# Expose the existing Deployment named "deployment" as a Service on port 80
# (kubectl expose defaults to type ClusterIP), re-apply rs.yml (its contents
# are not shown here) and list the Services.
[root@server2 ~]# kubectl expose deployment deployment --port=80
[root@server2 ~]# kubectl apply -f rs.yml
[root@server2 ~]# kubectl get svc
一.service
- service是由kube-proxy组件,加上iptables来共同实现的
- kube-proxy通过iptables处理service的过程,需要在宿主机上设置相当多的iptables规则,如果宿主机有大量的Pod,不断刷新iptables规则,会消耗大量的CPU资源。
- IPVS模式的service,可以使k8s集群支持更多量级的Pod。
server3、4也需要安装
# ipvsadm is only used here to inspect the IPVS tables (`ipvsadm -ln` below);
# the note above says it must also be installed on server3 and server4.
[root@server2 ~]# yum install -y ipvsadm
# Edit the kube-proxy ConfigMap. The edit itself is not shown; from the notes
# above it presumably switches the proxy mode to ipvs — confirm.
[root@server2 ~]# kubectl -n kube-system edit cm kube-proxy
# Restart kube-proxy by deleting its pods so their controller recreates them.
# NOTE(review): this shells out from awk with system() and builds the command
# string from pod names. A plain pipeline avoids the string-built command:
#   kubectl get pod -n kube-system | grep kube-proxy | awk '{print $1}' | xargs -r kubectl -n kube-system delete pod
# or delete by label selector instead of grepping names.
[root@server2 ~]# kubectl get pod -n kube-system |grep kube-proxy | awk '{system("kubectl delete pod "$1" -n kube-system")}'
# Confirm the replacement pods are up, then check that the Service created
# earlier now appears in the IPVS tables.
[root@server2 ~]# kubectl get pod -n kube-system |grep kube-proxy
[root@server2 ~]# kubectl get svc
[root@server2 ~]# ipvsadm -ln
[root@server2 ~]# kubectl describe svc deployment
- IPVS模式下,kube-proxy会在service创建后,在宿主机上添加一个虚拟网卡:kube-ipvs0,并分配service ip
# Per the note above, the host should now show a kube-ipvs0 interface carrying
# the Service IP; then create demo.yml (contents follow).
[root@server2 ~]# ip addr
[root@server2 ~]# vim demo.yml
---
# Service "myservice": forwards TCP port 80 to port 80 of every Pod labelled
# app=myapp (the Deployment below). No `type` is given, so it is a ClusterIP
# Service; later sections change this by editing the file.
apiVersion: v1
kind: Service
metadata:
  name: myservice
spec:
  selector:
    app: myapp
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
---
# Deployment "demo2": three replicas of the myapp:v2 image, labelled app=myapp
# so they are selected by the Service above.
# NOTE(review): the image reference is unqualified (no registry); which
# registry it resolves to depends on node configuration not shown here.
# No resources or securityContext are set — acceptable for a demo only.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo2
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp
        image: myapp:v2
# Create the Service and Deployment from demo.yml, then inspect the Service
# on server2 and confirm (ip addr on server3, ipvsadm on server2) that the
# new Service IP is programmed on the nodes as well.
[root@server2 ~]# kubectl apply -f demo.yml
[root@server2 ~]# kubectl get svc
[root@server2 ~]# kubectl describe svc myservice
[root@server3 ~]# ip addr
[root@server2 ~]# ipvsadm -ln
Headless Service"无头服务"
- Headless Service不需要分配一个VIP,而是直接以DNS记录的方式解析出被代理Pod的ip地址。
- 域名格式:
# Headless Service variant. The edit to demo.yml is not shown; from the heading
# it presumably sets clusterIP: None on myservice — confirm.
[root@server2 ~]# kubectl delete -f demo.yml
[root@server2 ~]# vim demo.yml
# Clean up the objects created at the top of the page (rs.yml and the Service
# created with kubectl expose) before re-applying.
[root@server2 ~]# kubectl delete -f rs.yml
[root@server2 ~]# kubectl delete svc deployment
[root@server2 ~]# kubectl apply -f demo.yml
[root@server2 ~]# kubectl get svc
[root@server2 ~]# kubectl describe svc myservice
# Lists the system Services (cluster DNS lives here).
[root@server2 ~]# kubectl -n kube-system get svc
NodePort方式
# NodePort variant. The edit is not shown; per the heading it presumably sets
# type: NodePort on myservice — confirm. `kubectl get svc` then shows the
# allocated node port.
[root@server2 ~]# kubectl delete -f demo.yml
[root@server2 ~]# vim demo.yml
[root@server2 ~]# kubectl apply -f demo.yml
[root@server2 ~]# kubectl get svc
[root@server2 ~]# ip addr
LoadBalancer
从外部访问Service的第二种方式,适用于公有云上的Kubernetes服务。这时候,你可以指定一个LoadBalancer类型的Service。
# LoadBalancer variant. The edit is not shown; per the heading it presumably
# sets type: LoadBalancer — confirm. The Service is deleted and re-applied once;
# the reason (e.g. a changed spec) is not visible here.
[root@server2 ~]# vim demo.yml
[root@server2 ~]# kubectl apply -f demo.yml
[root@server2 ~]# kubectl get svc
[root@server2 ~]# kubectl describe svc myservice
[root@server2 ~]# kubectl delete svc myservice
[root@server2 ~]# kubectl apply -f demo.yml
[root@server2 ~]# kubectl get svc
[root@server2 ~]# kubectl describe svc myservice
ExternalName
从外部访问的第三种方式叫做ExternalName
service允许为其分配一个公有IP
# Another edit of demo.yml (not shown), then a reachability test from the
# workstation. 192.168.3.100 is presumably the external IP assigned to
# myservice — confirm against the `kubectl get svc` output.
[root@server2 ~]# vim demo.yml
[root@server2 ~]# kubectl apply -f demo.yml
[root@server2 ~]# kubectl get svc
[root@westos Desktop]# curl 192.168.3.100
[root@westos Desktop]# curl 192.168.3.100/hostname.html
# Create the ExternalName Service manifest (contents follow).
[root@server2 ~]# vim exsvc.yml
# ExternalName Service "exsvc": no selector, no cluster IP; cluster DNS answers
# exsvc.default.svc.cluster.local with the external name (checked with dig
# below). Traffic to the external host leaves the cluster unchanged — there is
# no proxying or TLS termination here.
apiVersion: v1
kind: Service
metadata:
  name: exsvc
spec:
  type: ExternalName
  externalName: www.baidu.com
[root@server2 ~]# kubectl apply -f exsvc.yml
[root@server2 ~]# kubectl get svc
# bind-utils provides dig.
[root@server2 ~]# yum install bind-utils -y # package that provides dig
# Resolve the Service FQDN directly against 10.96.0.10, presumably the
# cluster DNS Service address — confirm with `kubectl -n kube-system get svc`.
[root@server2 ~]# dig -t A exsvc.default.svc.cluster.local. @10.96.0.10
二.网络通信
# Pod-to-pod connectivity test. demo.yml is rewritten (not shown); given the
# attach below it presumably now defines a Pod named "demo" — confirm.
[root@server2 ~]# vim demo.yml
[root@server2 ~]# kubectl apply -f demo.yml
[root@server2 ~]# kubectl get pod
# -o wide shows Pod IPs and the node each Pod runs on.
[root@server2 ~]# kubectl get pod -o wide
# Attach to the demo Pod; the `/ #` prompt below is inside the container.
[root@server2 ~]# kubectl attach demo -it
/ # ping 10.244.1.53
可以通信
host-gw
# Switch flannel's backend. The ConfigMap edit is not shown; per the heading it
# presumably sets the backend Type to host-gw — confirm.
[root@server2 ~]# kubectl -n kube-system edit cm kube-flannel-cfg
# Restart flannel by deleting its pods.
# NOTE(review): same string-built system() call as the kube-proxy restart
# above; `awk '{print $1}' | xargs -r kubectl -n kube-system delete pod`
# achieves the same without building a shell command in awk.
[root@server2 ~]# kubectl get pod -n kube-system |grep flannel | awk '{system("kubectl delete pod "$1" -n kube-system")}'
[root@server2 ~]# kubectl -n kube-system get pod
# Kernel routing table; with host-gw the routes to other nodes' Pod subnets
# should appear here (output not shown).
[root@server2 ~]# route -n
[root@server2 ~]# kubectl get pod -o wide
# Re-run the in-container ping from the demo Pod.
[root@server2 ~]# kubectl attach demo -it
/ # ping 10.244.1.53
vxlan
# Switch the flannel backend again (per the heading, presumably back to vxlan
# — the edit is not shown), restart flannel the same way, and repeat the ping.
[root@server2 ~]# kubectl -n kube-system edit cm kube-flannel-cfg
[root@server2 ~]# kubectl get pod -n kube-system |grep flannel | awk '{system("kubectl delete pod "$1" -n kube-system")}'
[root@server2 ~]# kubectl attach demo -it
/ # ping 10.244.1.53
可以通信
ingress
service与集群外部客户端的通信(ingress、nodeport、loadbalancer)
# Copy the ingress-nginx manifest to server2 (192.168.3.202) and the image
# tarball to server1 (192.168.3.201), which presumably hosts the private
# registry reg.westos.org that the tags below push to.
[root@westos file_recv]# scp deploy.yaml root@192.168.3.202:
[root@westos file_recv]# scp ingress-nginx.tar root@192.168.3.201:
# Load the saved images and retag them into the registry's "library" project.
# NOTE(review): deploy.yaml has to reference these private-registry image
# names for the cluster to pull them; that edit is not shown on this page.
[root@server1 ~]# docker load -i ingress-nginx.tar
[root@server1 ~]# docker tag quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.33.0 reg.westos.org/library/nginx-ingress-controller:0.33.0
[root@server1 ~]# docker tag jettech/kube-webhook-certgen:v1.2.0 reg.westos.org/library/kube-webhook-certgen:v1.2.0
[root@server1 ~]# docker push reg.westos.org/library/nginx-ingress-controller:0.33.0
[root@server1 ~]# docker push reg.westos.org/library/kube-webhook-certgen:v1.2.0
# Remove the ExternalName Service from the previous section.
[root@server2 ~]# kubectl delete svc exsvc
# Check what (if anything) already listens on port 80 on server2.
[root@server2 ~]# netstat -antlp | grep :80
# Re-apply demo.yml (edit not shown), deploy the ingress controller and wait
# for its pods in the ingress-nginx namespace to reach Running.
[root@server2 ~]# vim demo.yml
[root@server2 ~]# kubectl apply -f demo.yml
[root@server2 ~]# kubectl apply -f deploy.yaml
[root@server2 ~]# kubectl -n ingress-nginx get pod
确认正常running
认证加密
创建一个ingress文件夹,把内容移到里面便于管理
# Self-signed certificate for the Ingress TLS section below (Secret tls-secret).
# NOTE(review): the subject is /CN=nginxsvc, but the Ingress serves
# www1.westos.org, so clients will see a name mismatch even if they trust the
# self-signed issuer; issue it for that hostname (CN and, where the OpenSSL
# build supports it, a subjectAltName). -nodes writes tls.key unencrypted —
# restrict its permissions or remove it once the Secret exists.
[root@server2 ingress]# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
[root@server2 ingress]# kubectl create secret tls tls-secret --key tls.key --cert tls.crt
# (command output)
secret/tls-secret created
[root@server2 ingress]# kubectl get cm
[root@server2 ingress]# kubectl get secrets
# describe lists the Secret's keys and sizes, not the data itself.
[root@server2 ingress]# kubectl describe secrets tls-secret
# htpasswd comes from httpd-tools; -c creates the file, the second call appends.
# NOTE(review): without -B htpasswd uses its MD5-based (apr1) hash; pass -B
# to store bcrypt hashes instead.
[root@server2 ingress]# yum install -y httpd-tools.x86_64
[root@server2 ingress]# htpasswd -c auth wxh
[root@server2 ingress]# htpasswd auth admin
# Prints the user:hash lines to the terminal — avoid in shared transcripts.
[root@server2 ingress]# cat auth
# --from-file uses the filename as the key, so the Secret key is "auth", which
# is the key the ingress-nginx auth-secret annotation below reads.
[root@server2 ingress]# kubectl create secret generic basic-auth --from-file=auth
[root@server2 ingress]# kubectl get secrets
# -o yaml dumps the data base64-encoded; that is encoding, not encryption —
# the password hashes are fully exposed in the output.
[root@server2 ingress]# kubectl get secret basic-auth -o yaml
[root@server2 ingress]# vim nginx-svc.yml
---
# Service "nginx-svc": ClusterIP (no type given), TCP 80 -> 80 on Pods
# labelled app=nginx; it is the backend of the www2 Ingress rule below.
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
---
# Deployment "deployment" (same name as the one exposed at the top of the
# page; that one was deleted earlier): two replicas of myapp:v1 labelled
# app=nginx. The container name "myapp" and the label "nginx" are unrelated
# strings — the Service matches on the label only.
# NOTE(review): unqualified image name; no resources or securityContext.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: myapp
        image: myapp:v1
# Create nginx-svc and its Deployment, check they are up, then write the
# Ingress manifest (contents follow).
[root@server2 ingress]# kubectl apply -f nginx-svc.yml
[root@server2 ingress]# kubectl get svc
[root@server2 ingress]# kubectl get pod
[root@server2 ingress]# vim nginx.yml
# Ingress "ingress-demo": HTTP basic auth (credentials from Secret basic-auth
# created above) plus TLS for www1.westos.org (certificate from Secret
# tls-secret), routing / to myservice:80.
# NOTE: networking.k8s.io/v1beta1 Ingress is deprecated and removed in
# Kubernetes 1.22; it is presumably what the 0.33.0 controller loaded above
# expects — confirm before upgrading either.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-demo
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - wxh'
spec:
  tls:
  - hosts:
    - www1.westos.org
    secretName: tls-secret
  rules:
  - host: www1.westos.org
    http:
      paths:
      - path: /
        backend:
          serviceName: myservice
          servicePort: 80
---
# Ingress "ingress-demo2": path rewrite for www2.westos.org. The path is a
# regex with two capture groups; rewrite-target: /$2 sends e.g. /westos/x
# to nginx-svc as /x. This host has neither TLS nor auth, so it is served
# over plain HTTP without credentials.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-demo2
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
  rules:
  - host: www2.westos.org
    http:
      paths:
      - backend:
          serviceName: nginx-svc
          servicePort: 80
        path: /westos(/|$)(.*)
# Static name resolution for the two Ingress hosts. 192.168.3.204 is
# presumably the node where the ingress controller runs — confirm. The same
# entry is needed on whichever machine runs the browser for the test below.
[root@server2 ingress]# vim /etc/hosts
192.168.3.204 www1.westos.org www2.westos.org
[root@server2 ingress]# kubectl apply -f nginx.yml
浏览器访问 www1.westos.org 、 www2.westos.org