mirror of
https://github.com/docker/docs.git
synced 2026-04-05 10:48:55 +07:00
Merge pull request #8168 from docker/kube-ingress-updates
Kube ingress updates and updates for EE 2.1
This commit is contained in:
paigehargrave
@@ -440,4 +440,4 @@ Click the **permalink** to view the site.
|
||||
## Where to go next
|
||||
|
||||
- [Example of NFS based persistent volume](https://github.com/kubernetes/examples/tree/master/staging/volumes/nfs#nfs-server-part)
|
||||
- [Example: Deploying WordPress and MySQL with Persistent Volumes](https://v1-8.docs.kubernetes.io/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume/)
|
||||
- [Example: Deploying WordPress and MySQL with Persistent Volumes](https://v1-11.docs.kubernetes.io/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume/)
|
||||
|
||||
@@ -18,7 +18,7 @@ and resource quotas for the namespace.</p>
|
||||
<p>Each Kubernetes resources can only be in one namespace, and namespaces cannot
|
||||
be nested inside one another.</p>
|
||||
|
||||
<p><a href="https://v1-8.docs.kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/">Learn more about Kubernetes namespaces</a>.</p>
|
||||
<p><a href="https://v1-11.docs.kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/">Learn more about Kubernetes namespaces</a>.</p>
|
||||
|
||||
<h2 id="swarm-collections">Swarm collections</h2>
|
||||
|
||||
|
||||
@@ -68,7 +68,7 @@ networks, nodes, services, secrets, and volumes.</p>
|
||||
</li>
|
||||
<li>
|
||||
<p><strong>Kubernetes namespaces</strong>: A
|
||||
<a href="https://v1-8.docs.kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/">namespace</a>
|
||||
<a href="https://v1-11.docs.kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/">namespace</a>
|
||||
is a logical area for a Kubernetes cluster. Kubernetes comes with a <code class="highlighter-rouge">default</code>
|
||||
namespace for your cluster objects, plus two more namespaces for system and
|
||||
public resources. You can create custom namespaces, but unlike Swarm
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
<p>With Docker Enterprise Edition, you can create roles and grants
|
||||
that implement the permissions that are defined in your Kubernetes apps.
|
||||
Learn about <a href="https://v1-8.docs.kubernetes.io/docs/admin/authorization/rbac/">RBAC authorization in Kubernetes</a>.</p>
|
||||
Learn about <a href="https://v1-11.docs.kubernetes.io/docs/admin/authorization/rbac/">RBAC authorization in Kubernetes</a>.</p>
|
||||
|
||||
<p>Docker EE has its own implementation of role-based access control, so you
|
||||
can’t use Kubernetes RBAC objects directly. Instead, you create UCP roles
|
||||
|
||||
@@ -24,7 +24,7 @@ and resource quotas for the namespace.
|
||||
Each Kubernetes resources can only be in one namespace, and namespaces cannot
|
||||
be nested inside one another.
|
||||
|
||||
[Learn more about Kubernetes namespaces](https://v1-8.docs.kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/).
|
||||
[Learn more about Kubernetes namespaces](https://v1-11.docs.kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/).
|
||||
|
||||
## Swarm collections
|
||||
|
||||
|
||||
@@ -67,7 +67,7 @@ To control user access, cluster resources are grouped into Docker Swarm
|
||||
networks, nodes, services, secrets, and volumes.
|
||||
|
||||
- **Kubernetes namespaces**: A
|
||||
[namespace](https://v1-8.docs.kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/)
|
||||
[namespace](https://v1-11.docs.kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/)
|
||||
is a logical area for a Kubernetes cluster. Kubernetes comes with a `default`
|
||||
namespace for your cluster objects, plus two more namespaces for system and
|
||||
public resources. You can create custom namespaces, but unlike Swarm
|
||||
|
||||
@@ -6,7 +6,7 @@ keywords: authorization, authentication, authorize, authenticate, user, team, UC
|
||||
|
||||
With Docker Enterprise Edition, you can create roles and grants
|
||||
that implement the permissions that are defined in your Kubernetes apps.
|
||||
Learn about [RBAC authorization in Kubernetes](https://v1-8.docs.kubernetes.io/docs/admin/authorization/rbac/).
|
||||
Learn about [RBAC authorization in Kubernetes](https://v1-11.docs.kubernetes.io/docs/admin/authorization/rbac/).
|
||||
|
||||
Docker EE has its own implementation of role-based access control, so you
|
||||
can't use Kubernetes RBAC objects directly. Instead, you create UCP roles
|
||||
|
||||
Binary file not shown.
|
Before Width: | Height: | Size: 59 KiB After Width: | Height: | Size: 41 KiB |
@@ -9,7 +9,7 @@ A service account represents an identity for processes that run in a pod.
|
||||
When a process is authenticated through a service account, it can contact the
|
||||
API server and access cluster resources. If a pod doesn't have an assigned
|
||||
service account, it gets the `default` service account.
|
||||
Learn about [managing service accounts](https://v1-8.docs.kubernetes.io/docs/admin/service-accounts-admin/).
|
||||
Learn about [managing service accounts](https://v1-11.docs.kubernetes.io/docs/admin/service-accounts-admin/).
|
||||
|
||||
In Docker EE, you give a service account access to cluster resources by
|
||||
creating a grant, the same way that you would give access to a user or a team.
|
||||
@@ -86,4 +86,4 @@ assigned to the `nginx` namespace.
|
||||
|
||||
## Where to go next
|
||||
|
||||
- [Deploy an ingress controller for a Kubernetes app](deploy-ingress-controller.md)
|
||||
- [Deploy an ingress controller for a Kubernetes app](deploy-ingress-controller.md)
|
||||
|
||||
@@ -152,7 +152,7 @@ spec:
|
||||
## Use the CLI to deploy Kubernetes objects
|
||||
|
||||
With Docker EE, you deploy your Kubernetes objects on the command line by using
|
||||
`kubectl`. [Install and set up kubectl](https://v1-8.docs.kubernetes.io/docs/tasks/tools/install-kubectl/).
|
||||
`kubectl`. [Install and set up kubectl](https://v1-11.docs.kubernetes.io/docs/tasks/tools/install-kubectl/).
|
||||
|
||||
Use a client bundle to configure your client tools, like Docker CLI and `kubectl`
|
||||
to communicate with UCP instead of the local deployments you might have running.
|
||||
|
||||
@@ -26,7 +26,7 @@ Ingress is an API object that manages external access to the services in a clust
|
||||
## Prerequisites
|
||||
|
||||
- UCP deployed and properly configured
|
||||
- Two or three dedicated infrae nodes deployed as UCP worker nodes
|
||||
- Two or three dedicated infra nodes deployed as UCP worker nodes
|
||||
- An external load-balancer fronting these nodes with an associated VIP that resolves the application DNS (for example, `*.app.docker.mycompany.com`)
|
||||
|
||||
### Step 1: Labeling infrastructure nodes
|
||||
@@ -51,14 +51,17 @@ node "dockeree-worker-linux-1" labeled
|
||||
node "dockeree-worker-linux-2" labeled
|
||||
🐳 → kubectl label node dockeree-worker-linux-3 infra.role=ingress
|
||||
node "dockeree-worker-linux-3" labeled
|
||||
|
||||
```
|
||||
|
||||
### Step 2: Create a Dedicated Namespace
|
||||
|
||||
A dedicated namespace, for example, `infra`, is needed for all infrastructure deployment activities. You also need a service account to enable the ingress controller to work with the Kubernetes API. After creating a namespace and a service account, you must create an RBAC policy to only allow infrastructure deployments on the dedicated nodes that were labelled in the previous example.
|
||||
|
||||
To create a namespace and a service account, simply use the following [YAML file](config/ns-and-sa.yaml) and apply it via the CLI or the UI:
|
||||
Because Kubernetes role based access control (RBAC) is supported, you can download an example
|
||||
[YAML file](https://github.com/kubernetes/ingress-nginx/blob/master/deploy/mandatory.yaml) from the Kubernetes community
|
||||
to create the necessary Kubernetes objects.
|
||||
|
||||
Or, simply use the following [YAML file](config/ns-and-sa.yaml) to create a namespace and a service account, and apply it via the CLI or the UI:
|
||||
|
||||
```
|
||||
🐳 → cat ns-and-sa.yaml
|
||||
@@ -85,8 +88,7 @@ serviceaccount "nginx-ingress-service-account" created
|
||||
|
||||
### Step 3: Create an RBAC Policy
|
||||
|
||||
Apply an RBAC role-binding for NGINX controller access to the API Server, as shown in the following example:
|
||||
|
||||
Apply an RBAC role-binding for NGINX controller access to the API Server, such as the one shown in the following example:
|
||||
|
||||
```
|
||||
🐳 → cat ingress-rbac.yaml
|
||||
@@ -173,163 +175,16 @@ Then apply it with `kubectl`:
|
||||
|
||||
### Step 4: Deploy NGINX Controller
|
||||
|
||||
Note that following example uses hostPorts for controller ports. This exposes the host port ( selected in a high range using `hostPort: 38080`) directly into the nodes. Port 38080 is used for HTTP and port 38443 is used for HTTPS. Make sure that your loadbalancer forwards to the applicable ports on the nodes. You can change them as needed.
|
||||
Kubernetes provides an NGINX ingress controller that is based on the Kubernetes community [NGINX controller](https://github.com/kubernetes/ingress-nginx), and can be used in Docker Enterprise Edition,
|
||||
but it is not directly supported by Docker, Inc.
|
||||
|
||||
For another example of a YAML NGINX kube ingress deployment, refer to <https://success.docker.com/article/how-to-configure-a-default-tls-certificate-for-the-kubernetes-nginx-ingress-controller>.
|
||||
Note that this example uses hostPorts for controller ports. This exposes the host port ( selected in a high range using `hostPort: 38080`) directly into the nodes.
|
||||
Port 38080 is used for HTTP and port 38443 is used for HTTPS. Make sure that your loadbalancer forwards to the applicable ports on the nodes. You can change them as needed.
|
||||
|
||||
```
|
||||
🐳 → cat nginx-ingress-deployment.yaml
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: default-http-backend
|
||||
labels:
|
||||
app: default-http-backend
|
||||
namespace: infra
|
||||
spec:
|
||||
replicas: 3
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: default-http-backend
|
||||
spec:
|
||||
terminationGracePeriodSeconds: 60
|
||||
containers:
|
||||
- name: default-http-backend
|
||||
image: gcr.io/google_containers/defaultbackend:1.4
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
port: 8080
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: 30
|
||||
timeoutSeconds: 5
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
resources:
|
||||
limits:
|
||||
cpu: 10m
|
||||
memory: 20Mi
|
||||
requests:
|
||||
cpu: 10m
|
||||
memory: 20Mi
|
||||
nodeSelector:
|
||||
infra.role: ingress
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: default-http-backend
|
||||
namespace: infra
|
||||
labels:
|
||||
app: default-http-backend
|
||||
spec:
|
||||
ports:
|
||||
- port: 80
|
||||
targetPort: 8080
|
||||
selector:
|
||||
app: default-http-backend
|
||||
---
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: nginx-configuration
|
||||
namespace: infra
|
||||
labels:
|
||||
app: ingress-nginx
|
||||
---
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: tcp-services
|
||||
namespace: infra
|
||||
---
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: udp-services
|
||||
namespace: infra
|
||||
---
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: nginx-ingress-controller
|
||||
namespace: infra
|
||||
spec:
|
||||
replicas: 3
|
||||
selector:
|
||||
matchLabels:
|
||||
app: ingress-nginx
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: ingress-nginx
|
||||
annotations:
|
||||
prometheus.io/port: '10254'
|
||||
prometheus.io/scrape: 'true'
|
||||
spec:
|
||||
initContainers:
|
||||
- command:
|
||||
- sh
|
||||
- -c
|
||||
- sysctl -w net.core.somaxconn=32768; sysctl -w net.ipv4.ip_local_port_range="1024 65535"
|
||||
image: alpine:3.6
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: sysctl
|
||||
securityContext:
|
||||
privileged: true
|
||||
serviceAccountName: nginx-ingress-service-account
|
||||
containers:
|
||||
- name: nginx-ingress-controller
|
||||
image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.21.0
|
||||
args:
|
||||
- /nginx-ingress-controller
|
||||
- --default-backend-service=$(POD_NAMESPACE)/default-http-backend
|
||||
- --configmap=$(POD_NAMESPACE)/nginx-configuration
|
||||
- --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
|
||||
- --udp-services-configmap=$(POD_NAMESPACE)/udp-services
|
||||
- --annotations-prefix=nginx.ingress.kubernetes.io
|
||||
env:
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
- name: POD_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 80
|
||||
hostPort: 38443
|
||||
protocol: TCP
|
||||
- name: https
|
||||
containerPort: 443
|
||||
hostPort: 38443
|
||||
protocol: TCP
|
||||
livenessProbe:
|
||||
failureThreshold: 3
|
||||
httpGet:
|
||||
path: /healthz
|
||||
port: 10254
|
||||
scheme: HTTP
|
||||
initialDelaySeconds: 10
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 1
|
||||
readinessProbe:
|
||||
failureThreshold: 3
|
||||
httpGet:
|
||||
path: /healthz
|
||||
port: 10254
|
||||
scheme: HTTP
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 1
|
||||
nodeSelector:
|
||||
infra.role: ingress
|
||||
```
|
||||
Learn more about [ingress in Kubernetes](https://v1-11.docs.kubernetes.io/docs/concepts/services-networking/ingress/).
|
||||
|
||||
Deploy the controller using `kubectl` and verify pods are deployed successfully:
|
||||
Deploy your controller using `kubectl` and verify pods are deployed successfully:
|
||||
|
||||
```
|
||||
🐳 → kubectl apply -f nginx-ingress-deployment.yaml
|
||||
|
||||
@@ -87,7 +87,7 @@ persist the state of UCP. These are the UCP services running on manager nodes:
|
||||
| k8s_POD_kube-dns | Pause container for the `kube-dns` pod. |
|
||||
| k8s_ucp-dnsmasq-nanny | A dnsmasq instance used in the Kubernetes DNS Service. Part of the `kube-dns` deployment. Runs on one manager node only. |
|
||||
| k8s_ucp-kube-compose | A custom Kubernetes resource component that's responsible for translating Compose files into Kubernetes constructs. Part of the `compose` deployment. Runs on one manager node only. |
|
||||
| k8s_ucp-kube-dns | The main Kubernetes DNS Service, used by pods to [resolve service names](https://v1-8.docs.kubernetes.io/docs/concepts/services-networking/dns-pod-service/). Part of the `kube-dns` deployment. Runs on one manager node only. Provides service discovery for Kubernetes services and pods. A set of three containers deployed via Kubernetes as a single pod. |
|
||||
| k8s_ucp-kube-dns | The main Kubernetes DNS Service, used by pods to [resolve service names](https://v1-11.docs.kubernetes.io/docs/concepts/services-networking/dns-pod-service/). Part of the `kube-dns` deployment. Runs on one manager node only. Provides service discovery for Kubernetes services and pods. A set of three containers deployed via Kubernetes as a single pod. |
|
||||
| k8s_ucp-kubedns-sidecar | Health checking and metrics daemon of the Kubernetes DNS Service. Part of the `kube-dns` deployment. Runs on one manager node only. |
|
||||
| ucp-agent | Monitors the node and ensures the right UCP services are running. |
|
||||
| ucp-auth-api | The centralized service for identity and authentication used by UCP and DTR. |
|
||||
|
||||
@@ -83,7 +83,7 @@ You can download the binary from this [link](https://storage.googleapis.com/kube
|
||||
If you have curl installed on your system, you use these commands in Powershell.
|
||||
|
||||
```cmd
|
||||
$env:k8sversion = "v1.8.11"
|
||||
$env:k8sversion = "v1.11.5"
|
||||
|
||||
curl https://storage.googleapis.com/kubernetes-release/release/$env:k8sversion/bin/windows/amd64/kubectl.exe
|
||||
```
|
||||
|
||||
Reference in New Issue
Block a user