K8s Study Notes - P34 - Ingress Controller (ingress-nginx)


Tutorial: 尚硅谷 (Atguigu) Kubernetes Tutorial (K8s from Beginner to Mastery), bilibili

Notes taken from the video chapter: Chapter 6, Service Ingress


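Topic

Ingress mainly provides an entry point for external access to services. Compared with NodePort, an ingress controller has many advantages, including automatic management, so you do not have to manually manage the port each NodePort exposes; besides layer 4, it also provides layer-7 load balancing and other features.

There are many Ingress Controller implementations; here we use the officially maintained Nginx controller (ingress-nginx).

The steps mainly follow the official K8s documentation:

Operation log

First attempt (failed)

First attempt at deploying ingress-nginx

  • File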
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/cloud/deploy.yaml
  • Find the images that need to be downloaded, then download and copy them to each Node
cat deploy.yaml |grep image: |awk -F " " '{print $2}'
k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660

# Find a host that can reach the external internet, pull the images, then save them
root@node2:/tmp/k8s# docker save -o ingress-nginx_controller.tar  k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c^C
root@node2:/tmp/k8s# docker save -o ingress-nginx-kube-webhook-certgen.tar  k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660

# Copy to each Node
# load image
docker load < ingress-nginx_controller.tar
docker load < ingress-nginx-kube-webhook-certgen.tar
  • Create the resources
root@jjh-k8s-demo-master:/usr/local/install-k8s/docker-images# kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/cloud/deploy.yaml
namespace/ingress-nginx created
serviceaccount/ingress-nginx created
serviceaccount/ingress-nginx-admission created
role.rbac.authorization.k8s.io/ingress-nginx created
role.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrole.rbac.authorization.k8s.io/ingress-nginx created
clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission created
rolebinding.rbac.authorization.k8s.io/ingress-nginx created
rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
configmap/ingress-nginx-controller created
service/ingress-nginx-controller created
service/ingress-nginx-controller-admission created
deployment.apps/ingress-nginx-controller created
job.batch/ingress-nginx-admission-create created
job.batch/ingress-nginx-admission-patch created
ingressclass.networking.k8s.io/nginx created
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission created
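  • Check the pod status: it kept failing because the image pull failed and could not proceed. I did not continue any further. imagepull failed. Even though the images had been loaded locally, they were not recognized. Very strange.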
root@jjh-k8s-demo-master:/usr/local/install-k8s/plugin/ingress# kubectl get pods -n ingress-nginx
NAME                                        READY   STATUS             RESTARTS   AGE
ingress-nginx-admission-create-v8872        0/1     ErrImagePull       0          34s
ingress-nginx-admission-patch-dfl7k         0/1     ImagePullBackOff   0          34s
ingress-nginx-controller-5b6f946f99-28c9p   0/1     Terminating        0          34s

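Second attempt: switched to a domestic accelerated image mirror, success

References: "Solving the problem that the ingress-nginx images for k8s cannot be pulled in China" (文杰@'s blog, CSDN), or the image source in this blog post: "Understanding ingress-nginx in depth" (赵SIR, cnblogs.com)

  • First delete all pods of the previous ingress-nginx deployment. Since they are all in the namespace ingress-nginx, I simply deleted all the pods under that namespace directly: kubectl delete namespace ingress-nginx

  • Choose an exposure method. Here the svc is created as NodePort, because this approach works for the vast majority of VMs. (My cluster is built on ByteDance Volcano Engine ECS cloud hosts.)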

wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.2/deploy/static/provider/baremetal/deploy.yaml
Edit the image fields in the file, replacing the originals with these two images, to solve the image download failure
anjia0532/google-containers.ingress-nginx.controller:v1.1.2
anjia0532/google-containers.ingress-nginx.kube-webhook-certgen:v1.1.1
# apply it
kubectl apply -f deploy.yaml
  • Check which ports the svc exposes: 80:30815/TCP,443:30763/TCP
root@jjh-k8s-demo-master:/usr/local/install-k8s/plugin/ingress# kubectl get svc -n ingress-nginx -o wide
NAME                                 TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE     SELECTOR
ingress-nginx-controller             NodePort    10.1.246.76    <none>        80:30815/TCP,443:30763/TCP   3m12s   app.kubernetes.io/component=controller,app.kubernetes.io/instance=ingress-nginx,app.kubernetes.io/name=ingress-nginx
ingress-nginx-controller-admission   ClusterIP   10.1.103.138   <none>        443/TCP                      3m12s   app.kubernetes.io/component=controller,app.kubernetes.io/instance=ingress-nginx,app.kubernetes.io/name=ingress-nginx
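  • Open the ports for access. The NodePort svc port range is 30000-32767, so I opened that range directly in the security group on the ECS console. Since no backend service or rule has been configured for the subsequent test, a 404 is expected.
    ○ Test access over http: success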

    ○ Test access over https: success

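Added example, not part of the original notes: the upstream deploy.yaml pins each image by sha256 digest, while the two replacement images used in the second attempt are referenced by tag only. The shell functions below list every unique image in a manifest and mark which ones are digest-pinned, so the difference is visible before kubectl apply; the function names are hypothetical and the sample manifest lines are constructed from the image names shown in these notes.

```shell
#!/bin/sh
# Added example, not from the original notes. Function names are hypothetical.

# Print "<status> <image>" for every unique image reference in manifest $1.
audit_images() {
    grep -E '^[[:space:]]*(-[[:space:]]+)?image:[[:space:]]' "$1" |
        sed -E -e 's/^[[:space:]]*(-[[:space:]]+)?image:[[:space:]]*//' \
               -e 's/[[:space:]]+#.*$//' -e 's/[[:space:]]+$//' -e "s/[\"']//g" |
        sort -u |
        while IFS= read -r ref; do
            last=${ref##*/}            # a tag, if any, is in the last path component
            if printf '%s\n' "$ref" | grep -Eq '@sha256:[0-9a-f]{64}$'; then
                echo "pinned $ref"     # content-addressed: cannot change silently
            elif [ "${last#*:}" != "$last" ]; then
                echo "tag-only $ref"   # mutable: the tag can be re-pointed later
            else
                echo "untagged $ref"   # resolves to :latest
            fi
        done
}

# Exit 0 only when no image in manifest $1 is tag-only or untagged.
all_pinned() {
    ! audit_images "$1" | grep -qv '^pinned '
}

# Constructed sample: the image lines before ($1 = upstream) and after
# ($1 = mirror) the replacement described in the notes, written to path $2.
write_sample() {
    if [ "$1" = upstream ]; then
        cat > "$2" <<'EOF'
          image: k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
EOF
    else
        cat > "$2" <<'EOF'
          image: anjia0532/google-containers.ingress-nginx.controller:v1.1.2
          image: anjia0532/google-containers.ingress-nginx.kube-webhook-certgen:v1.1.1
          image: anjia0532/google-containers.ingress-nginx.kube-webhook-certgen:v1.1.1
EOF
    fi
}

# Demo on the constructed "mirror" sample.
f=$(mktemp) && write_sample mirror "$f" && audit_images "$f"
rm -f "$f"
```

Run audit_images against the edited deploy.yaml; all_pinned returns non-zero when any image is tag-only or untagged, which makes it usable as a pre-apply gate.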