专业术语:
在这个文档中,您将看到一些在其他地方可以互换使用的术语,这可能会引起混淆。本节试图澄清这些问题。
节点:Kubernetes集群中的一个虚拟或物理机器。
2018-04-15
集群:从internet上防火墙的一组节点,这是由Kubernetes管理的主要计算资源。
边缘路由器:为你的集群执行防火墙策略的路由器。这可能是由云提供商或物理硬件组成的网关。
集群网络:根据Kubernetes网络模型,一组链接,逻辑或物理,可以促进集群内的通信。集群网络的示例包括诸如法兰绒或诸如OVS之类的sdn的覆盖。
服务:Kubernetes服务,它使用标签选择器识别一组豆荚。除非另有提及,否则服务假定只有在集群网络中具有可路由的虚拟ip。
搭建ingress 一、理论:
组件:
1、default-http-backend 提供一个404页面。当访问无效rul时,就会跳转到这个页面
2、nginx-ingress-controller.yaml ingress的控制器,实时监控集群API,根据ingress里的规则去修改后端的Nginx服务的配置文件
3、ingress 修改匹配虚拟域名的规则
4、deployment.yaml 生成服务的配置文件。
---------------------------------------------------------------------------------------------------
二、搭建
1、创建404页面
[root@iaas-01 as]# cat defautl-http-backend.yaml
apiVersion: extensions/v1beta1
kind: Deployment 指定pod类型
metadata:
name: default-http-backend 给pod起个名字
labels:
app: default-heep-backend 给标签起个名字
spec:
replicas: 1 启动几个pod
template:
metadata:
labels:
app: default-http-backend
spec:
terminationGracePeriodSeconds: 60
containers:
- name: default-http-backend
# Any image is permissable as long as:
# 1. It serves a 404 page at /
# 2. It serves 200 on a /healthz endpoint
image: docker.io/googlecontainer/defaultbackend:1.0
livenessProbe:
httpGet: 健康状态检查
path: /healthz
port: 8080 本地端口
scheme: HTTP
initialDelaySeconds: 30
timeoutSeconds: 5
ports:
- containerPort: 8080 容器中的端口
resources: 指定消耗的系统资源
limits:
cpu: 10m
memory: 20Mi
requests:
cpu: 10m
memory: 20Mi
---
apiVersion: v1
kind: Service
metadata:
name: default-http-backend
labels:
app: default-http-backend
spec:
ports:
- port: 80 对外端口
protocol: TCP 协议类型
targetPort: 8080 容器内端口
selector: 指向上面的pod的name
app: default-http-backend
2、cat nginx-ingress-controller.yaml
apiVersion: v1
kind: ReplicationController
metadata:
name: nginx-ingress-lb
labels:
name: nginx-ingress-lb
spec:
replicas: 1
template:
metadata:
labels:
name: nginx-ingress-lb
annotations:
prometheus.io/port: '10254'
prometheus.io/scrape: 'true'
spec:
terminationGracePeriodSeconds: 60
hostNetwork: true
containers:
- image: docker.io/zerosre/nginx-ingress-controller-0.9.0
name: nginx-ingress-lb
readinessProbe:
httpGet:
path: /healthz
port: 10254
scheme: HTTP
livenessProbe:
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
timeoutSeconds: 1
ports:
- containerPort: 80
hostPort: 80
- containerPort: 443
hostPort: 443
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KUBERNETES_MASTER
value: http://192.168.11.101:8080 apiserver的IP和端口。默认是8080
args:
- /nginx-ingress-controller
- --default-backend-service=$(POD_NAMESPACE)/default-http-backend指定默认的后端端口
3、cat deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: dashboard-server
spec:
replicas: 1
template:
metadata:
labels:
k8s-app: dashboard-server
version: 1.6.3
kubernetes.io/cluster-service: "true"
spec:
containers:
- name: dashboard-server
image: gcr.io/google_containers/kubernetes-dashboard-amd64:v1.6.3
resources:
# keep request = limit to keep this container in guaranteed class
limits:
cpu: 100m
memory: 50Mi
requests:
cpu: 100m
memory: 50Mi
ports:
- containerPort: 9090
livenessProbe:
httpGet:
path: /
port: 9090
initialDelaySeconds: 30
timeoutSeconds: 30
---
apiVersion: v1
kind: Service
metadata:
name: dashboard-server
labels:
k8s-app: dashboard-server
kubernetes.io/cluster-service: "true"
spec:
selector:
k8s-app: dashboard-server
ports:
- port: 80
targetPort: 9090
4、创建ingress
cat jenkins-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: dashboard-weblogic-ingress
spec:
rules:
- host: www.k8s-app.com
http:
paths:
- path: /jenkins
backend:
serviceName: jenkins
servicePort: 8015
- path: /
backend:
serviceName: dashboard-server
servicePort: 80
选自:
http://www.cnblogs.com/ericnie/p/6965091.html
基于不同域名访问的ingress
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: dashboard-weblogic-ingress
spec:
rules:
- host: www.k8s-app.com
http:
paths:
- path: /
backend:
serviceName: dashboard-server
servicePort: 80
- host: www.k8s-jenkins.com
http:
paths:
- path: /
backend:
serviceName: jenkins-huhu
servicePort: 8018
基于不同路径访问、
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: dashboard-weblogic-ingress
annotations:
ingress.kubernetes.io/rewrite-target: /
spec:
tls:
- hosts:
- www.k8s-app.com
secretName: ingress-secret
rules:
- host: www.k8s-app.com
http:
paths:
- path: /
backend:
serviceName: dashboard-server
servicePort: 80
- path: /w2
backend:
serviceName: nginx
servicePort: 80
TLS访问
自动跳转到HTTPS的URL
生成证书:
1、生成CA自签证书
mkdir cert && cd cert
openssl genrsa -out ca-key.pem 2048
openssl req -x509 -new -nodes -key ca-key.pem -days 10000 -out ca.pem -subj "/CN=kube-ca"
2、修改OpenSSL配置文件
cp /etc/pki/tls/openssl.cnf .
vim openssl.cnf
# 主要修改如下
[req]
req_extensions = v3_req # 这行默认注释关着的 把注释删掉
# 下面配置是新增的
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.k8s-app.com
#DNS.2 = kibana.mritd.me
DNS.1指的是自己的虚拟域名
3、生成证书
openssl genrsa -out ingress-key.pem 2048
openssl req -new -key ingress-key.pem -out ingress.csr -subj "/CN=www.k8s-app.com" -config openssl.cnf
openssl x509 -req -in ingress.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ingress.pem -days 365 -extensions v3_req -extfile openssl.cnf
-subj /CN=虚拟域名
4、创建保密字典(secret)
kubectl create secret tls ingress-secret --namespace=kube-system --key cert/ingress-key.pem --cert cert/ingress.pem
kubectl get secret --all-namespaces 查看保密字典
1、一定要注意namespaces的设置,必须要在统一个命名空间中
2、将ingress.yaml文件中的端口改为443
京公网安备 11010802041100号