所有文档

          容器引擎 CCE

          通过YAML创建CCE Ingress

          本文档介绍如何通过YAML创建和管理CCE Ingress。

          创建Ingress Controller资源

          使用以下yaml内容创建Ingress Controller:

          kubectl create -f ingress-controller.yaml

          ingress-controller.yaml 如下所示:

          apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            namespace: kube-system
            name: cce-ingress-clusterrole
          rules:
          - apiGroups: [""]
            resources:
            - nodes
            - services
            verbs: ["get", "list", "watch"]
          - apiGroups: ["extensions"]
            resources:
            - ingresses
            verbs: ["get", "list", "watch", "update", "patch"]
          - apiGroups: [""]
            resources:
            - events
            verbs: ["create", "update", "patch"]
          - apiGroups:
              - "extensions"
            resources:
              - ingresses/status
            verbs:
              - update
          ---
          apiVersion: v1
          kind: ServiceAccount
          metadata:
            namespace: kube-system
            name: cce-ingress-serviceaccount
          ---
          apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            namespace: kube-system
            name: cce-ingress-binding
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: cce-ingress-clusterrole
          subjects:
          - kind: ServiceAccount
            namespace: kube-system
            name: cce-ingress-serviceaccount
          ---
          apiVersion: apps/v1
          kind: Deployment
          metadata:
            name: cce-ingress-controller
            namespace: kube-system
          spec:
            replicas: 1
            selector:
              matchLabels:
                app: cce-ingress-controller
            template:
              metadata:
                labels:
                  app: cce-ingress-controller
              spec:
                hostNetwork: true
                serviceAccountName: cce-ingress-serviceaccount
                dnsPolicy: ClusterFirst
                restartPolicy: Always
                terminationGracePeriodSeconds: 30
                containers:
                - name: ingress-controller
                  image: hub.baidubce.com/cce/cce-ingress-controller:latest
                  imagePullPolicy: Always
                  volumeMounts:
                    - name: etc-volume
                      mountPath: /etc/kubernetes/
                      readOnly: true
                  resources:
                    limits:
                      cpu: 0.5
                      memory: 500Mi
                volumes:
                - name: etc-volume
                  hostPath:
                    path: /etc/kubernetes/

          创建示例 Deployment 和 Service

          apiVersion: apps/v1
          kind: Deployment
          metadata:
            name: ingress-nginx-deployment
            labels:
              app: ingress-nginx
          spec:
            replicas: 2
            selector:
              matchLabels:
                app: ingress-nginx
            template:
              metadata:
                labels:
                  app: ingress-nginx
              spec:
                containers:
                - name: nginx
                  image: hub.baidubce.com/cce/nginx-ingress
                  ports:
                  - containerPort: 80
          ---
          kind: Service
          apiVersion: v1
          metadata:
            name: hello-service
          spec:
            selector:
              app: ingress-nginx
            type: NodePort
            ports:
            - protocol: TCP
              port: 8000
              targetPort: 80
          ---
          kind: Service
          apiVersion: v1
          metadata:
            name: world-service
          spec:
            selector:
              app: ingress-nginx
            type: NodePort
            ports:
            - protocol: TCP
              port: 9000
              targetPort: 80

          创建Ingress对象

          使用以下yaml内容创建名为 helloworld 的 Ingress 对象,并配置Ingress转发规则:

          • www.cce-ingress.com/hello/ -> hello-service:8000/hello/
          • www.cce-ingress.com/world/ -> world-service:9000/world/

          可通过Ingress annotations中的参数对Ingress进行配置,例如指定BLB或EIP。

          Service 对应后端服务必须支持转发策略的 URI,如果要支持所有情况,建议设置为 /*,这里对URI的路径要求很严格注意"/"。

          apiVersion: extensions/v1beta1
          kind: Ingress
          metadata:
            annotations:
              cce.ingress.blb-backup-content: ""
              kubernetes.io/cce.ingress.blb-cert-id: ""
              kubernetes.io/cce.ingress.blb-id: ""
              kubernetes.io/cce.ingress.eip: ""
              kubernetes.io/cce.ingress.http-redirect: "false"
              kubernetes.io/cce.ingress.https: "false"
              kubernetes.io/cce.ingress.internal: "false"
              kubernetes.io/cce.ingress.timeout-in-seconds: "30"
              kubernetes.io/cce.ingress.vpc-subnet-id: ""
              kubernetes.io/ingress.class: cce
            name: helloworld
            namespace: default
          spec:
            rules:
            - host: www.cce-ingress.com
              http:
                paths:
                - backend:
                    serviceName: hello-service
                    servicePort: 8000
                  path: /hello/
                - backend:
                    serviceName: world-service
                    servicePort: 9000
                  path: /world/

          访问测试

          修改本地 /etc/hosts,将 www.cce-ingress.com 指向 EIP(例如: 106.12.52.80),可在控制台或者集群内查看ingress信息:

          # kubectl get ingress
          NAME         HOSTS                 ADDRESS                    PORTS   AGE
          helloworld   www.cce-ingress.com   10.0.3.251,106.12.52.80   80      6m34s

          访问测试:

          cce-ingress-hello.png

          cce-ingress-world.png

          Ingress Annotation 说明

          参数名 类型 说明 示例
          kubernetes.io/ingress.class string 指定为 cce-ingress-controller 托管 "cce"
          kubernetes.io/cce.ingress.blb-id string Ingress 绑定 BLB,修改或删除可能会导致 BLB 泄漏 "lb-asdfDsXS"
          kubernetes.io/cce.ingress.internal string 是否只内网访问,默认 "false" "true" 或 "false"
          kubernetes.io/cce.ingress.eip string Ingress 绑定 EIP,修改或删除可能会导致 EIP 泄漏 "100.0.0.1"
          kubernetes.io/cce.ingress.eip-bandwidth-in-mbps string EIP 带宽,按流量计费 1~1000 mbps "500"
          kubernetes.io/cce.ingress.timeout-in-seconds string 访问超时时间 1~3600 "1500"
          kubernetes.io/cce.ingress.https string 是否支持 HTTPS "true" 或 "false"
          kubernetes.io/cce.ingress.http-redirect string HTTP 是否支持 HTTPS 重定向,开启 HTTPS 才生效 "true" 或 "false"
          kubernetes.io/cce.ingress.blb-cert-id string HTTPS 证书 ID "xs-asdfDESz"
          kubernetes.io/cce.ingress.max-backend-count string BLB 挂载默认 RS 数,默认不做限制 "50"
          kubernetes.io/cce.ingress.vpc-subnet-id string 指定 BLB VPC 子网,默认不使用 "sb-adfEsDzs"

          CCE Ingress 为满足单个域名同时支持 HTTP 及 HTTPS 转发,新增如下两条 Annotation:

          kubernetes.io/cce.ingress.http-rules:

          [
              {
                  "host":"baidu-cce-ingress.com",
                  "http":{
                      "paths":[
                          {
                              "path":"/apple/",
                              "backend":{
                                  "serviceName":"service-example",
                                  "servicePort":80
                              }
                          },
                          {
                              "path":"/banana/",
                              "backend":{
                                  "serviceName":"service-example",
                                  "servicePort":80
                              }
                          }
                      ]
                  }
              }
          ]

          kubernetes.io/cce.ingress.https-rules

          [
              {
                  "host":"baidu-cce-ingress.com",
                  "http":{
                      "paths":[
                          {
                              "path":"/orange/",
                              "backend":{
                                  "serviceName":"service-example",
                                  "servicePort":80
                              }
                          }
                      ]
                  }
              }
          ]

          规则逻辑如下:

          for rule in rules:
              if rule in annotation_https_rules:
                  setHTTPS(rule)
               
              if rule in annotation_http_rule:
                  setHTTP(rule)
           
              if rule not in annotation_https_rules && rule not in annotation_http_rule:
                  setHTTP(rule)
          上一篇
          灰度发布
          下一篇
          网络管理