网站建设工程师 html5,松原网站建设公司,台山市网站建设,科技词语文章目录 一、Ingress Controller理论知识1、Ingress Controller、Ingress简介2、四层代理与七层代理的区别3、Ingress Controller中封装Nginx#xff0c;为什么不直接用Nginx呢#xff1f;4、Ingress Controller代理K8S内部Pod流程 二、实践#xff1a;部署Ingress Control… 文章目录 一、Ingress Controller理论知识1、Ingress Controller、Ingress简介2、四层代理与七层代理的区别3、Ingress Controller中封装Nginx为什么不直接用Nginx呢4、Ingress Controller代理K8S内部Pod流程 二、实践部署Ingress Controller高可用架构1、部署Ingress Controller2、在Node节点上安装并配置Nginx、keepalived3、测试主备切换 三、实践创建Ingress规则进行七层转发1、基于HTTP七层代理转发后端Pod2、基于HTTPS七层代理转发后端 一、Ingress Controller理论知识
Ingress官方中文参考文档
1、Ingress Controller、Ingress简介
Ingress Controller是一个七层负载调度器常见的七层负载均衡器有nginx、traefik以我们熟悉的nginx为例客户端的请求首先会到Ingress Controller七层负载调度器由七层负载调度器将请求代理到后端的Pod。
以Nginx举例客户端请求首先会到Nginx中由Nginx中的upstream模块将请求代理到后端的服务上但是K8s场景下后端Pod的IP地址不是固定的因此在Pod前面需要添加一个service资源请求到达Service由Service代理到后端的Pod。 Ingress是K8S中的资源简单理解就是Ingress Controller的配置文件创建ingress规则在管理Ingress Controller。
2、四层代理与七层代理的区别
四层代理
工作在传输层可以解析传输层协议TCP、UDP等。四层代理 基于传IP端口方式进行转发。
七层代理
工作在应有层可以解析应用层协议如HTTP、FTP等。七层负载工作在四层的基础之上基于虚拟主机的URL或主机的IP进行转发。
总体而言四层代理更关注于网络层面的流量控制和安全主要基于传输层的信息进行处理而七层代理更加智能能够理解和处理应用层协议的内容提供更加精细的控制和调度。选择使用哪种类型的代理取决于具体需求和使用场景。
OSI七层模型 722190254323.png)]
3、Ingress Controller中封装Nginx为什么不直接用Nginx呢
在宿主机安装Nginx只要配置文件有改动就必须手动reload加载才可以生效但是如果使用Ingress Controller封装的Nginx你ingress维护配置ingress创建好了之后会自动把配置文件传到Ingress Controller这个Pod中自动进行reload加载。
4、Ingress Controller代理K8S内部Pod流程
第一步部署Ingress Controller
第二步创建Pod可以使用控制器进行创建
第三步创建Service管理Pod
第四步创建Ingress http或https规则
第五步测试客户端通过七层访问
二、实践部署Ingress Controller高可用架构
高可用架构请求转发图 ingress-nginx GitHub地址
ingress-nginx YAML GitHub地址
1、部署Ingress Controller
1、编写YAML文件基于官方下载根基自己需求进行对应修改。
cat ingress-controller-nginx.yaml
---
apiVersion: v1
kind: Namespace
metadata:name: ingress-nginxlabels:app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/instance: ingress-nginx---
# Source: ingress-nginx/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:labels:helm.sh/chart: ingress-nginx-4.0.10app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/version: 1.1.0app.kubernetes.io/managed-by: Helmapp.kubernetes.io/component: controllername: ingress-nginxnamespace: ingress-nginx
automountServiceAccountToken: true
---
# Source: ingress-nginx/templates/controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:labels:helm.sh/chart: ingress-nginx-4.0.10app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/version: 1.1.0app.kubernetes.io/managed-by: Helmapp.kubernetes.io/component: controllername: ingress-nginx-controllernamespace: ingress-nginx
data:allow-snippet-annotations: true
---
# Source: ingress-nginx/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:labels:helm.sh/chart: ingress-nginx-4.0.10app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/version: 1.1.0app.kubernetes.io/managed-by: Helmname: ingress-nginx
rules:- apiGroups:- resources:- configmaps- endpoints- nodes- pods- secrets- namespacesverbs:- list- watch- apiGroups:- resources:- nodesverbs:- get- apiGroups:- resources:- servicesverbs:- get- list- watch- apiGroups:- networking.k8s.ioresources:- ingressesverbs:- get- list- watch- apiGroups:- resources:- eventsverbs:- create- patch- apiGroups:- networking.k8s.ioresources:- ingresses/statusverbs:- update- apiGroups:- networking.k8s.ioresources:- ingressclassesverbs:- get- list- watch
---
# Source: ingress-nginx/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:labels:helm.sh/chart: ingress-nginx-4.0.10app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/version: 1.1.0app.kubernetes.io/managed-by: Helmname: ingress-nginx
roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: ingress-nginx
subjects:- kind: ServiceAccountname: ingress-nginxnamespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:labels:helm.sh/chart: ingress-nginx-4.0.10app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/version: 1.1.0app.kubernetes.io/managed-by: Helmapp.kubernetes.io/component: controllername: ingress-nginxnamespace: ingress-nginx
rules:- apiGroups:- resources:- namespacesverbs:- get- apiGroups:- resources:- configmaps- pods- secrets- endpointsverbs:- get- list- watch- apiGroups:- resources:- servicesverbs:- get- list- watch- apiGroups:- networking.k8s.ioresources:- ingressesverbs:- get- list- watch- apiGroups:- networking.k8s.ioresources:- ingresses/statusverbs:- update- apiGroups:- networking.k8s.ioresources:- ingressclassesverbs:- get- list- watch- apiGroups:- resources:- configmapsresourceNames:- ingress-controller-leaderverbs:- get- update- apiGroups:- resources:- configmapsverbs:- create- apiGroups:- resources:- eventsverbs:- create- patch
---
# Source: ingress-nginx/templates/controller-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:labels:helm.sh/chart: ingress-nginx-4.0.10app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/version: 1.1.0app.kubernetes.io/managed-by: Helmapp.kubernetes.io/component: controllername: ingress-nginxnamespace: ingress-nginx
roleRef:apiGroup: rbac.authorization.k8s.iokind: Rolename: ingress-nginx
subjects:- kind: ServiceAccountname: ingress-nginxnamespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-service-webhook.yaml
apiVersion: v1
kind: Service
metadata:labels:helm.sh/chart: ingress-nginx-4.0.10app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/version: 1.1.0app.kubernetes.io/managed-by: Helmapp.kubernetes.io/component: controllername: ingress-nginx-controller-admissionnamespace: ingress-nginx
spec:type: ClusterIPports:- name: https-webhookport: 443targetPort: webhookappProtocol: httpsselector:app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:annotations:labels:helm.sh/chart: ingress-nginx-4.0.10app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/version: 1.1.0app.kubernetes.io/managed-by: Helmapp.kubernetes.io/component: controllername: ingress-nginx-controllernamespace: ingress-nginx
spec:type: NodePortipFamilyPolicy: SingleStackipFamilies:- IPv4ports:- name: httpport: 80protocol: TCPtargetPort: httpappProtocol: http- name: httpsport: 443protocol: TCPtargetPort: httpsappProtocol: httpsselector:app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:labels:helm.sh/chart: ingress-nginx-4.0.10app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/version: 1.1.0app.kubernetes.io/managed-by: Helmapp.kubernetes.io/component: controllername: ingress-nginx-controllernamespace: ingress-nginx
spec:replicas: 2selector:matchLabels:app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/component: controllerrevisionHistoryLimit: 10minReadySeconds: 0template:metadata:labels:app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/component: controllerspec:hostNetwork: trueaffinity:podAntiAffinity:preferredDuringSchedulingIgnoredDuringExecution:- weight: 100podAffinityTerm:labelSelector:matchLabels:app.kubernetes.io/name: ingress-nginxtopologyKey: kubernetes.io/hostnamednsPolicy: ClusterFirstWithHostNetcontainers:- name: controllerimage: registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:v1.1.0imagePullPolicy: IfNotPresentlifecycle:preStop:exec:command:- /wait-shutdownargs:- /nginx-ingress-controller- --election-idingress-controller-leader- --controller-classk8s.io/ingress-nginx- --configmap$(POD_NAMESPACE)/ingress-nginx-controller- --validating-webhook:8443- --validating-webhook-certificate/usr/local/certificates/cert- --validating-webhook-key/usr/local/certificates/keysecurityContext:capabilities:drop:- ALLadd:- NET_BIND_SERVICErunAsUser: 101allowPrivilegeEscalation: trueenv:- name: POD_NAMEvalueFrom:fieldRef:fieldPath: metadata.name- name: POD_NAMESPACEvalueFrom:fieldRef:fieldPath: metadata.namespace- name: LD_PRELOADvalue: /usr/local/lib/libmimalloc.solivenessProbe:failureThreshold: 5httpGet:path: /healthzport: 10254scheme: HTTPinitialDelaySeconds: 10periodSeconds: 10successThreshold: 1timeoutSeconds: 1readinessProbe:failureThreshold: 3httpGet:path: /healthzport: 10254scheme: HTTPinitialDelaySeconds: 10periodSeconds: 10successThreshold: 1timeoutSeconds: 1ports:- name: httpcontainerPort: 80protocol: TCP- name: httpscontainerPort: 443protocol: TCP- name: webhookcontainerPort: 8443protocol: TCPvolumeMounts:- name: webhook-certmountPath: /usr/local/certificates/readOnly: trueresources:requests:cpu: 100mmemory: 90MinodeSelector:kubernetes.io/os: linuxserviceAccountName: ingress-nginxterminationGracePeriodSeconds: 300volumes:- name: webhook-certsecret:secretName: ingress-nginx-admission
---
# Source: ingress-nginx/templates/controller-ingressclass.yaml
# We dont support namespaced ingressClass yet
# So a ClusterRole and a ClusterRoleBinding is required
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:labels:helm.sh/chart: ingress-nginx-4.0.10app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/version: 1.1.0app.kubernetes.io/managed-by: Helmapp.kubernetes.io/component: controllername: nginxnamespace: ingress-nginx
spec:controller: k8s.io/ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
# before changing this value, check the required kubernetes version
# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:labels:helm.sh/chart: ingress-nginx-4.0.10app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/version: 1.1.0app.kubernetes.io/managed-by: Helmapp.kubernetes.io/component: admission-webhookname: ingress-nginx-admission
webhooks:- name: validate.nginx.ingress.kubernetes.iomatchPolicy: Equivalentrules:- apiGroups:- networking.k8s.ioapiVersions:- v1operations:- CREATE- UPDATEresources:- ingressesfailurePolicy: FailsideEffects: NoneadmissionReviewVersions:- v1clientConfig:service:namespace: ingress-nginxname: ingress-nginx-controller-admissionpath: /networking/v1/ingresses
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:name: ingress-nginx-admissionnamespace: ingress-nginxannotations:helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgradehelm.sh/hook-delete-policy: before-hook-creation,hook-succeededlabels:helm.sh/chart: ingress-nginx-4.0.10app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/version: 1.1.0app.kubernetes.io/managed-by: Helmapp.kubernetes.io/component: admission-webhook
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:name: ingress-nginx-admissionannotations:helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgradehelm.sh/hook-delete-policy: before-hook-creation,hook-succeededlabels:helm.sh/chart: ingress-nginx-4.0.10app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/version: 1.1.0app.kubernetes.io/managed-by: Helmapp.kubernetes.io/component: admission-webhook
rules:- apiGroups:- admissionregistration.k8s.ioresources:- validatingwebhookconfigurationsverbs:- get- update
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:name: ingress-nginx-admissionannotations:helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgradehelm.sh/hook-delete-policy: before-hook-creation,hook-succeededlabels:helm.sh/chart: ingress-nginx-4.0.10app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/version: 1.1.0app.kubernetes.io/managed-by: Helmapp.kubernetes.io/component: admission-webhook
roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: ingress-nginx-admission
subjects:- kind: ServiceAccountname: ingress-nginx-admissionnamespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:name: ingress-nginx-admissionnamespace: ingress-nginxannotations:helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgradehelm.sh/hook-delete-policy: before-hook-creation,hook-succeededlabels:helm.sh/chart: ingress-nginx-4.0.10app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/version: 1.1.0app.kubernetes.io/managed-by: Helmapp.kubernetes.io/component: admission-webhook
rules:- apiGroups:- resources:- secretsverbs:- get- create
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:name: ingress-nginx-admissionnamespace: ingress-nginxannotations:helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgradehelm.sh/hook-delete-policy: before-hook-creation,hook-succeededlabels:helm.sh/chart: ingress-nginx-4.0.10app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/version: 1.1.0app.kubernetes.io/managed-by: Helmapp.kubernetes.io/component: admission-webhook
roleRef:apiGroup: rbac.authorization.k8s.iokind: Rolename: ingress-nginx-admission
subjects:- kind: ServiceAccountname: ingress-nginx-admissionnamespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
apiVersion: batch/v1
kind: Job
metadata:name: ingress-nginx-admission-createnamespace: ingress-nginxannotations:helm.sh/hook: pre-install,pre-upgradehelm.sh/hook-delete-policy: before-hook-creation,hook-succeededlabels:helm.sh/chart: ingress-nginx-4.0.10app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/version: 1.1.0app.kubernetes.io/managed-by: Helmapp.kubernetes.io/component: admission-webhook
spec:template:metadata:name: ingress-nginx-admission-createlabels:helm.sh/chart: ingress-nginx-4.0.10app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/version: 1.1.0app.kubernetes.io/managed-by: Helmapp.kubernetes.io/component: admission-webhookspec:containers:- name: createimage: registry.cn-hangzhou.aliyuncs.com/google_containers/kube-webhook-certgen:v1.1.1imagePullPolicy: IfNotPresentargs:- create- --hostingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc- --namespace$(POD_NAMESPACE)- --secret-nameingress-nginx-admissionenv:- name: POD_NAMESPACEvalueFrom:fieldRef:fieldPath: metadata.namespacesecurityContext:allowPrivilegeEscalation: falserestartPolicy: OnFailureserviceAccountName: ingress-nginx-admissionnodeSelector:kubernetes.io/os: linuxsecurityContext:runAsNonRoot: truerunAsUser: 2000
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
apiVersion: batch/v1
kind: Job
metadata:name: ingress-nginx-admission-patchnamespace: ingress-nginxannotations:helm.sh/hook: post-install,post-upgradehelm.sh/hook-delete-policy: before-hook-creation,hook-succeededlabels:helm.sh/chart: ingress-nginx-4.0.10app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/version: 1.1.0app.kubernetes.io/managed-by: Helmapp.kubernetes.io/component: admission-webhook
spec:template:metadata:name: ingress-nginx-admission-patchlabels:helm.sh/chart: ingress-nginx-4.0.10app.kubernetes.io/name: ingress-nginxapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/version: 1.1.0app.kubernetes.io/managed-by: Helmapp.kubernetes.io/component: admission-webhookspec:containers:- name: patchimage: registry.cn-hangzhou.aliyuncs.com/google_containers/kube-webhook-certgen:v1.1.1imagePullPolicy: IfNotPresentargs:- patch- --webhook-nameingress-nginx-admission- --namespace$(POD_NAMESPACE)- --patch-mutatingfalse- --secret-nameingress-nginx-admission- --patch-failure-policyFailenv:- name: POD_NAMESPACEvalueFrom:fieldRef:fieldPath: metadata.namespacesecurityContext:allowPrivilegeEscalation: falserestartPolicy: OnFailureserviceAccountName: ingress-nginx-admissionnodeSelector:kubernetes.io/os: linuxsecurityContext:runAsNonRoot: truerunAsUser: 20002、执行YAML文件
kubectl apply -f ingress-controller-nginx.yaml如果执行YAML文件有报错如下
报错内容Error from server (InternalError): error when creating “ingress.yaml“: Internal error occurred: fail
报错解决方法
kubectl delete -A ValidatingWebhookConfiguration ingress-nginx-admission3、查看创建的Pod资源状态是否已运行
kubectl get pod -n ingress-nginx2、在Node节点上安装并配置Nginx、keepalived
1、上面部署ingress controller分配在不同的两台Node节点(两台Node节点同步操作)
yum install epel-release nginx keepalived nginx-mod-stream nc -y2、修改 nginx.conf 配置文件(两台Node节点同步操作)
mv /etc/nginx/nginx.conf{,.$(date %F)}
vim /etc/nginx/nginx.confuser nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;include /usr/share/nginx/modules/*.conf;events {worker_connections 1024;
}# 四层负载
stream {log_format main $remote_addr $upstream_addr - [$time_local] $status $upstream_bytes_sent;access_log /var/log/nginx/k8s-access.log main;# 定义后端负载节点upstream k8s-ingress-controller {server 16.32.15.201:80 weight5 max_fails3 fail_timeout30s;server 16.32.15.202:80 weight5 max_fails3 fail_timeout30s;}# 访问30080代理到后端节点server {listen 30080; proxy_pass k8s-ingress-controller;}
}http {log_format main $remote_addr - $remote_user [$time_local] $request $status $body_bytes_sent $http_referer $http_user_agent $http_x_forwarded_for;access_log /var/log/nginx/access.log main;sendfile on;tcp_nopush on;tcp_nodelay on;keepalive_timeout 65;types_hash_max_size 2048;include /etc/nginx/mime.types;default_type application/octet-stream;}检查配置 启动并加入开机自启动
nginx -t
systemctl enable nginx --now
systemctl status nginx3、修改Keepalived Master节点配置文件(Keepalived Master操作我这里将16.32.15.201定义为主)
mv /etc/keepalived/keepalived.conf{,.$(date %F)}
vim /etc/keepalived/keepalived.conf
vrrp_script check_nginx {script /etc/keepalived/check_nginx.sh
}vrrp_instance VI_1 { state MASTER interface ens33 # 网卡名称virtual_router_id 51 priority 100 advert_int 1 authentication { auth_type PASS auth_pass 1111 } # 虚拟IPvirtual_ipaddress { 16.32.15.100/24} track_script {check_nginx}
}添加判断Nginx是否运行脚本
vim /etc/keepalived/check_nginx.sh
#!/bin/bash
nc -z localhost 30080
if [[ $? -ne 0 ]];thensystemctl stop keepalived.service
fichmod x /etc/keepalived/check_nginx.sh启动主节点keepalived
systemctl enable keepalived --now4、修改Keepalived Backup节点配置文件(Keepalived Master操作我这里将16.32.15.202定义为备)
mv /etc/keepalived/keepalived.conf{,.$(date %F)}
vim /etc/keepalived/keepalived.conf
vrrp_script check_nginx {script /etc/keepalived/check_nginx.sh
}vrrp_instance VI_1 { state BACKUP interface ens33 # 网卡名称virtual_router_id 51 priority 90advert_int 1 authentication { auth_type PASS auth_pass 1111 } # 虚拟IPvirtual_ipaddress { 16.32.15.100/24} track_script {check_nginx}
}添加判断Nginx是否运行脚本
vim /etc/keepalived/check_nginx.sh
#!/bin/bash
nc -z localhost 30080
if [[ $? -ne 0 ]];thensystemctl stop keepalived.service
fichmod x /etc/keepalived/check_nginx.sh启动备节点keepalived
systemctl enable keepalived --now3、测试主备切换
1、在主机停止nginx服务
systemctl stop nginx2、在备机查看VIP是否漂移过去
ip a|grep 100如果漂移过去表示无问题如下图 3、在主机启动VIP会自动表漂移到主机
systemctl start nginx keepalived
ip a|grep 100三、实践创建Ingress规则进行七层转发
Ingress规则官方参考文档
1、基于HTTP七层代理转发后端Pod
1、创建后端Pod、Server资源
cat ingress-demo.yaml
---
apiVersion: v1
kind: Service
metadata:name: ingress-tomcat-servicenamespace: default
spec:selector:app: tomcatports:- name: httptargetPort: 8080port: 8080- name: ajptargetPort: 8009port: 8009
---
apiVersion: apps/v1
kind: Deployment
metadata:name: ingress-tomcat-deploymentnamespace: default
spec:replicas: 2selector:matchLabels:app: tomcattemplate:metadata:labels:app: tomcatspec:containers:- name: tomcatimage: tomcat:8.5.34-jre8-alpine imagePullPolicy: IfNotPresent ports:- name: httpcontainerPort: 8080name: ajpcontainerPort: 8009执行YAML文件
kubectl apply -f ingress-demo.yaml查看创建的Pod、Service
kubectl get pods,svc2、创建Ingress转发规则
cat ingress-tomcat.yamlapiVersion: networking.k8s.io/v1
kind: Ingress
metadata:name: ingress-tomcatnamespace: default
spec: ingressClassName: nginx # 指定ingress类名称,这里是Nginxrules:- host: tomcat.ingress.com # 客户端访问的域名http:paths:- backend:service:name: ingress-tomcat-service # 转发到SVC名称port:number: 8080 # 转发到SVC端口path: / # 转发到/pathType: Prefix执行YAML
kubectl apply -f ingress-tomcat.yaml3、添加域名解析
打开 C:\Windows\System32\drivers\etc\hosts 文件添加解析如下图 浏览器访问tomcat.ingress.com:30080进行测试 2、基于HTTPS七层代理转发后端
基于上面 HTTP七层代理转发的 Pod、Service做实验不在创建新的资源。
1、创建证书
生成一个私钥
openssl genrsa -out tls.key 2048基于私钥生成根证书并签发qinzt.ingress.com 域名
openssl req -new -x509 -key tls.key -out tls.crt -subj /CCN/STBeijing/LBeijing/ODevOps/CNqinzt.ingress.com2、创建secret对证书进行加密
kubectl create secret tls ingress-tomcat-secret --certtls.crt --keytls.key查看secret
kubectl describe secret ingress-tomcat-secret3、创建ingress规则
cat ingress-tomcat-tls.yamlapiVersion: networking.k8s.io/v1
kind: Ingress
metadata:name: ingress-tomcat-tlsnamespace: default
spec:ingressClassName: nginxtls:- hosts:- qinzt.ingress.comsecretName: ingress-tomcat-secret # secret名称rules:- host: qinzt.ingress.comhttp:paths:- path: /pathType: Prefixbackend:service:name: tomcatport:number: 8080执行YAML文件
kubectl apply -f ingress-tomcat-tls.yaml4、添加域名解析
打开 C:\Windows\System32\drivers\etc\hosts 文件添加解析如下图 5、浏览器访问域名测试
由于证书是自签名所有浏览器会提示不安全点击确认继续访问即可 文章转载自: http://www.morning.hpcpp.cn.gov.cn.hpcpp.cn http://www.morning.hprmg.cn.gov.cn.hprmg.cn http://www.morning.fnfxp.cn.gov.cn.fnfxp.cn http://www.morning.xbrxk.cn.gov.cn.xbrxk.cn http://www.morning.bzfld.cn.gov.cn.bzfld.cn http://www.morning.bhgnj.cn.gov.cn.bhgnj.cn http://www.morning.rhmpk.cn.gov.cn.rhmpk.cn http://www.morning.qrnbs.cn.gov.cn.qrnbs.cn http://www.morning.kmlmf.cn.gov.cn.kmlmf.cn http://www.morning.znmwb.cn.gov.cn.znmwb.cn http://www.morning.cwgn.cn.gov.cn.cwgn.cn http://www.morning.qnxtz.cn.gov.cn.qnxtz.cn http://www.morning.dtrcl.cn.gov.cn.dtrcl.cn http://www.morning.lywys.cn.gov.cn.lywys.cn http://www.morning.ldzss.cn.gov.cn.ldzss.cn http://www.morning.pdwny.cn.gov.cn.pdwny.cn http://www.morning.gcftl.cn.gov.cn.gcftl.cn http://www.morning.hsklc.cn.gov.cn.hsklc.cn http://www.morning.pggkr.cn.gov.cn.pggkr.cn http://www.morning.bpmdh.cn.gov.cn.bpmdh.cn http://www.morning.bdsyu.cn.gov.cn.bdsyu.cn http://www.morning.xnnpy.cn.gov.cn.xnnpy.cn http://www.morning.ymwcs.cn.gov.cn.ymwcs.cn http://www.morning.zlkps.cn.gov.cn.zlkps.cn http://www.morning.cpmwg.cn.gov.cn.cpmwg.cn http://www.morning.zrgdd.cn.gov.cn.zrgdd.cn http://www.morning.lkwyr.cn.gov.cn.lkwyr.cn http://www.morning.rmqlf.cn.gov.cn.rmqlf.cn http://www.morning.xkhxl.cn.gov.cn.xkhxl.cn http://www.morning.wwjft.cn.gov.cn.wwjft.cn http://www.morning.tnfyj.cn.gov.cn.tnfyj.cn http://www.morning.ahlart.com.gov.cn.ahlart.com http://www.morning.shxrn.cn.gov.cn.shxrn.cn http://www.morning.tnjz.cn.gov.cn.tnjz.cn http://www.morning.qswws.cn.gov.cn.qswws.cn http://www.morning.gtcym.cn.gov.cn.gtcym.cn http://www.morning.rnlx.cn.gov.cn.rnlx.cn http://www.morning.qbzfp.cn.gov.cn.qbzfp.cn http://www.morning.byjwl.cn.gov.cn.byjwl.cn http://www.morning.ywqw.cn.gov.cn.ywqw.cn http://www.morning.mnrqq.cn.gov.cn.mnrqq.cn http://www.morning.cqyhdy.cn.gov.cn.cqyhdy.cn http://www.morning.wfwqr.cn.gov.cn.wfwqr.cn http://www.morning.nqnqz.cn.gov.cn.nqnqz.cn http://www.morning.wdpt.cn.gov.cn.wdpt.cn http://www.morning.rqdx.cn.gov.cn.rqdx.cn http://www.morning.rsjf.cn.gov.cn.rsjf.cn http://www.morning.dphmj.cn.gov.cn.dphmj.cn http://www.morning.mbrbk.cn.gov.cn.mbrbk.cn http://www.morning.tlfzp.cn.gov.cn.tlfzp.cn http://www.morning.jgmlb.cn.gov.cn.jgmlb.cn http://www.morning.npmcf.cn.gov.cn.npmcf.cn http://www.morning.mkxxk.cn.gov.cn.mkxxk.cn http://www.morning.nytgk.cn.gov.cn.nytgk.cn http://www.morning.xqtqm.cn.gov.cn.xqtqm.cn http://www.morning.fsjcn.cn.gov.cn.fsjcn.cn http://www.morning.ldynr.cn.gov.cn.ldynr.cn http://www.morning.leyuhh.com.gov.cn.leyuhh.com http://www.morning.fkffr.cn.gov.cn.fkffr.cn http://www.morning.sskns.cn.gov.cn.sskns.cn http://www.morning.zgnng.cn.gov.cn.zgnng.cn http://www.morning.prmyx.cn.gov.cn.prmyx.cn http://www.morning.tsnq.cn.gov.cn.tsnq.cn http://www.morning.whnps.cn.gov.cn.whnps.cn http://www.morning.zkqwk.cn.gov.cn.zkqwk.cn http://www.morning.scrnt.cn.gov.cn.scrnt.cn http://www.morning.qzpsk.cn.gov.cn.qzpsk.cn http://www.morning.wtbzt.cn.gov.cn.wtbzt.cn http://www.morning.qsbcg.cn.gov.cn.qsbcg.cn http://www.morning.ypwlb.cn.gov.cn.ypwlb.cn http://www.morning.rysmn.cn.gov.cn.rysmn.cn http://www.morning.cptzd.cn.gov.cn.cptzd.cn http://www.morning.kpcxj.cn.gov.cn.kpcxj.cn http://www.morning.ftgwj.cn.gov.cn.ftgwj.cn http://www.morning.ywrt.cn.gov.cn.ywrt.cn http://www.morning.qxlhj.cn.gov.cn.qxlhj.cn http://www.morning.gkgb.cn.gov.cn.gkgb.cn http://www.morning.gqfbh.cn.gov.cn.gqfbh.cn http://www.morning.pabxcp.com.gov.cn.pabxcp.com http://www.morning.tlpgp.cn.gov.cn.tlpgp.cn