1. To understand the Nginx Ingress Controller, first look at the face-recognition elevators at Raffles City Changning in Shanghai, where I happen to work 😃.

Think of the face-recognition gate between the outside and the inside as the NGINX Ingress Controller: it matches the domain name and dispatches the person (the request) to an internal Service.
Think of the face-recognition elevator dispatch as the Service: a Service controls a group of elevators and sends the person (the request) to one of the elevators under it.
Think of an elevator as a Pod: under its Service, it handles the person (the request).
2. Below are the configuration files: the roles and their bindings to the service account, the Service, a PV and PVC, and a Secret. My namespace is nginx-space.
- Create the namespace
kubectl create namespace nginx-space
- Set the default response, default-backend.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: default-http-backend
  labels:
    k8s-app: default-http-backend
  namespace: nginx-space
spec:
  replicas: 1
  template:
    metadata:
      labels:
        k8s-app: default-http-backend
    spec:
      terminationGracePeriodSeconds: 60
      containers:
      - name: default-http-backend
        # Any image is permissible as long as:
        # 1. It serves a 404 page at /
        # 2. It serves 200 on a /healthz endpoint
        image: gcr.io/google_containers/defaultbackend:1.4
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 30
          timeoutSeconds: 5
        ports:
        - containerPort: 8080
        resources:
          limits:
            cpu: 10m
            memory: 20Mi
          requests:
            cpu: 10m
            memory: 20Mi
      nodeSelector:
        kubernetes.io/hostname: cc2
---
apiVersion: v1
kind: Service
metadata:
  name: default-http-backend
  namespace: nginx-space
  labels:
    k8s-app: default-http-backend
spec:
  ports:
  - port: 80
    targetPort: 8080
  selector:
    k8s-app: default-http-backend
- Set up the roles and role bindings, nginx-ingress-controller-rbac.yml
#apiVersion: v1
#kind: Namespace
#metadata:
#  name: nginx-ingress
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount
  namespace: nginx-space
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - nodes
  - pods
  # cluster-wide list/watch of Secrets: the controller can read TLS Secrets in every
  # namespace, not only nginx-space; keep this service account's token well guarded
  - secrets
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - "extensions"
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - "extensions"
  resources:
  - ingresses/status
  verbs:
  - update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: nginx-space
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  - secrets
  - namespaces
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - configmaps
  resourceNames:
  # Defaults to "<election-id>-<ingress-class>"
  # Here: "<ingress-controller-leader>-<nginx>"
  # This has to be adapted if you change either parameter
  # when launching the nginx-ingress-controller.
  - "ingress-controller-leader-nginx"
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - get
  - create
  - update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: nginx-space
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
- kind: ServiceAccount
  name: nginx-ingress-serviceaccount
  namespace: nginx-space
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
- kind: ServiceAccount
  name: nginx-ingress-serviceaccount
  namespace: nginx-space
- Set up the nginx ingress controller, nginx-ingress-controller.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  labels:
    k8s-app: nginx-ingress-controller
  namespace: nginx-space
  # for now change default
spec:
  replicas: 1
  template:
    metadata:
      namespace: nginx-space
      labels:
        k8s-app: nginx-ingress-controller
    spec:
      # hostNetwork makes it possible to use ipv6 and to preserve the source IP correctly regardless of docker configuration
      # however, it is not a hard dependency of the nginx-ingress-controller itself and it may cause issues if port 10254 already is taken on the host
      # that said, since hostPort is broken on CNI (https://github.com/kubernetes/kubernetes/issues/31307) we have to use hostNetwork where CNI is used
      # like with kubeadm
      # hostNetwork: true
      terminationGracePeriodSeconds: 60
      hostNetwork: true
      serviceAccountName: nginx-ingress-serviceaccount
      containers:
      # no tag, so :latest is pulled on every restart; pin a version for reproducible rollouts
      - image: bitnami/nginx-ingress-controller
        name: nginx-ingress-controller
        readinessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
        livenessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          timeoutSeconds: 1
        ports:
        - containerPort: 80
          hostPort: 80
        - containerPort: 443
          hostPort: 443
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        args:
        - /nginx-ingress-controller
        - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
        # - --default-ssl-certificate=$(POD_NAMESPACE)/ingress-secret
      nodeSelector:
        kubernetes.io/hostname: cc2
- Set up the Ingress, my-nginx.yml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  namespace: nginx-space
  name: my-nginx
spec:
  tls:
  - hosts:
    - www.actiger.com
    secretName: ingress-secret
  rules:
  - host: www.actiger.com
    http:
      paths:
      - backend:
          serviceName: my-nginx
          servicePort: 80
- Create the nginx Deployment, nginx-deployment.yaml, and create the nginx Service
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: my-nginx
  namespace: nginx-space
spec:
  replicas: 1
  template:
    metadata:
      namespace: nginx-space
      labels:
        app: my-nginx
    spec:
      containers:
      - name: my-nginx
        image: nginx:1.16.0
        ports:
        - containerPort: 80
        volumeMounts:
        - mountPath: /usr/share/nginx/html
          name: www-actiger-com
      volumes:
      # volume names must be DNS-1123 labels (lowercase letters, digits, '-'),
      # so the dotted hostname cannot be used as the name here
      - name: www-actiger-com
        persistentVolumeClaim:
          claimName: pvc-blog
---
apiVersion: v1
kind: Service
metadata:
  name: my-nginx
  namespace: nginx-space
  labels:
    run: my-nginx
spec:
  ports:
  - port: 80
    protocol: TCP
  selector:
    app: my-nginx
- Set up the domain certificate. I used Let's Encrypt; convert privkey.pem and cert.pem to base64.
If you have no certificate, just delete the line secretName: ingress-secret from my-nginx.yml.
apiVersion: v1
data:
  tls.crt:   # base64 of cert.pem, as a single unwrapped line
  tls.key:   # base64 of privkey.pem, as a single unwrapped line
kind: Secret
metadata:
  name: ingress-secret
  namespace: nginx-space
type: Opaque
- Create the hugo folder, and allocate its space with a PV and PVC.
If you don't use a PV and PVC, replace the external-disk volume in nginx-deployment.yaml with another method.
Create the PV, pv-blog.yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-blog
  # PersistentVolumes are cluster-scoped; this namespace field is ignored
  namespace: nginx-space
spec:
  capacity:
    storage: 300Mi
  accessModes:
  - ReadWriteOnce
  hostPath:
    path: "/root/www.actiger.com"
Create the PVC, pvc-blog.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-blog
  namespace: nginx-space
spec:
  accessModes:
  - ReadWriteOnce
  storageClassName: ""
  resources:
    requests:
      storage: 300Mi
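As an added example (not from the post), a small Python helper that produces the ingress-secret manifest from the two PEM files instead of pasting base64 by hand; SAMPLE_CERT and SAMPLE_KEY are constructed filler, and build_tls_secret, check_pem and b64_one_line are names chosen here.

```python
import base64
import json

# Constructed stand-ins for Let's Encrypt's cert.pem and privkey.pem; the bodies
# are filler, not a real certificate or key.
SAMPLE_CERT = b"-----BEGIN CERTIFICATE-----\nMIIBsampleCertificateBody\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = b"-----BEGIN PRIVATE KEY-----\nMIIEsamplePrivateKeyBody\n-----END PRIVATE KEY-----\n"


def check_pem(blob, kinds):
    """Reject files that are not PEM of an expected kind (a DER file, or the wrong
    file pasted in); otherwise the mistake only surfaces in the controller log."""
    head = blob.lstrip().split(b"\n", 1)[0]
    if head not in [b"-----BEGIN " + k + b"-----" for k in kinds]:
        raise ValueError("not a PEM %s, first line: %r" % (b"/".join(kinds).decode(), head[:40]))


def b64_one_line(blob):
    """Base64 for a Secret data field: exactly one line. GNU `base64` wraps at 76
    columns unless called with -w0, and a wrapped value pasted into the YAML
    breaks the scalar and leaves the Secret unusable."""
    return base64.b64encode(blob).decode("ascii")


def build_tls_secret(cert_pem, key_pem, name="ingress-secret", namespace="nginx-space"):
    """Secret manifest equivalent to the page's ingress-secret, as a dict."""
    check_pem(cert_pem, [b"CERTIFICATE"])
    check_pem(key_pem, [b"PRIVATE KEY", b"RSA PRIVATE KEY", b"EC PRIVATE KEY"])
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        # kubernetes.io/tls is what `kubectl create secret tls` produces and makes the API
        # server require both keys; the page uses type Opaque with the same two keys.
        "type": "kubernetes.io/tls",
        "data": {"tls.crt": b64_one_line(cert_pem), "tls.key": b64_one_line(key_pem)},
    }


if __name__ == "__main__":
    # Replace the samples with open("cert.pem", "rb").read() etc.; JSON is valid
    # YAML, so the output can be saved as ingress-secret.yml and applied.
    print(json.dumps(build_tls_secret(SAMPLE_CERT, SAMPLE_KEY), indent=2))
```

Let's Encrypt also writes fullchain.pem (leaf plus intermediate); serving that as tls.crt instead of cert.pem spares clients from having to fetch the intermediate certificate themselves.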
3. Create the services
If you need to change anything in these files, first run kubectl delete -f * so that no unused pods are left behind. If there are errors, troubleshoot via the logs.
kubectl apply -f default-backend.yaml,ingress-secret.yml,my-nginx.yml,nginx-deployment.yaml,nginx-ingress-controller-rbac.yml,nginx-ingress-controller.yaml,pv-blog.yaml,pvc-blog.yaml
# view the pods
kubectl get pods -n nginx-space
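Before troubleshooting through the logs, the references between these manifests can be cross-checked offline. This added Python example (not from the post) transcribes the page's Services, Deployments, Ingress, Secret and PVC into dicts and verifies the Ingress -> Service -> Pod chain, the TLS Secret and the PVC claim; check and pods_for are names chosen here.

```python
# name -> selector and (port -> targetPort), transcribed from the two Services above
SERVICES = {
    "my-nginx": {"selector": {"app": "my-nginx"}, "ports": {80: 80}},
    "default-http-backend": {"selector": {"k8s-app": "default-http-backend"}, "ports": {80: 8080}},
}
# name -> pod template labels, container ports and mounted PVCs, from the two Deployments
DEPLOYMENTS = {
    "my-nginx": {"labels": {"app": "my-nginx"}, "containerPorts": {80}, "claims": {"pvc-blog"}},
    "default-http-backend": {"labels": {"k8s-app": "default-http-backend"}, "containerPorts": {8080}, "claims": set()},
}
INGRESS = {  # my-nginx.yml: host rules and the TLS Secret it references
    "rules": [{"host": "www.actiger.com", "serviceName": "my-nginx", "servicePort": 80}],
    "tls": [{"hosts": ["www.actiger.com"], "secretName": "ingress-secret"}],
}
SECRETS = {"ingress-secret": {"tls.crt", "tls.key"}}  # Secret name -> data keys
PVCS = {"pvc-blog"}
DEFAULT_BACKEND = "default-http-backend"  # from the controller arg --default-backend-service


def pods_for(selector, deployments):
    """Pod templates whose labels satisfy a Service selector (every pair must match)."""
    return [n for n, d in deployments.items() if selector.items() <= d["labels"].items()]


def check(ingress=INGRESS, services=SERVICES, deployments=DEPLOYMENTS, secrets=SECRETS, pvcs=PVCS):
    """Return the list of broken references; an empty list means the chain is consistent."""
    problems = []
    # Ingress backends plus the controller's default backend, each resolved Service -> Pod
    backends = [(r["serviceName"], r["servicePort"]) for r in ingress["rules"]] + [(DEFAULT_BACKEND, 80)]
    for name, port in backends:
        svc = services.get(name)
        if svc is None:
            problems.append("Service %s not found" % name)
        elif port not in svc["ports"]:
            problems.append("Service %s has no port %d" % (name, port))
        else:
            pods = pods_for(svc["selector"], deployments)
            if not pods:
                problems.append("Service %s selects no pod template" % name)
            for p in pods:
                if svc["ports"][port] not in deployments[p]["containerPorts"]:
                    problems.append("Service %s targetPort %d not exposed by %s" % (name, svc["ports"][port], p))
    for tls in ingress["tls"]:
        if not {"tls.crt", "tls.key"} <= secrets.get(tls["secretName"], set()):
            problems.append("Secret %s missing tls.crt/tls.key" % tls["secretName"])
    for name, d in deployments.items():
        for claim in sorted(d["claims"] - pvcs):
            problems.append("Deployment %s mounts unknown PVC %s" % (name, claim))
    return problems
```

A Service whose selector does not match its Deployment's pod labels (for example selecting run: my-nginx, the Service's own label, instead of app: my-nginx) is the classic cause of a 503 from the controller, and this is the first thing the check reports.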