网站开发php未来发展,国外网站 国内访问速度,科技企业网站建设,如何在局域网做网站问题
我需要在k8s集群里面部署springboot服务#xff0c;通过k8s ingress访问集群内部的springboot服务#xff0c;应该怎么做#xff1f; 这里假设已经准备好k8s集群#xff0c;而且也准备好springboot服务的运行镜像了。这里我们将精力放在k8s服务编排上面。
一图胜千言…问题
我需要在k8s集群里面部署springboot服务通过k8s ingress访问集群内部的springboot服务应该怎么做 这里假设已经准备好k8s集群而且也准备好springboot服务的运行镜像了。这里我们将精力放在k8s服务编排上面。
一图胜千言 上图来自于kubernetes的ingress教程。接下来我们按照上述部署1个ingress2个服务。
service1
先用kubectl命令创建一个deployment.yaml和service.yaml然后将这两个内容合并到一个文件中即service1.yaml。具体命令如下 创建deployment.yaml
kubectl create deployment service1 --image xxx.dkr.ecr.us-east-1.amazonaws.com/service1:latest -o yaml --dry-runclient k8s/deployment.yaml 创建service.yaml kubectl create service clusterip service1 --tcp 8080:8080 -o yaml --dry-runclient k8s/service.yaml 根据自己需求去掉一下不要的内容调整相关配置合并成如下内容
service1.yaml
apiVersion: apps/v1
kind: Deployment
metadata:labels:app: service1name: service1
spec:replicas: 2selector:matchLabels:app: service1template:metadata:labels:app: service1spec:containers:- image: xxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/service1:latestname: service1resources:requests:memory: 2Gicpu: 2limits:memory: 2Gicpu: 2# 准备检查通过则接入流量readinessProbe:httpGet:path: /foo/actuator/healthport: 8080# 活力检查不通过时重启容器livenessProbe:httpGet:path: /foo/actuator/healthport: 8080
---
apiVersion: v1
kind: Service
metadata:labels:app: service1name: service1
spec:ports:- name: httpport: 4200targetPort: 4200selector:app: service1type: ClusterIP
service2
按之前service1方式获得如下内容
service2.yaml
apiVersion: apps/v1
kind: Deployment
metadata:labels:app: service2name: service2
spec:replicas: 2selector:matchLabels:app: service2template:metadata:labels:app: service2spec:containers:- image: xxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/service2:latestname: service2resources:requests:memory: 2Gicpu: 2limits:memory: 2Gicpu: 2# 准备检查通过则接入流量readinessProbe:httpGet:path: /bar/actuator/healthport: 8080# 活力检查不通过时重启容器livenessProbe:httpGet:path: /bar/actuator/healthport: 8080
---
apiVersion: v1
kind: Service
metadata:labels:app: service2name: service2
spec:ports:- name: httpport: 8080targetPort: 8080selector:app: service2type: ClusterIP
ingress
使用kubectl命令获得ingress基本配置如下命令
kubectl create ingress ingress --rule/pathservice1:8080 -o yaml --dry-runclient k8s/ingress.yaml根据自己的需求调整后的内容如下
ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:name: ingress
spec:rules:- http:paths:- backend:service:name: service1port:number: 4200path: /foopathType: Prefix- backend:service:name: service2port:number: 8080path: /barpathType: Prefix这里有个问题由于我现在使用的aws云所以这k8s ingress在aws云环境下面需要针对这种情况调整aws云相关配置。
AWS EKS配置AWS Load Balancer Controller
为集群创建 IAM OIDC 提供商
找到现有集群的OpenID Connect 提供商 URL值点击copy如下图 然后回到IAM主页为集群创建 IAM OIDC 提供商具体如下 创建提供商如下图
AWS Load Balancer Controller 部署到EKS
创建AWSLoadBalancerControllerIAMPolicy策略
我这里用到aws云区是普通云区所以这里使用的aws-load-balancer-controller的策略脚本如下 https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json 下载命令如下
curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json新建一个策略
aws iam create-policy \--policy-name AWSLoadBalancerControllerIAMPolicy \--policy-document file://iam-policy.json创建一个ServiceAccount给k8s
eksctl create iamserviceaccount \
--clustercluster-name \
--namespacekube-system \
--nameaws-load-balancer-controller \
--attach-policy-arnarn:aws:iam::AWS_ACCOUNT_ID:policy/AWSLoadBalancerControllerIAMPolicy \
--override-existing-serviceaccounts \
--region region-code \
--approve这里用到eksctl命令给k8s集群创建一个ServiceAccount服务账号aws-load-balancer-controller并使用上面之前创建的权限策略。怎么安装eksctl命令可以看看官网这里就不提了。
helm安装aws-load-balancer-controller
这里假设我们已经会使用k8s集群的包管理器helm了。 添加EKS资源库到helm如下命令
helm repo add eks https://aws.github.io/eks-charts更新本地资源库如下命令
helm repo update eks安装aws-load-balancer-controller如下命令
helm install aws-load-balancer-controller eks/aws-load-balancer-controller --set clusterNamemy-cluster -n kube-system --set serviceAccount.createfalse --set serviceAccount.nameaws-load-balancer-controller等待一段时间出现如下反馈说明aws-load-balancer-controller安装成功
NAME: aws-load-balancer-controller
LAST DEPLOYED: Thu Mar 7 15:11:01 2024
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
AWS Load Balancer controller installed!如果出现如下错误 Error: INSTALLATION FAILED: cannot re-use a name that is still in use 说明需要先卸载再安装具体命令如下
helm delete aws-load-balancer-controller -n kube-system检查k8s集群中aws-load-balancer-controller是否安装成功具体命令如下
kubectl get deployment -n kube-system aws-load-balancer-controller安装成功示例如下
NAME READY UP-TO-DATE AVAILABLE AGE
aws-load-balancer-controller 2/2 2 2 10m调整ingress配置
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:name: ingressannotations:# alb名称alb.ingress.kubernetes.io/load-balancer-name: apg2# 内网alb.ingress.kubernetes.io/scheme: internal# 流量路由到pod层面alb.ingress.kubernetes.io/target-type: ip
spec:# 使用alb作为ingress默认类ingressClassName: albrules:- http:paths:- backend:service:name: service1port:number: 4200path: /foopathType: Prefix- backend:service:name: service2port:number: 8080path: /barpathType: Prefix调整service配置
除了再ingress里面添加lbc注解之外还需要再service中添加健康检查的lbc注解 annotations:alb.ingress.kubernetes.io/healthcheck-path: /api/demo/actuator/healthservice1.yaml
apiVersion: apps/v1
kind: Deployment
metadata:labels:app: service1name: service1
spec:replicas: 2selector:matchLabels:app: service1template:metadata:labels:app: service1spec:containers:- image: xxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/service1:latestname: service1resources:requests:memory: 2Gicpu: 2limits:memory: 2Gicpu: 2# 准备检查通过则接入流量readinessProbe:httpGet:path: /foo/actuator/healthport: 8080# 活力检查不通过时重启容器livenessProbe:httpGet:path: /foo/actuator/healthport: 8080
---
apiVersion: v1
kind: Service
metadata:labels:app: service1name: service1annotations:# aws目标组健康检查alb.ingress.kubernetes.io/healthcheck-path: /for/actuator/health
spec:ports:- name: httpport: 4200targetPort: 4200selector:app: service1type: ClusterIP
service2.yaml
apiVersion: apps/v1
kind: Deployment
metadata:labels:app: service2name: service2
spec:replicas: 2selector:matchLabels:app: service2template:metadata:labels:app: service2spec:containers:- image: xxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/service2:latestname: service2resources:requests:memory: 2Gicpu: 2limits:memory: 2Gicpu: 2# 准备检查通过则接入流量readinessProbe:httpGet:path: /bar/actuator/healthport: 8080# 活力检查不通过时重启容器livenessProbe:httpGet:path: /bar/actuator/healthport: 8080
---
apiVersion: v1
kind: Service
metadata:labels:app: service2name: service2annotations:# aws目标组健康检查alb.ingress.kubernetes.io/healthcheck-path: /bar/actuator/health
spec:ports:- name: httpport: 8080targetPort: 8080selector:app: service2type: ClusterIP
部署
kubectl apply -f ./k8s清除资源
kubectl delete -f ./k8s总结
AWS Load Balancer Controller没有重写路径功能注意安全。这里只介绍的主要是EKS创建ALB在私有VPC内部访问。这里没有介绍CDN套在API接口外面的情况一般来说预算足够的情况下面都会在API接口外面套一层CDN服务。需要注意的是AWS CloudFrontCDN服务只支持公网的LB。不知道什么原因维护AWS Load Balancer ControllerLBC团队的人死活不肯提供重写路径功能。这里还没有服务监控有机会再介绍介绍吧 下面是公有ingress创建ALB的配置
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:name: ingressannotations:# alb名称alb.ingress.kubernetes.io/load-balancer-name: apg2# 只让cdnCloudFront访问负载均衡器alb.ingress.kubernetes.io/security-groups: cloudfront-only# pod和node安全组自动生成alb.ingress.kubernetes.io/manage-backend-security-group-rules: true# 公网alb.ingress.kubernetes.io/scheme: internet-facing# 流量路由到pod层面alb.ingress.kubernetes.io/target-type: ip
spec:# 使用alb作为ingress默认类ingressClassName: albrules:- http:paths:- backend:service:name: service1port:number: 4200path: /foopathType: Prefix- backend:service:name: service2port:number: 8080path: /barpathType: Prefix就这样吧ingress用http端口然后限制只有cdn节点才能访问这样公网alb就相对安全了一些。加上前面有cdn的话基本上没人知道真实的alb地址。
参考
IngressDeploy a Spring Boot application on a multi-architecture Amazon EKS clusterSpring on KubernetesSpring Boot KubernetesAmazon EKS 上的应用程序负载均衡安装AWS Load Balancer Controller安装 AWS Load Balancer Controller 附加组件Security Groups for Load Balancers
