
How to expose an Ingress for external access in Kubernetes?

I have a Kubernetes cluster on a private network (a private server, not AWS or Google Cloud) and I created a Service to be able to access it; however, I need to be able to access it from outside the cluster, and for this I created an Ingress and added ingress-nginx to the cluster.

This is the YAML I'm using after making several attempts:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: demo-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  rules:
  - host: k8s.local
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx
          servicePort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx
spec:
  type: ClusterIP
  selector:
    name: nginx
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
  # selector:
    # app: nginx
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: echoserver
        image: nginx
        ports:
        - containerPort: 80

I ran the YAML like this: kubectl create -f file.yaml

In the /etc/hosts file I added k8s.local pointing to the IP of the master server.

When trying the command in or out of the master server, a "Connection refused" message appears: $ curl http://172.16.0.18:80/ -H 'Host: k8s.local'

I do not know if it's important, but I'm using Flannel in the cluster.

My idea is just to create a 'hello world' and expose it outside of the cluster!

Do I need to change anything in the configuration to allow this access?


YAML file edited:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: demo-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    # nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: k8s.local
    http:
      paths:
      - path: /teste
        backend:
          serviceName: nginx
          servicePort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx
spec:
  type: LoadBalancer # NodePort
  selector:
    app: nginx
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: echoserver
        image: nginx
        ports:
        - containerPort: 80

You can deploy the ingress controller as a DaemonSet with host port 80. The Service of the controller will not matter then. You can point your domain to every node in your cluster.

You can do a NodePort-type Service, but that will force you to use some port in the 30k vicinity; you will not be able to use port 80.

Of course, the best solution is to use a cloud provider with a load balancer.

You can make it work with a plain nginx pod, but the recommended method is to install a Kubernetes ingress controller. In your case you are using nginx, so you can install an nginx ingress controller.

Here is some information on how to install it.

If you want to allow external access, you can also expose the nginx ingress controller as a LoadBalancer Service. You can also use NodePort, but you will have to manually point a load balancer to the port on your Kubernetes nodes.

And yes, the selector on the Service needs to be:

selector:
  app: nginx

In this case NodePort would work. It will open a high port number on every node (the same port on every node), so you can use any of these nodes. Place a load balancer if you want, and point the backend pool to those instances you have running. Do not use ClusterIP; it is just for internal usage.

If you run your cluster on bare metal, you need to tell the nginx-ingress controller to use hostNetwork: true, added to the template/spec section of mandatory.yml, so that the pod running the ingress controller listens on ports 80 and 443 on the host node.
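The DaemonSet-with-host-port approach from the earlier answer and the hostNetwork: true change from this one, written out as one manifest. This is an added example, not the questioner's YAML and not the contents of mandatory.yml; the image, the controller args, the service account name and the uid are assumptions to be taken from the ingress-nginx release you actually deploy. Because the pod shares the node's network namespace, the securityContext drops everything except NET_BIND_SERVICE so the controller can bind 80/443 without running as root.

```yaml
# Added example (not from the question or answers): ingress-nginx controller
# as a DaemonSet in the host network namespace, so every node answers on
# 80/443 without a LoadBalancer or NodePort Service in front of it.
# IMAGE, args, serviceAccountName and runAsUser are placeholders/assumptions.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
    spec:
      serviceAccountName: nginx-ingress-serviceaccount  # assumed: RBAC objects from mandatory.yml exist
      hostNetwork: true                   # pod uses the node's interfaces directly
      dnsPolicy: ClusterFirstWithHostNet  # keeps cluster DNS resolution working with hostNetwork
      containers:
      - name: nginx-ingress-controller
        image: INGRESS_NGINX_CONTROLLER_IMAGE_PLACEHOLDER  # pin to the release you deploy
        args:
        - /nginx-ingress-controller
        - --configmap=$(POD_NAMESPACE)/nginx-configuration  # as laid out in mandatory.yml (assumed)
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        ports:
        - name: http
          containerPort: 80
          hostPort: 80    # with hostNetwork this is the node's port 80
        - name: https
          containerPort: 443
          hostPort: 443
        securityContext:
          allowPrivilegeEscalation: true   # required for the setcap'd binary to bind 80/443
          runAsUser: 101                   # placeholder: the uid the controller image runs as
          capabilities:
            drop: [ALL]
            add: [NET_BIND_SERVICE]
```

Once this is running, the curl from the question should be answered on any node's port 80 and routed by the Host header, so the Service in front of the controller can stay ClusterIP or be dropped.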

https://github.com/alexellis/inlets is the easiest way of doing what you want.
Note: encryption requires wss://, which requires TLS certs. If you want fully automated encryption plus the ability to use Inlets as a Layer 4 LB, you should use Inlets Pro; it's very cheap compared to other cloud alternatives.

I've also been able to set up the OSS/non-kubernetes-operator version of Inlets with encryption/wss (WebSockets Secure), using the open source version of Inlets as a Layer 7 LB. (It just took some manual configuration/wasn't fully automated like the Pro version.)

https://blog.alexellis.io/https-inlets-local-endpoints/ I was able to get public internet HTTPS + nginx ingress controller to minikube + tested 2 sites routed using ingress objects. In ~3-4 hours with no good guide to doing it / being new to Caddy/WebSockets, but expert on Kubernetes Ingress.
Basically:
Step 1.) Create a $0.007/hour or $5/month VPS on Digital Ocean with a public IP.
Step 2.) Point mysite1.com, *.mysite1.com, mysite2.com, *.mysite2.com to the public IP of the VPS.
Step 3.) SSH into the machine and install Inlets + Caddy v1.0.3 + Caddyfile; here's mine:

mysite1.com, *.mysite1.com, mysite2.com, *.mysite2.com

proxy / 127.0.0.1:8080 {
  transparent
}

proxy /tunnel 127.0.0.1:8080 {
  transparent
  websocket
}

tls {
    max_certs 10
}


Step 4.) Deploy 1 inlets Deployment on the Kubernetes cluster, use wss to your VPS, and point the inlets Deployment to an ingress controller Service of type ClusterIP.


The basics of what's happening are:
1.) Caddy leverages Let's Encrypt (free) to auto-get HTTPS certs for every website you point at the Caddy server.
2.) Your inlets Deployment starts a bidirectional VPN tunnel using WebSockets with the VPS that has a public IP. (Warning: the VPN tunnel will only be encrypted if you specify wss, and that requires the server to have a TLS cert, which it gets from "LEF".)
3.) Caddy is now a public L7 LB/reverse proxy that terminates HTTPS and forwards to your ingress controller over an encrypted WebSockets VPN tunnel. Then it's normal-ish ingress.
4.) Traffic flow: DNS -(resolves IP)-> (HTTPS) VPS/L7 reverse proxy -encrypted VPN tunnel-> inlets pod from inlets Deployment -L7 cleartext in cluster network redirect to-> Ingress Controller Service -> Ingress Controller Pod -L7 redirect to-> ClusterIP services/sites defined by ingress objects.
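Step 4 of the procedure above, as an added example that is not the answerer's manifest: the in-cluster inlets client that dials the VPS over wss:// (Caddy proxies /tunnel to the inlets server on 127.0.0.1:8080) and hands decrypted traffic to the ingress controller's ClusterIP Service. The image, the entrypoint, and the controller Service name ingress-nginx.ingress-nginx are assumptions; the token is read from a Secret rather than written into the Deployment, since anyone holding it can attach their own upstream to the public hostname.

```yaml
# Added example (not from the answer): inlets client for Step 4.
# Assumptions: the image's entrypoint is the inlets binary, and the
# ingress controller is reachable as ingress-nginx.ingress-nginx:80.
apiVersion: v1
kind: Secret
metadata:
  name: inlets-token
type: Opaque
stringData:
  token: REPLACE_WITH_THE_TOKEN_THE_INLETS_SERVER_ON_THE_VPS_WAS_STARTED_WITH
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: inlets-client
spec:
  replicas: 1
  selector:
    matchLabels:
      app: inlets-client
  template:
    metadata:
      labels:
        app: inlets-client   # matches the selector above (the mismatch in the question's first YAML)
    spec:
      containers:
      - name: inlets
        image: INLETS_CLIENT_IMAGE_PLACEHOLDER   # pin to the same inlets release as the VPS server
        args:
        - client
        - --remote=wss://mysite1.com             # Caddy terminates TLS, then proxies /tunnel to :8080
        - --upstream=http://ingress-nginx.ingress-nginx.svc.cluster.local:80  # assumed ClusterIP Service
        - --token=$(INLETS_TOKEN)                # expanded by kubelet from the env var below
        env:
        - name: INLETS_TOKEN
          valueFrom:
            secretKeyRef:
              name: inlets-token
              key: token
        securityContext:
          allowPrivilegeEscalation: false        # outbound-only client; no capabilities needed
          capabilities:
            drop: [ALL]
```

Traffic for mysite1.com and mysite2.com then arrives at the ingress controller with the original Host header, so the same Ingress objects as in the question select the backend.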
