kubernetes 部署 nginx-ingress-controller

本文涉及的产品
全局流量管理 GTM,标准版 1个月
公共DNS(含HTTPDNS解析),每月1000万次HTTP解析
云解析 DNS,旗舰版 1个月
简介: kubernetes 部署 nginx-ingress-controller

此文章是基于 kubernetes v1.19.7 版本写的

  • rbacrbac.authorization.k8s.io/v1 版本
  • ingressnetworking.k8s.io/v1 版本
  • 可以使用 kubectl api-versions 命令来查看自己当前的 api 版本是否支持,不同的 api 版本, yaml 文件内的字段使用会不一样

准备 yaml 文件

namespace.yaml

---
apiVersion: v1
kind: Namespace
metadata:
  labels:
    name: ingress-nginx
  name: ingress-nginx

nginx-ingress-controller-sa.yaml

---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: nginx-ingress-serviceaccount
  namespace: ingress-nginx

nginx-ingress-controller-rbac.yaml

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: nginx-ingress-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - nodes
  - pods
  - secrets
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - extensions
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: nginx-ingress-role
  namespace: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  - secrets
  - namespaces
  verbs:
  - get
- apiGroups:
  - ""
  resourceNames:
  - ingress-controller-leader-nginx
  resources:
  - configmaps
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: nginx-ingress-role-nisa-binding
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
- kind: ServiceAccount
  name: nginx-ingress-serviceaccount
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: nginx-ingress-clusterrole-nisa-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
- kind: ServiceAccount
  name: nginx-ingress-serviceaccount
  namespace: ingress-nginx

nginx-ingress-controller-cm.yaml

---
apiVersion: v1
data:
  use-forwarded-headers: "true"
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: nginx-configuration
  namespace: ingress-nginx

udp-service-cm.yaml

---
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: udp-services
  namespace: ingress-nginx

tcp-service-cm.yaml

---
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: tcp-services
  namespace: ingress-nginx

nginx-ingress-controller-ds.yaml

---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx
  namespace: ingress-nginx
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  type: NodePort
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: nginx-ingress-controller
  namespace: ingress-nginx
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    spec:
      containers:
      - args:
        - /nginx-ingress-controller
        - --configmap=$(POD_NAMESPACE)/nginx-configuration
        - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
        - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
        - --publish-service=$(POD_NAMESPACE)/ingress-nginx
        - --annotations-prefix=nginx.ingress.kubernetes.io
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:0.26.1
        lifecycle:
          preStop:
            exec:
              command:
              - /wait-shutdown
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 10
        name: nginx-ingress-controller
        ports:
        - containerPort: 80
          name: http
        - containerPort: 443
          name: https
        - containerPort: 10254
          name: metrics
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 10
        securityContext:
          allowPrivilegeEscalation: true
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
          runAsUser: 33
      hostNetwork: true
      serviceAccountName: nginx-ingress-serviceaccount
      terminationGracePeriodSeconds: 30

部署 nginx-ingress-controller

kubectl apply -f namespace.yaml
kubectl apply -f nginx-ingress-controller-sa.yaml
kubectl apply -f nginx-ingress-controller-rbac.yaml
kubectl apply -f nginx-ingress-controller-cm.yaml
kubectl apply -f upd-service-cm.yaml
kubectl apply -f tcp-service-cm.yaml
kubectl apply -f nginx-ingress-controller-ds.yaml

配置 ingress 规则

  • 准备一个 nginx 服务,如果已有,可以跳过这一步
  • 这里配置了两个 service,一个是 ClusterIP,一个是 NodePort,用来做对比
cat <<EOF | kubectl apply -f -
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: nginx
  name: nginx-ingress
spec:
  selector:
    app: nginx
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: nginx
  name: nginx-nodeport
spec:
  type: NodePort
  selector:
    app: nginx
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-dp
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80
EOF
  • 查看 NodePort 端口,因为没有在 yaml 文件里面去指定端口
  • 这里是方便学习,没有去指定 namespace,实际使用的时候,一定要区分 namespace,不要去使用 default 这个 namespace
kubectl get svc

可以看到,暴露出来的端口是 32074

NAME             TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
kubernetes       ClusterIP   10.254.0.1      <none>        443/TCP        42h
nginx-ingress    ClusterIP   10.254.96.138   <none>        80/TCP         72s
nginx-nodeport   NodePort    10.254.87.143   <none>        80:32074/TCP   72s

通过 netstat命令可以过滤到 32074 这个端口,并且是 kube-proxy 开放出来的,也可以去其他节点验证

netstat -anput | grep 32074

可以通过访问 ip:32074 来验证

curl -I 192.168.11.150:32074

返回状态码 200,表示成功

HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Sat, 08 Jul 2023 10:00:07 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 04 Dec 2018 14:44:49 GMT
Connection: keep-alive
ETag: "5c0692e1-264"
Accept-Ranges: bytes

在没有 ingress 规则的时候,我们去访问 80 端口是返回 404

curl -I 192.168.11.150
HTTP/1.1 404 Not Found
Server: openresty/1.15.8.2
Date: Sat, 08 Jul 2023 10:01:11 GMT
Content-Type: text/html
Content-Length: 159
Connection: keep-alive

下面来配置 ingress 规则

cat <<EOF | kubectl apply -f -
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
   name: ingress-study
spec:
  rules:
  # host 字段不写,表示使用 ip 访问
  ## host 字段可以写域名,如果没有 dns 解析,可以本地做 hosts 来验证
  - host: 
    http:
      paths:
      - backend:
          service:
            name: nginx-ingress
            port: 
              number: 80
        path: /
        pathType: Prefix
EOF

这个时候就可以用 80 端口来验证了

curl -I 192.168.11.150

返回的状态码变成 200

HTTP/1.1 200 OK
Server: openresty/1.15.8.2
Date: Sat, 08 Jul 2023 10:09:32 GMT
Content-Type: text/html
Content-Length: 612
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Tue, 04 Dec 2018 14:44:49 GMT
ETag: "5c0692e1-264"
Accept-Ranges: bytes

使用域名的方式

cat <<EOF | kubectl apply -f -
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
   name: ingress-study-domain
spec:
  rules:
  # host 字段不写,表示使用 ip 访问
  ## host 字段可以写域名,如果没有 dns 解析,可以本地做 hosts 来验证
  - host: nginx.ingress.study
    http:
      paths:
      - backend:
          service:
            name: nginx-ingress
            port: 
              number: 80
        path: /
        pathType: Prefix
EOF

增加本地 hosts 解析,这里拿 linux 举栗子

echo '192.168.11.150 nginx.ingress.study' >> /etc/hosts

这个时候去访问域名,一样可以返回 200

curl -I nginx.ingress.study
HTTP/1.1 200 OK
Server: openresty/1.15.8.2
Date: Sat, 08 Jul 2023 10:14:07 GMT
Content-Type: text/html
Content-Length: 612
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Tue, 04 Dec 2018 14:44:49 GMT
ETag: "5c0692e1-264"
Accept-Ranges: bytes

tcp-services 和 udp-services

通过 ingress-nginx-controller 来暴露本地的端口,通过不同的 configmap 来指定端口的协议

定义格式:<本机暴露的端口>: <service 的 namespace>/<需要转发的 service 的名字>:<需要转发的 service 的端口>

exposing-tcp-udp-services

cat <<EOF | kubectl apply -f -
---
apiVersion: v1
kind: ConfigMap
data: 
  8888: default/nginx-ingress:80
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: tcp-services
  namespace: ingress-nginx
EOF

使用 ip 访问 8888 端口,一样可以返回 200

curl -I 192.168.11.150:8888
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Sat, 08 Jul 2023 10:32:24 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 04 Dec 2018 14:44:49 GMT
Connection: keep-alive
ETag: "5c0692e1-264"
Accept-Ranges: bytes


相关实践学习
通过Ingress进行灰度发布
本场景您将运行一个简单的应用,部署一个新的应用用于新的发布,并通过Ingress能力实现灰度发布。
容器应用与集群管理
欢迎来到《容器应用与集群管理》课程,本课程是“云原生容器Clouder认证“系列中的第二阶段。课程将向您介绍与容器集群相关的概念和技术,这些概念和技术可以帮助您了解阿里云容器服务ACK/ACK Serverless的使用。同时,本课程也会向您介绍可以采取的工具、方法和可操作步骤,以帮助您了解如何基于容器服务ACK Serverless构建和管理企业级应用。 学习完本课程后,您将能够: 掌握容器集群、容器编排的基本概念 掌握Kubernetes的基础概念及核心思想 掌握阿里云容器服务ACK/ACK Serverless概念及使用方法 基于容器服务ACK Serverless搭建和管理企业级网站应用
目录
相关文章
|
1月前
|
Kubernetes 持续交付 Docker
利用 Docker 和 Kubernetes 实现微服务部署
【10月更文挑战第2天】利用 Docker 和 Kubernetes 实现微服务部署
|
1月前
|
Prometheus Kubernetes 监控
k8s部署针对外部服务器的prometheus服务
通过上述步骤,您不仅成功地在Kubernetes集群内部署了Prometheus,还实现了对集群外服务器的有效监控。理解并实施网络配置是关键,确保监控数据的准确无误传输。随着监控需求的增长,您还可以进一步探索Prometheus生态中的其他组件,如Alertmanager、Grafana等,以构建完整的监控与报警体系。
121 60
|
1月前
|
Prometheus Kubernetes 监控
k8s部署针对外部服务器的prometheus服务
通过上述步骤,您不仅成功地在Kubernetes集群内部署了Prometheus,还实现了对集群外服务器的有效监控。理解并实施网络配置是关键,确保监控数据的准确无误传输。随着监控需求的增长,您还可以进一步探索Prometheus生态中的其他组件,如Alertmanager、Grafana等,以构建完整的监控与报警体系。
210 62
|
1月前
|
Kubernetes 应用服务中间件 nginx
k8s学习--YAML资源清单文件托管服务nginx
k8s学习--YAML资源清单文件托管服务nginx
k8s学习--YAML资源清单文件托管服务nginx
|
1月前
|
前端开发 JavaScript 应用服务中间件
使用nginx部署网站
使用nginx部署网站
|
1月前
|
JavaScript 应用服务中间件 nginx
nginx部署vue项目
本文介绍了将Vue项目部署到Nginx的步骤,包括构建Vue项目、上传dist文件夹到服务器、安装Nginx、配置Nginx代理静态文件以及重启Nginx,确保了Vue应用可以通过域名或IP地址访问。
104 1
|
1月前
|
Kubernetes Docker 微服务
微服务实践k8s&dapr开发部署实验(1)服务调用(一)
微服务实践k8s&dapr开发部署实验(1)服务调用(一)
49 2
|
1月前
|
Kubernetes 网络安全 容器
基于Ubuntu-22.04安装K8s-v1.28.2实验(一)部署K8s
基于Ubuntu-22.04安装K8s-v1.28.2实验(一)部署K8s
210 2
|
1月前
|
前端开发 JavaScript 应用服务中间件
linux安装nginx和前端部署vue项目(实际测试react项目也可以)
本文是一篇详细的教程,介绍了如何在Linux系统上安装和配置nginx,以及如何将打包好的前端项目(如Vue或React)上传和部署到服务器上,包括了常见的错误处理方法。
284 0
linux安装nginx和前端部署vue项目(实际测试react项目也可以)
|
1月前
|
监控 应用服务中间件 网络安全
部署Django应用:使用Gunicorn和Nginx构建高效的生产环境
部署Django应用:使用Gunicorn和Nginx构建高效的生产环境
106 0