1.1 简单认识 traefik代理
Tr?f?k 是一个为了让部署微服务更加便捷而诞生的现代HTTP反向代理、负载均衡工具。 它支持多种后台 (Docker, Swarm, Kubernetes, Marathon, Mesos, Consul, Etcd, Zookeeper, BoltDB, Rest API, file…) 来自动化、动态的应用它的配置文件设置。ingress方案需要使用下列的组件:
1、反向代理负载均衡器
负责加载 ingress control 、ingress生成的配置,并实现reload功能。 ?
2、ingress control
ingress Controller 实质上是个监视器,Ingress Controller 通过不断地跟 kubernetes API 打交道,实时的获取后端 service、pod 的变化,比如新增和减少 pod,service 增加与减少等;当得到这些变化信息后,Ingress Controller 再结合下文的 Ingress 生成配置,然后更新反向代理负载均衡器,并刷新其配置,达到服务发现的作用。 ?
3、ingress
ingress,就类似于互联网应用的负载均衡器(比如Apache/nginx之类的),是kubernetes集群外访问集群的入口,将用户的URL请求转发到不同的service上。其中还包括规则定义,即URL的路由信息,路由信息得的刷新由Ingress controller来提供。
4、RBAC
在开始之前,需要先了解一下什么是RBAC。RBAC(基于角色的访问控制)使用 rbac.authorization.k8s.io API 组来实现权限控制,RBAC 允许管理员通过 Kubernetes API 动态的配置权限策略。在 1.6 版本中 RBAC 还处于 Beat 阶段,如果想要开启 RBAC 授权模式需要在 apiserver 组件中指定 --authorization-mode=RBAC 选项。
在 RBAC API 的四个重要概念: ?
Role:是一系列的权限的集合,例如一个角色可以包含读取 Pod 的权限和列出 Pod 的权限 ?
ClusterRole: 跟 Role 类似,但是可以在集群中到处使用( Role 是 namespace 一级的) ?
RoloBinding:把角色映射到用户,从而让这些用户继承角色在 namespace 中的权限。 ?
ClusterRoleBinding: 让用户继承 ClusterRole 在整个集群中的权限。
参考链接:
http://docs.traefik.cn/basics
https://rootsongjc.gitbooks.io/kubernetes-handbook/content/practice/traefik-ingress-installation.html
1.2 部署 Tr?f?k
因为我这里是作为kubernetes服务的暴露,因此你得有一个kubernetes集群。如果你没有,可以通过kubeadm/kops等方式快速部署一个kubernetes集群,具体使用那一种方式安装你的kubernetes集群,完全取决于你的爱好。
给集群的节点打上labe;
kubectl label nodes 192.168.2.11 edgenode=traefik-proxykubectl label nodes 192.168.2.12 edgenode=traefik-proxykubectl label nodes 192.168.2.13 edgenode=traefik-proxy kubectl get nodes --show-labelsNAME ??????????STATUS ????????????????????ROLES ????AGE ??????VERSION ??LABELS192.168.2.10 ??Ready,SchedulingDisabled ??master ???5d ???????v1.11.3 ??beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/hostname=192.168.2.10,kubernetes.io/role=master192.168.2.11 ??Ready ?????????????????????node ?????5d ???????v1.11.3 ??beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,edgenode=traefik-proxy,kubernetes.io/hostname=192.168.2.11,kubernetes.io/role=node192.168.2.12 ??Ready ?????????????????????node ?????5d ???????v1.11.3 ??beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,edgenode=traefik-proxy,kubernetes.io/hostname=192.168.2.12,kubernetes.io/role=node192.168.2.13 ??Ready ?????????????????????node ?????5d ???????v1.11.3 ??beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,edgenode=traefik-proxy,kubernetes.io/hostname=192.168.2.13,kubernetes.io/role=node192.168.2.14 ??Ready,SchedulingDisabled ??master ???5d ???????v1.11.3 ??beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/hostname=192.168.2.14,kubernetes.io/role=master准备所需配置文件:
# cat ingress-rbac.yaml apiVersion: v1kind: ServiceAccountmetadata: ?name: ingress ?namespace: kube-system---kind: ClusterRoleBindingapiVersion: rbac.authorization.k8s.io/v1beta1metadata: ?name: ingresssubjects: ?- kind: ServiceAccount ???name: ingress ???namespace: kube-systemroleRef: ?kind: ClusterRole ?name: cluster-admin ?apiGroup: rbac.authorization.k8s.io# cat traefik.yaml apiVersion: extensions/v1beta1kind: DaemonSetmetadata: ?name: traefik-ingress-lb ?namespace: kube-system ?labels: ???k8s-app: traefik-ingress-lbspec: ?template: ???metadata: ?????labels: ???????k8s-app: traefik-ingress-lb ???????name: traefik-ingress-lb ???spec: ?????terminationGracePeriodSeconds: 60 ?????hostNetwork: true ?????restartPolicy: Always ?????serviceAccountName: ingress ?????containers: ?????- image: traefik ???????name: traefik-ingress-lb ???????resources: ?????????limits: ???????????cpu: 200m ???????????memory: 30Mi ?????????requests: ???????????cpu: 100m ???????????memory: 20Mi ???????ports: ???????- name: http ?????????containerPort: 80 ?????????hostPort: 80 ???????- name: admin ?????????containerPort: 8580 ?????????hostPort: 8580 ???????args: ???????- --web ???????- --web.address=:8580 ???????- --kubernetes ?????nodeSelector: ???????edgenode: "traefik-proxy" ?#需要安装traefik的标签下面给traefik配置上ui:
# cat ui.yaml apiVersion: v1kind: Servicemetadata: ?name: traefik-web-ui ?namespace: kube-systemspec: ?selector: ???k8s-app: traefik-ingress-lb ?ports: ?- name: web ???port: 80 ???targetPort: 8580---apiVersion: extensions/v1beta1kind: Ingressmetadata: ?name: traefik-web-ui ?namespace: kube-systemspec: ?rules: ?- host: tf.abcgogo.com #配置ui的域名 ???http: ?????paths: ?????- path: / ???????backend: ?????????serviceName: traefik-web-ui ?????????servicePort: web准备好配置文件后,执行命令:
kubectl apply -f .检查是否执行成功:
# kubectl get svc,deployment,pod --all-namespaces -o wide | grep traefikkube-system ??service/traefik-web-ui ????????ClusterIP ??10.68.166.109 ??<none> ???????80/TCP ?????????????4h ???????k8s-app=traefik-ingress-lbkube-system ??pod/traefik-ingress-lb-2qbgd ???????????????1/1 ??????Running ??0 ?????????4h ???????192.168.2.12 ??192.168.2.12 ??<none>kube-system ??pod/traefik-ingress-lb-9tc6n ???????????????1/1 ??????Running ??0 ?????????4h ???????192.168.2.11 ??192.168.2.11 ??<none>kube-system ??pod/traefik-ingress-lb-fmfn6 ???????????????1/1 ??????Running ??0 ?????????4h ???????192.168.2.13 ??192.168.2.13 ??<none>查看svc,ing状态:
# kubectl describe svc,ing traefik-web-ui -n kube-systemName: ?????????????traefik-web-uiNamespace: ????????kube-systemLabels: ???????????<none>Annotations: ??????kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"name":"traefik-web-ui","namespace":"kube-system"},"spec":{"ports":[{"name":"web","por...Selector: ?????????k8s-app=traefik-ingress-lbType: ?????????????ClusterIPIP: ???????????????10.68.166.109Port: ?????????????web ?80/TCPTargetPort: ???????8580/TCPEndpoints: ????????192.168.2.11:8580,192.168.2.12:8580,192.168.2.13:8580Session Affinity: ?NoneEvents: ???????????<none>Name: ????????????traefik-web-uiNamespace: ???????kube-systemAddress: ?????????Default backend: ?default-http-backend:80 (<none>)Rules: ?Host ???????????Path ?Backends ?---- ???????????---- ?-------- ?tf.abcgogo.com ???????????????????/ ??traefik-web-ui:web (192.168.2.11:8580,192.168.2.12:8580,192.168.2.13:8580)Annotations: ?kubectl.kubernetes.io/last-applied-configuration: ?{"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{},"name":"traefik-web-ui","namespace":"kube-system"},"spec":{"rules":[{"host":"tf.abcgogo.com","http":{"paths":[{"backend":{"serviceName":"traefik-web-ui","servicePort":"web"},"path":"/"}]}}]}}Events: ?<none>使用部署traefik节点的node ip: port就可以访问了,
当然刚才配置了域名,可以直接使用域名访问,前提是对域名做好了dns解析。
自定义一个ingress:
apiVersion: v1kind: Servicemetadata: ?name: nginx-svcspec: ?template: ???metadata: ?????labels: ???????name: nginx-svc ???????namespace: defaultspec: ?selector: ???run: ngx-pod ?ports: ?- protocol: TCP ???port: 80 ???targetPort: 80---apiVersion: apps/v1beta1kind: Deploymentmetadata: ?name: ngx-podspec: ?replicas: 4 ?template: ???metadata: ?????labels: ???????run: ngx-pod ???spec: ?????containers: ?????- name: nginx ???????image: nginx:1.10 ???????ports: ???????- containerPort: 80---apiVersion: extensions/v1beta1kind: Ingressmetadata: ?name: ngx-ing ?annotations: ???kubernetes.io/ingress.class: traefikspec: ?rules: ?- host: traefik.abcgogo.com ???http: ?????paths: ?????- backend: ?????????serviceName: nginx-svc ?????????servicePort: 80,
补充说明:
如果您将traefik部署为deployment
(https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-deployment.yaml),则应检查返回的NodePort kubectl describe svc traefik-ingress-service -n kube-system并将其用作您的URL(http: //traefik-ui.minikube:xxx)
(您不必将traefik-web-ui更改为NodePort)
如果您使用了DeamonSet
(https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-ds.yaml),请使用http://域名。
如果您想traefik-web-ui直接访问最简单的方法是: minikube service traefik-web-ui --url
linux下配置hosts本地解析:echo "$(my master node ip) traefik-ui.minikube" | sudo tee -a /etc/hosts
traefik(一) kubernetes 部署 traefik
原文地址:http://blog.51cto.com/m51cto/2328917