说明:本文档涉及docker镜像,yaml文件下载地址
链接:https://pan.baidu.com/s/1QuVelCG43_VbHiOs04R3-Q 密码:70q2
1. 环境
1.1 服务器信息
主机名 | IP地址 | os 版本 | 节点 |
k8s01 | 172.16.50.131 | CentOS Linux release 7.4.1708 (Core) | mmaster |
k8s02 | 172.16.50.132 | CentOS Linux release 7.4.1708 (Core) | node |
1.2 软件版本信息
名称 | 版本 | ||
kubernetes | v1.10.4 | ||
docker | 1.13.1 |
2. Master部署
2.1 服务器初始化
基础软件安装
yum install vim net-tools git -y
关闭selinux
编辑 /etc/sysconfig/selinux
SELINUX=disabled
关闭firewall防火墙
systemctl disable firewalld && systemctl stop firewalld
更新服务器后重启
yum upgrade -y && reboot
修改内核参数
创建/etc/sysctl.d/k8s.conf文件
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
sysctl -p /etc/sysctl.d/k8s.conf # 生效
如遇错误提示:
sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-ip6tables: No such file or directory
sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory
执行:
modprobe br_netfilter
2.2 kubeadm,kubectl,kubelet ,docker 安装
2.2.1 添加yum源
创建/etc/yum.repos.d/k8s.repo文件
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
2.2.2 安装
yum install kubeadm kubectl kubelet docker -y
systemctl enable docker && systemctl start docker
systemctl enable kubelet
2.3 导入docker镜像
镜像包列表
[root@k8s01 images]# ll
total 1050028
-rw-r--r-- 1 root root 193461760 Jun 14 11:15 etcd-amd64_3.1.12.tar
-rw-r--r-- 1 root root 45306368 Jun 14 11:15 flannel_v0.10.0-amd64.tar
-rw-r--r-- 1 root root 75337216 Jun 14 11:15 heapster-amd64_v1.5.3.tar
-rw-r--r-- 1 root root 41239040 Jun 14 11:15 k8s-dns-dnsmasq-nanny-amd64_1.14.8.tar
-rw-r--r-- 1 root root 50727424 Jun 14 11:15 k8s-dns-kube-dns-amd64_1.14.8.tar
-rw-r--r-- 1 root root 42481152 Jun 14 11:15 k8s-dns-sidecar-amd64_1.14.8.tar
-rw-r--r-- 1 root root 225355776 Jun 14 11:16 kube-apiserver-amd64_v1.10.4.tar
-rw-r--r-- 1 root root 148135424 Jun 14 11:16 kube-controller-manager-amd64_v1.10.4.tar
-rw-r--r-- 1 root root 98951168 Jun 14 11:16 kube-proxy-amd64_v1.10.4.tar
-rw-r--r-- 1 root root 102800384 Jun 14 11:16 kubernetes-dashboard-amd64_v1.8.3.tar
-rw-r--r-- 1 root root 50658304 Jun 14 11:16 kube-scheduler-amd64_v1.10.4.tar
-rw-r--r-- 1 root root 754176 Jun 14 11:16 pause-amd64_3.1.tar
导入
for j in `ls ./`; do docker load --input ./$j ; done
查看镜像
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
k8s.gcr.io/kube-proxy-amd64 v1.10.4 3f9ff47d0fca 7 days ago 97.1 MB
k8s.gcr.io/kube-controller-manager-amd64 v1.10.4 1a24f5586598 7 days ago 148 MB
k8s.gcr.io/kube-apiserver-amd64 v1.10.4 afdd56622af3 7 days ago 225 MB
k8s.gcr.io/kube-scheduler-amd64 v1.10.4 6fffbea311f0 7 days ago 50.4 MB
k8s.gcr.io/heapster-amd64 v1.5.3 f57c75cd7b0a 6 weeks ago 75.3 MB
k8s.gcr.io/etcd-amd64 3.1.12 52920ad46f5b 3 months ago 193 MB
k8s.gcr.io/kubernetes-dashboard-amd64 v1.8.3 0c60bcf89900 4 months ago 102 MB
quay.io/coreos/flannel v0.10.0-amd64 f0fad859c909 4 months ago 44.6 MB
k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64 1.14.8 c2ce1ffb51ed 5 months ago 41 MB
k8s.gcr.io/k8s-dns-sidecar-amd64 1.14.8 6f7f2dc7fab5 5 months ago 42.2 MB
k8s.gcr.io/k8s-dns-kube-dns-amd64 1.14.8 80cc5ea4b547 5 months ago 50.5 MB
k8s.gcr.io/pause-amd64 3.1 da86e6ba6ca1 5 months ago 742 kB
2.4 证书生成
拉取github脚本
git clone https://github.com/fandaye/k8s-tls.git && cd k8s-tls/
编辑apiserver.json文件
{
"CN": "kube-apiserver",
"hosts": [
"172.16.50.131", #本机IP地址
"10.96.0.1",
"k8s01", #本机主机名
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
}
}
执行 ./run.sh
进去到/etc/kubernetes/pki目录
编辑kubelet.json文件
{
"CN": "system:node:k8s01", #k8s01为主机名
"hosts": [""],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"O": "system:nodes"
}
]
}
编辑node.sh 文件
ip="172.16.50.131" NODE="k8s01"
执行
./node.sh
查看证书
-rw-r--r-- 1 root root 1436 Jun 19 15:04 apiserver.crt
-rw------- 1 root root 1679 Jun 19 15:04 apiserver.key
-rw-r--r-- 1 root root 1257 Jun 19 15:04 apiserver-kubelet-client.crt
-rw------- 1 root root 1679 Jun 19 15:04 apiserver-kubelet-client.key
-rw-r--r-- 1 root root 1143 Jun 19 15:04 ca.crt
-rw------- 1 root root 1679 Jun 19 15:04 ca.key
-rw-r--r-- 1 root root 289 Jun 19 15:04 config.json
-rw-r--r-- 1 root root 1143 Jun 19 15:04 front-proxy-ca.crt
-rw------- 1 root root 1679 Jun 19 15:04 front-proxy-ca.key
-rw-r--r-- 1 root root 1208 Jun 19 15:04 front-proxy-client.crt
-rw------- 1 root root 1679 Jun 19 15:04 front-proxy-client.key
-rw-r--r-- 1 root root 114 Jun 19 15:04 kube-controller-manager.json
-rw-r--r-- 1 root root 157 Jun 19 15:07 kubelet.json
-rw-r--r-- 1 root root 141 Jun 19 15:04 kubernetes-admin.json
-rw-r--r-- 1 root root 105 Jun 19 15:04 kube-scheduler.json
-rwxr-xr-x 1 root root 3588 Jun 19 15:07 node.sh
-rw-r--r-- 1 root root 887 Jun 19 15:04 sa.key
-rw-r--r-- 1 root root 272 Jun 19 15:04 sa.pub
查看配置文件
# ll ../ | grep conf
-rw------- 1 root root 5789 Jun 19 15:10 admin.conf
-rw------- 1 root root 5849 Jun 19 15:10 controller-manager.conf
-rw------- 1 root root 5821 Jun 19 15:10 kubelet.conf
-rw------- 1 root root 5797 Jun 19 15:10 scheduler.conf
2.5 初始化master
# kubeadm init --apiserver-advertise-address=172.16.50.131 --pod-network-cidr=10.244.0.0/16 --kubernetes-version=v1.10.4
[init] Using Kubernetes version: v1.10.4
[init] Using Authorization modes: [Node RBAC]
[preflight] Running pre-flight checks.
[WARNING FileExisting-crictl]: crictl not found in system path
Suggestion: go get github.com/kubernetes-incubator/cri-tools/cmd/crictl
[preflight] Starting the kubelet service
[certificates] Using the existing ca certificate and key.
[certificates] Using the existing apiserver certificate and key.
[certificates] Using the existing apiserver-kubelet-client certificate and key.
[certificates] Using the existing sa key.
[certificates] Using the existing front-proxy-ca certificate and key.
[certificates] Using the existing front-proxy-client certificate and key.
[certificates] Generated etcd/ca certificate and key.
[certificates] Generated etcd/server certificate and key.
[certificates] etcd/server serving cert is signed for DNS names [localhost] and IPs [127.0.0.1]
[certificates] Generated etcd/peer certificate and key.
[certificates] etcd/peer serving cert is signed for DNS names [k8s01] and IPs [172.16.50.131]
[certificates] Generated etcd/healthcheck-client certificate and key.
[certificates] Generated apiserver-etcd-client certificate and key.
[certificates] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[kubeconfig] Using existing up-to-date KubeConfig file: "/etc/kubernetes/admin.conf"
[kubeconfig] Using existing up-to-date KubeConfig file: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Using existing up-to-date KubeConfig file: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Using existing up-to-date KubeConfig file: "/etc/kubernetes/scheduler.conf"
[controlplane] Wrote Static Pod manifest for component kube-apiserver to "/etc/kubernetes/manifests/kube-apiserver.yaml"
[controlplane] Wrote Static Pod manifest for component kube-controller-manager to "/etc/kubernetes/manifests/kube-controller-manager.yaml"
[controlplane] Wrote Static Pod manifest for component kube-scheduler to "/etc/kubernetes/manifests/kube-scheduler.yaml"
[etcd] Wrote Static Pod manifest for a local etcd instance to "/etc/kubernetes/manifests/etcd.yaml"
[init] Waiting for the kubelet to boot up the control plane as Static Pods from directory "/etc/kubernetes/manifests".
[init] This might take a minute or longer if the control plane images have to be pulled.
[apiclient] All control plane components are healthy after 16.504170 seconds
[uploadconfig] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[markmaster] Will mark node k8s01 as master by adding a label and a taint
[markmaster] Master k8s01 tainted and labelled with key/value: node-role.kubernetes.io/master=""
[bootstraptoken] Using token: z9is98.bjzc1t2kyzhx247v
[bootstraptoken] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstraptoken] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstraptoken] Configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstraptoken] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[addons] Applied essential addon: kube-dns
[addons] Applied essential addon: kube-proxy
Your Kubernetes master has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
You can now join any number of machines by running the following on each node
as root:
kubeadm join 172.16.50.131:6443 --token z9is98.bjzc1t2kyzhx247v --discovery-token-ca-cert-hash sha256:aefae64bbe8e0d6ce173a272c2d2fb36bee6f2b5553301a68500c4c931d8f488
后续操作
mkdir -p $HOME/.kube
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config
查看pod
kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system etcd-k8s01 1/1 Running 0 1m
kube-system kube-apiserver-k8s01 1/1 Running 0 1m
kube-system kube-controller-manager-k8s01 1/1 Running 0 1m
kube-system kube-dns-86f4d74b45-p2n2h 0/3 Pending 0 2m
kube-system kube-proxy-54kkv 1/1 Running 0 2m
kube-system kube-scheduler-k8s01 1/1 Running 0 1m
2.6 部署网络插件flannel
在压缩包yaml目录
cd /data/v1.10.4/yaml
# kubectl create -f kube-flannel.yaml
clusterrole.rbac.authorization.k8s.io "flannel" created
clusterrolebinding.rbac.authorization.k8s.io "flannel" created
serviceaccount "flannel" created
configmap "kube-flannel-cfg" created
daemonset.extensions "kube-flannel-ds" created
查看pod
kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system etcd-k8s01 1/1 Running 0 1m
kube-system kube-apiserver-k8s01 1/1 Running 0 1m
kube-system kube-controller-manager-k8s01 1/1 Running 0 1m
kube-system kube-dns-86f4d74b45-p2n2h 3/3 Running 0 2m
kube-system kube-flannel-ds-fvzsz 1/1 Running 0 1m
kube-system kube-proxy-54kkv 1/1 Running 0 2m
kube-system kube-scheduler-k8s01 1/1 Running 0 1m
3. Node部署
按照 2.1 ,2.2 ,2.3 步骤操作,如有多个node节点操作相同
加入集群
# kubeadm join 172.16.50.131:6443 --token z9is98.bjzc1t2kyzhx247v --discovery-token-ca-cert-hash sha256:aefae64bbe8e0d6ce173a272c2d2fb36bee6f2b5553301a68500c4c931d8f488
[preflight] Running pre-flight checks.
[WARNING FileExisting-crictl]: crictl not found in system path
Suggestion: go get github.com/kubernetes-incubator/cri-tools/cmd/crictl
[preflight] Starting the kubelet service
[discovery] Trying to connect to API Server "172.16.50.131:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://172.16.50.131:6443"
[discovery] Requesting info from "https://172.16.50.131:6443" again to validate TLS against the pinned public key
[discovery] Cluster info signature and contents are valid and TLS certificate validates against pinned roots, will use API Server "172.16.50.131:6443"
[discovery] Successfully established connection with API Server "172.16.50.131:6443"
This node has joined the cluster:
* Certificate signing request was sent to master and a response
was received.
* The Kubelet was informed of the new secure connection details.
Run 'kubectl get nodes' on the master to see this node join the cluster.
4.查看集群节点状态
kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s01 Ready master 15m v1.10.4
k8s02 Ready <none> 35s v1.10.4
5. 插件部署(可选)
5.1 监控插件
部署时序性数据库容器 用于存储监控数据
kubectl create -f influxdb.yaml
deployment.extensions "monitoring-influxdb" created
service "monitoring-influxdb" created
查看运行状态
kubectl get pods --all-namespaces | grep influxdb
kube-system monitoring-influxdb-544c584cbf-w2x58 1/1 Running 0 2m
Heapster默认设置为使用influxdb存储后端。Heapster作为集群中的一个容器运行,Heapster pod发现集群中的所有节点,并从节点的Kubelet查询使用情况信息,Kubelet本身从cAdvisor获取数据
# kubectl create -f heapster.yaml
clusterrolebinding.rbac.authorization.k8s.io "heapster" created
serviceaccount "heapster" created
deployment.extensions "heapster" created
service "heapster" created
查看运行状态
# kubectl get pods --all-namespaces | grep heapster
kube-system heapster-5df7bcbc7f-9wggz 1/1 Running 0 15s
部署grafana容器
# kubectl create -f grafana.yaml
deployment.extensions "monitoring-grafana" created
service "monitoring-grafana" created
查看运行状态
kubectl get pods --all-namespaces | grep grafana
kube-system monitoring-grafana-74577cfc59-jr75m 1/1 Running 0 1m
5.2 dashboard插件
# kubectl create -f kubernetes-dashboard.yaml
secret "kubernetes-dashboard-certs" created
serviceaccount "kubernetes-dashboard" created
role.rbac.authorization.k8s.io "kubernetes-dashboard-minimal" created
rolebinding.rbac.authorization.k8s.io "kubernetes-dashboard-minimal" created
deployment.apps "kubernetes-dashboard" created
service "kubernetes-dashboard" created
serviceaccount "kubernetes-dashboard-admin" created
clusterrolebinding.rbac.authorization.k8s.io "kubernetes-dashboard-admin" created
查看运行状态
# kubectl get pods --all-namespaces | grep dashboard
kube-system kubernetes-dashboard-66bdf954d6-qgknc 1/1 Running 0 1m
6. 导出证书
cat /etc/kubernetes/admin.conf | grep client-certificate-data | awk -F ': ' '{print $2}' | base64 -d > /etc/kubernetes/pki/client.crt
cat /etc/kubernetes/admin.conf | grep client-key-data | awk -F ': ' '{print $2}' | base64 -d > /etc/kubernetes/pki/client.key
openssl pkcs12 -export -inkey /etc/kubernetes/pki/client.key -in /etc/kubernetes/pki/client.crt -out /etc/kubernetes/pki/client.pfx
下载 /etc/kubernetes/pki/client.pfx 文件,导入浏览器,建议使用火狐浏览器。
7.监控查看
https://172.16.50.131:6443/api/v1/namespaces/kube-system/services/monitoring-grafana/proxy
8.仪表盘访问
使用token认证,查看token
# kubectl describe sa kubernetes-dashboard-admin -n kube-system
Name: kubernetes-dashboard-admin
Namespace: kube-system
Labels: k8s-app=kubernetes-dashboard
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: kubernetes-dashboard-admin-token-wtk6d
Tokens: kubernetes-dashboard-admin-token-wtk6d
Events: <none>
# kubectl describe secrets kubernetes-dashboard-admin-token-wtk6d -n kube-system
Name: kubernetes-dashboard-admin-token-wtk6d
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name=kubernetes-dashboard-admin
kubernetes.io/service-account.uid=e38d6bdf-6fa7-11e8-acf2-1e0086000052
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1143 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZC1hZG1pbi10b2tlbi13dGs2ZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZC1hZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImUzOGQ2YmRmLTZmYTctMTFlOC1hY2YyLTFlMDA4NjAwMDA1MiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTprdWJlcm5ldGVzLWRhc2hib2FyZC1hZG1pbiJ9.dVQ8CgMrYe0bJ2vt0EZIBeyl5TtG9pD4D-jkkvNGOR37efeyCAUGgSyUnR_Bqt0MbgPPWXLkpkXKbz3LIzker9mSBToeRYgEWSfmyVvhiKxpqkS0S_YiLgYL_KqvOPKNHFegNq8YerplK64kLw2-Tm4Ccnkf3d0iADJLzXuuw3A
9.Nginx Ingress 部署
yaml 文件参考如下:
---
apiVersion: v1
kind: Namespace
metadata:
name: ingress-nginx
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: default-http-backend
labels:
app: default-http-backend
namespace: ingress-nginx
spec:
replicas: 1
selector:
matchLabels:
app: default-http-backend
template:
metadata:
labels:
app: default-http-backend
spec:
terminationGracePeriodSeconds: 60
containers:
- name: default-http-backend
# Any image is permissible as long as:
# 1. It serves a 404 page at /
# 2. It serves 200 on a /healthz endpoint
image: registry.cn-hangzhou.aliyuncs.com/googles_containers/defaultbackend:1.4
livenessProbe:
httpGet:
path: /healthz
port: 8080
scheme: HTTP
initialDelaySeconds: 30
timeoutSeconds: 5
ports:
- containerPort: 8080
resources:
limits:
cpu: 10m
memory: 20Mi
requests:
cpu: 10m
memory: 20Mi
---
apiVersion: v1
kind: Service
metadata:
name: default-http-backend
namespace: ingress-nginx
labels:
app: default-http-backend
spec:
ports:
- port: 80
targetPort: 8080
selector:
app: default-http-backend
---
kind: ConfigMap
apiVersion: v1
metadata:
name: nginx-configuration
namespace: ingress-nginx
labels:
app: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
name: tcp-services
namespace: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
name: udp-services
namespace: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: nginx-ingress-serviceaccount
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: nginx-ingress-clusterrole
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- "extensions"
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- "extensions"
resources:
- ingresses/status
verbs:
- update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: nginx-ingress-role
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
# Defaults to "<election-id>-<ingress-class>"
# Here: "<ingress-controller-leader>-<nginx>"
# This has to be adapted if you change either parameter
# when launching the nginx-ingress-controller.
- "ingress-controller-leader-nginx"
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: nginx-ingress-role-nisa-binding
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: nginx-ingress-role
subjects:
- kind: ServiceAccount
name: nginx-ingress-serviceaccount
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: nginx-ingress-clusterrole-nisa-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nginx-ingress-clusterrole
subjects:
- kind: ServiceAccount
name: nginx-ingress-serviceaccount
namespace: ingress-nginx
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: nginx-ingress-controller
namespace: ingress-nginx
spec:
replicas: 1
selector:
matchLabels:
app: ingress-nginx
template:
metadata:
labels:
app: ingress-nginx
annotations:
prometheus.io/port: '10254'
prometheus.io/scrape: 'true'
spec:
hostNetwork: true
serviceAccountName: nginx-ingress-serviceaccount
containers:
- name: nginx-ingress-controller
image: registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:0.15.0
args:
- /nginx-ingress-controller
- --default-backend-service=$(POD_NAMESPACE)/default-http-backend
- --configmap=$(POD_NAMESPACE)/nginx-configuration
- --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
- --udp-services-configmap=$(POD_NAMESPACE)/udp-services
- --publish-service=$(POD_NAMESPACE)/ingress-nginx
- --annotations-prefix=nginx.ingress.kubernetes.io
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
ports:
- name: http
containerPort: 80
- name: https
containerPort: 443
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
securityContext:
runAsNonRoot: false
---
apiVersion: v1
kind: Service
metadata:
name: ingress-nginx
namespace: ingress-nginx
spec:
type: NodePort
ports:
- name: http
port: 80
targetPort: 80
protocol: TCP
- name: https
port: 443
targetPort: 443
protocol: TCP
selector:
app: ingress-nginx
官方yaml文件中Deployment - nginx-ingress-controller 未暴露在本地端口,添加了hostNetwork: true,其中镜像改成了阿里云;官方参考:https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml
官方Server - ingress-nginx 是独立的一个yaml,在这里添加到了一个yaml文件中,官方参考:https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/baremetal/service-nodeport.yaml
创建Ingerss http
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: demo
spec:
rules:
- host: demo.bs.com
http:
paths:
- path: /
backend:
serviceName: nginx
servicePort: 80
测试
172.16.50.104 为nginx-ingress-controller容器运行的服务器
echo "172.16.50.132 demo.bs.com" >> /etc/hosts
curl demo.bs.com
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
待更新....
转载于:https://blog.51cto.com/11889458/2129294