1.集群信息

NAME       STATUS   ROLES    AGE    VERSION    INTERNAL-IP     EXTERNAL-IP   OS-IMAGE                KERNEL-VERSION          CONTAINER-RUNTIME
k-master   Ready    master   139d   v1.18.10   192.168.6.211   <none>        CentOS Linux 7 (Core)   3.10.0-957.el7.x86_64   docker://18.9.9
k-node-1   Ready    <none>   138d   v1.18.10   192.168.6.212   <none>        CentOS Linux 7 (Core)   3.10.0-957.el7.x86_64   docker://18.9.9
k-node-2   Ready    <none>   138d   v1.18.10   192.168.6.213   <none>        CentOS Linux 7 (Core)   3.10.0-957.el7.x86_64   docker://18.9.9

2.安装ingress控制器

使用k8s官方ingress项目ingress-nginx，使用官方提供的Bare-metal环境yaml进行安装，文件链接：
https://raw.githubusercontent...

3.安装完成后
kubectl get po -n ingress-nginx -o wide

NAME                                      READY   STATUS      RESTARTS   AGE    IP             NODE       NOMINATED NODE   READINESS GATES
ingress-nginx-admission-create-czr9h      0/1     Completed   0          12d    10.244.1.151   k-node-1   <none>           <none>
ingress-nginx-admission-patch-mgtzg       0/1     Completed   1          12d    10.244.1.152   k-node-1   <none>           <none>
ingress-nginx-controller-d95888b7-7fnv4   1/1     Running     0          3d1h   10.244.2.186   k-node-2   <none>           <none>

kubectl get svc -n ingress-nginx

NAME                                 TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx-controller             NodePort    10.1.149.161   <none>        80:32440/TCP,443:31870/TCP   12d
ingress-nginx-controller-admission   ClusterIP   10.1.36.105    <none>        443/TCP                      12d

4.创建ingress资源

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-test
spec:
  tls:
  - hosts:
      - ng.foo.com
    secretName: ng
  - hosts:
      - to.foo.com
    secretName: to.foo.com
  backend:
    serviceName: nginx-svc
    servicePort: 80
  rules:
    - host: ng.foo.com
      http:
        paths:
          - path: /
            backend:
              serviceName: nginx-svc
              servicePort: 80
    - host: to.foo.com
      http:
        paths:
          - path: /
            backend:
              serviceName: tomcat-svc
              servicePort: 8080

nginx-svc和tomcat-svc已经创建，相关service对应的pod也已经创建

ingress资源：
kubectl get ing -o wide

NAME           CLASS    HOSTS                   ADDRESS         PORTS     AGE
ingress-test   <none>   ng.foo.com,to.foo.com   192.168.6.213   80, 443   5d

kubectl describe ing ingress-test

Name:             ingress-test
Namespace:        default
Address:          192.168.6.213
Default backend:  nginx-svc:80 (10.244.1.154:80,10.244.1.158:80)
TLS:
  ng terminates ng.foo.com
  to.foo.com terminates to.foo.com
Rules:
  Host        Path  Backends
  ----        ----  --------
  ng.foo.com
              /   nginx-svc:80 (10.244.1.154:80,10.244.1.158:80)
  to.foo.com
              /        tomcat-svc:8080 (10.244.1.162:8080,10.244.2.185:8080)
Annotations:  Events:  <none>

注：ng.foo.com/to.foo.com等相关域名已在系统hosts中解析到192.168.6.213（是集群中节点的内网IP）

5.提问
现在只能通过ng.foo.com:32440也就是192.168.6.213:32440访问服务， 为什么不能通过192.168.6.213:80/443访问服务呢？请问怎样实现不实用NodePort提供的随机端口访问ingress？

k8s 常用的暴露服务方式

1. NodePort 缺点不能指定30000以下端
2. loadBalancer 类型需要云服务的支持，其实也就是在nodeport前做了负载均衡
3. 在创建Pod时指定hostNetwork为true，这种就类似docker中的host网络模型，你的pod直接再用当前部署的宿主机的网络，自然服务也就暴漏出去了。

参见：
https://kubernetes.github.io/...