容器引擎CCE

    通过YAML创建CCE Ingress

    本文档介绍如何通过YAML创建和管理CCE Ingress。

    创建Ingress Controller资源

    使用以下yaml内容创建Ingress Controller:

    kubectl create -f ingress-controller.yaml

    ingress-controller.yaml 如下所示:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      namespace: kube-system
      name: cce-ingress-clusterrole
    rules:
    - apiGroups: [""]
      resources:
      - nodes
      - services
      verbs: ["get", "list", "watch"]
    - apiGroups: ["extensions"]
      resources:
      - ingresses
      verbs: ["get", "list", "watch", "update", "patch"]
    - apiGroups: [""]
      resources:
      - events
      verbs: ["create", "update", "patch"]
    - apiGroups:
        - "extensions"
      resources:
        - ingresses/status
      verbs:
        - update
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      namespace: kube-system
      name: cce-ingress-serviceaccount
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      namespace: kube-system
      name: cce-ingress-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cce-ingress-clusterrole
    subjects:
    - kind: ServiceAccount
      namespace: kube-system
      name: cce-ingress-serviceaccount
    ---
    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: cce-ingress-controller
      namespace: kube-system
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: cce-ingress-controller
      template:
        metadata:
          labels:
            app: cce-ingress-controller
        spec:
          hostNetwork: true
          serviceAccountName: cce-ingress-serviceaccount
          dnsPolicy: ClusterFirst
          restartPolicy: Always
          terminationGracePeriodSeconds: 30
          containers:
          - name: ingress-controller
            image: hub.baidubce.com/cce/cce-ingress-controller:latest
            imagePullPolicy: Always
            volumeMounts:
              - name: etc-volume
                mountPath: /etc/kubernetes/
                readOnly: true
            resources:
              limits:
                cpu: 0.5
                memory: 500Mi
          volumes:
          - name: etc-volume
            hostPath:
              path: /etc/kubernetes/

    创建示例 Deployment 和 Service

    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: ingress-nginx-deployment
      labels:
        app: ingress-nginx
    spec:
      replicas: 2
      selector:
        matchLabels:
          app: ingress-nginx
      template:
        metadata:
          labels:
            app: ingress-nginx
        spec:
          containers:
          - name: nginx
            image: hub.baidubce.com/cce/nginx-ingress
            ports:
            - containerPort: 80
    ---
    kind: Service
    apiVersion: v1
    metadata:
      name: hello-service
    spec:
      selector:
        app: ingress-nginx
      type: NodePort
      ports:
      - protocol: TCP
        port: 8000
        targetPort: 80
    ---
    kind: Service
    apiVersion: v1
    metadata:
      name: world-service
    spec:
      selector:
        app: ingress-nginx
      type: NodePort
      ports:
      - protocol: TCP
        port: 9000
        targetPort: 80

    创建Ingress对象

    使用以下yaml内容创建名为 helloworld 的 Ingress 对象,并配置Ingress转发规则:

    • www.cce-ingress.com/hello/ -> hello-service:8000/hello/
    • www.cce-ingress.com/world/ -> world-service:9000/world/

    可通过Ingress annotations中的参数对Ingress进行配置,例如指定BLB或EIP。

    Service 对应后端服务必须支持转发策略的 URI,如果要支持所有情况,建议设置为 /*,这里对URI的路径要求很严格注意"/"。

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      annotations:
        cce.ingress.blb-backup-content: ""
        kubernetes.io/cce.ingress.blb-cert-id: ""
        kubernetes.io/cce.ingress.blb-id: ""
        kubernetes.io/cce.ingress.eip: ""
        kubernetes.io/cce.ingress.http-redirect: "false"
        kubernetes.io/cce.ingress.https: "false"
        kubernetes.io/cce.ingress.internal: "false"
        kubernetes.io/cce.ingress.timeout-in-seconds: "30"
        kubernetes.io/cce.ingress.vpc-subnet-id: ""
        kubernetes.io/ingress.class: cce
      name: helloworld
      namespace: default
    spec:
      rules:
      - host: www.cce-ingress.com
        http:
          paths:
          - backend:
              serviceName: hello-service
              servicePort: 8000
            path: /hello/
          - backend:
              serviceName: world-service
              servicePort: 9000
            path: /world/

    访问测试

    修改本地 /etc/hosts,将 www.cce-ingress.com 指向 EIP(例如: 106.12.52.80),可在控制台或者集群内查看ingress信息:

    # kubectl get ingress
    NAME         HOSTS                 ADDRESS                    PORTS   AGE
    helloworld   www.cce-ingress.com   10.0.3.251,106.12.52.80   80      6m34s

    访问测试:

    cce-ingress-hello.png

    cce-ingress-world.png

    Ingress Annotation 说明

    参数名 类型 说明 示例
    kubernetes.io/ingress.class string 指定为 cce-ingress-controller 托管 "cce"
    kubernetes.io/cce.ingress.blb-id string Ingress 绑定 BLB,修改或删除可能会导致 BLB 泄漏 "lb-asdfDsXS"
    kubernetes.io/cce.ingress.internal string 是否只内网访问,默认 "false" "true" 或 "false"
    kubernetes.io/cce.ingress.eip string Ingress 绑定 EIP,修改或删除可能会导致 EIP 泄漏 "100.0.0.1"
    kubernetes.io/cce.ingress.eip-bandwidth-in-mbps string EIP 带宽,按流量计费 1~1000 mbps "500"
    kubernetes.io/cce.ingress.timeout-in-seconds string 访问超时时间 1~3600 "1500"
    kubernetes.io/cce.ingress.https string 是否支持 HTTPS "true" 或 "false"
    kubernetes.io/cce.ingress.http-redirect string HTTP 是否支持 HTTPS 重定向,开启 HTTPS 才生效 "true" 或 "false"
    kubernetes.io/cce.ingress.blb-cert-id string HTTPS 证书 ID "xs-asdfDESz"
    kubernetes.io/cce.ingress.max-backend-count string BLB 挂载默认 RS 数,默认不做限制 "50"
    kubernetes.io/cce.ingress.vpc-subnet-id string 指定 BLB VPC 子网,默认不使用 "sb-adfEsDzs"

    CCE Ingress 为满足单个域名同时支持 HTTP 及 HTTPS 转发,新增如下两条 Annotation:

    kubernetes.io/cce.ingress.http-rules:

    [
        {
            "host":"baidu-cce-ingress.com",
            "http":{
                "paths":[
                    {
                        "path":"/apple/",
                        "backend":{
                            "serviceName":"service-example",
                            "servicePort":80
                        }
                    },
                    {
                        "path":"/banana/",
                        "backend":{
                            "serviceName":"service-example",
                            "servicePort":80
                        }
                    }
                ]
            }
        }
    ]

    kubernetes.io/cce.ingress.https-rules

    [
        {
            "host":"baidu-cce-ingress.com",
            "http":{
                "paths":[
                    {
                        "path":"/orange/",
                        "backend":{
                            "serviceName":"service-example",
                            "servicePort":80
                        }
                    }
                ]
            }
        }
    ]

    规则逻辑如下:

    for rule in rules:
        if rule in annotation_https_rules:
            setHTTPS(rule)
         
        if rule in annotation_http_rule:
            setHTTP(rule)
     
        if rule not in annotation_https_rules && rule not in annotation_http_rule:
            setHTTP(rule)
    上一篇
    灰度发布
    下一篇
    网络管理