I deployed a development cluster on AWS with Kops (a cluster with 3 worker nodes and 3 master nodes in the central region), and I am trying to set up an Ingress to expose my application to the outside world.
I followed this documentation:
Basically, I deployed skipper Ingress, kube-ingress-aws-controller and external DNS to the cluster, and everything works fine.
Below are the deployment scripts mentioned above.
```yaml
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: skipper-ingress
  namespace: kube-system
  labels:
    component: ingress
spec:
  selector:
    matchLabels:
      component: ingress
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      name: skipper-ingress
      labels:
        component: ingress
        application: skipper
    spec:
      hostNetwork: true
      serviceAccountName: skipper-ingress
      containers:
      - name: skipper-ingress
        image: registry.opensource.zalan.do/pathfinder/skipper:v0.11.17
        ports:
        - name: ingress-port
          containerPort: 9999
          hostPort: 9999
        - name: metrics-port
          containerPort: 9911
        args:
          - "skipper"
          - "-kubernetes"
          - "-kubernetes-in-cluster"
          - "-address=:9999"
          - "-proxy-preserve-host"
          - "-serve-host-metrics"
          - "-enable-ratelimits"
          - "-experimental-upgrade"
          - "-metrics-exp-decay-sample"
          - "-lb-healthcheck-interval=3s"
          - "-metrics-flavour=codahale,prometheus"
          - "-enable-connection-metrics"
        resources:
          requests:
            cpu: 200m
            memory: 200Mi
        readinessProbe:
          httpGet:
            path: /kube-system/healthz
            port: 9999
          initialDelaySeconds: 5
          timeoutSeconds: 5
```
Regarding the skipper RBAC:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: skipper-ingress
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: skipper-ingress
rules:
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["namespaces", "services", "endpoints", "pods"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: skipper-ingress
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: skipper-ingress
subjects:
- kind: ServiceAccount
  name: skipper-ingress
  namespace: kube-system
```
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kube-ingress-aws-controller
  annotations:
    kubernetes.io/ingress.class: "skipper"
  namespace: kube-system
  labels:
    application: kube-ingress-aws-controller
    component: ingress
spec:
  replicas: 1
  selector:
    matchLabels:
      application: kube-ingress-aws-controller
      component: ingress
  template:
    metadata:
      labels:
        application: kube-ingress-aws-controller
        component: ingress
    spec:
      serviceAccountName: kube-ingress-aws
      containers:
      - name: controller
        image: registry.opensource.zalan.do/teapot/kube-ingress-aws-controller:latest
        env:
        - name: AWS_REGION
          value: eu-central-1
        args:
          - "--redirect-http-to-https"
```
Regarding the kube-ingress RBAC:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-ingress-aws
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress-controller
rules:
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - ingresses/status
  verbs:
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-controller
subjects:
- kind: ServiceAccount
  name: default
  namespace: kube-system
- kind: ServiceAccount
  name: default
  namespace: default
- kind: ServiceAccount
  name: kube-ingress-aws
  namespace: kube-system
```
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
  namespace: kube-system
spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: external-dns
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      serviceAccountName: external-dns
      containers:
      - name: external-dns
        image: registry.opensource.zalan.do/teapot/external-dns:latest
        args:
        - --source=service
        - --source=ingress
        - --domain-filter=alchemyone.eu # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
        - --provider=aws
        - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization
        - --aws-zone-type=public # only look at public hosted zones (valid values are public, private or no value for both)
        - --registry=txt
        - --txt-owner-id=my-hostedzone-identifier
      securityContext:
        fsGroup: 65534 # For ExternalDNS to be able to read Kubernetes and AWS token files
```
Regarding the external DNS RBAC:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: external-dns
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get","watch","list"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get","watch","list"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["get","watch","list"]
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["list","watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: external-dns-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns
subjects:
- kind: ServiceAccount
  name: external-dns
  namespace: kube-system
```
After that, I verified that everything was working, so I deployed the frontend of my application:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend
  labels:
    app: frontend
    env: prod
spec:
  replicas: 1
  selector:
    matchLabels:
      app: frontend
  template:
    metadata:
      labels:
        app: frontend
    spec:
      containers:
      - name: frontend
        image: my-react-frontend:latest
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
        readinessProbe:
          httpGet:
            path: /
            port: 8080
          initialDelaySeconds: 30
          periodSeconds: 60
          timeoutSeconds: 5
          successThreshold: 2
        livenessProbe:
          httpGet:
            path: /
            port: 8080
          initialDelaySeconds: 90
          periodSeconds: 60
          timeoutSeconds: 5
          failureThreshold: 2
      hostname: frontend
      imagePullSecrets:
      - name: regcred
---
apiVersion: v1
kind: Service
metadata:
  name: frontend
  labels:
    app: frontend
spec:
  type: ClusterIP
  ports:
  - port: 8080
    name: "frontend-service"
  selector:
    app: frontend
```
Finally, I deployed the Ingress RESOURCE:
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: "test-cluster-ingress"
  annotations:
    kubernetes.io/ingress.class: "skipper"
  labels:
    app: foo-app
spec:
  rules:
  - host: my.example.com
    http:
      paths:
      - backend:
          serviceName: frontend
          servicePort: 8080
```
As expected, the "my.example.com" record set was created in my AWS Route 53 as an alias to my ALB. However, when I try to go to the host (my.example.com), my frontend is not displayed and the message "503 Service Temporarily Unavailable" is shown...
Can you tell me what I am doing wrong? Thanks in advance for your help!
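A 503 from an ALB-fronted ingress usually means that neither the load balancer nor the ingress proxy found a healthy, routable backend, so the first thing worth verifying is the wiring the manifests in the question define. The script below is an added example (my code, not from the question nor from skipper, kube-ingress-aws-controller or external-dns). It transcribes the posted manifests into plain Python dicts so it runs without PyYAML (namespace filled in as `default` where the post sets none; the skipper and controller entries trimmed to the fields checked; all names and ports copied from the post) and runs three static checks: Ingress backend to Service (same namespace, port present) to pod template (selector hits, containerPort open); ClusterRoleBindings that hand a role to a namespace's `default` ServiceAccount, which the posted `ingress-controller` binding does for both `kube-system` and `default`, so any pod in those namespaces without an explicit `serviceAccountName` inherits the right to patch Ingress status; and workloads running with `hostNetwork: true` or an unpinned `:latest` image.

```python
"""Static checks over the manifests posted above (added example, not the question's own code).
The manifests are transcribed as plain dicts so this runs without PyYAML; "default" is filled in
where the post sets no namespace; skipper and the controller are trimmed to the fields checked."""
from typing import Dict, List

INGRESS = {"kind": "Ingress", "metadata": {"name": "test-cluster-ingress", "namespace": "default"},
           "spec": {"rules": [{"host": "my.example.com", "http": {"paths": [
               {"backend": {"serviceName": "frontend", "servicePort": 8080}}]}}]}}
SERVICES = [{"kind": "Service", "metadata": {"name": "frontend", "namespace": "default"},
             "spec": {"selector": {"app": "frontend"}, "ports": [{"port": 8080, "name": "frontend-service"}]}}]
WORKLOADS = [
    {"kind": "Deployment", "metadata": {"name": "frontend", "namespace": "default"},
     "spec": {"template": {"metadata": {"labels": {"app": "frontend"}}, "spec": {"containers": [
         {"name": "frontend", "image": "my-react-frontend:latest", "ports": [{"containerPort": 8080}]}]}}}},
    {"kind": "DaemonSet", "metadata": {"name": "skipper-ingress", "namespace": "kube-system"},
     "spec": {"template": {"metadata": {"labels": {"component": "ingress"}}, "spec": {"hostNetwork": True,
         "containers": [{"name": "skipper-ingress", "ports": [{"containerPort": 9999}],
                         "image": "registry.opensource.zalan.do/pathfinder/skipper:v0.11.17"}]}}}},
    {"kind": "Deployment", "metadata": {"name": "kube-ingress-aws-controller", "namespace": "kube-system"},
     "spec": {"template": {"metadata": {"labels": {"component": "ingress"}}, "spec": {"containers": [
         {"name": "controller", "image": "registry.opensource.zalan.do/teapot/kube-ingress-aws-controller:latest"}]}}}},
]
BINDINGS = [{"kind": "ClusterRoleBinding", "metadata": {"name": "ingress-controller"},
             "roleRef": {"kind": "ClusterRole", "name": "ingress-controller"},
             "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "kube-system"},
                          {"kind": "ServiceAccount", "name": "default", "namespace": "default"},
                          {"kind": "ServiceAccount", "name": "kube-ingress-aws", "namespace": "kube-system"}]}]


def _ns(obj: Dict) -> str:
    return obj["metadata"].get("namespace", "default")


def _pods_matching(selector: Dict[str, str], workloads: List[Dict], ns: str) -> List[Dict]:
    """Workloads in `ns` whose pod template labels satisfy every key of a Service selector."""
    return [w for w in workloads if _ns(w) == ns and all(
        w["spec"]["template"]["metadata"].get("labels", {}).get(k) == v for k, v in selector.items())]


def check_ingress_wiring(ingress: Dict, services: List[Dict], workloads: List[Dict]) -> List[str]:
    """Backend -> Service (same namespace, port exists) -> pod template (selector hits, containerPort open)."""
    findings, ns = [], _ns(ingress)
    by_name = {s["metadata"]["name"]: s for s in services if _ns(s) == ns}
    for rule in ingress["spec"].get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            name, port = path["backend"]["serviceName"], path["backend"]["servicePort"]
            svc = by_name.get(name)
            if svc is None:  # an Ingress can only reference Services in its own namespace
                findings.append(f"service {name} not found in namespace {ns}")
                continue
            ports = svc["spec"]["ports"]
            if not any(port in (p.get("port"), p.get("name")) for p in ports):
                findings.append(f"servicePort {port} is not a port of service {name}")
            selector = svc["spec"].get("selector", {})
            targets = _pods_matching(selector, workloads, ns)
            if not targets:  # no matching pods means the Service will never get Endpoints
                findings.append(f"selector {selector} of service {name} matches no pod template in {ns}")
            for w in targets:
                opened = [cp.get("containerPort") for c in w["spec"]["template"]["spec"]["containers"]
                          for cp in c.get("ports", [])]
                for p in ports:
                    target = p.get("targetPort", p["port"])  # named targetPorts are not resolved here
                    if isinstance(target, int) and target not in opened:
                        findings.append(f"{w['metadata']['name']} does not open containerPort {target}")
    return findings


def check_rbac_bindings(bindings: List[Dict]) -> List[str]:
    """Flag bindings that grant a role to a namespace's `default` ServiceAccount: every pod in that
    namespace without an explicit serviceAccountName (and with token automount on) inherits it."""
    return [f"{b['metadata']['name']} grants {b['roleRef']['name']} to default SA in {s.get('namespace')}"
            for b in bindings for s in b.get("subjects", [])
            if s.get("kind") == "ServiceAccount" and s.get("name") == "default"]


def check_workload_hardening(workloads: List[Dict]) -> List[str]:
    """Flag hostNetwork pods and images with no pinned tag (`:latest` or no tag at all)."""
    findings = []
    for w in workloads:
        pod, name = w["spec"]["template"]["spec"], w["metadata"]["name"]
        if pod.get("hostNetwork"):
            findings.append(f"{name} runs with hostNetwork: true (shares the node's network namespace)")
        for c in pod.get("containers", []):
            tag = c["image"].rsplit("/", 1)[-1].partition(":")[2]  # digest refs yield a non-empty tag
            if tag in ("", "latest"):
                findings.append(f"{name}/{c['name']} uses unpinned image {c['image']}")
    return findings


if __name__ == "__main__":
    for f in check_ingress_wiring(INGRESS, SERVICES, WORKLOADS) + check_rbac_bindings(BINDINGS) + check_workload_hardening(WORKLOADS):
        print("-", f)
```

Run it with `python3 ingress_checks.py` (the file name is my choice). On the posted manifests the wiring check returns no findings, so the 503 is not a label, namespace or port mismatch in these files; what remains is runtime state a static check cannot see, and the same questions map onto `kubectl get endpoints frontend` (does the Service have any ready addresses?), `kubectl get pods -l app=frontend` (is the pod Ready, given the readiness probe's 30 s initial delay and `successThreshold: 2` at 60 s intervals?), and the ALB target group health in the AWS console. The RBAC and hardening checks each report findings on the posted manifests: the `default` ServiceAccounts of two namespaces hold the ingress-controller role, skipper runs in the node's network namespace, and two images float on `:latest`.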