From 4c8d010cbee12d38a40f72463c4080fa60a8bb07 Mon Sep 17 00:00:00 2001
From: kino
Date: Thu, 20 Oct 2022 01:50:07 +0800
Subject: [PATCH] k8s - ingress install

---
 note/Kubernetes/k8s-Service.md | 1080 ++++++++++++++++----------------
 1 file changed, 557 insertions(+), 523 deletions(-)

diff --git a/note/Kubernetes/k8s-Service.md b/note/Kubernetes/k8s-Service.md
index a9f8c06..aab5c72 100644
--- a/note/Kubernetes/k8s-Service.md
+++ b/note/Kubernetes/k8s-Service.md
@@ -414,666 +414,700 @@ spec: ``` # 三、Ingress -## 3.1 Ingress 安装部署 +## 3.1 说明 +[K8s Ingress github](https://github.com/kubernetes/ingress-nginx) + +需要注意的是,README 中有 Ingress 和 K8s 对应的版本信息。 + +Support Versions table + +| Ingress-NGINX version | k8s supported version | Alpine Version | Nginx Version | +| --------------------- | ---------------------------- | -------------- | ------------- | +| v1.4.0 | 1.25, 1.24, 1.23, 1.22 | 3.16.2 | 1.19.10† | +| v1.3.1 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.2 | 1.19.10† | +| v1.3.0 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.0 | 1.19.10† | +| v1.2.1 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.6 | 1.19.10† | +| v1.1.3 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.4 | 1.19.10† | +| v1.1.2 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | +| v1.1.1 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | +| v1.1.0 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | +| v1.0.5 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | +| v1.0.4 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | +| v1.0.3 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | +| v1.0.2 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | +| v1.0.1 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | +| v1.0.0 | 1.22, 1.21, 1.20, 1.19 | 3.13.5 | 1.20.1 | + +例如我现在的 K8s 版本为: `v1.20.9`, 那么 Ingress 就只能选择 v1.3.1 及以下。 + +[K8s 官方文档](https://kubernetes.io/zh-cn/docs/concepts/services-networking/ingress/#what-is-ingress) + +[Ingress nginx 官方文档 ](https://kubernetes.github.io/ingress-nginx/deploy/#bare-metal-clusters) + +## 3.2 Ingress 安装部署 + +文档中的 apply 如下 + +```bash +$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.2.0/deploy/static/provider/baremetal/deploy.yaml +``` + +因为官方deploy.yaml 中的镜像在国内很难下载下来,所以需要修改镜像,并且做一些额外的配置修改 + ```yaml -$ vim install-ingress.yaml ---- +# 下载 +$ wgeet https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.2.0/deploy/static/provider/baremetal/deploy.yaml +# 修改 +$ vim deploy.yaml apiVersion: v1 kind: Namespace metadata: - name: ingress-nginx 
labels: - app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - + app.kubernetes.io/name: ingress-nginx + name: ingress-nginx --- -# Source: ingress-nginx/templates/controller-serviceaccount.yaml apiVersion: v1 +automountServiceAccountToken: true kind: ServiceAccount metadata: labels: - helm.sh/chart: ingress-nginx-3.30.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.46.0 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.0 name: ingress-nginx namespace: ingress-nginx -automountServiceAccountToken: true --- -# Source: ingress-nginx/templates/controller-configmap.yaml apiVersion: v1 -kind: ConfigMap +kind: ServiceAccount metadata: labels: - helm.sh/chart: ingress-nginx-3.30.0 - app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/component: admission-webhook app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.46.0 - app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.0 + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: app.kubernetes.io/component: controller - name: ingress-nginx-controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.0 + name: ingress-nginx namespace: ingress-nginx -data: +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- 
apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - ingress-controller-leader + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch --- -# Source: ingress-nginx/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: Role metadata: labels: - helm.sh/chart: ingress-nginx-3.30.0 + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.0 + name: ingress-nginx-admission + namespace: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.46.0 - app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.0 name: ingress-nginx rules: - - apiGroups: - - '' - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - verbs: - - list - - watch - - apiGroups: - - '' - resources: - - nodes - verbs: - - get - - apiGroups: - - '' - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io # k8s 1.14+ - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - events - verbs: - - create - - patch - - apiGroups: - - extensions - - networking.k8s.io # k8s 1.14+ - resources: - - 
ingresses/status - verbs: - - update - - apiGroups: - - networking.k8s.io # k8s 1.14+ - resources: - - ingressclasses - verbs: - - get - - list - - watch +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + - namespaces + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch --- -# Source: ingress-nginx/templates/clusterrolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: ClusterRole metadata: labels: - helm.sh/chart: ingress-nginx-3.30.0 + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.0 + name: ingress-nginx-admission +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.46.0 - app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.0 name: ingress-nginx + namespace: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: Role name: ingress-nginx subjects: - - kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx +- kind: ServiceAccount + 
name: ingress-nginx + namespace: ingress-nginx --- -# Source: ingress-nginx/templates/controller-role.yaml apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: RoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-3.30.0 - app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/component: admission-webhook app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.46.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.0 + name: ingress-nginx-admission + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission namespace: ingress-nginx -rules: - - apiGroups: - - '' - resources: - - namespaces - verbs: - - get - - apiGroups: - - '' - resources: - - configmaps - - pods - - secrets - - endpoints - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io # k8s 1.14+ - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io # k8s 1.14+ - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - networking.k8s.io # k8s 1.14+ - resources: - - ingressclasses - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - configmaps - resourceNames: - - ingress-controller-leader-nginx - verbs: - - get - - update - - apiGroups: - - '' - resources: - - configmaps - verbs: - - create - - apiGroups: - - '' - resources: - - events - verbs: - - create - - patch --- -# Source: ingress-nginx/templates/controller-rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: ClusterRoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-3.30.0 - 
app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.46.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.0 name: ingress-nginx - namespace: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io - kind: Role + kind: ClusterRole + name: ingress-nginx +subjects: +- kind: ServiceAccount name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.0 + name: ingress-nginx-admission +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx-admission subjects: - - kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx --- -# Source: ingress-nginx/templates/controller-service-webhook.yaml apiVersion: v1 -kind: Service +data: + allow-snippet-annotations: "true" +kind: ConfigMap metadata: labels: - helm.sh/chart: ingress-nginx-3.30.0 - app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.46.0 - app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.0 + name: ingress-nginx-controller + namespace: ingress-nginx +--- +apiVersion: v1 +kind: Service +metadata: + labels: app.kubernetes.io/component: controller - name: ingress-nginx-controller-admission + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: 
ingress-nginx + app.kubernetes.io/version: 1.2.0 + name: ingress-nginx-controller namespace: ingress-nginx spec: - type: ClusterIP ports: - - name: https-webhook - port: 443 - targetPort: webhook + - appProtocol: http + name: http + port: 80 + protocol: TCP + targetPort: http + - appProtocol: https + name: https + port: 443 + protocol: TCP + targetPort: https selector: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: ClusterIP ## 从 NodePort 改成 ClusterIP --- -# Source: ingress-nginx/templates/controller-service.yaml:不要 apiVersion: v1 kind: Service metadata: - annotations: labels: - helm.sh/chart: ingress-nginx-3.30.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.46.0 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller - name: ingress-nginx-controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.0 + name: ingress-nginx-controller-admission namespace: ingress-nginx spec: - type: ClusterIP ## 改为clusterIP ports: - - name: http - port: 80 - protocol: TCP - targetPort: http - - name: https - port: 443 - protocol: TCP - targetPort: https + - appProtocol: https + name: https-webhook + port: 443 + targetPort: webhook selector: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: ClusterIP --- -# Source: ingress-nginx/templates/controller-deployment.yaml apiVersion: apps/v1 -kind: DaemonSet +kind: DaemonSet # 从 Deployment 改成 DaemonSet metadata: labels: - helm.sh/chart: ingress-nginx-3.30.0 - app.kubernetes.io/name: ingress-nginx - 
app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.46.0 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.0 name: ingress-nginx-controller namespace: ingress-nginx spec: + minReadySeconds: 0 + revisionHistoryLimit: 10 selector: matchLabels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller - revisionHistoryLimit: 10 - minReadySeconds: 0 + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx template: metadata: labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx spec: + hostNetwork: true ## 直接让nginx占用本机80端口和443端口,所以使用主机网络 dnsPolicy: ClusterFirstWithHostNet ## dns对应调整为主机网络 - hostNetwork: true ## 直接让nginx占用本机80端口和443端口,所以使用主机网络 containers: - - name: controller - image: registry.cn-hangzhou.aliyuncs.com/lfy_k8s_images/ingress-nginx-controller:v0.46.0 - imagePullPolicy: IfNotPresent - lifecycle: - preStop: - exec: - command: - - /wait-shutdown - args: - - /nginx-ingress-controller - - --election-id=ingress-controller-leader - - --ingress-class=nginx - - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller - - --validating-webhook=:8443 - - --validating-webhook-certificate=/usr/local/certificates/cert - - --validating-webhook-key=/usr/local/certificates/key - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - runAsUser: 101 - allowPrivilegeEscalation: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LD_PRELOAD - value: /usr/local/lib/libmimalloc.so - 
livenessProbe: - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 5 - readinessProbe: - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - ports: - - name: http - containerPort: 80 - protocol: TCP - - name: https - containerPort: 443 - protocol: TCP - - name: webhook - containerPort: 8443 - protocol: TCP - volumeMounts: - - name: webhook-cert - mountPath: /usr/local/certificates/ - readOnly: true - resources: - requests: - cpu: 100m - memory: 90Mi - nodeSelector: ## 节点选择器 - node-role: ingress #以后只需要给某个node打上这个标签就可以部署ingress-nginx到这个节点上了 - #kubernetes.io/os: linux ## 修改节点选择 + - args: + - /nginx-ingress-controller + - --election-id=ingress-controller-leader + - --controller-class=k8s.io/ingress-nginx + - --ingress-class=nginx + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller + - --validating-webhook=:8443 + - --validating-webhook-certificate=/usr/local/certificates/cert + - --validating-webhook-key=/usr/local/certificates/key + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + # image: k8s.gcr.io/ingress-nginx/controller:v1.2.0@sha256:d8196e3bc1e72547c5dec66d6556c0ff92a23f6d0919b206be170bc90d5f9185 + image: opsdockerimage/ingress-nginx-controller:v1.2.1 ## 替换镜像 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: controller + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - 
containerPort: 8443 + name: webhook + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 90Mi + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + runAsUser: 101 + volumeMounts: + - mountPath: /usr/local/certificates/ + name: webhook-cert + readOnly: true + dnsPolicy: ClusterFirst + nodeSelector: + # kubernetes.io/os: linux ## 注释原来的选择器 + node-role: ingress ## 修改为选择 node 上有 label标签为: node-role=ingress serviceAccountName: ingress-nginx terminationGracePeriodSeconds: 300 volumes: - - name: webhook-cert - secret: - secretName: ingress-nginx-admission ---- -# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml -# before changing this value, check the required kubernetes version -# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - helm.sh/chart: ingress-nginx-3.30.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.46.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - name: ingress-nginx-admission -webhooks: - - name: validate.nginx.ingress.kubernetes.io - matchPolicy: Equivalent - rules: - - apiGroups: - - networking.k8s.io - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - ingresses - failurePolicy: Fail - sideEffects: None - admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - namespace: ingress-nginx - name: ingress-nginx-controller-admission - path: /networking/v1beta1/ingresses + - name: webhook-cert + secret: + secretName: ingress-nginx-admission --- -# Source: 
ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-3.30.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.46.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-3.30.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.46.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook -rules: - - apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - update ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +apiVersion: batch/v1 +kind: Job metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.30.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.46.0 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: 
ClusterRole - name: ingress-nginx-admission -subjects: - - kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-3.30.0 - app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.46.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - namespace: ingress-nginx -rules: - - apiGroups: - - '' - resources: - - secrets - verbs: - - get - - create ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-3.30.0 app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.46.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - namespace: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx-admission -subjects: - - kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml -apiVersion: batch/v1 -kind: Job -metadata: + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.0 name: ingress-nginx-admission-create - annotations: - helm.sh/hook: pre-install,pre-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded 
- labels: - helm.sh/chart: ingress-nginx-3.30.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.46.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook namespace: ingress-nginx spec: template: metadata: - name: ingress-nginx-admission-create labels: - helm.sh/chart: ingress-nginx-3.30.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.46.0 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.0 + name: ingress-nginx-admission-create spec: containers: - - name: create - image: docker.io/jettech/kube-webhook-certgen:v1.5.1 - imagePullPolicy: IfNotPresent - args: - - create - - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc - - --namespace=$(POD_NAMESPACE) - - --secret-name=ingress-nginx-admission - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace + - args: + - create + - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) + - --secret-name=ingress-nginx-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + # image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 ## 注释掉原来的 + image: wangshun1024/kube-webhook-certgen:v1.1.1 ## 替换镜像 + imagePullPolicy: IfNotPresent + name: create + securityContext: + allowPrivilegeEscalation: false + nodeSelector: + kubernetes.io/os: linux restartPolicy: OnFailure - serviceAccountName: ingress-nginx-admission securityContext: + fsGroup: 2000 runAsNonRoot: true runAsUser: 2000 + serviceAccountName: 
ingress-nginx-admission --- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml apiVersion: batch/v1 kind: Job metadata: - name: ingress-nginx-admission-patch - annotations: - helm.sh/hook: post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.30.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.46.0 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.0 + name: ingress-nginx-admission-patch namespace: ingress-nginx spec: template: metadata: - name: ingress-nginx-admission-patch labels: - helm.sh/chart: ingress-nginx-3.30.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.46.0 - app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.0 + name: ingress-nginx-admission-patch spec: containers: - - name: patch - image: docker.io/jettech/kube-webhook-certgen:v1.5.1 - imagePullPolicy: IfNotPresent - args: - - patch - - --webhook-name=ingress-nginx-admission - - --namespace=$(POD_NAMESPACE) - - --patch-mutating=false - - --secret-name=ingress-nginx-admission - - --patch-failure-policy=Fail - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace + - args: + - patch + - --webhook-name=ingress-nginx-admission + - --namespace=$(POD_NAMESPACE) + - --patch-mutating=false + - --secret-name=ingress-nginx-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + # 
image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 ## 注释掉原来的 + image: wangshun1024/kube-webhook-certgen:v1.1.1 ## 替换镜像 + imagePullPolicy: IfNotPresent + name: patch + securityContext: + allowPrivilegeEscalation: false + nodeSelector: + kubernetes.io/os: linux restartPolicy: OnFailure - serviceAccountName: ingress-nginx-admission securityContext: + fsGroup: 2000 runAsNonRoot: true runAsUser: 2000 + serviceAccountName: ingress-nginx-admission +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.0 + name: nginx +spec: + controller: k8s.io/ingress-nginx +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.0 + name: ingress-nginx-admission +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: ingress-nginx-controller-admission + namespace: ingress-nginx + path: /networking/v1/ingresses + failurePolicy: Fail + matchPolicy: Equivalent + name: validate.nginx.ingress.kubernetes.io + rules: + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + sideEffects: None + +# apply +$ kubectl apply -f deploy.yaml ``` +部署完成之后 + +```bash +[root@etl-k8s01 app]# kubectl get all -n ingress-nginx +NAME READY STATUS RESTARTS AGE +pod/ingress-nginx-admission-create-59f4d 0/1 Completed 0 32m +pod/ingress-nginx-admission-patch-5wxtb 0/1 Completed 0 32m +pod/ingress-nginx-controller-fl6lc 1/1 Running 0 32m + +NAME TYPE CLUSTER-IP 
EXTERNAL-IP PORT(S) AGE +service/ingress-nginx-controller ClusterIP 10.96.91.32 80/TCP,443/TCP 32m +service/ingress-nginx-controller-admission ClusterIP 10.109.170.60 443/TCP 32m + +NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE +daemonset.apps/ingress-nginx-controller 1 1 1 1 1 node-role=ingress 32m + +NAME COMPLETIONS DURATION AGE +job.batch/ingress-nginx-admission-create 1/1 16s 32m +job.batch/ingress-nginx-admission-patch 1/1 16s 32m +``` + + + ## 3.2 ingress 案例 ### 3.2.1 基本配置 ```yaml @@ -1445,7 +1479,7 @@ spec: ports: - protocol: TCP port: 5978 -``` + ``` - **基本信息:** 同其他的 Kubernetes 对象一样,`NetworkPolicy` 需要 `apiVersion`、`kind`、`metadata` 字段 - spec:`NetworkPolicy`的spec字段包含了定义网络策略的主要信息:
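Review bot: The new ConfigMap sets `allow-snippet-annotations: "true"` while the controller's ClusterRole grants `list`/`watch` on `secrets` cluster-wide, so any user who can create an Ingress object can inject arbitrary nginx directives and read every Secret the controller can see; set `allow-snippet-annotations: "false"` unless snippet annotations are actually required. The official digest-pinned images kept in comments (`k8s.gcr.io/ingress-nginx/controller:v1.2.0@sha256:d8196e…`, `kube-webhook-certgen:v1.1.1@sha256:64d8c7…`) are replaced by unverified Docker Hub re-hosts referenced by mutable tag only (`opsdockerimage/ingress-nginx-controller:v1.2.1`, `wangshun1024/kube-webhook-certgen:v1.1.1`), which also mixes a v1.2.1 controller binary into the v1.2.0 manifest; mirror the upstream images into a registry you control after confirming their digests match, and keep the `@sha256:` suffix so a tag re-push cannot swap the binary. The DaemonSet pod spec carries `dnsPolicy` twice (`ClusterFirstWithHostNet` next to `hostNetwork: true`, then `dnsPolicy: ClusterFirst` after the container list); if the later key wins, the controller resolves through the node's resolv.conf instead of cluster DNS, so delete the trailing `dnsPolicy: ClusterFirst`. With `hostNetwork: true` the webhook (8443) and healthz (10254) listeners are bound on the node's interfaces too, not only 80/443, which is worth stating in the comment on that line. The download command `wgeet https://…` should read `wget https://…`.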