A Service lets users reach Pods through a specific port; once several Services sit in front of Pods, you have to know every port to reach each one. An Ingress sits in front of multiple Services and routes to different Pods by DNS name or by path. It works at the HTTP/HTTPS layer (Layer 7), and an SSL certificate can be attached to the URL to improve security.
When an Ingress is configured on AWS EKS, AWS deploys an ALB for it (if you are unsure what an ALB does, review [Day18]), so users only need the ALB's DNS name to reach the services running on the Pods. The diagram below helps illustrate this:
Follow the steps in this post in order and you will have an Ingress running on EKS; run the commands one after another.
```shell
# 1. Associate an IAM OIDC provider with the cluster (required for IAM roles for service accounts)
eksctl utils associate-iam-oidc-provider --cluster <your cluster name> --approve

# 2. Apply the RBAC role for the controller
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.8/docs/examples/rbac-role.yaml

# 3. Download the controller's IAM policy and create it in the account
curl -o iam_policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.2.0/docs/install/iam_policy.json
aws iam create-policy \
  --policy-name AWSLoadBalancerControllerIAMPolicy \
  --policy-document file://iam_policy.json

# 4. Create the controller's service account with the policy attached
eksctl create iamserviceaccount \
  --cluster=itcluster \
  --namespace=kube-system \
  --name=aws-load-balancer-controller \
  --attach-policy-arn=arn:aws:iam::<your account ID>:policy/AWSLoadBalancerControllerIAMPolicy \
  --override-existing-serviceaccounts \
  --approve

# 5. Install cert-manager (the controller's webhook depends on it)
kubectl apply \
  --validate=false \
  -f https://github.com/jetstack/cert-manager/releases/download/v1.1.1/cert-manager.yaml

# 6. Install the AWS Load Balancer Controller
curl -o v2_2_0_full.yaml https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.2.0/docs/install/v2_2_0_full.yaml
kubectl apply -f v2_2_0_full.yaml

# 7. Deploy the Ingress and the web application
kubectl apply -f ingress.yaml
kubectl apply -f web-deploy.yaml
```
Below we walk through the two files, ingress.yaml and web-deploy.yaml, as well as the cluster configuration.
The cluster settings below are the same as in earlier posts. If security is a concern, you can set up a private cluster so that the Nodes are placed in private subnets; with an ALB in front, the machines in the private subnets can still be reached.
```yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: itcluster
  region: us-east-2
vpc:
  clusterEndpoints:
    publicAccess: true
    privateAccess: true
  publicAccessCIDRs: ["MYIP"]
managedNodeGroups:
  - name: it-mng
    instanceType: t3.small
    minSize: 1
    maxSize: 3
    desiredCapacity: 2
    volumeSize: 10
    volumeType: gp3
    ssh:
      publicKeyName: itdemo
    labels:
      name: morepods
```
![https://ithelp.ithome.com.tw/upload/images/20211010/20140172Bmb8XLdWS2.png](https://ithelp.ithome.com.tw/upload/images/20211010/20140172Bmb8XLdWS2.png)

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: instance
    alb.ingress.kubernetes.io/target-node-labels: name=morepods
spec:
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web-svc
                port:
                  number: 80
```
annotations: settings that tell AWS how to configure the ALB
alb.ingress.kubernetes.io/scheme: the ALB faces the internet
alb.ingress.kubernetes.io/target-type: Instance (the machine) or IP
alb.ingress.kubernetes.io/target-node-labels: which machines are registered in the target group
The Ingress then looks for the Service named web-svc behind it and connects to it.
In the web-deploy file I have written two resources, a Service and a Deployment. All of these parameters were introduced in earlier posts, so refer back to those chapters for a refresher. If the number of Nodes in EKS keeps growing and you want Pods deployed onto particular Nodes, use nodeSelector to manage that.
```yaml
apiVersion: v1
kind: Service
metadata:
  name: web-svc
spec:
  type: NodePort
  selector:
    app: web
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-deploy
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      nodeSelector:
        name: morepods
      containers:
        - name: web
          image: johnson860312/awswebdb
          resources:
            limits:
              memory: "256Mi"
              cpu: "128m"
          ports:
            - containerPort: 80
```
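The Ingress, Service and Deployment above only work together when their fields line up: the Ingress backend must name an existing Service on a port it exposes, `target-type: instance` needs a NodePort Service (the ALB registers node ports), the Service selector must match the Pod template labels, the Service targetPort must be a containerPort, and the `target-node-labels` should match the Deployment's `nodeSelector` so the nodes in the target group are the ones actually running the Pods. The following check script is an added example, not code from the original post; it embeds constructed JSON renderings of the post's ingress.yaml and web-deploy.yaml (kubectl accepts JSON as well as YAML) so it runs offline with only the standard library, and it also reports whether the `scheme` annotation makes the ALB public.

```python
"""Cross-check an ALB Ingress against the Service and Deployment it routes to.

Added example, not part of the original post. INGRESS, SERVICE and DEPLOYMENT
are constructed JSON renderings of the post's ingress.yaml and web-deploy.yaml.
"""
import copy
import json

INGRESS = json.loads("""{
  "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
  "metadata": {"name": "web-ingress", "annotations": {
      "kubernetes.io/ingress.class": "alb",
      "alb.ingress.kubernetes.io/scheme": "internet-facing",
      "alb.ingress.kubernetes.io/target-type": "instance",
      "alb.ingress.kubernetes.io/target-node-labels": "name=morepods"}},
  "spec": {"rules": [{"http": {"paths": [
    {"path": "/", "pathType": "Prefix",
     "backend": {"service": {"name": "web-svc", "port": {"number": 80}}}}]}}]}
}""")

SERVICE = json.loads("""{
  "apiVersion": "v1", "kind": "Service", "metadata": {"name": "web-svc"},
  "spec": {"type": "NodePort", "selector": {"app": "web"},
           "ports": [{"port": 80, "targetPort": 80, "protocol": "TCP"}]}
}""")

DEPLOYMENT = json.loads("""{
  "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web-deploy"},
  "spec": {"replicas": 2, "selector": {"matchLabels": {"app": "web"}},
    "template": {"metadata": {"labels": {"app": "web"}},
      "spec": {"nodeSelector": {"name": "morepods"},
        "containers": [{"name": "web", "image": "johnson860312/awswebdb",
                        "ports": [{"containerPort": 80}]}]}}}
}""")

ALB = "alb.ingress.kubernetes.io/"


def parse_node_labels(value):
    """Parse the 'key=value,key2=value2' form used by target-node-labels."""
    return dict(item.split("=", 1) for item in value.split(",") if "=" in item)


def is_internet_facing(ingress):
    """True when the ALB is public; the controller's default scheme is internal."""
    ann = ingress["metadata"].get("annotations", {})
    return ann.get(ALB + "scheme", "internal") == "internet-facing"


def check_manifests(ingress, services, deployments):
    """Return the mismatches that would leave the ALB without a healthy target."""
    problems = []
    ann = ingress["metadata"].get("annotations", {})
    target_type = ann.get(ALB + "target-type", "instance")
    node_labels = parse_node_labels(ann.get(ALB + "target-node-labels", ""))
    svc_by_name = {s["metadata"]["name"]: s for s in services}

    for rule in ingress["spec"].get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            backend = path["backend"]["service"]
            name = backend["name"]
            svc = svc_by_name.get(name)
            if svc is None:
                problems.append(f"{path['path']}: backend Service {name} is not defined")
                continue
            spec = svc["spec"]
            if backend["port"]["number"] not in {p["port"] for p in spec["ports"]}:
                problems.append(f"{name}: Service does not expose port {backend['port']['number']}")
            # Instance mode registers node ports, so a ClusterIP Service cannot be reached.
            if target_type == "instance" and spec.get("type") not in ("NodePort", "LoadBalancer"):
                problems.append(f"{name}: target-type instance requires a NodePort Service, "
                                f"got {spec.get('type', 'ClusterIP')}")
            # Deployments whose Pod template carries every label the Service selects on.
            matched = [d for d in deployments
                       if all(d["spec"]["template"]["metadata"].get("labels", {}).get(k) == v
                              for k, v in spec["selector"].items())]
            if not matched:
                problems.append(f"{name}: no Deployment Pod template matches selector {spec['selector']}")
            for dep in matched:
                pod_spec = dep["spec"]["template"]["spec"]
                dep_name = dep["metadata"]["name"]
                container_ports = {p["containerPort"] for c in pod_spec["containers"]
                                   for p in c.get("ports", [])}
                for p in spec["ports"]:
                    tp = p.get("targetPort", p["port"])
                    if isinstance(tp, int) and tp not in container_ports:
                        problems.append(f"{name}: targetPort {tp} is not a containerPort in {dep_name}")
                # Nodes registered in the target group should be the nodes the Pods land on.
                if node_labels and pod_spec.get("nodeSelector", {}) != node_labels:
                    problems.append(f"{dep_name}: nodeSelector {pod_spec.get('nodeSelector', {})} "
                                    f"does not match target-node-labels {node_labels}")
    return problems


def broken_variant():
    """Constructed misconfiguration: the same Service switched to ClusterIP."""
    svc = copy.deepcopy(SERVICE)
    svc["spec"]["type"] = "ClusterIP"
    return check_manifests(INGRESS, [svc], [DEPLOYMENT])


if __name__ == "__main__":
    print("public ALB:", is_internet_facing(INGRESS))
    print("problems:", check_manifests(INGRESS, [SERVICE], [DEPLOYMENT]) or "none")
    print("ClusterIP variant:", broken_variant())
```

For the post's manifests the check reports no problems and confirms the ALB is internet-facing, which is the intended exposure here; the ClusterIP variant shows the kind of mismatch that otherwise only surfaces as an unhealthy target group after the ALB has been created.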
Copy this Address into a browser and you will see the deployed application; alternatively, copy the DNS name from the ALB itself.
That covers the basics of Ingress; tomorrow we will look at HPA.