通过YAML创建CCE_Ingress
更新时间:2022-03-25
本文档介绍如何通过YAML创建和管理CCE Ingress。
创建Ingress Controller资源
使用以下yaml内容创建Ingress Controller:
kubectl create -f ingress-controller.yamlingress-controller.yaml如下所示:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
namespace: kube-system
name: cce-ingress-clusterrole
rules:
- apiGroups: [""]
resources:
- nodes
- services
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions"]
resources:
- ingresses
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: [""]
resources:
- events
verbs: ["create", "update", "patch"]
- apiGroups:
- "extensions"
resources:
- ingresses/status
verbs:
- update
---
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: kube-system
name: cce-ingress-serviceaccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
namespace: kube-system
name: cce-ingress-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cce-ingress-clusterrole
subjects:
- kind: ServiceAccount
namespace: kube-system
name: cce-ingress-serviceaccount
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cce-ingress-controller
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
app: cce-ingress-controller
template:
metadata:
labels:
app: cce-ingress-controller
spec:
hostNetwork: true
serviceAccountName: cce-ingress-serviceaccount
dnsPolicy: ClusterFirst
restartPolicy: Always
terminationGracePeriodSeconds: 30
containers:
- name: ingress-controller
image: hub.baidubce.com/cce/cce-ingress-controller:latest
imagePullPolicy: Always
volumeMounts:
- name: etc-volume
mountPath: /etc/kubernetes/
readOnly: true
resources:
limits:
cpu: 0.5
memory: 500Mi
volumes:
- name: etc-volume
hostPath:
path: /etc/kubernetes/创建示例Deployment和Service
apiVersion: apps/v1
kind: Deployment
metadata:
name: ingress-nginx-deployment
labels:
app: ingress-nginx
spec:
replicas: 2
selector:
matchLabels:
app: ingress-nginx
template:
metadata:
labels:
app: ingress-nginx
spec:
containers:
- name: nginx
image: hub.baidubce.com/cce/nginx-ingress
ports:
- containerPort: 80
---
kind: Service
apiVersion: v1
metadata:
name: hello-service
spec:
selector:
app: ingress-nginx
type: NodePort
ports:
- protocol: TCP
port: 8000
targetPort: 80
---
kind: Service
apiVersion: v1
metadata:
name: world-service
spec:
selector:
app: ingress-nginx
type: NodePort
ports:
- protocol: TCP
port: 9000
targetPort: 80创建Ingress对象
使用以下yaml内容创建名为helloworld的Ingress对象,并配置Ingress转发规则:
- www.cce-ingress.com/hello/ -> hello-service:8000/hello/
- www.cce-ingress.com/world/ -> world-service:9000/world/
可通过Ingress Annotations中的参数对Ingress进行配置,例如指定BLB或EIP。
Service对应后端服务必须支持转发策略的URI,如果要支持所有情况,建议设置为/*,这里对URI的路径要求很严格注意"/"。
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
cce.ingress.blb-backup-content: ""
kubernetes.io/cce.ingress.blb-cert-id: ""
kubernetes.io/cce.ingress.blb-id: ""
kubernetes.io/cce.ingress.eip: ""
kubernetes.io/cce.ingress.http-redirect: "false"
kubernetes.io/cce.ingress.https: "false"
kubernetes.io/cce.ingress.internal: "false"
kubernetes.io/cce.ingress.timeout-in-seconds: "30"
kubernetes.io/cce.ingress.vpc-subnet-id: ""
kubernetes.io/ingress.class: cce
name: helloworld
namespace: default
spec:
rules:
- host: www.cce-ingress.com
http:
paths:
- backend:
serviceName: hello-service
servicePort: 8000
path: /hello/
- backend:
serviceName: world-service
servicePort: 9000
path: /world/访问测试
修改本地/etc/hosts,将www.cce-ingress.com指向EIP(例如: 106.12.52.80),可在控制台或者集群内查看Ingress信息:
# kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
helloworld www.cce-ingress.com 10.0.3.251,106.12.52.80 80 6m34s访问测试:
Ingress Annotation说明
| 参数名 | 类型 | 说明 | 示例 |
|---|---|---|---|
| kubernetes.io/ingress.class | string | 指定为cce-ingress-controller托管 | "cce" |
| kubernetes.io/cce.ingress.keep-iaas-resource | string | 释放时是否保留BLB/EIP | "true"或"false",默认false |
| kubernetes.io/cce.ingress.blb-name | string | 指定Ingress对应BLB Name | 为避免CCE默认Name超长,支持指定BLB Name |
| kubernetes.io/cce.ingress.enable-ipv6 | string | 在IPv6集群中使用,会为Ingress分配IPv6地址 | "true"或"false",默认为"false" |
| kubernetes.io/cce.ingress.blb-id | string | Ingress绑定BLB,修改或删除可能会导致BLB泄漏 | "lb-asdfDsXS" |
| kubernetes.io/cce.ingress.internal | string | 是否只内网访问,默认"false" | "true"或"false" |
| kubernetes.io/cce.ingress.eip | string | Ingress绑定EIP,修改或删除可能会导致EIP泄漏 | "100.0.0.1" |
| kubernetes.io/cce.ingress.eip-bandwidth-in-mbps | string | EIP带宽,按流量计费1~1000mbps | "500" |
| kubernetes.io/cce.ingress.timeout-in-seconds | string | 访问超时时间1~3600 | "1500" |
| kubernetes.io/cce.ingress.https | string | 是否支持HTTPS | "true"或"false" |
| kubernetes.io/cce.ingress.http-redirect | string | HTTP是否支持HTTPS重定向,开启HTTPS才生效 | "true" 或 "false" |
| kubernetes.io/cce.ingress.blb-cert-id | string | HTTPS证书ID | "xs-asdfDESz" |
| kubernetes.io/cce.ingress.max-backend-count | string | BLB挂载默认RS数,默认不做限制 | "50" |
| kubernetes.io/cce.ingress.vpc-subnet-id | string | 指定BLB VPC子网,默认不使用 | "sb-adfEsDzs" |
| kubernetes.io/cce-elastic-ip-billing-method | string | 关联创建的EIP的计费方式 | "ByBandwidth"或"ByTraffic" |
CCE Ingress为满足单个域名同时支持HTTP及HTTPS转发,新增如下两条Annotation:
kubernetes.io/cce.ingress.http-rules:
[
{
"host":"baidu-cce-ingress.com",
"http":{
"paths":[
{
"path":"/apple/",
"backend":{
"serviceName":"service-example",
"servicePort":80
}
},
{
"path":"/banana/",
"backend":{
"serviceName":"service-example",
"servicePort":80
}
}
]
}
}
]kubernetes.io/cce.ingress.https-rules
[
{
"host":"baidu-cce-ingress.com",
"http":{
"paths":[
{
"path":"/orange/",
"backend":{
"serviceName":"service-example",
"servicePort":80
}
}
]
}
}
]规则逻辑如下:
for rule in rules:
if rule in annotation_https_rules:
setHTTPS(rule)
if rule in annotation_http_rule:
setHTTP(rule)
if rule not in annotation_https_rules && rule not in annotation_http_rule:
setHTTP(rule)