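Using TargetGroupBinding with Ingress Controller V2
Scenario
To make the move from EC2 to EKS smooth, we want to expose EKS workloads through the ALB that was already serving EC2. The new TargetGroupBinding feature in Ingress Controller V2 makes this possible.
Demo steps
- Install ALB Ingress Controller v2, or migrate an existing v1 installation to v2
- Create a new target group and note its ARN; it goes into the TargetGroupBinding CR later
- On the ALB, configure a routing rule that forwards to the target group
- Grant the node group's IAM role permission to register targets in the target group
- Create the namespace, Deployment and Service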
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wormhole  # not present in the original manifest; assumed here so it applies
  labels:
    app: wormhole
    service: wormhole
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: wormhole
      service: wormhole
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: wormhole
        service: wormhole
    spec:
      containers:
      - envFrom:
        - configMapRef:
            name: wormhole
        image: nginx
        imagePullPolicy: IfNotPresent
        name: wormhole
        ports:
        - containerPort: 80
          name: http-web
          protocol: TCP
        - containerPort: 443
          name: https-web
          protocol: TCP
      nodeSelector:
        node.kubernetes.io/service-type: product
        node.kubernetes.io/workload-type: stateless
      restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
  name: wormhole-svc
spec:
  externalTrafficPolicy: Local
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: http-web
  - name: https
    port: 443
    protocol: TCP
    targetPort: https-web
  selector:
    app: wormhole
  type: NodePort
```
- Once the Service is exposed there is no need to create an Ingress; bind the Service directly to the target group (`kubectl logs aws-load-balancer-controller-xxx -f -n kube-system` shows whether any errors occurred). How targets are registered is set by targetType, which supports ip and instance. After binding, the instances or IPs are registered in the target group automatically.
```yaml
apiVersion: elbv2.k8s.aws/v1alpha1
kind: TargetGroupBinding
metadata:
  name: wormhole-tg-bind
spec:
  targetType: instance
  serviceRef:
    name: wormhole-svc
    port: 80
  # The ARN service namespace for target groups is "elasticloadbalancing".
  targetGroupArn: arn:aws:elasticloadbalancing:xxxxxx:xxxxxxxx:targetgroup/tg-bind
```
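A pre-apply consistency check for the binding described above, as an added example that is not part of the original post: it verifies the ARN shape, that serviceRef points at a port the Service exposes, and that targetType instance is paired with a Service that allocates node ports. The function name, the sample dictionaries and the placeholder ARN (region, account id, target group id) are constructed for illustration.

```python
import re

# Shape of an ELBv2 target group ARN: service namespace "elasticloadbalancing",
# 12-digit account id, resource "targetgroup/<name>/<id>".
TG_ARN = re.compile(
    r"^arn:aws[a-z-]*:elasticloadbalancing:[a-z0-9-]+:\d{12}:targetgroup/[^/]+/[0-9a-f]+$")

def check_binding(binding, service):
    """Return the problems found in a TargetGroupBinding/Service pair."""
    problems = []
    spec, svc_spec = binding.get("spec", {}), service.get("spec", {})
    ref = spec.get("serviceRef", {})
    if not TG_ARN.match(spec.get("targetGroupArn", "")):
        problems.append("targetGroupArn is not a well-formed target group ARN")
    if ref.get("name") != service.get("metadata", {}).get("name"):
        problems.append("serviceRef.name does not match the Service")
    # serviceRef.port may be a Service port number or a Service port name.
    port = ref.get("port")
    exposed = [v for p in svc_spec.get("ports", []) for v in (p.get("port"), p.get("name"))]
    if port is None or port not in exposed:
        problems.append("serviceRef.port is not exposed by the Service")
    target_type = spec.get("targetType")
    if target_type not in ("instance", "ip"):
        problems.append("targetType must be instance or ip")
    # Instance targets receive traffic on the node port, so a ClusterIP
    # Service gives the target group nothing to register.
    if target_type == "instance" and svc_spec.get("type") not in ("NodePort", "LoadBalancer"):
        problems.append("targetType instance requires a NodePort Service")
    return problems

# Constructed sample data mirroring the manifests above; the ARN is a placeholder.
SERVICE = {"metadata": {"name": "wormhole-svc"},
           "spec": {"type": "NodePort",
                    "ports": [{"name": "http", "port": 80}, {"name": "https", "port": 443}]}}
BINDING = {"metadata": {"name": "wormhole-tg-bind"},
           "spec": {"targetType": "instance",
                    "serviceRef": {"name": "wormhole-svc", "port": 80},
                    "targetGroupArn": "arn:aws:elasticloadbalancing:us-west-2:"
                                      "111122223333:targetgroup/tg-bind/0123456789abcdef"}}

if __name__ == "__main__":
    for line in check_binding(BINDING, SERVICE) or ["binding looks consistent"]:
        print(line)
```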
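Notes
- Unlike a regular Ingress, the routing rules have to be edited on the ALB listener yourself
- Instance ports are not opened in the security group automatically either; open them yourself on the security group the nodes use
- The nodes need sufficient permissions to register to the target group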