Exposing k8s cluster services to external networks with nginx-ingress
1. Ingress Overview
1.1 How ingress works
Step 1: The ingress controller talks to the k8s API to detect changes to the Ingress rules in the cluster as they happen, reads them, and forwards traffic to the corresponding Service in the cluster according to the defined Ingress rules.
Step 2: An Ingress rule states which domain name corresponds to which Service in the cluster; the controller then generates the corresponding nginx configuration from the nginx configuration template in the ingress-controller.
Step 3: The configuration is then written dynamically into the ingress-controller pod. An nginx service runs in that pod; the controller writes the generated nginx configuration into the nginx configuration file and reloads nginx so that the configuration takes effect, which gives per-domain configuration and dynamic updates.
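The rule matching that steps 1 to 3 turn into nginx configuration can be modelled directly. This is an added example, not code from the original post or from ingress-nginx: it resolves a request's Host header and path to a backend Service using the Kubernetes `Exact`/`Prefix` path semantics. `API_ING` is a constructed second Ingress, and treating `ImplementationSpecific` like `Prefix` is an assumption.

```python
def host_matches(rule_host, request_host):
    """Exact host match, or '*.example.com' covering exactly one extra label."""
    if not rule_host:                      # a rule without host applies to any Host
        return True
    rule_host, request_host = rule_host.lower(), request_host.lower()
    if rule_host.startswith("*."):
        suffix = rule_host[1:]             # ".example.com"
        label = request_host[: -len(suffix)]
        return request_host.endswith(suffix) and label != "" and "." not in label
    return rule_host == request_host


def path_matches(path_type, rule_path, request_path):
    """Exact compares the whole path; Prefix compares '/'-separated elements."""
    if path_type == "Exact":
        return rule_path == request_path
    rule_parts = [p for p in rule_path.split("/") if p]
    req_parts = [p for p in request_path.split("/") if p]
    return req_parts[: len(rule_parts)] == rule_parts


def route(ingresses, host_header, path):
    """Return (namespace, service, port), or None when only the default backend (404) applies."""
    host = host_header.split(":")[0]       # Host may carry the NodePort, e.g. :32210
    best = None
    for ing in ingresses:
        ns = ing["metadata"].get("namespace", "default")
        for rule in ing["spec"].get("rules", []):
            if not host_matches(rule.get("host"), host):
                continue
            for p in rule.get("http", {}).get("paths", []):
                rule_path = p.get("path", "/")
                if not path_matches(p.get("pathType", "Prefix"), rule_path, path):
                    continue
                svc = p["backend"]["service"]
                # Longest path wins; Exact beats Prefix when the length is equal.
                rank = (len(rule_path), p.get("pathType") == "Exact")
                if best is None or rank > best[0]:
                    best = (rank, (ns, svc["name"], svc["port"]["number"]))
    return best[1] if best else None


def _ingress(name, host, path, service, port):
    return {"metadata": {"name": name, "namespace": "test"},
            "spec": {"rules": [{"host": host, "http": {"paths": [
                {"path": path, "pathType": "Prefix",
                 "backend": {"service": {"name": service, "port": {"number": port}}}}]}}]}}


# The Ingress created later on this page (web-ing).
WEB_ING = _ingress("web-ing", "web.example.com", "/", "nginx", 80)
# Constructed second Ingress (not on the page) to show longest-prefix selection.
API_ING = _ingress("api-ing", "web.example.com", "/api", "api", 8080)

if __name__ == "__main__":
    for host, path in [("web.example.com", "/"), ("web.example.com", "/api/v1"),
                       ("web.example.com", "/apix"), ("10.140.20.141", "/")]:
        print(host, path, "->", route([WEB_ING, API_ING], host, path))
```

A request addressed to the node IP without the matching Host header resolves to no rule, which is why the final verification on this page adds a hosts entry before calling curl.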
1.2 Problems that ingress can solve
1) Dynamic service configuration
With the traditional method, every time we add a new service we may need to add a reverse proxy at the traffic entrance that points to the new k8s service. With Ingress we only need to configure the service; when the service starts it is registered with Ingress automatically, and no extra operations are required.
2) Reduce unnecessary port exposure
Anyone who has configured k8s knows that the first step is to turn off the firewall. The main reason is that many k8s services are mapped out as NodePort, which amounts to punching a lot of holes in the host machine, and that is neither safe nor elegant. Ingress avoids this problem: only the Ingress controller's own service may need to be mapped out, and other services should not use the NodePort method.
2. Deploy nginx-ingress
2.0 Description of related deployment components
PodName | namespace | ServiceName | ports | deployment method | Function |
---|---|---|---|---|---|
ingress-nginx-controller | test | ingress-nginx-controller | NodePort: 80 (http), 443 (https) | DaemonSet | Provides service routing based on flexible Ingress policy definitions |
ingress-nginx-admission-create | test | ingress-nginx-controller-admission | LoadBalancer: 443 | Job | Creates a certificate; the certificate name, domain name, namespace and other information must be specified |
ingress-nginx-admission-patch | test | ingress-nginx-controller-admission | LoadBalancer: 443 | Job | Extracts the CA from the previously created certificate and writes it to the specified admission webhook configuration |
ingress instance | test | ingress | | | Specific nginx forwarding configuration |
2.1 Write nginx-ingress related resource files
```
# 'EOF' is quoted so the shell does not expand $(POD_NAMESPACE) while writing the file
[root@master1 ingress]# cat > nginx-ingress.yaml << 'EOF'
apiVersion: v1
kind: Namespace
metadata:
  name: test
---
# Service accounts for the controller and for the admission certificate jobs
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.4.0
  name: ingress-nginx
  namespace: test
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.4.0
  name: ingress-nginx-admission
  namespace: test
---
# Namespaced permissions of the controller
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.4.0
  name: ingress-nginx
  namespace: test
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  - secrets
  - endpoints
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resourceNames:
  - ingress-controller-leader
  resources:
  - configmaps
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
- apiGroups:
  - coordination.k8s.io
  resourceNames:
  - ingress-controller-leader
  resources:
  - leases
  verbs:
  - get
  - update
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - list
  - watch
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.4.0
  name: ingress-nginx-admission
  namespace: test
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
---
# Cluster-wide permissions of the controller
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.4.0
  name: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - nodes
  - pods
  - secrets
  - namespaces
  verbs:
  - list
  - watch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - list
  - watch
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.4.0
  name: ingress-nginx-admission
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - update
---
# Bind the roles above to the two service accounts
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.4.0
  name: ingress-nginx
  namespace: test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
- kind: ServiceAccount
  name: ingress-nginx
  namespace: test
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.4.0
  name: ingress-nginx-admission
  namespace: test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: test
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.4.0
  name: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
- kind: ServiceAccount
  name: ingress-nginx
  namespace: test
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.4.0
  name: ingress-nginx-admission
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: test
---
# Controller settings, read through --configmap
apiVersion: v1
data:
  allow-snippet-annotations: "true"
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.4.0
  name: ingress-nginx-controller
  namespace: test
---
# Service in front of the controller's http/https ports
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.4.0
  name: ingress-nginx-controller
  namespace: test
spec:
  externalTrafficPolicy: Local
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - appProtocol: http
    name: http
    port: 80
    protocol: TCP
    targetPort: http
  - appProtocol: https
    name: https
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: NodePort
---
# Service in front of the controller's validating webhook port
apiVersion: v1
kind: Service
metadata:
  annotations:
    ingressclass.kubernetes.io/is-default-class: "true"
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.4.0
  name: ingress-nginx-controller-admission
  namespace: test
spec:
  ports:
  - appProtocol: https
    name: https-webhook
    port: 443
    targetPort: webhook
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: LoadBalancer
---
# The controller itself: one pod per schedulable node, on the host network
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.4.0
  name: ingress-nginx-controller
  namespace: test
spec:
  minReadySeconds: 0
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/name: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
    spec:
      hostNetwork: true
      containers:
      - args:
        - /nginx-ingress-controller
        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
        - --election-id=ingress-controller-leader
        - --controller-class=k8s.io/ingress-nginx
        - --ingress-class=nginx
        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LD_PRELOAD
          value: /usr/local/lib/libmimalloc.so
        image: anjia0532/google-containers.ingress-nginx.controller:v1.4.0
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
            exec:
              command:
              - /wait-shutdown
        livenessProbe:
          failureThreshold: 5
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: controller
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
        - containerPort: 443
          name: https
          protocol: TCP
        - containerPort: 8443
          name: webhook
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          requests:
            cpu: 100m
            memory: 90Mi
        securityContext:
          allowPrivilegeEscalation: true
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
          runAsUser: 101
        volumeMounts:
        - mountPath: /usr/local/certificates/
          name: webhook-cert
          readOnly: true
      dnsPolicy: ClusterFirst
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
      - name: webhook-cert
        secret:
          secretName: ingress-nginx-admission
---
# Job 1: create the webhook certificate and store it in a Secret
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.4.0
  name: ingress-nginx-admission-create
  namespace: test
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.4.0
      name: ingress-nginx-admission-create
    spec:
      containers:
      - args:
        - create
        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
        - --namespace=$(POD_NAMESPACE)
        - --secret-name=ingress-nginx-admission
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: anjia0532/google-containers.ingress-nginx.kube-webhook-certgen:v20220916-gd32f8c343
        imagePullPolicy: IfNotPresent
        name: create
        securityContext:
          allowPrivilegeEscalation: false
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      serviceAccountName: ingress-nginx-admission
---
# Job 2: write the CA of that certificate into the webhook configuration
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.4.0
  name: ingress-nginx-admission-patch
  namespace: test
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.4.0
      name: ingress-nginx-admission-patch
    spec:
      containers:
      - args:
        - patch
        - --webhook-name=ingress-nginx-admission
        - --namespace=$(POD_NAMESPACE)
        - --patch-mutating=false
        - --secret-name=ingress-nginx-admission
        - --patch-failure-policy=Fail
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: anjia0532/google-containers.ingress-nginx.kube-webhook-certgen:v20220916-gd32f8c343
        imagePullPolicy: IfNotPresent
        name: patch
        securityContext:
          allowPrivilegeEscalation: false
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      serviceAccountName: ingress-nginx-admission
---
# Default IngressClass handled by this controller
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  annotations:
    ingressclass.kubernetes.io/is-default-class: "true"
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.4.0
  name: nginx
spec:
  controller: k8s.io/ingress-nginx
---
# Ask the controller to validate every Ingress create/update
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.4.0
  name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: ingress-nginx-controller-admission
      namespace: test
      path: /networking/v1/ingresses
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: validate.nginx.ingress.kubernetes.io
  rules:
  - apiGroups:
    - networking.k8s.io
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - ingresses
  sideEffects: None
EOF
```
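Several settings in this manifest decide how much of the controller is reachable and who can change its nginx configuration, which bears on the "reduce unnecessary port exposure" goal from section 1.2. The following check is an added example, not part of the original post or of ingress-nginx: it audits objects in `kubectl ... -o json` form for four of those settings. The sample objects are constructed, trimmed copies of the manifest above, `TIGHTER` is a hypothetical comparison variant, and its digest is a placeholder.

```python
import json

WORKLOADS = ("DaemonSet", "Deployment", "Job")


def load(text):
    """Accept a single object or a kind: List document (kubectl ... -o json)."""
    doc = json.loads(text)
    return doc["items"] if doc.get("kind") == "List" else [doc]


def audit(objects):
    """Return (object, finding) pairs for settings that widen the controller's exposure."""
    findings = []
    for obj in objects:
        kind, spec = obj.get("kind"), obj.get("spec", {})
        ident = f"{kind}/{obj['metadata']['name']}"
        # Snippet annotations let whoever can edit an Ingress add raw nginx directives.
        if kind == "ConfigMap" and obj.get("data", {}).get("allow-snippet-annotations") == "true":
            findings.append((ident, "allow-snippet-annotations is true"))
        # The API server calls the validating webhook through the Service;
        # NodePort/LoadBalancer additionally publishes it outside the cluster.
        if kind == "Service" and spec.get("type", "ClusterIP") != "ClusterIP":
            if any(p.get("targetPort") == "webhook" for p in spec.get("ports", [])):
                findings.append((ident, f"admission webhook Service is type {spec['type']}"))
        pod = spec.get("template", {}).get("spec", {}) if kind in WORKLOADS else {}
        # With hostNetwork the container ports (80, 443, 8443 here) bind on the node itself.
        if pod.get("hostNetwork"):
            findings.append((ident, "hostNetwork: container ports bind on the node itself"))
        for container in pod.get("containers", []):
            image = container.get("image", "")
            if "@sha256:" not in image:
                findings.append((ident, f"image {image} is pinned by tag only"))
    return findings


def sample(snippets, webhook_type, host_network, image):
    """Constructed, trimmed copies of the ConfigMap, webhook Service and DaemonSet."""
    return [
        {"kind": "ConfigMap", "metadata": {"name": "ingress-nginx-controller"},
         "data": {"allow-snippet-annotations": snippets}},
        {"kind": "Service", "metadata": {"name": "ingress-nginx-controller-admission"},
         "spec": {"type": webhook_type, "ports": [{"port": 443, "targetPort": "webhook"}]}},
        {"kind": "DaemonSet", "metadata": {"name": "ingress-nginx-controller"},
         "spec": {"template": {"spec": {
             "hostNetwork": host_network,
             "containers": [{"name": "controller", "image": image}]}}}},
    ]


IMAGE = "anjia0532/google-containers.ingress-nginx.controller:v1.4.0"
AS_ON_PAGE = sample("true", "LoadBalancer", True, IMAGE)
# Hypothetical variant; the all-zero digest is a placeholder, and without
# hostNetwork clients reach the controller through its NodePort instead of :80.
TIGHTER = sample("false", "ClusterIP", False, IMAGE + "@sha256:" + "0" * 64)

if __name__ == "__main__":
    for ident, finding in audit(AS_ON_PAGE):
        print(f"{ident}: {finding}")
```

Against a running cluster, the same functions accept the output of `kubectl get configmap,service,daemonset -n test -o json` passed through `load()`.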
Apply the manifest
```
[root@master1 ingress]# kubectl apply -f nginx-ingress.yaml
serviceaccount/ingress-nginx created
serviceaccount/ingress-nginx-admission created
role.rbac.authorization.k8s.io/ingress-nginx created
role.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrole.rbac.authorization.k8s.io/ingress-nginx created
clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission created
rolebinding.rbac.authorization.k8s.io/ingress-nginx created
rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
configmap/ingress-nginx-controller created
service/ingress-nginx-controller created
service/ingress-nginx-controller-admission created
daemonset.apps/ingress-nginx-controller created
job.batch/ingress-nginx-admission-create created
job.batch/ingress-nginx-admission-patch created
ingressclass.networking.k8s.io/nginx created
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission created
```
Verification
```
[root@master1 ingress]# kubectl get pods -n test
NAME                                     READY   STATUS             RESTARTS      AGE
ingress-nginx-admission-create-z2xgq     0/1     Completed          0             3m8s
ingress-nginx-admission-patch-qpnh7      0/1     Completed          2             3m8s
ingress-nginx-controller-kc7km           1/1     Running            0             3m8s
ingress-nginx-controller-knjm6           0/1     CrashLoopBackOff   3 (19s ago)   3m8s
ingress-nginx-controller-mzqjn           1/1     Running            0             3m8s
ingress-nginx-controller-xcxsd           1/1     Running            0             3m8s
nfs-client-provisioner-fb55999fb-pcrqt   1/1     Running            0             4h11m
web-0                                    1/1     Running            0             4h5m
web-1                                    1/1     Running            0             4h5m
[root@master1 ingress]# kubectl logs -n test ingress-nginx-controller-knjm6
-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       v1.4.0
  Build:         50be2bf95fd1ef480420e2aa1d6c5c7c138c95ea
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.19.10
-------------------------------------------------------------------------------
F0524 06:17:54.168788       6 main.go:67] port 80 is already in use. Please check the flag --http-port
```
Error resolution:
The pod's error log shows that port 80 is already in use. Free the port, then restart the pod.
```
[root@master1 ingress]# docker ps|grep rancher
56e840839dc1   rancher/rancher:v2.7.0-rc12   "entrypoint.sh"   7 days ago   Up 7 days   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   rancher
[root@master1 ingress]# docker stop rancher
rancher
[root@master1 ingress]# kubectl get pods -n test
NAME                                     READY   STATUS             RESTARTS      AGE
ingress-nginx-admission-create-z2xgq     0/1     Completed          0             8m46s
ingress-nginx-admission-patch-qpnh7      0/1     Completed          2             8m46s
ingress-nginx-controller-kc7km           1/1     Running            0             8m46s
ingress-nginx-controller-knjm6           0/1     CrashLoopBackOff   6 (53s ago)   8m46s
ingress-nginx-controller-mzqjn           1/1     Running            0             8m46s
ingress-nginx-controller-xcxsd           1/1     Running            0             8m46s
nfs-client-provisioner-fb55999fb-pcrqt   1/1     Running            0             4h17m
web-0                                    1/1     Running            0             4h11m
web-1                                    1/1     Running            0             4h11m
[root@master1 ingress]# kubectl delete pods -n test ingress-nginx-controller-knjm6
pod "ingress-nginx-controller-knjm6" deleted
[root@master1 ingress]# kubectl get pods -n test
NAME                                     READY   STATUS      RESTARTS   AGE
ingress-nginx-admission-create-z2xgq     0/1     Completed   0          9m13s
ingress-nginx-admission-patch-qpnh7      0/1     Completed   2          9m13s
ingress-nginx-controller-kc7km           1/1     Running     0          9m13s
ingress-nginx-controller-mzqjn           1/1     Running     0          9m13s
ingress-nginx-controller-r7knt           1/1     Running     0          12s
ingress-nginx-controller-xcxsd           1/1     Running     0          9m13s
nfs-client-provisioner-fb55999fb-pcrqt   1/1     Running     0          4h17m
web-0                                    1/1     Running     0          4h11m
web-1                                    1/1     Running     0          4h11m
```
Create an Ingress to test external network access
View the current Services
```
[root@master1 ingress]# kubectl get svc -n test
NAME                                 TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx-controller             NodePort       10.96.117.202   <none>        80:32210/TCP,443:32008/TCP   11m
ingress-nginx-controller-admission   LoadBalancer   10.96.131.36    <pending>     443:32639/TCP                11m
nginx                                ClusterIP      None            <none>        80/TCP                       4h14m
You have new mail in /var/spool/mail/root
[root@master1 ingress]# kubectl get svc -n test nginx -oyaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app":"nginx"},"name":"nginx","namespace":"test"},"spec":{"clusterIP":"None","ports":[{"name":"web","port":80}],"selector":{"app":"nginx"}}}
  creationTimestamp: "2023-05-24T02:11:37Z"
  labels:
    app: nginx
  name: nginx
  namespace: test
  resourceVersion: "2499378"
  uid: a4584c4d-51ea-4bf0-b711-880090ad1dae
spec:
  clusterIP: None
  clusterIPs:
  - None
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: web
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}
```
Create the Ingress
```
cat > web-ing.yaml << EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ing
  namespace: test
spec:
  rules:
  - host: web.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
EOF
```
Apply
```
[root@master1 ingress]# kubectl apply -f web-ing.yaml
ingress.networking.k8s.io/web-ing created
```
Verification
Confirm the deployment:
- ingress-nginx-controller: for high availability it is deployed as a DaemonSet, so one pod is deployed on every schedulable node in the cluster (the master node cannot be scheduled); confirm that the pods are in the Running state.
- ingress-nginx-controller Service: it uses the NodePort method; confirm that the PORTS column shows node ports above 30000.
```
[root@master1 nfs-provisioner]# kubectl get pod,svc -n test
NAME                                         READY   STATUS      RESTARTS   AGE
pod/ingress-nginx-admission-create-z2xgq     0/1     Completed   0          67m
pod/ingress-nginx-admission-patch-qpnh7      0/1     Completed   2          67m
pod/ingress-nginx-controller-kc7km           1/1     Running     0          67m
pod/ingress-nginx-controller-mzqjn           1/1     Running     0          67m
pod/ingress-nginx-controller-r7knt           1/1     Running     0          58m
pod/ingress-nginx-controller-xcxsd           1/1     Running     0          67m
pod/nfs-client-provisioner-fb55999fb-pcrqt   1/1     Running     0          5h15m
pod/web-0                                    1/1     Running     0          5h9m
pod/web-1                                    1/1     Running     0          5h9m
pod/web-7849c945f4-k9xzz                     1/1     Running     0          21m
pod/web-7849c945f4-x246j                     1/1     Running     0          21m

NAME                                         TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
service/ingress-nginx-controller             NodePort       10.96.117.202   <none>        80:32210/TCP,443:32008/TCP   67m
service/ingress-nginx-controller-admission   LoadBalancer   10.96.131.36    <pending>     443:32639/TCP                67m
service/nginx                                ClusterIP      10.96.6.151     <none>        80/TCP                       21m
[root@master1 nfs-provisioner]# telnet 10.140.20.142 32210
Trying 10.140.20.142...
Connected to 10.140.20.142.
Escape character is '^]'.
^CConnection closed by foreign host.
```
Access verification
```
[root@master1 nfs-provisioner]# kubectl exec -n test web-7849c945f4-k9xzz -it bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@web-7849c945f4-k9xzz:/# ls /usr/share/nginx/html/
root@web-7849c945f4-k9xzz:/#
root@web-7849c945f4-k9xzz:/# ls /usr/share/nginx/html/
root@web-7849c945f4-k9xzz:/# echo 1 > /usr/share/nginx/html/index.html
root@web-7849c945f4-k9xzz:/# curl http://localhost/
1
root@web-7849c945f4-k9xzz:/# exit
[root@master1 nfs-provisioner]# kubectl get svc -n test
NAME                                 TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx-controller             NodePort       10.96.117.202   <none>        80:32210/TCP,443:32008/TCP   51m
ingress-nginx-controller-admission   LoadBalancer   10.96.131.36    <pending>     443:32639/TCP                51m
nginx                                ClusterIP      10.96.6.151     <none>        80/TCP                       5m40s
[root@master1 nfs-provisioner]# kubectl get ing -n test
NAME      CLASS   HOSTS             ADDRESS         PORTS   AGE
web-ing   nginx   web.example.com   10.96.117.202   80      26m
# Log in to a server outside the k8s cluster, add a hosts entry for the domain, then verify
root@k8s-master1:~# tail -n 1 /etc/hosts
10.140.20.141 web.example.com
root@k8s-master1:~# curl http://web.example.com
1
```