Expose port 80 on Digital Ocean's managed Kubernetes without a load balancer


Problem description

I would like to expose my Kubernetes Managed Digital Ocean (single node) cluster's service on port 80 without the use of Digital Ocean's load balancer. Is this possible? How would I do this?

This is essentially a hobby project (I am beginning with Kubernetes) and just want to keep the cost very low.

Recommended answer

You can deploy an Ingress configured to use the host network and port 80/443.

  1. DO's firewall for your cluster doesn't have 80/443 inbound open by default.

If you edit the auto-created firewall the rules will eventually reset themselves. The solution is to create a separate firewall also pointing at the same Kubernetes worker nodes:

$ doctl compute firewall create \
    --inbound-rules="protocol:tcp,ports:80,address:0.0.0.0/0,address:::/0 protocol:tcp,ports:443,address:0.0.0.0/0,address:::/0" \
    --tag-names=k8s:CLUSTER_UUID \
    --name=k8s-extra-mycluster

(Get the CLUSTER_UUID value from the dashboard or the ID column from doctl kubernetes cluster list)

  1. Create the nginx ingress using the host network. I've included the helm chart config below, but you could do it via the direct install process too.

The Helm chart in the above link has been DEPRECATED. Therefore, the correct way of installing the chart (as per the new docs) is:

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update

After this repo is added & updated

# For Helm 2
$ helm install stable/nginx-ingress --name=myingress -f myingress.values.yml

# For Helm 3
$ helm install myingress stable/nginx-ingress -f myingress.values.yml

# EDIT: the new way to install with Helm 3
$ helm install myingress ingress-nginx/ingress-nginx -f myingress.values.yml

myingress.values.yml for the chart:

---
controller:
  kind: DaemonSet
  hostNetwork: true
  dnsPolicy: ClusterFirstWithHostNet
  daemonset:
    useHostPort: true
  service:
    type: ClusterIP
rbac:
  create: true

  1. You should be able to access the cluster on :80 and :443 via any worker node IP and it'll route traffic to your ingress.

Since node IPs can & do change, look at deploying external-dns to manage DNS entries to point to your worker nodes. Again, using the helm chart and assuming your DNS domain is hosted by DigitalOcean (though any supported DNS provider will work):

# For Helm 2
$ helm install --name=mydns -f mydns.values.yml stable/external-dns

# For Helm 3
$ helm install mydns stable/external-dns -f mydns.values.yml

mydns.values.yml for the chart:

---
provider: digitalocean
digitalocean:
  # create the API token at https://cloud.digitalocean.com/account/api/tokens
  # needs read + write
  apiToken: "DIGITALOCEAN_API_TOKEN"
domainFilters:
  # domains you want external-dns to be able to edit
  - example.com
rbac:
  create: true

  1. Create a Kubernetes Ingress resource to route requests to an existing Kubernetes service:

---
# extensions/v1beta1 Ingress was removed in Kubernetes 1.22;
# networking.k8s.io/v1 is available from 1.19 onwards.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: testing123-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
    - host: testing123.example.com             # the domain you want associated
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: testing123-service       # existing service
                port:
                  number: 8000                 # existing service port

  1. After about a minute, you should see the DNS record appear and be resolvable:

$ dig testing123.example.com             # should return worker IP address
$ curl -v http://testing123.example.com  # should send the request through the Ingress to your backend service

(Editing the automatically created firewall rules eventually breaks; add a separate firewall instead.)
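
An added example, not part of the original answer: with `hostNetwork: true` the extra firewall is the only filter in front of the node, so this POSIX shell check parses an `--inbound-rules` string in the format used above and reports anything open to 0.0.0.0/0 or ::/0 that is not on an allow list. The function names, the allow-list format and the second rule string are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Rule strings use the doctl --inbound-rules syntax shown above:
# rules separated by spaces, each rule a comma-separated list of key:value fields.

# Print "proto/ports" for every rule whose source includes 0.0.0.0/0 or ::/0.
world_open_ports() {
    for rule in $1; do
        proto="" ports="" world=0
        old_ifs=$IFS; IFS=,
        for field in $rule; do
            key=${field%%:*}    # text before the first colon
            val=${field#*:}     # everything after it, so "address:::/0" gives "::/0"
            case $key in
                protocol) proto=$val ;;
                ports)    ports=$val ;;
                address)  case $val in 0.0.0.0/0|::/0) world=1 ;; esac ;;
            esac
        done
        IFS=$old_ifs
        if [ "$world" -eq 1 ]; then printf '%s/%s\n' "$proto" "$ports"; fi
    done
    return 0
}

# Print world-open entries missing from the allow list ($2, space-separated
# "proto/ports" items). Returns 1 if anything unexpected is exposed.
unexpected_ports() {
    bad=0
    for entry in $(world_open_ports "$1"); do
        case " $2 " in
            *" $entry "*) ;;
            *) echo "$entry"; bad=1 ;;
        esac
    done
    return $bad
}

# The rule string from the answer, then a constructed one that also opens the
# NodePort range to the world and SSH to a single documentation-range address.
RULES_PAGE="protocol:tcp,ports:80,address:0.0.0.0/0,address:::/0 protocol:tcp,ports:443,address:0.0.0.0/0,address:::/0"
RULES_BAD="$RULES_PAGE protocol:tcp,ports:30000-32767,address:0.0.0.0/0 protocol:tcp,ports:22,address:203.0.113.7/32"

unexpected_ports "$RULES_PAGE" "tcp/80 tcp/443" && echo "page rules: only 80/443 are world-open"
unexpected_ports "$RULES_BAD" "tcp/80 tcp/443" || echo "^ world-open but not in the allow list"
```

The check runs on the rule string before it is passed to `doctl compute firewall create`; it does not query the firewall actually applied to the nodes.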
