K8S Practice: Deploying Traefik Ingress

Note: this article was last updated on 2021-02-24 22:52:50. Some articles are time-sensitive; if you find an error or something that no longer works, leave a comment below or open a ticket.
浅时光 · 22 February 2021

1. Introduction to Traefik


Traefik is an open-source edge router that makes publishing services easy and even fun. It receives requests on behalf of your system and works out which components are responsible for handling them. What sets it apart is that, on top of its many features, it automatically discovers the right configuration for your services: as Traefik inspects your infrastructure it finds the relevant information and works out which service should serve which request.

Traefik is natively compatible with every major cluster technology, such as Kubernetes, Docker, Docker Swarm, AWS, Mesos and Marathon, and can handle several of them at the same time (it even works for legacy software running on bare metal). With Traefik there are no separate configuration files to maintain and keep in sync: everything happens automatically and in real time (no restarts, no dropped connections). Your time goes into developing and deploying new features rather than configuring and babysitting the router.

For deploying the K8S cluster itself, refer to the following articles.

2. Deploying Traefik


2.1: Create the namespace

[root@k8s-master1 ~]# cd /opt/k8s/work/
[root@k8s-master1 work]# mkdir traefik
[root@k8s-master1 work]# cd traefik/

[root@k8s-master1 traefik]# kubectl create ns ingress-traefik

2.2: Create the CRD resources

Since Traefik v2.0, routing configuration is done through CRDs (Custom Resource Definitions), so the CRD resources have to be created before Traefik starts. The manifests below use apiextensions.k8s.io/v1, which is available from Kubernetes 1.16 onwards; the older apiextensions.k8s.io/v1beta1 form was removed in Kubernetes 1.22. Because Traefik validates its own objects, the schemas simply preserve unknown fields.

[root@k8s-master1 traefik]# vim traefik-crd.yaml
## IngressRoute
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  group: traefik.containo.us
  scope: Namespaced
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
---
## IngressRouteTCP
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us
spec:
  group: traefik.containo.us
  scope: Namespaced
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
---
## Middleware
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  scope: Namespaced
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
---
## TLSOption
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us
spec:
  group: traefik.containo.us
  scope: Namespaced
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
---
## TraefikService
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: traefikservices.traefik.containo.us
spec:
  group: traefik.containo.us
  scope: Namespaced
  names:
    kind: TraefikService
    plural: traefikservices
    singular: traefikservice
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
---
## TLSStore
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: tlsstores.traefik.containo.us
spec:
  group: traefik.containo.us
  scope: Namespaced
  names:
    kind: TLSStore
    plural: tlsstores
    singular: tlsstore
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true
---
## IngressRouteUDP
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: ingressrouteudps.traefik.containo.us
spec:
  group: traefik.containo.us
  scope: Namespaced
  names:
    kind: IngressRouteUDP
    plural: ingressrouteudps
    singular: ingressrouteudp
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          x-kubernetes-preserve-unknown-fields: true


#Create the resources
[root@k8s-master1 traefik]# kubectl apply -f traefik-crd.yaml

#Check the CRDs
[root@k8s-master1 traefik]# kubectl get crd | grep traefik

2.3: Create RBAC permissions

Traefik needs to read Services, Endpoints, Secrets, Ingress objects and its own CRDs across the cluster, so a ServiceAccount is created first and bound to a ClusterRole with those permissions. Everything is read-only except the update on ingresses/status. The read access to Secrets is the sensitive part: Traefik needs it to load the TLS certificates that routes reference, but it also means that a compromised Traefik pod can read every Secret in the cluster, including ServiceAccount tokens. Lock down the ingress-traefik namespace accordingly, and consider restricting what Traefik watches with providers.kubernetesCRD.namespaces and providers.kubernetesIngress.namespaces in the static configuration.

[root@k8s-master1 traefik]# vim traefik-rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: ingress-traefik
  name: traefik-ingress-controller
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1   ## v1 exists since Kubernetes 1.8; v1beta1 was removed in 1.22
metadata:
  name: traefik-ingress-controller
rules:
  ## Core resources, read-only. "secrets" is granted cluster-wide because Traefik must load the TLS
  ## Secrets referenced by IngressRoute/Ingress objects in any namespace it watches.
  - apiGroups: [""]
    resources: ["services","endpoints","secrets"]
    verbs: ["get","list","watch"]
  ## Ingress objects: "extensions" on old clusters, "networking.k8s.io" from Kubernetes 1.14 on.
  ## ingressclasses are read by Traefik 2.3+ to honour the IngressClass API.
  - apiGroups: ["extensions","networking.k8s.io"]
    resources: ["ingresses","ingressclasses"]
    verbs: ["get","list","watch"]
  - apiGroups: ["extensions","networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["update"]
  ## Traefik's own CRDs created in 2.2, read-only
  - apiGroups: ["traefik.containo.us"]
    resources: ["middlewares"]
    verbs: ["get","list","watch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["ingressroutes","traefikservices"]
    verbs: ["get","list","watch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["ingressroutetcps","ingressrouteudps"]
    verbs: ["get","list","watch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["tlsoptions","tlsstores"]
    verbs: ["get","list","watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: ingress-traefik

#Create the resources
[root@k8s-master1 traefik]# kubectl apply -f traefik-rbac.yaml

#Check the resources (ClusterRole and ClusterRoleBinding are cluster-scoped, so -n does not apply to them)
[root@k8s-master1 traefik]# kubectl get sa,secrets -n ingress-traefik|grep traefik

[root@k8s-master1 traefik]# kubectl get clusterrole,clusterrolebinding|grep traefik

2.4: Create the configuration file

[root@k8s-master1 traefik]# vim traefik-config.yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-config
  namespace: ingress-traefik
data:
  traefik.yaml: |-
    ping: {}                    ## Enable the /ping health endpoint (served on the "traefik" entrypoint, :8080)
    serversTransport:
      insecureSkipVerify: true  ## Do NOT verify backend TLS certificates. Needed here only because the
                                ## Kubernetes Dashboard uses a self-signed certificate; it disables
                                ## man-in-the-middle protection between Traefik and every HTTPS backend
    api:
      insecure: true            ## Serve the API and dashboard unauthenticated over plain HTTP on :8080
      dashboard: true           ## Enable the dashboard
      debug: false              ## Extra debug/profiling endpoints of the API (disabled)
    metrics:
      prometheus: {}            ## Expose Prometheus metrics with default settings (also on :8080)
    entryPoints:
      web:
        address: ":80"          ## Entrypoint named "web" on port 80
      websecure:
        address: ":443"         ## Entrypoint named "websecure" on port 443
    providers:
      kubernetesCRD: {}         ## Read routes from Traefik's CRDs (IngressRoute, Middleware, ...)
      kubernetesIngress: {}     ## Also read standard Kubernetes Ingress objects
    log:
      filePath: ""              ## Traefik's own log; empty means stdout
      level: error              ## Log level (DEBUG, INFO, WARN, ERROR, FATAL, PANIC)
      format: json              ## Log format
    accessLog:
      filePath: ""              ## Access log; empty means stdout
      format: json              ## Access log format
      bufferingSize: 0          ## Lines buffered before writing; 0 writes immediately so nothing is lost on a crash
      filters:                  ## CAUTION: a request is logged only if it matches AT LEAST ONE filter,
                                ## so with the two filters below ordinary requests produce no access log
                                ## at all. Delete the whole filters block to log every request.
        #statusCodes: ["200"]   ## Keep only responses with these status codes or ranges
        retryAttempts: true     ## Keep requests that were retried against a backend
        minDuration: 20s        ## Keep requests that took longer than this (a bare number is read as seconds)
      fields:                   ## Which fields to write (keep, drop or redact)
        defaultMode: keep       ## Keep all fields by default
        names:                  ## Per-field overrides
          ClientUsername: drop
        headers:                ## Request headers
          defaultMode: keep     ## Keep all headers by default
          names:                ## Per-header overrides
            User-Agent: redact
            Authorization: drop ## Never write credentials to the access log
            Content-Type: keep


#Create the resource
[root@k8s-master1 traefik]# kubectl apply -f traefik-config.yaml 
configmap/traefik-config created
#Check the resource
[root@k8s-master1 traefik]# kubectl get cm -n ingress-traefik
NAME             DATA   AGE
traefik-config   1      13s
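
The ConfigMap above works, but three of its settings weaken the deployment: api.insecure publishes the dashboard and API without authentication on port 8080, serversTransport.insecureSkipVerify turns off certificate checking towards every HTTPS backend, and the accessLog.filters block means that only retried or slow requests are ever logged. The following hardened traefik.yaml is an added example written for this article, not a configuration from the original post or from the Traefik project. It keeps the entrypoint names, namespace and Traefik v2.3.5 used above and assumes that routes are only published from the ingress-traefik and kubernetes-dashboard namespaces.

```yaml
# Added example (not from the original post): hardened traefik.yaml for the same DaemonSet.
# Only settings that differ from the ConfigMap above are commented.
kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-config
  namespace: ingress-traefik
data:
  traefik.yaml: |-
    ping: {}                        # /ping is served on the "traefik" entrypoint defined below
    serversTransport:
      insecureSkipVerify: false     # verify backend certificates (the default)
      # rootCAs:                    # CA bundle for backends that use a private PKI
      #   - /certs/backend-ca.crt   # (assumed path; mount the CA from a Secret)
    api:
      insecure: false               # no unauthenticated API/dashboard on :8080
      dashboard: true               # the dashboard still exists, but is reachable only
                                    # through a router that targets api@internal
    metrics:
      prometheus:
        entryPoint: traefik         # metrics stay on :8080, cluster-internal only
    entryPoints:
      traefik:
        address: ":8080"            # health + metrics only; do not expose via NodePort or hostPort
      web:
        address: ":80"
        http:
          redirections:             # redirect all plain HTTP to HTTPS (Traefik >= 2.2)
            entryPoint:
              to: websecure
              scheme: https
              permanent: true
      websecure:
        address: ":443"
        http:
          tls: {}                   # every router on this entrypoint terminates TLS
    providers:
      kubernetesCRD:
        namespaces:                 # only these namespaces may publish routes (assumption: the
          - ingress-traefik         # two namespaces used in this article)
          - kubernetes-dashboard
      kubernetesIngress:
        namespaces:
          - ingress-traefik
          - kubernetes-dashboard
    log:
      level: warn                   # "error" hides RBAC and missing-Secret warnings
      format: json
    accessLog:
      format: json
      bufferingSize: 0              # write immediately; buffered lines are lost on a crash
      # no "filters" block: every request is logged, which is what incident response needs
      fields:
        defaultMode: keep
        headers:
          defaultMode: keep
          names:
            Authorization: drop     # never log credentials
            Cookie: drop            # session cookies are credentials too
```

With api.insecure off, port 8080 serves only /ping and /metrics, so remove the admin port from the NodePort Service in 2.6.1 (probes and a Prometheus scraper still reach the pod IP) and publish the dashboard through an IngressRoute whose service is api@internal, protected by an authentication middleware. Traefik 2.3 has no per-backend transport settings (the ServersTransport CRD arrived in 2.4), so insecureSkipVerify is all or nothing: either keep it true knowingly for the self-signed Kubernetes Dashboard certificate, or mount the dashboard's CA and list it under rootCAs.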

2.5: Label the nodes

Because the pods are created by a Kubernetes DaemonSet with a nodeSelector, the nodes that should run Traefik must be labelled in advance; when the DaemonSet is deployed, its pods are scheduled only onto nodes carrying the matching label. Since the pods bind hostPort 80 and 443, pick nodes on which nothing else listens on those ports, and treat the set of labelled nodes as your exposed edge.

[root@k8s-master1 traefik]# kubectl get nodes


#Add the label
[root@k8s-master1 traefik]# kubectl label nodes k8s-node1 IngressProxy=true

[root@k8s-master1 traefik]# kubectl label nodes k8s-node2 IngressProxy=true

[root@k8s-master1 traefik]# kubectl label nodes k8s-node3 IngressProxy=true

#Check the labels
[root@k8s-master1 traefik]# kubectl get nodes --show-labels

2.6: Deploy Traefik

2.6.1: Create the Service

[root@k8s-master1 traefik]# vim traefik-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: traefik
  namespace: ingress-traefik
spec:
  type: NodePort          ## Every port below is also published on a random 30000-32767 port of every node
  ports:
    - name: web
      port: 80
    - name: websecure
      port: 443
    - name: admin
      port: 8080          ## Unauthenticated dashboard/API (api.insecure=true); through the NodePort it is
                          ## reachable from outside the cluster, not just from the IngressRoute below
  selector:
    app: traefik

#Create the resource
[root@k8s-master1 traefik]# kubectl apply -f traefik-service.yaml

2.6.2: Create the DaemonSet

[root@k8s-master1 traefik]# vim traefik-deploy.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: traefik-ingress-controller
  namespace: ingress-traefik
  labels:
    app: traefik
spec:
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      name: traefik
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 1   ## Very short: in-flight requests are cut off when a pod is replaced
      containers:
        - image: traefik:v2.3.5
          name: traefik-ingress-lb
          ports:
            - name: web
              containerPort: 80
              hostPort: 80         ## Bind the container port to port 80 of the node
            - name: websecure
              containerPort: 443
              hostPort: 443        ## Bind the container port to port 443 of the node
            - name: admin
              containerPort: 8080  ## Traefik dashboard/API, /ping and /metrics (no hostPort)
          readinessProbe:          ## /ping is enabled in traefik-config and served on :8080
            httpGet:
              path: /ping
              port: admin
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /ping
              port: admin
            initialDelaySeconds: 10
            periodSeconds: 10
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 1000m
              memory: 1024Mi
          securityContext:
            capabilities:
              drop:
                - ALL              ## Drop every capability ...
              add:
                - NET_BIND_SERVICE ## ... except the one needed to bind ports 80 and 443
          args:
            - --configfile=/config/traefik.yaml
          volumeMounts:
            - mountPath: "/config"
              name: "config"
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: traefik-config 
      tolerations:              ## Tolerate every taint so the DaemonSet also lands on tainted nodes
        - operator: "Exists"
      nodeSelector:             ## Schedule only onto nodes labelled IngressProxy=true (section 2.5)
        IngressProxy: "true"

#Create the resource
[root@k8s-master1 traefik]# kubectl apply -f traefik-deploy.yaml

#Check the pods (one per labelled node)
[root@k8s-master1 traefik]# kubectl get po -n ingress-traefik -o wide

2.7: Create routing rules

  • The Traefik dashboard and the Kubernetes Dashboard are used as the examples

Method 1: Configure routes via CRD

(1) Configure an HTTP route
  • The Traefik dashboard is used as the example
[root@k8s-master1 traefik]# vim traefik-dashboard-route.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-route
  namespace: ingress-traefik
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`traefik.dqzboy.com`)
    kind: Rule
    services:
      - name: traefik	#the Service created in 2.6.1; port 8080 is the insecure dashboard
        port: 8080

#Create the route
[root@k8s-master1 traefik]# kubectl apply -f traefik-dashboard-route.yaml
  • On your PC, map the hostname from the IngressRoute (traefik.dqzboy.com) to the IP of one of the nodes running the DaemonSet (hosts file), then open http://traefik.dqzboy.com in a browser to reach the Traefik dashboard. Be aware that this publishes the dashboard over plain HTTP with no authentication: anyone who can reach port 80 of a node and send that Host header can browse every router, service and middleware configured in the cluster.
(2) Configure an HTTPS route
  • This time the Kubernetes Dashboard is used as the example
#First generate a certificate. This self-signed certificate has CN=dqzboy and no subjectAltName, so browsers
#will warn that it does not match k8sboard.dqzboy.com; for anything beyond a lab, issue a certificate whose
#SAN matches the hostname.
[root@k8s-master1 traefik]# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout traefik.key -out traefik.crt -subj "/CN=dqzboy"

#Store the certificate in a Kubernetes Secret of type kubernetes.io/tls. Traefik reads the keys "tls.crt" and
#"tls.key"; a generic Secret created with --from-file=traefik.crt stores them under the file names, Traefik
#logs the Secret as missing TLS data and silently serves its built-in default certificate instead.
[root@k8s-master1 traefik]# kubectl create secret tls k8s-dashboard-tls --cert=traefik.crt --key=traefik.key -n kubernetes-dashboard
#Create the HTTPS route for the Kubernetes Dashboard
[root@k8s-master1 traefik]# vim k8s-dashboard-router.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: kubernetes-dashboard-route
  namespace: kubernetes-dashboard	#the namespace the dashboard runs in; IngressRoute, Secret and Service share it
spec:
  entryPoints:
  - websecure
  tls:
    secretName: k8s-dashboard-tls	#the Secret created above (must contain tls.crt and tls.key)
  routes:
  - match: Host(`k8sboard.dqzboy.com`) 
    kind: Rule
    services:
      - name: kubernetes-dashboard  #must equal metadata.name of the Service in the dashboard's own manifest
        port: 443                   #the dashboard speaks HTTPS itself; Traefik uses https for port 443, which is why insecureSkipVerify is set in 2.4

#Create the route
[root@k8s-master1 traefik]# kubectl apply -f k8s-dashboard-router.yaml
  • As before, add a hosts entry on your PC for k8sboard.dqzboy.com pointing at a node, then open https://k8sboard.dqzboy.com in a browser.
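
Both routes in Method 1 hand the dashboards to anyone who can reach port 80 or 443 on a node and send the right Host header. As an added example, not part of the original post or of Traefik's own manifests, the following objects put the Traefik dashboard behind HTTPS, BasicAuth and a source-IP allow list, and pin the TLS parameters with the TLSOption CRD created in 2.2. The router targets Traefik's internal service api@internal, so it works whether api.insecure is true or false. The hostname traefik.dqzboy.com is taken from the article; the 10.0.0.0/8 range, the admin user and the Secret names dashboard-users and traefik-dashboard-tls are placeholders to replace.

```yaml
# Added example (not from the original post): Traefik dashboard over HTTPS only,
# behind BasicAuth and an IP allow list, routed to api@internal.
#
# Create the two Secrets first (htpasswd comes from apache2-utils / httpd-tools):
#   htpasswd -nbB admin 'change-me' > users
#   kubectl -n ingress-traefik create secret generic dashboard-users --from-file=users
#   kubectl -n ingress-traefik create secret tls traefik-dashboard-tls --cert=traefik.crt --key=traefik.key
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth
  namespace: ingress-traefik
spec:
  basicAuth:
    secret: dashboard-users        # Secret key "users": one htpasswd line per user (bcrypt here)
    removeHeader: true             # do not forward the Authorization header upstream
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: admin-ips
  namespace: ingress-traefik
spec:
  ipWhiteList:
    sourceRange:
      - 10.0.0.0/8                 # placeholder: your administration network
---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: modern-tls
  namespace: ingress-traefik
spec:
  minVersion: VersionTLS12
  cipherSuites:                    # AEAD suites with forward secrecy only
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
  sniStrict: true                  # refuse TLS handshakes whose SNI matches no certificate
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-secure
  namespace: ingress-traefik
spec:
  entryPoints:
    - websecure
  tls:
    secretName: traefik-dashboard-tls   # kubernetes.io/tls Secret with tls.crt / tls.key for the host
    options:
      name: modern-tls
      namespace: ingress-traefik
  routes:
    - match: Host(`traefik.dqzboy.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      kind: Rule
      middlewares:                 # order matters: IP check first, then password
        - name: admin-ips
          namespace: ingress-traefik
        - name: dashboard-auth
          namespace: ingress-traefik
      services:
        - name: api@internal       # Traefik's built-in API/dashboard service
          kind: TraefikService
```

Apply with kubectl apply -f and open https://traefik.dqzboy.com/dashboard/ (with the trailing slash). Because the IP middleware runs first, addresses outside the allow list cannot even attempt passwords. The same protections apply to Method 2 through annotations on the Ingress object: traefik.ingress.kubernetes.io/router.middlewares: ingress-traefik-admin-ips@kubernetescrd,ingress-traefik-dashboard-auth@kubernetescrd and traefik.ingress.kubernetes.io/router.tls.options: ingress-traefik-modern-tls@kubernetescrd, where the prefix is the namespace in which the CRD object lives.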

Method 2: Configure routes via Ingress

(1) Create the route for the Traefik dashboard
[root@k8s-master1 traefik]# vim traefik-dashboard-ingress.yaml
apiVersion: networking.k8s.io/v1beta1   #same schema as extensions/v1beta1; both were removed in Kubernetes 1.22, and networking.k8s.io/v1 needs Traefik 2.5 or later
kind: Ingress
metadata:
  name: traefik-dashboard-ingress
  namespace: ingress-traefik	#the namespace Traefik runs in
  annotations:
    kubernetes.io/ingress.class: traefik            
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  rules:
  - host: traefik01.dqzboy.com                                
    http:
      paths:
      - path: /              
        backend:
          serviceName: traefik
          servicePort: 8080

#Create the route
[root@k8s-master1 traefik]# kubectl apply -f traefik-dashboard-ingress.yaml

#Check
[root@k8s-master1 traefik]# kubectl get ing -n ingress-traefik
NAME                        CLASS    HOSTS                  ADDRESS   PORTS   AGE
traefik-dashboard-ingress   <none>   traefik01.dqzboy.com             80      26s
  • Add the hostname to your PC's hosts file, then open it in a browser.
(2) Create the route for the Kubernetes Dashboard
#First generate a certificate (skip this step and the Secret if you already created them in Method 1)
[root@k8s-master1 traefik]# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout traefik.key -out traefik.crt -subj "/CN=dqzboy"

#Store the certificate as a kubernetes.io/tls Secret; Traefik reads the keys tls.crt and tls.key, which
#"kubectl create secret tls" produces (a generic Secret made with --from-file would use the file names)
[root@k8s-master1 traefik]# kubectl create secret tls k8s-dashboard-tls --cert=traefik.crt --key=traefik.key -n kubernetes-dashboard

#Create the resource
[root@k8s-master1 traefik]# vim k8s-dashboard-ing.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: kubernetes-dashboard-ingress
  namespace: kubernetes-dashboard	#the namespace the dashboard runs in
  annotations:
    kubernetes.io/ingress.class: traefik                  
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
  tls:
  - secretName: k8s-dashboard-tls
  rules:
  - host: k8sboard01.dqzboy.com
    http:
      paths:
      - path: /                                     
        backend:
          serviceName: kubernetes-dashboard  #the dashboard's Service
          servicePort: 443

[root@k8s-master1 traefik]# kubectl apply -f k8s-dashboard-ing.yaml


#Check (this Ingress lives in the dashboard's namespace, not in ingress-traefik)
[root@k8s-master1 traefik]# kubectl get ing -n kubernetes-dashboard
  • Add the hostname to your PC's hosts file, then open it in a browser.




Author: 浅时光
Original link: https://www.dqzboy.com/5210.html
License: Creative Commons Attribution-ShareAlike 4.0 International (CC BY-NC-SA 4.0)
When reposting, please indicate the original source and author with a hyperlink.