kubernetes ingress configuration

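I have a working Nexus 3 pod, reachable on port 30080 (using NodePort): http://nexus.mydomain:30080/ works perfectly from all hosts (from the cluster or outside).

Now I'm trying to make it accessible on port 80 (for obvious reasons).

Following the docs, I've implemented it like this (trivial):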

[...]
---

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: nexus-ingress
  namespace: nexus-ns
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
    - host: nexus.mydomain
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              serviceName: nexus-service
              servicePort: 80

It applies without errors. But when I try to reach http://nexus.mydomain, I get:

Service Unavailable

No logs are shown (the webapp is not hit).

What am I missing?

I don't think you can expose it on port 80 or 443 through a NodePort service, or at least it is not recommended.

In this configuration, the NGINX container remains isolated from the host network. As a result, it can safely bind to any port, including the standard HTTP ports 80 and 443. However, due to the container namespace isolation, a client located outside the cluster network (e.g. on the public internet) is not able to access Ingress hosts directly on ports 80 and 443. Instead, the external client must append the NodePort allocated to the ingress-nginx Service to HTTP requests.

-- Bare-metal considerations - NGINX Ingress Controller

* Emphasis added by me.

While it may sound tempting to reconfigure the NodePort range using the --service-node-port-range API server flag to include unprivileged ports and be able to expose ports 80 and 443, doing so may result in unexpected issues including (but not limited to) the use of ports otherwise reserved to system daemons and the necessity to grant kube-proxy privileges it may otherwise not require.

This practice is therefore discouraged. See the other approaches proposed in this page for alternatives.

-- Bare-metal considerations - NGINX Ingress Controller

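I did a similar setup a few months ago. I installed a MetalLB load balancer and then exposed the service. Depending on your provider (e.g. GKE), a load balancer can even be started automatically, so you may not have to deal with MetalLB at all, although MetalLB is not hard to set up and works well.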

K3s Lightweight Kubernetes

K3s is designed to be a single binary of less than 40MB that completely implements the Kubernetes API. In order to achieve this, they removed a lot of extra drivers that didn't need to be part of the core and are easily replaced with add-ons.

As I mentioned in the comments, K3s uses the Traefik Ingress Controller by default.

Traefik is an open-source Edge Router that makes publishing your services a fun and easy experience. It receives requests on behalf of your system and finds out which components are responsible for handling them.

This information can be found in the K3s Rancher Documentation.

Traefik is deployed by default when starting the server... To prevent k3s from using or overwriting the modified version, deploy k3s with --no-deploy traefik and store the modified copy in the k3s/server/manifests directory. For more information, refer to the official Traefik for Helm Configuration Parameters.

To disable it, start each server with the --disable traefik option.

If you want to deploy the Nginx Ingress controller, you can check the guide How to use NGINX ingress controller in K3s.

Since you are using Nginx Ingress specifics such as nginx.ingress.kubernetes.io/rewrite-target: /, you have to use Nginx Ingress.

If you are going to use more than 2 Ingress controllers, you will need to force the use of nginx ingress via an annotation:

  annotations:
    kubernetes.io/ingress.class: "nginx"

If the information mentioned doesn't help, please provide more details, such as your Deployment and Service.
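
The class mismatch described in the answer above can be checked mechanically. The following is an added example, not part of the original posts: it reads the JSON form of Ingress objects (as produced by `kubectl get ingress -A -o json`) and reports those that carry `nginx.ingress.kubernetes.io/*` annotations without being pinned to the nginx class. The sample objects other than `nexus-ingress`, the function name `audit`, and the class value `traefik` are assumptions made for illustration.

```python
import json

NGINX_PREFIX = "nginx.ingress.kubernetes.io/"
CLASS_ANNOTATION = "kubernetes.io/ingress.class"

def audit(ingress_json, expected_class="nginx"):
    """Return (namespace/name, reason) for Ingresses whose nginx-only
    annotations are not pinned to the nginx controller class."""
    doc = json.loads(ingress_json)
    # Accept either a single Ingress or the List that kubectl emits.
    items = [doc] if doc.get("kind") == "Ingress" else doc.get("items", [])
    findings = []
    for ing in items:
        meta = ing.get("metadata", {})
        annotations = meta.get("annotations") or {}
        if not any(k.startswith(NGINX_PREFIX) for k in annotations):
            continue  # nothing controller-specific that could be ignored
        # The class can come from the annotation or from spec.ingressClassName.
        cls = (annotations.get(CLASS_ANNOTATION)
               or ing.get("spec", {}).get("ingressClassName"))
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
        if cls is None:
            findings.append((ref, "no-class"))
        elif cls != expected_class:
            findings.append((ref, f"class={cls}"))
    return findings

# Constructed sample: the question's Ingress plus two hypothetical ones.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "Ingress",
     "metadata": {"name": "nexus-ingress", "namespace": "nexus-ns",
                  "annotations": {NGINX_PREFIX + "rewrite-target": "/"}},
     "spec": {}},
    {"kind": "Ingress",
     "metadata": {"name": "pinned", "namespace": "demo",
                  "annotations": {NGINX_PREFIX + "rewrite-target": "/",
                                  CLASS_ANNOTATION: "nginx"}},
     "spec": {}},
    {"kind": "Ingress",
     "metadata": {"name": "mismatch", "namespace": "demo",
                  "annotations": {NGINX_PREFIX + "rewrite-target": "/"}},
     "spec": {"ingressClassName": "traefik"}},
]})

if __name__ == "__main__":
    for ref, reason in audit(SAMPLE):
        print(f"{ref}: nginx annotations present, {reason}")
```

A `no-class` finding on a K3s cluster means the default Traefik controller may claim the Ingress, in which case the nginx annotations have no effect.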