在开始之前,需要先了解一下什么是RBAC。RBAC(基于角色的访问控制)使用?rbac.authorization.k8s.io? API 组来实现权限控制,RBAC 允许管理员通过 Kubernetes API 动态的配置权限策略。在 1.6 版本中 RBAC 还处于 Beat 阶段,如果想要开启 RBAC 授权模式需要在 apiserver 组件中指定?--authorization-mode=RBAC?选项。
在 RBAC API 的四个重要概念:
Role:是一系列的权限的集合,例如一个角色可以包含读取 Pod 的权限和列出 Pod 的权限
ClusterRole: 跟 Role 类似,但是可以在集群中到处使用( Role 是 namespace 一级的)
RoloBinding:把角色映射到用户,从而让这些用户继承角色在 namespace 中的权限。
ClusterRoleBinding: 让用户继承 ClusterRole 在整个集群中的权限。
简单点说RBAC实现了在k8s集群中对api-server的鉴权,更多的RBAC知识点请查阅官方文档:https://kubernetes.io/docs/admin/authorization/rbac/
一、给集群的节点打上label
因为选择deployment方式部署,所以要给集群的节点打上label,后续选择nodeSelector指定traefik=proxy,副本数和集群节点数一致的时候,所有的节点上都会运行一个pod
# kubectl get nodes --show-labels# kubectl label ?node vm1 traefik=proxy# kubectl label ?node vm2 traefik=proxy# kubectl get nodes --show-labels
二、准备yaml文件
1、rbac文件
# cat traefik-rbac.yaml ---kind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1beta1metadata: ?name: traefik-ingress-controllerrules: ?- apiGroups: ?????- "" ???resources: ?????- services ?????- endpoints ?????- secrets ???verbs: ?????- get ?????- list ?????- watch ?- apiGroups: ?????- extensions ???resources: ?????- ingresses ???verbs: ?????- get ?????- list ?????- watch---kind: ClusterRoleBindingapiVersion: rbac.authorization.k8s.io/v1beta1metadata: ?name: traefik-ingress-controllerroleRef: ?apiGroup: rbac.authorization.k8s.io ?kind: ClusterRole ?name: traefik-ingress-controllersubjects:- kind: ServiceAccount ?name: traefik-ingress-controller ?namespace: kube-system2、traefik的deployment文件
# cat traefik-deployment.yaml ??---apiVersion: v1kind: ServiceAccountmetadata: ?name: traefik-ingress-controller ?namespace: kube-system---kind: DeploymentapiVersion: extensions/v1beta1metadata: ?name: traefik-ingress-controller ?namespace: kube-system ?labels: ???k8s-app: traefik-ingress-lbspec: ?replicas: 2 ?selector: ???matchLabels: ?????k8s-app: traefik-ingress-lb ?template: ???metadata: ?????labels: ???????k8s-app: traefik-ingress-lb ???????name: traefik-ingress-lb ???spec: ?????serviceAccountName: traefik-ingress-controller ?????hostNetwork: true ?????nodeSelector: ???????traefik: proxy ?????terminationGracePeriodSeconds: 60 ?????containers: ?????- image: traefik ???????name: traefik-ingress-lb ???????ports: ???????- name: web ?????????containerPort: 80 ?????????hostPort: 80 ???????- name: admin ?????????containerPort: 8081 ???????args: ???????- --web ???????- --web.address=:8081 ???????- --kubernetes3、traefik的service文件
# cat traefik-service.yamlapiVersion: v1kind: Servicemetadata: ?name: traefik-web-ui ?namespace: kube-systemspec: ?selector: ???k8s-app: traefik-ingress-lb ?ports: ?- port: 80targetPort: 80814、通过yaml文件创建clusterrole、clusterrolebinding、deployment、serviceaccount、service
# ls# kubectl create -f traefik-rbac.yaml # kubectl create -f traefik-deployment.yaml # kubectl create -f traefik-service.yaml # kubectl get pod -n kube-system# kubectl get svc -n kube-system# kubectl get svc
可以看到集群中default namespace中存在一个frontend服务。kube-system namespace中存在nginx-test、traefik-web-ui、kubernetes-dashboard三个服务。我们后续将创建4个ingress
通过web-ui可以看到在两个节点上各运行了一个pod
三、通过yaml文件创建ingress
# cat ui.yaml apiVersion: v1kind: Servicemetadata: ?name: traefik-web-ui ?namespace: kube-systemspec: ?selector: ???k8s-app: traefik-ingress-lb ?ports: ?- port: 80 ???targetPort: 8081---apiVersion: extensions/v1beta1kind: Ingressmetadata: ?name: traefik-web-ui ?namespace: kube-system ?annotations: ???kubernetes.io/ingress.class: traefikspec: ?rules: ?- host: traefik-ui ???http: ?????paths: ?????- backend: ?????????serviceName: traefik-web-ui ?????????servicePort: 80# cat webui-ing.yaml ?????????????????apiVersion: extensions/v1beta1kind: Ingressmetadata: ?name: traefik-ingress ?namespace: kube-system ?annotations: ???kubernetes.io/ingress.class: traefikspec: ?rules: ?- host: k8s.webui ???http: ?????paths: ?????- backend: ?????????serviceName: kubernetes-dashboard ??????????servicePort: 443# cat redis-ing.yaml apiVersion: extensions/v1beta1kind: Ingressmetadata: ?name: traefik-ingress ?namespace: default ?annotations: ???kubernetes.io/ingress.class: traefikspec: ?rules: ?- host: k8s.frontend ???http: ?????paths: ?????- backend: ?????????serviceName: frontend ??????????servicePort: 80# cat nginx-ing.yaml apiVersion: extensions/v1beta1kind: Ingressmetadata: ?name: traefik-nginx-ingress ?namespace: kube-system ?annotations: ???kubernetes.io/ingress.class: traefikspec: ?rules: ?- host: test.fjhb.cn ???http: ?????paths: ?????- backend: ?????????serviceName: nginx-test ?????????servicePort: 80# kubectl create -f ui.yaml # kubectl create -f webui-ing.yaml # kubectl create -f redis-ing.yaml # kubectl get ingress # kubectl get ingress -n kube-system
三、验证
1、通过访问traefik service对应的nodeport端口,4个ingress配置都加载到了
2、修改测试机hosts文件,将4个域名的解析分配到两台节点上
3、浏览器访问测试
这里出现500错误的原因是,后端的kubernetes-dashboard配置的是https协议
可以在health页面看到http状态码的统计信息
Kubernetes 1.9集群使用traefik发布服务
原文地址:http://blog.51cto.com/ylw6006/2073718