
k8s-ingress

作者: 秋幻旎苏 | 来源:发表于2017-03-24 18:14 被阅读0次

    1. 定义ingress前,必须先部署ingress controller,以实现为所有后端的service提供一个统一的入口。在ingress-controller的rc文件中定义了一个默认后端,所以在部署ingress controller前要先启动默认后端的pod,否则ingress-controller会启动失败。
    default-http-backend.yaml

    # ReplicationController for the default backend: the service the ingress
    # controller sends traffic to when no ingress rule matches.
    apiVersion: v1
    kind: ReplicationController
    metadata:
      # No namespace is set here; the controller manifest on this page refers to
      # this backend as default/default-http-backend.
      name: default-http-backend
    spec:
      replicas: 1
      selector:
        app: default-http-backend
      template:
        metadata:
          labels:
            app: default-http-backend
        spec:
          terminationGracePeriodSeconds: 60
          containers:
          - name: default-http-backend
            # Any image is permissible as long as:
            # 1. It serves a 404 page at /
            # 2. It serves 200 on a /healthz endpoint
            # NOTE(review): the image is pulled by mutable tag from what appears
            # to be a third-party registry mirror; pin by digest or pull from a
            # registry you control if image provenance matters.
            image: index.tenxcloud.com/google_containers/defaultbackend:1.0
            # The kubelet restarts the container if /healthz on 8080 stops answering.
            livenessProbe:
              httpGet:
                path: /healthz
                port: 8080
                scheme: HTTP
              initialDelaySeconds: 30
              timeoutSeconds: 5
            ports:
            - containerPort: 8080
            # requests == limits, so the pod's CPU and memory use is capped at
            # exactly what is reserved for it.
            resources:
              limits:
                cpu: 10m
                memory: 20Mi
              requests:
                cpu: 10m
                memory: 20Mi
    
    

    # Put a Service named default-http-backend in front of the RC:
    # service port 80 is forwarded to container port 8080.
    kubectl expose rc default-http-backend --name=default-http-backend --target-port=8080 --port=80

    ingress-controller.yaml

    # DaemonSet that runs one nginx ingress controller pod per node in kube-system.
    # NOTE(review): extensions/v1beta1 DaemonSet is no longer served by Kubernetes
    # 1.16 and later; there the kind lives in apps/v1 and needs an explicit
    # spec.selector.
    apiVersion: extensions/v1beta1
    kind: DaemonSet
    metadata:
      name: nginx-ingress-lb
      labels:
        name: nginx-ingress-lb
      namespace: kube-system
    spec:
      template:
        metadata:
          labels:
            name: nginx-ingress-lb
    #      annotations:
    #        prometheus.io/port: '80'
    #        prometheus.io/scrape: 'true'
        spec:
          terminationGracePeriodSeconds: 60
          # The pod shares the node's network namespace, so nginx listens on the
          # node's own 80/443 and the container can reach node-local listeners.
          # Limit which nodes run this pod and firewall those ports accordingly.
          hostNetwork: true
          containers:
          # NOTE(review): pulled by mutable tag from what appears to be a
          # third-party registry mirror; pin by digest or use a trusted registry.
          - image: index.tenxcloud.com/google_containers/nginx-ingress-controller:0.8.3
            name: nginx-ingress-lb
            readinessProbe:
              httpGet:
                path: /healthz    # URL and port the ingress controller is health-checked on
                port: 80
                scheme: HTTP
            livenessProbe:
              httpGet:
                path: /healthz
                port: 80
                scheme: HTTP
              initialDelaySeconds: 10
              timeoutSeconds: 1
            ports:
            - containerPort: 80
              hostPort: 80
            - containerPort: 443
              hostPort: 443
            env:
              # Pod name and namespace are injected through the downward API.
              - name: POD_NAME
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.name
              - name: POD_NAMESPACE
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.namespace
              # NOTE(review): this is a plain-HTTP URL on port 8080, conventionally
              # the kube-apiserver insecure port, which offers neither TLS nor
              # authentication/authorization. Prefer the pod's service account
              # over the HTTPS endpoint, and keep the insecure port disabled or
              # bound to localhost on the master.
              - name: KUBERNETES_MASTER
                value: http://192.168.23.128:8080      # master address used to fetch service information
            args:
            - /nginx-ingress-controller
            # namespace/name of the fallback Service; it must exist before the
            # controller starts.
            - --default-backend-service=default/default-http-backend
    
    

    启动ingress-controller之后
    可以根据需要暴露的服务配置ingress规则
    以下是我测试的服务
    rails-rc.yaml

    # ReplicationController for the test Rails application exposed through the ingress.
    apiVersion: v1
    kind: ReplicationController
    metadata:
      name: rails
      labels:
        name: rails
    spec:
      replicas: 1
      selector:
        name: rails
      template:
        metadata:
          labels:
            name: rails
        spec:
          containers:
            - name: rails
              # NOTE(review): no tag is given, so this resolves to :latest, and
              # IfNotPresent keeps whatever copy a node has already cached.
              # Pin an explicit tag or digest so every node runs the same,
              # known image.
              image: index.tenxcloud.com/docker_library/rails
              imagePullPolicy: IfNotPresent
              # Bind to all interfaces so the server is reachable from outside
              # the container (the Service on this page targets port 3000).
              command: [ "rails","server","-b","0.0.0.0"]
    

    rails-svc.yaml

    # Service in front of the rails pods. No type is set, so it is a ClusterIP
    # service reachable only inside the cluster; external traffic arrives via
    # the ingress controller.
    apiVersion: v1
    kind: Service
    metadata:
      name: rails
      labels:
        name: rails
    spec:
      # Selects the pods labelled name=rails.
      selector:
        name: rails
      ports:
      - port: 3000
        targetPort: 3000
    
    

    ingress.yaml

    # Ingress rule that routes the /rails path to the rails Service on port 3000.
    # NOTE(review): extensions/v1beta1 Ingress is no longer served by Kubernetes
    # 1.22 and later; networking.k8s.io/v1 uses a different backend schema.
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: rails-ingress
    spec:
      rules:
         # No host is given, so the rule is not restricted to one hostname: any
         # request for /rails that reaches the controller is proxied to the
         # backend. Add a host if the service should answer on one name only.
         # (The indentation below is unusual but still valid YAML.)
         - http:
            paths:
            - path: /rails
              backend:
                serviceName: rails
                servicePort: 3000
    
    

    访问方法 http://nodeip/rails
    代理到后端的rails 服务
    可以通过kubectl describe ing rails查看具体规则
    也可以直接进入ingress-controller容器,查看其中的/etc/nginx/nginx.conf里有没有自动生成配置规则。
    ps:daemonset如果删不掉,可能是有节点挂了。启动daemonset之后,每个node节点都会启动ingress-controller容器,所以也可以把ingress-controller设置为deployment。
    参考文档:http://blog.csdn.net/u013812710/article/details/52801656
    https://github.com/kubernetes/ingress/blob/master/controllers/nginx/README.md#https

    TLS ingress

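    # Create a private CA, issue a server certificate for dashboard.yiwu.com,
    # and load it into the cluster as the TLS secret used by the dashboard ingress.

    # -p keeps the step repeatable if the directory already exists.
    mkdir -p /etc/kubernetes/ssl
    cd /etc/kubernetes/ssl

    # CA key and self-signed CA certificate. The key is stored unencrypted, so
    # it is created under a restrictive umask (owner read/write only). Anyone
    # who can read ca-key.pem can issue certificates that clients of this CA
    # will trust, and the CA is valid for 10000 days, so keep the key off
    # shared hosts.
    (umask 077; openssl genrsa -out ca-key.pem 2048)
    openssl req -x509 -new -nodes -sha256 -key ca-key.pem -days 10000 -out ca.pem -subj "/CN=kube-ca"

    # Request config with the subjectAltName entries clients will verify.
    # '>' rather than '>>' so a re-run does not append duplicate sections.
    cat > openssl.cnf << EOF
    [req]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [req_distinguished_name]
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = dashboard.yiwu.com
    IP.1 = 10.254.0.1   #k8s 集群service ip
    IP.2 = 192.168.23.128
    EOF

    # Server key (also owner-only), CSR, and the certificate signed by the CA.
    # -sha256 makes the signature digest explicit instead of relying on the
    # default of the installed OpenSSL version.
    (umask 077; openssl genrsa -out ingress-key.pem 2048)
    openssl req -new -key ingress-key.pem -out ingress.csr -subj "/CN=dashboard.yiwu.com" -config openssl.cnf
    openssl x509 -req -sha256 -in ingress.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ingress.pem -days 365 -extensions v3_req -extfile openssl.cnf

    # The secret goes into kube-system, the same namespace as the ingress that
    # references it.
    kubectl create secret tls ingress-secret --key ingress-key.pem --cert ingress.pem -n kube-system
    # Presumably the manifest listed below as dashboard-ingress.yaml; adjust the
    # path to wherever that file is saved.
    kubectl create -f /opt/docker/conf/dashboard/dashboard-ingress-tls.yaml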
    
    

    dashboard-ingress.yaml

    
    # Ingress that publishes the Kubernetes dashboard on dashboard.yiwu.com
    # with TLS terminated at the ingress controller.
    # NOTE(review): TLS here only encrypts the connection; it does not
    # authenticate users. Before exposing the dashboard, make sure it enforces
    # login and runs with a narrowly scoped service account, or put
    # authentication in front of it (the controller README describes
    # basic-auth annotations; confirm they exist in the version you deploy).
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: k8s-dashboard
      namespace: kube-system
    spec:
      tls:
      - hosts:
        - dashboard.yiwu.com
        # TLS secret created with `kubectl create secret tls ... -n kube-system`;
        # it has to be in the same namespace as this Ingress.
        secretName: ingress-secret
      rules:
      - host: dashboard.yiwu.com
        http:
          paths:
          - backend:
              serviceName: kubernetes-dashboard
              servicePort: 80
            path: /
    
    

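    # Print the issued certificate to confirm subject, validity and
    # subjectAltName entries. The option is -text; -test is not an x509 option.
    openssl x509 -noout -text -in /etc/kubernetes/ssl/ingress.pem
    # Verified request: --cacert makes curl accept only certificates signed by
    # the CA generated on this page. --cert/--key present a client certificate,
    # which matters only if the server asks for one.
    curl https://dashboard.yiwu.com -v --cert /etc/kubernetes/ssl/ingress.pem --key /etc/kubernetes/ssl/ingress-key.pem --cacert /etc/kubernetes/ssl/ca.pem
    # Diagnostic only: -k turns certificate verification off, so a successful
    # response here says nothing about whether the certificate is valid.
    curl https://dashboard.yiwu.com -v -k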

    参考:https://my.oschina.net/lemonzone2010/blog/467213?p=1

    ingress 重写规则
    参考:https://github.com/kubernetes/ingress/tree/master/examples/rewrite/nginx
    例子:

    # Example Ingress using the nginx controller's rewrite annotation.
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      annotations:
        # Rewrites the matched path to / before the request is proxied, so the
        # backend sees / instead of /something.
        # NOTE(review): later controller releases use the
        # nginx.ingress.kubernetes.io/ annotation prefix; check the prefix your
        # controller version reads.
        ingress.kubernetes.io/rewrite-target: /
      name: rewrite
      namespace: default
    spec:
      rules:
      - host: rewrite.bar.com
        http:
          paths:
          - backend:
              serviceName: echoheaders
              servicePort: 80
            path: /something
    
