Ingress Controller V2 TargetGroupBinding使用方法

Ingress Controller V2 TargetGroupBinding使用方法 场景
实现EC2到EKS的平滑过渡,想在暴露EKS Ingress的时候使用原来给EC2使用的ALB,因此可以使用Ingress Controller V2版本的TargetGroupBinding新功能。
Demo步骤

  • 安装ALBIngressControllerv2版本, 或将v1版本迁移至v2
  • 创建一个新的targetgroup,并记录下arn,后续要把该arn写到TargetGroupBinding的CR当中
  • 在alb上配置到目标组的路由策略
    • tgbinding-rule
  • 赋予nodegroup上的iam role能够注册到目标组的权限
  • 创建ns/deployment/services
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    apiVersion: apps/v1
    kind: Deployment
    metadata:
    labels:
    app: wormhole
    service: wormhole
    spec:
    progressDeadlineSeconds: 600
    replicas: 1
    revisionHistoryLimit: 10
    selector:
    matchLabels:
    app: wormhole
    service: wormhole
    strategy:
    rollingUpdate:
    maxSurge: 25%
    maxUnavailable: 25%
    type: RollingUpdate
    template:
    metadata:
    labels:
    app: wormhole
    service: wormhole
    spec:
    containers:
    - envFrom:
    - configMapRef:
    name: wormhole
    image: nginx
    imagePullPolicy: IfNotPresent
    name: wormhole
    ports:
    - containerPort: 80
    name: http-web
    protocol: TCP
    - containerPort: 443
    name: https-web
    protocol: TCP
    nodeSelector:
    node.kubernetes.io/service-type: product
    node.kubernetes.io/workload-type: stateless
    restartPolicy: Always
    ---
    apiVersion: v1
    kind: Service
    metadata:
    name: wormhole-svc
    spec:
    externalTrafficPolicy: Local
    ports:
    - name: http
    port: 80
    protocol: TCP
    targetPort: http-web
    - name: https
    port: 443
    protocol: TCP
    targetPort: https-web
    selector:
    app: wormhole
    type: NodePort
  • service暴露完成之后,不再需要创建ingress了,直接和targetgroup进行绑定,(kubectl logs aws-load-balancer-controller-xxx -f -n kube-system可查看是否发生错误),注册到目标组的方式通过targetType来指定,支持ip与instance两种方式,绑定后,实例或ip会自动注册到目标组中
    • apiVersion: elbv2.k8s.aws/v1alpha1
      kind: TargetGroupBinding
      metadata: 
        name: wormhole-tg-bind
      spec:
        targetType: instance
      serviceRef:
        name: wormhole-svc
        port: 80
      targetGroupArn: arn:aws:elasticloadbalancer:xxxxxx:xxxxxxxx:targetgroup/tg-bind
    • aws-tgbinding-ec2

注意

  • 和一般的ingress不同,路由策略要在alb侦听器上自行编辑
  • 实例端口也不会自动在安全组中开放,需要在node使用的安全组上自行打开
  • node需要有足够的权限注册到目标组中