Kubernetes Ingress with AWS ALB Ingress Controller

by Nishi Davidson | on 20 NOV 2018 | in Amazon Elastic Kubernetes Service, Open Source

Kubernetes Ingress is an API object that allows you to manage external (or internal) HTTP[S] access to Kubernetes services running in a cluster. Amazon Elastic Load Balancing Application Load Balancer (ALB) is a popular AWS service that load balances incoming traffic at the application layer (layer 7) across multiple targets, such as Amazon EC2 instances, in a region. ALB supports multiple features including host- or path-based routing, TLS (Transport Layer Security) termination, WebSockets, HTTP/2, AWS WAF (web application firewall) integration, integrated access logs, and health checks.

The AWS ALB Ingress controller is a controller that triggers the creation of an ALB and the necessary supporting AWS resources whenever a Kubernetes user declares an Ingress resource on the cluster. The Ingress resource uses the ALB to route HTTP[S] traffic to different endpoints within the cluster. The AWS ALB Ingress controller works on any Kubernetes cluster, including Amazon Elastic Container Service for Kubernetes (EKS).

Terminology

We will use the following acronyms to describe the Kubernetes Ingress concepts in more detail:

How Kubernetes Ingress works with aws-alb-ingress-controller

The following diagram details the AWS components that the aws-alb-ingress-controller creates whenever an Ingress resource is defined by the user. The Ingress resource routes ingress traffic from the ALB to the Kubernetes cluster.

Ingress Creation

Following the steps in the numbered blue circles in the above diagram:

  1. The controller watches for ingress events from the API server. When it finds ingress resources that satisfy its requirements, it begins creation of AWS resources.
  2. An ALB is created for the Ingress resource.
  3. TargetGroups are created for each backend specified in the Ingress resource.
  4. Listeners are created for every port specified in the Ingress resource annotation. When no port is specified, sensible defaults (80 or 443) are used.
  5. Rules are created for each path specified in your ingress resource. This ensures that traffic to a specific path is routed to the correct TargetGroup created.

Ingress Traffic

The AWS ALB Ingress controller supports two traffic modes: instance mode and ip mode.
Users can explicitly specify these traffic modes by declaring the alb.ingress.kubernetes.io/target-type annotation on the Ingress and the Service definitions.

  • instance mode: Ingress traffic starts from the ALB and reaches the NodePort opened for your service. Traffic is then routed to the container Pods within the cluster. The number of hops for the packet to reach its destination in this mode is always two.
  • ip mode: Ingress traffic starts from the ALB and reaches the container Pods within the cluster directly. In order to use this mode, the networking plugin for the Kubernetes cluster must use a secondary IP address on the ENI as the pod IP, i.e. the AWS CNI plugin for Kubernetes. The number of hops for the packet to reach its destination in this mode is always one.
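To tie the five creation steps to the two traffic modes, here is an added example (not from the original post or the controller project) that renders an Ingress manifest using the controller's annotations: one listener port (step 4), two path rules mapping to two backends and therefore two TargetGroups (steps 3 and 5), and the target-type annotation selecting instance or ip mode. The name, namespace, paths and service names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): emit an ALB Ingress manifest
# that exercises the annotations discussed above. The name, namespace,
# paths and service names passed in are constructed placeholders.

# render_alb_ingress NAME NAMESPACE TARGET_TYPE SVC_A SVC_B
# TARGET_TYPE must be "instance" or "ip"; anything else returns 1.
render_alb_ingress() {
  name="$1"; ns="$2"; target_type="$3"; svc_a="$4"; svc_b="$5"
  case "$target_type" in
    instance|ip) ;;
    *) echo "target-type must be instance or ip, got: $target_type" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ${name}
  namespace: ${ns}
  annotations:
    # Only Ingress objects with this class are handled by the ALB controller
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    # Step 4: one ALB listener is created per port listed here
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]'
    # Traffic mode: "instance" (via the Service NodePort, two hops) or
    # "ip" (pod IP as target, one hop, requires the AWS CNI plugin)
    alb.ingress.kubernetes.io/target-type: ${target_type}
spec:
  rules:
    - http:
        paths:
          # Step 5: each path becomes a listener rule that forwards to the
          # TargetGroup created for its backend Service (step 3)
          - path: /api/*
            backend:
              serviceName: ${svc_a}
              servicePort: 80
          - path: /*
            backend:
              serviceName: ${svc_b}
              servicePort: 80
EOF
}
```

Pipe the output into kubectl apply -f - once the backend Services exist (they must be of type NodePort for instance mode).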

Deploy Amazon EKS with eksctl

First, let’s deploy an Amazon EKS cluster with the eksctl CLI tool.

Install eksctl with Homebrew for macOS users:

brew install weaveworks/tap/eksctl

Create an EKS cluster with the cluster name “attractive-gopher”:

eksctl create cluster --name=attractive-gopher

Go to the “Subnets” section in the VPC Console. Find all the Public subnets for your EKS cluster.

Example:
eksctl-attractive-gopher-cluster/SubnetPublic<USWEST2a>
eksctl-attractive-gopher-cluster/SubnetPublic<USWEST2b>
eksctl-attractive-gopher-cluster/SubnetPublic<USWEST2c>

Configure the Public subnets in the console as defined in this guide. (Most Kubernetes distributions on AWS already do this for you, e.g. kops.)

Deploy AWS ALB Ingress controller

Next, let’s deploy the AWS ALB Ingress controller into our Kubernetes cluster.

Create the IAM policy to give the Ingress controller the right permissions:

  1. Go to the IAM Console and choose the section Policies.
  2. Select Create policy.
  3. Embed the contents of the template iam-policy.json in the JSON section.
  4. Review the policy and save it as “ingressController-iam-policy”.

Attach the IAM policy to the EKS worker nodes:

  1. Go back to the IAM Console.
  2. Choose the section Roles and search for the NodeInstanceRole of your EKS worker node. Example: eksctl-attractive-gopher-NodeInstanceRole-xxxxxx
  3. Attach the policy “ingressController-iam-policy”.

Deploy RBAC Roles and RoleBindings needed by the AWS ALB Ingress controller:

kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.0.0/docs/examples/rbac-role.yaml

Download the AWS ALB Ingress controller YAML into a local file:

curl -sS "https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.0.0/docs/examples/alb-ingress-controller.yaml" > alb-ingress-controller.yaml

Edit the AWS ALB Ingress controller YAML to include the clusterName of the Kubernetes (or Amazon EKS) cluster: set the --cluster-name flag to the real name of your cluster.
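Editing the flag by hand is error-prone, so here is an added example (not from the original post or the controller project) that rewrites the --cluster-name value in the downloaded manifest and checks it before the apply step. The args snippet is a constructed stand-in for the relevant part of alb-ingress-controller.yaml, with devCluster as its placeholder value.

```shell
#!/bin/sh
# Added example (not from the original post): set the --cluster-name flag in
# the downloaded manifest and verify it before deploying. The args snippet
# below is a constructed stand-in for alb-ingress-controller.yaml.

CONSTRUCTED_MANIFEST='        args:
          - --ingress-class=alb
          - --cluster-name=devCluster'

# set_cluster_name FILE NAME: rewrite only the value of --cluster-name,
# leaving indentation and the other args untouched
set_cluster_name() {
  sed -i.bak "s|^\([[:space:]]*- --cluster-name=\).*|\1$2|" "$1" && rm -f "$1.bak"
}

# cluster_name_is_set FILE NAME: succeeds only if the flag equals NAME exactly,
# so a leftover placeholder or a typo is caught before kubectl apply
cluster_name_is_set() {
  grep -q "^[[:space:]]*- --cluster-name=$2\$" "$1"
}

# demo: write the constructed snippet, set the real cluster name, check it
demo() {
  tmp="$(mktemp)"
  printf '%s\n' "$CONSTRUCTED_MANIFEST" > "$tmp"
  set_cluster_name "$tmp" attractive-gopher
  if cluster_name_is_set "$tmp" attractive-gopher; then rc=0; else rc=1; fi
  rm -f "$tmp"
  return $rc
}
```

Run set_cluster_name and cluster_name_is_set against the real alb-ingress-controller.yaml and only proceed to kubectl apply when the check succeeds.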

Deploy the AWS ALB Ingress controller YAML:

kubectl apply -f alb-ingress-controller.yaml

Verify that the deployment was successful and the controller started:

kubectl logs -n kube-system $(kubectl get po -n kube-system | egrep -o alb-ingress[a-zA-Z0-9-]+)

You should be able to see the following output:

-------------------------------------------------------------------------------
AWS ALB Ingress controller
  Release: v1.0.0
  Build: git-6ee1276
  Repository: https://github.com/kubernetes-sigs/aws-alb-ingress-controller
-------------------------------------------------------------------------------

Deploy Sample Application

Now let’s deploy a sample 2048 game into our Kubernetes cluster and use the Ingress resource to expose it to traffic:

Deploy 2048 game resources:

kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.0.0/docs/examples/2048/2048-namespace.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.0.0/docs/examples/2048/2048-deployment.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.0.0/docs/examples/2048/2048-service.yaml

Deploy an Ingress resource for the 2048 game:

kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.0.0/docs/examples/2048/2048-ingress.yaml

After a few seconds, verify that the Ingress resource is enabled:

kubectl get ingress/2048-ingress -n 2048-game

You should be able to see the following output:

NAME         HOSTS         ADDRESS         PORTS   AGE
2048-ingress   *    DNS-Name-Of-Your-ALB    80     3m

Open a browser and paste in your “DNS-Name-Of-Your-ALB”. You should be able to access your newly deployed 2048 game – have fun!

Get Involved

The AWS ALB Ingress controller, a subproject of Kubernetes SIG (Special Interest Group) AWS, is a fully open source project maintained by Yang Yang (@M00nf1sh) and Kraig Amador. Kubernetes SIG-AWS’s technical roadmap is currently steered by three SIG chairs: Nishi Davidson (@nishidavidson), Justin Santa Barbara, and Kris Nova (@krisnova).

AWS ALB Ingress controller has been pegged as an alpha feature in Kubernetes 1.13, due to release early December 2018. The AWS team has also tested the Ingress controller with Amazon EKS that currently supports Kubernetes version 1.10.

More resources:

Source: https://www.cnblogs.com/cloudrivers/p/11231475.html
