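1. Managing Pods with a Deployment
Typically, when writing YAML, Pods and Deployments come in pairs. Because of the need for elastic scaling, the Deployment acts as the supervisor of its Pods. A Deployment manifest alone is enough to start Pods, so no separate Pod manifest is needed. If matching Pods already exist in the system, the Deployment selects them through its matchLabels labels and brings them under its management.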
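apiVersion: apps/v1   # Note: a standalone Pod uses v1; for a Deployment this must be changed to apps/v1
kind: Deployment      # The type of resource to create
metadata:             # Metadata: the basic attributes and information of the Deployment
  name: k3s-test      # Name of the Deployment
  labels:             # Labels can flexibly locate one or more resources; keys and values are user-defined and several pairs may be set (no need to understand this yet)
    app: k3s-test     # app is the key, k3s-test is the value; more pairs can be defined
spec:                 # The Deployment's configuration starts here
  replicas: 3         # Number of Pods
  selector:           # Label selector, works together with the labels (no need to understand this yet)
    matchLabels:      # Select resources that carry the label app: k3s-test-pod
      app: k3s-test-pod
  template:           # Pod template
    metadata:
      labels:         # Pod labels; the selector above selects Pods that carry app: k3s-test-pod
        app: k3s-test-pod
    spec:             # What the Pod is expected to do (what is deployed in the Pod)
      containers:     # Container information
      - name: test
        image: hello-world-app:latest   # Still our Node demo
        imagePullPolicy: Never
        ports:        # The port the Pod exposes; it must be the port the Node demo listens on (3000 here)
        - containerPort: 3000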
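After the above has been applied, the terminal output shows that a Pod was created with the IP address 10.42.0.34. As explained in "Kubernetes (k3s) Study (2) -- Creating an application from the smallest unit, the Pod", this IP address can only be reached from inside the Kubernetes environment; it cannot be reached from the external network.
# Result of accessing it from the server node
ubuntu@server:~$ curl http://10.42.0.34:3000
# Output
Hello, World!
# Access from a normal environment outside the cluster (e.g. a browser)
curl http://10.42.0.34:3000
# Output
# No result
So how can the outside world reach the container?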
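2. Using a Service
In Kubernetes, a Service is an abstraction that defines an access policy for a set of Pods. There are several Service types, of which ClusterIP and NodePort are the two most commonly used. They differ mainly in how the service is exposed and in the scope from which it can be reached.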
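apiVersion: v1        # apiVersion goes back to v1
kind: Service         # The type of resource to create
metadata:
  name: k3s-test-service
  labels:
    app: k3s-test-pod
spec:
  selector:           # Selector; must match the Pod's labels
    app: k3s-test-pod
  type: NodePort      # NodePort first; ClusterIP is covered later
  ports:
  - name: k3s-test-service-port
    protocol: TCP
    port: 80
    nodePort: 31000
    targetPort: 3000
# targetPort: the Pod port that traffic is mapped to
# port: the port reachable inside the Kubernetes environment
# nodePort: the port opened on the node for external access; it is not reachable through the Service's internal cluster IP.
# If it is not specified, Kubernetes assigns a port automatically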
Run the usual kubectl command:
ubuntu@server:~$ sudo kubectl apply -f create-service.yml
# Output
service/k3s-test-service created
# Check that it was created successfully
ubuntu@server:~$ sudo kubectl get services -o wide
# Output
NAME               TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE     SELECTOR
k3s-test-service   NodePort    10.43.190.140   <none>        80:31000/TCP   4m32s   app=k3s-test
kubernetes         ClusterIP   10.43.0.1       <none>        443/TCP        9d      <none>
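Verification: in the Service, 80 is the port reachable from inside the Kubernetes environment through the Service IP, and 31000 is the port for external access, which is not served on the Service IP inside the cluster.
# Port 80 can be accessed directly through the Service IP
ubuntu@server:~$ curl http://10.43.190.140
# Output
Hello, World!
# Port 31000 cannot be accessed this way, because that port is meant for external access
ubuntu@server:~$ curl http://10.43.190.140:31000
# No output; port 31000 is not accessible
# Accessing the Pod IP directly also works (look up the Pod's IP address first; 3000 is the port of the application in the Pod's container)
ubuntu@node1:~$ curl http://10.42.0.34:3000
# External environment
# 192.168.110.45 is the IP address of the server node.
# Port 31000 is exposed externally; enter http://192.168.110.45:31000/ in a browser
# Normal output: Hello, World!
Besides NodePort, the Service type defaults to ClusterIP. The difference is that ClusterIP cannot define an externally exposed port. In real projects I prefer the ClusterIP type, to reduce the number of ports exposed on the master node.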
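3. Publishing services
Kubernetes provides an Ingress-based way to publish services: by configuring an Ingress together with an externally implemented Ingress Controller, services can be published conveniently. k3s ships with a Traefik-based Ingress Controller by default, but below we use ingress-nginx as the Ingress Controller.
To install ingress-nginx on k3s, follow these steps:
1) Deploy ingress-nginx:
Use kubectl to deploy ingress-nginx with the commands below. k3s enables the built-in traefik as its ingress controller by default, but you can install nginx-ingress as a replacement.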
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/cloud/deploy.yaml
Edit the downloaded deploy.yaml: change type: LoadBalancer to NodePort, and have ingress-nginx expose port 30080 for http and port 30443 for https.
Apply the YAML file:
kubectl apply -f deploy.yaml
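Problems encountered when installing ingress on k3s:
1. This YAML file cannot be deployed as it is, because deploy.yaml refers to two images (which cannot be downloaded):
image: registry.k8s.io/ingress-nginx/controller:v1.8.0
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407
In addition, no image with the version kube-webhook-certgen:v20230407 could be found.
Solution: change the image entries in the YAML file to the following two sources: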
...
image: registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:v1.8.2
...
image: docker.io/anjia0532/google-containers.ingress-nginx.kube-webhook-certgen:v1.1.1
...
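2. ingress-nginx-admission needs the webhook-cert certificate mounted
webhook-cert usually refers to the certificate Secret used for a Kubernetes webhook. It normally contains the webhook server's TLS certificate and key, which are used to encrypt communication with the webhook server.
Solution:
(1) Create the webhook-cert Secret
Because deploy.yaml mounts the certificate at /usr/local/certificates, generate the certificate in that directory.
(2) Generate a self-signed certificate and private key:
mkdir /usr/local/certificates
cd /usr/local/certificates
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout webhook.key -out webhook.crt \
  -subj "/CN=webhook.cert"
This creates two files, webhook.key and webhook.crt, under /usr/local/certificates/.
(3) Create the Secret
Use kubectl to turn these files into a Secret. Assuming your certificate file is named webhook.crt and your key file is named webhook.key, create the Secret like this:
kubectl create secret tls webhook-cert \
  --cert=webhook.crt \
  --key=webhook.key \
  --namespace=ingress-nginx
This command creates a Secret named webhook-cert and places it in the ingress-nginx namespace.
(4) Update the webhook configuration
Make sure your webhook configuration references the webhook-cert Secret. Edit the certificate directory specified in deploy.yaml.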
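The certificate from step (2) carries only CN=webhook.cert and no subjectAltName, while the API server verifies a webhook's certificate against the Service DNS name using SAN entries. The added example below (not part of the original post) generates the same kind of certificate with SANs for the names listed in the certgen Job's --host argument in this page's deploy.yaml and checks the result. The function names are assumptions, and OpenSSL 1.1.1 or later is assumed for -addext.

```shell
#!/bin/sh
# Added example. Service and namespace names come from the --host argument
# of the certgen Job in the page's deploy.yaml; function names are made up.
SVC="ingress-nginx-controller-admission"
NS="ingress-nginx"
WEBHOOK_SAN="DNS:$SVC,DNS:$SVC.$NS.svc"

# make_cert DIR CN [SAN]: write webhook.key and webhook.crt into DIR.
# Without SAN this is the command from step (2); with SAN it adds -addext.
make_cert() {
  dir=$1; cn=$2; san=${3:-}
  (
    umask 077   # private key is created readable by the owner only
    set -- -x509 -nodes -days 365 -newkey rsa:2048 \
      -keyout "$dir/webhook.key" -out "$dir/webhook.crt" -subj "/CN=$cn"
    if [ -n "$san" ]; then set -- "$@" -addext "subjectAltName=$san"; fi
    openssl req "$@" 2>/dev/null
  )
}

# cert_sans FILE: print the DNS SAN entries as one comma-separated line
# (prints nothing when the certificate has no subjectAltName).
cert_sans() {
  openssl x509 -in "$1" -noout -text | grep 'DNS:' | tr -d ' '
}

# cert_covers FILE NAME: succeed only if NAME is listed as a DNS SAN.
cert_covers() {
  cert_sans "$1" | tr ',' '\n' | grep -qxF "DNS:$2"
}

# key_matches_cert DIR: succeed if webhook.key belongs to webhook.crt.
key_matches_cert() {
  a=$(openssl x509 -in "$1/webhook.crt" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$1/webhook.key" -pubout | openssl sha256)
  [ "$a" = "$b" ]
}

# Demonstration in a throwaway directory.
demo=$(mktemp -d)
make_cert "$demo" "$SVC.$NS.svc" "$WEBHOOK_SAN"
echo "SANs: $(cert_sans "$demo/webhook.crt")"
cert_covers "$demo/webhook.crt" "$SVC.$NS.svc" && echo "covers $SVC.$NS.svc"
key_matches_cert "$demo" && echo "key matches certificate"
rm -rf "$demo"
```

The resulting webhook.crt and webhook.key can be passed unchanged to the kubectl create secret tls command in step (3).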
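2) Edit deploy.yaml to expose port 80 externally
In the downloaded deploy.yaml, again edit the section with name: ingress-nginx-controller.
Add nodePort: 80 and nodePort: 443.
Applying the file directly in this state produces the error: nodePort: Invalid value valid ports is 30000-32767,
because Kubernetes restricts node ports to the range 30000-32767 by default.
On k3s, first change the default configuration:
vim /etc/rancher/k3s/config.yaml
Add the service-node-port-range parameter to the configuration file to set the NodePort range. For example, to set it to 1 to 65535:
Start the k3s service to apply the new configuration: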
systemctl start k3s
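A review aid for the two edits this section makes to deploy.yaml, the swapped image sources and nodePort 80/443 (added example, not part of the original post). It lists images that do not come from the upstream registry or are referenced by tag without a digest, and nodePort values outside the default 30000-32767 range. The function names, the trusted-registry prefix and the embedded manifest excerpt are constructed for illustration.

```shell
#!/bin/sh
# Added example. The excerpt below is constructed from values on this page and
# is not a complete manifest; the digest on the last image is a placeholder.
TRUSTED_REGISTRY="registry.k8s.io/"   # assumption: only upstream is trusted

write_sample() {
  cat > "$1" <<'EOF'
kind: Service
  ports:
  - name: http
    port: 80
    nodePort: 80
  - name: https
    port: 443
    nodePort: 443
---
kind: Service
  ports:
  - port: 80
    nodePort: 31000
---
        image: registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:v1.8.2
        image: docker.io/anjia0532/google-containers.ingress-nginx.kube-webhook-certgen:v1.1.1
        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407@sha256:PLACEHOLDER
EOF
}

# Every distinct image reference in the manifest.
list_images() {
  awk '{ for (i = 1; i < NF; i++) if ($i == "image:") print $(i + 1) }' "$1" | sort -u
}

# Images pulled from somewhere other than the trusted registry.
foreign_images() {
  list_images "$1" | awk -v p="$TRUSTED_REGISTRY" 'index($0, p) != 1'
}

# Images referenced by a mutable tag only (no @sha256: digest).
unpinned_images() {
  list_images "$1" | awk 'index($0, "@sha256:") == 0'
}

# nodePort values outside the default range. They are accepted only after the
# range is widened, e.g. service-node-port-range: "1-65535" in
# /etc/rancher/k3s/config.yaml (key as named on the page, YAML form assumed).
out_of_range_nodeports() {
  awk '{ for (i = 1; i < NF; i++)
           if ($i == "nodePort:" && ($(i + 1) < 30000 || $(i + 1) > 32767))
             print $(i + 1) }' "$1"
}

sample=$(mktemp)
write_sample "$sample"
echo "Images not from $TRUSTED_REGISTRY:"; foreign_images "$sample"
echo "Images without a digest:";           unpinned_images "$sample"
echo "nodePorts outside 30000-32767:";     out_of_range_nodeports "$sample"
rm -f "$sample"
```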
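3) Verify the deployment:
Once deployed, check that the ingress-nginx Pods and Services are running normally:
kubectl get pods -n ingress-nginx
kubectl get svc -n ingress-nginx
You should see the ingress-nginx-controller service running.
Note that the TYPE of ingress-nginx-controller above is NodePort.
4) Configure Ingress rules:
Create a sample Ingress rule to verify the configuration. The following YAML file defines a simple Ingress rule: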
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: retrieval.com   # The domain name through which the outside world enters
    http:
      paths:
      - pathType: Prefix
        path: "/app1"   # The entry path, configurable
        backend:
          service:
            name: k3s-test-service   # Selector: routes to the Service k3s-test-service
            port:
              number: 80   # The exposed port
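5) Apply the Ingress rule:
kubectl apply -f your-ingress.yaml
View the type and details of the ingress.
Remember to adjust the host and service names to your actual setup.
# Back in the terminal on the local machine
# Edit hosts on the Linux server
sudo vi /etc/hosts
# Add a resolution record to the file
192.168.110.45 retrieval.com
# For access from a browser, the hosts file on Windows must be configured as well
# Go to the C:\Windows\System32\drivers\etc\ folder and add a new entry to the hosts file.
192.168.110.45 retrieval.com
6) Verify:
The complete deploy.yaml file is as follows: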
apiVersion: v1
kind: Namespace
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  name: ingress-nginx
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.11.2
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.11.2
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.11.2
  name: ingress-nginx
  namespace: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  - secrets
  - endpoints
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - coordination.k8s.io
  resourceNames:
  - ingress-nginx-leader
  resources:
  - leases
  verbs:
  - get
  - update
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - list
  - watch
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.11.2
  name: ingress-nginx-admission
  namespace: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.11.2
  name: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - nodes
  - pods
  - secrets
  - namespaces
  verbs:
  - list
  - watch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - list
  - watch
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.11.2
  name: ingress-nginx-admission
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.11.2
  name: ingress-nginx
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
- kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.11.2
  name: ingress-nginx-admission
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.11.2
  name: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
- kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.11.2
  name: ingress-nginx-admission
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: v1
data:
  allow-snippet-annotations: "false"
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.11.2
  name: ingress-nginx-controller
  namespace: ingress-nginx
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.11.2
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  externalTrafficPolicy: Local
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - appProtocol: http
    name: http
    port: 80
    nodePort: 80
    protocol: TCP
    targetPort: http
  - appProtocol: https
    name: https
    port: 443
    nodePort: 443
    protocol: TCP
    targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: NodePort
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.11.2
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
spec:
  ports:
  - appProtocol: https
    name: https-webhook
    port: 443
    targetPort: webhook
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.11.2
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  minReadySeconds: 0
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/name: ingress-nginx
  strategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.11.2
    spec:
      containers:
      - args:
        - /nginx-ingress-controller
        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
        - --election-id=ingress-nginx-leader
        - --controller-class=k8s.io/ingress-nginx
        - --ingress-class=nginx
        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/webhook.crt
        - --validating-webhook-key=/usr/local/certificates/webhook.key
        - --enable-metrics=false
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LD_PRELOAD
          value: /usr/local/lib/libmimalloc.so
        image: registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:v1.8.2
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
            exec:
              command:
              - /wait-shutdown
        livenessProbe:
          failureThreshold: 5
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: controller
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
        - containerPort: 443
          name: https
          protocol: TCP
        - containerPort: 8443
          name: webhook
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          requests:
            cpu: 100m
            memory: 90Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
          readOnlyRootFilesystem: false
          runAsNonRoot: true
          runAsUser: 101
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /usr/local/certificates/
          name: webhook-cert
          readOnly: true
      dnsPolicy: ClusterFirst
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
      - name: webhook-cert
        secret:
          secretName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.11.2
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.11.2
      name: ingress-nginx-admission-create
    spec:
      containers:
      - args:
        - create
        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
        - --namespace=$(POD_NAMESPACE)
        - --secret-name=ingress-nginx-admission
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: docker.io/anjia0532/google-containers.ingress-nginx.kube-webhook-certgen:v1.1.1
        imagePullPolicy: IfNotPresent
        name: create
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
            type: RuntimeDefault
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.11.2
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.11.2
      name: ingress-nginx-admission-patch
    spec:
      containers:
      - args:
        - patch
        - --webhook-name=ingress-nginx-admission
        - --namespace=$(POD_NAMESPACE)
        - --patch-mutating=false
        - --secret-name=ingress-nginx-admission
        - --patch-failure-policy=Fail
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: docker.io/anjia0532/google-containers.ingress-nginx.kube-webhook-certgen:v1.1.1
        imagePullPolicy: IfNotPresent
        name: patch
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
            type: RuntimeDefault
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.11.2
  name: nginx
spec:
  controller: k8s.io/ingress-nginx
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.11.2
  name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: ingress-nginx-controller-admission
      namespace: ingress-nginx
      path: /networking/v1/ingresses
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: validate.nginx.ingress.kubernetes.io
  rules:
  - apiGroups:
    - networking.k8s.io
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - ingresses
  sideEffects: None
For more, see: Kubernetes (k3s) Basics (3) -- Deployment, Service, Ingress - Jianshu
Installation Guide - Ingress-Nginx Controller
Ingress installation reference: Installing ingress on k8s - CSDN Blog