Shulou (Shulou.com), 06/03 report. Updated 2025-04-02.
Kubernetes series: using ingress-nginx as a reverse proxy in Kubernetes
# I. Introduction to Ingress
In Kubernetes, the IP addresses of Services and Pods can only be used inside the cluster network and are not visible to applications outside the cluster. To let external applications reach services inside the cluster, Kubernetes currently provides the following solutions:
NodePort
LoadBalancer
Ingress
# 1. Ingress composition
Ingress controller
Converts newly added Ingress objects into Nginx configuration and makes it take effect.
Ingress service
Abstracts the Nginx configuration into an Ingress object, so each new service only needs a new Ingress YAML file.
# 2. How Ingress works
1. The ingress controller interacts with the Kubernetes API and dynamically detects changes to the Ingress rules in the cluster.
2. It then reads the rules. A rule specifies which domain name corresponds to which Service, and from these rules the controller generates an Nginx configuration.
3. The configuration is then written into the nginx-ingress-controller pod: an Nginx service runs in the Ingress controller's pod, and the controller writes the generated Nginx configuration to the /etc/nginx.conf file.
4. Nginx is then reloaded so that the configuration takes effect. This solves the problem of configuring domain names and updating them dynamically.
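The generate step in the list above, as an added Python sketch (not ingress-nginx's own template or code): it turns Ingress rules into nginx `server` blocks and refuses host, path or backend values that could break out of a directive. The `render` function, the `cluster_ips` lookup, the ClusterIP and the `bad-ingress` object are assumptions made for illustration; certificate directives and endpoint resolution are left out.

```python
import re

# Values copied into nginx directives must not be able to end a directive or
# open a block, so only plain DNS names and URL paths are accepted.
HOST_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}")
PATH_RE = re.compile(r"/[A-Za-z0-9._~/-]*")


def render(ingresses, cluster_ips):
    """Simplified model of step 2: Ingress rules in, nginx server blocks out.

    cluster_ips maps (namespace, service) -> ClusterIP (hypothetical lookup).
    Returns (config_text, rejected); rejected lists the rules that were skipped.
    """
    blocks, rejected = [], []
    for ing in ingresses:
        ns, name = ing["namespace"], ing["name"]
        tls_hosts = {h for t in ing.get("tls", []) for h in t["hosts"]}
        for rule in ing["rules"]:
            host = rule["host"]
            if not HOST_RE.fullmatch(host):
                rejected.append((ns, name, "host"))
                continue
            locs = []
            for p in rule["paths"]:
                ip, port = cluster_ips.get((ns, p["serviceName"])), p["servicePort"]
                if ip is None or type(port) is not int or not PATH_RE.fullmatch(p["path"]):
                    rejected.append((ns, name, "backend"))
                    continue
                locs.append(f"  location {p['path']} {{ proxy_pass http://{ip}:{port}; }}")
            if locs:
                listen = "listen 443 ssl;" if host in tls_hosts else "listen 80;"
                head = f"server {{\n  {listen}\n  server_name {host};"
                blocks.append("\n".join([head, *locs, "}"]))
    return "\n".join(blocks), rejected


# Constructed input: the page's app-ingress plus an Ingress with a hostile host.
SAMPLE = [
    {"namespace": "default", "name": "app-ingress",
     "tls": [{"hosts": ["www.bjwf125.com"]}],
     "rules": [{"host": "www.bjwf125.com", "paths": [
         {"path": "/", "serviceName": "app-nginx", "servicePort": 80}]}]},
    {"namespace": "default", "name": "bad-ingress",
     "rules": [{"host": "x.example.com; } server {", "paths": [
         {"path": "/", "serviceName": "app-nginx", "servicePort": 80}]}]},
]
IPS = {("default", "app-nginx"): "10.100.0.20"}  # constructed ClusterIP
CONF, REJECTED = render(SAMPLE, IPS)
```

`CONF` holds a single server block for www.bjwf125.com, and `REJECTED` records the Ingress whose host failed validation.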
# 3. What problems can be solved by Ingress
1. Dynamic service configuration
In the traditional approach, every time we add a new service we may need to add a reverse proxy entry at the traffic entrance that points to the new K8s service. With Ingress, you only need to configure the service; when the service starts, it is registered with Ingress automatically, with no additional operation.
2. Fewer unnecessarily exposed ports
Anyone who has configured K8s knows that the first step is to turn off the firewall, mainly because many K8s services are exposed through NodePort, which amounts to drilling a lot of holes in the host and is neither safe nor elegant. Ingress avoids this problem: apart from Ingress's own service, which may need to be exposed, other services should not use NodePort mode.
# II. Deploy and configure ingress-nginx
1. Download the configuration file (the combined manifest)
```
# cd /data/kubernetes/ingress-nginx
# wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml
```
2. File description
The manifest can be divided into five separate files:
1. namespace.yaml
Creates a separate namespace, ingress-nginx.
2. configmap.yaml
A ConfigMap stores common configuration variables, similar to a configuration file, so that users can manage the environment variables used by different modules of a distributed system in one object. Unlike a configuration file, it lives in the "environment" of the cluster and supports all the common operations of a K8S cluster.
From a data perspective, a ConfigMap is just a set of key-value pairs used to store information accessed by Pods or other resource objects such as RC. This is similar to the design of a Secret; the main difference is that a ConfigMap is not usually used to store sensitive information, only simple text.
A ConfigMap can hold the properties of environment variables, or it can hold configuration files.
When a pod is created, the ConfigMap is bound to it, and the applications in the pod can refer to the ConfigMap's configuration directly. In effect, the ConfigMap encapsulates the configuration for the application and its runtime environment.
Pods commonly use a ConfigMap to set the values of environment variables, set command-line parameters, and create configuration files.
3. default-backend.yaml
If the domain name requested from outside does not exist, the request is forwarded by default to the Service default-http-backend, which directly returns 404.
4. rbac.yaml
Handles RBAC authorization for Ingress. It creates the ServiceAccount, ClusterRole, Role, RoleBinding and ClusterRoleBinding used by Ingress.
5. with-rbac.yaml
This is the core of Ingress and creates the ingress-controller. As mentioned earlier, the role of the ingress-controller is to convert newly added Ingress objects into Nginx configuration.
3. Select the nodes to deploy to
```
# label master02 and master03
kubectl label nodes huoban-k8s-master02 kubernetes.io=nginx-ingress
kubectl label nodes huoban-k8s-master03 kubernetes.io=nginx-ingress
```
4. Modify the configuration file
```
vim mandatory.yaml
```
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
data:
  proxy-body-size: "200m"
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: tcp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: udp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  # Cluster-wide read access, including list/watch on Secrets
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses/status
    verbs:
      - update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "<election-id>-<ingress-class>"
      # Here: "<ingress-controller-leader>-<nginx>"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
    spec:
      # Schedule only onto the nodes labelled in step 3
      nodeSelector:
        kubernetes.io: nginx-ingress
      # Tolerate any NoSchedule taint on those nodes
      tolerations:
        - effect: NoSchedule
          operator: Exists
      # The pod shares the node's network namespace, so ports 80, 443 and
      # 10254 are bound directly on the node
      hostNetwork: true
      serviceAccountName: nginx-ingress-serviceaccount
      containers:
        - name: nginx-ingress-controller
          image: registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:0.25.1
          imagePullPolicy: IfNotPresent
          args:
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx
            - --annotations-prefix=nginx.ingress.kubernetes.io
          securityContext:
            allowPrivilegeEscalation: true
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            # www-data -> 33
            runAsUser: 33
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
          volumeMounts:
            - name: ssl
              mountPath: /etc/ingress-controller/ssl
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
      volumes:
        # TLS certificate files are mounted from NFS
        - name: ssl
          nfs:
            path: /conf/global_sign_ssl
            server: 0a52248244-vcq8.cn-hangzhou.nas.aliyuncs.com
---
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
```
5. Deploy
```
kubectl apply -f mandatory.yaml
```
```
namespace/ingress-nginx created
configmap/nginx-configuration created
configmap/tcp-services created
configmap/udp-services created
serviceaccount/nginx-ingress-serviceaccount created
clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole created
role.rbac.authorization.k8s.io/nginx-ingress-role created
rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding created
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding created
deployment.apps/nginx-ingress-controller created
service/ingress-nginx created
```
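What the two RBAC bindings created above give the controller's ServiceAccount, as an added Python example (not part of the original manifest or of Kubernetes): a simplified rule matcher over the ClusterRole and Role rules from this page. The helper names are hypothetical, and non-resource URLs and aggregated roles are not modelled; `list` on Secrets returns their contents, so the cluster-wide `list`/`watch` rule is the one that matters if the controller pod is compromised.

```python
def rule(groups, resources, verbs, names=None):
    return {"apiGroups": groups, "resources": resources, "verbs": verbs, "resourceNames": names}


# Rules transcribed from the ClusterRole and Role in the manifest on this page.
CLUSTER_ROLE = [
    rule([""], ["configmaps", "endpoints", "nodes", "pods", "secrets"], ["list", "watch"]),
    rule([""], ["nodes"], ["get"]),
    rule([""], ["services"], ["get", "list", "watch"]),
    rule([""], ["events"], ["create", "patch"]),
    rule(["extensions", "networking.k8s.io"], ["ingresses"], ["get", "list", "watch"]),
    rule(["extensions", "networking.k8s.io"], ["ingresses/status"], ["update"]),
]
ROLE = [  # bound by a RoleBinding, so valid only in the ingress-nginx namespace
    rule([""], ["configmaps", "pods", "secrets", "namespaces"], ["get"]),
    rule([""], ["configmaps"], ["get", "update"], ["ingress-controller-leader-nginx"]),
    rule([""], ["configmaps"], ["create"]),
    rule([""], ["endpoints"], ["get"]),
]


def _has(values, wanted):
    return "*" in values or wanted in values


def matches(rules, verb, group, resource, name=None):
    """True if any rule grants verb on group/resource (and name, if the rule pins names)."""
    for r in rules:
        if _has(r["verbs"], verb) and _has(r["apiGroups"], group) and _has(r["resources"], resource):
            if not r["resourceNames"] or name in r["resourceNames"]:
                return True
    return False


def allowed(verb, resource, namespace, group="", name=None):
    """Decision for nginx-ingress-serviceaccount under the two bindings."""
    if matches(CLUSTER_ROLE, verb, group, resource, name):
        return True  # ClusterRoleBinding: applies in every namespace
    return namespace == "ingress-nginx" and matches(ROLE, verb, group, resource, name)


def secret_exposure(namespaces):
    """Namespaces whose Secrets the ServiceAccount can read via list or get."""
    return [ns for ns in namespaces
            if allowed("list", "secrets", ns) or allowed("get", "secrets", ns)]
```

On a live cluster, `kubectl auth can-i list secrets --as=system:serviceaccount:ingress-nginx:nginx-ingress-serviceaccount -n default` asks the API server the same question.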
6. Access test
```
kubectl get pods -n ingress-nginx -o wide
NAME                                       READY   STATUS    RESTARTS   AGE   IP              NODE                  NOMINATED NODE   READINESS GATES
nginx-ingress-controller-b44c4d4d7-9rprz   1/1     Running   0          63s   172.16.17.192   huoban-k8s-master03   <none>           <none>
nginx-ingress-controller-b44c4d4d7-zfj5n   1/1     Running   0          63s   172.16.17.193   huoban-k8s-master02   <none>           <none>
[root@HUOBAN-K8S-MASTER01 mq1]# curl 172.16.17.192
404 Not Found
404 Not Found
openresty/1.15.8.1
[root@HUOBAN-K8S-MASTER01 mq1]# curl 172.16.17.193
404 Not Found
404 Not Found
openresty/1.15.8.1
kubectl get svc -n ingress-nginx -o wide
NAME            TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE    SELECTOR
ingress-nginx   ClusterIP   10.100.243.171   <none>        80/TCP,443/TCP   112s   app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx
curl http://10.100.243.171
404 Not Found
404 Not Found
openresty/1.15.8.1
```
7. Deploy an application to test it
1. Create an nginx application
```
vim app-nginx.yaml
```
```yaml
apiVersion: v1
kind: Service
metadata:
  name: app-nginx
  labels:
    app: app-nginx
spec:
  ports:
    - port: 80
  selector:
    app: app-nginx
    tier: production
---
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  name: app-nginx
spec:
  maxReplicas: 3
  minReplicas: 1
  scaleTargetRef:
    apiVersion: extensions/v1beta1
    kind: Deployment
    name: app-nginx
  targetCPUUtilizationPercentage: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-nginx
  labels:
    app: app-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app-nginx
      tier: production
  template:
    metadata:
      labels:
        app: app-nginx
        tier: production
    spec:
      containers:
        - name: app-nginx
          image: harbor.huoban.com/open/huoban-nginx:v1.1
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              memory: "50Mi"
              cpu: "25m"
          ports:
            - containerPort: 80
              name: nginx
          volumeMounts:
            - name: html
              mountPath: /usr/share/nginx/html
            - name: conf
              mountPath: /etc/nginx/conf.d
      volumes:
        - name: html
          nfs:
            path: /open/web/app
            server: 192.168.101.11
        - name: conf
          nfs:
            path: /open/conf/app/nginx
            server: 192.168.101.11
```
2. Create a TLS certificate
```
kubectl create secret tls bjwf-ingress-secret --cert=server.crt --key=server.key --dry-run -o yaml > bjwf-ingress-secret.yaml
```
3. Create the Ingress for the application
```
vim app-nginx-ingress.yaml
```
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: app-ingress
  namespace: default
spec:
  tls:
    - hosts:
        - www.bjwf125.com
      secretName: bjwf-ingress-secret
  rules:
    - host: www.bjwf125.com
      http:
        paths:
          - path: /
            backend:
              serviceName: app-nginx
              servicePort: 80
```
8. Visit the service (no screenshot in this section; the request is already redirected to 443)