K8S的ingress介绍和安装ingress

1 ingress介绍

1.1 ingress架构图

1.2 ingress相关概念

ingress诞生背景：

在没有ingress之前，只能基于svc的NodePort或者LoadBalancer实现内部的pod对外访问，如果遇到多个服务要监听80端口时。

很明显无论哪种类型都无法实现，如果非要实现，就得在K8S集群外部部署一个LB设备，来代理到对应svc资源。而ingress就可以很好的解决这个问题。例如nginx的一个80端口可以给多个实例使用

所谓的ingress指的是一种规则，基于用户访问的请求头路由到正确的svc。简单来说说就是7层代理。

可惜K8S只是实现了ingress定义规则，这个规则被记录到etcd中，但并没有具体实现此功能，因此需要自行安装相应的附加组件

(ingress-nginx,trafik,...)

和svc的区别时，svc只能实现4层的代理。而ingress实现了7层的代理。ingress是定义域名到svc的解析规则，好比nginx.conf配置文件

Ingress Controller和内置的pod控制器有啥区别呢？

内置的pod控制器，比如ds、sts、deploy、jobs、cj、rs、rc等都是用来控制pod的副本数量

1.3 nginx基于域名的多实例演示

1.nginx配置

nginx 复制代码

cat /etc/nginx/conf.d/more-instance.conf
server {
  listen 80; 
  server_name name1.wzy.com;
  location /* {
  root /code/name1;
  index index.html;
  }
}
server {
  listen 80; 
  server_name name2.wzy.com;
  location /* {
  root /code/name2;
  index index.html;
  }
}

2.nginx 页面文件：

bash 复制代码

[root@db51~]# tree -F /code/
/code/
├── name1/
│   └── index.html
└── name2/
    └── index.html

3.访问效果

bash 复制代码

[root@db51~]# curl -H Host:name1.wzy.com 10.0.0.51
name1
[root@db51~]# curl -H Host:name2.wzy.com 10.0.0.51
name2

2 安装ingress控制器

01 ingress-nginx 版本选择和安装方式

ingress-nginx 是K8S官方开源的一个ingress控制器。

安装方式有如下3种：

使用 helm 安装
使用 kubectl apply 创建yaml资源清单的方式进行安装，参考地址。yaml下载地址，修改uri对应版本即可下载需要的版本
使用第三方插件的方式进行安装

upported	Ingress-NGINX version	k8s supported version	Alpine Version	Nginx Version	Helm Chart Version
🔄	v1.12.0-beta.0	1.31, 1.30, 1.29, 1.28	3.20.3	1.25.5	4.12.0-beta.0
🔄	v1.11.3	1.30, 1.29, 1.28, 1.27, 1.26	3.20.3	1.25.5	4.11.3
🔄	v1.11.2	1.30, 1.29, 1.28, 1.27, 1.26	3.20.0	1.25.5	4.11.2
🔄	v1.11.1	1.30, 1.29, 1.28, 1.27, 1.26	3.20.0	1.25.5	4.11.1
🔄	v1.11.0	1.30, 1.29, 1.28, 1.27, 1.26	3.20.0	1.25.5	4.11.0
	v1.10.5	1.30, 1.29, 1.28, 1.27, 1.26	3.20.3	1.25.5	4.10.5
	v1.10.4	1.30, 1.29, 1.28, 1.27, 1.26	3.20.0	1.25.5	4.10.4
	v1.10.3	1.30, 1.29, 1.28, 1.27, 1.26	3.20.0	1.25.5	4.10.3
	v1.10.2	1.30, 1.29, 1.28, 1.27, 1.26	3.20.0	1.25.5	4.10.2
	v1.10.1	1.30, 1.29, 1.28, 1.27, 1.26	3.19.1	1.25.3	4.10.1
	v1.10.0	1.29, 1.28, 1.27, 1.26	3.19.1	1.25.3	4.10.0
	v1.9.6	1.29, 1.28, 1.27, 1.26, 1.25	3.19.0	1.21.6	4.9.1
	v1.9.5	1.28, 1.27, 1.26, 1.25	3.18.4	1.21.6	4.9.0
	v1.9.4	1.28, 1.27, 1.26, 1.25	3.18.4	1.21.6	4.8.3
	v1.9.3	1.28, 1.27, 1.26, 1.25	3.18.4	1.21.6	4.8.*
	v1.9.1	1.28, 1.27, 1.26, 1.25	3.18.4	1.21.6	4.8.*
	v1.9.0	1.28, 1.27, 1.26, 1.25	3.18.2	1.21.6	4.8.*
	v1.8.4	1.27, 1.26, 1.25, 1.24	3.18.2	1.21.6	4.7.*
	v1.7.1	1.27, 1.26, 1.25, 1.24	3.17.2	1.21.6	4.6.*
	v1.6.4	1.26, 1.25, 1.24, 1.23	3.17.0	1.21.6	4.5.*
	v1.5.1	1.25, 1.24, 1.23	3.16.2	1.21.6	4.4.*
	v1.4.0	1.25, 1.24, 1.23, 1.22	3.16.2	1.19.10†	4.3.0
	v1.3.1	1.24, 1.23, 1.22, 1.21, 1.20	3.16.2	1.19.10†	4.2.5

02 helm安装Ingress-nginx

节点	IP地址
master231	10.0.0.231
worker232	10.0.0.232
worker232	10.0.0.233

1.添加Ingress-nginx的官方仓库

bash 复制代码

[root@master231 05-ingress-nginx]# helm repo add zhiyong18-ingress-nginx \
https://kubernetes.github.io/ingress-nginx

"zhiyong18-ingress-nginx" has been added to your repositories

[root@master231 05-ingress-nginx]# helm repo list
NAME                   	URL                                                   
...
zhiyong18-ingress-nginx	https://kubernetes.github.io/ingress-nginx

2.更新helm软件源

bash 复制代码

[root@master231 05-ingress-nginx]# helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "zhiyong18-aliyun" chart repository
...Successfully got an update from the "zhiyong18-ingress-nginx" chart repository
...Successfully got an update from the "azure" chart repository
Update Complete. ⎈Happy Helming!⎈

3.下载指定版本的ingres-nginx软件包。如果下载失败，可以直接去拉取官方拉取chart包：下载地址

bash 复制代码

[root@master231 05-ingress-nginx]# helm search repo ingress-nginx
NAME                                 	CHART VERSION	APP VERSION	DESCRIPTION                                       
zhiyong18-ingress-nginx/ingress-nginx	4.11.1       	1.11.1     	Ingress controller for Kubernetes using NGINX a...

[root@master231 05-ingress-nginx]# helm pull zhiyong18-ingress-nginx/ingress-nginx --version 4.2.5

4.解压软件包，然后修改配置文件

ingress-nginx 要拉取的镜像为：

bash 复制代码

registry.k8s.io/ingress-nginx/controller:v1.3.1
registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.3.0
registry.k8s.io/defaultbackend-amd64:1.5

修改镜像为国内的镜像，否则无法下载海外镜像，除非会FQ

建议使用宿主机网络效率最高，但是使用宿主机网络将来DNS解析策略会直接使用宿主机的解析

如果还想要继续使用K8S内部的svc名称解析，则需要将默认的 ClusterFirst 的DNS解析策略修改为 ClusterFirstWithHostNet

ClusterFirst：默认策略，Pod 的 DNS 查询会优先使用 K8S 集群内部的 DNS 解析服务（通常是 CoreDNS 或 kube-dns

ClusterFirstWithHostNet：强制使用K8S集群的 DNS 解析，即便 Pod 使用主机网络模式

建议将Deployment类型改为 DaemonSet 类型，可以确保在各个节点部署一个Pod，也可以修改 nodeSelector 字段让其调度到指定节点

如果仅有一个ingress controller，可以考虑将 ingressClassResource.default 设置为true，表示让其成为默认的ingress controller

方法一：使用第三方镜像

bash 复制代码

sed -i '/registry:/s#registry.k8s.io#registry.cn-hangzhou.aliyuncs.com#g' ingress-nginx/values.yaml
sed -i 's#ingress-nginx/controller#yinzhengjie-k8s/ingress-nginx#' ingress-nginx/values.yaml 
sed -i 's#ingress-nginx/kube-webhook-certgen#yinzhengjie-k8s/ingress-nginx#' ingress-nginx/values.yaml
sed -i 's#v1.3.0#kube-webhook-certgen-v1.3.0#' ingress-nginx/values.yaml
sed -ri '/digest:/s@^@#@' ingress-nginx/values.yaml

sed -i '/hostNetwork:/s#false#true#' ingress-nginx/values.yaml
sed -i  '/dnsPolicy/s#ClusterFirst#ClusterFirstWithHostNet#' ingress-nginx/values.yaml
sed -i '/kind/s#Deployment#DaemonSet#' ingress-nginx/values.yaml 
sed -i '/default:/s#false#true#'  ingress-nginx/values.yaml

方法二：用FQ的节点拉取官方镜像，然后导出为压缩包。然后在每一个节点手动导入，然后就可以少执行几条命令。（本次操作用的这一种）

bash 复制代码

sed -i '/hostNetwork:/s#false#true#' ingress-nginx/values.yaml
sed -i  '/dnsPolicy/s#ClusterFirst#ClusterFirstWithHostNet#' ingress-nginx/values.yaml
sed -i '/kind/s#Deployment#DaemonSet#' ingress-nginx/values.yaml 
sed -i '/default:/s#false#true#'  ingress-nginx/values.yaml

如果使用改名后的镜像，须删除chart包 value 的所有 digest 信息（注释掉也可以），否则会比对校验值失败，导致本地导入的镜像无效

5.创建Ingress专用的名称空间，使用helm一键安装Ingress

bash 复制代码

kubectl create ns zhiyong18-ingress
helm install luckyboy-ingress-nginx ingress-nginx -n zhiyong18-ingress 

NAME: luckyboy-ingress-nginx
LAST DEPLOYED: Wed Aug 14 10:07:47 2024
NAMESPACE: zhiyong18-ingress
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
The ingress-nginx controller has been installed.
It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status by running 'kubectl --namespace zhiyong18-ingress get services -o wide -w luckyboy-ingress-nginx-controller'

An example Ingress that makes use of the controller:
  apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    name: example
    namespace: foo
  spec:
    ingressClassName: nginx
    rules:
      - host: www.example.com
        http:
          paths:
            - pathType: Prefix
              backend:
                service:
                  name: exampleService
                  port:
                    number: 80
              path: /
    # This section is only required if TLS is to be enabled for the Ingress
    tls:
      - hosts:
        - www.example.com
        secretName: example-tls

If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:

  apiVersion: v1
  kind: Secret
  metadata:
    name: example-tls
    namespace: foo
  data:
    tls.crt: <base64 encoded cert>
    tls.key: <base64 encoded key>
  type: kubernetes.io/tls

6.查看创建的创建的资源，daemonset控制器管理的2个pod（因为master有污点，不然就是3个pod）

bash 复制代码

[root@master23106-ingress]# kubectl -n zhiyong18-ingress get all
NAME                                          READY   STATUS    RESTARTS   AGE
pod/luckyboy-ingress-nginx-controller-mn5tn   1/1     Running   0          94s
pod/luckyboy-ingress-nginx-controller-stcf9   1/1     Running   0          94s

NAME                                                  TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                    AGE
service/luckyboy-ingress-nginx-controller             LoadBalancer   10.200.43.110    <pending>     80:8856/TCP,443:9000/TCP   94s
service/luckyboy-ingress-nginx-controller-admission   ClusterIP      10.200.122.168   <none>        443/TCP                    94s

NAME                                               DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
daemonset.apps/luckyboy-ingress-nginx-controller   2         2         2       2            2           kubernetes.io/os=linux   94s

7.测试访问。404为正常现象

http://10.0.0.232/
http://10.0.0.233

03 禁用admissionWebhooks功能

1.修改配置文件，禁用admissionWebhooks功能。如果此步骤不操作，后续自定义ingress规则会出现如下的报错信息:

Error from server (InternalError): error when creating "01-ingress-demo.yaml": Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io": failed to call webhook: Post "https://luckyboy-ingress-nginx-controller-admission.zhiyong18-ingress.svc:443/networking/v1/ingresses?timeout=10s": x509: certificate is not valid for any names, but wanted to match linux92-ingress-nginx-controller-admission.oldboyedu-ingress.svc

yaml 复制代码

vim ingress-nginx/values.yaml

controller:
  ...
  admissionWebhooks:
    ...
	# 大概在596行左右。
    # enabled: true
    enabled: false

resses?timeout=10s": x509: certificate is not valid for any names, but wanted to match linux92-ingress-nginx-controller-admission.oldboyedu-ingress.svc

```yaml
vim ingress-nginx/values.yaml

controller:
  ...
  admissionWebhooks:
    ...
	# 大概在596行左右。
    # enabled: true
    enabled: false