In Kubernetes, Pod and Service IP addresses are only reachable inside the cluster network; an application running in the cluster is not visible from outside. To let external clients reach services inside the cluster, Kubernetes currently offers several options:
NodePort
LoadBalancer
Ingress
This section gives a brief introduction to Ingress and records the deployment of the ingress controller ingress-nginx-controller.
Component versions used below:
Cloud server: CentOS 7.6.1810, Kubernetes 1.15.0, Docker 18.06.1-ce, ingress-nginx-controller 0.25.0
Ingress
What does Ingress consist of?
The Nginx configuration is abstracted into Ingress objects, so every newly added service only needs a new Ingress yaml file; the newly added Ingress is converted into Nginx configuration and takes effect. The two pieces that do this are:
- ingress controller
- ingress Service
How does Ingress work?
- The ingress controller talks to the Kubernetes API and dynamically detects changes to the Ingress rules in the cluster.
- It then reads the rules; according to these custom rules, which state which domain name maps to which service, it generates a piece of Nginx configuration.
- It writes that configuration into the nginx-ingress-controller pod: the pod runs an Nginx service, and the controller writes the generated configuration to /etc/nginx/nginx.conf and then reloads Nginx so it takes effect. This is how per-domain configuration is generated and updated dynamically.
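The rule-to-configuration flow described above, driven end to end, as an added example that is not part of the original post or of the ingress-nginx project. It assumes a ClusterIP Service named web on port 80 in the default namespace, the hostname web.example.com, and the controller namespace and labels from the manifest later in this post; the kubectl steps need a live cluster, the two sanity functions at the end do not.

```shell
#!/bin/sh
# Added example, not from the original post: write an Ingress rule, then read
# back the Nginx server block the controller generated from it.
# Assumed names: Service "web" on port 80 in namespace "default", hostname
# web.example.com, controller namespace ingress-nginx (from the post's manifest).

# Emit the Ingress rule: "requests for web.example.com go to Service web:80".
# networking.k8s.io/v1beta1 is the API served by Kubernetes 1.15 and is the
# group granted in the controller's ClusterRole.
ingress_manifest() {
  host="${1:-web.example.com}" svc="${2:-web}" port="${3:-80}"
  cat <<EOF
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ${svc}
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: ${host}
    http:
      paths:
      - path: /
        backend:
          serviceName: ${svc}
          servicePort: ${port}
EOF
}

# Apply the rule (needs a cluster), then show what the controller generated:
# the server block for the host appears in /etc/nginx/nginx.conf with no
# manual reverse-proxy change; proxy_pass points at the Lua upstream balancer.
show_generated_config() {
  host="${1:-web.example.com}"
  ingress_manifest "$host" | kubectl apply -f -
  pod=$(kubectl -n ingress-nginx get pods -l app.kubernetes.io/name=ingress-nginx \
        -o jsonpath='{.items[0].metadata.name}')
  sleep 5   # give the controller a sync cycle
  kubectl -n ingress-nginx exec "$pod" -- cat /etc/nginx/nginx.conf |
    grep -n -E "server_name ${host}|upstream_balancer|proxy_pass"
}

# Offline sanity checks: the rule carries the host and backend we asked for.
manifest_has_host() { ingress_manifest "$1" "$2" "$3" | grep -q "host: $1"; }
manifest_backend() {
  ingress_manifest "$1" "$2" "$3" |
    awk '/serviceName:/{n=$2} /servicePort:/{p=$2} END{print n ":" p}'
}
```

Run `show_generated_config` after the controller is up; if the server block is missing, the usual causes are an ingress.class annotation that does not match the controller or a Service name that has no endpoints.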
What problems does Ingress solve?
Dynamic service configuration
Traditionally, when a new service was added we might have to add a traffic entry point for it on the reverse proxy. With Ingress you only configure the rule for that service; when the service starts it is registered automatically, and nothing outside the Ingress has to change.
Fewer unnecessarily exposed ports
Anyone who has configured k8s knows that the first step is to turn off the firewall, mainly because many k8s services are mapped out with NodePort, which amounts to punching a lot of holes in the host: neither safe nor elegant. Ingress avoids this: apart from the Ingress Service itself, which does have to be exposed, the other services no longer need NodePort. Turning the firewall off should still be treated as a shortcut rather than a design: keep host rules that allow only the ports you actually need, and turn every other Service back into a ClusterIP once it is reachable through the Ingress.
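A quick audit of the point above, as an added example that is not part of the original post: list every Service that still opens a node port so that, after the migration, only the ingress controller's own entry point is left. The kubectl column format is real; the table the audit runs over here is a constructed sample, and the ingress Service name and namespace (ingress-nginx/ingress-nginx) are assumed from this post's manifests.

```shell
#!/bin/sh
# Added example, not from the original post: find Services that still expose
# node ports after moving traffic behind the Ingress.
# Assumption: the controller's own Service is ingress-nginx in namespace ingress-nginx.

# Real command (needs a cluster). Node ports of a Service come out comma-separated;
# a Service with none prints <none>.
svc_table_from_cluster() {
  kubectl get svc -A -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name,TYPE:.spec.type,NODEPORTS:.spec.ports[*].nodePort
}

# Constructed sample of that output so the audit can be exercised offline.
sample_svc_table() {
  cat <<'EOF'
NS              NAME            TYPE           NODEPORTS
default         kubernetes      ClusterIP      <none>
default         web             NodePort       30080
default         grafana         NodePort       30300,30301
ingress-nginx   ingress-nginx   LoadBalancer   31080,31443
kube-system     kube-dns        ClusterIP      <none>
EOF
}

# Print "ns/name nodeports" for every Service that holds a node port and is not
# the ingress controller's own Service. Reads the table on stdin.
exposed_node_ports() {
  awk -v keep_ns="${INGRESS_NS:-ingress-nginx}" -v keep_name="${INGRESS_SVC:-ingress-nginx}" '
    NR == 1 { next }                           # header row
    $4 == "<none>" { next }                    # no node port allocated
    $1 == keep_ns && $2 == keep_name { next }  # the one entry point we keep
    { print $1 "/" $2 " " $4 }'
}

# Number of Services that should become ClusterIP behind an Ingress rule.
count_exposed() { exposed_node_ports | wc -l | tr -d ' '; }

# Usage against a live cluster:
#   svc_table_from_cluster | exposed_node_ports
# For each line printed, write an Ingress rule for the Service, then edit the
# Service to type: ClusterIP and drop its nodePort fields.
```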
What implementations of Ingress exist today?
ingress-nginx-controller
The latest ingress-nginx-controller uses Lua to apply upstream (backend endpoint) changes without reloading Nginx, greatly reducing the Nginx reloads that, in production, are caused by service restarts and by Pod IPs changing during upgrades.
Below is a simple record of deploying ingress-nginx-controller. Two things in the manifest deserve attention: the ClusterRole lets the controller list and watch Secrets in every namespace (it needs them to serve TLS certificates), and the container runs as uid 33 (www-data) with allowPrivilegeEscalation: true and only NET_BIND_SERVICE added, as shipped upstream for 0.25.0; together they make the controller pod a sensitive component rather than an ordinary workload.
The yaml is as follows:
kubectl apply -f {file below}
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: tcp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: udp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses/status
    verbs:
      - update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "<election-id>-<ingress-class>"
      # Here: "<ingress-controller-leader>-<nginx>"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
    spec:
      serviceAccountName: nginx-ingress-serviceaccount
      containers:
        - name: nginx-ingress-controller
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.25.0
          args:
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx
            - --annotations-prefix=nginx.ingress.kubernetes.io
          securityContext:
            allowPrivilegeEscalation: true
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            # www-data -> 33
            runAsUser: 33
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
---
From inside the Great Firewall the following image cannot be pulled:
quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.25.0
You can use the domestic Alibaba Cloud mirror instead:
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:0.25.0
After pulling from the mirror, either docker tag it to the quay.io name used in the Deployment above or change the image field to the mirror name, and check that the image ID shown by docker images matches the one published upstream, so that you are running the same bits and not a repackaged image.
After installation you will see that the pod in the ingress-nginx namespace stays Pending; describe pod reports the following warning:
Looking at the node shows that the master node carries a taint by default, which in general prevents pods from being scheduled onto the master:
If the k8s cluster has only one node, you can add a toleration for that taint under the pod spec (spec.template.spec of the Deployment above), namely:
spec:
  tolerations:
    - effect: NoSchedule
      key: node-role.kubernetes.io/master
You will then see the ingress-nginx pod scheduled onto the master node and become Running.
Looking at the logs shows the following warning:
W0714 13:31:04.883127 6 queue.go:130] requeuing &ObjectMeta{Name:sync status,GenerateName:,Namespace:,SelfLink:,UID:,ResourceVersion:,Generation:0,CreationTimestamp:0001-01-01 00:00:00 +0000 UTC,DeletionTimestamp:<nil>,DeletionGracePeriodSeconds:nil,Labels:map[string]string{},Annotations:map[string]string{},OwnerReferences:[],Finalizers:[],ClusterName:,Initializers:nil,ManagedFields:[],}, err services "ingress-nginx" not found
A Service named ingress-nginx must be created, because the controller was started with --publish-service=$(POD_NAMESPACE)/ingress-nginx and uses that Service's address to fill in the status of each Ingress. Note that type: LoadBalancer only gets an external address when a cloud provider allocates load balancers; on a self-managed server without one, EXTERNAL-IP stays <pending>, so use type: NodePort there instead. externalTrafficPolicy: Local preserves the client's source IP, which matters for access logs and IP allow-lists, but it only routes to nodes that actually run a controller pod.
kubectl apply -f {file below}
kind: Service
apiVersion: v1
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  externalTrafficPolicy: Local
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  ports:
    - name: http
      port: 80
      targetPort: http
    - name: https
      port: 443
      targetPort: https
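The three post-install fixes above (Pending pod, master taint, missing publish Service) collected into one script, as an added example that is not part of the original post or of the ingress-nginx project. It assumes the namespace, Deployment, ServiceAccount and label names from this post's manifests, uses a JSON patch instead of editing the manifest by hand, and adds a NodePort variant of the Service for a self-managed server with no cloud load balancer (the variable name INGRESS_SVC_TYPE is this example's own). The verification step also confirms what the controller's ServiceAccount may read.

```shell
#!/bin/sh
# Added example, not from the original post: post-install fixes for the
# ingress-nginx-controller 0.25.0 deployment above, plus a verification step.
# Assumed names come from the post's manifests (namespace ingress-nginx,
# Deployment nginx-ingress-controller, ServiceAccount nginx-ingress-serviceaccount).
set -eu
NS=ingress-nginx
DEPLOY=nginx-ingress-controller

# Step 1: why the pod is Pending. Prints each node with its taints.
node_taints() {
  kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.taints}{"\n"}{end}'
}

# Step 2: JSON patch adding the master toleration under the pod template
# (the same toleration the post shows, placed at spec.template.spec).
toleration_patch() {
  cat <<'EOF'
[{"op": "add", "path": "/spec/template/spec/tolerations",
  "value": [{"key": "node-role.kubernetes.io/master", "effect": "NoSchedule"}]}]
EOF
}
tolerate_master() { kubectl -n "$NS" patch deployment "$DEPLOY" --type=json -p "$(toleration_patch)"; }

# Step 3: the Service named in --publish-service. LoadBalancer needs a cloud
# provider; pass NodePort on a bare server. externalTrafficPolicy: Local keeps
# the client source IP visible in the controller's access log.
service_manifest() {
  type="${1:-LoadBalancer}"
  cat <<EOF
kind: Service
apiVersion: v1
metadata:
  name: ingress-nginx
  namespace: ${NS}
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  externalTrafficPolicy: Local
  type: ${type}
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  ports:
  - name: http
    port: 80
    targetPort: http
  - name: https
    port: 443
    targetPort: https
EOF
}
create_service() { service_manifest "${INGRESS_SVC_TYPE:-LoadBalancer}" | kubectl apply -f -; }

# Step 4: verify the rollout, the Service, that the "services ingress-nginx
# not found" warning stopped, and what the controller's identity can read
# (the ClusterRole grants list/watch on Secrets cluster-wide; expect "yes").
verify() {
  kubectl -n "$NS" rollout status deployment "$DEPLOY" --timeout=120s
  kubectl -n "$NS" get svc ingress-nginx
  kubectl -n "$NS" logs deployment/"$DEPLOY" --tail=50 | grep -c 'not found' || true
  kubectl auth can-i list secrets --all-namespaces \
    --as="system:serviceaccount:${NS}:nginx-ingress-serviceaccount"
}

# Offline helper: the Service type a given manifest would create.
service_type() { service_manifest "$1" | awk '/^  type:/{print $2}'; }

if [ "${1:-}" = run ]; then
  node_taints; tolerate_master; create_service; verify
fi
```

Run it as `INGRESS_SVC_TYPE=NodePort sh fix-ingress.sh run` on a single-node cluster; on a cloud cluster leave the type at LoadBalancer. The `can-i` line is deliberately left visible: a controller that can read every Secret is acceptable, but only if you know it and treat its pod and node accordingly.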
References:
ingress deploy: https://github.com/kubernetes/ingress-nginx/blob/master/docs/deploy/index.md
Taint and Toleration: https://jimmysong.io/kubernetes-handbook/concepts/taint-and-toleration.html
k8s 1.12 deploy ingress-nginx: https://www.jianshu.com/p/e30b06906b77