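1. Create a Namespace for the K8S Project
1.1 Create the Namespace in KubeSphere
After logging in to KubeSphere, go to the Projects entry in the left-hand menu and choose Create to add a new project (in other words, a namespace). Here we name it wanna-project.
Note: in K8S, all resources are isolated at the namespace level.
1.2 Create the Namespace with a command or YAML
You can create the Namespace with the following command:
kubectl create namespace wanna-project
Alternatively, use the resource manifest below and apply it with kubectl apply -f namespace.yaml to create the resource.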
#
apiVersion: v1
kind: Namespace
metadata:
  name: wanna-project # replace with the Namespace name you need
  labels:
    environment: production # optional, adds some identifying information
Once it is created, run kubectl get namespaces to list the namespaces that already exist in the current K8S cluster.
root@node1:~/yaml# kubectl get namespaces
NAME STATUS AGE
default Active 21d
ingress-nginx Active 16d
kube-node-lease Active 21d
kube-public Active 21d
kube-system Active 21d
kubekey-system Active 21d
kubesphere-system Active 21d
wanna-project Active 20d
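2. Create the Image Registry Configuration as a Secret
2.1 Add the image registry in KubeSphere under "Configuration - Secrets"
Once the project exists, create a Secret and add the Harbor registry address to it. On the Secrets page, give the registry entry a name, for example wanna-project-habor, and select the namespace (project) created above. Note that it must be the same namespace!
The next page asks for the Harbor server address and the username and password used for authorization.
Note that entering an HTTP address or an IP address as the server address both appear to cause problems. Enter Harbor's HTTPS address here; if Harbor has no HTTPS yet, set up SSL on the server first, otherwise every attempt to pull an image will keep failing.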
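What a registry entry like the one above holds, as an added example (not from the original page): a function that renders a Secret of type kubernetes.io/dockerconfigjson, the type Kubernetes uses for registry credentials, and refuses a plain-HTTP server address. The user name and password are constructed placeholders; wanna1314y.top:1443 is the Harbor address that appears in this page's image references.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. User name and password are constructed.

b64() { base64 | tr -d '\n'; }                        # single-line base64
json_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# make_pull_secret NAME NAMESPACE SERVER USER PASSWORD  -> Secret manifest on stdout
make_pull_secret() {
  local name=$1 ns=$2 server=$3 user pass auth cfg
  # The page notes that pulls only succeed against an HTTPS address; reject HTTP early.
  case $server in
    http://*) echo "refusing plain-HTTP registry address: $server" >&2; return 1 ;;
  esac
  auth=$(printf '%s:%s' "$4" "$5" | b64)              # "user:password", base64 only
  user=$(json_escape "$4")
  pass=$(json_escape "$5")
  cfg=$(printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
        "$server" "$user" "$pass" "$auth")
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns   # must be the namespace of the workload that pulls the image
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(printf '%s' "$cfg" | b64)
EOF
}

# Render the manifest; pipe it to `kubectl apply -f -` to create the Secret.
make_pull_secret wanna-project-habor wanna-project wanna1314y.top:1443 \
  robot-puller 'constructed-password'
```

The credential is only base64-encoded, so anyone who can read Secrets in wanna-project can recover it; a pull-only Harbor robot account limits what that exposes.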
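3. Deploy the Project with KubeSphere and Allow External Access
3.1 Create a K8S workload in KubeSphere to deploy Pods (containers)
After the Harbor registry has been configured in the Secret, create a workload (Deployment) in KubeSphere to publish and run the container.
First, give the workload a name. Note that the project (namespace) must be the same project specified above, "wanna-project".
The next step opens the page below, where you choose the runtime configuration: first select the Harbor registry address, pick a suitable image from the Harbor registry, for example "library/nginx:latest", select the port the container runs on, and continue to the next step.
For the port, you can use the image's default port.
Note: if the wrong project namespace is selected, the newly created Harbor registry address does not appear here; you must select the namespace (project) that was specified when the Harbor registry was created.
The next two items ("Storage Settings" and "Advanced Settings") need no configuration for now, so continue to the next step.
Next, select the workload just created to reach the page below; the container is deployed from the image pulled from the Harbor registry.
The final result is shown below, indicating that the container has been deployed. (If something goes wrong during deployment, the likely cause is shown under "Events"; the most common cause is a failed image pull.)
3.2 Create a K8S Service that exposes the Pod's port via NodePort for external access
To make the container reachable from outside, create a Service. We name it nginx-service and again select the namespace (project) created earlier.
Then, under "Service Settings", bind the workload to the nginx workload just created, select the port the container is bound to, and continue to the next step.
Then, under "Advanced Settings", enable "External Access" and set the access mode to NodePort, that is, a virtual node is created and the port is exposed to the outside through that node.
The Services page now lists the service just created, with port 31123; it can be reached through a node IP plus that port.
For example, accessing it via Node2's IP plus the port shows the page below. At this point our Nginx deployment is complete.
By default, the NodePort port is assigned at random from the range 30000-33767; it can also be changed through the YAML configuration.
The KubeSphere page does not by default offer a way to specify the NodePort port, but it can be done by editing the YAML of our own Service.
Open the YAML configuration page shown below; the part to change is nodePort, which is the port exposed externally on the Node.
After changing nodePort (from 31000 to 32000), the service home page shows that the port has been updated, and the service is reachable on port 32000. In other words, a change to nodePort takes effect immediately; it supports dynamic hot configuration.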
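3.3 Install the Ingress gateway to handle traffic for Services
(1) Install Ingress from YAML
Ingress can be installed by applying the resource manifest with the command below, but the image download often fails.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/cloud/deploy.yaml
The reason is that the manifest pulls from registry.k8s.io, which may be unreachable because of restrictions on external network access; for example, registry.k8s.io/ingress-nginx/kube-webhook-certgen cannot be pulled.
In that case, download the https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/cloud/deploy.yaml configuration file and replace the image registry in it before Ingress can be installed successfully.
Here, for example, we switch to the local Harbor image registry.
image: wanna1314y.top:1443/library/kube-webhook-certgen:latest
Following the Nginx service built above, we build a new Halo service. The demonstration below uses halo-service; for any other service the overall creation process is exactly the same.
We generate a full-ingress.yaml configuration file, which can follow the configuration below, and install Ingress by applying the K8S YAML resource manifest with kubectl apply -f full-ingress.yaml.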
apiVersion: v1
kind: Namespace
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  name: ingress-nginx
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.12.0-beta.0
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.12.0-beta.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.12.0-beta.0
  name: ingress-nginx
  namespace: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  - secrets
  - endpoints
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - coordination.k8s.io
  resourceNames:
  - ingress-nginx-leader
  resources:
  - leases
  verbs:
  - get
  - update
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - list
  - watch
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.12.0-beta.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.12.0-beta.0
  name: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - nodes
  - pods
  - secrets
  - namespaces
  verbs:
  - list
  - watch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - list
  - watch
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.12.0-beta.0
  name: ingress-nginx-admission
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.12.0-beta.0
  name: ingress-nginx
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
- kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.12.0-beta.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.12.0-beta.0
  name: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
- kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.12.0-beta.0
  name: ingress-nginx-admission
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: v1
data: null
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.12.0-beta.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.12.0-beta.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  externalTrafficPolicy: Local
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - appProtocol: http
    name: http
    port: 80
    protocol: TCP
    targetPort: http
  - appProtocol: https
    name: https
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: LoadBalancer
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.12.0-beta.0
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
spec:
  ports:
  - appProtocol: https
    name: https-webhook
    port: 443
    targetPort: webhook
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.12.0-beta.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  minReadySeconds: 0
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/name: ingress-nginx
  strategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.12.0-beta.0
    spec:
      containers:
      - args:
        - /nginx-ingress-controller
        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
        - --election-id=ingress-nginx-leader
        - --controller-class=k8s.io/ingress-nginx
        - --ingress-class=nginx
        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LD_PRELOAD
          value: /usr/local/lib/libmimalloc.so
        image: wanna1314y.top:1443/library/nginx-ingress-controller:latest
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
            exec:
              command:
              - /wait-shutdown
        livenessProbe:
          failureThreshold: 5
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: controller
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
        - containerPort: 443
          name: https
          protocol: TCP
        - containerPort: 8443
          name: webhook
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          requests:
            cpu: 100m
            memory: 90Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
          readOnlyRootFilesystem: false
          runAsGroup: 82
          runAsNonRoot: true
          runAsUser: 101
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /usr/local/certificates/
          name: webhook-cert
          readOnly: true
      dnsPolicy: ClusterFirst
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
      - name: webhook-cert
        secret:
          secretName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.12.0-beta.0
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.12.0-beta.0
      name: ingress-nginx-admission-create
    spec:
      containers:
      - args:
        - create
        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
        - --namespace=$(POD_NAMESPACE)
        - --secret-name=ingress-nginx-admission
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: wanna1314y.top:1443/library/kube-webhook-certgen:latest
        imagePullPolicy: IfNotPresent
        name: create
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
            type: RuntimeDefault
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.12.0-beta.0
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.12.0-beta.0
      name: ingress-nginx-admission-patch
    spec:
      containers:
      - args:
        - patch
        - --webhook-name=ingress-nginx-admission
        - --namespace=$(POD_NAMESPACE)
        - --patch-mutating=false
        - --secret-name=ingress-nginx-admission
        - --patch-failure-policy=Fail
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: wanna1314y.top:1443/library/kube-webhook-certgen:latest
        imagePullPolicy: IfNotPresent
        name: patch
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
          seccompProfile:
            type: RuntimeDefault
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.12.0-beta.0
  name: nginx
spec:
  controller: k8s.io/ingress-nginx
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.12.0-beta.0
  name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: ingress-nginx-controller-admission
      namespace: ingress-nginx
      path: /networking/v1/ingresses
      port: 443
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: validate.nginx.ingress.kubernetes.io
  rules:
  - apiGroups:
    - networking.k8s.io
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - ingresses
  sideEffects: None
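A check for the image references in a manifest such as full-ingress.yaml, added here as an example (not from the original page or the ingress-nginx project): it reports whether each image comes from the expected registry and whether it is pinned by digest or only by a tag such as :latest, which the registry can later point at different content. ALLOWED_REGISTRY, the function names, and the sample v0.0.0 tag and digests are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. ALLOWED_REGISTRY defaults to the Harbor address used on this page.
ALLOWED_REGISTRY=${ALLOWED_REGISTRY:-wanna1314y.top:1443}

# Constructed sample: three image lines in the shapes a manifest can contain.
sample_manifest() {
  cat <<'EOF'
        image: wanna1314y.top:1443/library/kube-webhook-certgen:latest
        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v0.0.0@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
      - image: "wanna1314y.top:1443/library/nginx-ingress-controller@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
EOF
}

# audit_images [FILE]  -> one line per image: "<origin> <pin> <image>"
#   origin: allowed = served from ALLOWED_REGISTRY, foreign = anywhere else
#   pin:    pinned  = referenced by @sha256 digest, mutable = tag only or no tag
# Reads stdin when FILE is omitted.
audit_images() {
  awk -v reg="$ALLOWED_REGISTRY" '
    /^[ \t]*(-[ \t]+)?image:[ \t]/ {
      for (i = 1; i <= NF; i++) if ($i == "image:") { img = $(i + 1); break }
      gsub(/"/, "", img)                       # tolerate quoted values
      origin = (index(img, reg "/") == 1) ? "allowed" : "foreign"
      pin    = (img ~ /@sha256:[0-9a-f]+$/)   ? "pinned"  : "mutable"
      print origin, pin, img
    }' "${1:--}"
}

# check_images [FILE]  -> exit status 0 only if every image is allowed AND pinned.
check_images() {
  ! audit_images "${1:--}" | grep -Eq '^(foreign|allowed mutable)'
}

# Demo on the constructed sample; for a real file: check_images full-ingress.yaml
sample_manifest | audit_images
```

Run against the manifest above, every image line is reported as `allowed mutable`, because the three references use the :latest tag.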
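(2) Create the IngressClass resource
We define the resource manifest ingress-class.yaml below. The IngressClass resource is cluster-scoped in K8S and is not tied to a namespace, so the metadata.namespace parameter does not need to be specified.
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: nginx
spec:
  controller: k8s.io/ingress-nginx
Create the IngressClass resource with kubectl apply -f ingress-class.yaml.
(3) Configure Ingress path mapping
Using a K8S YAML resource manifest, we create an Ingress routing rule with IngressClass set to nginx, mapping how each domain and the paths under it are routed, and apply it with kubectl apply -f ingress-config.yaml so that the configuration takes effect.
In the manifest below, all requests are sent to the Service halo-service.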
# ingress-config.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wanna-project-nginx-ingress
  namespace: wanna-project
spec:
  ingressClassName: nginx
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: halo-service # name of the Service to route to
            port:
              number: 8090 # the port exposed by the Service, not the NodePort port
The configuration below restricts the mapping by domain name: for example, when only wanna1314y.top is allowed, requests to the service made any other way, such as by IP, do not get through.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wanna-project-nginx-ingress
  namespace: wanna-project
spec:
  ingressClassName: nginx
  rules:
  - host: wanna1314y.top # requests are handed to the Service below only when this domain is used
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: halo-service # name of the Service to route to
            port:
              number: 8090 # the port exposed by the Service, not the NodePort port
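In KubeSphere, check the port the Ingress Service is running on; here it runs on port 31888. (The port can be changed.)
Then access port 31888 on the host, and the Halo home page loads. Before accessing it, make sure the firewall has this port open.
(4) Why Ingress exists
The Ingress deployment is essentially also a Deployment + Service architecture, and the Ingress Service also exposes its port via NodePort. But the Halo Service and Nginx Service deployed earlier can expose their ports via NodePort too, so why is Ingress needed?
The reason is that the HaloService and NginxService deployed here really correspond to multiple microservices in a microservice architecture, and the best practice is for multiple microservices to expose their interfaces to the outside through a single Gateway (for example SpringCloudGateway).
- In a traditional microservice architecture, SpringCloudGateway acts as the gateway. Eureka, Zookeeper, Nacos and the like serve as the registry and provide service discovery, and the gateway uses the registry to route and load-balance by service name.
- In a K8S architecture, Ingress takes on this gateway role. Ingress performs service discovery based on Services: it sends requests to a Service, and the Service dispatches them to specific Pods, which achieves load balancing.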