kubernetes安装ingress-nginx


2023年6月30日发(作者:)

1、修改apiserver参数

# 在apiserver启动时添加MutatingAdmissionWebhook、ValidatingAdmissionWebhook参数
- --enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota,MutatingAdmissionWebhook,ValidatingAdmissionWebhook

注意:如果不加这二个参数,在后续创建自定义的ingress会有如下报错

Error from server (InternalError): error when creating "<yaml文件名>": Internal error occurred: failed calling webhook "<webhook名称>": the server rejected our request for an unknown reason

2、修改镜像地址

# controller镜像对应地址(仓库域名在原文中缺失,以 <原仓库>、<镜像仓库> 代替)
image: <原仓库>/ingress-nginx/controller:v1.0.0 -> <镜像仓库>/google_containers/nginx-ingress-controller:v1.1.0
image: <原仓库>/ingress-nginx/kube-webhook-certgen:v1.0 -> <镜像仓库>/google_containers/kube-webhook-certgen:v1.0

docker pull <镜像仓库>/google_containers/nginx-ingress-controller:v1.1.0
docker pull <镜像仓库>/google_containers/kube-webhook-certgen:v1.0

3、修改yaml文件

# 修改点如下
1:<原仓库>/ingress-nginx/controller:v1.0.0@sha256:0851b34f69f69352bf168e6ccf30e1e20714a264ab1ecd1933e4d8c0fc3215c6 改为:<替换后的镜像地址,原文缺失>
2:<原仓库>/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068 改为:<替换后的镜像地址,原文仅残留"-hangzho">

注意:官方yaml中的镜像带有 @sha256 摘要,替换为镜像仓库的 tag 之后,镜像内容不再由摘要锁定。拉取后建议用 docker images --digests 核对摘要,并在yaml中继续按摘要(image@sha256:…)引用替换后的镜像。

3:Deployment修改点
 template:

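# Fragment: the keys below sit under spec.template of the
# ingress-nginx-controller Deployment. They are the article's changes
# to the official manifest.
# NOTE(review): the page lost the domain prefix of the label and
# toleration keys ("/name", "/master"); the well-known keys are
# restored here. Confirm them against the manifest you deploy.
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
spec:
  # Author's note: can use both the host's DNS and the cluster DNS.
  dnsPolicy: ClusterFirstWithHostNet
  # Author's note: share the host's network.
  # Security: with hostNetwork the pod runs in the node's network
  # namespace. nginx listens on the node's own ports, and the
  # container can reach anything bound to the node's loopback.
  # Here that node is a master.
  hostNetwork: true
  # Author's note: run only on one master node. The original comment
  # names it k8s-master-1, while the value used is master01.
  nodeName: master01
  # Author's note: tolerate the master taint.
  # NOTE(review): newer clusters taint control-plane nodes with
  # node-role.kubernetes.io/control-plane instead. Confirm which taint
  # your nodes carry.
  tolerations:
    - key: node-role.kubernetes.io/master
      operator: Exists
  containers:
    - name: controller
      # Security: this is a third-party Docker Hub image referenced by
      # tag only, whereas the official manifest pins the image with
      # @sha256. It is also not the mirror image pulled in step 2.
      # Verify the image and pin it by digest before production use.
      image: willdockerhub/ingress-nginx-controller:v1.1.0
      # IfNotPresent keeps using whatever image the node already has
      # cached under this tag.
      imagePullPolicy: IfNotPresent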

# 查看状态
[root@master01 ~]# kubectl get pods -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx

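# Output of the status check (kubectl get pods) as recorded on the page:
#   NAME                                        READY   STATUS      RESTARTS   AGE
#   ingress-nginx-admission-create-64wms        0/1     Completed   0          172m
#   ingress-nginx-admission-patch-rz7lw         0/1     Completed   0          172m
#   ingress-nginx-controller-56cc5b778c-pzcwd   1/1     Running     0          172m
#
# Original YAML file: the official manifest (chart ingress-nginx-4.0.1,
# controller 1.0.0), before the edits described in the article.
#
# NOTE(review): the page extraction collapsed this manifest onto a few
# lines and stripped every domain-like token (API groups, label and
# annotation prefixes, registry host, fieldPath values, the webhook
# name) plus the file names in the "# Source:" comments. The
# well-known Kubernetes identifiers are restored below. The "# Source:"
# paths are left truncated as they appear on the page. Keys that the
# page repeated at page breaks (duplicate "labels:", "resources:",
# "httpGet:", "- watch", version and component labels) are written
# once. Diff against the upstream release before applying.
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
---
# Source: ingress-nginx/templates/
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
# The controller talks to the API server, so its token is mounted.
automountServiceAccountToken: true
---
# Source: ingress-nginx/templates/
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
data: {}
---
# Source: ingress-nginx/templates/
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
rules:
  # Security: list/watch on secrets in a ClusterRole covers every
  # namespace, so the controller's service-account token can read all
  # Secrets in the cluster. Treat the controller pod accordingly.
  - apiGroups:
      - ''
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
---
# Source: ingress-nginx/templates/
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ''
    resources:
      - configmaps
      - pods
      - secrets
      - endpoints
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  # Update rights are limited to the one ConfigMap named by
  # --election-id in the controller args.
  - apiGroups:
      - ''
    resources:
      - configmaps
    resourceNames:
      - ingress-controller-leader
    verbs:
      - get
      - update
  - apiGroups:
      - ''
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
---
# Source: ingress-nginx/templates/
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/
# ClusterIP service through which the API server reaches the
# validating webhook on the controller (container port "webhook").
apiVersion: v1
kind: Service
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
spec:
  type: ClusterIP
  ports:
    - name: https-webhook
      port: 443
      targetPort: webhook
      appProtocol: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/
apiVersion: v1
kind: Service
metadata:
  annotations: {}
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  # NodePort opens the allocated http/https ports on every node.
  type: NodePort
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
      appProtocol: http
    - name: https
      port: 443
      protocol: TCP
      targetPort: https
      appProtocol: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/component: controller
  revisionHistoryLimit: 10
  minReadySeconds: 0
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
    spec:
      dnsPolicy: ClusterFirst
      containers:
        - name: controller
          # Pinned by digest: the node only runs an image whose
          # content matches this sha256.
          # NOTE(review): registry host restored (the page shows only
          # "/ingress-nginx/controller..."); confirm against upstream.
          image: k8s.gcr.io/ingress-nginx/controller:v1.0.0@sha256:0851b34f69f69352bf168e6ccf30e1e20714a264ab1ecd1933e4d8c0fc3215c6
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          args:
            - /nginx-ingress-controller
            - --election-id=ingress-controller-leader
            - --controller-class=k8s.io/ingress-nginx
            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
          securityContext:
            # All capabilities dropped except binding ports below
            # 1024, running as the non-root uid 101.
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            runAsUser: 101
            # NOTE(review): escalation is left enabled. Presumably
            # the nginx binary needs it to gain NET_BIND_SERVICE as a
            # non-root user; confirm before changing.
            allowPrivilegeEscalation: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # NOTE(review): the page shows only "/usr/local/lib/".
            # The library file name is restored from the upstream
            # manifest as remembered; confirm it.
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
            - name: webhook
              containerPort: 8443
              protocol: TCP
          volumeMounts:
            # Webhook serving certificate and key, read-only, from
            # the Secret written by the admission-create Job.
            - name: webhook-cert
              mountPath: /usr/local/certificates/
              readOnly: true
          resources:
            requests:
              cpu: 100m
              memory: 90Mi
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission
---
# Source: ingress-nginx/templates/
# We don't support namespaced ingressClass yet
# So a ClusterRole and a ClusterRoleBinding is required
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: nginx
  namespace: ingress-nginx
spec:
  controller: k8s.io/ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/
# before changing this value, check the required kubernetes version
# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  name: ingress-nginx-admission
webhooks:
  - name: validate.nginx.ingress.kubernetes.io
    matchPolicy: Equivalent
    rules:
      - apiGroups:
          - networking.k8s.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    # Fail closed: Ingress CREATE/UPDATE is rejected whenever the API
    # server cannot get an answer from the webhook service.
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions:
      - v1
    clientConfig:
      service:
        namespace: ingress-nginx
        name: ingress-nginx-controller-admission
        path: /networking/v1/ingresses
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
rules:
  # No resourceNames here, so the Job account may get/update any
  # ValidatingWebhookConfiguration in the cluster.
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - get
      - update
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
rules:
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - get
      - create
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/
# Job "create": runs kube-webhook-certgen with "create" and stores the
# result in the Secret ingress-nginx-admission (--secret-name).
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
spec:
  template:
    metadata:
      name: ingress-nginx-admission-create
      labels:
        helm.sh/chart: ingress-nginx-4.0.1
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/version: 1.0.0
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: create
          # Pinned by digest. NOTE(review): registry host restored;
          # confirm against upstream.
          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
          imagePullPolicy: IfNotPresent
          args:
            - create
            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
            - --namespace=$(POD_NAMESPACE)
            - --secret-name=ingress-nginx-admission
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/
# Job "patch": runs kube-webhook-certgen with "patch" against the
# webhook configuration ingress-nginx-admission, using the same Secret.
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-4.0.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
spec:
  template:
    metadata:
      name: ingress-nginx-admission-patch
      labels:
        helm.sh/chart: ingress-nginx-4.0.1
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/version: 1.0.0
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: patch
          # Pinned by digest. NOTE(review): registry host restored;
          # confirm against upstream.
          image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0@sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068
          imagePullPolicy: IfNotPresent
          args:
            - patch
            - --webhook-name=ingress-nginx-admission
            - --namespace=$(POD_NAMESPACE)
            - --patch-mutating=false
            - --secret-name=ingress-nginx-admission
            - --patch-failure-policy=Fail
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000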
