如何将 kubernetes nginx-ingress 路由到另一个命名空间中的仪表板

Question

我正在试用 kubernetes，我已经在默认命名空间中部署了我的 Nginx，我正在尝试创建一个虚拟服务器来路由仪表板。

nginx：默认命名空间 仪表板：kubernetes-dashboard 命名空间

但是，当我尝试创建虚拟服务器时，它会警告我 virtualserverroute 不存在或无效？据我了解，如果我想路由到不同的命名空间，我可以通过将命名空间放在服务前面来实现。

nginx-ingress-dashboard.yaml

apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: kubernetes-dashboard
spec:
  host: k8.test.com
  tls:
    secret: nginx-tls-secret
    # basedOn: scheme
    redirect:
      enable: true
      code: 301
  upstreams:
  - name: kubernetes-dashboard
    service: kubernetes-dashboard
    port: 8443
  routes:
  - path: /
    route: kubernetes-dashboard/kubernetes-dashboard

kubernetes 仪表盘

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard

任何提示我做错了什么？提前致谢。

192.168.254.9 - - [27/Apr/2021:07:14:43 +0000] "GET /api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/ HTTP/2.0" 400 48 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36" "-"2021/04/27 07:14:43 [error] 137#137: *106 readv() failed (104: Connection reset by peer) while reading upstream, client: 192.168.254.9, server: k8.test.com, request: "GET /api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/ HTTP/2.0", upstream: "http://192.168.253.130:8443/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/", host: "k8.test.com"
192.168.254.9 - - [27/Apr/2021:07:14:43 +0000] "GET /api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/ HTTP/2.0" 400 48 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36" "-" 2021/04/27 07:14:43 [error] 137#137: *106 readv() failed (104: Connection reset by peer) while reading upstream, client: 192.168.254.9, server: k8.test.com, request: "GET /api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/ HTTP/2.0", upstream: "http://192.168.253.130:8443/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/", host: "k8.test.com"

secret.yaml

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
type: Opaque

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
type: Opaque
data:
  csrf: ""

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
type: Opaque

Answer 1

您需要使用action.pass，而不是定义路由，因为您想将请求直接重定向到服务。

此外，我对VirtualServer 资源没有太多经验，但Ingress 资源通常应该位于您要提供的服务的同一个命名空间中。即使它们位于不同的命名空间中，入口控制器也会将它们拾取。 （这意味着 tls 机密需要在该命名空间中）

所以，我会将action.pass 和VirtualServer 放在您要服务的资源的同一个命名空间中，如下所示：

apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  host: k8.test.com
  tls:
    secret: nginx-tls-secret
    # basedOn: scheme
    redirect:
      enable: true
      code: 301
  upstreams:
  - name: kubernetes-dashboard
    service: kubernetes-dashboard
    port: 443
  routes:
  - path: /
    action:
      pass: kubernetes-dashboard

如果您使用路由，则需要使用该名称定义 VirtualServerRoute，如文档中所述 (https://docs.nginx.com/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#virtualserverroute-specification)