K8S: using an Ingress as an nginx proxy

  • Post author:
  • Post category: Other


The kubernetes-dashboard that is already deployed is reached as ip:port (https://10.192.0.10:30000). This post switches to reaching it through an Ingress by domain name (https://dashboard.dev.com).

Deploying the Ingress Controller

1. Deploy the Ingress Controller from a single yaml file

Run: kubectl apply -f ingress-controller.yaml

Two things to be aware of before applying the manifest below. It is the ingress-nginx 0.24.1 mandatory manifest with the Deployment adjusted to run on the master node with hostNetwork: true, so the controller binds ports 80 and 443 on 10.192.0.10 itself rather than behind a Service. Its ClusterRole grants list and watch on every Secret in the cluster (that is how the controller loads TLS keys for any namespace), so a compromise of the controller pod exposes every TLS private key the cluster holds. The manifest also uses the rbac.authorization.k8s.io/v1beta1 API, which Kubernetes 1.22 removed; on such clusters change it to rbac.authorization.k8s.io/v1 (the rule syntax is unchanged).

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---

kind: ConfigMap
apiVersion: v1
metadata:
  name: tcp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---

kind: ConfigMap
apiVersion: v1
metadata:
  name: udp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses/status
    verbs:
      - update

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "<election-id>-<ingress-class>"
      # Here: "<ingress-controller-leader>-<nginx>"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
    spec:
      # wait up to five minutes for the drain of connections
      terminationGracePeriodSeconds: 300
      serviceAccountName: nginx-ingress-serviceaccount
      nodeSelector:
        kubernetes.io/hostname: k8s-master.novalocal   # run on the K8S master node; the domain name resolves to the master
      hostNetwork: true                                # bind 80/443 on the node directly; the alternative is the NodePort Service of step 2
      tolerations:                                     # allow scheduling on the master node
        - key: node-role.kubernetes.io/master
          operator: Equal
          effect: NoSchedule
      containers:
        - name: nginx-ingress-controller
          image: registry.aliyuncs.com/google_containers/nginx-ingress-controller:0.24.1
          args:
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx
            - --annotations-prefix=nginx.ingress.kubernetes.io
          securityContext:
            allowPrivilegeEscalation: true
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            # www-data -> 33
            runAsUser: 33
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
```

2. Expose the Ingress Controller outside the cluster with a NodePort Service

Run: kubectl apply -f service-nodeport.yaml

With hostNetwork: true the controller already answers on ports 80 and 443 of the node it runs on; this Service additionally exposes it on 30080/30443 of every node. It is also the Service that the --publish-service=$(POD_NAMESPACE)/ingress-nginx argument above refers to, so the controller expects it to exist.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 80
      nodePort: 30080
      protocol: TCP
    - name: https
      port: 443
      targetPort: 443
      nodePort: 30443
      protocol: TCP
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
```

Domain-based Ingress forwarding

1. Set up a wildcard domain

(1) Wildcard DNS rule: *.dev.com resolves to 10.192.0.10

(2) The Ingress pod runs on 10.192.0.10 and listens on ports 80 and 443.

2. Configure an SSL certificate for the domain

(1) The certificate is what lets the domain be accessed over HTTPS.

(2) Generate the key and certificate files with the OpenSSL tool or with the shell script create_self_signed_cert.sh: ./create_self_signed_cert.sh "/C=CN/ST=Guangdong/L=Shenzhen/O=xdevops/OU=xdevops/CN=dev.com". Note that this subject has CN=dev.com and no subjectAltName; browsers match a server certificate against the host name using the SAN extension only, so besides being self-signed the certificate will also be flagged as a name mismatch for dashboard.dev.com. That is acceptable for a lab you click through, but not for anything whose users should be able to tell the real endpoint from a spoofed one.

vi create_self_signed_cert.sh

```bash
#!/usr/bin/env bash
set -e

# Locate shell script path
SCRIPT_DIR=$(dirname "$0")
if [ "${SCRIPT_DIR}" != "." ]
then
  cd "${SCRIPT_DIR}"
fi

# Generate RSA private key (encrypted with the throwaway passphrase "x")
openssl genrsa -des3 -passout pass:x -out server.pass.key 2048

# Remove password in the private key
openssl rsa -passin pass:x -in server.pass.key -out server.key
rm -f server.pass.key

# Generate CSR sign request (subject comes from the first argument)
SUBJ="$1"
openssl req -new -key server.key -out server.csr -subj "$SUBJ"

# Generate CRT signed cert (self-signed with the same key, valid one year)
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
```

chmod 755 create_self_signed_cert.sh

(3) Three files are produced: server.crt, server.csr and server.key. The CSR is no longer needed once server.crt exists; server.key is the unencrypted private key and should stay readable by its owner only.

(4) Create a TLS Secret from the key and certificate so the Ingress can reference it: kubectl create secret tls ingress-secret --key server.key --cert server.crt -n kubernetes-dashboard (ingress-secret is an arbitrary Secret name; the namespace is the one kubernetes-dashboard lives in, i.e. the namespace of the Ingress that will do the domain forwarding)

P.S. The Secret must be in the same namespace as the Ingress that references it.
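The script above produces a certificate with only a CN and no subjectAltName. As an added example, not from the original post, here is a replacement that issues a self-signed server certificate carrying a SAN for dashboard.dev.com and *.dev.com, and that checks the result the way a TLS client would, with OpenSSL's own hostname verification rather than by eyeballing the subject. The script name create_san_cert.sh, the output directory and the helper function names are assumptions; the subject fields mirror the post's -subj string, and the resulting server.key and server.crt go into the same kubectl create secret tls command as before.

```bash
#!/usr/bin/env bash
# Added example, not the post's create_self_signed_cert.sh: self-signed server cert
# whose subjectAltName covers the Ingress host. Script/function names are assumptions.
set -eu

# gen_san_cert OUTDIR CN SANS
#   SANS is an OpenSSL SAN list, e.g. "DNS:dashboard.dev.com,DNS:*.dev.com"
gen_san_cert() {
  outdir="$1"; cn="$2"; sans="$3"
  mkdir -p "$outdir"
  cfg="$outdir/openssl.cnf"
  # Subject fields mirror the post's -subj string; only CN and the SAN list vary.
  cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no

[dn]
C  = CN
ST = Guangdong
L  = Shenzhen
O  = xdevops
OU = xdevops
CN = $cn

[v3_server]
subjectAltName   = $sans
extendedKeyUsage = serverAuth
EOF
  # One call produces key and self-signed cert. -nodes avoids the post's
  # encrypt-then-strip detour; umask 077 makes server.key owner-only from creation.
  ( umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
      -config "$cfg" -keyout "$outdir/server.key" -out "$outdir/server.crt" \
      >/dev/null 2>&1 )
  rm -f "$cfg"
}

# cert_has_san CRT NAME -> true when NAME is listed as a DNS SAN (fixed-string match,
# so a wildcard like '*.dev.com' is compared literally)
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -F -- "DNS:$2" >/dev/null
}

# cert_verifies_for_host CRT HOST -> true when OpenSSL's hostname check accepts HOST
# for this cert, i.e. what a client that trusts the cert would conclude (wildcards
# are honoured, and a wildcard does not cover the bare domain)
cert_verifies_for_host() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Usage: ./create_san_cert.sh OUTDIR   (generates the post's dashboard certificate)
if [ "$#" -eq 1 ]; then
  gen_san_cert "$1" "dev.com" "DNS:dashboard.dev.com,DNS:*.dev.com"
  cert_verifies_for_host "$1/server.crt" dashboard.dev.com
  echo "wrote $1/server.key and $1/server.crt (SAN: dashboard.dev.com, *.dev.com)"
fi
```

Run it as ./create_san_cert.sh certs and then kubectl create secret tls ingress-secret --key certs/server.key --cert certs/server.crt -n kubernetes-dashboard. Browsers will still warn because the issuer is untrusted, but once the certificate is imported as trusted the name check passes, which is what makes the warning you click through meaningful rather than routine.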

Domain-based HTTPS access

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: dashboard
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"       # clients reach the Ingress over HTTPS (plain HTTP is redirected)
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"  # the Ingress talks HTTPS to the backend; the default is plain HTTP, which fails against the dashboard's TLS port
    nginx.ingress.kubernetes.io/rewrite-target: /$1        # URL path rewrite rule; with the path below it maps /x to /x, i.e. an identity rewrite
spec:
  tls:                                                    # bind the host to the TLS Secret so clients can use HTTPS
    - hosts:
        - dashboard.dev.com
      secretName: ingress-secret
  rules:
    - host: dashboard.dev.com                             # host name used to reach the backend
      http:
        paths:
          - path: /(.*)
            backend:
              serviceName: kubernetes-dashboard
              servicePort: 443
```

Domain-based HTTP access

This variant serves the dashboard over plain HTTP, so the login token and session cookie travel in cleartext between the browser and the Ingress; use it only on a network you trust, and note that it requires a kubernetes-dashboard Service that actually exposes a plain-HTTP port 80.

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: dashboard
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"      # clients reach the Ingress over plain HTTP; without this the controller may redirect them to HTTPS
    nginx.ingress.kubernetes.io/rewrite-target: /$1        # URL path rewrite rule; with the path below it is an identity rewrite
spec:
  rules:
    - host: dashboard.dev.com                             # host name used to reach the backend
      http:
        paths:
          - path: /(.*)
            backend:
              serviceName: kubernetes-dashboard
              servicePort: 80
```
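Both manifests above use extensions/v1beta1, which Kubernetes 1.22 removed, and select the controller through the kubernetes.io/ingress.class annotation. The following is an added example, not from the original post, of the HTTPS variant written against networking.k8s.io/v1 (available since Kubernetes 1.19). It assumes the ingress-nginx installation registered an IngressClass named nginx, and keeps the Secret and Service names from the post. Because the path is a plain Prefix rather than the regex /(.*), the identity rewrite-target annotation is no longer needed; the HTTP variant is obtained the same way by dropping the tls block, setting ssl-redirect to "false", removing backend-protocol and pointing at port 80.

```yaml
# Added example, not from the original post: the HTTPS dashboard Ingress on the
# networking.k8s.io/v1 API. Assumes an IngressClass named "nginx" exists.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dashboard
  namespace: kubernetes-dashboard
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"        # clients must use HTTPS
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"   # the dashboard serves TLS on 443
spec:
  ingressClassName: nginx          # replaces the kubernetes.io/ingress.class annotation
  tls:
    - hosts:
        - dashboard.dev.com
      secretName: ingress-secret   # must live in this namespace
  rules:
    - host: dashboard.dev.com
      http:
        paths:
          - path: /
            pathType: Prefix       # plain prefix, no regex, so no rewrite-target needed
            backend:
              service:
                name: kubernetes-dashboard
                port:
                  number: 443
```

Apply it with kubectl apply -f and confirm the class was picked up with kubectl get ingress -n kubernetes-dashboard: the CLASS column should read nginx and ADDRESS should be filled in from the ingress-nginx Service named by --publish-service.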



Copyright notice: this article is an original article by ylsutpc, licensed under CC 4.0 BY-SA; reproduction must include a link to the original and this notice.