本文使用的 kubernetes 环境为 v1.19,如果不是这个版本,apiVersion 可能不一样。
说明
之前通过 helm 方式安装 ingress-nginx,具体参考《3.2 使用Helm部署Nginx Ingress》。但是现在 http://mirror.azure.cn/kubernetes/charts 仓库已经无法使用,所以本文改为通过 yaml 文件安装。
创建serviceaccount
这里没有梳理控制器可能用到的权限,所以直接赋予了全部权限。apiGroups、resources、verbs 全部写成 '*' 的规则等同于 cluster-admin,只适合临时验证环境;正式环境应按控制器实际访问的资源收敛为最小权限。
# Identity used by the pods on this page; both Deployments reference it.
# The account has no rights of its own: everything it may do comes from the
# RoleBinding and ClusterRoleBinding that list it as a subject.
# The ingress-nginx namespace is not created by the manifests shown here and
# has to exist before this is applied.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: ingress-nginx
  name: nginx-ingress
---
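# Cluster-scoped permissions for the ingress controller.
#
# The tutorial text describes granting every permission ('*' for apiGroups,
# resources and verbs, repeated six times). That is the same reach as
# cluster-admin, held by a pod that terminates external traffic. The rules
# below narrow it to what the controller reads and writes.
# NOTE(review): modelled on the RBAC shipped with the upstream ingress-nginx
# static manifests for this controller generation; confirm against the
# deployed version by checking the controller log for "forbidden" errors.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nginx-ingress-normal
rules:
  # Informer caches. Cluster-wide list/watch on secrets still exposes every
  # Secret in the cluster to this pod; if Ingresses live in one namespace,
  # --watch-namespace plus a namespaced Role is the tighter option.
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  # Events the controller records about Ingress synchronisation.
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  # Both API groups are listed because Ingress moved from extensions to
  # networking.k8s.io.
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  # Status is a separate subresource; the controller writes the published
  # address there and needs no write access to the Ingress spec.
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update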
---
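# Namespace-scoped permissions for the ingress controller inside
# ingress-nginx, mainly for leader election.
#
# The tutorial text describes granting every permission; four all-'*' rules
# give full control of every object in the namespace, Secrets included.
# resourceNames takes literal object names and has no wildcard, so a '*'
# entry there does not mean "any name".
# NOTE(review): modelled on the RBAC shipped with the upstream ingress-nginx
# static manifests for this controller generation; confirm against the
# deployed version.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: nginx-ingress-minimal
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  # Leader-election lock. The name is "<election-id>-<ingress-class>", here
  # built from --election-id=ingress-controller-leader and
  # --ingress-class=nginx on the controller; change it together with them.
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - ingress-controller-leader-nginx
    verbs:
      - get
      - update
  # create cannot be limited by resourceNames, so it gets its own rule.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get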
---
# Grants the namespaced Role nginx-ingress-minimal to the nginx-ingress
# ServiceAccount. The grant applies inside ingress-nginx only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: ingress-nginx
  name: nginx-ingress-minimal
subjects:
  - kind: ServiceAccount
    namespace: ingress-nginx
    name: nginx-ingress
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-minimal
---
# Grants the ClusterRole nginx-ingress-normal to the nginx-ingress
# ServiceAccount across the whole cluster. Every rule in that ClusterRole
# therefore applies in every namespace, which makes this the binding to
# check first when auditing what the ingress pods can reach.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-normal
subjects:
  - kind: ServiceAccount
    namespace: ingress-nginx
    name: nginx-ingress
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-normal
创建configmap
# ConfigMap the controller is pointed at with --tcp-services-configmap.
# It carries no data here, so no TCP (layer-4) port is forwarded yet.
# Whoever can edit this object can open additional listening ports on the
# controller, so write access to it should be limited.
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: ingress-nginx
  name: tcp-services
创建nginx-ingress-default-backend
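# Default backend: the controller sends requests that match no Ingress rule
# to the Service in front of this pod (--default-backend-service).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress-default-backend
  namespace: ingress-nginx
  labels:
    app: nginx-ingress
    chart: nginx-ingress-1.24.5
    component: default-backend
    heritage: Tiller
    release: nginx-ingress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-ingress
      # component keeps this selector disjoint from the controller
      # Deployment, which carries the same app/release labels; overlapping
      # selectors between two Deployments are unsupported. The selector is
      # immutable in apps/v1, so an already-applied Deployment has to be
      # deleted and re-created to pick this up.
      component: default-backend
      release: nginx-ingress
  template:
    metadata:
      # creationTimestamp: null (export residue) dropped; the API server
      # sets that field.
      labels:
        app: nginx-ingress
        component: default-backend
        release: nginx-ingress
    spec:
      # serviceAccountName is the current field; serviceAccount is its
      # deprecated alias.
      serviceAccountName: nginx-ingress
      # This pod only serves HTTP on 8080 and is not expected to call the
      # Kubernetes API, so the account's token is not mounted into it.
      # NOTE(review): confirm nothing in the image reads the token.
      automountServiceAccountToken: false
      containers:
        - name: nginx-ingress-default-backend
          # Pulled by mutable tag from a private mirror; for reproducible
          # deployments pin it as <image>@sha256:<digest> (placeholder).
          image: hub.deri.org.cn/k8s/defaultbackend-amd64:1.5
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /healthz
              port: 8080
              scheme: HTTP
            periodSeconds: 5
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 6
          # No requests or limits are set, so the pod runs as BestEffort.
          resources: {}
          securityContext:
            # 65534 is an unprivileged uid; the remaining settings make that
            # explicit and remove what an HTTP server on 8080 does not need.
            runAsUser: 65534
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      # Scheduled only onto nodes labelled as edge nodes.
      nodeSelector:
        node-role.kubernetes.io/edge: ""
      restartPolicy: Always
      schedulerName: default-scheduler
      terminationGracePeriodSeconds: 60
      # Allows scheduling onto tainted master nodes if they carry the label.
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists
        - effect: PreferNoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists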
---
# Cluster-internal Service in front of the default backend. ClusterIP keeps
# it unreachable from outside the cluster; only the controller needs it.
apiVersion: v1
kind: Service
metadata:
  namespace: ingress-nginx
  name: nginx-ingress-default-backend
  labels:
    app: nginx-ingress
    chart: nginx-ingress-1.24.5
    component: default-backend
    heritage: Tiller
    release: nginx-ingress
spec:
  type: ClusterIP
  sessionAffinity: None
  # component is part of the selector, so controller pods are not matched.
  selector:
    app: nginx-ingress
    component: default-backend
    release: nginx-ingress
  ports:
    - name: http
      protocol: TCP
      port: 80
      # Resolved by name against the container port called "http" (8080).
      targetPort: http
# status is maintained by the API server; this looks like residue from
# exporting a live object.
status:
  loadBalancer: {}
创建nginx-ingress-controller
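# The ingress controller itself: nginx plus the process that watches
# Ingress objects and rewrites the nginx configuration.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
  labels:
    app: nginx-ingress
    chart: nginx-ingress-1.24.5
    component: controller
    heritage: Tiller
    release: nginx-ingress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-ingress
      # component keeps this selector disjoint from the default-backend
      # Deployment, which carries the same app/release labels; overlapping
      # selectors between two Deployments are unsupported. The selector is
      # immutable in apps/v1, so an already-applied Deployment has to be
      # deleted and re-created to pick this up.
      component: controller
      release: nginx-ingress
  template:
    metadata:
      labels:
        app: nginx-ingress
        component: controller
        release: nginx-ingress
    spec:
      # serviceAccountName is the current field; serviceAccount is its
      # deprecated alias. Whatever this account is bound to is reachable
      # from a pod that parses traffic from outside the cluster.
      serviceAccountName: nginx-ingress
      # The pod shares the node's network namespace, so every port it
      # listens on (80, 443 and the 10254 health port used by the probes)
      # is open on the node's addresses; filter them at the node or network
      # firewall as needed.
      hostNetwork: true
      # NOTE(review): with hostNetwork, ClusterFirst resolves through the
      # node's DNS; ClusterFirstWithHostNet is the value that keeps cluster
      # DNS. Left unchanged; confirm whether in-cluster names are needed.
      dnsPolicy: ClusterFirst
      # At most one controller pod per node.
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: app
                    operator: In
                    values:
                      - nginx-ingress
                  - key: component
                    operator: In
                    values:
                      - controller
              topologyKey: kubernetes.io/hostname
      containers:
        - name: nginx-ingress-controller
          # Pulled by mutable tag from a private mirror; for reproducible
          # deployments pin it as <image>@sha256:<digest> (placeholder).
          image: hub.deri.org.cn/k8s/nginx-ingress-controller:0.26.1
          imagePullPolicy: IfNotPresent
          args:
            - /nginx-ingress-controller
            - --default-backend-service=ingress-nginx/nginx-ingress-default-backend
            # election-id and ingress-class together name the leader-election
            # ConfigMap (ingress-controller-leader-nginx) that the namespaced
            # Role has to allow.
            - --election-id=ingress-controller-leader
            - --ingress-class=nginx
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            # NOTE(review): ingress-nginx/nginx-ingress-controller is not
            # defined in the manifests shown on this page.
            - --configmap=ingress-nginx/nginx-ingress-controller
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
          ports:
            - name: http
              containerPort: 80
              hostPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              hostPort: 443
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          # No requests or limits are set, so the pod runs as BestEffort.
          resources: {}
          securityContext:
            # NOTE(review): kept at true on purpose. Manifests of this
            # controller generation rely on a file capability so the non-root
            # nginx binary can bind 80/443; false reportedly breaks that.
            # Verify on the deployed image before tightening.
            allowPrivilegeEscalation: true
            # Everything is dropped except the right to bind ports below 1024.
            capabilities:
              add:
                - NET_BIND_SERVICE
              drop:
                - ALL
            runAsUser: 33
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
      # Scheduled only onto nodes labelled as edge nodes.
      nodeSelector:
        node-role.kubernetes.io/edge: ""
      restartPolicy: Always
      schedulerName: default-scheduler
      # Allows scheduling onto tainted master nodes if they carry the label.
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists
        - effect: PreferNoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists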
---
# Service in front of the controller pods.
# The controller Deployment already binds 80/443 on the node through
# hostNetwork/hostPort. This Service adds a load balancer and fixed
# NodePorts on every node on top of that, so there are several entry paths
# to review and firewall.
apiVersion: v1
kind: Service
metadata:
  namespace: ingress-nginx
  name: nginx-ingress-controller
  labels:
    app: nginx-ingress
    chart: nginx-ingress-1.24.5
    component: controller
    heritage: Tiller
    release: nginx-ingress
spec:
  type: LoadBalancer
  # Cluster spreads traffic over all nodes and hides the client source IP
  # from the controller.
  externalTrafficPolicy: Cluster
  sessionAffinity: None
  selector:
    app: nginx-ingress
    component: controller
    release: nginx-ingress
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: http
      nodePort: 31967
    - name: https
      protocol: TCP
      port: 443
      targetPort: https
      nodePort: 31276
    # NOTE(review): the controller Deployment on this page declares only the
    # container ports "http" and "https", and tcp-services carries no data,
    # so this named targetPort has nothing to resolve to as written.
    # Confirm the intended TCP backend or drop the port.
    - name: '30107-tcp'
      protocol: TCP
      port: 30107
      targetPort: '30107-tcp'
      nodePort: 32354
# status is maintained by the API server; this looks like residue from
# exporting a live object.
status:
  loadBalancer: {}