K8S部署ingress-nginx主机模式

前言

使用helm 3.0+ 方式部署 ingress-nginx
官方地址:https://kubernetes.github.io/ingress-nginx/

本文使用hostNetwork模式部署ingress-nginx组件:控制器Pod直接使用宿主机的网络命名空间,其监听的端口会直接绑定在节点IP上。为此调整了如下参数:

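# Helm value overrides that switch the ingress-nginx controller to host
# networking. Nesting restored: every key below belongs under `controller`.
controller:
  # Run the controller pod in the node's network namespace. Every port the
  # controller listens on is then bound on the node itself, not only the
  # ingress ports, so restrict the remaining ports with node-level firewalling.
  hostNetwork: true
  # DNS policy adjusted so a hostNetwork pod still resolves cluster names.
  dnsPolicy: ClusterFirstWithHostNet
  # Force Ingress status to be reported with the node's internal IP.
  reportNodeInternalIp: true

  # Turn off the controller's Service objects.
  service:
    enabled: false  # do not create any controller Service
    external:
      enabled: false  # explicitly disable the external Service
    internal:
      enabled: false  # explicitly disable the internal Service

  # Do not publish status through a Service (the Service is disabled above).
  publishService:
    enabled: false

  # (Optional) keep the hostPort setting consistent with hostNetwork.
  hostPort:
    enabled: false  # usually not needed separately in hostNetwork mode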

Helm安装部署

Helm添加仓库并拉取chart包

$ helm version
version.BuildInfo{Version:"v3.6.0", GitCommit:"7f2df6467771a75f5646b7f12afb408590ed1755", GitTreeState:"clean", GoVersion:"go1.16.3"}

$ helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

$ helm search repo ingress-nginx
NAME CHART VERSION APP VERSION DESCRIPTION
ingress-nginx/ingress-nginx 4.12.0 1.12.0 Ingress controller for Kubernetes using NGINX a...

$ helm pull ingress-nginx/ingress-nginx --version 4.12.0

配置values


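# Chart-wide settings (nesting restored from the flattened listing).
global:
  image:
    # NOTE(review): presumably the registry the image names further down are
    # resolved against; confirm against the chart templates.
    registry: registry.k8s.io

namespaceOverride: ""
commonLabels: {}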

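# Controller section of values.yaml with its nesting restored. Security-relevant
# choices for the hostNetwork deployment are annotated inline.
controller:
  name: controller
  # Keep enabled: annotation values on Ingress objects are validated.
  enableAnnotationValidations: true
  image:
    chroot: false
    image: ingress-nginx/controller
    # Tag-only reference: no digest is set, so the pull is not pinned to
    # immutable content. Consider adding the digest published for the release
    # (chart key `digest`, value <sha256 digest from the release notes>), and
    # check upstream release notes and security advisories for a newer patch
    # release before deploying.
    tag: "v1.12.0"
    pullPolicy: IfNotPresent
    # Container runs as an unprivileged UID/GID without privilege escalation.
    runAsNonRoot: true
    runAsUser: 101
    runAsGroup: 82
    allowPrivilegeEscalation: false
    seccompProfile:
      type: RuntimeDefault
    # Root filesystem stays writable for this container.
    readOnlyRootFilesystem: false
  containerName: controller
  containerPort:
    http: 80
    https: 443
  config: {}
  configAnnotations: {}
  proxySetHeaders: {}
  addHeaders: {}
  dnsConfig: {}
  hostAliases: []
  hostname: {}
  # Needed so a hostNetwork pod still resolves cluster-internal names.
  dnsPolicy: ClusterFirstWithHostNet
  reportNodeInternalIp: true
  watchIngressWithoutClass: false
  ingressClassByName: false
  enableTopologyAwareRouting: false
  disableLeaderElection: false
  electionTTL: ""
  # Keep false: snippet annotations let Ingress authors inject raw NGINX
  # configuration into the shared controller.
  allowSnippetAnnotations: false
  # The pod shares the node's network namespace. Besides 80/443, the health /
  # metrics port (10254) and the admission webhook port (8443) configured
  # below belong to the same pod, so they are presumably reachable on the node
  # addresses as well; restrict them with node-level firewall rules.
  hostNetwork: true
  hostPort:
    enabled: false
    ports:
      http: 80
      https: 443
  # NOTE(review): many CNI plugins do not enforce NetworkPolicy on hostNetwork
  # pods, so turning this on may not replace node firewalling; verify for the
  # CNI in use.
  networkPolicy:
    enabled: false
  electionID: ""
  ingressClassResource:
    name: nginx
    enabled: true
    default: false
    annotations: {}
    controllerValue: k8s.io/ingress-nginx
    aliases: []
    parameters: {}
  ingressClass: nginx
  podLabels: {}
  podSecurityContext: {}
  sysctls: {}
  containerSecurityContext: {}
  # No controller Service exists in this setup, so nothing to publish from.
  publishService:
    enabled: false
    pathOverride: ""
  scope:
    enabled: false
    namespace: ""
    namespaceSelector: ""
  configMapNamespace: ""
  tcp:
    configMapNamespace: ""
    annotations: {}
  udp:
    configMapNamespace: ""
    annotations: {}
  maxmindLicenseKey: ""
  extraArgs:
    # NOTE(review): with status updates off, the controller does not write an
    # address into Ingress status, so `reportNodeInternalIp` above likely has
    # no visible effect; confirm this is intended.
    update-status: "false"
  extraEnvs: []
  # NOTE(review): with hostNetwork, two replicas cannot share one node because
  # they would contend for the same host ports; plan scheduling accordingly.
  kind: Deployment
  annotations: {}
  labels: {}
  updateStrategy: {}
  progressDeadlineSeconds: 0
  minReadySeconds: 0
  tolerations: []
  affinity: {}
  topologySpreadConstraints: []
  terminationGracePeriodSeconds: 300
  nodeSelector:
    kubernetes.io/os: linux
  livenessProbe:
    httpGet:
      path: "/healthz"
      port: 10254
      scheme: HTTP
    initialDelaySeconds: 10
    periodSeconds: 10
    timeoutSeconds: 1
    successThreshold: 1
    failureThreshold: 5
  readinessProbe:
    httpGet:
      path: "/healthz"
      port: 10254
      scheme: HTTP
    initialDelaySeconds: 10
    periodSeconds: 10
    timeoutSeconds: 1
    successThreshold: 1
    failureThreshold: 3
  healthCheckPath: "/healthz"
  healthCheckHost: ""
  podAnnotations: {}
  replicaCount: 1
  minAvailable: 1
  unhealthyPodEvictionPolicy: ""
  # Only requests are set; no limits are configured for the controller.
  resources:
    requests:
      cpu: 100m
      memory: 90Mi
  autoscaling:
    enabled: false
    annotations: {}
    minReplicas: 1
    maxReplicas: 11
    targetCPUUtilizationPercentage: 50
    targetMemoryUtilizationPercentage: 50
    behavior: {}
  autoscalingTemplate: []
  keda:
    apiVersion: "keda.sh/v1alpha1"
    enabled: false
    minReplicas: 1
    maxReplicas: 11
    pollingInterval: 30
    cooldownPeriod: 300
    restoreToOriginalReplicaCount: false
    scaledObject:
      annotations: {}
    triggers: []
    behavior: {}
  enableMimalloc: true
  customTemplate:
    configMapName: ""
    configMapKey: ""
  # Controller Service disabled entirely; traffic reaches the pod through the
  # node's own addresses instead.
  service:
    enabled: false
    external:
      enabled: false
    annotations: {}
    labels: {}
    type: ClusterIP
    clusterIP: ""
    externalIPs: []
    loadBalancerIP: ""
    loadBalancerSourceRanges: []
    loadBalancerClass: ""
    externalTrafficPolicy: ""
    sessionAffinity: ""
    ipFamilyPolicy: SingleStack
    ipFamilies:
      - IPv4
    enableHttp: true
    enableHttps: true
    ports:
      http: 80
      https: 443
    targetPorts:
      http: http
      https: https
    appProtocol: true
    nodePorts:
      http: ""
      https: ""
      tcp: {}
      udp: {}
    internal:
      enabled: false
      annotations: {}
      type: ""
      clusterIP: ""
      externalIPs: []
      loadBalancerIP: ""
      loadBalancerSourceRanges: []
      loadBalancerClass: ""
      externalTrafficPolicy: ""
      sessionAffinity: ""
      ipFamilyPolicy: SingleStack
      ipFamilies:
        - IPv4
      ports: {}
      targetPorts: {}
      appProtocol: true
      nodePorts:
        http: ""
        https: ""
        tcp: {}
        udp: {}
  shareProcessNamespace: false
  extraContainers: []
  extraVolumeMounts: []
  extraVolumes: []
  extraInitContainers: []
  extraModules: []
  # Validating admission webhook served by the controller pod.
  admissionWebhooks:
    name: admission
    annotations: {}
    enabled: true
    extraEnvs: []
    # Fail closed: Ingress changes are rejected when the webhook cannot be
    # reached.
    failurePolicy: Fail
    # Webhook listener; see the hostNetwork note above about node exposure.
    port: 8443
    certificate: "/usr/local/certificates/cert"
    key: "/usr/local/certificates/key"
    namespaceSelector: {}
    objectSelector: {}
    labels: {}
    service:
      annotations: {}
      externalIPs: []
      loadBalancerSourceRanges: []
      servicePort: 443
      type: ClusterIP
    createSecretJob:
      name: create
      # Hardened job container: non-root, no escalation, all capabilities
      # dropped, read-only root filesystem.
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532
        runAsGroup: 65532
        allowPrivilegeEscalation: false
        seccompProfile:
          type: RuntimeDefault
        capabilities:
          drop:
            - ALL
        readOnlyRootFilesystem: true
      resources: {}
    patchWebhookJob:
      name: patch
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532
        runAsGroup: 65532
        allowPrivilegeEscalation: false
        seccompProfile:
          type: RuntimeDefault
        capabilities:
          drop:
            - ALL
        readOnlyRootFilesystem: true
      resources: {}
    patch:
      enabled: true
      image:
        image: ingress-nginx/kube-webhook-certgen
        # Tag-only reference, not pinned by digest (same caveat as the
        # controller image).
        tag: v1.5.0
      priorityClassName: ""
      podAnnotations: {}
      networkPolicy:
        enabled: false
      nodeSelector:
        kubernetes.io/os: linux
      tolerations: []
      labels: {}
      securityContext: {}
      rbac:
        create: true
      serviceAccount:
        create: true
        name: ""
        automountServiceAccountToken: true
    certManager:
      enabled: false
      rootCert:
        duration: ""
      admissionCert:
        duration: ""
  metrics:
    # Same port number as the /healthz probes above.
    port: 10254
    portName: metrics
    enabled: false
    service:
      enabled: true
      annotations: {}
      labels: {}
      externalIPs: []
      loadBalancerSourceRanges: []
      servicePort: 10254
      type: ClusterIP
    serviceMonitor:
      enabled: false
      additionalLabels: {}
      annotations: {}
      namespace: ""
      namespaceSelector: {}
      scrapeInterval: 30s
      targetLabels: []
      relabelings: []
      metricRelabelings: []
    prometheusRule:
      enabled: false
      additionalLabels: {}
      annotations: {}
      rules: []
  lifecycle:
    preStop:
      exec:
        command:
          - /wait-shutdown
  priorityClassName: ""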
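# Remaining top-level chart values with their nesting restored.
revisionHistoryLimit: 10

# Optional default backend; disabled in this deployment.
defaultBackend:
  enabled: false
  name: defaultbackend
  image:
    image: defaultbackend-amd64
    # Tag-only reference, not pinned by digest.
    tag: "1.5"
    pullPolicy: IfNotPresent
    runAsNonRoot: true
    runAsUser: 65534
    runAsGroup: 65534
    allowPrivilegeEscalation: false
    seccompProfile:
      type: RuntimeDefault
    readOnlyRootFilesystem: true
  extraArgs: {}
  serviceAccount:
    create: true
    name: ""
    automountServiceAccountToken: true
  extraEnvs: []
  port: 8080
  livenessProbe:
    failureThreshold: 3
    initialDelaySeconds: 30
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 5
  readinessProbe:
    failureThreshold: 6
    initialDelaySeconds: 0
    periodSeconds: 5
    successThreshold: 1
    timeoutSeconds: 5
  updateStrategy: {}
  minReadySeconds: 0
  tolerations: []
  affinity: {}
  topologySpreadConstraints: []
  podSecurityContext: {}
  containerSecurityContext: {}
  podLabels: {}
  nodeSelector:
    kubernetes.io/os: linux
  podAnnotations: {}
  replicaCount: 1
  minAvailable: 1
  unhealthyPodEvictionPolicy: ""
  resources: {}
  extraVolumeMounts: []
  extraVolumes: []
  extraConfigMaps: []
  autoscaling:
    annotations: {}
    enabled: false
    minReplicas: 1
    maxReplicas: 2
    targetCPUUtilizationPercentage: 50
    targetMemoryUtilizationPercentage: 50
  networkPolicy:
    enabled: false
  service:
    annotations: {}
    externalIPs: []
    loadBalancerSourceRanges: []
    servicePort: 80
    type: ClusterIP
  priorityClassName: ""
  labels: {}

# RBAC objects are created by the chart. `scope: false` is paired with
# `controller.scope.enabled: false` in the same values file.
rbac:
  create: true
  scope: false

# Service account for the controller; its API token is mounted into the pod.
serviceAccount:
  create: true
  name: ""
  automountServiceAccountToken: true
  annotations: {}

imagePullSecrets: []

# No extra TCP/UDP services are exposed through the controller.
tcp: {}
udp: {}

portNamePrefix: ""
dhParam: ""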

安装部署

$ helm install ingress-nginx  -n ingress-nginx --create-namespace  -f values.yaml .

$ kubectl get all -n ingress-nginx
NAME READY STATUS RESTARTS AGE
pod/ingress-nginx-controller-5db47578f5-cvsv9 1/1 Running 0 51m

NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/ingress-nginx-controller-admission ClusterIP 10.96.215.211 <none> 443/TCP 51m

NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/ingress-nginx-controller 1/1 1 1 51m

NAME DESIRED CURRENT READY AGE
replicaset.apps/ingress-nginx-controller-5db47578f5 1 1 1 51m

测试验证

$ cat test_ingress.yaml 
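# Throwaway backend used only to check that the ingress controller routes
# traffic. No namespace is set, so it lands in kubectl's current namespace.
# It carries no resource limits or securityContext; remove it after the test.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.24.0
          ports:
            - containerPort: 80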
---
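# Service in front of the test pods, selected by the `app: nginx` label. No
# `type` is set, so the API default applies.
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80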
---
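# Ingress routing nginx.example.com to the test Service through the `nginx`
# ingress class. There is no `tls` section, so this rule serves plain HTTP
# only, which is enough for a smoke test.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress
spec:
  ingressClassName: nginx
  rules:
    - host: nginx.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx-service
                port:
                  number: 80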

测试

$ kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
nginx-ingress nginx nginx.example.com 80 141m

$ curl -I nginx.example.com
HTTP/1.1 200 OK
Date: Mon, 10 Mar 2025 09:51:34 GMT
Content-Type: text/html
Content-Length: 615
Connection: keep-alive
Last-Modified: Tue, 11 Apr 2023 01:45:34 GMT
ETag: "6434bbbe-267"
Accept-Ranges: bytes

K8S部署ingress-nginx主机模式
http://example.com/2025/03/10/K8S部署ingress-nginx/
作者
种田人
发布于
2025年3月10日
许可协议