k8s安装与配置ingress

    科技2026-02-07  1

            Ingress 在 Kubernetes 集群中主要用于把外部请求接入集群内部。Ingress 是授权入站连接到达集群服务的规则集合,为您提供七层负载均衡能力。您可以通过 Ingress 配置外部可访问的 URL、负载均衡、SSL 以及基于名称的虚拟主机等。

    一、创建一个Service,type为ClusterIP

    ---
    # Demo workload: two replicas of the linuxwebv-126 web container.
    apiVersion: apps/v1
    kind: Deployment  # resource kind
    metadata:
      name: linuxwebv-126
      # Optional; the default namespace is used when this key is omitted.
      namespace: default
      labels:
        name: linuxwebv-126
    spec:
      # Run two copies of the linuxwebv-126 Pod.
      replicas: 2
      selector:
        matchLabels:
          name: linuxwebv-126
      template:
        metadata:
          labels:
            name: linuxwebv-126
        spec:
          containers:
            - name: linuxwebv-126
              # Image reference; replace it with your own image.
              image: registry.cn-hangzhou.aliyuncs.com/saas_mirroring/ali_mi_demo:v2
              # Always: pull from the registry on every start and ignore the local copy.
              # IfNotPresent: use the local image when it exists.
              # Never: never pull; the Pod fails when the image is not present locally.
              imagePullPolicy: Always
              ports:
                - containerPort: 80
    ---
    # ClusterIP keeps this Service reachable from inside the cluster only;
    # outside traffic reaches it through the Ingress defined later on the page.
    apiVersion: v1
    kind: Service
    metadata:
      name: linuxwebv-126
      namespace: default
    spec:
      type: ClusterIP  # ClusterIP or NodePort
      # Selects the Pods that receive the traffic.
      selector:
        name: linuxwebv-126
      ports:
        - port: 80
          targetPort: 80

     二、依次执行:

    # Apply the three manifests in order: controller, NodePort Service, Ingress rule.
    # nginx-ingress.yaml refers to the TLS secret ingress-secret, which is created
    # in the certificate step further down the page.
    for manifest in mandatory.yaml service-nodeport.yaml nginx-ingress.yaml; do
      kubectl apply -f "$manifest"
    done
    # On Linux, add the host entry by editing /etc/hosts.
    nano /etc/hosts

    mandatory.yaml

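    ---
    # Namespace that holds every ingress-nginx object in this file.
    apiVersion: v1
    kind: Namespace
    metadata:
      name: ingress-nginx
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    ---
    # Controller configuration; passed to the controller with --configmap.
    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: nginx-configuration
      namespace: ingress-nginx
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    ---
    # Passed to the controller with --tcp-services-configmap; empty here.
    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: tcp-services
      namespace: ingress-nginx
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    ---
    # Passed to the controller with --udp-services-configmap; empty here.
    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: udp-services
      namespace: ingress-nginx
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    ---
    # Identity the controller Pod runs as; both bindings below grant it access.
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: nginx-ingress-serviceaccount
      namespace: ingress-nginx
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    ---
    # rbac.authorization.k8s.io/v1 replaces v1beta1, which Kubernetes 1.22 and
    # later no longer serve; the rules themselves are unchanged.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: nginx-ingress-clusterrole
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    rules:
      # Cluster-wide list/watch, secrets included: whoever controls this
      # ServiceAccount can read every Secret in the cluster. Treat the
      # controller Pod as a high-value asset and keep this binding limited
      # to the controller's ServiceAccount.
      - apiGroups:
          - ""
        resources:
          - configmaps
          - endpoints
          - nodes
          - pods
          - secrets
        verbs:
          - list
          - watch
      - apiGroups:
          - ""
        resources:
          - nodes
        verbs:
          - get
      - apiGroups:
          - ""
        resources:
          - services
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - ""
        resources:
          - events
        verbs:
          - create
          - patch
      # Read access to Ingress objects in both API groups.
      - apiGroups:
          - "extensions"
          - "networking.k8s.io"
        resources:
          - ingresses
        verbs:
          - get
          - list
          - watch
      # Write access is limited to the status subresource of Ingress objects.
      - apiGroups:
          - "extensions"
          - "networking.k8s.io"
        resources:
          - ingresses/status
        verbs:
          - update
    ---
    # Namespaced permissions inside ingress-nginx.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: nginx-ingress-role
      namespace: ingress-nginx
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    rules:
      - apiGroups:
          - ""
        resources:
          - configmaps
          - pods
          - secrets
          - namespaces
        verbs:
          - get
      - apiGroups:
          - ""
        resources:
          - configmaps
        resourceNames:
          # Defaults to "<election-id>-<ingress-class>"
          # Here: "<ingress-controller-leader>-<nginx>"
          # This has to be adapted if you change either parameter
          # when launching the nginx-ingress-controller.
          - "ingress-controller-leader-nginx"
        verbs:
          - get
          - update
      - apiGroups:
          - ""
        resources:
          - configmaps
        verbs:
          - create
      - apiGroups:
          - ""
        resources:
          - endpoints
        verbs:
          - get
    ---
    # Binds nginx-ingress-role to the controller's ServiceAccount.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: nginx-ingress-role-nisa-binding
      namespace: ingress-nginx
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: nginx-ingress-role
    subjects:
      - kind: ServiceAccount
        name: nginx-ingress-serviceaccount
        namespace: ingress-nginx
    ---
    # Binds nginx-ingress-clusterrole to the controller's ServiceAccount.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: nginx-ingress-clusterrole-nisa-binding
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: nginx-ingress-clusterrole
    subjects:
      - kind: ServiceAccount
        name: nginx-ingress-serviceaccount
        namespace: ingress-nginx
    ---
    # The ingress controller itself: a single replica listening on 80 and 443.
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nginx-ingress-controller
      namespace: ingress-nginx
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    spec:
      replicas: 1
      selector:
        matchLabels:
          app.kubernetes.io/name: ingress-nginx
          app.kubernetes.io/part-of: ingress-nginx
      template:
        metadata:
          labels:
            app.kubernetes.io/name: ingress-nginx
            app.kubernetes.io/part-of: ingress-nginx
          annotations:
            prometheus.io/port: "10254"
            prometheus.io/scrape: "true"
        spec:
          # wait up to five minutes for the drain of connections
          terminationGracePeriodSeconds: 300
          serviceAccountName: nginx-ingress-serviceaccount
          containers:
            - name: nginx-ingress-controller
              # NOTE(review): the image is pulled by tag from a mirror registry.
              # A tag can be re-pointed, so pin it by digest once the digest
              # has been verified, and check the ingress-nginx project's
              # security advisories for release 0.26.1 before exposing it.
              image: registry.aliyuncs.com/google_containers/nginx-ingress-controller:0.26.1
              args:
                - /nginx-ingress-controller
                - --configmap=$(POD_NAMESPACE)/nginx-configuration
                - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
                - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
                # Service named ingress-nginx, defined in service-nodeport.yaml.
                - --publish-service=$(POD_NAMESPACE)/ingress-nginx
                - --annotations-prefix=nginx.ingress.kubernetes.io
              securityContext:
                # NOTE(review): privilege escalation stays enabled while every
                # capability except NET_BIND_SERVICE is dropped. Presumably the
                # non-root nginx process (UID 33) needs it to obtain
                # NET_BIND_SERVICE for ports 80/443; confirm against the image
                # before switching this to false.
                allowPrivilegeEscalation: true
                capabilities:
                  drop:
                    - ALL
                  add:
                    - NET_BIND_SERVICE
                # www-data -> 33
                runAsUser: 33
              env:
                # Downward API values; POD_NAMESPACE is expanded in args above.
                - name: POD_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.name
                - name: POD_NAMESPACE
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.namespace
              ports:
                - name: http
                  containerPort: 80
                - name: https
                  containerPort: 443
              # Both probes query /healthz on 10254, the port named in the
              # prometheus.io/port annotation.
              livenessProbe:
                failureThreshold: 3
                httpGet:
                  path: /healthz
                  port: 10254
                  scheme: HTTP
                initialDelaySeconds: 10
                periodSeconds: 10
                successThreshold: 1
                timeoutSeconds: 10
              readinessProbe:
                failureThreshold: 3
                httpGet:
                  path: /healthz
                  port: 10254
                  scheme: HTTP
                periodSeconds: 10
                successThreshold: 1
                timeoutSeconds: 10
              lifecycle:
                preStop:
                  exec:
                    command:
                      - /wait-shutdown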

    service-nodeport.yaml

    ---
    # Exposes the ingress controller on fixed node ports.
    # A NodePort is opened on every node's address, so restrict access to 30080
    # and 30443 with host or network firewall rules where the nodes are reachable
    # from untrusted networks.
    apiVersion: v1
    kind: Service
    metadata:
      name: ingress-nginx
      namespace: ingress-nginx
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    spec:
      type: NodePort
      selector:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      ports:
        # HTTP: node port 30080 forwards to port 80 of the controller.
        - name: http
          protocol: TCP
          port: 80
          targetPort: 80
          nodePort: 30080
        # HTTPS: node port 30443 forwards to port 443 of the controller.
        - name: https
          protocol: TCP
          port: 443
          targetPort: 443
          nodePort: 30443

    nginx-ingress.yaml

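    ---
    # Routes requests for test.dm.com to the linuxwebv-126 Service through the
    # nginx ingress class, with TLS terminated at the ingress controller.
    # NOTE(review): extensions/v1beta1 Ingress is no longer served from
    # Kubernetes 1.22 on. Newer clusters need networking.k8s.io/v1, which uses a
    # different backend schema, together with a controller release that
    # supports it.
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: ingress-pod
      namespace: default
      annotations:
        kubernetes.io/ingress.class: "nginx"
    spec:
      tls:
        # The certificate is read from the TLS secret ingress-secret, which has
        # to exist in this Ingress's namespace (default). The certificate name
        # must match the host listed here.
        - hosts:
            - test.dm.com
          secretName: ingress-secret
      rules:
        - host: test.dm.com
          http:
            paths:
              # Explicit root path instead of a bare "path:" (null); it matches
              # every request for the host.
              - path: /
                backend:
                  serviceName: linuxwebv-126
                  servicePort: 80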

    配置ingress证书支持https(以下生成的是自签名证书,仅适合测试环境,浏览器会提示证书不受信任):

     

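    # Create key material with owner-only permissions; the private key must not
    # be readable by other users.
    umask 077
    mkdir -p /root/cert
    cd /root/cert
    # 2048-bit RSA private key for the test certificate.
    openssl genrsa -out ingress-key.pem 2048
    # Self-signed certificate. CN and subjectAltName are set to test.dm.com, the
    # host used by the Ingress rule and the hosts-file entry; a certificate
    # issued for www.test.dm.com does not match that host. -addext needs
    # OpenSSL 1.1.1 or newer. No -days is given, so the openssl default
    # validity (30 days) applies.
    openssl req -new -x509 -key ingress-key.pem -out ingress.pem \
      -subj "/C=CN/ST=BeiJing/L=BeiJing/O=xxx/OU=xxx/CN=test.dm.com" \
      -addext "subjectAltName=DNS:test.dm.com"
    # The secret lands in the current namespace; it has to be the namespace of
    # the Ingress that references ingress-secret (default).
    kubectl create secret tls ingress-secret --key ingress-key.pem --cert ingress.pem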

    在Windows机器上设置hosts:

    192.168.1.107 test.dm.com 

    在浏览器输入:https://test.dm.com:30443/

     运行效果:
