Services that users deploy on Kubernetes typically run on private networks. Pods and Services provide parameters such as hostPort and NodePort to expose these service ports on the K8s nodes for user access. This approach has obvious drawbacks:
1) It easily occupies an excessive number of host ports;
2) Service ports are exposed on multiple hosts, which makes firewall and security configuration more difficult;
3) The default hostPort and NodePort modes do not provide load balancing.
K8s's Ingress resource provides another way to expose services: the status of each service is obtained and passed to a tool such as Nginx, which modifies its configuration, reloads and so on, to provide load balancing, virtual hosts, SSL and other functions. It only needs to occupy three ports (80, 443 and 8080) on one host to provide these functions for all HTTP services.
Kubernetes has instructions for installing Nginx Ingress, and many documents on the Internet can also be consulted:
https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx
My first installation, done by following the official instructions, did not succeed. After consulting a large number of documents and combining them with my own practice, I finally eliminated the problems and the installation succeeded. I share my installation process below.
1. Preparing the installation Environment
K8s 1.2
2. Enable Kubernetes API Authentication
http://kubernetes.io/docs/admin/authentication/
This step cannot be skipped, otherwise Nginx Ingress cannot start.
There are a few points to pay special attention to, otherwise Nginx Ingress fails at startup with a TLS handshake failure error:
1) The ServiceAccount certificate must be generated
After the certificate is generated, enable it in /etc/kubernetes/apiserver and controller-manager
2) The cluster IP must be added to server.crt
# Add the cluster IP of the kubernetes service to server.crt
# (with --all-namespaces, CLUSTER-IP is the third column of the output)
subjectAltName=`kubectl get services --all-namespaces | grep 'default' | grep 'kubernetes' | grep '443' | awk '{print $3}'`
echo subjectAltName=IP:${subjectAltName} > extfile.cnf
# Generate server.crt from ca.key, ca.crt and server.csr:
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out server.crt -days 10000
3) Delete the old secrets and service accounts after updating the certificate
kubectl get secret --all-namespaces
kubectl get serviceaccount --all-namespaces
Find the secrets and service accounts whose names begin with default and delete them; the system regenerates them automatically.
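A check for point 2) above, as an added example that is not part of the original post or of the Kubernetes project: it extracts the cluster IP of the default/kubernetes service and confirms that the certificate's Subject Alternative Name lists exactly that IP. The function names are hypothetical, and the service listing and certificate dump are constructed sample data.

```shell
#!/bin/sh
# Added example: verify that server.crt covers the kubernetes cluster IP.

# Print the CLUSTER-IP of the default/kubernetes service from the output of
# `kubectl get services --all-namespaces` read on stdin.
# Assumed columns: NAMESPACE NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE.
cluster_ip_from_services() {
    awk '$1 == "default" && $2 == "kubernetes" { print $3; exit }'
}

# Succeed if the `openssl x509 -noout -text` dump on stdin lists IP $1 in its
# Subject Alternative Name extension. Each entry is compared exactly, so
# 10.254.0.1 does not match a certificate that only carries 10.254.0.10.
san_has_ip() {
    awk -v want="IP Address:$1" '
        /X509v3 Subject Alternative Name/ { in_san = 1; next }
        in_san {
            n = split($0, entries, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", entries[i])
                if (entries[i] == want) found = 1
            }
            in_san = 0
        }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample data so the functions can be exercised offline.
SAMPLE_SERVICES='NAMESPACE     NAME                   CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
default       kubernetes             10.254.0.1     <none>        443/TCP   12d
kube-system   kubernetes-dashboard   10.254.113.7   <none>        80/TCP    2d'

# Constructed dump of a certificate that carries the wrong IP.
SAMPLE_CERT_TEXT='        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:10.254.0.10, DNS:kubernetes.default'

# On a real master (not run here):
#   ip=$(kubectl get services --all-namespaces | cluster_ip_from_services)
#   openssl x509 -in server.crt -noout -text | san_has_ip "$ip" \
#       || echo "server.crt is missing IP:$ip, regenerate it" >&2
```

If the check fails, regenerate server.crt with the extfile step above before deleting the default secrets and service accounts.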
3. Installing Nginx Ingress
Note: To display nginx_status, you need to expose port 8080 in addition to 80 and 443, and deploy a ConfigMap:
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-load-balancer-conf
data:
  enable-vts-status: "true"
Once the preparation is done, you can install by following the official documentation.
4. Example
Below, Nginx Ingress is used to expose kubernetes-dashboard on a virtual host and to add HTTPS:
4.1 Creating Dashboard Secret
https://github.com/kubernetes/contrib/blob/master/ingress/controllers/nginx/examples/tls/README.md
Note: When creating the key, fill in the virtual hostname, for example k8s-dashboard.gkkxd.com. If the name is inconsistent with the one actually used in the browser later, access will be rejected.
4.2 Deployment of Dashboard
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  labels:
    app: kubernetes-dashboard
    version: v1.1.0
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kubernetes-dashboard
  template:
    metadata:
      labels:
        app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: 172.31.17.36:5000/kubernetes-dashboard-amd64:v1.1.0
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 9090
          protocol: TCP
        args:
          # Uncomment the following line to manually specify Kubernetes API server host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          - --apiserver-host=http://172.31.17.81:8080
        livenessProbe:
          httpGet:
            path: /
            # Probe the port the container listens on (containerPort above)
            port: 9090
          initialDelaySeconds: 30
          timeoutSeconds: 30
---
kind: Service
apiVersion: v1
metadata:
  labels:
    app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
  - port: 80
    targetPort: 9090
  selector:
    app: kubernetes-dashboard
Note: Set the port of the Service to 80.
4.3 Creating dashboard Ingress Resources
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: k8s-dashboard
  namespace: kube-system
spec:
  tls:
  - hosts:
    - k8s-dashboard.gkkxd.com
    secretName: k8s-dashboard-secret
  rules:
  - host: k8s-dashboard.gkkxd.com
    http:
      paths:
      - backend:
          serviceName: kubernetes-dashboard
          servicePort: 80
        path: /
Note: Set parameters such as the TLS section, the virtual hostname and the backend service.
4.4 Setting up a DNS or Hosts file
Set the IP address for k8s-dashboard.gkkxd.com.
Once this is set up, you can access the dashboard at http://k8s-dashboard.gkkxd.com or https://k8s-dashboard.gkkxd.com.
Nginx Status:
[System integration] Implement HTTP Service Release and load balancing with Kubernetes Nginx ingress