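0. Change kube-proxy from iptables to IPVS (optional)
- Edit the kube-proxy configuration:
kubectl edit cm kube-proxy -n kube-system # set the mode field to "ipvs"
- Restart kube-proxy:
kubectl delete pod -l k8s-app=kube-proxy -n kube-system
- Verify the IPVS state:
ipvsadm -Ln # list the load-balancing rules
1. Download the latest package (4.12.0) from GitHub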
Releases · kubernetes/ingress-nginx · GitHub
2. Extract the archive
tar -zxvf ingress-nginx-4.12.0.tgz
cd ingress-nginx
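3. Edit values.yaml
# If you use ingress-nginx for projects deployed in the cluster, install docker or containerd on the worker nodes beforehand and pull the images manually to test that the registry and images are available. The manual pull commands are: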
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:v1.12.0
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-webhook-certgen:v1.5.0
cd ingress-nginx
[root@k8s-master ingress-nginx]# vim values.yaml
# First change: point the global registry at the Aliyun registry
global:
  image:
    # -- Registry host to pull images from.
    registry: registry.cn-hangzhou.aliyuncs.com
# Second change: change the controller image name and comment out digest
controller:
  name: controller
  enableAnnotationValidations: true
  image:
    ## Keep false as default for now!
    chroot: false
    # registry: registry.k8s.io
    # image: google_containers/ingress-nginx/controller
    image: google_containers/nginx-ingress-controller
    ## for backwards compatibility consider setting the full image url via the repository value below
    ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
    ## repository:
    tag: "v1.12.0"
    # digest: sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
    # digestChroot: sha256:87c88e1c38a6c8d4483c8f70b69e2cca49853bb3ec3124b9b1be648edf139af3
# Third change: change the image name near patch (controller.admissionWebhooks.patch), and comment out digest
patch:
  enabled: true
  image:
    # registry: registry.k8s.io
    image: google_containers/kube-webhook-certgen
    ## for backwards compatibility consider setting the full image url via the repository value below
    ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
    ## repository:
    tag: v1.5.0
    # digest: sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
# Fourth change: hostNetwork (under controller)
# change false to true
hostNetwork: true
# Fifth change: dnsPolicy (under controller)
# change ClusterFirst to ClusterFirstWithHostNet
dnsPolicy: ClusterFirstWithHostNet
# Sixth change: kind (optional, under controller)
# -- Use a `DaemonSet` or `Deployment`
# change Deployment to DaemonSet
kind: DaemonSet
# Seventh change: add a label (optional; both of my worker nodes run a standalone nginx and port 80 is occupied, so I want the controller deployed to the master).
# Remember to put the label on the node: kubectl label node k8s-node1 ingress=true
nodeSelector:
  kubernetes.io/os: linux
  # added
  ingress: "true"
# Eighth change (optional; I did not change this): enabled should be changed to false
admissionWebhooks:
  name: admission
  annotations: {}
  # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem".
  ## Additional annotations to the admission webhooks.
  ## These annotations will be added to the ValidatingWebhookConfiguration and
  ## the Jobs Spec of the admission webhooks.
  enabled: false
# Ninth change (localization): find controller.service.type and change it to NodePort, because the service has to be exposed externally.
# This type is indented under controller.service; make sure you find and modify the correct one.
controller:
  service:
    annotations: {}
    # -- Labels to be added to both controller services.
    labels: {}
    # -- Type of the external controller service.
    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: NodePort
    # Tenth change (optional; if the fourth change above was set to true, this setting does not take effect, because the host's ports 80 and 443 are used): also fix the exposed ports
    appProtocol: true
    nodePorts:
      # -- Node port allocated for the external HTTP listener. If left empty, the service controller allocates one from the configured node port range.
      http: "30080"
      # -- Node port allocated for the external HTTPS listener. If left empty, the service controller allocates one from the configured node port range.
      https: "30443"
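The edits above comment out the upstream image digests, turn on hostNetwork and optionally disable the admission webhook, so it is worth listing those settings before installing. The following is an added example, not part of the original post or of the ingress-nginx project: a shell function that reports them from a values file. The function names, the sample values and the placeholder digest are constructed for illustration.

```shell
#!/bin/sh
# audit_values [FILE]: flag the hardening-relevant settings this guide changes.
# Minimal indentation-based reader for plain "key: value" YAML; exits 1 on findings.
audit_values() {
  awk '
    function unset(p) { return !(p in seen) || seen[p] == "" }
    function report(msg) { print "FINDING: " msg; n++ }
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    {
      indent = 0
      while (substr($0, indent + 1, 1) == " ") indent++
      line = substr($0, indent + 1)
      sub(/[ \t]+#.*$/, "", line)                # strip trailing comment
      key = line; sub(/:.*$/, "", key)           # text before the first colon
      val = substr(line, length(key) + 2)
      gsub(/^[ \t"]+|[ \t"]+$/, "", val)         # trim spaces and quotes
      while (depth > 0 && ind[depth] >= indent) depth--
      depth++; ind[depth] = indent; name[depth] = key
      path = name[1]
      for (i = 2; i <= depth; i++) path = path "." name[i]
      seen[path] = val
    }
    END {
      if (unset("controller.image.digest"))
        report("controller image selected by tag only, digest not pinned")
      if (unset("controller.admissionWebhooks.patch.image.digest"))
        report("kube-webhook-certgen image selected by tag only, digest not pinned")
      if (seen["controller.hostNetwork"] == "true")
        report("hostNetwork true: controller shares the node network namespace")
      if (seen["controller.admissionWebhooks.enabled"] == "false")
        report("admission webhook disabled: Ingress objects are not validated")
      exit (n > 0)
    }
  ' "$@"
}

# Constructed sample values: "relaxed" mirrors this guide, "pinned" is the stricter form.
sample_values() {
  if [ "$1" = pinned ]; then d="digest: sha256:CONSTRUCTED-PLACEHOLDER"; hn=false; wh=true
  else d="# digest: commented out"; hn=true; wh=false; fi
  printf 'controller:\n  image:\n    tag: "v1.12.0"\n    %s\n  hostNetwork: %s\n' "$d" "$hn"
  printf '  admissionWebhooks:\n    enabled: %s\n    patch:\n      image:\n' "$wh"
  printf '        tag: v1.5.0\n        %s\n' "$d"
}

sample_values relaxed | audit_values || true   # prints four FINDING lines
```

Against the real file, run `audit_values ./ingress-nginx/values.yaml`. If you keep the mirror registry, the digest to pin is the one the mirror actually serves, after you have compared the pulled image with the upstream release.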
3. Deploy
Go back up to the parent directory
helm install ingress-nginx ./ingress-nginx --namespace ingress-nginx --create-namespace -f ./ingress-nginx/values.yaml
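4. Deploy on the master node (the worker nodes all run nginx, so ports such as 80 are occupied)
1. Label the master node
# Label the master node (the label name is arbitrary); k8s-master can also be given as an IP
kubectl label node k8s-master ingress-node=true
# Confirm that the label took effect
kubectl get node k8s-master --show-labels
2. Edit values.yaml so that the controller tolerates the master node's taint
controller:
  nodeSelector:
    ingress-node: "true" # matches the master node's label
  tolerations:
    - key: "node-role.kubernetes.io/control-plane"
      operator: "Exists" # tolerate the master node's taint
      effect: "NoSchedule"
3. If ports 80/443 on the master node are already in use, adjust the ingress-nginx port mapping:
controller:
  hostNetwork: false # disable host network mode
  service:
    type: NodePort # expose the service through NodePort
    ports:
      http: 30080 # custom external access port (avoids a conflict with the node's Nginx)
      https: 30443
    targetPorts:
      http: 80 # container-internal ports keep their defaults
      https: 443
4. Deploy and verify
# Update the Helm configuration
helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \
  -n ingress-nginx \
  -f values.yaml
# Check whether the Pod was scheduled onto the master node
kubectl get pods -n ingress-nginx -o wide
# Inspect the Service port mapping
kubectl get svc -n ingress-nginx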