Deploying the Traefik Ingress on K8s

Service overview

Ingress

An Ingress can give a Service a URL reachable from outside the cluster, load balancing, SSL termination, HTTP routing and so on. To make these Ingress rules take effect, the cluster administrator must deploy an Ingress controller, which watches for changes to Ingress and Service objects, configures the load balancer according to the rules and provides the access entry point.

Traefik

Traefik is a lightweight HTTP reverse proxy and load balancer written in Go. Because it can discover and refresh backend nodes automatically, it is supported by most container platforms, such as Kubernetes, Swarm and Rancher. Since Traefik talks to the Kubernetes API in real time, it reacts quickly to changes in a Service's endpoints. Overall, Traefik runs very well inside Kubernetes.


RBAC

Role-based access control
RBAC introduces four new top-level resource objects: Role, ClusterRole, RoleBinding and ClusterRoleBinding. Like any other API resource object, they can be managed with kubectl or with direct API calls.
- Role and ClusterRole
   A role is a set of permissions. Every rule is an allow rule; there are no deny rules. Within a single namespace you define permissions with a Role; for cluster-wide permissions you need a ClusterRole.
- RoleBinding and ClusterRoleBinding
   A role binding or cluster role binding attaches a role to a subject, which can be a User, a Group or a ServiceAccount. Use a RoleBinding to grant permissions within one namespace and a ClusterRoleBinding to grant them across the whole cluster.

Deploying the Traefik service

The official documentation defines two deployment modes, DaemonSet and Deployment. The main differences are:
  • Compared with a DaemonSet, which runs exactly one Traefik Pod per node, a Deployment is easier to scale in and out;
  • With a DaemonSet, ports 80 and 443 are reachable on every node, whereas with a Deployment access has to go through the object defined in the Service.

A DaemonSet guarantees that one replica of a container runs on every Node and is commonly used to deploy cluster-wide logging, monitoring or other system management applications. Typical uses include:

  • Log collection, e.g. fluentd, logstash
  • System monitoring, e.g. Prometheus Node Exporter, collectd, New Relic agent, Ganglia gmond
  • System programs, e.g. kube-proxy, kube-dns, glusterd, ceph
Here the DaemonSet mode is used.
# vim traefik_http.yml
# Create the RBAC ClusterRole traefik-ingress-controller
# Read-only verbs (get/list/watch) are all the controller needs. Note that
# "secrets" is granted cluster-wide: the controller can read every Secret in
# the cluster (it needs them for TLS certificates referenced by Ingresses).
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
# Create the ServiceAccount
# A ServiceAccount exists so that processes inside a Pod can call the Kubernetes API or other external services
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
# ClusterRoleBinding
# Binds the traefik-ingress-controller ServiceAccount (in kube-system) to the
# traefik-ingress-controller ClusterRole, giving it the role's read access to
# Services, Endpoints, Secrets and Ingresses across the whole cluster
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system
# Create the Traefik service
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      terminationGracePeriodSeconds: 60
      hostNetwork: true      # the Pod shares the node's network namespace, so port 80 is bound directly on every node
      containers:
      - image: traefik:1.7.9
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: admin
          containerPort: 8080
        securityContext:
          privileged: true   # not required by Traefik itself; combined with hostNetwork it hands the container near-root access to the node, so drop it where you can
        args:
        - -d            # debug logging
        - --web         # enable the web UI / API on port 8080
        - --kubernetes  # enable the Kubernetes Ingress provider
---
# Traefik UI Service
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system   # must be the same namespace as the DaemonSet Pods, otherwise the selector matches nothing
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
  type: NodePort
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - port: 80
    targetPort: 8080
---
# Traefik UI Ingress
# The dashboard has no authentication of its own: anyone who can resolve the
# host name to a node sees every route and backend, so restrict who can reach it
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik.ui.com    # host name
    http:
      paths:
      - backend:
          serviceName: traefik-web-ui  # Traefik service name
          servicePort: 80

Create the services

# kubectl apply -f traefik.yml
clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller unchanged
clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller unchanged
serviceaccount/traefik-ingress-controller unchanged
configmap/traefik-conf configured
daemonset.extensions/traefik-ingress-controller configured
service/traefik-web-ui unchanged
ingress.extensions/traefik-web-ui configured

Check the web service

# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                  AGE
heapster               ClusterIP   10.254.173.231   <none>        80/TCP                   29h
kube-dns               ClusterIP   10.254.0.10      <none>        53/UDP,53/TCP,9153/TCP   4d5h
kubernetes-dashboard   NodePort    10.254.252.116   <none>        443:30195/TCP            4d3h
monitoring-grafana     ClusterIP   10.254.48.16     <none>        80/TCP                   29h
monitoring-influxdb    ClusterIP   10.254.68.108    <none>        8086/TCP                 29h
traefik-web-ui         ClusterIP   10.254.219.247   <none>        80/TCP                   10m
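A check worth running right after the apply, as an added example that is not part of the original post: it uses kubectl impersonation to confirm that the traefik-ingress-controller ServiceAccount holds only the read access the ClusterRole above grants and nothing more (no write verbs, no Pod access, no RBAC changes). It assumes a working kubeconfig whose user is allowed to use `--as`; the allow/deny list is constructed from the ClusterRole in the manifest.

```shell
# Audit the effective RBAC of the Traefik ServiceAccount deployed above.
# Assumes kubectl is configured and the current user may impersonate (--as).
SA="system:serviceaccount:kube-system:traefik-ingress-controller"

# can_i VERB RESOURCE: echoes "yes" or "no" exactly as kubectl reports it.
# kubectl exits 1 on "no", so the exit status is deliberately discarded.
can_i() {
  kubectl auth can-i "$1" "$2" --as="$SA" --all-namespaces 2>/dev/null || true
}

# check EXPECTED VERB RESOURCE: returns 0 when the cluster's answer matches.
check() {
  got=$(can_i "$2" "$3")
  if [ "$got" = "$1" ]; then
    echo "ok   $2 $3 -> $got"
    return 0
  fi
  echo "FAIL $2 $3 -> ${got:-<no answer>} (expected $1)"
  return 1
}

# audit_traefik_rbac: returns 0 if every expectation below holds, 1 otherwise.
# "yes" entries are the reads the ClusterRole grants; "no" entries are the
# things a read-only Ingress controller must never be able to do.
audit_traefik_rbac() {
  rc=0
  for spec in \
      yes:get:services yes:list:endpoints yes:watch:secrets \
      yes:list:ingresses.extensions \
      no:create:secrets no:delete:services no:update:ingresses.extensions \
      no:get:pods no:create:pods \
      no:create:clusterrolebindings.rbac.authorization.k8s.io; do
    expected=${spec%%:*}; rest=${spec#*:}
    verb=${rest%%:*};     resource=${rest#*:}
    check "$expected" "$verb" "$resource" || rc=1
  done
  return $rc
}
```

Run `audit_traefik_rbac` after `kubectl apply`; a non-zero exit means the ServiceAccount's permissions have drifted from the manifest.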