          Create CCE Ingress via YAML

          This document describes how to create and manage CCE Ingress through YAML.

          Create Ingress Controller Resources

          Create an Ingress Controller from ingress-controller.yaml:

          kubectl create -f ingress-controller.yaml

          The content of ingress-controller.yaml is as follows:

          apiVersion: rbac.authorization.k8s.io/v1 
          kind: ClusterRole 
          metadata: 
            namespace: kube-system 
            name: cce-ingress-clusterrole 
          rules: 
          - apiGroups: [""] 
            resources: 
            - nodes 
            - services 
            verbs: ["get", "list", "watch"] 
          - apiGroups: ["extensions"] 
            resources: 
            - ingresses 
            verbs: ["get", "list", "watch", "update", "patch"] 
          - apiGroups: [""] 
            resources: 
            - events 
            verbs: ["create", "update", "patch"] 
          - apiGroups: 
              - "extensions" 
            resources: 
              - ingresses/status
            verbs: 
              - update 
          ---
          apiVersion: v1 
          kind: ServiceAccount 
          metadata: 
            namespace: kube-system 
            name: cce-ingress-serviceaccount 
          ---
          apiVersion: rbac.authorization.k8s.io/v1 
          kind: ClusterRoleBinding 
          metadata: 
            namespace: kube-system 
            name: cce-ingress-binding 
          roleRef: 
            apiGroup: rbac.authorization.k8s.io 
            kind: ClusterRole 
            name: cce-ingress-clusterrole 
          subjects: 
          - kind: ServiceAccount 
            namespace: kube-system 
            name: cce-ingress-serviceaccount 
          ---
          apiVersion: apps/v1
          kind: Deployment 
          metadata: 
            name: cce-ingress-controller 
            namespace: kube-system 
          spec: 
            replicas: 1 
            selector: 
              matchLabels: 
                app: cce-ingress-controller 
            template: 
              metadata: 
                labels: 
                  app: cce-ingress-controller 
              spec: 
                # hostNetwork: the Pod shares the node's network namespace
                hostNetwork: true
                serviceAccountName: cce-ingress-serviceaccount 
                dnsPolicy: ClusterFirst 
                restartPolicy: Always 
                terminationGracePeriodSeconds: 30 
                containers: 
                - name: ingress-controller 
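                  # :latest with imagePullPolicy: Always runs whatever the tag points to at each
                  # Pod start; pin a specific version tag or digest for reproducible rollouts
                  image: hub.baidubce.com/cce/cce-ingress-controller:latest
                  imagePullPolicy: Always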
                  volumeMounts: 
                    - name: etc-volume 
                      mountPath: /etc/kubernetes/ 
                      readOnly: true 
                  resources: 
                    limits: 
                      cpu: 0.5 
                      memory: 500Mi 
                volumes: 
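                # hostPath exposes the node's /etc/kubernetes/ directory to the container
                # (mounted read-only in volumeMounts above)
                - name: etc-volume
                  hostPath:
                    path: /etc/kubernetes/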

          Create Sample Deployment and Service

          apiVersion: apps/v1 
          kind: Deployment 
          metadata: 
            name: ingress-nginx-deployment 
            labels: 
              app: ingress-nginx 
          spec: 
            replicas: 2 
            selector: 
              matchLabels: 
                app: ingress-nginx 
            template: 
              metadata: 
                labels: 
                  app: ingress-nginx 
              spec: 
                containers: 
                - name: nginx 
                  image: hub.baidubce.com/cce/nginx-ingress 
                  ports: 
                  - containerPort: 80 
          ---
          kind: Service 
          apiVersion: v1 
          metadata: 
            name: hello-service 
          spec: 
            selector: 
              app: ingress-nginx 
            type: NodePort 
            ports: 
            - protocol: TCP 
              port: 8000 
              targetPort: 80 
          ---
          kind: Service 
          apiVersion: v1 
          metadata: 
            name: world-service 
          spec: 
            selector: 
              app: ingress-nginx 
            type: NodePort 
            ports: 
            - protocol: TCP 
              port: 9000 
              targetPort: 80 

          Create Ingress

          Create an Ingress object named helloworld with the following YAML content, which configures these Ingress forwarding rules:

          • www.cce-ingress.com/hello/ -> hello-service:8000/hello/
          • www.cce-ingress.com/world/ -> world-service:9000/world/

          Ingress can be configured through the parameters in Ingress annotations, such as specifying BLB or EIP.

          The backend behind each Service must serve the URI used in the forwarding policy. To support all cases, it is recommended to set the path to /*. The path requirements of the URI are very strict. Note "/" "/".

          apiVersion: networking.k8s.io/v1
          kind: Ingress
          metadata: 
            annotations: 
              cce.ingress.blb-backup-content: ""
              kubernetes.io/cce.ingress.blb-cert-id: "" 
              kubernetes.io/cce.ingress.blb-id: "" 
              kubernetes.io/cce.ingress.eip: "" 
              kubernetes.io/cce.ingress.http-redirect: "false" 
              kubernetes.io/cce.ingress.https: "false" 
              kubernetes.io/cce.ingress.internal: "false" 
              kubernetes.io/cce.ingress.timeout-in-seconds: "30" 
              kubernetes.io/cce.ingress.vpc-subnet-id: "" 
              kubernetes.io/ingress.class: cce 
            name: helloworld 
            namespace: default 
          spec: 
            rules: 
            - host: www.cce-ingress.com 
              http: 
                paths: 
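                # networking.k8s.io/v1 uses backend.service.name / port.number and requires pathType
                - backend:
                    service:
                      name: hello-service
                      port:
                        number: 8000
                  path: /hello/*
                  pathType: ImplementationSpecific
                - backend:
                    service:
                      name: world-service
                      port:
                        number: 9000
                  path: /world/*
                  pathType: ImplementationSpecific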

          Access Test

          Edit the local /etc/hosts to point www.cce-ingress.com to the EIP (for example: 106.12.52.80). You can then view the Ingress information on the console or in the cluster:

          # kubectl get ingress 
          NAME         HOSTS                 ADDRESS                    PORTS   AGE 
          helloworld   www.cce-ingress.com   10.0.3.251,106.12.52.80   80      6m34s 


          Ingress Annotation Description

          | Parameter name | Type | Description | Example |
          | --- | --- | --- | --- |
          | kubernetes.io/ingress.class | string | Designates cce-ingress-controller to host the Ingress | "cce" |
          | kubernetes.io/cce.ingress.blb-id | string | BLB bound to the Ingress. Modification or deletion may cause BLB leakage | "lb-asdfDsXS" |
          | kubernetes.io/cce.ingress.internal | string | Intranet access only, default "false" | "true" or "false" |
          | kubernetes.io/cce.ingress.eip | string | EIP bound to the Ingress. Modification or deletion may cause EIP leakage | "100.0.0.1" |
          | kubernetes.io/cce.ingress.eip-bandwidth-in-mbps | string | EIP bandwidth, billing by traffic, 1-1000 Mbps | "500" |
          | kubernetes.io/cce.ingress.timeout-in-seconds | string | Access timeout, 1 ~ 3600 | "1500" |
          | kubernetes.io/cce.ingress.https | string | Whether HTTPS is supported | "true" or "false" |
          | kubernetes.io/cce.ingress.http-redirect | string | Whether HTTP is redirected to HTTPS. Takes effect only when HTTPS is enabled | "true" or "false" |
          | kubernetes.io/cce.ingress.blb-cert-id | string | HTTPS certificate ID | "xs-asdfDESz" |
          | kubernetes.io/cce.ingress.max-backend-count | string | Number of RS mounted on the BLB, no limit by default | "50" |
          | kubernetes.io/cce.ingress.vpc-subnet-id | string | Specifies the BLB VPC subnet, not used by default | "sb-adfEsDzs" |

          To support HTTP and HTTPS forwarding for a single domain name, CCE Ingress adds two new annotations:

          kubernetes.io/cce.ingress.http-rules:

          [ 
              { 
                  "host":"baidu-cce-ingress.com", 
                  "http":{ 
                      "paths":[ 
                          { 
                              "path":"/apple/", 
                              "backend":{ 
                                  "serviceName":"service-example", 
                                  "servicePort":80 
                              } 
                          }, 
                          { 
                              "path":"/banana/", 
                              "backend":{ 
                                  "serviceName":"service-example", 
                                  "servicePort":80 
                              } 
                          } 
                      ] 
                  } 
              } 
          ] 

          kubernetes.io/cce.ingress.https-rules:

          [ 
              { 
                  "host":"baidu-cce-ingress.com", 
                  "http":{ 
                      "paths":[ 
                          { 
                              "path":"/orange/", 
                              "backend":{ 
                                  "serviceName":"service-example", 
                                  "servicePort":80 
                              } 
                          } 
                      ] 
                  } 
              } 
          ] 

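          The rules are applied with the following logic:

          for rule in rules:
              # Rules listed in the https-rules annotation are set up for HTTPS
              if rule in annotation_https_rules:
                  setHTTPS(rule)

              # Rules listed in the http-rules annotation are set up for HTTP
              if rule in annotation_http_rules:
                  setHTTP(rule)

              # Rules listed in neither annotation default to HTTP
              if rule not in annotation_https_rules and rule not in annotation_http_rules:
                  setHTTP(rule)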
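
          The rule logic above means a path left out of both annotations is served over plain HTTP by default. The following added example (not code from the CCE documentation or the controller) applies that logic to the page's sample annotations and reports every path reachable without TLS. It assumes rules are matched on (host, path); the function names and the /grape/ path are constructed for illustration.

```python
import json

HTTP_RULES = "kubernetes.io/cce.ingress.http-rules"
HTTPS_RULES = "kubernetes.io/cce.ingress.https-rules"

def flatten(rules):
    """Expand a rules list into (host, path) pairs."""
    return [(r.get("host", ""), p["path"])
            for r in rules for p in r.get("http", {}).get("paths", [])]

def resolve(spec_rules, annotations):
    """Apply the page's rule logic; return {(host, path): (listeners, defaulted)}."""
    # Annotation values are strings holding JSON; missing or empty means no rules.
    http = set(flatten(json.loads(annotations.get(HTTP_RULES) or "[]")))
    https = set(flatten(json.loads(annotations.get(HTTPS_RULES) or "[]")))
    out = {}
    for key in flatten(spec_rules):  # assumption: rules match on (host, path)
        defaulted = key not in http and key not in https
        listeners = set()
        if key in https:
            listeners.add("HTTPS")
        if key in http or defaulted:
            listeners.add("HTTP")
        out[key] = (listeners, defaulted)
    return out

def plaintext_report(spec_rules, annotations):
    """Sorted (host, path, why) for every rule reachable over plain HTTP."""
    report = []
    for (host, path), (listeners, defaulted) in resolve(spec_rules, annotations).items():
        if "HTTP" in listeners:
            why = "default: in neither annotation" if defaulted else "listed in http-rules"
            report.append((host, path, why))
    return sorted(report)

# Constructed sample: the page's two annotations plus a /grape/ path in
# spec.rules that neither annotation lists.
HOST = "baidu-cce-ingress.com"

def make_rules(*paths):
    backend = {"serviceName": "service-example", "servicePort": 80}
    return [{"host": HOST,
             "http": {"paths": [{"path": p, "backend": backend} for p in paths]}}]

SAMPLE_ANNOTATIONS = {HTTP_RULES: json.dumps(make_rules("/apple/", "/banana/")),
                      HTTPS_RULES: json.dumps(make_rules("/orange/"))}
SAMPLE_SPEC_RULES = make_rules("/apple/", "/banana/", "/orange/", "/grape/")

if __name__ == "__main__":
    for row in plaintext_report(SAMPLE_SPEC_RULES, SAMPLE_ANNOTATIONS):
        print(row)
```

          Running the report in CI against each Ingress manifest makes the HTTP default visible before a path that was meant to be TLS-only is exposed in plaintext.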