2025-04-09 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Environment introduction

Host      IP address      Service
master    192.168.1.21    k8s
node01    192.168.1.22    k8s
node02    192.168.1.23    k8s

1. First, get the ingress-nginx-controller service running.

Find the yaml file for the required ingress on GitHub.

4. Download on master:

[root@master ingress]# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.29.0/deploy/static/mandatory.yaml

5. Modify the mandatory.yaml file:

[root@master ingress]# vim mandatory.yaml

hostNetwork: true    # line 213

(1) Execute:

[root@master ingress]# kubectl apply -f mandatory.yaml

(2) Check:

[root@master ingress]# kubectl get pod -n ingress-nginx

2. Expose ingress-nginx-controller as a Service resource object.

[root@master yaml]# vim service-nodeport.yaml

apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---

(1) Execute:

[root@master ingress]# kubectl apply -f service-nodeport.yaml

(2) Check:

[root@master ingress]# kubectl get svc -n ingress-nginx

3. Create a deployment resource and a service resource, and associate them with each other.

[root@master yaml]# vim deploy1.yaml

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: deploy1
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx1
    spec:
      containers:
        - name: nginx1
          image: nginx
---
apiVersion: v1
kind: Service
metadata:
  name: svc-1
spec:
  selector:
    app: nginx1
  ports:
    - port: 80
      targetPort: 80

Execute:

[root@master yaml]# kubectl apply -f deploy1.yaml

Check:

[root@master yaml]# kubectl get pod
[root@master yaml]# kubectl get svc

Then copy the deploy1.yaml manifest to create another "pair" of services.

[root@master yaml]# vim deploy2.yaml

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: deploy2
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx2
    spec:
      containers:
        - name: nginx2
          image: nginx
---
apiVersion: v1
kind: Service
metadata:
  name: svc-2
spec:
  selector:
    app: nginx2
  ports:
    - port: 80
      targetPort: 80

Execute:

[root@master yaml]# kubectl apply -f deploy2.yaml

Check:

[root@master yaml]# kubectl get deployments

4. Create a yaml file for the ingress rules, associating them with svc-1 and svc-2.

[root@master yaml]# vim ingress.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-1
spec:
  rules:
    - host: www1.bdqn.com
      http:
        paths:
          - path: /
            backend:
              serviceName: svc-1
              servicePort: 80
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-2
spec:
  rules:
    - host: www2.bdqn.com
      http:
        paths:
          - path: /
            backend:
              serviceName: svc-2
              servicePort: 80

Execute:

[root@master yaml]# kubectl apply -f ingress.yaml

Check:

[root@master yaml]# kubectl get ingresses
[root@master yaml]# kubectl describe ingresses ingress-1
[root@master yaml]# kubectl describe ingresses ingress-2

5. Because this is a lab environment, the domain names are simulated. On the local Windows client, go to C:\Windows\System32\drivers\etc, modify the hosts file, and add the IP of the node where the ingress-controller Pod is running.

Access:

[root@master yaml]# kubectl get svc -n ingress-nginx    # view the mapped port

http://www1.bdqn.com:30817/
http://www2.bdqn.com:30817/

To summarize, this is how the pods in the example above become reachable by a client, step by step:

backend pod ==> service ==> ingress rule ==> written into the ingress-nginx-controller configuration file and automatically reloaded so the change takes effect ==> the domain name is resolved locally ==> the client reaches the backend pod through the domain name plus the mapped port

Using Ingress resources to provide HTTPS proxy access

In the steps above, ingress-nginx provides a unified entry point for all backend pods. That leaves a serious question to consider: how do we configure CA certificates for our pods to achieve HTTPS access? Configure the CA directly in each pod? How many repetitive operations would that require? Moreover, a pod can be killed and re-created by the kubelet at any time. There are several solutions to these problems, such as building the CA directly into the image, but this requires a lot of CA certificates.

Here is an easier way. In the case above, multiple pods at the back end are associated with a service, the service is discovered by the ingress rules and dynamically written into the ingress-nginx-controller container, and a Service mapping a port on the cluster nodes is created for ingress-nginx-controller so that clients can access it.

In this chain, the key point is the ingress rules. We only need to configure the CA certificate for the domain name in the ingress yaml file, so that the domain name can be accessed through HTTPS. How the domain name is then associated with the pods that provide the service at the back end is communication inside the K8s cluster: TLS has already been terminated at the ingress controller, and in this setup that internal hop stays on plain HTTP (unencrypted), which is considered acceptable here.

1. Generate the certificate.

[root@master yaml]# mkdir https    # create a directory
[root@master yaml]# cd https/
[root@master https]# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=testsvc/O=testsvc"    # generate a certificate

2. Create a secret resource and save the certificate.

[root@master https]# kubectl create secret tls tls-secret --key=tls.key --cert tls.crt

3. Create a deploy3.yaml file to simulate a web service.

[root@master yaml]# vim deploy3.yaml

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: deploy3
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx3
    spec:
      containers:
        - name: nginx3
          image: nginx
---
apiVersion: v1
kind: Service
metadata:
  name: svc-3
spec:
  selector:
    app: nginx3
  ports:
    - port: 80
      targetPort: 80

Execute:

[root@master https]# kubectl apply -f deploy3.yaml

Check:

[root@master https]# kubectl get pod
[root@master https]# kubectl get svc

4. Create the corresponding ingress rules.

[root@master https]# vim ingress.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-3
spec:
  tls:
    - hosts:
        - www3.bdqn.com          # domain name
      secretName: tls-secret     # saved certificate
  rules:
    - host: www3.bdqn.com
      http:
        paths:
          - path: /
            backend:
              serviceName: svc-3
              servicePort: 80

Execute:

[root@master https]# kubectl apply -f ingress.yaml

Check:

[root@master https]# kubectl get ingresses

5. Find the NodePort that the Service maps to port 443 and access it directly with your browser. On the local Windows client, go to C:\Windows\System32\drivers\etc, modify the hosts file, and add the IP of the node where the ingress-controller Pod is running.

View the mapped port:

[root@master https]# kubectl get svc -n ingress-nginx

https://www3.bdqn.com:31372/

A K8s cluster follows the principle that "everything is a resource": the generated CA certificate is stored as a shared resource, and you only need to bind the saved certificate where it is used. There is no longer any need to create a CA certificate for each pod one by one and then associate each of them, which makes this approach convenient and fast.
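
The following added example (not code from the original article) audits the Ingress objects created in both parts of this walkthrough and reports which rule hosts are covered by a tls block with a secret and which are still served over plain HTTP. The sample data is constructed to mirror ingress-1, ingress-2 and ingress-3; the function names and status strings are assumptions of this example.

```python
import json
import sys

def ingress(name, host, svc, tls=None):
    """Build a trimmed extensions/v1beta1 Ingress object (constructed sample data)."""
    spec = {"rules": [{"host": host, "http": {"paths": [
        {"path": "/", "backend": {"serviceName": svc, "servicePort": 80}}]}}]}
    if tls:
        spec["tls"] = tls
    return {"kind": "Ingress", "metadata": {"name": name}, "spec": spec}

# Constructed stand-in for `kubectl get ingress -o json` after both parts of the walkthrough.
SAMPLE = {"items": [
    ingress("ingress-1", "www1.bdqn.com", "svc-1"),
    ingress("ingress-2", "www2.bdqn.com", "svc-2"),
    ingress("ingress-3", "www3.bdqn.com", "svc-3",
            tls=[{"hosts": ["www3.bdqn.com"], "secretName": "tls-secret"}]),
]}

def host_matches(pattern, host):
    """Exact match, or a '*.domain' pattern covering exactly one leading label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        label, _, rest = host.partition(".")
        return bool(label) and rest == pattern[2:]
    return pattern == host

def audit_ingress_tls(ingress_list):
    """Return (ingress, host, status) per rule host; status is 'tls:<secret>',
    'tls-without-secret' (covered, but no secretName) or 'http-only'."""
    findings = []
    for item in ingress_list.get("items", []):
        spec = item.get("spec", {})
        for rule in spec.get("rules", []):
            host = rule.get("host", "")
            covering = [t for t in spec.get("tls", [])
                        if any(host_matches(h, host) for h in t.get("hosts", []))]
            secrets = [t["secretName"] for t in covering if t.get("secretName")]
            status = ("tls:" + secrets[0]) if secrets else (
                "tls-without-secret" if covering else "http-only")
            findings.append((item["metadata"]["name"], host, status))
    return findings

if __name__ == "__main__":
    data = SAMPLE
    if len(sys.argv) > 1:  # optional: a file saved from `kubectl get ingress -o json`
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    for name, host, status in audit_ingress_tls(data):
        print(f"{name:10} {host:15} {status}")
```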