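kubernetes.github.io/ingress-ngi… (official site)
A Service acts as a layer-4 load balancer and cannot be reached by domain name. An Ingress acts as a layer-7 reverse proxy: it routes each request to a different Service based on the requested domain name and is the entry point for access.
1. Deploy the ingress-controller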
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml
2. Access the service from a physical machine via NodePort
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/provider/baremetal/service-nodeport.yaml
Check the ports exposed by the Ingress
[root@k8s-master ~]# kubectl get svc -n ingress-nginx
NAME            TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx   NodePort   10.254.242.80   <none>        80:30852/TCP,443:30751/TCP   43h
Create an Ingress
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test
  annotations:
    # nginx.ingress.kubernetes.io/auth-type: basic                                # enable authentication
    # nginx.ingress.kubernetes.io/auth-secret: jenkins-basic-auth                 # user/passwd
    # nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - admin'   # prompt message
    nginx.ingress.kubernetes.io/rewrite-target: http://ingress1.xiaobing.com      # redirect to ingress1.xiaobing.com
spec:
  rules:
  - host: foo.bar.com            # requested domain name
    http:
      paths:
      - path: /foo               # requests to host/foo are routed to Service s1
        backend:
          serviceName: s1
          servicePort: 80
      - path: /bar
        backend:
          serviceName: s2
          servicePort: 80
  - host: bar.foo.com
    http:
      paths:
      - backend:
          serviceName: s2
          servicePort: 80
  tls:                           # HTTPS; tls belongs under spec, next to rules
  - hosts:
    - foo.bar.com
    secretName: tls-secret       # the Secret created below holds the HTTPS certificate
Create the certificate
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
kubectl create secret tls tls-secret --key tls.key --cert tls.crt
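The openssl command above issues the certificate for CN=nginxsvc, which does not match the Ingress host foo.bar.com. The following is an added example, not part of the original note: it issues a certificate with a matching subjectAltName and checks both certificates against the host before anything is loaded into the Secret. The helper names make_cert and cert_matches_host and the temporary directory layout are assumptions of this example, and -addext requires OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: verify that a certificate matches the Ingress host before creating the Secret.
set -eu

# make_cert DIR SUBJECT [SAN]: write a self-signed DIR/tls.crt and DIR/tls.key; SAN is optional.
make_cert() {
  if [ -n "${3:-}" ]; then
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
      -keyout "$1/tls.key" -out "$1/tls.crt" -subj "$2" \
      -addext "subjectAltName=$3" 2>/dev/null   # stderr only carries key-generation progress
  else
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
      -keyout "$1/tls.key" -out "$1/tls.crt" -subj "$2" 2>/dev/null
  fi
  chmod 600 "$1/tls.key"   # the private key is unencrypted (-nodes), so restrict access
}

# cert_matches_host CERT HOST: succeed only if OpenSSL accepts CERT for HOST.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

workdir=$(mktemp -d)                 # scratch directory (assumption of this example)
trap 'rm -rf "$workdir"' EXIT
mkdir "$workdir/page" "$workdir/san"
# Same subject as the command on the page: no SAN, CN=nginxsvc.
make_cert "$workdir/page" "/CN=nginxsvc/O=nginxsvc"
# Subject and SAN set to the host served by the Ingress.
make_cert "$workdir/san" "/CN=foo.bar.com/O=nginxsvc" "DNS:foo.bar.com"

for d in page san; do
  if cert_matches_host "$workdir/$d/tls.crt" foo.bar.com; then
    echo "$d: certificate matches foo.bar.com"
  else
    echo "$d: certificate does NOT match foo.bar.com"
  fi
done
```

Once the check passes, the key and certificate can be loaded with the same kubectl create secret tls command shown above.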