Ingress
Service types:
  LoadBalancer
  NodePort: opens the same port, chosen from 30000-32767, on every node
  ClusterIP: the default type; reachable only from inside the cluster
  ExternalName
Ingress: exposing Services to the outside world
Service: a gateway-like abstraction. It selects pods by label, follows pod churn through its Endpoints, and load-balances across the pods as a layer-4 (TCP/UDP) proxy.
The ports a Service exposes are meant for access from the internal network (cluster / LAN).
LoadBalancer: on a public cloud the provider allocates a load-balancer IP for the Service, i.e. a public address.
Ingress:
In Kubernetes, Ingress is a separate component (its own Deployment, Namespace and Service) with its own configuration.
In these notes the Ingress resource is written as a YAML manifest rather than created from the command line (recent kubectl releases also provide `kubectl create ingress`, but every example below uses a manifest).
An Ingress defines the rules for how incoming requests are forwarded to Services.
Ingress exposes internal Services over HTTP or HTTPS, giving them an externally reachable URL, load balancing and SSL/TLS termination; it is a name-based (virtual host) reverse proxy.
The Ingress object is only the rule set; an Ingress controller implements the behaviour described above.
Data flow: the user requests a domain name; the Ingress controller matches the host/path rule and forwards to the Service named in the rule; the Service forwards to the pods selected by its labels, round-robin across them.
The Ingress controller is not a built-in Kubernetes component; "ingress controller" is the generic name for a family of plug-ins.
Controllers maintained by the Kubernetes project: GCE (Google Cloud) and ingress-nginx.
ingress-nginx: the most commonly used controller.
Traefik: ships with a web UI (dashboard); the notes rate its concurrency capacity below that of ingress-nginx.
Ways ingress-nginx can expose itself:
1. Deployment + LoadBalancer Service
   Needs a public cloud to allocate the load-balancer IP (a public address).
2. DaemonSet + hostNetwork + nodeSelector
   The controller runs one pod on every selected node and binds ports 80 and 443 directly in the node's network namespace, so traffic reaches it without any Service in between.
   Data flow: user requests the domain name -> controller pod listening on the node's 80/443 -> the Service named in the matching rule -> pod.
   Caveat: hostNetwork: true places the controller in the node's network namespace. It sees every interface of the node, most CNI plug-ins cannot apply NetworkPolicy to it, and only one process per node can own 80/443. Treat it as a privileged workload and pin it with nodeSelector to dedicated ingress nodes.
3. Deployment + NodePort Service
   node port 30000-32767 -> Service port 80 -> controller pod port 80
   The controller runs as a Deployment with as many replicas as configured, placed by the scheduler; the NodePort Service opens one fixed port from 30000-32767 on every node.
   Pros: leaves the nodes' 80/443 free, simple to configure, adequate for internal traffic with low concurrency.
   Cons: worse performance. There is an extra NodePort hop, and kube-proxy implements the NodePort as NAT (address translation), which costs throughput.
   Data flow: user requests the domain name on the node port -> kube-proxy maps the NodePort to the Service's ClusterIP port -> controller pod -> the backend Service named in the rule -> pod.
   client ---> www.xy102.com:nodeport ---> ingress-nginx Service (NodePort -> ClusterIP) ---> controller pod ---> backend Service ---> pod port
Commands used in the hands-on sections (summary):
[root@master01 opt]# tar -xf ingree.contro-0.30.0.tar.gz
[root@master01 opt]# docker load -i ingree.contro-0.30.0.tar
[root@master01 opt]# wget https://gitee.com/mirrors/ingress-nginx/raw/nginx-0.30.0/deploy/static/mandatory.yaml
(ingress-nginx 0.30.0 is an old release pinned for this lab; pick a current release for anything real.)
[root@master01 opt]# netstat -antp | grep nginx
tcp 0 0 0.0.0.0:80   0.0.0.0:* LISTEN 111940/nginx: master
tcp 0 0 0.0.0.0:8181 0.0.0.0:* LISTEN 111940/nginx: master
tcp 0 0 0.0.0.0:443  0.0.0.0:* LISTEN 111940/nginx: master
Port 8181 is ingress-nginx's built-in default backend: a request that matches no Ingress rule is handed to it and answered with 404.
[root@master01 ingress]# wget https://gitee.com/mirrors/ingress-nginx/raw/nginx-0.30.0/deploy/static/provider/baremetal/service-nodeport.yaml
[root@master01 https]# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=CHINA/O=NJ"
req                work with certificate requests and the files around them
-x509              emit a self-signed X.509 certificate instead of a CSR
-sha256            sign with SHA-256
-nodes             do not encrypt the private key with a passphrase (the controller must be able to read it unattended)
-days 365          certificate valid for 365 days
-newkey rsa:2048   generate a fresh RSA key pair of 2048 bits
-keyout tls.key -out tls.crt   write two files:
-keyout            the private key goes to tls.key
-out               the certificate goes to tls.crt
-subj              the certificate subject; it must start with "/" (openssl rejects "CN=CHINA/O=NJ" without the leading slash)
Caveat: the subject CN here (CHINA) is not the Ingress host name (www.xy102.com) and no subjectAltName is set, so browsers and curl refuse this certificate unless verification is switched off (hence curl -k later). For anything beyond a lab test, issue the certificate for the real host name (subjectAltName=DNS:www.xy102.com) from a CA the clients trust.
2. DaemonSet + hostNetwork + nodeSelector (hands-on)
----------------- run on all three nodes --------------------------
[root@master01 opt]# tar -xf ingree.contro-0.30.0.tar.gz
[root@master01 opt]# docker load -i ingree.contro-0.30.0.tar
[root@master01 opt]# mkdir ingress
[root@master01 opt]# cd ingress/
[root@master01 ingress]# wget https://gitee.com/mirrors/ingress-nginx/raw/0.30.0/deploy/static/mandatory.yaml
------------------- end of shared steps ---------------------
[root@master01 ingress]# vim mandatory.yaml
    apiVersion: apps/v1
191 #kind: Deployment
192 kind: DaemonSet
    metadata:
      name: nginx-ingress-controller
      namespace: ingress-nginx
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    spec:
200 # replicas: 1
    ...
219       hostNetwork: true
[root@master01 ingress]# kubectl apply -f mandatory.yaml
[root@master01 ingress]# kubectl get pod -o wide -n ingress-nginx
NAME                             READY   STATUS    RESTARTS   AGE   IP               NODE       NOMINATED NODE   READINESS GATES
nginx-ingress-controller-27lvf   1/1     Running   0          23s   192.168.168.81   master01   <none>           <none>
nginx-ingress-controller-29ckx   1/1     Running   0          23s   192.168.168.83   node02     <none>           <none>
nginx-ingress-controller-kn8ww   1/1     Running   0          23s   192.168.168.82   node01     <none>           <none>
The pods carry node IPs, not pod-network IPs, because of hostNetwork: true.
--------------- on all three nodes: check that 80 and 443 are bound -------------------------
[root@master01 ingress]# netstat -antp | grep nginx
tcp 0 0 0.0.0.0:80   0.0.0.0:* LISTEN 22509/nginx: master
tcp 0 0 0.0.0.0:8181 0.0.0.0:* LISTEN 22509/nginx: master
tcp 0 0 0.0.0.0:443  0.0.0.0:* LISTEN 22509/nginx: master
[root@node01 ingress]# netstat -antp | grep nginx
[root@node02 ingress]# netstat -antp | grep nginx
Port 8181 is ingress-nginx's built-in default backend: a request that matches no Ingress rule is handed to it and answered with 404.
--------------------- the Ingress resource ----------------
[root@master01 ingress]# kubectl explain ingress
KIND:     Ingress
VERSION:  networking.k8s.io/v1
[root@master01 ingress]# vim ingress-nginx1.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfs-pvc
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: nfs-client-storageclass
  resources:
    requests:
      storage: 2Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-app
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.22
        ports:
        - containerPort: 80
        volumeMounts:
        - name: nfs-pvc
          mountPath: /usr/share/nginx/html
      volumes:
      - name: nfs-pvc
        persistentVolumeClaim:
          claimName: nfs-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-daemon-svc
spec:
  type: ClusterIP
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  selector:
    app: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-daemon-ingress
spec:
  rules:
  - host: www.xy102.com
    http:
      paths:
      - path: /
        pathType: Prefix        # prefix match: covers /, /test1, /test1/test2 ...
        backend:                # the Service (and through it the pods) that receives matching requests
          service:
            name: nginx-daemon-svc
            port:
              number: 80
[root@master01 ingress]# kubectl apply -f ingress-nginx1.yaml
On the NFS server (k8s5) the dynamically provisioned directory for the PVC appears:
[root@k8s5 k8s]# ll
total 0
drwxrwxrwx. 2 root root  6 Sep 10 10:34 default-nfs-pvc-pvc-8e552463-1055-4d12-9fcf-1f0da12cf3d9
drwxrwxrwx. 2 root root 62 Sep  8 16:55 default-redis-data-redis-master-0-pvc-4c38e65b-5e5d-45c5-a58d-6d7c0bd69b39
drwxrwxrwx. 2 root root 62 Sep  8 16:55 default-redis-data-redis-replica-0-pvc-eabc2e78-7b0c-4c72-ac16-bf44eca0d524
drwxrwxrwx. 2 root root 62 Sep  8 16:43 default-redis-data-redis-replica-1-pvc-d5b0e813-8bed-4b00-8df6-69ad648ecc2c
[root@k8s5 k8s]# rm -rf default-redis-data-redis-*
[root@k8s5 k8s]# ll
total 0
drwxrwxrwx. 2 root root 6 Sep 10 10:34 default-nfs-pvc-pvc-8e552463-1055-4d12-9fcf-1f0da12cf3d9
[root@k8s5 k8s]# cd default-nfs-pvc-pvc-8e552463-1055-4d12-9fcf-1f0da12cf3d9/
[root@k8s5 default-nfs-pvc-pvc-8e552463-1055-4d12-9fcf-1f0da12cf3d9]# ls
[root@k8s5 default-nfs-pvc-pvc-8e552463-1055-4d12-9fcf-1f0da12cf3d9]# echo 123 > index.html
Note that the export is world-writable (drwxrwxrwx) and is the web root served through the Ingress: anyone who can write to the NFS share can change what the site serves.
Resolve the host name to a node that runs a controller pod and test from each node:
[root@master01 ingress]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.168.81 master01 www.xy102.com
192.168.168.82 node01
192.168.168.83 node02
192.168.168.84 hub.test.com
192.168.168.85 k8s5
[root@master01 ingress]# curl www.xy102.com
123
[root@node01 ingress]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.168.81 master01 www.xy102.com
[root@node01 ingress]# curl www.xy102.com
123
[root@node02 ingress]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.168.81 master01 www.xy102.com
[root@node02 ingress]# curl www.xy102.com
123
Sub-paths are covered by the Prefix rule as well:
[root@k8s5 default-nfs-pvc-pvc-51fc1314-0c17-4f04-b539-d2508ac35ca3]# mkdir test1
[root@k8s5 default-nfs-pvc-pvc-51fc1314-0c17-4f04-b539-d2508ac35ca3]# ll
total 4
-rw-r--r--. 1 root root 4 Sep 10 11:51 index.html
drwxr-xr-x. 2 root root 6 Sep 10 12:32 test1
[root@k8s5 default-nfs-pvc-pvc-51fc1314-0c17-4f04-b539-d2508ac35ca3]# cd test1/
[root@k8s5 test1]# echo 456 > index.html
[root@master01 ingress]# curl www.xy102.com/test1
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.22.1</center>
</body>
</html>
The 301 comes from the backend nginx, not from the Ingress: test1 is a directory, so nginx redirects /test1 to /test1/ before serving its index.html; curl -L follows the redirect.
[root@master01 ingress]# curl -L www.xy102.com/test1
456
[root@k8s5 test1]# pwd
/opt/k8s/default-nfs-pvc-pvc-51fc1314-0c17-4f04-b539-d2508ac35ca3/test1
[root@k8s5 test1]# ll
total 4
-rw-r--r--. 1 root root 4 Sep 10 12:32 index.html
[root@k8s5 test1]# mkdir test2
[root@k8s5 test1]# cd test2/
[root@k8s5 test2]# echo 789 > index.html
[root@master01 ingress]# curl -L www.xy102.com/test1/test2
789
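The pathType: Prefix comment in the manifest and the curl tests for /, /test1 and /test1/test2 above exercise the Ingress matching rules by hand. As an added example (not part of the original notes and not ingress-nginx code), the Python below models those rules from the networking.k8s.io/v1 Ingress spec: Prefix matches whole '/'-separated path elements (so /test1 covers /test1/test2 but not /test1x), the longest matching path wins, Exact beats Prefix on a tie, a wildcard host covers exactly one DNS label, and a request that matches nothing falls to the default backend the notes saw on port 8181. Picking an exact host before a wildcard host is how nginx selects a server block and is an assumption here. Only the www.xy102.com -> nginx-daemon-svc:80 rule comes from the notes; test1-svc, exact-prefix-svc, exact-svc and wildcard-svc are assumed names added to show precedence.

```python
"""Model of how an Ingress controller picks a backend for an HTTP request.

Added example for these notes (not code from the page or from ingress-nginx).
Implements the networking.k8s.io/v1 Ingress matching rules: Exact / Prefix
pathType, longest matching path wins, Exact beats Prefix on a tie, wildcard
hosts cover exactly one DNS label. Host precedence (exact name before wildcard
before no host) follows nginx server_name selection, an assumption made here.
"""
from typing import List, Optional, Tuple

# Requests matching no rule go to the controller's default backend; the notes
# observe it listening on port 8181 (it answers 404).
DEFAULT_BACKEND = ("default-backend", 8181)

# (host, path, pathType, service, port). Only the first rule comes from the
# notes' manifest; the other services are assumed names added for illustration.
Rule = Tuple[str, str, str, str, int]
RULES: List[Rule] = [
    ("www.xy102.com", "/", "Prefix", "nginx-daemon-svc", 80),
    ("www.xy102.com", "/test1", "Prefix", "test1-svc", 8080),
    ("www.xy102.com", "/test1/exact", "Prefix", "exact-prefix-svc", 80),
    ("www.xy102.com", "/test1/exact", "Exact", "exact-svc", 9090),
    ("*.xy102.com", "/", "Prefix", "wildcard-svc", 80),
]


def host_specificity(rule_host: str, req_host: str) -> int:
    """0 = no match, 1 = rule without host, 2 = wildcard match, 3 = exact match."""
    req_host = req_host.split(":", 1)[0].lower()  # drop an explicit port; DNS names are case-insensitive
    rule_host = rule_host.lower()
    if rule_host == "":
        return 1                                   # no host set: applies to any Host header
    if rule_host.startswith("*."):
        suffix = rule_host[1:]                     # "*.xy102.com" -> ".xy102.com"
        if not req_host.endswith(suffix):
            return 0
        label = req_host[: -len(suffix)]
        return 2 if label and "." not in label else 0  # exactly one non-empty label
    return 3 if req_host == rule_host else 0


def path_matches(rule_path: str, path_type: str, req_path: str) -> bool:
    """Exact: byte-for-byte equality. Prefix: match whole '/'-separated elements,
    so /test1 covers /test1, /test1/ and /test1/test2 but not /test1x."""
    if path_type == "Exact":
        return req_path == rule_path
    if path_type == "Prefix":
        base = rule_path.rstrip("/")
        if base == "":
            return True                            # "/" is a prefix of every path
        return req_path == base or req_path.startswith(base + "/")
    raise ValueError(f"unsupported pathType: {path_type}")


def route(req_host: str, req_path: str, rules: List[Rule] = RULES) -> Tuple[str, int]:
    """Return (service, port) for the request, or DEFAULT_BACKEND when nothing matches."""
    best_key: Optional[Tuple[int, int, bool]] = None
    best = DEFAULT_BACKEND
    for host, path, ptype, svc, port in rules:
        spec = host_specificity(host, req_host)
        if spec == 0 or not path_matches(path, ptype, req_path):
            continue
        # precedence: most specific host, then longest path, then Exact over Prefix
        key = (spec, len(path.rstrip("/")), ptype == "Exact")
        if best_key is None or key > best_key:
            best_key, best = key, (svc, port)
    return best


if __name__ == "__main__":
    for host, path in [("www.xy102.com", "/"), ("www.xy102.com", "/test1/test2"),
                       ("www.xy102.com", "/test1x"), ("a.b.xy102.com", "/")]:
        print(host, path, "->", route(host, path))
```

Running it shows why /test1x is served by the catch-all "/" rule rather than by /test1, and why a.b.xy102.com, two labels deep, is not covered by *.xy102.com and ends up at the default backend.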
Restricting the DaemonSet with nodeSelector
[root@master01 ingress]# vim mandatory.yaml
190 apiVersion: apps/v1
191 #kind: Deployment
192 kind: DaemonSet                      # switch the kind to the DaemonSet on line 192
193 metadata:
194   name: nginx-ingress-controller
195   namespace: ingress-nginx
196   labels:
197     app.kubernetes.io/name: ingress-nginx
198     app.kubernetes.io/part-of: ingress-nginx
199 spec:
200 # replicas: 1                        # comment this line out; a DaemonSet has no replica count
201   selector:
202     matchLabels:
203       app.kubernetes.io/name: ingress-nginx
204       app.kubernetes.io/part-of: ingress-nginx
205   template:
206     metadata:
207       labels:
208         app.kubernetes.io/name: ingress-nginx
209         app.kubernetes.io/part-of: ingress-nginx
210       annotations:
211         prometheus.io/port: "10254"
212         prometheus.io/scrape: "true"
213     spec:
214       # wait up to five minutes for the drain of connections
215       terminationGracePeriodSeconds: 300
216       serviceAccountName: nginx-ingress-serviceaccount
217       nodeSelector:
218         kubernetes.io/os: linux
219       hostNetwork: true
220       nodeSelector:                  # lines 220 and 221 added
221         ingress: "true"
Caveat: lines 217 and 220 give the pod spec two nodeSelector keys. A YAML mapping cannot legitimately repeat a key; depending on the decoder the duplicate is rejected, or the later mapping silently replaces the earlier one and the kubernetes.io/os: linux constraint is lost. The clean form is to add ingress: "true" under the existing nodeSelector at line 217 instead of adding a second key.
[root@master01 ingress]# kubectl get nodes --show-labels
Label node01 with ingress=true:
[root@master01 ingress]# kubectl label nodes node01 ingress=true
node/node01 labeled
[root@master01 ingress]# kubectl get nodes --show-labels
NAME       STATUS   ROLES                  AGE   VERSION    LABELS
master01   Ready    control-plane,master   14d   v1.20.15   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=master01,kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=,node-role.kubernetes.io/master=
node01     Ready    <none>                 14d   v1.20.15   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,ingress=true,kubernetes.io/arch=amd64,kubernetes.io/hostname=node01,kubernetes.io/os=linux,memory=1000,test1=a,test3=b
node02     Ready    <none>                 14d   v1.20.15   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=node02,kubernetes.io/os=linux,test2=b,xy102=98
[root@master01 ingress]# kubectl apply -f mandatory.yaml
[root@master01 ingress]# kubectl get pod -o wide -n ingress-nginx
NAME                             READY   STATUS    RESTARTS   AGE   IP               NODE     NOMINATED NODE   READINESS GATES
nginx-ingress-controller-p52jc   1/1     Running   0          11s   192.168.168.82   node01   <none>           <none>
Only node01 carries the label, so the DaemonSet now runs a single controller pod, there.
[root@node01 ingress]# curl www.xy102.com
curl: (7) Failed connect to www.xy102.com:80; Connection refused
node01's /etc/hosts still resolves www.xy102.com to master01 (192.168.168.81), which no longer runs a controller pod; point the name at node01 instead:
[root@node01 ingress]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.168.82 node01 www.xy102.com
[root@node01 ingress]# curl www.xy102.com
123
[root@node01 ingress]# curl -L www.xy102.com/test1/test2
789
[root@node01 ingress]# curl -L www.xy102.com/test1
456
3. Deployment + NodePort (hands-on)
[root@master01 ingress]# kubectl delete -f mandatory.yaml
[root@master01 ingress]# vim mandatory.yaml
190 apiVersion: apps/v1
191 kind: Deployment
192 #kind: DaemonSet
193 metadata:
194   name: nginx-ingress-controller
195   namespace: ingress-nginx
196   labels:
197     app.kubernetes.io/name: ingress-nginx
198     app.kubernetes.io/part-of: ingress-nginx
199 spec:
200   replicas: 1
201   selector:
202     matchLabels:
203       app.kubernetes.io/name: ingress-nginx
204       app.kubernetes.io/part-of: ingress-nginx
205   template:
206     metadata:
207       labels:
208         app.kubernetes.io/name: ingress-nginx
209         app.kubernetes.io/part-of: ingress-nginx
210       annotations:
211         prometheus.io/port: "10254"
212         prometheus.io/scrape: "true"
213     spec:
214       # wait up to five minutes for the drain of connections
215       terminationGracePeriodSeconds: 300
216       serviceAccountName: nginx-ingress-serviceaccount
217       nodeSelector:
218         kubernetes.io/os: linux
219 #     hostNetwork: true
220 #     nodeSelector:
221 #       ingress: "true"
[root@master01 ingress]# wget https://gitee.com/mirrors/ingress-nginx/raw/nginx-0.30.0/deploy/static/provider/baremetal/service-nodeport.yaml
[root@master01 ingress]# kubectl apply -f mandatory.yaml
[root@master01 ingress]# kubectl apply -f service-nodeport.yaml
[root@master01 ingress]# kubectl get pod -o wide -n ingress-nginx
NAME                                        READY   STATUS    RESTARTS   AGE     IP             NODE     NOMINATED NODE   READINESS GATES
nginx-ingress-controller-54b86f8f7b-4qszc   1/1     Running   0          2m15s   10.244.2.239   node02   <none>           <none>
[root@master01 ingress]# kubectl get svc -o wide -n ingress-nginx
NAME            TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE   SELECTOR
ingress-nginx   NodePort   10.96.183.19   <none>        80:31185/TCP,443:32676/TCP   19s   app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx
The controller pod now has a pod-network IP (10.244.x.x) instead of a node IP, and the node port is held by kube-proxy on every node rather than by nginx:
[root@master01 ingress]# netstat -antp | grep 31185
tcp 0 0 0.0.0.0:31185 0.0.0.0:* LISTEN 28697/kube-proxy
[root@node01 ingress]# netstat -antp | grep 31185
tcp 0 0 0.0.0.0:31185 0.0.0.0:* LISTEN 20187/kube-proxy
[root@node02 ingress]# netstat -antp | grep 31185
tcp 0 0 0.0.0.0:31185 0.0.0.0:* LISTEN 44530/kube-proxy
[root@master01 ingress]# vim ingress-nginx1.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfs-pvc
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: nfs-client-storageclass
  resources:
    requests:
      storage: 2Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-app
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.22
        ports:
        - containerPort: 80
        volumeMounts:
        - name: nfs-pvc
          mountPath: /usr/share/nginx/html
      volumes:
      - name: nfs-pvc
        persistentVolumeClaim:
          claimName: nfs-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-deployment-svc
spec:
  type: ClusterIP
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  selector:
    app: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-deployment-ingress
spec:
  rules:
  - host: www.xy102.com
    http:
      paths:
      - path: /
        pathType: Prefix        # prefix match: covers /, /test1, /test1/test2 ...
        backend:                # the Service (and through it the pods) that receives matching requests
          service:
            name: nginx-deployment-svc
            port:
              number: 80
[root@master01 ingress]# kubectl apply -f ingress-nginx1.yaml
[root@master01 ingress]# curl www.xy102.com:31185
123
HTTPS
[root@master01 ingress]# mkdir https
[root@master01 ingress]# cd https/
[root@master01 https]# ls
[root@master01 https]# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=CHINA/O=NJ"
Generating a 2048 bit RSA private key
.............................+++
...+++
writing new private key to 'tls.key'
-----
(The flags are explained above. This certificate is self-signed and names CHINA rather than www.xy102.com, so clients accept it only with verification disabled.)
[root@master01 https]# kubectl create secret tls tls.secret --key tls.key --cert tls.crt
    # create secret tls -> a Secret of type kubernetes.io/tls, with data keys tls.crt and tls.key
    # --key  -> the file holding the private key
    # --cert -> the file holding the certificate
    # the Secret lands in the current namespace (default); it must be the same namespace as the Ingress
[root@master01 ingress]# vim ingress-nginx1.yaml
55 apiVersion: networking.k8s.io/v1
56 kind: Ingress
57 metadata:
58   name: nginx-deployment-ingress
59 spec:                           # insert lines 60-63 after line 59
60   tls:
61   - hosts:
62     - www.xy102.com
63     secretName: tls.secret
64   # hosts: the name to serve over TLS, the same host as in rules; secretName: the Secret the controller reads the key and certificate from
[root@master01 ingress]# kubectl apply -f ingress-nginx1.yaml
[root@master01 ingress]# curl -k https://www.xy102.com:32676
123
32676 is the NodePort mapped to the controller's 443. curl -k skips certificate verification; it is needed here only because the certificate is self-signed and issued for CN=CHINA instead of www.xy102.com. Outside a lab, issue the certificate for the real host name from a CA the clients trust and drop -k: with verification off, TLS no longer protects the client against an impostor server.
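The HTTPS step above wires three objects together: spec.tls of the Ingress names a Secret, that Secret must hold the certificate and key under fixed keys, and the rules name a Service. kubectl apply accepts the Ingress even when the Secret sits in another namespace, has the wrong type, or has tls.crt and tls.key swapped (the classic `--key tls.crt --cert tls.key` slip); the failure only surfaces when the controller tries to serve. The Python below is an added example (not from the notes or from Kubernetes) that performs those cross-checks statically on the decoded objects. The objects mirror the notes' final manifest, assume the default namespace (the notes set none), and the PEM payloads are constructed placeholders, not real key material.

```python
"""Static cross-check of an Ingress against the TLS Secret and Services it names.

Added example for these notes, not code from the page or from Kubernetes.
Checks: the Secret is type kubernetes.io/tls, lives in the Ingress's own
namespace, carries base64 PEM under tls.crt / tls.key with the right headers;
every spec.tls host has a rule; every backend Service and port exists.
Objects are the already-decoded dicts kubectl would send; PEM bodies are fakes.
"""
import base64
import copy
from typing import Dict, List

# Constructed placeholder PEM bodies (NOT real keys or certificates).
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBplaceholdercert\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEplaceholderkey\n-----END PRIVATE KEY-----\n"


def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Shape of `kubectl create secret tls tls.secret --key tls.key --cert tls.crt`
TLS_SECRET: Dict = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "tls.secret", "namespace": "default"},
    "type": "kubernetes.io/tls",
    "data": {"tls.crt": b64(FAKE_CERT), "tls.key": b64(FAKE_KEY)},
}
SERVICES: List[Dict] = [{
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "nginx-deployment-svc", "namespace": "default"},
    "spec": {"type": "ClusterIP", "ports": [{"protocol": "TCP", "port": 80, "targetPort": 80}]},
}]
INGRESS: Dict = {  # mirrors the notes' final Ingress manifest
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "nginx-deployment-ingress", "namespace": "default"},
    "spec": {
        "tls": [{"hosts": ["www.xy102.com"], "secretName": "tls.secret"}],
        "rules": [{"host": "www.xy102.com", "http": {"paths": [{
            "path": "/", "pathType": "Prefix",
            "backend": {"service": {"name": "nginx-deployment-svc", "port": {"number": 80}}},
        }]}}],
    },
}
# PEM headers accepted for each fixed data key of a kubernetes.io/tls Secret
PEM_HEADERS = {
    "tls.crt": ("-----BEGIN CERTIFICATE-----",),
    "tls.key": ("-----BEGIN PRIVATE KEY-----",       # PKCS#8, what `openssl req -nodes` writes
                "-----BEGIN RSA PRIVATE KEY-----",   # legacy PKCS#1
                "-----BEGIN EC PRIVATE KEY-----"),
}


def _ns(obj: Dict) -> str:
    return obj["metadata"].get("namespace", "default")


def check_ingress(ingress: Dict, secrets: List[Dict], services: List[Dict]) -> List[str]:
    """Return the list of problems found; an empty list means the references are consistent."""
    problems: List[str] = []
    ns, spec = _ns(ingress), ingress["spec"]
    secret_by_name = {(_ns(s), s["metadata"]["name"]): s for s in secrets}
    service_by_name = {(_ns(s), s["metadata"]["name"]): s for s in services}
    rule_hosts = {rule.get("host") for rule in spec.get("rules", [])}
    for tls in spec.get("tls", []):
        name = tls.get("secretName")
        secret = secret_by_name.get((ns, name))    # an Ingress can only use Secrets in its own namespace
        if secret is None:
            problems.append(f"tls secret {name!r} not found in namespace {ns!r}")
        else:
            if secret.get("type") != "kubernetes.io/tls":
                problems.append(f"secret {name!r} has type {secret.get('type')!r}, expected kubernetes.io/tls")
            data = secret.get("data", {})
            for key, headers in PEM_HEADERS.items():
                if key not in data:
                    problems.append(f"secret {name!r} lacks data key {key!r}")
                    continue
                try:
                    pem = base64.b64decode(data[key], validate=True).decode()
                except (ValueError, UnicodeDecodeError):
                    problems.append(f"secret {name!r} key {key!r} is not base64-encoded text")
                    continue
                if not pem.startswith(headers):    # str.startswith accepts a tuple of alternatives
                    problems.append(f"secret {name!r} key {key!r} is not a PEM {headers[0]} block")
        for host in tls.get("hosts", []):
            if host not in rule_hosts:
                problems.append(f"tls host {host!r} has no rule behind it")
    for rule in spec.get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            ref = path["backend"].get("service")
            if ref is None:
                continue                            # resource backends are out of scope here
            svc = service_by_name.get((ns, ref["name"]))
            if svc is None:
                problems.append(f"backend service {ref['name']!r} not found in namespace {ns!r}")
                continue
            ports = svc["spec"]["ports"]
            if "number" in ref["port"] and ref["port"]["number"] not in {p["port"] for p in ports}:
                problems.append(f"service {ref['name']!r} exposes no port {ref['port']['number']}")
            if "name" in ref["port"] and ref["port"]["name"] not in {p.get("name") for p in ports}:
                problems.append(f"service {ref['name']!r} has no port named {ref['port']['name']!r}")
    return problems


def swapped_key_and_cert(secret: Dict) -> Dict:
    """Reproduce the `--key tls.crt --cert tls.key` mistake on a copy of the Secret."""
    bad = copy.deepcopy(secret)
    bad["data"]["tls.crt"], bad["data"]["tls.key"] = secret["data"]["tls.key"], secret["data"]["tls.crt"]
    return bad


def moved_to_namespace(secret: Dict, namespace: str) -> Dict:
    """Copy of the Secret as if it had been created in another namespace."""
    bad = copy.deepcopy(secret)
    bad["metadata"]["namespace"] = namespace
    return bad
```

Run check_ingress before kubectl apply (or feed it `kubectl get ... -o json` output) and a swapped pair, a Secret created in ingress-nginx instead of the Ingress's namespace, or a missing Service shows up as a named problem instead of a serving failure after the fact.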