在GKE上使用NGINX Ingress Controller的奇怪之处

时间:2018-03-23 16:11:41

标签: google-cloud-platform google-kubernetes-engine kubernetes-ingress kubernetes

要在GKE上展示我们的应用,我们一直在使用" gce"使用谷歌L7负载平衡器的入口。由于各种原因,我们希望切换到TCP负载均衡器公开的Nginx控制器。设置正常,但有一些奇怪的文物。

$ kubectl get service ingress-nginx-static -n ingress-nginx -o yaml
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: 2018-03-23T15:08:39Z
  labels:
    app: ingress-nginx
  name: ingress-nginx-static
  namespace: ingress-nginx
  resourceVersion: "101258"
  selfLink: /api/v1/namespaces/ingress-nginx/services/ingress-nginx-static
  uid: 110cf622-2eac-11e8-a8e3-42010a84011f
spec:
  clusterIP: 10.51.247.47
  externalTrafficPolicy: Local
  healthCheckNodePort: 32689
  loadBalancerIP: 99.99.99.99
  ports:
  - name: http
    nodePort: 32296
    port: 80
    protocol: TCP
    targetPort: http
  - name: https
    nodePort: 31228
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app: ingress-nginx
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer:
    ingress:
    - ip: 99.99.99.99

我们在群集上配置了许多入口,这些入口都可以从上述的99.99.99.99 ip地址获得。

$ kubectl get ing -n staging-application -o yaml
apiVersion: v1
items:
- apiVersion: extensions/v1beta1
  kind: Ingress
  metadata:
    annotations:
      kubernetes.io/ingress.class: nginx
    creationTimestamp: 2018-03-23T15:15:56Z
    generation: 1
    name: staging-ingress
    namespace: staging-platform
    resourceVersion: "101788"
    selfLink: /apis/extensions/v1beta1/namespaces/staging-platform/ingresses/staging-ingress
    uid: 15b0f0f5-2ead-11e8-a8e3-42010a84011f
  spec:
    rules:
    - host: staging-application.foo.com
      http:
        paths:
        - backend:
            serviceName: staging-application
            servicePort: 80
          path: /
    tls:
    - hosts:
      - staging-application.foo.com
      secretName: wildcard-certificate
  status:
    loadBalancer:
      ingress:
      - ip: 35.189.220.150
      - ip: 35.195.151.243
      - ip: 35.195.156.166
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

虽然设置工作正常但令我困惑的是spec.status.loadBalancer.ingress ips在那里。这些是群集的外部IP地址。我在这里错误配置了什么吗?似乎已创建TCP负载均衡器以响应yaml中描述的此loadBalancer对象。我担心形成负载均衡器的物体会导致负载均衡。在谷歌云中迷惑我。这是一些似乎相关的输出。

$ gcloud compute forwarding-rules describe bertram-cluster --region europe-west1
IPAddress: 35.195.104.202
IPProtocol: TCP
creationTimestamp: '2018-03-22T14:01:09.768-07:00'
description: ''
id: '2098255211810891642'
kind: compute#forwardingRule
loadBalancingScheme: EXTERNAL
name: bertram-cluster
portRange: 80-443
region: https://www.googleapis.com/compute/v1/projects/sonorous-cacao-185213/regions/europe-west1
selfLink: https://www.googleapis.com/compute/v1/projects/sonorous-cacao-185213/regions/europe-west1/forwardingRules/bertram-cluster
target: https://www.googleapis.com/compute/v1/projects/sonorous-cacao-185213/regions/europe-west1/targetPools/a91e005bd2e1311e8a8e342010a84011


$ gcloud compute firewall-rules describe k8s-a91e005bd2e1311e8a8e342010a84011-http-hc
allowed:
- IPProtocol: tcp
  ports:
  - '30008'
creationTimestamp: '2018-03-22T13:57:18.452-07:00'
description: '{"kubernetes.io/service-name":"ingress-nginx/ingress-nginx", "kubernetes.io/service-ip":"104.199.14.53"}'
direction: INGRESS
id: '7902205773442819649'
kind: compute#firewall
name: k8s-a91e005bd2e1311e8a8e342010a84011-http-hc
network: https://www.googleapis.com/compute/v1/projects/sonorous-cacao-185213/global/networks/default
priority: 1000
selfLink: https://www.googleapis.com/compute/v1/projects/sonorous-cacao-185213/global/firewalls/k8s-a91e005bd2e1311e8a8e342010a84011-http-hc
sourceRanges:
- 130.211.0.0/22
- 35.191.0.0/16
- 209.85.152.0/22
- 209.85.204.0/22
targetTags:
- gke-cluster-bertram-2fdf26f5-node

这对我来说似乎很奇怪。这是预期的行为吗?难道我做错了什么?

1 个答案:

答案 0 :(得分:1)

看起来您可能需要将--publish-service标志添加到入口控制器。在nginx-ingress控制器部署中,添加一个参数以将入口控制器的pod名称空间和pod名称传递给它。

例如:

args:
  - --publish-service=ingress-nginx/ingress-nginx

这会将入口控制器服务的IP发布到入口数据。

有关详细信息,请参阅:https://github.com/kubernetes/ingress-nginx/blob/master/docs/examples/static-ip/README.md#acquiring-an-ip