labels:
            app.kubernetes.io/component: controller
            app.kubernetes.io/instance: ingress-nginx
            app.kubernetes.io/name: ingress-nginx
            app.kubernetes.io/part-of: ingress-nginx
            app.kubernetes.io/version: 1.4.0
          name: ingress-nginx-controller
          namespace: ingress-nginx
        spec:
          clusterIP: 10.1.211.240
          externalTrafficPolicy: Cluster
          ipFamilies:
          - IPv4
          ipFamilyPolicy: SingleStack
          ports:
          - appProtocol: http
            name: http
            nodePort: 31686
            port: 80
            protocol: TCP
            targetPort: http
          - appProtocol: https
            name: https
            nodePort: 30036
            port: 443
            protocol: TCP
            targetPort: https
          selector:
            app.kubernetes.io/component: controller
            app.kubernetes.io/instance: ingress-nginx
            app.kubernetes.io/name: ingress-nginx
          type: NodePort
        ---
        apiVersion: v1
        kind: Service
        metadata:
          labels:
            app.kubernetes.io/component: controller
            app.kubernetes.io/instance: ingress-nginx
            app.kubernetes.io/name: ingress-nginx
            app.kubernetes.io/part-of: ingress-nginx
            app.kubernetes.io/version: 1.4.0
          name: ingress-nginx-controller-admission
          namespace: ingress-nginx
        spec:
          ports:
          - appProtocol: https
            name: https-webhook
            port: 443
            targetPort: webhook
          selector:
            app.kubernetes.io/component: controller
            app.kubernetes.io/instance: ingress-nginx
            app.kubernetes.io/name: ingress-nginx
          type: ClusterIP
        ---
        apiVersion: apps/v1
        kind: Deployment
        metadata:
          labels:
            app.kubernetes.io/component: controller
            app.kubernetes.io/instance: ingress-nginx
            app.kubernetes.io/name: ingress-nginx
            app.kubernetes.io/part-of: ingress-nginx
            app.kubernetes.io/version: 1.4.0
          name: ingress-nginx-controller
          namespace: ingress-nginx
        spec:
          minReadySeconds: 0
          revisionHistoryLimit: 10
          selector:
            matchLabels:
              app.kubernetes.io/component: controller
              app.kubernetes.io/instance: ingress-nginx
              app.kubernetes.io/name: ingress-nginx
          template:
            metadata:
              labels:
                app.kubernetes.io/component: controller
                app.kubernetes.io/instance: ingress-nginx
                app.kubernetes.io/name: ingress-nginx
            spec:
              containers:
              - args:
                - /nginx-ingress-controller
                - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
                - --election-id=ingress-controller-leader
                - --controller-class=k8s.io/ingress-nginx
                - --ingress-class=nginx
                - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
                - --validating-webhook=:8443
                - --validating-webhook-certificate=/usr/local/certificates/cert
                - --validating-webhook-key=/usr/local/certificates/key
                env:
                - name: POD_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.name
                - name: POD_NAMESPACE
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.namespace
                - name: LD_PRELOAD
                  value: /usr/local/lib/libmimalloc.so
                image: registry.aliyuncs.com/google_containers/nginx-ingress-controller:v1.4.0
                imagePullPolicy: IfNotPresent
                lifecycle:
                  preStop:
                    exec:
                      command:
                      - /wait-shutdown
                livenessProbe:
                  failureThreshold: 5
                  httpGet:
                    path: /healthz
                    port: 10254
                    scheme: HTTP
                  initialDelaySeconds: 10
                  periodSeconds: 10
                  successThreshold: 1
                  timeoutSeconds: 1
                name: controller
                ports:
                - containerPort: 80
                  name: http
                  protocol: TCP
                - containerPort: 443
                  name: https
                  protocol: TCP
                - containerPort: 8443
                  name: webhook
                  protocol: TCP
                readinessProbe:
                  failureThreshold: 3
                  httpGet:
                    path: /healthz
                    port: 10254
                    scheme: HTTP
                  initialDelaySeconds: 10
                  periodSeconds: 10
                  successThreshold: 1
                  timeoutSeconds: 1
                resources:
                  requests:
                    cpu: 100m
                    memory: 90Mi
                securityContext:
                  allowPrivilegeEscalation: true
                  capabilities:
                    add:
                    - NET_BIND_SERVICE
                    drop:
                    - ALL
                  runAsUser: 101
                volumeMounts:
                - mountPath: /usr/local/certificates/
                  name: webhook-cert
                  readOnly: true
              dnsPolicy: ClusterFirst
              nodeSelector:
                kubernetes.io/os: linux
              serviceAccountName: ingress-nginx
              terminationGracePeriodSeconds: 300
              volumes:
              - name: webhook-cert
                secret:
                  secretName: ingress-nginx-admission
        ---
        apiVersion: batch/v1
        kind: Job
        metadata:
          labels:
            app.kubernetes.io/component: admission-webhook
            app.kubernetes.io/instance: ingress-nginx
            app.kubernetes.io/name: ingress-nginx
            app.kubernetes.io/part-of: ingress-nginx
            app.kubernetes.io/version: 1.4.0
          name: ingress-nginx-admission-create
          namespace: ingress-nginx
        spec:
          template:
            metadata:
              labels:
                app.kubernetes.io/component: admission-webhook
                app.kubernetes.io/instance: ingress-nginx
                app.kubernetes.io/name: ingress-nginx
                app.kubernetes.io/part-of: ingress-nginx
                app.kubernetes.io/version: 1.4.0
              name: ingress-nginx-admission-create
            spec:
              containers:
              - args:
                - create
                - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
                - --namespace=$(POD_NAMESPACE)
                - --secret-name=ingress-nginx-admission
                env:
                - name: POD_NAMESPACE
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.namespace
                image: registry.aliyuncs.com/google_containers/kube-webhook-certgen:v1.4.0
                imagePullPolicy: IfNotPresent
                name: create
                securityContext:
                  allowPrivilegeEscalation: false
              nodeSelector:
                kubernetes.io/os: linux
              restartPolicy: OnFailure
              securityContext:
                fsGroup: 2000
                runAsNonRoot: true
                runAsUser: 2000
              serviceAccountName: ingress-nginx-admission
        ---
        apiVersion: batch/v1
        kind: Job
        metadata:
          labels:
            app.kubernetes.io/component: admission-webhook
            app.kubernetes.io/instance: ingress-nginx
            app.kubernetes.io/name: ingress-nginx
            app.kubernetes.io/part-of: ingress-nginx
            app.kubernetes.io/version: 1.4.0
          name: ingress-nginx-admission-patch
          namespace: ingress-nginx
        spec:
          template:
            metadata:
              labels:
                app.kubernetes.io/component: admission-webhook
                app.kubernetes.io/instance: ingress-nginx
                app.kubernetes.io/name: ingress-nginx
                app.kubernetes.io/part-of: ingress-nginx
                app.kubernetes.io/version: 1.4.0
              name: ingress-nginx-admission-patch
            spec:
              containers:
              - args:
                - patch
                - --webhook-name=ingress-nginx-admission
                - --namespace=$(POD_NAMESPACE)
                - --patch-mutating=false
                - --secret-name=ingress-nginx-admission
                - --patch-failure-policy=Fail
                env:
                - name: POD_NAMESPACE
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.namespace
                image: registry.aliyuncs.com/google_containers/kube-webhook-certgen:v1.4.0
                imagePullPolicy: IfNotPresent
                name: patch
                securityContext:
                  allowPrivilegeEscalation: false
              nodeSelector:
                kubernetes.io/os: linux
              restartPolicy: OnFailure
              securityContext:
                fsGroup: 2000
                runAsNonRoot: true
                runAsUser: 2000
              serviceAccountName: ingress-nginx-admission
        ---
        apiVersion: networking.k8s.io/v1
        kind: IngressClass
        metadata:
          labels:
            app.kubernetes.io/component: controller
            app.kubernetes.io/instance: ingress-nginx
            app.kubernetes.io/name: ingress-nginx
            app.kubernetes.io/part-of: ingress-nginx
            app.kubernetes.io/version: 1.4.0
          name: nginx
        spec:
          controller: k8s.io/ingress-nginx
        ---
        apiVersion: admissionregistration.k8s.io/v1
        kind: ValidatingWebhookConfiguration
        metadata:
          labels:
            app.kubernetes.io/component: admission-webhook
            app.kubernetes.io/instance: ingress-nginx
            app.kubernetes.io/name: ingress-nginx
            app.kubernetes.io/part-of: ingress-nginx
            app.kubernetes.io/version: 1.4.0
          name: ingress-nginx-admission
        webhooks:
        - admissionReviewVersions:
          - v1
          clientConfig:
            service:
              name: ingress-nginx-controller-admission
              namespace: ingress-nginx
              path: /networking/v1/ingresses
          failurePolicy: Fail
          matchPolicy: Equivalent
          name: validate.nginx.ingress.kubernetes.io
          rules:
          - apiGroups:
            - networking.k8s.io
            apiVersions:
            - v1
            operations:
            - CREATE
            - UPDATE
            resources:
            - ingresses
          sideEffects: None
        
      • Put simply, the ingress controller creates a set of pods in the system

      • In essence it is a set of pods running on the K8s servers, and these pods take over

      • requests coming from outside to the K8s worker nodes, so it is a component similar to nginx

      • $ kubectl apply -f ing-nginx-ctrl.yaml

        namespace/ingress-nginx created
        serviceaccount/ingress-nginx created
        serviceaccount/ingress-nginx-admission created
        role.rbac.authorization.k8s.io/ingress-nginx created
        role.rbac.authorization.k8s.io/ingress-nginx-admission created
        clusterrole.rbac.authorization.k8s.io/ingress-nginx created
        clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission created
        rolebinding.rbac.authorization.k8s.io/ingress-nginx created
        rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
        clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx created
        clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
        configmap/ingress-nginx-controller created
        service/ingress-nginx-controller created
        service/ingress-nginx-controller-admission created
        deployment.apps/ingress-nginx-controller created
        job.batch/ingress-nginx-admission-create created
        job.batch/ingress-nginx-admission-patch created
        ingressclass.networking.k8s.io/nginx created
        validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission created
        
      • $ kubectl get all -n ingress-nginx  # view everything in the namespace

        NAME                                            READY   STATUS      RESTARTS   AGE
        pod/ingress-nginx-admission-create--1-8nbrv     0/1     Completed   0          65s
        pod/ingress-nginx-admission-patch--1-2q9x9      0/1     Completed   3          65s
        pod/ingress-nginx-controller-6747799754-v2vhq   1/1     Running     0          65s
        
        NAME                                         TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
        service/ingress-nginx-controller             NodePort    10.1.211.240   <none>        80:31686/TCP,443:30036/TCP   65s
        service/ingress-nginx-controller-admission   ClusterIP   10.1.195.73    <none>        443/TCP                      65s
        
        NAME                                       READY   UP-TO-DATE   AVAILABLE   AGE
        deployment.apps/ingress-nginx-controller   1/1     1            1           65s
        
        NAME                                                  DESIRED   CURRENT   READY   AGE
        replicaset.apps/ingress-nginx-controller-6747799754   1         1         1       65s
        
        NAME                                       COMPLETIONS   DURATION   AGE
        job.batch/ingress-nginx-admission-create   1/1           21s        65s
        job.batch/ingress-nginx-admission-patch    1/1           44s        65s
        
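        • Here, the three pods in the ingress-nginx namespace have come up successfully
        • The two pods with status Completed belong to Job resources; Completed means the job ran successfully
        • The pod with status Running is the controller
      • Once this component is running on the K8s platform, you can check the deployed version by pasting the following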

        • $ POD_NAMESPACE=ingress-nginx
        • $ POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/name=ingress-nginx --field-selector=status.phase=Running -o jsonpath='{.items[0].metadata.name}')
        • $ kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version
          -------------------------------------------------------------------------------
          NGINX Ingress controller
            Release:       v1.4.0
            Build:         50be2bf95fd1ef480420e2aa1d6c5c7c138c95ea
            Repository:    https://github.com/kubernetes/ingress-nginx
            nginx version: nginx/1.19.10
          
          -------------------------------------------------------------------------------
          
      • $ kubectl get svc -n ingress-nginx  # view the available Services

        NAME                                 TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
        ingress-nginx-controller             NodePort    10.1.211.240   <none>        80:31686/TCP,443:30036/TCP   9m49s
        ingress-nginx-controller-admission   ClusterIP   10.1.195.73    <none>        443/TCP                      9m49s
        
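      • At this point the service is up; let's verify it

        • $ curl node1.k8s:31686 or $ curl node2.k8s:31686
        • Note: node1.k8s and node2.k8s are available worker nodes; this only works because hosts entries are configured locally
        • If the result looks like the following, the service is reachable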
          <html>
          <head><title>404 Not Found</title></head>
          <body>
          <center><h1>404 Not Found</h1></center>
          <hr><center>nginx</center>
          </body>
          </html>
          
      • In summary, the ingress controller is now set up
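
A review pass over the modified controller manifest, as an added example that is not part of the original article or of the ingress-nginx project. It flags the settings in ing-nginx-ctrl.yaml that a security review would look at: images referenced by tag only after the registry swap, snippet annotations enabled in the ConfigMap, `allowPrivilegeEscalation: true`, and the NodePort Service. The rule names are hypothetical, and the scan is line-based so that it runs without a YAML library.

```python
import re
import textwrap

# Constructed sample: three objects as they appear in the modified manifest above,
# plus one Job that keeps the upstream digest-pinned image line for contrast.
SAMPLE = """\
apiVersion: v1
data:
  allow-snippet-annotations: "true"
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
---
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
spec:
  externalTrafficPolicy: Cluster
  ports:
  - name: http
    nodePort: 31686
    port: 80
  type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-nginx-controller
spec:
  template:
    spec:
      containers:
      - image: registry.aliyuncs.com/google_containers/nginx-ingress-controller:v1.4.0
        name: controller
        securityContext:
          allowPrivilegeEscalation: true
---
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-create
spec:
  template:
    spec:
      containers:
      - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f
        name: create
        securityContext:
          allowPrivilegeEscalation: false
"""


def audit(manifest: str):
    """Return (object, rule, detail) tuples for settings that deserve a review."""
    findings = []
    for doc in re.split(r"(?m)^[ \t]*---[ \t]*$", manifest):
        doc = textwrap.dedent(doc)                 # tolerate a manifest pasted with indentation
        kind = re.search(r"(?m)^kind:\s*(\S+)", doc)
        if not kind:
            continue
        name = re.search(r"(?m)^  name:\s*(\S+)", doc)   # first match is metadata.name
        obj = f"{kind.group(1)}/{name.group(1) if name else '?'}"

        # A tag can be re-pointed at different content; a sha256 digest cannot.
        for image in re.findall(r"(?m)^\s*(?:-\s+)?image:\s*(\S+)", doc):
            if "@sha256:" not in image:
                findings.append((obj, "image-not-pinned", image))

        # Snippet annotations let any Ingress author add raw nginx configuration.
        if kind.group(1) == "ConfigMap" and re.search(
            r'(?m)^\s*allow-snippet-annotations:\s*"?true"?\s*$', doc
        ):
            findings.append((obj, "snippet-annotations-enabled", 'allow-snippet-annotations: "true"'))

        # Flag for review: the container may gain more privileges than its parent process.
        if re.search(r"(?m)^\s*allowPrivilegeEscalation:\s*true\s*$", doc):
            findings.append((obj, "privilege-escalation-allowed", "allowPrivilegeEscalation: true"))

        # A NodePort Service listens on every node; confirm firewalling matches the intent.
        if kind.group(1) == "Service" and re.search(r"(?m)^  type:\s*NodePort\s*$", doc):
            ports = ",".join(re.findall(r"nodePort:\s*(\d+)", doc))
            findings.append((obj, "nodeport-exposed", ports))
    return findings


if __name__ == "__main__":
    for obj, rule, detail in audit(SAMPLE):
        print(f"{obj:40} {rule:30} {detail}")
```

To check the real file, pass its contents instead of the sample: `audit(open("ing-nginx-ctrl.yaml").read())`.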

5) Creating an Ingress resource on top of the ingress controller and exposing a service externally

  • Before creating the Ingress resource, deploy the backend application first; this is the simplest possible example
    • $ kubectl create deployment web --image=registry.cn-beijing.aliyuncs.com/qingfeng666/hello-app:1.0  # maintain one pod through a Deployment
      deployment.apps/web created
      
    • $ kubectl get po -w  # watch the pod status and wait for Running
      NAME                   READY   STATUS    RESTARTS   AGE
      web-6db77f5fdb-qkk6n   1/1     Running   0          7s
      
    • $ kubectl expose deployment web --type=NodePort --port=8080  # expose the Deployment as a Service
      service/web exposed
      
    • $ kubectl get svc  # list the current Services
      NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)          AGE
      kubernetes   ClusterIP   10.1.0.1     <none>        443/TCP          5d8h
      web          NodePort    10.1.47.34   <none>        8080:32041/TCP   8s
      
    • $ curl node1.k8s:32041 or $ curl node2.k8s:32041
       Hello, world!
       Version: 1.0.0
       Hostname: web-6db77f5fdb-65wfv
      
      • As you can see, our service is up and running inside the cluster
    • The pod and the Service are now ready, so the Ingress resource can be created
    • $ vi ing-demo.yaml
      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        name: ingress-nginx
        annotations:
          nginx.ingress.kubernetes.io/rewrite-target: /
      spec:
         ingressClassName: nginx
         rules:
         - host: hello-world.info
           http:
             paths:
             - path: /
               pathType: Prefix
               backend:
                 service:
                   name: web
                   port:
                     number: 8080
      
    • $ kubectl apply -f ing-demo.yaml  # create the Ingress resource
      ingress.networking.k8s.io/ingress-nginx created
      
    • $ kubectl get ing  # view the ingress resource
      NAME            CLASS   HOSTS              ADDRESS        PORTS   AGE
      ingress-nginx   nginx   hello-world.info   10.1.211.240   80      2m13s
      
    • $ sudo vi /etc/hosts  # add one line mapping the domain name to this IP
      10.1.211.240  hello-world.info
      
    • $ curl hello-world.info  # access the domain name; the request goes through
      Hello, world!
      Version: 1.0.0
      Hostname: web-6db77f5fdb-65wfv
      
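    • This completes the exposure outside the cluster, but name resolution still has to be set up, either on the client machine or for the cloud server; here we choose the former
      • For example, to connect to the hello-world service from my Mac; the prerequisite is that the Mac and the CentOS machines can reach each other
      • On the Mac, add a hosts entry for one of the CentOS worker nodes: $ sudo vi /etc/hosts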
        10.211.55.11  hello-world.info
        
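      • Here 10.211.55.11 is the IP of the worker node
    • In the browser on my Mac, open: http://hello-world.info:31686
      • Accessing it this way is inconvenient: the port in http://hello-world.info:31686 is a nuisance
      • It can be changed to port 80 so that the service is reachable at http://hello-world.info; this is not demonstrated here, see the references below
      • Reference: https://blog.csdn.net/qq_32060101/article/details/135691179
        • Modifying the k8s NodePort to support port 80
      • Reference: https://blog.csdn.net/qq_32060101/article/details/135691441
        • Changing the ingress controller NodePort to port 80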
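
The walkthrough leaves the `web` Service as type NodePort and defines no `spec.tls`, so the backend stays reachable on port 32041 of every node alongside the Ingress route. The audit below is an added example, not code from the original article; the `audit` and `tls_covers` helpers are hypothetical names, and the JSON is a constructed sample shaped like `kubectl get ingress,service -o json` output.

```python
import json

# Constructed sample in the shape of `kubectl get ingress,service -o json`,
# trimmed to the fields the audit reads; names mirror the walkthrough above.
SAMPLE = json.loads("""
{"items": [
  {"kind": "Service", "metadata": {"name": "web", "namespace": "default"},
   "spec": {"type": "NodePort", "ports": [{"port": 8080, "nodePort": 32041}]}},
  {"kind": "Ingress", "metadata": {"name": "ingress-nginx", "namespace": "default"},
   "spec": {"ingressClassName": "nginx", "rules": [
     {"host": "hello-world.info", "http": {"paths": [
       {"path": "/", "pathType": "Prefix",
        "backend": {"service": {"name": "web", "port": {"number": 8080}}}}]}}]}}
]}
""")

def tls_covers(host, tls_hosts):
    """Exact match, or a single-label wildcard such as *.example.com."""
    parent = host.split(".", 1)[1] if "." in host else ""
    return host in tls_hosts or f"*.{parent}" in tls_hosts

def audit(doc):
    """Return sorted (ingress_name, finding) tuples (hypothetical helper)."""
    services = {(s["metadata"].get("namespace", "default"), s["metadata"]["name"]): s
                for s in doc["items"] if s["kind"] == "Service"}
    findings = set()
    for ing in (i for i in doc["items"] if i["kind"] == "Ingress"):
        ns = ing["metadata"].get("namespace", "default")
        name, spec = ing["metadata"]["name"], ing.get("spec", {})
        tls_hosts = {h for t in spec.get("tls", []) for h in t.get("hosts", [])}
        for rule in spec.get("rules", []):
            host = rule.get("host")
            if not host:
                findings.add((name, "rule has no host, so it matches any Host header"))
            elif not tls_covers(host, tls_hosts):
                findings.add((name, f"no spec.tls entry covers {host}"))
            for path in rule.get("http", {}).get("paths", []):
                ref = path["backend"].get("service")
                svc = services.get((ns, ref["name"])) if ref else None
                if ref and svc is None:
                    findings.add((name, f"backend Service {ref['name']} not found"))
                elif svc and svc["spec"].get("type") in ("NodePort", "LoadBalancer"):
                    ports = [p["nodePort"] for p in svc["spec"].get("ports", []) if "nodePort" in p]
                    findings.add((name, f"Service {ref['name']} is {svc['spec']['type']}, "
                                        f"also reachable on node ports {ports}"))
    return sorted(findings)

if __name__ == "__main__":
    for ingress, finding in audit(SAMPLE):
        print(f"{ingress}: {finding}")
```

Switching the Service to ClusterIP and adding a `spec.tls` entry for hello-world.info clears both findings for the manifest used in this walkthrough.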