nginx - NodePort 上的 Kubernetes Nginx 入口控制器
问题描述
我正在由 RKE 管理的 Kubernetes 集群上部署基于 nginx 的入口控制器。(我也直接尝试过没有 RKE)。
在这两种情况下,它都会尝试在主机上使用/绑定到Ports 80
和443
,但它失败了,因为在security policy
所有服务帐户的 pod 中我不允许主机端口。
事实上,我不需要直接在主机上访问入口,但我想在from external上访问ingress controller
as a 。Service
NodePort
LoadBalancer
有没有办法部署Nginx ingress controller
不使用任何主机端口。
解决方案
通过禁用 hostNetwork 来完成,并删除不必要的权限和功能:
C02W84XMHTD5:Downloads iahmad$ kubectl get deployments -n ingress-nginx -o yaml
apiVersion: v1
items:
- apiVersion: extensions/v1beta1
kind: Deployment
metadata:
annotations:
deployment.kubernetes.io/revision: "1"
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
name: nginx-ingress-controller
namespace: ingress-nginx
resourceVersion: "68427"
selfLink: /apis/extensions/v1beta1/namespaces/ingress-nginx/deployments/nginx-ingress-controller
uid: 0b92b556-12fa-11ea-9d82-08002762a3c5
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
annotations:
prometheus.io/port: "10254"
prometheus.io/scrape: "true"
creationTimestamp: null
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
containers:
- args:
- /nginx-ingress-controller
- --configmap=$(POD_NAMESPACE)/nginx-configuration
- --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
- --udp-services-configmap=$(POD_NAMESPACE)/udp-services
- --publish-service=$(POD_NAMESPACE)/ingress-nginx
- --annotations-prefix=nginx.ingress.kubernetes.io
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.26.1
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 10
name: nginx-ingress-controller
ports:
- containerPort: 80
name: http
protocol: TCP
- containerPort: 443
name: https
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 10
resources: {}
securityContext:
runAsUser: 33
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: nginx-ingress-serviceaccount
serviceAccountName: nginx-ingress-serviceaccount
terminationGracePeriodSeconds: 300
status:
availableReplicas: 1
conditions:
- lastTransitionTime: 2019-11-29T22:46:59Z
lastUpdateTime: 2019-11-29T22:46:59Z
message: Deployment has minimum availability.
reason: MinimumReplicasAvailable
status: "True"
type: Available
- lastTransitionTime: 2019-11-29T22:46:13Z
lastUpdateTime: 2019-11-29T22:46:59Z
message: ReplicaSet "nginx-ingress-controller-84758fb96c" has successfully progressed.
reason: NewReplicaSetAvailable
status: "True"
type: Progressing
observedGeneration: 1
readyReplicas: 1
replicas: 1
updatedReplicas: 1
kind: List
metadata:
resourceVersion: ""
selfLink: ""
然后创建一个指向入口控制器端口的节点端口服务:
C02W84XMHTD5:Downloads iahmad$ kubectl get svc -n ingress-nginx -o yaml
apiVersion: v1
items:
- apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
name: ingress-nginx
namespace: ingress-nginx
resourceVersion: "68063"
selfLink: /api/v1/namespaces/ingress-nginx/services/ingress-nginx
uid: 7aa425a4-12f9-11ea-9d82-08002762a3c5
spec:
clusterIP: 10.97.110.93
externalTrafficPolicy: Cluster
ports:
- name: http
nodePort: 30864
port: 80
protocol: TCP
targetPort: 80
- name: https
nodePort: 30716
port: 443
protocol: TCP
targetPort: 443
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
sessionAffinity: None
type: NodePort
status:
loadBalancer: {}
kind: List
metadata:
resourceVersion: ""
selfLink: ""
C02W84XMHTD5:Downloads iahmad$
推荐阅读
- java - CompletableFuture 超时
- jira - 如何将 Jira Webhook 连接到 Azure 服务总线
- stellar.js - 不支持恒星核心交易
- ssl - 解析切换规则时检测到 HAProxy 错误:没有这样的 ACL:'{hdr(host)'
- types - 在 matillion ETL 工具中将文本转换为日期时间
- sparql - 如何从 sparql 中的对象 URI 查询数据
- laravel - 为什么 Laravel Voyager BREAD Accessor 不返回格式化日期?
- git - 通过 Git 远程跟踪分支的给定名称如何找到哪个本地分支跟踪它?
- java - 片段之间的过渡动画在重新打开片段后发生
- javascript - 构建后删除 node_modules 文件夹