Deploying Ingress on Kubernetes

Published: 2023-09-06 01:36  Editor: 彭小芳  Keywords: kubernetes

1. How to access services in K8S:

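1. Introduction to Ingress

Kubernetes currently has only three ways to expose a service: LoadBalancer Service, NodePort Service, and Ingress. The first two are probably familiar, so the rest of this post looks at Ingress in detail.

Ingress consists of two parts: the Ingress Controller and the Ingress service.

The Ingress Controller interacts with the Kubernetes API to dynamically detect changes to the Ingress rules in the cluster and reads them. From those rules, each of which states which domain name maps to which service, it generates a piece of Nginx configuration and writes it into the nginx-ingress-controller Pod. That Pod runs an nginx service: the controller writes the generated nginx configuration to /etc/nginx.conf and then reloads nginx so the configuration takes effect. This is how per-domain routing and dynamic updates are achieved.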


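There are two kinds of Ingress controller: nginx and haproxy. This post uses nginx.

2. Deploying an Nginx Ingress

The Ingress deployment files can be found in the Ingress repository on GitHub. On top of the official configuration we added a nodeSelector to bind the pods to the LB address, which makes DNS resolution easier.

The main files used:

    $ ls
    default-backend.yaml  jenkins-ingress.yml  nginx-ingress-controller-rbac.yml  nginx-ingress-controller.yaml

default-backend.yaml: the default backend that the official setup requires; it serves the 404 page. It also provides an HTTP check used to detect the health of nginx-ingress-controller: the controller's /healthz page is requested at a fixed interval, and if there is no response an error code such as 404 is returned.

nginx-ingress-controller-rbac.yml: the RBAC authorization file for Ingress.

nginx-ingress-controller.yaml: the deployment file for the controller.

jenkins-ingress.yml: the Ingress service file. This can be any web application; it configures the mapping between domain names and services, which Ingress calls rules.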

First, deploy the RBAC file:

    $ cat nginx-ingress-controller-rbac.yml
    #apiVersion: v1
    #kind: Namespace
    #metadata:            # this would create a namespace; kube-system already exists, so it is not created again
    #  name: kube-system
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: nginx-ingress-serviceaccount   # create a ServiceAccount
      namespace: kube-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRole
    metadata:
      name: nginx-ingress-clusterrole      # the cluster role bound to this ServiceAccount
    rules:
      - apiGroups:
          - ""
        resources:                         # permissions of this cluster role: the API resources it can operate on
          - configmaps
          - endpoints
          - nodes
          - pods
          - secrets
        verbs:
          - list
          - watch
      - apiGroups:
          - ""
        resources:
          - nodes
        verbs:
          - get
      - apiGroups:
          - ""
        resources:
          - services
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - "extensions"
        resources:
          - ingresses
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - ""
        resources:
          - events
        verbs:
          - create
          - patch
      - apiGroups:
          - "extensions"
        resources:
          - ingresses/status
        verbs:
          - update
    ---
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: Role
    metadata:
      name: nginx-ingress-role             # this is a Role, not a ClusterRole
      namespace: kube-system
    rules:                                 # permissions of the role
      - apiGroups:
          - ""
        resources:
          - configmaps
          - pods
          - secrets
          - namespaces
        verbs:
          - get
      - apiGroups:
          - ""
        resources:
          - configmaps
        resourceNames:
          # Defaults to "<election-id>-<ingress-class>"
          # Here: "<ingress-controller-leader>-<nginx>"
          # This has to be adapted if you change either parameter
          # when launching the nginx-ingress-controller.
          - "ingress-controller-leader-nginx"
        verbs:
          - get
          - update
      - apiGroups:
          - ""
        resources:
          - configmaps
        verbs:
          - create
      - apiGroups:
          - ""
        resources:
          - endpoints
        verbs:
          - get
          - create
          - update
    ---
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: RoleBinding                      # role binding
    metadata:
      name: nginx-ingress-role-nisa-binding
      namespace: kube-system
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: nginx-ingress-role
    subjects:
      - kind: ServiceAccount
        name: nginx-ingress-serviceaccount # bound to this account
        namespace: kube-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRoleBinding               # cluster role binding
    metadata:
      name: nginx-ingress-clusterrole-nisa-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: nginx-ingress-clusterrole
    subjects:
      - kind: ServiceAccount
        name: nginx-ingress-serviceaccount # the cluster role is bound to this ServiceAccount
        namespace: kube-system             # a cluster role can span namespaces, but here it is given only to the account in this namespace

Create it:

    $ kubectl create -f nginx-ingress-controller-rbac.yml
    serviceaccount "nginx-ingress-serviceaccount" created
    clusterrole "nginx-ingress-clusterrole" created
    role "nginx-ingress-role" created
    rolebinding "nginx-ingress-role-nisa-binding" created
    clusterrolebinding "nginx-ingress-clusterrole-nisa-binding" created
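A least-privilege review of the RBAC manifest above, as an added example that is not part of the original post: the rules are transcribed into Python data, and the script lists every grant that reads Secrets or that writes without a resourceNames pin. The function names and the wording of the findings are illustrative assumptions.

```python
# Rules transcribed from the page's nginx-ingress-controller-rbac.yml.
CORE = [""]
CLUSTER_ROLE = [
    {"apiGroups": CORE, "verbs": ["list", "watch"],
     "resources": ["configmaps", "endpoints", "nodes", "pods", "secrets"]},
    {"apiGroups": CORE, "verbs": ["get"], "resources": ["nodes"]},
    {"apiGroups": CORE, "verbs": ["get", "list", "watch"], "resources": ["services"]},
    {"apiGroups": ["extensions"], "verbs": ["get", "list", "watch"],
     "resources": ["ingresses"]},
    {"apiGroups": CORE, "verbs": ["create", "patch"], "resources": ["events"]},
    {"apiGroups": ["extensions"], "verbs": ["update"], "resources": ["ingresses/status"]},
]
ROLE = [  # namespaced Role in kube-system
    {"apiGroups": CORE, "verbs": ["get"],
     "resources": ["configmaps", "pods", "secrets", "namespaces"]},
    {"apiGroups": CORE, "verbs": ["get", "update"], "resources": ["configmaps"],
     "resourceNames": ["ingress-controller-leader-nginx"]},
    {"apiGroups": CORE, "verbs": ["create"], "resources": ["configmaps"]},
    {"apiGroups": CORE, "verbs": ["get", "create", "update"], "resources": ["endpoints"]},
]
READ = {"get", "list", "watch"}


def grants(scope, rules):
    """Flatten RBAC rules into (scope, resource, verb, resourceNames) tuples."""
    return [(scope, res, verb, tuple(rule.get("resourceNames", ())))
            for rule in rules for res in rule["resources"] for verb in rule["verbs"]]


def review(all_grants):
    """Grants a least-privilege review should ask the owner to justify."""
    findings = set()
    for scope, res, verb, names in all_grants:
        if res == "secrets" and verb in READ:
            findings.add(f"{scope}: {verb} secrets")           # credential read
        elif verb not in READ and not names:
            findings.add(f"{scope}: {verb} {res} (any name)")  # unpinned write
    return sorted(findings)


def audit():
    return review(grants("cluster-wide", CLUSTER_ROLE) + grants("kube-system", ROLE))


if __name__ == "__main__":
    print("\n".join(audit()))
```

The configmaps get/update rule does not appear in the output because it is pinned to ingress-controller-leader-nginx; the cluster-wide list/watch on secrets does, since the ClusterRoleBinding applies it to every namespace.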

Once RBAC is in place, create the default backend service:

    $ cat default-backend.yaml
    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: default-http-backend
      labels:
        k8s-app: default-http-backend
      namespace: kube-system
    spec:
      replicas: 1
      template:
        metadata:
          labels:
            k8s-app: default-http-backend
        spec:
          terminationGracePeriodSeconds: 60
          containers:
          - name: default-http-backend
            # Any image is permissible as long as:
            # 1. It serves a 404 page at /
            # 2. It serves 200 on a /healthz endpoint
            image: gcr.io/google_containers/defaultbackend:1.0
            livenessProbe:
              httpGet:
                path: /healthz           # this URI is a location configured in the nginx inside nginx-ingress-controller
                port: 8080
                scheme: HTTP
              initialDelaySeconds: 30    # wait 30s before the first /healthz check
              timeoutSeconds: 5
            ports:
            - containerPort: 8080
            resources:
              limits:
                cpu: 10m
                memory: 20Mi
              requests:
                cpu: 10m
                memory: 20Mi
          nodeSelector:                  # schedule onto this Node, for the DNS resolution set up later
            kubernetes.io/hostname: 10.3.1.17
    ---
    apiVersion: v1
    kind: Service                        # create a Service for the default backend
    metadata:
      name: default-http-backend
      namespace: kube-system
      labels:
        k8s-app: default-http-backend
    spec:
      ports:
      - port: 80
        targetPort: 8080
      selector:
        k8s-app: default-http-backend

Create it:

    $ kubectl create -f default-backend.yaml
    deployment "default-http-backend" created
    service "default-http-backend" created

Check the result after creation:

    root@ubuntu15:/data/ingress# kubectl get rs,pod,svc -n kube-system
    NAME                                 DESIRED   CURRENT   READY   AGE
    rs/default-http-backend-857b544d94   1         1         1       1m

    NAME                                       READY   STATUS    RESTARTS   AGE
    po/default-http-backend-857b544d94-bwgjd   1/1     Running   0          1m

    NAME                       TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
    svc/default-http-backend   ClusterIP   10.254.208.144   <none>        80/TCP    1m

With the default backend created, the next step is to create nginx-ingress-controller:

    $ cat nginx-ingress-controller.yaml
    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: nginx-ingress-controller
      labels:
        k8s-app: nginx-ingress-controller
      namespace: kube-system
    spec:
      replicas: 1
      template:
        metadata:
          labels:
            k8s-app: nginx-ingress-controller
        spec:
          # hostNetwork makes it possible to use ipv6 and to preserve the source IP correctly regardless of docker configuration
          # however, it is not a hard dependency of the nginx-ingress-controller itself and it may cause issues if port 10254 already is taken on the host
          # that said, since hostPort is broken on CNI (https://github.com/kubernetes/kubernetes/issues/31307) we have to use hostNetwork where CNI is used
          # like with kubeadm
          # hostNetwork: true        # commenting this out means the host's port 80 is not used
          terminationGracePeriodSeconds: 60
          hostNetwork: true          # the container uses the same network as the host
          serviceAccountName: nginx-ingress-serviceaccount   # references the ServiceAccount created earlier
          containers:
          - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.1   # image used by the container
            name: nginx-ingress-controller   # container name
            readinessProbe:          # /healthz is verified when the service starts; port 10254 listens on the node it runs on
              httpGet:
                path: /healthz
                port: 10254
                scheme: HTTP
            livenessProbe:
              httpGet:
                path: /healthz
                port: 10254
                scheme: HTTP
              initialDelaySeconds: 10   # wait 10s before the first health check
              timeoutSeconds: 1
            ports:
            - containerPort: 80
              hostPort: 80           # 80 is mapped to 80
            - containerPort: 443
              hostPort: 443
            env:
              - name: POD_NAME
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.name
              - name: POD_NAMESPACE
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.namespace
            args:
            - /nginx-ingress-controller
            - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
            # - --default-ssl-certificate=$(POD_NAMESPACE)/ingress-secret   # used when enabling HTTPS
          nodeSelector:              # where to run; this IP must be the same one used for the default backend
            kubernetes.io/hostname: 10.3.1.17   # hostPort 80 is mapped above, so make sure 80 and 443 are free on this IP

The controller is just a Deployment running one container, gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.1, which is much like an nginx container. Create it now:

    $ kubectl create -f nginx-ingress-controller.yaml
    deployment "nginx-ingress-controller" created
    root@ubuntu15:/data/ingress# kubectl get rs,pod,svc -n kube-system
    NAME                                     DESIRED   CURRENT   READY   AGE
    rs/default-http-backend-857b544d94       1         1         1       12m
    rs/nginx-ingress-controller-8576d4545d   1         1         0       27s

    NAME                                           READY   STATUS              RESTARTS   AGE
    po/default-http-backend-857b544d94-bwgjd       1/1     Running             0          12m
    po/nginx-ingress-controller-8576d4545d-9tjnv   0/1     ContainerCreating   0          27s

    NAME                       TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
    svc/default-http-backend   ClusterIP   10.254.208.144   <none>        80/TCP    12m

The ingress controller is now deployed. To use it, write an Ingress rule. Here the existing jenkins service is used as the example, showing how to make this service reachable by domain name:

    $ kubectl get svc,ep
    NAME                 TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)          AGE
    svc/jenkinsservice   NodePort   10.254.70.47   <none>        8080:30002/TCP   3h

    NAME                ENDPOINTS                             AGE
    ep/jenkinsservice   172.30.10.15:8080,172.30.11.7:8080    3h

Now write an Ingress rule for the jenkins service:

    $ cat jenkins-ingress.yml
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: jenkins-ingress
      namespace: default               # use the namespace the service lives in
      annotations:
        kubernetes.io/ingress.class: "nginx"
    spec:
      rules:
      - host: ingress.jenkins.com      # the domain name used to reach this service
        http:
          paths:
          - backend:
              serviceName: jenkinsservice
              servicePort: 8080

Create it:

    $ kubectl create -f jenkins-ingress.yml
    ingress "jenkins-ingress" created
    $ kubectl get ingress
    NAME              HOSTS                 ADDRESS   PORTS   AGE
    jenkins-ingress   ingress.jenkins.com             80      10s

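The deployment is now complete. Once the domain name is set up, the service can be reached through it.

With the deployment done, look at what has changed in the nginx configuration file inside nginx-ingress-controller: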

    upstream default-jenkinsservice-8080 {
        least_conn;
        server 172.30.10.15:8080 max_fails=0 fail_timeout=0;
        server 172.30.11.7:8080 max_fails=0 fail_timeout=0;
    }
    upstream upstream-default-backend {
        least_conn;
        server 172.30.11.6:8080 max_fails=0 fail_timeout=0;
    }
    server {
        server_name ingress.jenkins.com;
        listen [::]:80;
        location / {
            ...
            proxy_pass http://default-jenkinsservice-8080;
            ...
        }
    }

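All of this configuration is written by ingress-controller itself. Dynamic updating means that it detects, through the K8S API, that a service's endpoints have changed, then modifies the nginx configuration and runs a reload.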
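The render-and-reload cycle described above, as an added example that is not the controller's own code: it turns an Ingress rule plus the Service's endpoints into the upstream/server blocks shown in the post and reports whether a reload is needed. The data layout, the function names and the choice to skip rules that have no endpoints are assumptions of this example.

```python
# Constructed sample input, using the values shown on the page.
INGRESSES = [{"namespace": "default", "rules": [
    {"host": "ingress.jenkins.com", "service": "jenkinsservice", "port": 8080}]}]
ENDPOINTS = {("default", "jenkinsservice"): ["172.30.10.15:8080", "172.30.11.7:8080"]}


def render(ingresses, endpoints):
    """Build nginx upstream/server blocks from Ingress rules and endpoints."""
    blocks = []
    for ing in ingresses:
        for rule in ing["rules"]:
            # Upstream naming as in the page's output: <namespace>-<service>-<port>
            name = f'{ing["namespace"]}-{rule["service"]}-{rule["port"]}'
            addrs = sorted(endpoints.get((ing["namespace"], rule["service"]), []))
            if not addrs:
                # Assumption of this example: a rule with no endpoints emits
                # nothing, because an empty upstream block is invalid in nginx.
                continue
            servers = "".join(
                f"    server {a} max_fails=0 fail_timeout=0;\n" for a in addrs)
            blocks.append(
                f"upstream {name} {{\n    least_conn;\n{servers}}}\n"
                f"server {{\n    server_name {rule['host']};\n    listen [::]:80;\n"
                f"    location / {{\n        proxy_pass http://{name};\n    }}\n}}\n")
    return "".join(blocks)


def sync(last_config, ingresses, endpoints):
    """Return (config, reload_needed); reload only when the rendered text changed."""
    config = render(ingresses, endpoints)
    return config, config != last_config


if __name__ == "__main__":
    config, reload_needed = sync("", INGRESSES, ENDPOINTS)
    print(config)
    print("reload needed:", reload_needed)
```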

This completes the deployment.

There are many other ways to deploy Ingress, such as configuring HTTPS access; I will write about those later.


Original article: http://blog.51cto.com/newfly/2060587
