文章目录
1、pod间通信
1.1 同节点之间的通信
- 同一节点的pod之间通过cni网桥转发数据包。
1.2 不同节点的pod之间的通信需要网络插件支持(详解)
1.2.1 Flannel vxlan模式跨主机通信原理
1.2.2 vxlan模式(默认模式)
[root@server2 ~]# vim demo.yml
---
apiVersion: v1
kind: Service
metadata:
name: myservice
spec:
selector:
app: myapp
ports:
- protocol: TCP
port: 80
targetPort: 80
#clusterIP: None
#type: NodePort
#type: LoadBalancer
externalIPs:
- 192.168.0.10
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: demo2
spec:
replicas: 2
selector:
matchLabels:
app: myapp
template:
metadata:
labels:
app: myapp
spec:
containers:
- name: myapp
image: myapp:v2
[root@server2 ~]# kubectl apply -f demo.yml
service/myservice unchanged
deployment.apps/demo2 configured
[root@server2 ~]# kubectl get pod ##查看详细信息
[root@server2 ~]# kubectl get pod -o wide
[root@server2 ~]# kubectl attach demo -it
[ root@demo:/ ]$ ping 10.244.2.66
PING 10.244.2.66 (10.244.2.66): 56 data bytes
64 bytes from 10.244.2.66: seq=0 ttl=62 time=0.817 ms
64 bytes from 10.244.2.66: seq=1 ttl=62 time=0.605 ms
[root@server2 ~]# cat /run/flannel/subnet.env
[root@server4 ~]# ip n
[root@server4 ~]# bridge fdb
[root@server4 ~]# arp -n
[root@server3 ~]# ip addr
[root@server3 ~]# ip addr
[root@server4 ~]# bridge fdb
1.2.3 host-gw模式
[root@server3 ~]# yum install -y tcpdump
[root@server2 ~]# kubectl -n kube-system edit cm kube-flannel-cfg ##修改模式为host-gw
"Type": "host-gw"
[root@server2 ~]# kubectl get pod -n kube-system |grep flannel | awk '{system("kubectl delete pod "$1" -n kube-system")}'
[root@server3 ~]# ip route ##每个节点都可以通过这条命令查看route,也可以用route -n
1.2.4 Directrouting
[root@server2 ~]# kubectl -n kube-system edit cm kube-flannel-cfg ##修改模式
"Type": "vxlan",
"Directrouting": true
[root@server2 ~]# kubectl get pod -n kube-system |grep flannel | awk '{system("kubectl delete pod "$1" -n kube-system")}'
[root@server2 ~]# kubectl get pod -o wide
[root@server2 ~]# kubectl attach demo -it
[root@server3 ~]# tcpdump -i eth0 -nn icmp #抓包
[root@server3 ~]# tcpdump -i flannel.1 -nn
2、Ingress服务
- 一种全局的、为了代理不同后端 Service 而设置的负载均衡服务,就是 Kubernetes 里的Ingress 服务。
Ingress由两部分组成:Ingress controller和Ingress服务。
Ingress Controller 会根据你定义的 Ingress 对象,提供对应的代理能力。业界常用的各种反向代理项目,比如 Nginx、HAProxy、Envoy、Traefik 等,都已经为Kubernetes 专门维护了对应的 Ingress Controller。
2.1 部署ingress服务
- 用DaemonSet结合nodeselector来部署ingress-controller到特定的node上,然后使用HostNetwork直接把该pod与宿主机node的网络打通,直接使用宿主机的80/443端口就能访问服务。
优点是整个请求链路最简单,性能相对NodePort模式更好。
缺点是由于直接利用宿主机节点的网络和端口,一个node只能部署一个ingress-controller pod。
比较适合大并发的生产环境使用。
[root@foundation50 Desktop]# scp ingress-nginx.tar 192.168.0.1:
[root@server1 ~]# docker load -i ingress-nginx.tar ##加载镜像
[root@server1 ~]# docker images | grep webhook
[root@server1 ~]# docker images | grep ingress
[root@server1 ~]# docker tag quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.33.0 reg.westos.org/library/nginx-ingress-controller:0.33.0
[root@server1 ~]# docker tag jettech/kube-webhook-certgen:v1.2.0 reg.westos.org/library/kube-webhook-certgen:v1.2.0
[root@server1 ~]# docker push reg.westos.org/library/nginx-ingress-controller:0.33.0 ##上传到harbor仓库
[root@server1 ~]# docker push reg.westos.org/library/kube-webhook-certgen:v1.2.0
[root@server2 ~]# kubectl delete -f damo.yml ##先删除前面实验添加的172.25.13.100的svc
[root@server2 ~]# mkdir ingress ##创建对应文件夹方便实验
[root@server2 ~]# cp deploy.yaml ingress/
[root@server2 ~]# cd ingress/
[root@server2 ingress]# kubectl apply -f deploy.yaml
[root@server2 ingress]# kubectl get ns ##安装成功后出现新的namespace:ingress-nginx
[root@server2 ingress]# kubectl get all -n ingress-nginx ##查看服务是否安装成功
[root@server2 ingress]# kubectl get all -o wide -n ingress-nginx ##查看新namespace详细信息
[root@server2 ingress]# kubectl -n ingress-nginx get pod ##查看是否运行成功,READY状态必须为1
[root@server2 ~]# kubectl -n ingress-nginx describe pod ingress-nginx-controller-w62nz
2.2 Ingress配置
2.2.1 配置基本的测试文件
一个host
[root@server2 ~]# kubectl apply -f demo.yml
service/myservice created
deployment.apps/demo2 created
[root@server2 ~]# kubectl describe svc myservice
[root@foundation50 Desktop]# vim /etc/hosts
192.168.0.4 www1.westos.org
[root@server2 ingress]# vim nginx.yml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: ingress-demo
spec:
rules:
- host: www1.westos.org
http:
paths:
- path: /
backend:
serviceName: myservice
servicePort: 80
[root@server2 ingress]# kubectl apply -f nginx.yml ##创建ingress
[root@server2 ingress]# kubectl -n ingress-nginx get pod
[root@server2 ingress]# kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-demo <none> www1.westos.org 192.168.0.4 80 7m37s
[root@server4 ~]# netstat -antlp | grep :80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 7799/nginx: master
tcp6 0 0 :::80 :::* LISTEN 7799/nginx: master
[root@foundation50 Desktop]# curl www1.westos.org/hostname.html
demo2-67f8c948cf-4tt69
[root@foundation50 Desktop]# curl www1.westos.org/hostname.html
demo2-67f8c948cf-dh9ch
两个host
[root@foundation50 Desktop]# vim /etc/hosts
192.168.0.4 www1.westos.org www2.westos.org
[root@server2 ingress]# vim nginx-svc.yml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: ingress-demo
spec:
rules:
- host: www1.westos.org
http:
paths:
- path: /
backend:
serviceName: myservice
servicePort: 80
- host: www2.westos.org
http:
paths:
- path: /
backend:
serviceName: nginx-svc
servicePort: 80
[root@server2 ingress]# kubectl apply -f nginx-svc.yml
service/nginx-svc created
deployment.apps/deployment created
[root@server2 ingress]# kubectl get pod -L app
[root@server2 ingress]# kubectl get svc
[root@server2 ingress]# kubectl describe svc nginx-svc
[root@server2 ingress]# vim nginx.yml
[root@server2 ingress]# kubectl apply -f nginx.yml
[root@server2 ingress]# kubectl describe ingress ingress-demo
[root@foundation50 Desktop]# curl www1.westos.org
Hello MyApp | Version: v2 | <a href="hostname.html">Pod Name</a>
[root@foundation50 Desktop]# curl www2.westos.org
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
2.2.2 证书加密
[root@server2 ingress]# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc" ##生成证书文件
[root@server2 ingress]# ls
deploy.yaml nginx-svc.yml nginx.yml tls.crt tls.key
[root@server2 ingress]# kubectl create secret tls tls-secret --key tls.key --cert tls.crt ##生成缓存的密钥文件,相当于缓存到secret这个文件中
secret/tls-secret created
[root@server2 ingress]# kubectl get secrets ##查看生成的密钥文件
[root@server2 ingress]# kubectl describe secrets tls-secret ##查看密钥详细信息
[root@server2 ingress]# vim nginx.yml
[root@server2 ingress]# kubectl apply -f nginx.yml
[root@server2 ingress]# kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-demo <none> www1.westos.org 192.168.0.4 80, 443 42m
ingress-demo2 <none> www2.westos.org 192.168.0.4 80 7m27s
[root@foundation50 Desktop]# curl www1.westos.org
[root@foundation50 Desktop]# curl www1.westos.org -I 重定向
[root@foundation50 Desktop]# curl www2.westos.org
2.2.3 证书加密与用户认证
[root@server2 ingress]# yum provides */htpasswd ##查看htpasswd软件属于哪个安装包
[root@server2 ingress]# yum install httpd-tools-2.4.6-88.el7.x86_64 -y ##安装对应软件
[root@server2 ingress]# htpasswd -c auth linux
[root@server2 ingress]# htpasswd auth admin
Adding password for user admin
[root@server2 ingress]# cat auth
linux:$apr1$sE8wr.cb$/9RcGgU6FWUgNFkMPYnSA1
admin:$apr1$OlUpLQ4G$..EN8P96UNwofaHsuytHg/
[root@server2 ingress]# kubectl create secret generic basic-auth --from-file=auth ##存储用户认证文件
secret/basic-auth created
[root@server2 ingress]# kubectl get secrets
[root@server2 ingress]# kubectl get secret basic-auth -o yaml ##通过yaml文件查看用户认证信息
[root@server2 ingress]# cat nginx.yml
annotations:
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - linux'
[root@server2 ingress]# kubectl apply -f nginx.yml ##创建
[root@server2 ingress]# kubectl describe ingress ingress-demo
网页访问www1.westos.org发现需要用户认证,登陆即可
2.2.4 简单设置重定向
[root@server2 ingress]# vim nginx.yml
[root@server2 ingress]# kubectl apply -f nginx.yml
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /hostname.html ##设置重定向信息,可以直接访问到www1.westos.org/hostname.html
[root@foundation50 Desktop]# curl www2.westos.org
deployment-6456d7c676-fl56x
[root@foundation50 Desktop]# curl www2.westos.org
deployment-6456d7c676-vbhts
2.2.5 地址重写(复杂的重定向)
[root@server2 ingress]# vim nginx.yml
[root@server2 ingress]# kubectl apply -f nginx.yml
[root@server2 ingress]# kubectl describe ingress ingress-demo2
[root@foundation50 Desktop]# curl www2.westos.org/westos -I
[root@foundation50 Desktop]# curl www2.westos.org/westos/hostname.html
deployment-6456d7c676-vbhts
[root@foundation50 Desktop]# curl www2.westos.org/westos
Hello MyApp | Version: v1 | <a href="hostname.html">Pod Name</a>
