内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。
风哥提示:
本文档介绍Kubernetes网络方案实战案例。
Part01-网络方案选择
1.1 CNI插件对比
[root@k8s-master ~]# cat > /root/cni-comparison.txt << 'EOF'
Kubernetes CNI插件对比
=====================
1. Calico
- 特点: 高性能,支持网络策略
- 适用: 生产环境,安全要求高
- 模式: BGP,IPIP,VXLAN
2. Flannel
- 特点: 简单易用,部署快速
- 适用: 开发测试环境
- 模式: VXLAN,host-gw
3. Cilium
- 特点: eBPF技术,可观测性强
- 适用: 云原生环境
- 模式: eBPF
4. Weave
- 特点: 简单,支持多主机
- 适用: 小型集群
- 模式: VXLAN
5. 推荐选择
- 生产环境: Calico
- 开发环境: Flannel
- 高级需求: Cilium
EOF
# 查看当前CNI
[root@k8s-master ~]# kubectl get pods -n kube-system -l k8s-app=calico-node
NAME READY STATUS RESTARTS AGE
calico-node-abc12 1/1 Running 0 10d
calico-node-def34 1/1 Running 0 10d
Part02-Calico网络配置
2.1 Calico高级配置
[root@k8s-master ~]# calicoctl get ippool -o yaml
apiVersion: projectcalico.org/v3
items:
- apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
name: default-ipv4-ippool
spec:
blockSize: 26
cidr: 10.244.0.0/16
ipipMode: Always
natOutgoing: true
nodeSelector: all()
vxlanMode: Never
kind: IPPoolList
# 创建IP池
[root@k8s-master ~]# cat > fgedu-ippool.yaml << 'EOF'
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
name: fgedu-pool
spec:
cidr: 10.245.0.0/16
ipipMode: CrossSubnet
natOutgoing: true
disabled: false
nodeSelector: all()
EOF
[root@k8s-master ~]# calicoctl apply -f fgedu-ippool.yaml
Successfully applied 1 'IPPool' resource(s)
# 配置网络策略(注意:selector: all() 的 GlobalNetworkPolicy 对所有命名空间生效,包括 kube-system 等集群组件;应先放行 DNS 等必要流量再应用默认拒绝,否则会中断集群内通信)
[root@k8s-master ~]# cat > fgedu-network-policy.yaml << 'EOF'
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: fgedu-default-deny
spec:
selector: all()
types:
- Ingress
- Egress
ingress:
- action: Deny
egress:
- action: Deny
EOF
[root@k8s-master ~]# calicoctl apply -f fgedu-network-policy.yaml
Successfully applied 1 'GlobalNetworkPolicy' resource(s)
# 允许特定流量
[root@k8s-master ~]# cat > fgedu-allow-policy.yaml << 'EOF'
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: fgedu-allow-dns
spec:
selector: all()
types:
- Egress
egress:
- action: Allow
protocol: UDP
destination:
ports:
- 53
EOF
[root@k8s-master ~]# calicoctl apply -f fgedu-allow-policy.yaml
Successfully applied 1 'GlobalNetworkPolicy' resource(s)
Part03-Ingress配置
3.1 Nginx Ingress部署
[root@k8s-master ~]# kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/cloud/deploy.yaml
namespace/ingress-nginx created
serviceaccount/ingress-nginx created
serviceaccount/ingress-nginx-admission created
role.rbac.authorization.k8s.io/ingress-nginx created
role.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrole.rbac.authorization.k8s.io/ingress-nginx created
clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission created
rolebinding.rbac.authorization.k8s.io/ingress-nginx created
rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
configmap/ingress-nginx-controller created
service/ingress-nginx-controller created
service/ingress-nginx-controller-admission created
deployment.apps/ingress-nginx-controller created
# 查看Ingress Controller
[root@k8s-master ~]# kubectl get pods -n ingress-nginx
NAME READY STATUS RESTARTS AGE
ingress-nginx-admission-create-abc12 0/1 Completed 0 2m
ingress-nginx-admission-patch-def34 0/1 Completed 0 2m
ingress-nginx-controller-abc12-xyz789 1/1 Running 0 2m
# 创建Ingress资源
[root@k8s-master ~]# cat > fgedu-ingress.yaml << 'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: fgedu-app-ingress
namespace: fgedu-prod
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "50m"
cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
ingressClassName: nginx
tls:
- hosts:
- app.fgedu.net.cn
secretName: fgedu-app-tls
rules:
- host: app.fgedu.net.cn
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: fgedu-app-svc
port:
number: 80
EOF
[root@k8s-master ~]# kubectl apply -f fgedu-ingress.yaml
ingress.networking.k8s.io/fgedu-app-ingress created
# 查看Ingress状态
[root@k8s-master ~]# kubectl get ingress -n fgedu-prod
NAME CLASS HOSTS ADDRESS PORTS AGE
fgedu-app-ingress nginx app.fgedu.net.cn 192.168.1.100 80, 443 1m
Part04-服务发现与负载均衡
4.1 CoreDNS配置
[root@k8s-master ~]# kubectl get configmap coredns -n kube-system -o yaml
apiVersion: v1
data:
Corefile: |
.:53 {
errors
health {
lameduck 5s
}
ready
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
fallthrough in-addr.arpa ip6.arpa
ttl 30
}
prometheus :9153
forward . /etc/resolv.conf {
max_concurrent 1000
}
cache 30
loop
reload
loadbalance
}
kind: ConfigMap
# 添加自定义DNS记录(注意:上面的默认 Corefile 并未引用 coredns-custom,需要将该 ConfigMap 挂载到 CoreDNS Pod 并在 Corefile 中通过 import 指令加载,重启后才会生效)
[root@k8s-master ~]# cat > coredns-custom.yaml << 'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
name: coredns-custom
namespace: kube-system
data:
fgedu.server: |
fgedu.net.cn:53 {
errors
cache 30
forward . 192.168.1.1
}
EOF
[root@k8s-master ~]# kubectl apply -f coredns-custom.yaml
configmap/coredns-custom created
# 重启CoreDNS使配置生效
[root@k8s-master ~]# kubectl rollout restart deployment coredns -n kube-system
deployment.apps/coredns restarted
# 配置Service负载均衡
[root@k8s-master ~]# cat > fgedu-lb-service.yaml << 'EOF'
apiVersion: v1
kind: Service
metadata:
name: fgedu-app-lb
namespace: fgedu-prod
annotations:
service.beta.kubernetes.io/aws-load-balancer-type: nlb
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
spec:
type: LoadBalancer
externalTrafficPolicy: Local
ports:
- port: 80
targetPort: 80
nodePort: 30080
selector:
app: fgedu-app
EOF
[root@k8s-master ~]# kubectl apply -f fgedu-lb-service.yaml
service/fgedu-app-lb created
# 查看Service
[root@k8s-master ~]# kubectl get svc -n fgedu-prod
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
fgedu-app-lb LoadBalancer 10.96.100.100 192.168.1.200 80:30080/TCP 30s
- 根据场景选择合适的CNI插件
- 配置网络策略增强安全性
- 使用Ingress统一入口管理
- 优化DNS解析性能
- 配置负载均衡实现高可用
本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html
