博客
关于我
强烈建议你试试无所不能的chatGPT,快点击我
kubernetes1.13.1部署ingress-nginx并配置https转发dashboard
阅读量:5823 次
发布时间:2019-06-18

本文共 10355 字,大约阅读时间需要 34 分钟。

参考

https://github.com/kubernetes/ingress-nginxhttps://www.jianshu.com/p/e30b06906b77https://github.com/kubernetes/ingress-nginx/issues/2474https://www.cnblogs.com/zhangeamon/p/7007076.htmlhttps://github.com/kubernetes/kubernetes/issues/45324https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#securitycontextdenyhttps://jimmysong.io/kubernetes-handbook/concepts/admission-controller.htmlhttps://github.com/kubernetes/ingress-nginx/issues/3608https://blog.csdn.net/ygqygq2/article/details/82791101

文档目录

简介

Ingress

An API object that manages external access to the services in a cluster, typically HTTP.
Ingress can provide load balancing, SSL termination and name-based virtual hosting.

Terminology

  • Node: A single virtual or physical machine in a Kubernetes cluster.
  • Cluster: A group of nodes firewalled from the internet, that are the primary compute resources managed by Kubernetes.
  • Edge router: A router that enforces the firewall policy for your cluster. This could be a gateway managed by a cloud provider or a physical piece of hardware.
  • Cluster network: A set of links, logical or physical, that facilitate communication within a cluster according to the Kubernetes networking model.
  • Service: A Kubernetes Service that identifies a set of pods using label selectors. Unless mentioned otherwise, Services are assumed to have virtual IPs only routable within the cluster network.

What is Ingress?

Ingress, added in Kubernetes v1.1, exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the ingress resource.

internet        |   [ Ingress ]   --|-----|--   [ Services ]

An ingress can be configured to give services externally-reachable URLs, load balance traffic, terminate SSL, and offer name based virtual hosting. An ingress controller is responsible for fulfilling the ingress, usually with a loadbalancer, though it may also configure your edge router or additional frontends to help handle the traffic.

An ingress does not expose arbitrary ports or protocols. Exposing services other than HTTP and HTTPS to the internet typically uses a service of type Service.Type=NodePort or Service.Type=LoadBalancer.

Prerequisites

FEATURE STATE: Kubernetes v1.1 beta
Before you start using an ingress, there are a few things you should understand. The ingress is a beta resource. You will need an ingress controller to satisfy an ingress, simply creating the resource will have no effect.
GCE/Google Kubernetes Engine deploys an ingress controller on the master. Review the beta limitations of this controller if you are using GCE/GKE.
In environments other than GCE/Google Kubernetes Engine, you may need to deploy an ingress controller. There are a number of ingress controller you may choose from.

Ingress controllers

In order for the ingress resource to work, the cluster must have an ingress controller running. This is unlike other types of controllers, which run as part of the kube-controller-manager binary, and are typically started automatically with a cluster. Choose the ingress controller implementation that best fits your cluster.
Kubernetes as a project currently supports and maintains GCE and nginx controllers.
Additional controllers include:
Contour is an Envoy based ingress controller provided and supported by Heptio.
F5 Networks provides support and maintenance for the F5 BIG-IP Controller for Kubernetes.
HAProxy based ingress controller jcmoraisjr/haproxy-ingress which is mentioned on the blog post HAProxy Ingress Controller for Kubernetes. HAProxy Technologies offers support and maintenance for HAProxy Enterprise and the ingress controller jcmoraisjr/haproxy-ingress.
Istio based ingress controller Control Ingress Traffic.
Kong offers community or commercial support and maintenance for the Kong Ingress Controllerfor Kubernetes.
NGINX, Inc. offers support and maintenance for the NGINX Ingress Controller for Kubernetes.
Traefik is a fully featured ingress controller (Let’s Encrypt, secrets, http2, websocket), and it also comes with commercial support by Containous.
You may deploy any number of ingress controllers within a cluster. When you create an ingress, you should annotate each ingress with the appropriate ingress-class to indicate which ingress controller should be used if more than one exists within your cluster. If you do not define a class, your cloud provider may use a default ingress provider.

官网部署方法

https://github.com/kubernetes/ingress-nginx/blob/master/docs/deploy/index.mdkubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yamlkubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/cloud-generic.yaml

部署ingress-controller

[root@elasticsearch01 ingree-nginx]# kubectl create -f mandatory.yaml namespace/ingress-nginx createdconfigmap/nginx-configuration createdconfigmap/tcp-services createdconfigmap/udp-services createdserviceaccount/nginx-ingress-serviceaccount createdclusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole createdrole.rbac.authorization.k8s.io/nginx-ingress-role createdrolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding createdclusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding createddeployment.extensions/nginx-ingress-controller created

报错

Error creating: pods "nginx-ingress-controller-565dfd6dff-g977n" is forbidden: SecurityContext.RunAsUser is forbidden

排错

需要对准入控制器进行修改,然后重启apiserver
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
SecurityContextDeny 不enable就行

[root@elasticsearch01 ingree-nginx]# vim /k8s/kubernetes/cfg/kube-apiserver [root@elasticsearch01 ingree-nginx]# systemctl restart kube-apiserver.service [root@elasticsearch01 ingree-nginx]# systemctl status kube-apiserver.service ● kube-apiserver.service - Kubernetes API Server   Loaded: loaded (/usr/lib/systemd/system/kube-apiserver.service; enabled; vendor preset: disabled)   Active: active (running) since Mon 2019-01-07 11:30:07 CST; 7s ago     Docs: https://github.com/kubernetes/kubernetes Main PID: 12796 (kube-apiserver)   CGroup: /system.slice/kube-apiserver.service           └─12796 /k8s/kubernetes/bin/kube-apiserver --logtostderr=true --v=4 --etcd-servers=https://10.2.8.44:2379,https://10.2....

检查状态

[root@elasticsearch01 ingree-nginx]# kubectl get pods -n ingress-nginxNAME                                            READY   STATUS    RESTARTS   AGEpod/nginx-ingress-controller-565dfd6dff-vj52t   1/1     Running   0          2m36s

部署svc

[root@elasticsearch01 ingree-nginx]# kubectl create -f cloud-generic.yaml

service/ingress-nginx created
[root@elasticsearch01 ingree-nginx]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx LoadBalancer 10.254.156.80 <pending> 80:40133/TCP,443:36517/TCP 12s

测试功能

之前dashboard是通过nodeport暴露,现在使用ingress方式,注意ingress后端是https,需要添加如下配置

宣告annotations

apiVersion: extensions/v1beta1kind: Ingressmetadata:  annotations:    nginx.ingress.kubernetes.io/ingress.class: nginx    nginx.ingress.kubernetes.io/secure-backends: "true"    nginx.ingress.kubernetes.io/ssl-passthrough: "true"

生成ingress-secret证书

[root@elasticsearch01 ingress-nginx]# kubectl -n kube-system  create secret tls ingress-secret --key /certs/dashboard.key --cert /certs/dashboard.crt secret/ingress-secret created

创建ingress服务

[root@elasticsearch01 ~]# cat /k8s/yaml/ingress-nginx/k8s.yaml apiVersion: extensions/v1beta1kind: Ingressmetadata:  name: dashboard-ingress  namespace: kube-system  annotations:    nginx.ingress.kubernetes.io/ingress.class: nginx    nginx.ingress.kubernetes.io/secure-backends: "true"    nginx.ingress.kubernetes.io/ssl-passthrough: "true"spec:  tls:  - hosts:    - dashboard.minminmsn.com    secretName: ingress-secret  rules:    - host: dashboard.minminmsn.com      http:        paths:        - path: /          backend:            serviceName: kubernetes-dashboard            servicePort: 443[root@elasticsearch01 ingree-nginx]# kubectl create -f k8s.yaml ingress.extensions/dashboard-ingress created
[root@elasticsearch01 ingree-nginx]# kubectl get ingress -n kube-systemNAME                HOSTS                      ADDRESS   PORTS   AGEdashboard-ingress   dashboard.minminmsn.com             80      2m51s[root@elasticsearch01 ingree-nginx]# kubectl describe ingress dashboard-ingress -n kube-systemName:             dashboard-ingressNamespace:        kube-systemAddress:          Default backend:  default-http-backend:80 (
)Rules: Host Path Backends ---- ---- -------- dashboard.minminmsn.com kubernetes-dashboard:443 (10.254.73.2:8443)Annotations: ingress.kubernetes.io/ssl-passthrough: trueEvents: Type Reason Age From Message ---- ------ ---- ---- ------- Normal CREATE 3m3s nginx-ingress-controller Ingress ingress-nginx/dashboard-ingress Normal CREATE 3m3s nginx-ingress-controller Ingress ingress-nginx/dashboard-ingress

网页浏览

集群内部访问直接https://dashboard.minminmsn.com 即可;集群外部访问需要获取对外端口47215,另外需要设置dns解析,访问时同样需要输入token
[root@elasticsearch01 ~]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx LoadBalancer 10.254.125.151 <pending> 80:33003/TCP,443:47215/TCP 16m

访问效果如下

kubernetes1.13.1部署ingress-nginx并配置https转发dashboard

补充

准入控制器

To see which admission plugins are enabled:
kube-apiserver -h | grep enable-admission-plugins
In 1.13, they are:
NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeClaimResize,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,Priority

LimitRanger:此准入控制器将确保所有资源请求不会超过 namespace 的 LimitRange。

SecurityContextDeny:此准入控制器将拒绝任何试图设置某些升级的SecurityContext字段的pod 。
ServiceAccount:此准入控制器实现serviceAccounts的自动化。
ResourceQuota:此准入控制器将观察传入请求并确保它不违反命名空间的ResourceQuota对象中列举的任何约束。
NodeRestriction:该准入控制器限制了 kubelet 可以修改的Node和Pod对象。
NamespaceExists:此许可控制器检查除 Namespace 其自身之外的命名空间资源上的所有请求。如果请求引用的命名空间不存在,则拒绝该请求。
NamespaceLifecycle:此准入控制器强制执行正在终止的命令空间中不能创建新对象,并确保Namespace拒绝不存在的请求。此准入控制器还防止缺失三个系统保留的命名空间default、kube-system、kube-public。

转载于:https://blog.51cto.com/jerrymin/2340022

你可能感兴趣的文章
linux清除文件内容
查看>>
WindowManager.LayoutParams 详解
查看>>
find的命令的使用和文件名的后缀
查看>>
Android的Aidl安装方法
查看>>
Linux中rc的含义
查看>>
曾鸣:区块链的春天还没有到来| 阿里内部干货
查看>>
如何通过Dataworks禁止MaxCompute 子账号跨Project访问
查看>>
js之无缝滚动
查看>>
Django 多表联合查询
查看>>
logging模块学习:basicConfig配置文件
查看>>
Golang 使用 Beego 与 Mgo 开发的示例程序
查看>>
ntpdate时间同步
查看>>
+++++++子域授权与编译安装(一)
查看>>
asp.net怎样在URL中使用中文、空格、特殊字符
查看>>
路由器发布服务器
查看>>
实现跨交换机VLAN间的通信
查看>>
jquery中的data-icon和data-role
查看>>
python例子
查看>>
环境变量(总结)
查看>>
ios之UILabel
查看>>