ingress-nginx: exposing a TCP port

Source: 11-1 Ingress --- layer-4 proxying, session persistence, custom configuration, traffic control (part 1)

pythonhello

2021-06-23

Hello teacher, `kubectl get cm -n ingress-nginx` shows no tcp-services ConfigMap by default. After creating tcp-ingress.yaml,
port 30000 cannot be exposed. On the node, `curl 10.233.12.15` works fine, and k8s-web-demo and myapp, which use ingress-nginx, are also reachable.

[root@node-1-1 ~]# kubectl get svc
NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
k8s-web-demo   ClusterIP   10.233.43.187   <none>        80/TCP         9d
kubernetes     ClusterIP   10.233.0.1      <none>        443/TCP        26d
myapp          ClusterIP   10.233.12.15    <none>        80/TCP         19d
nginx-ds       NodePort    10.233.94.84    <none>        80:30712/TCP   22d

tcp-ingress.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services
  namespace: ingress-nginx
data:
  "30000": default/myapp:80

ingress-nginx-controller.yaml

apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/version: 0.46.0
    helm.sh/chart: ingress-nginx-3.30.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/name: ingress-nginx
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
    spec:
      containers:
      - args:
        - /nginx-ingress-controller
        - --election-id=ingress-controller-leader
        - --ingress-class=nginx
        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: LD_PRELOAD
          value: /usr/local/lib/libmimalloc.so
        image: registry.cn-hangzhou.aliyuncs.com/acs/aliyun-ingress-controller:v0.44.0.3-8e83e7dc6-aliyun
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
            exec:
              command:
              - /wait-shutdown
        livenessProbe:
          failureThreshold: 5
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: controller
        ports:
        - containerPort: 80
          hostPort: 80
          name: http
          protocol: TCP
        - containerPort: 443
          hostPort: 443
          name: https
          protocol: TCP
        - containerPort: 8443
          hostPort: 8443
          name: webhook
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          requests:
            cpu: 100m
            memory: 90Mi
        securityContext:
          allowPrivilegeEscalation: true
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
          runAsUser: 101
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /usr/local/certificates/
          name: webhook-cert
          readOnly: true
      dnsPolicy: ClusterFirst
      hostNetwork: true
      nodeSelector:
        app: ingress
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: ingress-nginx
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
      - name: webhook-cert
        secret:
          defaultMode: 420
          secretName: ingress-nginx-admission

2 answers

快乐源泉

2022-02-05

The args in the DaemonSet YAML need an additional entry:

- --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services

Then apply it.

The official documentation states that --tcp-services-configmap must be configured:

https://kubernetes.github.io/ingress-nginx/user-guide/exposing-tcp-udp-services/

Ingress does not support TCP or UDP services. For this reason this Ingress controller uses the flags --tcp-services-configmap and --udp-services-configmap to point to an existing config map where the key is the external port to use and the value indicates the service to expose using the format: <namespace/service name>:<service port>:[PROXY]:[PROXY]



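To make the fix above checkable before applying it, here is a small lint script (an added example, not code from the course or from the ingress-nginx project) that takes the tcp-services ConfigMap and the controller's args from the question, validates each ConfigMap value against the documented `<namespace/service name>:<service port>:[PROXY]:[PROXY]` format, warns when the external port collides with a port the hostNetwork controller already binds (80, 443, 8443 and the 10254 health port from the DaemonSet; that set is an assumption taken from the manifest), and reports the missing `--tcp-services-configmap` flag. The manifests are embedded as constructed strings so the script runs offline; the function and variable names are the example's own.

```python
import re

# Constructed sample input: the tcp-services ConfigMap from the question.
TCP_SERVICES_CM = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services
  namespace: ingress-nginx
data:
  "30000": default/myapp:80
"""

# Constructed sample input: the controller args from the question's DaemonSet
# (the TCP flag is not yet present).
CONTROLLER_ARGS = [
    "/nginx-ingress-controller",
    "--election-id=ingress-controller-leader",
    "--ingress-class=nginx",
    "--configmap=$(POD_NAMESPACE)/ingress-nginx-controller",
    "--validating-webhook=:8443",
    "--validating-webhook-certificate=/usr/local/certificates/cert",
    "--validating-webhook-key=/usr/local/certificates/key",
]

# Assumption from the DaemonSet: with hostNetwork: true the controller already binds
# hostPort 80/443/8443 and the 10254 health port, so a TCP entry must not reuse them.
CONTROLLER_HOST_PORTS = {80, 443, 8443, 10254}

TCP_FLAG = "--tcp-services-configmap"

# Documented value format: <namespace/service name>:<service port>:[PROXY]:[PROXY]
ENTRY_RE = re.compile(
    r"^(?P<ns>[a-z0-9]([-a-z0-9]*[a-z0-9])?)/"
    r"(?P<svc>[a-z0-9]([-a-z0-9]*[a-z0-9])?):"
    r"(?P<port>[A-Za-z0-9-]+)"
    r"(?::(?P<pin>PROXY)?)?"
    r"(?::(?P<pout>PROXY)?)?$"
)


def parse_data_block(yaml_text):
    """Extract the flat `data:` mapping of a ConfigMap manifest without PyYAML.

    Only the one-line `key: value` form used by tcp-services is handled; keys may be quoted
    (ConfigMap keys must be strings, which is why the port is written as "30000").
    """
    data, in_data = {}, False
    for line in yaml_text.splitlines():
        if line.strip() == "data:":
            in_data = True
            continue
        if in_data:
            m = re.match(r'^\s+"?([^":\s]+)"?\s*:\s*(\S+)\s*$', line)
            if not m:
                in_data = False  # left the data block
                continue
            data[m.group(1)] = m.group(2)
    return data


def parse_entry(value):
    """Validate one tcp-services value and split it into its parts."""
    m = ENTRY_RE.match(value)
    if not m:
        raise ValueError(
            f"bad tcp-services value {value!r}; expected <namespace/service>:<port>[:PROXY][:PROXY]"
        )
    return {
        "namespace": m.group("ns"),
        "service": m.group("svc"),
        "port": m.group("port"),
        "proxy_in": m.group("pin") == "PROXY",
        "proxy_out": m.group("pout") == "PROXY",
    }


def missing_controller_flags(args, cm_name="tcp-services"):
    """Return the args that must be added so the controller reads the ConfigMap."""
    if any(a == TCP_FLAG or a.startswith(TCP_FLAG + "=") for a in args):
        return []
    return [f"{TCP_FLAG}=$(POD_NAMESPACE)/{cm_name}"]


def lint(cm_yaml, args):
    """Run all checks; an empty list means the ConfigMap and args are consistent."""
    findings = []
    entries = parse_data_block(cm_yaml)
    if not entries:
        findings.append("ConfigMap has no data: entries")
    for key, value in entries.items():
        if not key.isdigit() or not 1 <= int(key) <= 65535:
            findings.append(f"key {key!r} is not a valid external port")
            continue
        if int(key) in CONTROLLER_HOST_PORTS:
            findings.append(f"port {key} collides with a port the controller already binds on the host")
        try:
            parse_entry(value)
        except ValueError as exc:
            findings.append(str(exc))
    for flag in missing_controller_flags(args):
        findings.append(f"controller args lack {TCP_FLAG}; add: - {flag}")
    return findings


if __name__ == "__main__":
    for finding in lint(TCP_SERVICES_CM, CONTROLLER_ARGS):
        print("FINDING:", finding)
    fixed_args = CONTROLLER_ARGS + missing_controller_flags(CONTROLLER_ARGS)
    print("after adding the flag:", lint(TCP_SERVICES_CM, fixed_args))
```

Run against the question's manifests the only finding is the missing flag; after adding `--tcp-services-configmap=$(POD_NAMESPACE)/tcp-services` the lint is clean. Because the controller runs with hostNetwork: true, the nginx process then listens on 30000 directly on the host of every node matching the `app: ingress` nodeSelector, which is why no hostPort or NodePort entry is needed for it.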

刘果国

2021-06-30

First, this port is not like a NodePort: it is only exposed on the ingress-nginx nodes. Also, confirm whether the ConfigMap was applied successfully. Judging from the official documentation, this kind of configuration is fine; you can compare the details or just follow the official steps directly: https://kubernetes.github.io/ingress-nginx/user-guide/exposing-tcp-udp-services/


Kubernetes in Production: End-to-End Practice

The whole story of adopting Kubernetes at an internet company