在使用kubenetes的过程中,如何将服务开放到集群外部访问是一个重要的问题。当使用云平台(阿里云、腾讯云、AWS等)的容器服务时,我们可以通过配置 service 为 LoadBalancer 模式来绑定云平台的负载均衡器,从而实现外网的访问。但是,如果对于自建的 kubernetes裸机集群,这个问题则要麻烦的多。
祼机集群不支持负载均衡的方式,可用的不外乎NodePort、HostNetwork、ExternalIPs等方式来实现外部访问。但这些方式并不完美,他们或多或少都存在的一些缺点,这使得裸机集群成为Kubernetes生态系统中的二等公民。
MetalLB 旨在通过提供与标准网络设备集成的Network LB实施来解决这个痛点,从而使裸机群集上的外部服务也尽可能“正常运行”,减少运维上的管理成本。
部署
- 创建namespace
$ kubectl create namespace metallb-system - 新建 secret
$ kubectl create secret generic -n metallb-system memberlist --from-literal=secretkey="$(openssl rand -base64 128)"
参数 from 前面是两个- - 部署
root@sxf-virtual-machine:~# kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/main/manifests/metallb.yaml Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+ podsecuritypolicy.policy/controller created podsecuritypolicy.policy/speaker created serviceaccount/controller created serviceaccount/speaker created clusterrole.rbac.authorization.k8s.io/metallb-system:controller created clusterrole.rbac.authorization.k8s.io/metallb-system:speaker created role.rbac.authorization.k8s.io/config-watcher created role.rbac.authorization.k8s.io/pod-lister created role.rbac.authorization.k8s.io/controller created clusterrolebinding.rbac.authorization.k8s.io/metallb-system:controller created clusterrolebinding.rbac.authorization.k8s.io/metallb-system:speaker created rolebinding.rbac.authorization.k8s.io/config-watcher created rolebinding.rbac.authorization.k8s.io/pod-lister created rolebinding.rbac.authorization.k8s.io/controller created daemonset.apps/speaker created deployment.apps/controller created
查看部署结果
root@sxf-virtual-machine:~# kubectl get pod -n metallb-system NAME READY STATUS RESTARTS AGE controller-6cc57c4567-cn766 1/1 Running 0 29m speaker-4fv86 1/1 Running 0 32m
root@sxf-virtual-machine:~# kubectl get sa -n metallb-system NAME SECRETS AGE controller 1 33m default 1 33m speaker 1 33m
- 配置 MetalLB
配置 MetalLB 为 Layer 2模式 (使用 yaml 文件部署), 文件 MetalLB-Layer2-Configmap.yaml
kind: ConfigMap
apiVersion: v1
metadata:
name: config
namespace: metallb-system
data:
config: |
address-pools:
- name: default
protocol: layer2
addresses:
- 192.168.3.251-192.168.3.254
这里配置一个由 MetalLB 二层模式控制的 service 外部 IP 段为 192.168.3.251 - 192.168.3.254。
$ kubectl apply -f MetalLB-Layer2-Configmap.yaml
使用kubectl log -f [matellb-contoller-pod]能看到配置更新过程
查看结果
root@sxf-virtual-machine:~# kubectl get cm -n metallb-system NAME DATA AGE config 1 22s istio-ca-root-cert 1 43m kube-root-ca.crt 1 43m
测试
创建一个Nginx服务,服务类型为LoadBalancer:
deploy.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
spec:
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:latest
ports:
- name: http
containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: nginx
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 80
selector:
app: nginx
type: LoadBalancer
服务创建,并查看服务信息:
$ kubectl apply -f deploy.yaml
查看pod
root@sxf-virtual-machine:~# kubectl get pod NAME READY STATUS RESTARTS AGE nginx-8c9df995d-pvmkl 1/1 Running 0 2m10s
查看服务
root@sxf-virtual-machine:~# kubectl get svc -A NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE default details ClusterIP 10.110.60.221 <none> 9080/TCP 3d1h default hostnames ClusterIP 10.111.190.216 <none> 80/TCP 3d1h default kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 3d23h default nginx LoadBalancer 10.108.230.26 192.168.3.253 80:30829/TCP 65s default productpage ClusterIP 10.98.222.204 <none> 9080/TCP 3d1h default ratings ClusterIP 10.104.86.58 <none> 9080/TCP 3d1h default reviews ClusterIP 10.101.246.133 <none> 9080/TCP 3d1h istio-system istio-eastwestgateway LoadBalancer 10.99.130.139 192.168.3.252 15021:31544/TCP,15443:32575/TCP,15012:30747/TCP,15017:30099/TCP 3d istio-system istio-ingressgateway LoadBalancer 10.96.196.70 192.168.3.251 15021:30035/TCP,80:31245/TCP,443:31639/TCP 3d22h istio-system istiod ClusterIP 10.107.246.136 <none> 15010/TCP,15012/TCP,443/TCP,15014/TCP 3d23h kube-system kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 3d23h
这里就发现一些 LoadBalancer 类型的服务,被分配到了固定的 IP地址信息。这时我们用 curl 192.168.3.253 验证一下nginx服务,就会发现返回了 Nginx 的欢迎信息。
root@sxf-virtual-machine:~# curl 192.168.3.253
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
可以看到可以正常访问pod的内容。
最后我们清理pod
root@sxf-virtual-machine:~# kubectl delete -f deploy.yaml deployment.apps "nginx" deleted service "nginx" deleted