k8s基本概念

Master

1、k8s集群的管理节点，负责管理集群，提供集群的资源数据访问入口。
2、拥有Etcd存储服务（可选），
3、运行Api Server进程，Controller Manager服务进程及Scheduler服务进程，关联工作节点Node。
4、Kubernetes API server提供HTTP Rest接口的关键服务进程，是Kubernetes里所有资源的增、删、改、查等操作的唯一入口。也是集群控制的入口进程；
5、Kubernetes Controller Manager是Kubernetes所有资源对象的自动化控制中心；
6、Kubernetes Schedule是负责资源调度（Pod调度）的进程

Node

Node是Kubernetes集群架构中运行Pod的服务节点（亦叫agent或minion）。
Node是Kubernetes集群操作的单元，用来承载被分配Pod的运行，是Pod运行的宿主机。
关联Master管理节点，拥有名称和IP、系统资源信息。
运行docker eninge服务，守护进程kunelet及负载均衡器kube-proxy.

每个Node节点都运行着以下一组关键进程
kubelet：负责对Pod对于的容器的创建、启停等任务
kube-proxy：实现Kubernetes Service的通信与负载均衡机制的重要组件
Docker Engine（Docker）：Docker引擎，负责本机容器的创建和管理工作

Node节点可以在运行期间动态增加到Kubernetes集群中，默认情况下，kubelet会想master注册自己，这也是 Kubernetes推荐的Node管理方式，kubelet进程会定时向Master汇报自身情报，如操作系统、Docker版本、CPU和内存，以及 有哪些Pod在运行等等，这样Master可以获知每个Node节点的资源使用情况，冰实现高效均衡的资源调度策略。

Node也可以是K8S集群中的一个逻辑概念，表示加入集群中的物理节点或者虚拟机的信息：
Node地址：主机的IP地址、或者NODEID
Node运行状态：包括Padding、running、terminated三种状态。
Node Condition：描述running状态Node的运行条件，当前只有一个Ready.表示Node处于健康状态，可以接收Master发来的创建Pod的指令。
Node系统容量：描述Node可用的系统资源，包括CPU，最大可用内存数量、可调度的Pod数量等。
其他：Node节点的其他信息，包括实例的内核版本号、Kubernetes的版本号、Docker版本号、操作系统名称等。

Pod

运行于Node节点上，若干相关容器的组合。
Pod内包含的容器运行在同一宿主机上，使用相同的网络命名空间、IP地址和端口，能够通过 localhost进行通。
Pod是Kurbernetes进行创建、调度和管理的最小单位，它提供了比容器更高层次的抽象，使得部署和管理更加灵活。
一 个Pod可以包含一个容器或者多个相关容器，其中的应用容器共享一组资源：PID命名空间、网络命名空间、IPC命名空间、UTS命名空间、Volumes(共享存储卷)。
PID命名空间：Pod中的应用程序可以看到其他应用程序的进程ID
网络命名空间：Pod中的多个容器能够访问同一个IP和端口范围。
IPC命名空间：Pod中多个容器能够使用SystemV IPC或者POSIX消息队列进行通信
UTS命名空间：Pod中多个容器共享一个主机名
Volumes(共享存储卷)：Pod中各个容器可以访问在Pod级别定义的Volumes

Pod其实有两种类型：普通Pod和静态Pod，后者比较特殊，它并不存在Kubernetes的etcd存储中，而是存放在某个具体的 Node上的一个具体文件中，并且只在此Node上启动。普通Pod一旦被创建，就会被放入etcd存储中，随后会被Kubernetes Master调度到摸个具体的Node上进行绑定，随后该Pod被对应的Node上的kubelet进程实例化成一组相关的Docker容器并启动起来。在默认情况下，当Pod里的某个容器停止时，Kubernetes会自动检测到这个问起并且重启这个Pod（重启Pod里的所有容器），如果Pod所在的Node宕机，则会将这个Node上的所有Pod重新调度到其他节点上。

Pod的生命周期
Pod 相位的数量和含义是严格指定的，不应该再假定 Pod 有其他的 phase 值。
下面是 phase 可能的值：
挂起（Pending）：Pod 已被 Kubernetes 系统接受，但有一个或者多个容器镜像尚未创建。等待时间包括调度 Pod 的时间和通过网络下载镜像的时间，这可能需要花点时间。
运行中（Running）：该 Pod 已经绑定到了一个节点上，Pod 中所有的容器都已被创建。至少有一个容器正在运行，或者正处于启动或重启状态。
成功（Succeeded）：Pod 中的所有容器都被成功终止，并且不会再重启。
失败（Failed）：Pod 中的所有容器都已终止了，并且至少有一个容器是因为失败终止。也就是说，容器以非0状态退出或者被系统终止。
未知（Unknown）：因为某些原因无法取得 Pod 的状态，通常是因为与 Pod 所在主机通信失败。

Replication Controller

在Master内，Controller Manager通过Replication Controller（RC）来进行Pod的启动、停止、监控。
Replication Controller用来管理Pod的副本，保证集群中存在指定数量的Pod副本。集群中副本的数量大于指定数量，则会停止指定数量之外的多余容器数量， 反之，则会启动少于指定数量个数的容器，保证数量不变。
Replication Controller是实现弹性伸缩、动态扩容和滚动升级的核心。

Service

Service定义了Pod的逻辑集合和访问该集合的策略，是真实服务的抽象。Service提供了一个统一的服务访问入口以及服务代理和发现机制，关联多个相同Label的Pod，用户不需要了解后台Pod是如何运行。

外部系统访问Service的问题，首先需要弄明白Kubernetes的三种IP这个问题
Node IP：Node节点的IP地址，Node IP是Kubernetes集群中节点的物理网卡IP地址，所有属于这个网络的服务器之间都能通过这个网络直接通信。这也表明Kubernetes集群之 外的节点访问Kubernetes集群之内的某个节点或者TCP/IP服务的时候，必须通过Node IP进行通信
Pod IP： Pod的IP地址，Pod IP是每个Pod的IP地址，他是Docker Engine根据docker0网桥的IP地址段进行分配的，通常是一个虚拟的二层网络。
Cluster IP：Service的IP地址，Cluster IP是Kubernetes系统中的一个虚拟的IP，但更像是一个伪造的IP网络，原因有以下几点
Cluster IP仅仅作用于Kubernetes Service这个对象，并由Kubernetes管理和分配P地址；
Cluster IP无法被ping，他没有一个“实体网络对象”来响应；
Cluster IP只能结合Service Port组成一个具体的通信端口，单独的Cluster IP不具备通信的基础，并且他们属于Kubernetes集群这样一个封闭的空间。

Kubernetes集群之内，Node IP网、Pod IP网于Cluster IP网之间的通信，采用的是Kubernetes自己设计的一种编程方式的特殊路由规则。

Label

Kubernetes中的任意API对象都是通过Label进行标识，Label的实质是一系列的Key/Value键值对，其中key于 value由用户自己指定。Label可以附加在各种资源对象上，如Node、Pod、Service、RC等，一个资源对象可以定义任意数量的 Label，同一个Label也可以被添加到任意数量的资源对象上去。Label是Replication Controller和Service运行的基础，二者通过Label来进行关联Node上运行的Pod。

我们可以通过给指定的资源对象捆绑一个或者多个不同的Label来实现多维度的资源分组管理功能，以便于灵活、方便的进行资源分配、调度、配置等管理工作。

一些常用的Label如下：
版本标签："release":"stable","release":"canary"......
环境标签："environment":"dev","environment":"qa","environment":"production"
架构标签："tier":"frontend","tier":"backend","tier":"middleware"
分区标签："partition":"customerA","partition":"customerB"
质量管控标签："track":"daily","track":"weekly"

Label相当于我们熟悉的标签，给某个资源对象定义一个Label就相当于给它大了一个标签，随后可以通过Label Selector（标签选择器）查询和筛选拥有某些Label的资源对象，Kubernetes通过这种方式实现了类似SQL的简单又通用的对象查询机 制。

Label Selector在Kubernetes中重要使用场景如下:
kube-Controller进程通过资源对象RC上定义Label Selector来筛选要监控的Pod副本的数量，从而实现副本数量始终符合预期设定的全自动控制流程
kube-proxy进程通过Service的Label Selector来选择对应的Pod，自动建立起每个Service岛对应Pod的请求转发路由表，从而实现Service的智能负载均衡，通过对某些Node定义特定的Label，并且在Pod定义文件中使用Nodeselector这种标签调度策略，kuber-scheduler进程可以实现Pod”定向调度“的特性

Volume

Volume是Pod中能够被多个容器访问的共享目录。Kubernetes的Volume与Docker的Volume比较相似，但并不完全相同。
Kubernetes中的Volume与Pod的生命周期相同，但与容器的生命周期不相关，当容器终止或者重启时，Volume中的数据不会丢失。
Kubernetes支持多种类型的Volume，并且一个Pod可以同时使用任意多个Volume。
1) EmptyDir：在Pod分配到Node时创建，初始内容为空，当Pod从Node上移除时，EmptyDir中的数据也会被删除。
2) HostPath：在Pod上挂载宿主机的文件或目录。
3) GCE Persistent Disk
4) AWS Elastic Block Store
5) NFS
6) iSCSI
7) Flocker
8) GlusterFS
9) RBD
10)Git Repo
11)Secret
12)Persistent Volume Claim
13)Downward API

Namespace

Namespace是Kubernetes中另一个非常重要的概念，通过将系统内部的对象分配到不同的Namespace中，形成逻辑上分组的不同项目、小组或者用户组，便于不同的分组在共享使用整个集群的资源的同时还能被分别管理。

Kubernetes集群在启动后，会创建一个命名为default的Namespace,Pod、RC、Service如果不指明namespace则默认分配到default namespace中。

使用Namespace来组织Kubernetes中的各种对象，可以实现对用户的分组、即多租户管理。

kubectl get namespaces kubectl get pods --namespace=xxx

Annotation

Annotation与Label类似，可使用K-V键值对的形式进行定义。
与Label具有严格定义相对的是，Annotation是用户任意定义的“附加”信息，以便于进行查找。

K8S安装

CentOS Linux release 7.5.1804 (Core)
Docker version 18.06.1-ce, build e68fc7a
安装kubeadm 1.12.1版本

#设置主机名、关闭selinux、关闭防火墙、重启系统 hostnamectl set-hostname master sed -i 's/enforcing/disabled/' /etc/selinux/config set selinux false systemctl stop firewalld systemctl disable firewalld reboot #配置本地DNS echo "192.168.31.105 master 192.168.31.106 node01 192.168.31.107 node02" >> /etc/hosts #添加docker-ce的yum库 echo '[docker-ce-stable] name=Docker CE Stable - $basearch baseurl=https://download.docker.com/linux/centos/7/$basearch/stable enabled=1 gpgcheck=1 gpgkey=https://download.docker.com/linux/centos/gpg'>/etc/yum.repos.d/docker-ce.repo #安装docker-ce、配置开机启动 yum list docker-ce --showduplicates|grep "^doc"|sort -r yum -y install docker-ce-18.06.1.ce-3.el7 systemctl start docker systemctl enable docker #开启ip转发 echo "net.ipv4.ip_forward = 1">>/etc/sysctl.conf sysctl -p #配置kubernetes的yum库 echo '[kubernetes] name=Kubernetes baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64 enabled=1 gpgcheck=1 repo_gpgcheck=1 gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg'>/etc/yum.repos.d/kubernetes.repo #由于k8s.gcr.io的Google无法下载，故从阿里云上下载，重新打上k8s.gcr.io的tag docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-apiserver-amd64:v1.12.1 docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-controller-manager-amd64:v1.12.1 docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler-amd64:v1.12.1 docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy-amd64:v1.12.1 docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/etcd-amd64:3.2.24 docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.1 docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:1.2.2 #重新打tag docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.1 k8s.gcr.io/pause:3.1 docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:1.2.2 k8s.gcr.io/coredns:1.2.2 docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/etcd-amd64:3.2.24 k8s.gcr.io/etcd:3.2.24 docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler-amd64:v1.12.1 k8s.gcr.io/kube-scheduler:v1.12.1 docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-controller-manager-amd64:v1.12.1 k8s.gcr.io/kube-controller-manager:v1.12.1 docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-apiserver-amd64:v1.12.1 k8s.gcr.io/kube-apiserver:v1.12.1 docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy-amd64:v1.12.1 k8s.gcr.io/kube-proxy:v1.12.1 #安装kubelet kubeadm kubectl yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes #设置忽略swap、并关闭swap挂载 vi /etc/sysconfig/kubelet #add args to KUBELET_EXTRA_ARGS KUBELET_EXTRA_ARGS=--fail-swap-on=false swapoff -a sed -i 's/.swap./#&/' /etc/fstab free -h #如果要永久禁止swap挂载，可以修改/etc/fstab，将与swap有关的配置注释，重启系统即可 sed -i 's/.swap./#&/' /etc/fstab #初始化 kubeadm init --kubernetes-version=1.12.1 --pod-network-cidr=10.244.0.0/16 --apiserver-advertise-address=192.168.31.105 #如果初始化失败，可以使用kubeadm reset后再重新初始化 #初始化成功返回的信息 [init] using Kubernetes version: v1.12.1 [preflight] running pre-flight checks [preflight/images] Pulling images required for setting up a Kubernetes cluster [preflight/images] This might take a minute or two, depending on the speed of your internet connection [preflight/images] You can also perform this action in beforehand using 'kubeadm config images pull' [kubelet] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env" [kubelet] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml" [preflight] Activating the kubelet service [certificates] Generated ca certificate and key. [certificates] Generated apiserver certificate and key. [certificates] apiserver serving cert is signed for DNS names [master kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 192.168.31.105] [certificates] Generated apiserver-kubelet-client certificate and key. [certificates] Generated front-proxy-ca certificate and key. [certificates] Generated front-proxy-client certificate and key. [certificates] Generated etcd/ca certificate and key. [certificates] Generated etcd/healthcheck-client certificate and key. [certificates] Generated apiserver-etcd-client certificate and key. [certificates] Generated etcd/server certificate and key. [certificates] etcd/server serving cert is signed for DNS names [master localhost] and IPs [127.0.0.1 ::1] [certificates] Generated etcd/peer certificate and key. [certificates] etcd/peer serving cert is signed for DNS names [master localhost] and IPs [192.168.31.105 127.0.0.1 ::1] [certificates] valid certificates and keys now exist in "/etc/kubernetes/pki" [certificates] Generated sa key and public key. [kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/admin.conf" [kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf" [kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/controller-manager.conf" [kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/scheduler.conf" [controlplane] wrote Static Pod manifest for component kube-apiserver to "/etc/kubernetes/manifests/kube-apiserver.yaml" [controlplane] wrote Static Pod manifest for component kube-controller-manager to "/etc/kubernetes/manifests/kube-controller-manager.yaml" [controlplane] wrote Static Pod manifest for component kube-scheduler to "/etc/kubernetes/manifests/kube-scheduler.yaml" [etcd] Wrote Static Pod manifest for a local etcd instance to "/etc/kubernetes/manifests/etcd.yaml" [init] waiting for the kubelet to boot up the control plane as Static Pods from directory "/etc/kubernetes/manifests" [init] this might take a minute or longer if the control plane images have to be pulled [apiclient] All control plane components are healthy after 19.003253 seconds [uploadconfig] storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace [kubelet] Creating a ConfigMap "kubelet-config-1.12" in namespace kube-system with the configuration for the kubelets in the cluster [markmaster] Marking the node master as master by adding the label "node-role.kubernetes.io/master=''" [markmaster] Marking the node master as master by adding the taints [node-role.kubernetes.io/master:NoSchedule] [patchnode] Uploading the CRI Socket information "/var/run/dockershim.sock" to the Node API object "master" as an annotation [bootstraptoken] using token: ayy3kb.npks65qpznhb39w7 [bootstraptoken] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials [bootstraptoken] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token [bootstraptoken] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster [bootstraptoken] creating the "cluster-info" ConfigMap in the "kube-public" namespace [addons] Applied essential addon: CoreDNS [addons] Applied essential addon: kube-proxy Your Kubernetes master has initialized successfully! To start using your cluster, you need to run the following as a regular user: mkdir -p $HOME/.kube sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config sudo chown $(id -u):$(id -g) $HOME/.kube/config You should now deploy a pod network to the cluster. Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at: https://kubernetes.io/docs/concepts/cluster-administration/addons/ You can now join any number of machines by running the following on each node as root: kubeadm join 192.168.31.105:6443 --token ayy3kb.npks65qpznhb39w7 --discovery-token-ca-cert-hash sha256:c3d0f476fc857b6ee05e840bb4dd95799405fd9086b095284cdffb43382a3370 #可以使用如下命令找回token kubeadm token create --print-join-command I1027 01:37:16.239107 19974 version.go:89] could not fetch a Kubernetes version from the internet: unable to get URL "https://dl.k8s.io/release/stable-1.txt": Get https://storage.googleapis.com/kubernetes-release/release/stable-1.txt: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) I1027 01:37:16.239173 19974 version.go:94] falling back to the local client version: v1.12.1 kubeadm join 192.168.31.105:6443 --token xv6nlv.pqq3gss1uisty93k --discovery-token-ca-cert-hash sha256:c3d0f476fc857b6ee05e840bb4dd95799405fd9086b095284cdffb43382a3370 #若是非root用户 mkdir -p $HOME/.kube cp -i /etc/kubernetes/admin.conf $HOME/.kube/config chown $(id -u):$(id -g) $HOME/.kube/config #若是root用户 echo "export KUBECONFIG=/etc/kubernetes/admin.conf" >> ~/.bash_profile source ~/.bash_profile kubeadm join 172.31.3.11:6443 --token jlidhg.sczmdc5wnvgi5pir --discovery-token-ca-cert-hash sha256:74f5e3a3b1163fdafe9a634ff5ca81ea314a6895af18e03a5b482635b4ca93e0

过程中遇到一个问题，各个节点的状态都是NotReady，原因是没有按照网络插件，按照flannel后重启docker引擎即可（systemctl restart docker）

Ready False Sat, 27 Oct 2018 11:17:06 +0800 Sat, 27 Oct 2018 01:10:19 +0800 KubeletNotReady runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized cat /var/lib/kubelet/kubeadm-flags.env kubectl get pod -n kube-system -o wide kubectl get nodes #按照flannel kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml #master node 参与工作负载 kubectl taint nodes master node.kubernetes.io/not-ready-

最终集群状态

[root@master ~]# kubectl get nodes NAME STATUS ROLES AGE VERSION master Ready master 11h v1.12.1 node01 Ready <none> 10h v1.12.1 node02 Ready <none> 10h v1.12.1 [root@master ~]# kubectl get pods --all-namespaces -owide NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE kube-system coredns-576cbf47c7-2tsdz 1/1 Running 0 11h 10.244.1.3 node01 <none> kube-system coredns-576cbf47c7-87cvn 1/1 Running 0 11h 10.244.1.2 node01 <none> kube-system etcd-master 1/1 Running 1 18m 192.168.31.105 master <none> kube-system kube-apiserver-master 1/1 Running 1 18m 192.168.31.105 master <none> kube-system kube-controller-manager-master 1/1 Running 1 18m 192.168.31.105 master <none> kube-system kube-flannel-ds-amd64-76z5p 1/1 Running 0 20m 192.168.31.107 node02 <none> kube-system kube-flannel-ds-amd64-7kw2n 1/1 Running 1 20m 192.168.31.105 master <none> kube-system kube-flannel-ds-amd64-f45t2 1/1 Running 0 20m 192.168.31.106 node01 <none> kube-system kube-proxy-mg62l 1/1 Running 0 10h 192.168.31.107 node02 <none> kube-system kube-proxy-n7njk 1/1 Running 1 11h 192.168.31.105 master <none> kube-system kube-proxy-ws6v2 1/1 Running 0 10h 192.168.31.106 node01 <none> kube-system kube-scheduler-master 1/1 Running 2 18m 192.168.31.105 master <none>

wget https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml [root@master ~]# grep image kubernetes-dashboard.yaml image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.0 docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.0 docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.0 k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.0 docker image rm registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.0 kubectl create -f kubernetes-dashboard.yaml #rc扩容 kubectl scale rc nginx-controller --replicas=4

Ingress

在kubernetes 1.2 版本之前，实现服务对外暴露的方式有两种

• LoadBlancer Service
• NodePort Service

通过NodePort 的方式，后期随着进入的服务增多，众多的端口映射，后期端口管理是个大麻烦
通过LoadBlancer 暴露，一般为对接GCE、阿里云、Openstack等云平台，深度结合了云平台，所以只能在一些云平台上来使用，对于后期的迁移是个麻烦

为了解决服务暴露的问题，同时避免NodePort 的端口管理问题和LoadBlancer 的云平台深度结合问题，Kubernetes在1.2版本支持通过 Ingress 用户可以实现使用 nginx 等开源的反向代理负载均衡器实现对外暴露服务。

1、Ingress 可以解决什么问题？

• 动态配置服务
  如果按照传统方式, 当新增加一个服务时, 我们可能需要在流量入口加一个反向代理指向我们新的k8s服务. 而如果用了Ingress, 只需要配置好这个服务, 当服务启动时, 会自动注册到Ingress的中, 不需要而外的操作.
• 减少不必要的端口暴露
  配置过k8s的都清楚, 第一步是要关闭防火墙的, 主要原因是k8s的很多服务会以NodePort方式映射出去, 这样就相当于给宿主机打了很多孔, 既不安全也不优雅. 而Ingress可以避免这个问题, 除了Ingress自身服务可能需要映射出去, 其他服务都不要用NodePort方式。Ingresss是k8s集群中的一个API资源对象，扮演边缘路由器(edge router)的角色，也可以理解为集群防火墙、集群网关，我们可以自定义路由规则来转发、管理、暴露服务(一组pod)，非常灵活，生产环境建议使用这种方式。另外LoadBlancer也可以暴露服务，不过这种方式需要向云平台申请负债均衡器；虽然目前很多云平台都支持，但是这种方式深度耦合了云平台

2、使用 Ingress 时一般会有三个组件:反向代理负载均衡器、Ingress Controller、 Ingress

• 反向代理负载均衡器
  反向代理负载均衡器很简单，说白了就是 nginx、apache 什么的；在集群中反向代理负载均衡器可以自由部署，可以使用 Replication Controller、Deployment、DaemonSet 等等，不过个人喜欢以 DaemonSet 的方式部署，感觉比较方便
• Ingress Controller
  Ingress Controller 实质上可以理解为是个监视器，Ingress Controller 通过不断地跟 kubernetes API 打交道，实时的感知后端 service、pod 等变化，比如新增和减少 pod，service 增加与减少等；当得到这些变化信息后，Ingress Controller 再结合下文的 Ingress 生成配置，然后更新反向代理负载均衡器，并刷新其配置，达到服务发现的作用
• Ingress
  Ingress 简单理解就是个规则定义；比如说某个域名对应某个 service，即当某个域名的请求进来时转发给某个 service;这个规则将与 Ingress Controller 结合，然后 Ingress Controller 将其动态写入到负载均衡器配置中，从而实现整体的服务发现和负载均衡

ingress nginx的实现方式

aliyun docker镜像库下载：https://dev.aliyun.com/search.html

#查看github上ingress-nginx的配置文件，需要在k8s.gce.io上下载如下几个镜像，提前在aliyun的docker镜像库中下载好，本地重新打上k8s.gce.io的tag，配置文件地址为https://github.com/kubernetes/ingress-nginx/blob/master/deploy/mandatory.yaml docker pull registry.cn-qingdao.aliyuncs.com/kubernetes_xingej/defaultbackend-amd64:1.5 docker tag registry.cn-qingdao.aliyuncs.com/kubernetes_xingej/defaultbackend-amd64:1.5 k8s.gcr.io/defaultbackend-amd64:1.5 docker image rm registry.cn-qingdao.aliyuncs.com/kubernetes_xingej/defaultbackend-amd64:1.5 docker pull registry.cn-qingdao.aliyuncs.com/kubernetes_xingej/nginx-ingress-controller:0.20.0 docker tag registry.cn-qingdao.aliyuncs.com/kubernetes_xingej/nginx-ingress-controller:0.20.0 quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.20.0 docker image rm registry.cn-qingdao.aliyuncs.com/kubernetes_xingej/nginx-ingress-controller:0.20.0 wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.20.0/deploy/mandatory.yaml mv mandatory.yaml ingress-nginx-mandatory.yaml kubectl apply -f ingress-nginx-mandatory.yaml wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/baremetal/service-nodeport.yaml kubectl apply -f service-nodeport.yaml #至此，nginx的ingress rc controller和ingress nginx service创建完成，并且ingress nginx使用如下方式（NodePort 10.111.38.64 <none> 80:30412/TCP,443:31488/TCP）进行服务暴露。 [root@master ~]# kubectl get deployment,svc,rc,pod,ing -o wide -n ingress-nginx NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR deployment.extensions/default-http-backend 1 1 1 1 14h default-http-backend k8s.gcr.io/defaultbackend-amd64:1.5 app.kubernetes.io/name=default-http-backend,app.kubernetes.io/part-of=ingress-nginx deployment.extensions/nginx-ingress-controller 1 1 1 1 14h nginx-ingress-controller quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.20.0 app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR service/default-http-backend ClusterIP 10.108.66.33 <none> 80/TCP 14h app.kubernetes.io/name=default-http-backend,app.kubernetes.io/part-of=ingress-nginx service/ingress-nginx NodePort 10.111.38.64 <none> 80:30412/TCP,443:31488/TCP 6m5s app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE pod/default-http-backend-85b8b595f9-pcdjb 1/1 Running 0 14h 10.244.1.10 node01 <none> pod/nginx-ingress-controller-866568b999-sqvmk 1/1 Running 0 14h 10.244.2.17 node02 <none> #创建应用服务，本地文件名为nginx.yaml kubectl apply -f nginx.yaml [root@master ~]# cat nginx.yaml apiVersion: v1 kind: Service metadata: name: test-ingress namespace: default spec: ports: - port: 80 protocol: TCP targetPort: 80 selector: app: test-ingress --- apiVersion: apps/v1beta1 kind: Deployment metadata: name: test-ingress spec: replicas: 1 template: metadata: labels: app: test-ingress spec: containers: - image: nginx:latest imagePullPolicy: IfNotPresent name: test-nginx ports: - containerPort: 80 #可以看到，本地创建的服务（ClusterIP 10.110.198.202 <none> 80/TCP）并没有对外进行暴露。 [root@master ~]# kubectl get deployment,svc,rc,pod,ing -o wide -n default NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR deployment.extensions/test-ingress 1 1 1 1 73m test-nginx nginx:latest app=test-ingress NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 26h <none> service/test-ingress ClusterIP 10.110.198.202 <none> 80/TCP 73m app=test-ingress NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE pod/test-ingress-78fc77444f-5pvn4 1/1 Running 0 73m 10.244.1.11 node01 <none> #下面需要继续创建与改服务相关的ingress对象，ingress-nginx（namespace:ingress-nginx 下的service/ingress-nginx）服务监听ingress来完成nginx的配置的更新，本地文件名为nginx-ingress.yaml [root@master ~]# cat nginx-ingress.yaml apiVersion: extensions/v1beta1 kind: Ingress metadata: name: test-ingress namespace: default annotations: kubernetes.io/ingress.class: "nginx" spec: rules: - host: feiutest.cn http: paths: - path: backend: serviceName: test-ingress servicePort: 80 #最终的kubernetes集群中的对象信息如下 [root@master ~]# kubectl get deployment,svc,rc,pod,ing -o wide -n default NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR deployment.extensions/test-ingress 1 1 1 1 86m test-nginx nginx:latest app=test-ingress NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 27h <none> service/test-ingress ClusterIP 10.110.198.202 <none> 80/TCP 86m app=test-ingress NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE pod/test-ingress-78fc77444f-5pvn4 1/1 Running 0 86m 10.244.1.11 node01 <none> #创建的ingress对象 NAME HOSTS ADDRESS PORTS AGE ingress.extensions/test-ingress feiutest.cn 80 85m [root@master ~]# kubectl get deployment,svc,rc,pod,ing -o wide -n ingress-nginx NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR deployment.extensions/default-http-backend 1 1 1 1 14h default-http-backend k8s.gcr.io/defaultbackend-amd64:1.5 app.kubernetes.io/name=default-http-backend,app.kubernetes.io/part-of=ingress-nginx deployment.extensions/nginx-ingress-controller 1 1 1 1 14h nginx-ingress-controller quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.20.0 app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR service/default-http-backend ClusterIP 10.108.66.33 <none> 80/TCP 14h app.kubernetes.io/name=default-http-backend,app.kubernetes.io/part-of=ingress-nginx service/ingress-nginx NodePort 10.111.38.64 <none> 80:30412/TCP,443:31488/TCP 26m app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE pod/default-http-backend-85b8b595f9-pcdjb 1/1 Running 0 14h 10.244.1.10 node01 <none> pod/nginx-ingress-controller-866568b999-sqvmk 1/1 Running 0 14h 10.244.2.17 node02 <none> #最终效果 [root@master ~]# curl -H "Host: feiutest.cn" http://127.0.0.1:30412 <!DOCTYPE html> <html> <head> <title>Welcome to nginx!</title> <style> body { width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; } </style> </head> <body> <h1>Welcome to nginx!</h1> <p>If you see this page, the nginx web server is successfully installed and working. Further configuration is required.</p> <p>For online documentation and support please refer to <a href="http://nginx.org/">nginx.org</a>.<br/> Commercial support is available at <a href="http://nginx.com/">nginx.com</a>.</p> <p><em>Thank you for using nginx.</em></p> </body> </html> #资源不存在，直接路由到default backend上 [root@master ~]# curl http://127.0.0.1:30412 default backend - 404[root@master ~]# 

创建应用的tls证书，待验证

第一步：制作自签证书 [root@master demo]# openssl genrsa -out tls.key 2048 [root@master demo]# openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Guangdong/L=Guangzhou/O=devops/CN=feiutest.cn 生成两个文件： [root@master demo]# ls tls.crt  tls.key [root@master demo]# kubectl create secret tls nginx-test --cert=tls.crt --key=tls.key [root@master demo]# kubectl get secret NAME                     TYPE                                  DATA      AGE nginx-test               kubernetes.io/tls                     2         17s #服务对应的ingress文件nginx-ingress.yaml中增加tls的配置，最终如下 apiVersion: extensions/v1beta1 kind: Ingress metadata: name: test-ingress namespace: default annotations: kubernetes.io/ingress.class: "nginx" spec: rules: - host: feiutest.cn http: paths: - path: backend: serviceName: test-ingress servicePort: 80 tls: - hosts: - feiutest.cn secretName: nginx-test 

使用traefik部署Ingress

由于微服务架构以及 Docker 技术和 kubernetes 编排工具最近几年才开始逐渐流行，所以一开始的反向代理服务器比如 nginx、apache 并未提供其支持，毕竟他们也不是先知；所以才会出现 Ingress Controller 这种东西来做 kubernetes 和前端负载均衡器如 nginx 之间做衔接；即 Ingress Controller 的存在就是为了能跟 kubernetes 交互，又能写 nginx 配置，还能 reload 它，这是一种折中方案；
而最近开始出现的 traefik 天生就是提供了对 kubernetes 的支持，也就是说 traefik 本身就能跟 kubernetes API 交互，感知后端变化，使用traefix有天然的优势。

在docker的中央仓库中搜索traefix，最新版本为v1.7.3版本
https://hub.docker.com/explore/

• traefik的github地址
  https://github.com/containous/traefik/
• traefik的官网地址
  https://docs.traefik.io/

#下载镜像 docker pull traefik:v1.7.3 [root@master ~]# docker image ls | grep traefik traefik v1.7.3 99dafcf4b2eb 13 days ago 68.7MB 

ca.crt Issuer: CN=kubernetes Validity Not Before: Oct 26 17:10:07 2018 GMT Not After : Oct 23 17:10:07 2028 GMT Subject: CN=kubernetes apiserver.crt Issuer: CN=kubernetes Validity Not Before: Oct 26 17:10:07 2018 GMT Not After : Oct 26 17:10:07 2019 GMT Subject: CN=kube-apiserver X509v3 Subject Alternative Name: DNS:master, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:192.168.31.105 apiserver-etcd-client.crt Issuer: CN=etcd-ca Validity Not Before: Oct 26 17:10:08 2018 GMT Not After : Oct 26 17:10:08 2019 GMT Subject: O=system:masters, CN=kube-apiserver-etcd-client apiserver-kubelet-client.crt Issuer: CN=kubernetes Validity Not Before: Oct 26 17:10:07 2018 GMT Not After : Oct 26 17:10:08 2019 GMT Subject: O=system:masters, CN=kube-apiserver-kubelet-client front-proxy-ca.crt Issuer: CN=front-proxy-ca Validity Not Before: Oct 26 17:10:08 2018 GMT Not After : Oct 23 17:10:08 2028 GMT Subject: CN=front-proxy-ca front-proxy-client.crt Issuer: CN=front-proxy-ca Validity Not Before: Oct 26 17:10:08 2018 GMT Not After : Oct 26 17:10:08 2019 GMT Subject: CN=front-proxy-client etc/ca.crt Issuer: CN=etcd-ca Validity Not Before: Oct 26 17:10:08 2018 GMT Not After : Oct 23 17:10:08 2028 GMT Subject: CN=etcd-ca etcd/healthcheck-client.crt Issuer: CN=etcd-ca Validity Not Before: Oct 26 17:10:08 2018 GMT Not After : Oct 26 17:10:08 2019 GMT Subject: O=system:masters, CN=kube-etcd-healthcheck-client etcd/peer.crt Issuer: CN=etcd-ca Validity Not Before: Oct 26 17:10:08 2018 GMT Not After : Oct 26 17:10:09 2019 GMT Subject: CN=master X509v3 Subject Alternative Name: DNS:master, DNS:localhost, IP Address:192.168.31.105, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1 etcd/server.crt Issuer: CN=etcd-ca Validity Not Before: Oct 26 17:10:08 2018 GMT Not After : Oct 26 17:10:09 2019 GMT Subject: CN=master X509v3 Subject Alternative Name: DNS:master, DNS:localhost, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1 /etc/kubernetes/manifests/kube-apiserver.yaml spec: containers: - command: - kube-apiserver - --anonymous-auth=false - --authorization-mode=Node,RBAC - --advertise-address=192.168.31.105 - --allow-privileged=true - --client-ca-file=/etc/kubernetes/pki/ca.crt - --enable-admission-plugins=NodeRestriction - --enable-bootstrap-token-auth=true - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key - --etcd-servers=https://127.0.0.1:2379 - --insecure-port=0 - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key - --requestheader-allowed-names=front-proxy-client - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt - --requestheader-extra-headers-prefix=X-Remote-Extra- - --requestheader-group-headers=X-Remote-Group - --requestheader-username-headers=X-Remote-User - --secure-port=6443 - --service-account-key-file=/etc/kubernetes/pki/sa.pub - --service-cluster-ip-range=10.96.0.0/12 - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key image: k8s.gcr.io/kube-apiserver:v1.12.1 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 8 httpGet: host: 192.168.31.105 path: /healthz port: 6443 scheme: HTTPS initialDelaySeconds: 15 timeoutSeconds: 15 name: kube-apiserver resources: requests: cpu: 250m volumeMounts: - mountPath: /etc/kubernetes/pki name: k8s-certs readOnly: true - mountPath: /etc/ssl/certs name: ca-certs readOnly: true - mountPath: /etc/pki name: etc-pki readOnly: true hostNetwork: true priorityClassName: system-cluster-critical volumes: - hostPath: path: /etc/ssl/certs type: DirectoryOrCreate name: ca-certs - hostPath: path: /etc/pki type: DirectoryOrCreate name: etc-pki - hostPath: path: /etc/kubernetes/pki type: DirectoryOrCreate name: k8s-certs kube-controller-manager.yaml spec: containers: - command: - kube-controller-manager - --address=127.0.0.1 - --allocate-node-cidrs=true - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf - --client-ca-file=/etc/kubernetes/pki/ca.crt - --cluster-cidr=10.244.0.0/16 - --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key - --controllers=*,bootstrapsigner,tokencleaner - --kubeconfig=/etc/kubernetes/controller-manager.conf - --leader-elect=true - --node-cidr-mask-size=24 - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt - --root-ca-file=/etc/kubernetes/pki/ca.crt - --service-account-private-key-file=/etc/kubernetes/pki/sa.key - --use-service-account-credentials=true image: k8s.gcr.io/kube-controller-manager:v1.12.1 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 8 httpGet: host: 127.0.0.1 path: /healthz port: 10252 scheme: HTTP initialDelaySeconds: 15 timeoutSeconds: 15 name: kube-controller-manager resources: requests: cpu: 200m volumeMounts: - mountPath: /etc/kubernetes/pki name: k8s-certs readOnly: true - mountPath: /etc/ssl/certs name: ca-certs readOnly: true - mountPath: /etc/kubernetes/controller-manager.conf name: kubeconfig readOnly: true - mountPath: /etc/pki name: etc-pki readOnly: true hostNetwork: true priorityClassName: system-cluster-critical volumes: - hostPath: path: /etc/kubernetes/pki type: DirectoryOrCreate name: k8s-certs - hostPath: path: /etc/ssl/certs type: DirectoryOrCreate name: ca-certs - hostPath: path: /etc/kubernetes/controller-manager.conf type: FileOrCreate name: kubeconfig - hostPath: path: /etc/pki type: DirectoryOrCreate name: etc-pki kube-scheduler.yaml spec: containers: - command: - kube-scheduler - --address=127.0.0.1 - --kubeconfig=/etc/kubernetes/scheduler.conf - --leader-elect=true image: k8s.gcr.io/kube-scheduler:v1.12.1 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 8 httpGet: host: 127.0.0.1 path: /healthz port: 10251 scheme: HTTP initialDelaySeconds: 15 timeoutSeconds: 15 name: kube-scheduler resources: requests: cpu: 100m volumeMounts: - mountPath: /etc/kubernetes/scheduler.conf name: kubeconfig readOnly: true hostNetwork: true priorityClassName: system-cluster-critical volumes: - hostPath: path: /etc/kubernetes/scheduler.conf type: FileOrCreate name: kubeconfig etcd.yaml spec: containers: - command: - etcd - --advertise-client-urls=https://127.0.0.1:2379 - --cert-file=/etc/kubernetes/pki/etcd/server.crt - --client-cert-auth=true - --data-dir=/var/lib/etcd - --initial-advertise-peer-urls=https://127.0.0.1:2380 - --initial-cluster=master=https://127.0.0.1:2380 - --key-file=/etc/kubernetes/pki/etcd/server.key - --listen-client-urls=https://127.0.0.1:2379 - --listen-peer-urls=https://127.0.0.1:2380 - --name=master - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt - --peer-client-cert-auth=true - --peer-key-file=/etc/kubernetes/pki/etcd/peer.key - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt - --snapshot-count=10000 - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt image: k8s.gcr.io/etcd:3.2.24 imagePullPolicy: IfNotPresent livenessProbe: exec: command: - /bin/sh - -ec - ETCDCTL_API=3 etcdctl --endpoints=https://[127.0.0.1]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt --key=/etc/kubernetes/pki/etcd/healthcheck-client.key get foo failureThreshold: 8 initialDelaySeconds: 15 timeoutSeconds: 15 name: etcd resources: {} volumeMounts: - mountPath: /var/lib/etcd name: etcd-data - mountPath: /etc/kubernetes/pki/etcd name: etcd-certs hostNetwork: true priorityClassName: system-cluster-critical volumes: - hostPath: path: /var/lib/etcd type: DirectoryOrCreate name: etcd-data - hostPath: path: /etc/kubernetes/pki/etcd type: DirectoryOrCreate name: etcd-certs

证书名称 颁发者 证书主体 Subject Alternative Name（信任范围）
ca.crt CN=kubernetes CN=kubernetes
apiserver.crt CN=kubernetes CN=kube-apiserver DNS:master, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:192.168.31.105
apiserver-etcd-client.crt CN=etcd-ca O=system:masters, CN=kube-apiserver-etcd-client
apiserver-kubelet-client.crt CN=kubernetes O=system:masters, CN=kube-apiserver-kubelet-client
front-proxy-ca.crt CN=front-proxy-ca CN=front-proxy-ca
front-proxy-client.crt CN=front-proxy-ca CN=front-proxy-client
etc/ca.crt CN=etcd-ca CN=etcd-ca
etcd/healthcheck-client.crt CN=etcd-ca O=system:masters, CN=kube-etcd-healthcheck-client
etcd/peer.crt CN=etcd-ca CN=master DNS:master, DNS:localhost, IP Address:192.168.31.105, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
etcd/server.crt CN=etcd-ca CN=master DNS:master, DNS:localhost, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
组件 相关证书
kube-apiserver.yaml " - --client-ca-file=/etc/kubernetes/pki/ca.crt

- --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt" 

kube-controller-manager.yaml " - --client-ca-file=/etc/kubernetes/pki/ca.crt

- --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt - --root-ca-file=/etc/kubernetes/pki/ca.crt" 

etcd.yaml " - --cert-file=/etc/kubernetes/pki/etcd/server.crt

- --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt - ETCDCTL_API=3 etcdctl --endpoints=https://[127.0.0.1]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt --key=/etc/kubernetes/pki/etcd/healthcheck-client.key" 

参考
https://docs.traefik.io/user-guide/kubernetes/
https://www.jianshu.com/p/e30b06906b77
https://github.com/kubernetes/ingress-nginx/
https://kubernetes.github.io/ingress-nginx/
https://mritd.me/2017/03/04/how-to-use-nginx-ingress/
http://blog.51cto.com/tryingstuff/2136831
https://www.cnblogs.com/justmine/p/8991379.html

其他资源
https://blog.csdn.net/liukuan73/article/details/78883847
https://www.jianshu.com/p/fada87851e63
https://blog.csdn.net/huwh_/article/details/71308171
https://www.kubernetes.org.cn/kubernetes%E8%AE%BE%E8%AE%A1%E6%9E%B6%E6%9E%84
https://www.kubernetes.org.cn/3096.html
https://www.kubernetes.org.cn/