kubernetes1.13.1部署ingress-nginx并配置https转发dashboard

参考

https://github.com/kubernetes/ingress-nginx
https://www.jianshu.com/p/e30b06906b77
https://github.com/kubernetes/ingress-nginx/issues/2474
https://www.cnblogs.com/zhangeamon/p/7007076.html
https://github.com/kubernetes/kubernetes/issues/45324
https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#securitycontextdeny
https://jimmysong.io/kubernetes-handbook/concepts/admission-controller.html
https://github.com/kubernetes/ingress-nginx/issues/3608
https://blog.csdn.net/ygqygq2/article/details/82791101

简介

Ingress
An API object that manages external access to the services in a cluster, typically HTTP.
Ingress can provide load balancing, SSL termination and name-based virtual hosting.

Terminology

  • Node: A single virtual or physical machine in a Kubernetes cluster.
  • Cluster: A group of nodes firewalled from the internet, that are the primary compute resources managed by Kubernetes.
  • Edge router: A router that enforces the firewall policy for your cluster. This could be a gateway managed by a cloud provider or a physical piece of hardware.
  • Cluster network: A set of links, logical or physical, that facilitate communication within a cluster according to the Kubernetes networking model.
  • Service: A Kubernetes Service that identifies a set of pods using label selectors. Unless mentioned otherwise, Services are assumed to have virtual IPs only routable within the cluster network.

What is Ingress?
Ingress, added in Kubernetes v1.1, exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the ingress resource.

    internet
        |
   [ Ingress ]
   --|-----|--
   [ Services ]

An ingress can be configured to give services externally-reachable URLs, load balance traffic, terminate SSL, and offer name based virtual hosting. An ingress controller is responsible for fulfilling the ingress, usually with a loadbalancer, though it may also configure your edge router or additional frontends to help handle the traffic.
An ingress does not expose arbitrary ports or protocols. Exposing services other than HTTP and HTTPS to the internet typically uses a service of type Service.Type=NodePort or Service.Type=LoadBalancer.

Prerequisites
FEATURE STATE: Kubernetes v1.1 beta
Before you start using an ingress, there are a few things you should understand. The ingress is a beta resource. You will need an ingress controller to satisfy an ingress, simply creating the resource will have no effect.
GCE/Google Kubernetes Engine deploys an ingress controller on the master. Review the beta limitations of this controller if you are using GCE/GKE.
In environments other than GCE/Google Kubernetes Engine, you may need to deploy an ingress controller. There are a number of ingress controller you may choose from.

Ingress controllers
In order for the ingress resource to work, the cluster must have an ingress controller running. This is unlike other types of controllers, which run as part of the kube-controller-manager binary, and are typically started automatically with a cluster. Choose the ingress controller implementation that best fits your cluster.
Kubernetes as a project currently supports and maintains GCE and nginx controllers.
Additional controllers include:
Contour is an Envoy based ingress controller provided and supported by Heptio.
F5 Networks provides support and maintenance for the F5 BIG-IP Controller for Kubernetes.
HAProxy based ingress controller jcmoraisjr/haproxy-ingress which is mentioned on the blog post HAProxy Ingress Controller for Kubernetes. HAProxy Technologies offers support and maintenance for HAProxy Enterprise and the ingress controller jcmoraisjr/haproxy-ingress.
Istio based ingress controller Control Ingress Traffic.
Kong offers community or commercial support and maintenance for the Kong Ingress Controllerfor Kubernetes.
NGINX, Inc. offers support and maintenance for the NGINX Ingress Controller for Kubernetes.
Traefik is a fully featured ingress controller (Let’s Encrypt, secrets, http2, websocket), and it also comes with commercial support by Containous.
You may deploy any number of ingress controllers within a cluster. When you create an ingress, you should annotate each ingress with the appropriate ingress-class to indicate which ingress controller should be used if more than one exists within your cluster. If you do not define a class, your cloud provider may use a default ingress provider.

官网部署方法

https://github.com/kubernetes/ingress-nginx/blob/master/docs/deploy/index.md
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/cloud-generic.yaml

部署ingress-controller

[[email protected] ingree-nginx]# kubectl create -f mandatory.yaml
namespace/ingress-nginx created
configmap/nginx-configuration created
configmap/tcp-services created
configmap/udp-services created
serviceaccount/nginx-ingress-serviceaccount created
clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole created
role.rbac.authorization.k8s.io/nginx-ingress-role created
rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding created
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding created
deployment.extensions/nginx-ingress-controller created

报错
Error creating: pods "nginx-ingress-controller-565dfd6dff-g977n" is forbidden: SecurityContext.RunAsUser is forbidden

排错
需要对准入控制器进行修改,然后重启apiserver
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
SecurityContextDeny 不enable就行

[[email protected] ingree-nginx]# vim /k8s/kubernetes/cfg/kube-apiserver
[[email protected] ingree-nginx]# systemctl restart kube-apiserver.service
[[email protected] ingree-nginx]# systemctl status kube-apiserver.service
● kube-apiserver.service - Kubernetes API Server
   Loaded: loaded (/usr/lib/systemd/system/kube-apiserver.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2019-01-07 11:30:07 CST; 7s ago
     Docs: https://github.com/kubernetes/kubernetes
 Main PID: 12796 (kube-apiserver)
   CGroup: /system.slice/kube-apiserver.service
           └─12796 /k8s/kubernetes/bin/kube-apiserver --logtostderr=true --v=4 --etcd-servers=https://10.2.8.44:2379,https://10.2....

检查状态

[[email protected] ingree-nginx]# kubectl get pods -n ingress-nginx
NAME                                            READY   STATUS    RESTARTS   AGE
pod/nginx-ingress-controller-565dfd6dff-vj52t   1/1     Running   0          2m36s

部署svc

[[email protected] ingree-nginx]# kubectl create -f cloud-generic.yaml
service/ingress-nginx created
[[email protected] ingree-nginx]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx LoadBalancer 10.254.156.80 <pending> 80:40133/TCP,443:36517/TCP 12s

测试功能

之前dashboard是通过nodeport暴露,现在使用ingress方式,注意ingress后端是https,需要添加如下配置
宣告annotations

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/secure-backends: "true"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"

生成ingress-secret证书

[[email protected] ingress-nginx]# kubectl -n kube-system  create secret tls ingress-secret --key /certs/dashboard.key --cert /certs/dashboard.crt
secret/ingress-secret created

创建ingress服务

[[email protected] ~]# cat /k8s/yaml/ingress-nginx/k8s.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: dashboard-ingress
  namespace: kube-system
  annotations:
    nginx.ingress.kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/secure-backends: "true"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  tls:
  - hosts:
    - dashboard.minminmsn.com
    secretName: ingress-secret
  rules:
    - host: dashboard.minminmsn.com
      http:
        paths:
        - path: /
          backend:
            serviceName: kubernetes-dashboard
            servicePort: 443
[[email protected] ingree-nginx]# kubectl create -f k8s.yaml
ingress.extensions/dashboard-ingress created
[[email protected] ingree-nginx]# kubectl get ingress -n ingress-nginx
NAME                HOSTS                      ADDRESS   PORTS   AGE
dashboard-ingress   dashboard.zhidaoauto.com             80      2m51s
[[email protected] ingree-nginx]# kubectl describe ingress dashboard-ingress -n ingress-nginx
Name:             dashboard-ingress
Namespace:        ingress-nginx
Address:
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host                      Path  Backends
  ----                      ----  --------
  dashboard.zhidaoauto.com
                               kubernetes-dashboard:443 (10.254.73.2:8443)
Annotations:
  ingress.kubernetes.io/ssl-passthrough:  true
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  3m3s  nginx-ingress-controller  Ingress ingress-nginx/dashboard-ingress
  Normal  CREATE  3m3s  nginx-ingress-controller  Ingress ingress-nginx/dashboard-ingress

网页浏览
集群内部访问直接https://dashboard.minminmsn.com 即可;集群外部访问需要获取对外端口47215,另外需要设置dns解析,访问时同样需要输入token
[[email protected] ~]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx LoadBalancer 10.254.125.151 <pending> 80:33003/TCP,443:47215/TCP 16m

访问效果如下

补充

准入控制器
To see which admission plugins are enabled:
kube-apiserver -h | grep enable-admission-plugins
In 1.13, they are:
NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeClaimResize,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,Priority

LimitRanger:此准入控制器将确保所有资源请求不会超过 namespace 的 LimitRange。
SecurityContextDeny:此准入控制器将拒绝任何试图设置某些升级的SecurityContext字段的pod 。
ServiceAccount:此准入控制器实现serviceAccounts的自动化。
ResourceQuota:此准入控制器将观察传入请求并确保它不违反命名空间的ResourceQuota对象中列举的任何约束。
NodeRestriction:该准入控制器限制了 kubelet 可以修改的Node和Pod对象。
NamespaceExists:此许可控制器检查除 Namespace 其自身之外的命名空间资源上的所有请求。如果请求引用的命名空间不存在,则拒绝该请求。
NamespaceLifecycle:此准入控制器强制执行正在终止的命令空间中不能创建新对象,并确保Namespace拒绝不存在的请求。此准入控制器还防止缺失三个系统保留的命名空间default、kube-system、kube-public。

原文地址:http://blog.51cto.com/jerrymin/2340022

时间: 2024-10-08 10:02:00

kubernetes1.13.1部署ingress-nginx并配置https转发dashboard的相关文章

Nginx+Tomcat配置https

Nginx + Tomcat 配置 HTTPS 1.总述 浏览器和 Nginx 之间走的 HTTPS 通讯,而 Nginx 到 Tomcat 通过 proxy_pass 走的是普通 HTTP 连接. 2.Nginx配置(nginx.conf),部分 http { #HTTPS server server { listen 443 ssl; server_name goldlone.cn; #证书地址 ssl_certificate ./1_goldlone.cn_bundle.crt; ssl_

Linux下 nginx+tomcat配置https的总结和遇到的坑

证书的获取略 服务器的端口443确保外界网络能够进行访问. 是否配置https: nginx:是 tomcat:否 1.首先查看nginx是否支持SSL. 参考链接: 实战http切换成https 查看nginx支持SSL [[email protected] bin]# /usr/local/nginx/sbin/nginx -V nginx version: nginx/1.13.3 built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC) b

在NGINX上配置HTTPS服务

使用 NGINX 配置 HTTPS服务的步骤如下: 首先应该为你的域名申请一个ssl证书,如果是阿里云的服务器可以直接在阿里云的控制台中申请一个ssl安全证书. 在阿里云平台申请证书完成后,点击下载证书将证书下载到本地.然后用ftp工具传输到你自己的服务器上 listen 443 ssl 监听443号端口 server_name 你服务器的ip或者ip绑定的域名 ssl_certificate 服务器上xxx.pem文件的路径(最好填绝对路径) ssl_certificate_key 服务器上x

Kubernetes1.13.1部署Kuberneted-dashboard v1.10.1版本

参考文档 https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/#deploying-the-dashboard-ui https://github.com/kubernetes/kubernetes/tree/7f23a743e8c23ac6489340bbb34fa6f1d392db9d/cluster/addons/dashboard https://github.com/kubernete

NGINX之——配置HTTPS加密反向代理訪问–自签CA

转载请注明出处:http://blog.csdn.net/l1028386804/article/details/46695495 出于公司内部訪问考虑,採用的CA是本机Openssl自签名生成的,因此无法通过互联网工信Root CA验证,所以会出现该站点不受信任或安全证书无效的提示.直接跳过,直接訪问就可以! HTTPS的原理和訪问过程: server必要条件 一个server私钥 KEY文件 一张与server域名匹配的CA证书(公钥,依据私钥key生成) 訪问过程: 1,client浏览器

NGINX之——配置HTTPS加密反向代理访问–自签CA

转载请注明出处:http://blog.csdn.net/l1028386804/article/details/46695495 出于公司内部访问考虑,采用的CA是本机Openssl自签名生成的,因此无法通过互联网工信Root CA验证,所以会出现该网站不受信任或安全证书无效的提示,直接跳过,直接访问即可! HTTPS的原理和访问过程: 服务器必要条件 一个服务器私钥 KEY文件 一张与服务器域名匹配的CA证书(公钥,根据私钥key生成) 访问过程: 1,客户端浏览器通过https协议访问服务

nginx + tomcat配置https的两种方法

# The frist method: - Nginx and Tomcat using HTTPS: 1. nginx configuration: upstream test { server 172.16.7.30:8443 weight=1; } upstream master { server 172.16.7.31:8443 weight=1; } server { listen 80; server_name test.hbc315.com master.hbc315.com; r

tomcat 安装配置部署到nginx+tomcat+https

目录 1 Tomcat简介 2.下载并安装Tomcat服务 2.2 部署java环境 2.3 安装Tomcat 2.4 Tomcat目录介绍 (关注点 bin conf logs webapps) 2.5 启动Tomcat 3.2 Tomcat管理 8 搭建jpress--java 版本的wordpress tomcat 配置文件 conf/server.xml tomcat 自定义网站目录 Tomcat多实例 (多个虚拟主机) tomcat反向代理集群 tomcat监控 zabbix监控 ng

nginx配置https及Android客户端访问自签名证书

前一篇随笔通过keytool生成keystore并为tomcat配置https,这篇随笔记录如何给nginx配置https.如果nginx已配置https,则tomcat就不需要再配置https了.通过以下三步生成自签名证书# 生成一个key,你的私钥,openssl会提示你输入一个密码,可以输入,也可以不输,# 输入的话,以后每次使用这个key的时候都要输入密码,安全起见,还是应该有一个密码保护> openssl genrsa -des3 -out selfsign.key 4096 # 使用