k8s搭建和部署应用完成后,可以通过NodePort,Loadbalancer,Ingress方式将应用端口暴露到集群外部,提供外部访问。
缺点:
NodePort占用端口,大量暴露端口非常不安全,并且有端口数量限制【不推荐】;
Loadbalancer 非常好用,但是得加钱才行【视情况定】
Ingress 配置稍微复杂,并且需要内部DNS解析转发【推荐】
Ingress-nginx-controller 安装部署见k8s安装ingress-nginx DaemonSet + HostNetwork + nodeSelector
因为Ingress-nginx-controller是部署在k8s集群内部以pod方式运行,是可以访问到集群内部k8s的各个服务的,而只需要将Ingress-nginx-controller监听的80/443端口提供暴露给外部访问,并安装一定规则进行代理转发,即可实现外部通过Ingress-nginx-controller访问到内部应用中。
简易理解ingress 同 svc,pod关系,ingress --转发–> svc --转发–> pods
这里简易部署nginx、tomcat为例:
vi nginx-tomcat-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx-pod
template:
metadata:
labels:
app: nginx-pod
spec:
containers:
- name: nginx-container
image: nginx:latest
ports:
- name: nginx-port
containerPort: 80
protocol: TCP
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: tomcat-deployment
namespace: default
spec:
replicas: 2
selector:
matchLabels:
app: tomcat-pod
template:
metadata:
labels:
app: tomcat-pod
spec:
containers:
- name: tomcat-container
image: tomcat:8.5-jre10-slim
ports:
- name: tomcat-port
containerPort: 8080
protocol: TCP
执行部署
kubectl apply -f nginx-tomcat-deployment.yaml
配置nginx和tomcat访问服务svc脚本,监听nginx-80/tomcat-8080端口nginx-tomcat-service.yaml
vi nginx-tomcat-service.yaml
apiVersion: v1
kind: Service
metadata:
name: nginx-svc
namespace: default
spec:
selector:
app: nginx-pod
type: ClusterIP # 默认使用ClusterIP不使用NodePort方式
# clusterIP: None
ports:
- protocol: TCP
port: 80
targetPort: 80 # 部署的nginx端口
---
apiVersion: v1
kind: Service
metadata:
name: tomcat-svc
namespace: default
spec:
selector:
app: tomcat-pod
type: ClusterIP # 默认使用ClusterIP不使用NodePort方式
# clusterIP: None
ports:
- protocol: TCP
port: 8080
targetPort: 8080 # 部署的tomcat端口
执行部署
kubectl apply -f nginx-tomcat-service.yaml
编写ingress脚本,ingress目的就是访问将指定访问url或域名的配置提交给ingress-nginx-controller做反向代理转发到选择绑定的service中,实现pod应用暴露给外部访问。
nginx-tomcat-ingress.yaml由nginx代理转发到nginx/tomcat的svc端口
vi nginx-tomcat-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-nginx-http
annotations:
kubernetes.io/ingress.class: "nginx" # 必须添加防止访问404
spec:
rules:
- host: ng.yunzaixin.top # 配置转发地址
http:
paths:
- path: /
pathType: Prefix # 前缀匹配
backend:
service:
name: nginx-svc # 转发到那个svc中
port:
number: 80 # 转发到svc中绑定的端口
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-tomcat-http
annotations:
kubernetes.io/ingress.class: "nginx" # 必须添加防止访问404
spec:
rules:
- host: tomcat.yunzaixin.top # 配置转发地址
http:
paths:
- path: /
pathType: Prefix # 前缀匹配
backend:
service:
name: tomcat-svc # 转发到那个svc中
port:
number: 8080 # 转发到svc中绑定的端口
执行部署
kubectl apply -f nginx-tomcat-ingress.yaml
相当于访问tomcat.yunzaixin.top 或者ng.yunzaixin.top ,ingress-nginx-controller将会转发到nginx-svc或tomcat-svc,nginx-svc或tomcat-svc转发到对应得nginx或tomcat中
在运行ingress-nginx-controller节点主机上访问:
curl ng.yunzaixin.top
curl tomcat.yunzaixin.top
注意:这里的ng.yunzaixin.top和tomcat.yunzaixin.top在ingress-nginx-controller配置上server:
server {
server_name ng.yunzaixin.top;
}
server {
server_name tomcat.yunzaixin.top;
}
通过监听 server_name 实现转发到k8s的svc上;这里的 ng.yunzaixin.top tomcat.yunzaixin.top集群内部的DNS映射,通常会需要一台接入公网的主机做统一的转发,相当于解析一个域名,所有的接口都是通过这一个域名作为入口,具体访问那个应用需要自己去定义,cloud.yunzaixian.top/nginx/、cloud.yunzaixian.top/tomcat 、cloud.yunzaixian.top/xxx,做对应的转发和主机内部DNS映射配置。
vi /etc/hosts
# 公网入口主机内部DNS转发到ngress-nginx-controller
1.14.10.23 nginx.yunzaixian.top
43.139.67.59 nginx.yunzaixian.top
1.14.10.23 tomcat.yunzaixian.top
43.139.67.59 tomcat.yunzaixian.top
配置对外主机nginx
server {
server_name ng.yunzaixin.top;
listen 80;
# tomcat访问 http://cloud.yunzaixian.top/tomcat
location /tomcat {
rewrite ^/tomcat/(.*)$ /$1 break;
proxy_pass http://tomcat.yunzaixin.top;
}
# ng访问 http://cloud.yunzaixian.top/nginx
location /tomcat {
rewrite ^/nginx/(.*)$ /$1 break;
proxy_pass http://nginx.yunzaixin.top;
}
}
浏览器访问:
http://cloud.yunzaixian.top/tomcat
http://cloud.yunzaixian.top/nginx
2760
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
