一、创建资源


完整的yaml清单文件在后面。

[root@lidabai-master app]# kubectl apply -f nginx-ingress-controller.yaml
serviceaccount/nginx-ingress-serviceaccount created

【K8S】Nginx-Ingress-Controller部署,用域名的方式访问服务_nginx

二、查看服务状态


查看服务状态是否正常,刚才创建的Pod是放在kube-system名称空间的。

[root@lidabai-master app]# kubectl -n kube-system  get pod

【K8S】Nginx-Ingress-Controller部署,用域名的方式访问服务_kubernetes_02

服务状态正常!


三、创建测试的服务


$ kubectl apply  -f pod-test.yaml
$ vim pod-test.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
labels:
app: nginxx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: nginx-svc
spec:
selector:
app: nginx
ports:
- port: 80
targetPort: 80
protocol: TCP

查看服务

[root@lidabai-master app]# kubectl get svc
nginx-svc ClusterIP 10.108.224.202 <none> 80/TCP 26h

【K8S】Nginx-Ingress-Controller部署,用域名的方式访问服务_kubernetes_03


四、创建Ingress

[root@lidabai-master app]# kubectl apply -f ingress-test.yaml
[root@lidabai-master app]# cat ingress-test.yaml
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-ngi
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
ingressClassName: nginx
rules:
- host: lidabai.nginx.com #访
http:
paths:
- path: /
pathType: Prefix # Prefix
backend:
service:
name: nginx-svc #service
port:
number: 80

查看ingress

[root@lidabai-master app]# kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-ngi nginx lidabai.nginx.com 80 26h
[root@lidabai-master app]# kubectl describe ingress ingress-ngi #查看ingress的详细信息

【K8S】Nginx-Ingress-Controller部署,用域名的方式访问服务_云原生_04


五、Windows主机配置

在自己的Windows系统中使用Notpad++工具打开 C:\Windows\System32\drivers\etc\hosts文件,

【K8S】Nginx-Ingress-Controller部署,用域名的方式访问服务_运维_05

增加如下配置:

192.168.2.131  lidabai.damon.com

 注意: 这里的IP是部署的nginx-ingress-controller服务的Pod所在的节点IP

【K8S】Nginx-Ingress-Controller部署,用域名的方式访问服务_云原生_06


六、浏览器使用域名访问服务

刚才我填的域名是lidabai.nginx.com,现在我就在浏览器中用这个域名访问我的服务。

【K8S】Nginx-Ingress-Controller部署,用域名的方式访问服务_nginx_07

可以看到可以访问到我们后端部署的nginx服务。

七、完整的yaml文件说明

完整的yaml文件如下,总共会部署2个pod:

default-http-backend:负责配置默认的转发规则;

nginx-ingress-controller:基于nginx实现的控制器服务。这两个Pod需要调度到同一节点,所有用affinity Pod亲和性将2个pod调度到一起了。

---
apiVersion: v1
kind: ServiceAccount
metadata:
name: nginx-ingress-serviceaccount
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: nginx-ingress-clusterrole #这个ServiceAcount所绑定的集群角色
rules:
- apiGroups:
- ""
resources: #此集群角色的权限,它能操作的API资源
- configmaps
- endpoints
- nodes
- pods
- secrets
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- "extensions"
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- "extensions"
resources:
- ingresses/status
verbs:
- update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: nginx-ingress-role #这是一个角色,而非集群角色
namespace: kube-system
rules: #角色的权限
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
# Defaults to "<election-id>-<ingress-class>"
# Here: "<ingress-controller-leader>-<nginx>"
# This has to be adapted if you change either parameter
# when launching the nginx-ingress-controller.
- "ingress-controller-leader-nginx"
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
- create
- update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding #角色绑定
metadata:
name: nginx-ingress-role-nisa-binding
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: nginx-ingress-role
subjects:
- kind: ServiceAccount
name: nginx-ingress-serviceaccount #绑定在这个用户
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding #集群绑定
metadata:
name: nginx-ingress-clusterrole-nisa-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nginx-ingress-clusterrole
subjects:
- kind: ServiceAccount
name: nginx-ingress-serviceaccount #集群绑定到这个serviceacount
namespace: kube-system #集群角色是可以跨namespace,但是这里只指明给这个namespce来使用

---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-ingress-controller
labels:
k8s-app: nginx-ingress-controller
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
k8s-app: nginx-ingress-controller
template:
metadata:
labels:
k8s-app: nginx-ingress-controller
spec:
# hostNetwork makes it possible to use ipv6 and to preserve the source IP correctly regardless of docker configuration
# however, it is not a hard dependency of the nginx-ingress-controller itself and it may cause issues if port 10254 already is taken on the host
# that said, since hostPort is broken on CNI (https://github.com/kubernetes/kubernetes/issues/31307) we have to use hostNetwork where CNI is used
# like with kubeadm
terminationGracePeriodSeconds: 60
hostNetwork: true #表示容器使用和宿主机一样的网络
serviceAccountName: nginx-ingress-serviceaccount #引用前面创建的serviceacount
containers:
- image: registry.cn-hangzhou.aliyuncs.com/peter1009/nginx-ingress-controller:0.20.0 #容器使用的镜像
name: nginx-ingress-controller
readinessProbe: #启动这个服务时要验证/healthz 端口10254会在运行的node上监听。
httpGet:
path: /healthz
port: 10254
scheme: HTTP
livenessProbe:
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10 #每隔10做健康检查
timeoutSeconds: 1
ports:
- containerPort: 80
hostPort: 80 #80映射到80
# - containerPort: 443
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
args:
- /nginx-ingress-controller
- --default-backend-service=$(POD_NAMESPACE)/default-http-backend
# - --default-ssl-certificate=$(POD_NAMESPACE)/ingress-secret #这是启用Https时用的
# nodeSelector: #指明运行在哪,此IP要和default backend是同一个IP
# kubernetes.io/hostname: 10.3.1.17 #上面映射到了hostport80,确保此IP80,443没有占用.


---
apiVersion: apps/v1
kind: Deployment
metadata:
name: default-http-backend
labels:
k8s-app: default-http-backend
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
k8s-app: default-http-backend
template:
metadata:
labels:
k8s-app: default-http-backend
spec:
terminationGracePeriodSeconds: 60
containers:
- name: default-http-backend
# Any image is permissable as long as:
# 1. It serves a 404 page at /
# 2. It serves 200 on a /healthz endpoint
image: registry.cn-hangzhou.aliyuncs.com/hachikou/defaultbackend:1.0
livenessProbe:
httpGet:
path: /healthz #这个URI是 nginx-ingress-controller中nginx里配置好的localtion
port: 8080
scheme: HTTP
initialDelaySeconds: 30 #30s检测一次/healthz
timeoutSeconds: 5
ports:
- containerPort: 8080
resources:
limits:
cpu: 10m
memory: 20Mi
requests:
cpu: 10m
memory: 20Mi
affinity: #Pod亲和性调度,default需要跟前面的nginx的Pod在同一节点
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: k8s-app
operator: In
values:
- nginx-ingress-controller
topologyKey: "kubernetes.io/hostname"

---
apiVersion: v1
kind: Service
metadata:
name: default-http-backend
namespace: kube-system
labels:
k8s-app: default-http-backend
spec:
ports:
- port: 80
targetPort: 8080
selector:
k8s-app: default-http-backend

【K8S】Nginx-Ingress-Controller部署,用域名的方式访问服务_云原生_08

【K8S】Nginx-Ingress-Controller部署,用域名的方式访问服务_运维_09