在kubernetes中,pod是应用程序的载体,我们可以通过pod的ip来访问应用程序,但是pod的ip地址不是固定的,这也就意味着不方便直接采用pod的ip对服务进行访问。
为了解决这个问题,kubernetes提供了Service资源,Service会对提供同一个服务的多个pod进行聚合,并且提供一个统一的入口地址。通过访问Service的入口地址就能访问到后面的pod服务
Kubernetes Service定义了这样一种抽象:逻辑上的一组Pod,一种可以访问它们的策略 —— 通常被称为微服务。这一组Pod能够被Service访问到,通常是通过selector实现的。
举个例子,考虑一个图片处理后端,它运行了3个副本。这些副本是可互换的——前端不需要关心它们调用了哪个后端副本。然而组成这一组后端程序的Pod实际上可能会发生变化,前端客户端不应该也没必要知道,而且也不需要跟踪这一组后端的状态。Service定义的抽象能够解耦这种关联。
Service可以提供负载均衡的能力,但是使用上存在如下限制:
只能提供4层负载均衡能力,而没有7层功能。有时我们可能需要更多的匹配规则来转发请求,这点上4层负载均衡是不支持的
如web访问的service服务示例图
在 Kubernetes 集群中,每个 Node 运行一个 kube-proxy 进程。kube-proxy 负责为 Service 实现了一种 VIP(虚拟 IP)的形式,而不是 ExternalName 的形式。
从Kubernetes v1.0开始,已经可以使用 userspace代理模式。Kubernetes v1.1添加了 iptables 代理模式,在 Kubernetes v1.2 中kube-proxy 的 iptables 模式成为默认设置。Kubernetes v1.8添加了 ipvs 代理模式。
为什么不使用 DNS 轮询?
原因如下:
Service在很多情况下只是一个概念,真正起作用的其实是kube-proxy服务进程,每个Node节点上都运行着一个kube-proxy服务进程。当创建Service的时候会通过api-server向etcd写入创建的service的信息,而kube-proxy会基于监听的机制发现这种Service的变动,然后它会将最新的Service信息转换成对应的访问规则
- # 192.168.170.138:80 是service提供的访问入口
- # 当访问这个入口的时候,可以发现后面有三个pod的服务在等待调用,
- # kube-proxy会基于rr(轮询)的策略,将请求分发到其中一个pod上去
- # 这个规则会同时在集群内的所有节点上都生成,所以在任何一个节点上访问都可以。
- [root@node1 ~]# ipvsadm -Ln
- [root@node1 ~]# ipvsadm -Ln
- IP Virtual Server version 1.2.1 (size=4096)
- Prot LocalAddress:Port Scheduler Flags
- -> RemoteAddress:Port Forward Weight ActiveConn InActConn
- TCP 192.168.170.138:30318 rr
- -> 10.244.1.6:80 Masq 1 0 0
- TCP 10.96.0.1:443 rr
- -> 192.168.170.135:6443 Masq 1 1 0
- TCP 10.96.0.10:53 rr
- -> 10.244.0.6:53 Masq 1 0 0
- -> 10.244.0.7:53 Masq 1 0 0
userspace模式下,kube-proxy会为每一个Service创建一个监听端口,发向Cluster IP的请求被Iptables规则重定向到kube-proxy监听的端口上,kube-proxy根据LB算法选择一个提供服务的Pod并和其建立链接,以将请求转发到Pod上。 该模式下,kube-proxy充当了一个四层负责均衡器的角色。由于kube-proxy运行在userspace中,在进行转发处理时会增加内核和用户空间之间的数据拷贝,虽然比较稳定,但是效率比较低
这种模式,kube-proxy 会监视 Kubernetes 控制节点对 Service 对象和 Endpoints 对象的添加和移除。 对每个 Service,它会配置 iptables 规则,从而捕获到达该 Service 的 clusterIP 和端口的请求,进而将请求重定向到 Service 的一组 backend 中的某个上面。对于每个 Endpoints 对象,它也会配置 iptables 规则,这个规则会选择一个 backend 组合。
默认的策略是,kube-proxy 在 iptables 模式下随机选择一个 backend。
使用 iptables 处理流量具有较低的系统开销,因为流量由 Linux netfilter 处理,而无需在用户空间和内核空间之间切换。 这种方法也可能更可靠。
如果 kube-proxy 在 iptables模式下运行,并且所选的第一个 Pod 没有响应,则连接失败。 这与userspace模式不同:在这种情况下,kube-proxy 将检测到与第一个 Pod 的连接已失败,并会自动使用其他后端 Pod 重试。
我们可以使用 Pod readiness 探测器 验证后端 Pod 是否可以正常工作,以便 iptables 模式下的 kube-proxy 仅看到测试正常的后端。这样做意味着可以避免将流量通过 kube-proxy 发送到已知已失败的Pod
在 ipvs 模式下,kube-proxy监视Kubernetes服务(Service)和端点(Endpoints),调用 netlink 接口相应地创建 IPVS 规则, 并定期将 IPVS 规则与 Kubernetes服务(Service)和端点(Endpoints)同步。该控制循环可确保 IPVS 状态与所需状态匹配。访问服务(Service)时,IPVS 将流量定向到后端Pod之一。
IPVS代理模式基于类似于 iptables 模式的 netfilter 挂钩函数,但是使用哈希表作为基础数据结构,并且在内核空间中工作。 这意味着,与 iptables 模式下的 kube-proxy 相比,IPVS 模式下的 kube-proxy 重定向通信的延迟要短,并且在同步代理规则时具有更好的性能。与其他代理模式相比,IPVS 模式还支持更高的网络流量吞吐量。
IPVS提供了更多选项来平衡后端Pod的流量。这些是:
注意:要在 IPVS 模式下运行 kube-proxy,必须在启动 kube-proxy 之前使 IPVS Linux 在节点上可用。 当 kube-proxy 以 IPVS 代理模式启动时,它将验证 IPVS 内核模块是否可用。 如果未检测到 IPVS 内核模块,则 kube-proxy 将退回到以 iptables 代理模式运行
Kubernetes 中Service有以下4中类型:
需要注意的是:Service 能够将一个接收 port 映射到任意的 targetPort。默认情况下,targetPort 将被设置为与 port 字段相同的值。
Service域名格式:$(service name).$(namespace).svc.cluster.local,其中 cluster.local 为指定的集群的域名
Deoployment的资源清单
- [root@k8s-master mainfest]# vim deployment.yaml
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- name: pc-deployment
- namespace: dev
- spec:
- replicas: 3
- selector:
- matchLabels:
- app: nginx-pod
- template:
- metadata:
- labels:
- app: nginx-pod
- spec:
- containers:
- - name: nginx
- image: nginx:1.17.1
- ports:
- - containerPort: 80
-
- [root@k8s-master mainfest]# kubectl create -f deployment.yaml
- deployment.apps/deploy created
-
- # 查看pod详情
- [root@k8s-master mainfest]# kubectl get pods -n dev -o wide --show-labels
- NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES LABELS
- nginx 1/1 Running 1 7d11h 10.244.2.4 node2.example.com <none> <none> <none>
- pc-deployment-5ffc5bf56c-4b776 1/1 Running 0 109s 10.244.2.7 node2.example.com <none> <none> app=nginx-pod,pod-template-hash=5ffc5bf56c
- pc-deployment-5ffc5bf56c-ktnp8 1/1 Running 0 109s 10.244.2.8 node2.example.com <none> <none> app=nginx-pod,pod-template-hash=5ffc5bf56c
- pc-deployment-5ffc5bf56c-vh4f9 1/1 Running 0 109s 10.244.1.9 node1.example.com <none> <none> app=nginx-pod,pod-template-hash=5ffc5bf56c
-
访问
- [root@k8s-master mainfest]# curl 10.244.2.7
- html>
- <html>
- <head>
- <title>Welcome to nginx!title>
- <style>
- [root@master mainfest]# curl 10.244.2.8
- html>
- <html>
- <head>
- <title>Welcome to nginx!title>
- <style>
- [root@master mainfest]# curl 10.244.1.9
- html>
- <html>
- <head>
- <title>Welcome to nginx!title>
- <style>
创建cluster IP类型的service
- [root@k8s-master mainfest]# vim svc-clusterip.yaml
- apiVersion: v1
- kind: Service
- metadata:
- name: svc-clusterip
- spec:
- type: ClusterIP //可以不写,默认为ClusterIP
- selector:
- app: nginx
- ports:
- - name: nginx
- port: 80
- targetPort: 80
-
- [root@k8s-master mainfest]# kubectl apply -f svc-clusterip.yaml
- service/svc-clusterip created
- [root@k8s-master mainfest]# kubectl get svc
- NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
- kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 6d23h
- svc-clusterip ClusterIP 10.105.207.162 <none> 80/TCP 2m39s
-
访问
- [root@k8s-master mainfest]# curl 10.105.207.162
- html>
- <html>
- <head>
- <title>Welcome to nginx!title>
- <style>
-
如果将 type 字段设置为 NodePort,则 Kubernetes 控制层面将在 --service-node-port-range 标志指定的范围内分配端口(默认值:30000-32767
- [root@k8s-master mainfest]# vim svc-nodeport.yaml
- apiVersion: v1
- kind: Service
- metadata:
- name: service-clusterip
- namespace: dev
- spec:
- selector:
- app: nginx-pod
- clusterIP: 10.97.97.97 # service的ip地址,如果不写,默认会生成一个
- type: ClusterIP
- ports:
- - port: 80 # Service端口
- targetPort: 80 # pod端口
-
- # 创建service
- [root@k8s-master mainfest]# kubectl create -f service-clusterip.yaml
- service/service-clusterip created
-
- # 查看service
- [root@k8s-master mainfest]# kubectl get svc -n dev -o wide
- NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
- service-clusterip ClusterIP 10.97.97.97 <none> 80/TCP 6s app=nginx-pod
-
- # 查看service的详细信息
- # 在这里有一个Endpoints列表,里面就是当前service可以负载到的服务入口
- [root@k8s-master mainfest]# kubectl describe svc service-clusterip -n dev
- Name: service-clusterip
- Namespace: dev
- Labels: <none>
- Annotations: <none>
- Selector: app=nginx-pod
- Type: ClusterIP
- IP Families: <none>
- IP: 10.97.97.97
- IPs: 10.97.97.97
- Port: <unset> 80/TCP
- TargetPort: 80/TCP
- Endpoints: 10.244.1.9:80,10.244.2.7:80,10.244.2.8:80
- Session Affinity: None
- Events: <none>
-
- # 查看ipvs的映射规则
- [root@k8s-master mainfest]# ipvsadm -Ln
- IP Virtual Server version 1.2.1 (size=4096)
- Prot LocalAddress:Port Scheduler Flags
- -> RemoteAddress:Port Forward Weight ActiveConn InActConn
- TCP 172.17.0.1:30318 rr
- -> 10.244.1.6:80 Masq 1 0 0
- TCP 192.168.122.1:30318 rr
- -> 10.244.1.6:80 Masq 1 0 0
-
- # 访问172.17.0.1:30318观察效果
- [root@k8s-master ~]# curl 172.17.0.1:30318
- <!DOCTYPE html>
- <html>
- <head>
- <title>Welcome to nginx!</title>
- <style>
在某些场景中,开发人员可能不想使用Service提供的负载均衡功能,而希望自己来控制负载均衡策略,针对这种情况,kubernetes提供了HeadLiness Service,这类Service不会分配Cluster IP,如果想要访问service,只能通过service的域名进行查询。
创建service-headliness.yaml
- [root@k8s-master mainfest]# vi service-headliness.yaml
- apiVersion: v1
- kind: Service
- metadata:
- name: service-headliness
- namespace: dev
- spec:
- selector:
- app: nginx-pod
- clusterIP: None # 将clusterIP设置为None,即可创建headliness Service
- type: ClusterIP
- ports:
- - port: 80
- targetPort: 80
-
- # 创建service
- [root@k8s-master mainfest]# kubectl create -f service-headliness.yaml
- service/service-headliness created
-
- # 获取service, 发现CLUSTER-IP未分配
- [root@k8s-master mainfest]# kubectl get svc service-headliness -n dev -o wide
- NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
- service-headliness ClusterIP None <none> 80/TCP 9s app=nginx-pod
-
- # 查看service详情
- [root@k8s-master mainfest]# kubectl describe svc service-headliness -n dev
- Name: service-headliness
- Namespace: dev
- Labels: <none>
- Annotations: <none>
- Selector: app=nginx-pod
- Type: ClusterIP
- IP Families: <none>
- IP: None
- IPs: None
- Port: <unset> 80/TCP
- TargetPort: 80/TCP
- Endpoints: <none>
- Session Affinity: None
- Events: <none>
-
在使用支持外部负载均衡器的云提供商的服务时,设置 type 的值为 "LoadBalancer", 将为 Service 提供负载均衡器。 负载均衡器是异步创建的,关于被提供的负载均衡器的信息将会通过 Service 的 status.loadBalancer 字段发布出去
- apiVersion: v1
- kind: Service
- metadata:
- name: my-service
- spec:
- selector:
- app: MyApp
- ports:
- - protocol: TCP
- port: 80
- targetPort: 9376
- clusterIP: 10.0.171.239
- type: LoadBalancer
- status:
- loadBalancer:
- ingress:
- - ip: 192.0.2.127
来自外部负载均衡器的流量将直接重定向到后端 Pod 上,不过实际它们是如何工作的,这要依赖于云提供商。
某些云提供商允许设置 loadBalancerIP。 在这些情况下,将根据用户设置的 loadBalancerIP 来创建负载均衡器。 如果没有设置 loadBalancerIP 字段,将会给负载均衡器指派一个临时 IP。 如果设置了 loadBalancerIP,但云提供商并不支持这种特性,那么设置的 loadBalancerIP 值将会被忽略掉。
在前面课程中已经提到,Service对集群之外暴露服务的主要方式有两种:NotePort和LoadBalancer,但是这两种方式,都有一定的缺点:
NodePort方式的缺点是会占用很多集群机器的端口,那么当集群服务变多的时候,这个缺点就愈发明显
LB方式的缺点是每个service需要一个LB,浪费、麻烦,并且需要kubernetes之外设备的支持
基于这种现状,kubernetes提供了Ingress资源对象,Ingress只需要一个NodePort或者一个LB就可以满足暴露多个Service的需求。工作机制大致如下图表示
实际上,Ingress相当于一个7层的负载均衡器,是kubernetes对反向代理的一个抽象,它的工作原理类似于Nginx,可以理解成在Ingress里建立诸多映射规则,Ingress Controller通过监听这些配置规则并转化成Nginx的反向代理配置 , 然后对外部提供服务。在这里有两个核心概念:
ingress:kubernetes中的一个对象,作用是定义请求如何转发到service的规则
ingress controller:具体实现反向代理及负载均衡的程序,对ingress定义的规则进行解析,根据配置的规则来实现请求转发,实现方式有很多,比如Nginx, Contour, Haproxy等等
Ingress(以Nginx为例)的工作原理如下:
用户编写Ingress规则,说明哪个域名对应kubernetes集群中的哪个Service
Ingress控制器动态感知Ingress服务规则的变化,然后生成一段对应的Nginx反向代理配置
Ingress控制器会将生成的Nginx配置写入到一个运行着的Nginx服务中,并动态更新
到此为止,其实真正在工作的就是一个Nginx了,内部配置了用户定义的请求转发规则
环境准备
搭建ingress环境
- # 创建文件夹
- [root@k8s-master ~]# mkdir ingress-controller
- [root@k8s-master ~]# cd ingress-controller
-
- # 获取ingress-nginx,本次案例使用的是1.31版本
- # 修改deploy.yaml文件中的仓库
- # 修改quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0
- # 为dyrnq/ingress-nginx-controller:v1.3.1
- [root@k8s-master ingress-controller]# grep image deploy.yaml
- image: dyrnq/ingress-nginx-controller:v1.3.1
- imagePullPolicy: IfNotPresent
- image: dyrnq/kube-webhook-certgen:v1.3.0
- imagePullPolicy: IfNotPresent
- image: dyrnq/kube-webhook-certgen:v1.3.0
- imagePullPolicy: IfNotPresent
- [root@k8s-master ingress-controller]#
-
-
-
- # 创建ingress-nginx
- [root@k8s-master ingress-controller]# kubectl apply -f deploy.yaml
-
-
-
- # 查看ingress-nginx
- [root@k8s-master ~]# kubectl get pods -n ingress-nginx
- NAME READY STATUS RESTARTS AGE
- ingress-nginx-admission-create-zrp92 0/1 Completed 0 49s
- ingress-nginx-admission-patch-s2fj5 0/1 Completed 0 49s
- ingress-nginx-controller-5dbc974cb-frg8k 1/1 Running 0 49s
-
-
- # 查看service
- [root@k8s-master ingress-controller]# kubectl get svc -n ingress-nginxNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
- ingress-nginx-controller NodePort 10.98.74.130 <none> 80:31313/TCP,443:32641/TCP 53s
- ingress-nginx-controller-admission ClusterIP 10.99.61.209 <none> 443/TCP 53s
编写yaml文件
- [root@k8s-master ~]# cat ingress-controller/deploy.yaml
- apiVersion: v1
- kind: Namespace
- metadata:
- labels:
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- name: ingress-nginx
- ---
- apiVersion: v1
- automountServiceAccountToken: true
- kind: ServiceAccount
- metadata:
- labels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.3.1
- name: ingress-nginx
- namespace: ingress-nginx
- ---
- apiVersion: v1
- kind: ServiceAccount
- metadata:
- labels:
- app.kubernetes.io/component: admission-webhook
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.3.1
- name: ingress-nginx-admission
- namespace: ingress-nginx
- ---
- apiVersion: rbac.authorization.k8s.io/v1
- kind: Role
- metadata:
- labels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.3.1
- name: ingress-nginx
- namespace: ingress-nginx
- rules:
- - apiGroups:
- - ""
- resources:
- - namespaces
- verbs:
- - get
- - apiGroups:
- - ""
- resources:
- - configmaps
- - pods
- - secrets
- - endpoints
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - services
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - networking.k8s.io
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - networking.k8s.io
- resources:
- - ingresses/status
- verbs:
- - update
- - apiGroups:
- - networking.k8s.io
- resources:
- - ingressclasses
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ""
- resourceNames:
- - ingress-controller-leader
- resources:
- - configmaps
- verbs:
- - get
- - update
- - apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - create
- - apiGroups:
- - coordination.k8s.io
- resourceNames:
- - ingress-controller-leader
- resources:
- - leases
- verbs:
- - get
- - update
- - apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - create
- - apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
- ---
- apiVersion: rbac.authorization.k8s.io/v1
- kind: Role
- metadata:
- labels:
- app.kubernetes.io/component: admission-webhook
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.3.1
- name: ingress-nginx-admission
- namespace: ingress-nginx
- rules:
- - apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - get
- - create
- ---
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRole
- metadata:
- labels:
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.3.1
- name: ingress-nginx
- rules:
- - apiGroups:
- - ""
- resources:
- - configmaps
- - endpoints
- - nodes
- - pods
- - secrets
- - namespaces
- verbs:
- - list
- - watch
- - apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - get
- - apiGroups:
- - ""
- resources:
- - services
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - networking.k8s.io
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
- - apiGroups:
- - networking.k8s.io
- resources:
- - ingresses/status
- verbs:
- - update
- - apiGroups:
- - networking.k8s.io
- resources:
- - ingressclasses
- verbs:
- - get
- - list
- - watch
- ---
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRole
- metadata:
- labels:
- app.kubernetes.io/component: admission-webhook
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.3.1
- name: ingress-nginx-admission
- rules:
- - apiGroups:
- - admissionregistration.k8s.io
- resources:
- - validatingwebhookconfigurations
- verbs:
- - get
- - update
- ---
- apiVersion: rbac.authorization.k8s.io/v1
- kind: RoleBinding
- metadata:
- labels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.3.1
- name: ingress-nginx
- namespace: ingress-nginx
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: ingress-nginx
- subjects:
- - kind: ServiceAccount
- name: ingress-nginx
- namespace: ingress-nginx
- ---
- apiVersion: rbac.authorization.k8s.io/v1
- kind: RoleBinding
- metadata:
- labels:
- app.kubernetes.io/component: admission-webhook
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.3.1
- name: ingress-nginx-admission
- namespace: ingress-nginx
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: ingress-nginx-admission
- subjects:
- - kind: ServiceAccount
- name: ingress-nginx-admission
- namespace: ingress-nginx
- ---
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRoleBinding
- metadata:
- labels:
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.3.1
- name: ingress-nginx
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: ingress-nginx
- subjects:
- - kind: ServiceAccount
- name: ingress-nginx
- namespace: ingress-nginx
- ---
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRoleBinding
- metadata:
- labels:
- app.kubernetes.io/component: admission-webhook
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.3.1
- name: ingress-nginx-admission
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: ingress-nginx-admission
- subjects:
- - kind: ServiceAccount
- name: ingress-nginx-admission
- namespace: ingress-nginx
- ---
- apiVersion: v1
- data:
- allow-snippet-annotations: "true"
- kind: ConfigMap
- metadata:
- labels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.3.1
- name: ingress-nginx-controller
- namespace: ingress-nginx
- ---
- apiVersion: v1
- kind: Service
- metadata:
- labels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.3.1
- name: ingress-nginx-controller
- namespace: ingress-nginx
- spec:
- externalTrafficPolicy: Local
- ipFamilies:
- - IPv4
- ipFamilyPolicy: SingleStack
- ports:
- - appProtocol: http
- name: http
- port: 80
- protocol: TCP
- targetPort: http
- - appProtocol: https
- name: https
- port: 443
- protocol: TCP
- targetPort: https
- selector:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- type: NodePort
- ---
- apiVersion: v1
- kind: Service
- metadata:
- labels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.3.1
- name: ingress-nginx-controller-admission
- namespace: ingress-nginx
- spec:
- ports:
- - appProtocol: https
- name: https-webhook
- port: 443
- targetPort: webhook
- selector:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- type: ClusterIP
- ---
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- labels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.3.1
- name: ingress-nginx-controller
- namespace: ingress-nginx
- spec:
- minReadySeconds: 0
- revisionHistoryLimit: 10
- selector:
- matchLabels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- template:
- metadata:
- labels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- spec:
- containers:
- - args:
- - /nginx-ingress-controller
- - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
- - --election-id=ingress-controller-leader
- - --controller-class=k8s.io/ingress-nginx
- - --ingress-class=nginx
- - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- - --validating-webhook=:8443
- - --validating-webhook-certificate=/usr/local/certificates/cert
- - --validating-webhook-key=/usr/local/certificates/key
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: LD_PRELOAD
- value: /usr/local/lib/libmimalloc.so
- image: dyrnq/ingress-nginx-controller:v1.3.1
- imagePullPolicy: IfNotPresent
- lifecycle:
- preStop:
- exec:
- command:
- - /wait-shutdown
- livenessProbe:
- failureThreshold: 5
- httpGet:
- path: /healthz
- port: 10254
- scheme: HTTP
- initialDelaySeconds: 10
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- name: controller
- ports:
- - containerPort: 80
- name: http
- protocol: TCP
- - containerPort: 443
- name: https
- protocol: TCP
- - containerPort: 8443
- name: webhook
- protocol: TCP
- readinessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthz
- port: 10254
- scheme: HTTP
- initialDelaySeconds: 10
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 1
- resources:
- requests:
- cpu: 100m
- memory: 90Mi
- securityContext:
- allowPrivilegeEscalation: true
- capabilities:
- add:
- - NET_BIND_SERVICE
- drop:
- - ALL
- runAsUser: 101
- volumeMounts:
- - mountPath: /usr/local/certificates/
- name: webhook-cert
- readOnly: true
- dnsPolicy: ClusterFirst
- nodeSelector:
- kubernetes.io/os: linux
- serviceAccountName: ingress-nginx
- terminationGracePeriodSeconds: 300
- volumes:
- - name: webhook-cert
- secret:
- secretName: ingress-nginx-admission
- ---
- apiVersion: batch/v1
- kind: Job
- metadata:
- labels:
- app.kubernetes.io/component: admission-webhook
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.3.1
- name: ingress-nginx-admission-create
- namespace: ingress-nginx
- spec:
- template:
- metadata:
- labels:
- app.kubernetes.io/component: admission-webhook
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.3.1
- name: ingress-nginx-admission-create
- spec:
- containers:
- - args:
- - create
- - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
- - --namespace=$(POD_NAMESPACE)
- - --secret-name=ingress-nginx-admission
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- image: dyrnq/kube-webhook-certgen:v1.3.0
- imagePullPolicy: IfNotPresent
- name: create
- securityContext:
- allowPrivilegeEscalation: false
- nodeSelector:
- kubernetes.io/os: linux
- restartPolicy: OnFailure
- securityContext:
- fsGroup: 2000
- runAsNonRoot: true
- runAsUser: 2000
- serviceAccountName: ingress-nginx-admission
- ---
- apiVersion: batch/v1
- kind: Job
- metadata:
- labels:
- app.kubernetes.io/component: admission-webhook
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.3.1
- name: ingress-nginx-admission-patch
- namespace: ingress-nginx
- spec:
- template:
- metadata:
- labels:
- app.kubernetes.io/component: admission-webhook
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.3.1
- name: ingress-nginx-admission-patch
- spec:
- containers:
- - args:
- - patch
- - --webhook-name=ingress-nginx-admission
- - --namespace=$(POD_NAMESPACE)
- - --patch-mutating=false
- - --secret-name=ingress-nginx-admission
- - --patch-failure-policy=Fail
- env:
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- image: dyrnq/kube-webhook-certgen:v1.3.0
- imagePullPolicy: IfNotPresent
- name: patch
- securityContext:
- allowPrivilegeEscalation: false
- nodeSelector:
- kubernetes.io/os: linux
- restartPolicy: OnFailure
- securityContext:
- fsGroup: 2000
- runAsNonRoot: true
- runAsUser: 2000
- serviceAccountName: ingress-nginx-admission
- ---
- apiVersion: networking.k8s.io/v1
- kind: IngressClass
- metadata:
- labels:
- app.kubernetes.io/component: controller
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.3.1
- name: nginx
- spec:
- controller: k8s.io/ingress-nginx
- ---
- apiVersion: admissionregistration.k8s.io/v1
- kind: ValidatingWebhookConfiguration
- metadata:
- labels:
- app.kubernetes.io/component: admission-webhook
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.3.1
- name: ingress-nginx-admission
- webhooks:
- - admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: ingress-nginx-controller-admission
- namespace: ingress-nginx
- path: /networking/v1/ingresses
- failurePolicy: Fail
- matchPolicy: Equivalent
- name: validate.nginx.ingress.kubernetes.io
- rules:
- - apiGroups:
- - networking.k8s.io
- apiVersions:
- - v1
- operations:
- - CREATE
- - UPDATE
- resources:
- - ingresses
- sideEffects: None
准备service与pod
- [root@k8s-master ingress-controller]# cat tomcat-nginx.yaml
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- name: nginx-deployment
- namespace: dev
- spec:
- replicas: 3
- selector:
- matchLabels:
- app: nginx-pod
- template:
- metadata:
- labels:
- app: nginx-pod
- spec:
- containers:
- - name: nginx
- image: nginx:1.17.1
- ports:
- - containerPort: 80
-
- ---
-
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- name: tomcat-deployment
- namespace: dev
- spec:
- replicas: 3
- selector:
- matchLabels:
- app: tomcat-pod
- template:
- metadata:
- labels:
- app: tomcat-pod
- spec:
- containers:
- - name: tomcat
- image: tomcat:8.5-jre10-slim
- ports:
- - containerPort: 8080
-
- ---
-
- apiVersion: v1
- kind: Service
- metadata:
- name: nginx-service
- namespace: dev
- spec:
- selector:
- app: nginx-pod
- type: ClusterIP
- ports:
- - port: 80
- targetPort: 80
-
- ---
-
- apiVersion: v1
- kind: Service
- metadata:
- name: tomcat-service
- namespace: dev
- spec:
- selector:
- app: tomcat-pod
- type: ClusterIP
- ports:
- - port: 8080
- targetPort: 8080
创建pod并且运行
- # 创建
- [root@k8s-master ingress-controller]# kubectl apply -f tomcat-nginx.yaml
- deployment.apps/nginx-deployment created
- deployment.apps/tomcat-deployment created
- service/nginx-service created
- service/tomcat-service created
- [root@k8s-master ingress-controller]#
-
-
- # 查看
- [root@k8s-master ingress-controller]# kubectl get svc -n devNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
- nginx-service ClusterIP 10.100.5.73 <none> 80/TCP 74s
- tomcat-service ClusterIP 10.100.153.3 <none> 8080/TCP 74s
- [root@k8s-master ingress-controller]# kubectl get -f tomcat-nginx.yaml
- NAME READY UP-TO-DATE AVAILABLE AGE
- deployment.apps/nginx-deployment 3/3 3 3 83s
- deployment.apps/tomcat-deployment 3/3 3 3 83s
-
- NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
- service/nginx-service ClusterIP 10.100.5.73 <none> 80/TCP 83s
- service/tomcat-service ClusterIP 10.100.153.3 <none> 8080/TCP 83s
-