主机 | IP地址 | 服务 |
---|---|---|
master | 192.168.1.21 | k8s |
node01 | 192.168.1.22 | k8s |
node02 | 192.168.1.23 | k8s |
1、首先确定要运行ingress-nginx-controller服务。
[root@master ingress]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.29.0/deploy/static/mandatory.yaml
[root@master ingress]# vim mandatory.yaml
hostNetwork: true #213  在该行附近、ingress-nginx-controller Pod 的 spec 下添加;开启后控制器直接使用节点网络命名空间,会占用各节点自身的 80/443 端口
[root@master ingress]# kubectl apply -f mandatory.yaml
[root@master ingress]# kubectl get pod -n ingress-nginx
[root@master yaml]# vim service-nodeport.yaml
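# service-nodeport.yaml — exposes the ingress-nginx controller pods on a NodePort.
# No nodePort value is pinned, so the cluster allocates one from its NodePort
# range (the 30817 / 31372 ports used later on this page come from that).
# NOTE: the controller manifest was edited to hostNetwork: true, so the
# controller already listens on every node's own 80/443; this Service adds a
# second entry point on the high port range rather than being the only one.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
  # must match the labels carried by the controller pods from mandatory.yaml
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---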
[root@master ingress]# kubectl apply -f service-nodeport.yaml
[root@master ingress]# kubectl get svc -n ingress-nginx
[root@master yaml]# vim deploy1.yaml
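# deploy1.yaml — two plain nginx replicas plus a ClusterIP Service (svc-1) in
# the default namespace; svc-1 is the backend that ingress-1 routes to.
# extensions/v1beta1 Deployment was removed in Kubernetes 1.16; on newer
# clusters use apps/v1, which also requires the explicit selector kept below.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: deploy1
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx1
  template:
    metadata:
      labels:
        app: nginx1
    spec:
      containers:
        - name: nginx1
          image: nginx  # untagged, resolves to "latest"; pin a tag for reproducible rollouts
---
apiVersion: v1
kind: Service
metadata:
  name: svc-1
spec:
  selector:
    app: nginx1
  ports:
    - port: 80
      targetPort: 80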
[root@master yaml]# kubectl apply -f deploy1.yaml
[root@master yaml]# kubectl get pod
[root@master yaml]# kubectl get svc
[root@master yaml]# vim deploy2.yaml
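# deploy2.yaml — second backend: two nginx replicas plus Service svc-2 in the
# default namespace; svc-2 is the backend that ingress-2 routes to.
# extensions/v1beta1 Deployment was removed in Kubernetes 1.16; on newer
# clusters use apps/v1, which also requires the explicit selector kept below.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: deploy2
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx2
  template:
    metadata:
      labels:
        app: nginx2
    spec:
      containers:
        - name: nginx2
          image: nginx  # untagged, resolves to "latest"; pin a tag for reproducible rollouts
---
apiVersion: v1
kind: Service
metadata:
  name: svc-2
spec:
  selector:
    app: nginx2
  ports:
    - port: 80
      targetPort: 80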
[root@master yaml]# kubectl apply -f deploy2.yaml
[root@master yaml]# kubectl get deployments.
[root@master yaml]# vim ingress.yaml
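# ingress.yaml — host-based routing: www1.bdqn.com -> svc-1, www2.bdqn.com -> svc-2.
# Neither Ingress has a tls: section, so both hosts are served over plain HTTP only.
# extensions/v1beta1 Ingress was removed in Kubernetes 1.22; newer clusters use
# networking.k8s.io/v1, where the backend is written as
# backend.service.name / backend.service.port.number.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-1
spec:
  rules:
    - host: www1.bdqn.com
      http:
        paths:
          - path: /
            backend:
              serviceName: svc-1
              servicePort: 80
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-2
spec:
  rules:
    - host: www2.bdqn.com
      http:
        paths:
          - path: /
            backend:
              serviceName: svc-2
              servicePort: 80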
[root@master yaml]# kubectl apply -f ingress.yaml
[root@master yaml]# kubectl get ingresses.
[root@master yaml]# kubectl describe ingresses. ingress-1
[root@master yaml]# kubectl describe ingresses. ingress-2
[root@master yaml]# kubectl get svc -n ingress-nginx
//查看映射的端口
http://www1.bdqn.com:30817/
http://www2.bdqn.com:30817/
后端pod → service → ingress规则 → 写入ingress-nginx-controller配置文件并自动重载使更改生效 → 在客户端本机做域名解析 → client即可通过“域名+节点端口”访问到后端pod
在上面的操作中,实现了使用ingress-nginx为后端所有pod提供一个统一的入口。那么,有一个非常严肃的问题需要考虑:如何为我们的pod配置TLS证书来实现HTTPS访问?在pod中直接配置证书么?那需要进行多少重复性的操作?而且,pod是随时可能被kubelet杀死再创建的。当然这些问题有很多解决方法,比如直接将证书打进镜像,但是这样又需要为每个镜像维护证书。
这里有更简便的一种方法,就拿上面的情况来说,后端有多个pod,pod与service进行关联,service又被ingress规则发现并动态写入到ingress-nginx-controller容器中,然后又为ingress-nginx-controller创建了一个Service映射到群集节点上的端口,来供client来访问。
在上面的一系列流程中,关键的点就在于ingress规则:我们只需要在ingress的yaml文件中为域名绑定TLS证书即可。只要可以通过HTTPS访问到域名,至于这个域名是怎么关联到后端提供服务的pod,那就属于k8s群集内部的通信了,即便内部使用http来通信,也无伤大雅。
[root@master yaml]# mkdir https
//创建一个放置证书的目录
[root@master yaml]# cd https/
[root@master https]# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=testsvc /O=testsvc"
//生成自签名证书(仅用于测试;证书的 CN/SAN 应与后面 Ingress 中的域名一致,否则浏览器会提示证书与域名不匹配)
[root@master https]# kubectl create secret tls tls-secret --key=tls.key --cert tls.crt
[root@master yaml]# vim deploy3.yaml
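# deploy3.yaml — backend for the HTTPS example: two nginx replicas plus
# Service svc-3 in the default namespace; svc-3 is what ingress-3 routes to.
# extensions/v1beta1 Deployment was removed in Kubernetes 1.16; on newer
# clusters use apps/v1, which also requires the explicit selector kept below.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: deploy3
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx3
  template:
    metadata:
      labels:
        app: nginx3
    spec:
      containers:
        - name: nginx3
          image: nginx  # untagged, resolves to "latest"; pin a tag for reproducible rollouts
---
apiVersion: v1
kind: Service
metadata:
  name: svc-3
spec:
  selector:
    app: nginx3
  ports:
    - port: 80
      targetPort: 80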
[root@master https]# kubectl apply -f deploy3.yaml
[root@master https]# kubectl get pod
[root@master https]# kubectl get svc
[root@master https]# vim ingress.yaml
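# ingress.yaml — same host routing as before, but with a tls: section so the
# controller terminates HTTPS for www3.bdqn.com using the tls-secret Secret.
# The Secret was created with `kubectl create secret tls` and no -n, and this
# Ingress carries no namespace either, so both live in "default"; an Ingress can
# only reference a TLS Secret in its own namespace.
# The certificate was self-signed with openssl above, so clients will warn
# unless they trust it, and its CN/SAN should match the host listed here.
# Traffic between the controller and svc-3 stays plain HTTP inside the cluster.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-3
spec:
  tls:
    - hosts:
        - www3.bdqn.com        # host name the certificate is served for
      secretName: tls-secret   # kubernetes.io/tls Secret holding tls.crt / tls.key
  rules:
    - host: www3.bdqn.com
      http:
        paths:
          - path: /
            backend:
              serviceName: svc-3
              servicePort: 80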
[root@master https]# kubectl apply -f ingress.yaml
[root@master https]# kubectl get ingresses.
[root@master https]# kubectl get svc -n ingress-nginx
https://www3.bdqn.com:31372/
k8s集群利用了“一切皆为资源”的原理,把生成的TLS证书(tls.crt/tls.key,以Secret的形式保存)当成一个公共的资源来使用,使用时只需在ingress规则中绑定该Secret即可;不像之前一样,需要为每个pod单独配置证书再关联起来,方便好用又快捷。