K8S in Practice: Deploying Traefik Ingress

1. Introduction to Traefik


Traefik is an open-source edge router that makes publishing services easy and even enjoyable. It receives requests on behalf of your system and works out which component is responsible for handling them. What sets it apart, beyond its many features, is that it automatically discovers the right configuration for your services: when Traefik inspects your infrastructure it finds the relevant information and learns which service serves which request.

Traefik is natively compatible with every major cluster technology, such as Kubernetes, Docker, Docker Swarm, AWS, Mesos, Marathon and more, and can handle several of them at the same time (it even works for legacy software running on bare metal). With Traefik there is no need to maintain and synchronise separate configuration files: everything happens automatically and in real time (no restarts, no dropped connections). Your time goes into developing and deploying new features for your system rather than configuring and maintaining its working state.


2. Deploying Traefik


2.1: Create the namespace

[root@k8s-master1 ~]# cd /opt/k8s/work/
[root@k8s-master1 work]# mkdir traefik
[root@k8s-master1 work]# cd traefik/

[root@k8s-master1 traefik]# kubectl create ns ingress-traefik

2.2: Create the CRD resources

Since Traefik v2.0, routing configuration is done through CRDs (Custom Resource Definitions), so the CRD resources have to be created in advance.


[root@k8s-master1 traefik]# vim traefik-crd.yaml
## IngressRoute
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
---
## IngressRouteTCP
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
---
## Middleware
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
---
## TLSOption
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
---
## TraefikService
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: traefikservices.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TraefikService
    plural: traefikservices
    singular: traefikservice
---
## TraefikTLSStore
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsstores.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSStore
    plural: tlsstores
    singular: tlsstore
---
## IngressRouteUDP
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressrouteudps.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteUDP
    plural: ingressrouteudps
    singular: ingressrouteudp

#Create the resources
[root@k8s-master1 traefik]# kubectl apply -f traefik-crd.yaml

#Check the CRD resources
[root@k8s-master1 traefik]# kubectl get crd | grep traefik

2.3: Create the RBAC permissions

Traefik needs certain permissions, so create the Traefik ServiceAccount ahead of time and grant it the required permissions.


[root@k8s-master1 traefik]# vim traefik-rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: ingress-traefik
  name: traefik-ingress-controller
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups: [""]
    resources: ["services","endpoints","secrets"]
    verbs: ["get","list","watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get","list","watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses/status"]
    verbs: ["update"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["middlewares"]
    verbs: ["get","list","watch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["ingressroutes","traefikservices"]
    verbs: ["get","list","watch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["ingressroutetcps","ingressrouteudps"]
    verbs: ["get","list","watch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["tlsoptions","tlsstores"]
    verbs: ["get","list","watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: ingress-traefik

#Create the resources
[root@k8s-master1 traefik]# kubectl apply -f traefik-rbac.yaml

#Check the resources
[root@k8s-master1 traefik]# kubectl get secrets -n ingress-traefik|grep traefik

[root@k8s-master1 traefik]# kubectl get clusterrole|grep traefik

2.4: Create the configuration file

[root@k8s-master1 traefik]# vim traefik-config.yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-config
  namespace: ingress-traefik
data:
  traefik.yaml: |-
    ping: ""                      ## enable the ping endpoint
    serversTransport:
      insecureSkipVerify: true    ## Traefik skips verification of the proxied services' TLS certificates
    api:
      insecure: true              ## allow plain HTTP access to the API
      dashboard: true             ## enable the dashboard
      debug: false                ## enable debug mode
    metrics:
      prometheus: ""              ## expose Prometheus metrics with the default settings
    entryPoints:
      web:
        address: ":80"            ## listen on port 80, entry point named web
      websecure:
        address: ":443"           ## listen on port 443, entry point named websecure
    providers:
      kubernetesCRD: ""           ## enable the Kubernetes CRD provider for routing rules
      kubernetesIngress: ""       ## enable the Kubernetes Ingress provider for routing rules
    log:
      filePath: ""                ## log file path; empty means the console
      level: error                ## log level
      format: json                ## log format
    accessLog:
      filePath: ""                ## access log file path; empty means the console
      format: json                ## access log format
      bufferingSize: 0            ## number of access log lines to buffer
      filters:
        #statusCodes: ["200"]     ## keep only access logs whose status code is in the given range
        retryAttempts: true       ## keep access logs for requests that went through a retry
        minDuration: 20           ## keep access logs for requests that took longer than this
      fields:                     ## whether access log fields are kept (keep / drop)
        defaultMode: keep         ## keep fields by default
        names:                    ## per-field overrides
          ClientUsername: drop
        headers:                  ## whether header fields are kept
          defaultMode: keep       ## keep header fields by default
          names:                  ## per-header overrides
            User-Agent: redact
            Authorization: drop
            Content-Type: keep

#Create the resource
[root@k8s-master1 traefik]# kubectl apply -f traefik-config.yaml
configmap/traefik-config created

#Check the resource
[root@k8s-master1 traefik]# kubectl get cm -n ingress-traefik
NAME             DATA   AGE
traefik-config   1      13s

2.5: Label the nodes

Because the pods are created by a K8S DaemonSet controller, the nodes that should receive them need a label in advance; when the workload is deployed, the Pods are then scheduled automatically onto the nodes carrying the matching Label.

[root@k8s-master1 traefik]# kubectl get nodes

#Add the labels
[root@k8s-master1 traefik]# kubectl label nodes k8s-node1 IngressProxy=true

[root@k8s-master1 traefik]# kubectl label nodes k8s-node2 IngressProxy=true

[root@k8s-master1 traefik]# kubectl label nodes k8s-node3 IngressProxy=true

#Check the labels
[root@k8s-master1 traefik]# kubectl get nodes --show-labels

2.6: Deploy Traefik

2.6.1: Create the Service

[root@k8s-master1 traefik]# vim traefik-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: traefik
  namespace: ingress-traefik
spec:
  type: NodePort
  ports:
    - name: web
      port: 80
    - name: websecure
      port: 443
    - name: admin
      port: 8080
  selector:
    app: traefik

2.6.2: Create the DaemonSet

[root@k8s-master1 traefik]# vim traefik-deploy.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: traefik-ingress-controller
  namespace: ingress-traefik
  labels:
    app: traefik
spec:
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      name: traefik
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 1
      containers:
        - image: traefik:v2.3.5
          name: traefik-ingress-lb
          ports:
            - name: web
              containerPort: 80
              hostPort: 80            ## bind the container port to port 80 of the host
            - name: websecure
              containerPort: 443
              hostPort: 443           ## bind the container port to port 443 of the host
            - name: admin
              containerPort: 8080     ## Traefik Dashboard port
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 1000m
              memory: 1024Mi
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          args:
            - --configfile=/config/traefik.yaml
          volumeMounts:
            - mountPath: "/config"
              name: "config"
      volumes:
        - name: config
          configMap:
            name: traefik-config
      tolerations:                    ## tolerate every taint, so a tainted node still runs the pod
        - operator: "Exists"
      nodeSelector:                   ## node selector: only start on nodes carrying this label
        IngressProxy: "true"

#Create the resource
[root@k8s-master1 traefik]# kubectl apply -f traefik-deploy.yaml

#Check the resource
[root@k8s-master1 traefik]# kubectl get po -n ingress-traefik

2.7: Create the routing rules

  • I demonstrate here with the Traefik dashboard and the K8S Dashboard

Method 1: Configure routing rules via CRD

(1) Configure an HTTP access routing rule
  • Demonstrated with the Traefik dashboard

[root@k8s-master1 traefik]# vim traefik-dashboard-route.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-route
  namespace: ingress-traefik
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`traefik.dqzboy.com`)
      kind: Rule
      services:
        - name: traefik   #name of the Service resource created above
          port: 8080
  • On your PC, map the Host domain used in the CRD resource to the physical IP of a node that the DaemonSet was scheduled onto; then enter traefik.dqzboy.com in the browser to reach the Traefik dashboard
(2) Configure an HTTPS access routing rule
  • Demonstrated with the official Kubernetes Dashboard

#First, generate the certificate files
[root@k8s-master1 traefik]# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout traefik.key -out traefik.crt -subj "/CN=dqzboy"

#Store the certificate in a Kubernetes Secret
[root@k8s-master1 traefik]# kubectl create secret generic k8s-dashboard-tls --from-file=traefik.crt --from-file=traefik.key -n kubernetes-dashboard

#Create the HTTPS routing rule for the official dashboard
[root@k8s-master1 traefik]# vim k8s-dashboard-router.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: kubernetes-dashboard-route
  namespace: kubernetes-dashboard   #namespace the dashboard belongs to
spec:
  entryPoints:
    - websecure
  tls:
    secretName: k8s-dashboard-tls   #name of the Secret imported above
  routes:
    - match: Host(`k8sboard.dqzboy.com`)
      kind: Rule
      services:
        - name: kubernetes-dashboard   #this name must match metadata.name of the Service in the manifest used to deploy the K8S dashboard (i.e. the svc)
          port: 443

#Create the routing rule
[root@k8s-master1 traefik]# kubectl apply -f k8s-dashboard-router.yaml
  • Likewise, resolve the domain name on your own PC
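The dashboard route in (1) relies on api.insecure: true, which serves the dashboard and API on port 8080 with no authentication, and the admin NodePort in 2.6.1 exposes that port to the network. Below is an added example, not from the original post, that publishes the same dashboard only through the websecure entry point with basic auth and a TLS floor, using the Middleware and TLSOption CRDs created in 2.2 and the Secret-based TLS approach from (2); the names dashboard-auth, dashboard-users, modern-tls and traefik-dashboard-tls are assumed.

```yaml
## Constructed example (not part of the original post); resource names are assumed
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth
  namespace: ingress-traefik
spec:
  basicAuth:
    secret: dashboard-users        # Secret whose "users" key holds htpasswd-format lines
---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: modern-tls
  namespace: ingress-traefik
spec:
  minVersion: VersionTLS12         # refuse TLS 1.0/1.1 clients on this route
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-secure
  namespace: ingress-traefik
spec:
  entryPoints:
    - websecure                    # HTTPS only; nothing on the web (80) entry point
  routes:
    - match: Host(`traefik.dqzboy.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      kind: Rule
      middlewares:
        - name: dashboard-auth     # credentials required before the dashboard is reached
      services:
        - name: api@internal       # Traefik's built-in API/dashboard service (needs api.dashboard: true)
          kind: TraefikService
  tls:
    secretName: traefik-dashboard-tls   # tls.crt/tls.key Secret, created like k8s-dashboard-tls above
    options:
      name: modern-tls
```

The dashboard-users Secret must carry a key named users containing htpasswd lines (for example: kubectl create secret generic dashboard-users --from-file=users=./users -n ingress-traefik). Once this route works, set api.insecure: false in traefik-config.yaml and remove the admin port from the Service, so the unauthenticated port 8080 is no longer reachable.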

Method 2: Configure routing rules via Ingress

(1) Create the Traefik routing rule

[root@k8s-master1 traefik]# vim traefik-dashboard-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-dashboard-ingress
  namespace: ingress-traefik   #namespace the traefik service belongs to
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  rules:
    - host: traefik01.dqzboy.com
      http:
        paths:
          - path: /
            backend:
              serviceName: traefik
              servicePort: 8080

#Create the route
[root@k8s-master1 traefik]# kubectl apply -f traefik-dashboard-ingress.yaml

#Check the service
[root@k8s-master1 traefik]# kubectl get ing -n ingress-traefik
NAME                        CLASS    HOSTS                  ADDRESS   PORTS   AGE
traefik-dashboard-ingress   <none>   traefik01.dqzboy.com             80      26s
  • Add the domain to the hosts file on your own PC, then open it in the browser
(2) Create the K8S dashboard routing rule

#First, generate the certificate files
[root@k8s-master1 traefik]# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout traefik.key -out traefik.crt -subj "/CN=dqzboy"

#Store the certificate in a Kubernetes Secret
[root@k8s-master1 traefik]# kubectl create secret generic k8s-dashboard-tls --from-file=traefik.crt --from-file=traefik.key -n kubernetes-dashboard

#Create the resource
[root@k8s-master1 traefik]#
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kubernetes-dashboard-ingress
  namespace: kubernetes-dashboard   #namespace the dashboard service belongs to
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
  tls:
    - secretName: k8s-dashboard-tls
  rules:
    - host: k8sboard01.dqzboy.com
      http:
        paths:
          - path: /
            backend:
              serviceName: kubernetes-dashboard   #the Service corresponding to the dashboard
              servicePort: 443

[root@k8s-master1 traefik]# kubectl apply -f k8s-dashboard-ing.yaml

#Check the service (the Ingress lives in the kubernetes-dashboard namespace)
[root@k8s-master1 traefik]# kubectl get ing -n kubernetes-dashboard
  • Resolve the domain on your local PC, then open it in the browser

Author: 浅时光
Original link: https://www.dqzboy.com/5210.html
License: Creative Commons Attribution-ShareAlike 4.0 International (CC BY-NC-SA 4.0)
When reposting, please credit the original source and author with a hyperlink

(End)