[TOC]

# Environment

| Kubernetes version | nginx-ingress-controller version | Ports used |
|--------------------|----------------------------------|---------------|
| 1.18.18            | 0.45.0                           | 80, 443, 8443 |

> **Official note:**
> ![](../images/Snipaste_2021-09-10_15-41-36.png)

# Download the required YAML file

```shell
mkdir -p ~/ingress/nginx
curl -o ~/ingress/nginx/deploy.yaml https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.45.0/deploy/static/provider/baremetal/deploy.yaml
```

# Modify the configuration file

Change the original NodePort Service to ClusterIP:

```shell
# In the ingress-nginx-controller Service, under svc.spec, comment out type: NodePort
spec:
  # type: NodePort
  type: ClusterIP
```

Expose the container ports on the host by running the pod in the host network namespace:

```shell
# In the ingress-nginx-controller Deployment, add hostNetwork: true under deploy.spec.template.spec
spec:
  hostNetwork: true
```

Change the DNS policy so the pod still resolves cluster-internal names while on the host network:

```shell
# In the ingress-nginx-controller Deployment, change dnsPolicy under deploy.spec.template.spec
spec:
  dnsPolicy: ClusterFirstWithHostNet
```

Change the path the controller image is pulled from:

```shell
# In the ingress-nginx-controller Deployment, change the image field under deploy.spec.template.spec.containers
containers:
- name: controller
  image: jiaxzeng/nginx-ingress-controller:v0.45.0
```

Tolerate the master taint:

```shell
# In the ingress-nginx-controller Deployment, add the following field under deployment.spec.template.spec
tolerations:
- key: node-role.kubernetes.io/master
  operator: Equal
  value: ""
  effect: NoSchedule
```

Schedule the pod onto specific nodes:

```shell
# Label the nodes
kubectl label node 192.168.31.103 node-role.kubernetes.io/ingress=""
kubectl label node 192.168.31.79 node-role.kubernetes.io/ingress=""

# In the ingress-nginx-controller Deployment, change nodeSelector under deploy.spec.template.spec
nodeSelector:
  node-role.kubernetes.io/ingress: ""
```

> Note: the manifest already contains a `nodeSelector` entry; just modify it.

# Start the service

```shell
$ kubectl apply -f deploy.yaml
namespace/ingress-nginx created
serviceaccount/ingress-nginx created
configmap/ingress-nginx-controller created
clusterrole.rbac.authorization.k8s.io/ingress-nginx created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx created
role.rbac.authorization.k8s.io/ingress-nginx created
rolebinding.rbac.authorization.k8s.io/ingress-nginx created
service/ingress-nginx-controller-admission created
service/ingress-nginx-controller created
deployment.apps/ingress-nginx-controller created
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission created
serviceaccount/ingress-nginx-admission created
clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
role.rbac.authorization.k8s.io/ingress-nginx-admission created
rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
job.batch/ingress-nginx-admission-create created
job.batch/ingress-nginx-admission-patch created

$ kubectl -n ingress-nginx get pod -owide
NAME                                        READY   STATUS      RESTARTS   AGE   IP               NODE             NOMINATED NODE   READINESS GATES
ingress-nginx-admission-create-tm6hb        0/1     Completed   0          21s   20.0.85.198      192.168.31.95    <none>           <none>
ingress-nginx-admission-patch-64bgc         0/1     Completed   1          21s   20.0.32.136      192.168.31.103   <none>           <none>
ingress-nginx-controller-656cf6c7fd-lw9dx   1/1     Running     0          21s   192.168.31.253   192.168.31.253   <none>           <none>
```

# Additional iptables rules

```shell
iptables -t filter -I INPUT -p tcp -m multiport --dport 80,443,8443 -m comment --comment "nginx ingress controller ports" -j ACCEPT
iptables -t filter -I INPUT -p tcp --source 192.168.31.0/24 --dport 10254 -m comment --comment "nginx ingress metrics ports" -j ACCEPT
```

> If `nginx-ingress` is being monitored, port `10254` also needs to be opened.
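
A pre-apply check for the manifest edits described above (ClusterIP, hostNetwork, dnsPolicy, image, toleration, nodeSelector), added here as an example and not part of the original page or the ingress-nginx project. The helper names `section`, `check_manifest` and `sample_manifest` are hypothetical, and the embedded manifest is a constructed, trimmed sample rather than the real `deploy.yaml`.

```shell
# Added example (not from the page): line matching, not a YAML parser. Assumes
# metadata.name precedes spec in each document, as in the constructed sample.
section() {  # usage: section FILE KIND NAME -> prints that YAML document's lines
  awk -v K="$2" -v N="$3" '
    /^---/      { kind = ""; name = ""; next }
    /^kind: /   { kind = $2 }
    /^  name: / { if (name == "") name = $2 }
    kind == K && name == N { print }' "$1"
}

check_manifest() {  # usage: check_manifest FILE -> 0 only if every edit is present
  svc=$(section "$1" Service ingress-nginx-controller); rc=0
  dep=$(section "$1" Deployment ingress-nginx-controller)
  need() { printf '%s\n' "$2" | grep -Eq -- "$3" || { echo "MISSING: $1"; rc=1; }; }
  need 'Service type ClusterIP'     "$svc" '^ +type: ClusterIP$'
  need 'hostNetwork: true'          "$dep" '^ +hostNetwork: true$'
  need 'dnsPolicy for host network' "$dep" '^ +dnsPolicy: ClusterFirstWithHostNet$'
  need 'nodeSelector ingress label' "$dep" '^ +node-role\.kubernetes\.io/ingress: ""$'
  need 'master taint toleration'    "$dep" 'key: node-role\.kubernetes\.io/master$'
  need 'controller image v0.45.0'   "$dep" 'image: .*nginx-ingress-controller:v0\.45\.0$'
  if printf '%s\n' "$svc" | grep -Eq '^ +type: NodePort$'; then echo 'STILL ACTIVE: type: NodePort'; rc=1; fi
  return "$rc"
}

sample_manifest() {  # constructed, trimmed sample of an edited deploy.yaml
  cat <<'EOF'
kind: Service
metadata:
  name: ingress-nginx-controller
spec:
  # type: NodePort
  type: ClusterIP
---
kind: Deployment
metadata:
  name: ingress-nginx-controller
spec:
  template:
    spec:
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      nodeSelector:
        node-role.kubernetes.io/ingress: ""
      tolerations:
      - key: node-role.kubernetes.io/master
      containers:
      - image: jiaxzeng/nginx-ingress-controller:v0.45.0
EOF
}
```

Run `check_manifest` on the downloaded manifest before `kubectl apply`; a non-zero return means at least one edit is missing or the NodePort line is still active.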