k8s集群中的ingress---基于traefik
發(fā)布時(shí)間:2023-05-26 09:20
來(lái)源:西部
閱讀:120
作者:西部數碼
欄目: 虛擬主機
歡迎投稿:712375056
云計算
為了對外發(fā)布pod內的應用�,k8s支持兩種負載均衡機制
1���、一種是service��,用于實(shí)現四層TCP負載均衡
service主要實(shí)現集群內部通信�����,以及基于四層的內外通信(如端口)
2��、另一種是ingress���,用戶(hù)實(shí)現七層HTTP負載均衡
ingress主要實(shí)現基于七層的內外通信(如URL)
ingress僅僅是一組路由規則的集合�����,它需要借助ingress控制器才能發(fā)揮作用
ingress控制器不受controller-manager管理���,它作為一個(gè)附件直接運行在k8s集群上
ingress控制器本身也是以pod形式運行�,它與被代理的pod運行在同一個(gè)網(wǎng)絡(luò )
和service不同的是���,要使用ingress�����,必須先創(chuàng )建ingress-controller這個(gè)pod和基于該pod的svc
對于小規模的應用我們使用 NodePort 或許能夠滿(mǎn)足我們的需求��,但是當你的應用越來(lái)越多的時(shí)候��,你就會(huì )發(fā)現對于 NodePort 的管理就非常麻煩了�����,這個(gè)時(shí)候使用 ingress 就非常方便了�����,可以避免管理大量的 Port����。
igress類(lèi)型
1�、單service資源型
2��、基于URL路徑進(jìn)行轉發(fā)
3���、基于虛擬主機進(jìn)行轉發(fā)
4���、TLS類(lèi)型
ingress控制器可以由如下反向代理程序實(shí)現:
1��、haproxy
2��、nginx
3���、envoy
4���、traefik
5�、Vulcand
創(chuàng )建基于treafik的ingress
1��、創(chuàng )建rbac認證
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-ingress-controller
namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
rules:
- apiGroups:
-
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: kube-system
$ kubectl create -f rbac.yaml
serviceaccount "traefik-ingress-controller" created
clusterrole.rbac.authorization.k8s.io "traefik-ingress-controller" created
clusterrolebinding.rbac.authorization.k8s.io "traefik-ingress-controller" created
2���、創(chuàng )建基于treafik的ingress控制器pod及svc
將該控制器pod部署在master上
$ docker pull traefik
$ vim traefik.yaml
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
name: traefik-ingress-controller
namespace: kube-system
labels:
k8s-app: traefik-ingress-lb
spec:
replicas: 1
selector:
matchLabels:
k8s-app: traefik-ingress-lb
template:
metadata:
labels:
k8s-app: traefik-ingress-lb
name: traefik-ingress-lb
spec:
serviceAccountName: traefik-ingress-controller
terminationGracePeriodSeconds: 60
tolerations:
- operator: Exists #允許污點(diǎn)
nodeSelector:
kubernetes.io/hostname: master #部署在master上
containers:
- image: traefik
name: traefik-ingress-lb
ports:
- name: http
containerPort: 80
hostPort: 80 #外網(wǎng)訪(fǎng)問(wèn)時(shí)不用使用nodePort端口�����,直接使用域名即可
- name: admin
containerPort: 8080
args:
- --api
- --kubernetes
- --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
name: traefik-ingress-service
namespace: kube-system
spec:
selector:
k8s-app: traefik-ingress-lb
ports:
- protocol: TCP
port: 80
name: web
- protocol: TCP
port: 8080
name: admin
type: NodePort
因為traefik容器中有兩個(gè)端口��,80和8080(管理端口)�,所以其對應的服務(wù)中也需要兩個(gè)端口80和8080.
$ kubectl apply -f traefik.yaml
deployment.extensions "traefik-ingress-controller" created
service "traefik-ingress-service" created
$ kubectl get svc -n kube-system
traefik-ingress-service NodePort 10.100.222.78 <none> 80:31657/TCP,8080:31572/TCP 79d
通過(guò)svc訪(fǎng)問(wèn)traefik的管理界面
http://wap.friendlycc.com.cn/host/
3���、為上述ingress控制器及其svc本身(8080)創(chuàng )建ingress實(shí)例
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: traefik-web-ui
namespace: kube-system
annotations:
kubernetes.io/ingress.class: traefik
spec:
rules:
- host: traefik.example.com
http:
paths:
- backend:
serviceName: traefik-ingress-service
servicePort: 8080
模擬dns解析
$ vim /etc/hosts
192.168.1.243 traefik.example.com
因為pod中有hostPort: 80 ��,所以能夠以ingress的方式直接使用域名訪(fǎng)問(wèn)traefik的管理界面
http://wap.friendlycc.com.cn/host/ ingress-controller 服務(wù)�����,然后在master前面掛一個(gè)負載均衡器�����,比如 nginx����,將所有的master均作為這個(gè)負載均衡器的后端�,這樣就可以實(shí)現 ingress-controller 的高可用和負載均衡了�。
4����、定義后端普通應用pod及其svc
svc的type為ClusterIP
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
name: svc1
spec:
replicas: 1
template:
metadata:
labels:
app: svc1
spec:
containers:
- name: svc1
image: cnych/example-web-service
env:
- name: APP_SVC
value: svc1
ports:
- containerPort: 8080
protocol: TCP
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
name: svc2
spec:
replicas: 1
template:
metadata:
labels:
app: svc2
spec:
containers:
- name: svc2
image: cnych/example-web-service
env:
- name: APP_SVC
value: svc2
ports:
- containerPort: 8080
protocol: TCP
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
name: svc3
spec:
replicas: 1
template:
metadata:
labels:
app: svc3
spec:
containers:
- name: svc3
image: cnych/example-web-service
env:
- name: APP_SVC
value: svc3
ports:
- containerPort: 8080
protocol: TCP
---
kind: Service
apiVersion: v1
metadata:
labels:
app: svc1
name: svc1
spec:
type: ClusterIP
ports:
- port: 8080
name: http
selector:
app: svc1
---
kind: Service
apiVersion: v1
metadata:
labels:
app: svc2
name: svc2
spec:
type: ClusterIP
ports:
- port: 8080
name: http
selector:
app: svc2
---
kind: Service
apiVersion: v1
metadata:
labels:
app: svc3
name: svc3
spec:
type: ClusterIP
ports:
- port: 8080
name: http
selector:
app: svc3
$ kubectl create -f backend.yaml
deployment.extensions "svc1" created
deployment.extensions "svc2" created
deployment.extensions "svc3" created
service "svc1" created
service "svc2" created
service "svc3" created
5��、為上述普通應用pod及其svc定義ingress策略
ingress策略的后端是應用pod的svc
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: example-web-app
annotations:
kubernetes.io/ingress.class: traefik
spec:
rules:
- host: www.example.com
http:
paths:
- path: /s1
backend:
serviceName: svc1
servicePort: 8080
- path: /s2
backend:
serviceName: svc2
servicePort: 8080
- path: /
backend:
serviceName: svc3
servicePort: 8080
$ kubectl create -f example-ingress.yaml
ingress.extensions "example-web-app" created
$ kubectl get ingress
$ kubectl describe ingress example-web-app
模擬dns
$ vim /etc/hosts
192.168.1.243 www.example.com
http://wap.friendlycc.com.cn/host/ —訪(fǎng)問(wèn)svc3
http://wap.friendlycc.com.cn/host/ —訪(fǎng)問(wèn)svc1
http://wap.friendlycc.com.cn/host/ —訪(fǎng)問(wèn)svc2
6���、使traefik ingress支持TLS
要使其支持tls需要三個(gè)方面的支持
一�����、生成ca證書(shū)
$ mkdir /ssl
$ cd /ssl
$ openssl req -newkey rsa:2048 -nodes -keyout tls.key -x509 -days 365 -out tls.crt
$ ls
tls.crt tls.key
然后創(chuàng )建secret用于存儲證書(shū)
$ kubectl create secret generic traefik-cert –from-file=tls.crt –from-file=tls.key -n kube-system
$ kubectl get secret -n kube-system |grep traefik
二�����、增加默認配置文件traefik.toml
該文件和traefik pod文件在同一個(gè)目錄
$ vim traefik.toml
defaultEntryPoints = [http, https]
[entryPoints]
[entryPoints.http]
address = :80
[entryPoints.http.redirect]
entryPoint = https
[entryPoints.https]
address = :443
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
CertFile = /ssl/tls.crt
KeyFile = /ssl/tls.key
創(chuàng )建configmap用于存儲該配置文件
$ kubectl create configmap traefik-conf –from-file=traefik.toml -n kube-system
$ kubectl get configmap -n kube-system |grep traefik
三���、修改第2步中的 traefik pod 的 yaml文件
$ vim traefik.yaml
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
name: traefik-ingress-controller
namespace: kube-system
labels:
k8s-app: traefik-ingress-lb
spec:
replicas: 1
selector:
matchLabels:
k8s-app: traefik-ingress-lb
template:
metadata:
labels:
k8s-app: traefik-ingress-lb
name: traefik-ingress-lb
spec:
serviceAccountName: traefik-ingress-controller
terminationGracePeriodSeconds: 60
volumes:
- name: ssl
secret:
secretName: traefik-cert
- name: config
configMap:
name: traefik-conf
tolerations:
- operator: Exists
nodeSelector:
kubernetes.io/hostname: master
containers:
- image: traefik
name: traefik-ingress-lb
volumeMounts:
- mountPath: /ssl
name: ssl
- mountPath: /config
name: config
ports:
- name: http
containerPort: 80
hostPort: 80
- name: https
containerPort: 443
hostPort: 443
- name: admin
containerPort: 8080
args:
- --configfile=/config/traefik.toml
- --api
- --kubernetes
- --logLevel=INFO
$ kubectl apply -f traefik.yaml
$ kubectl logs -f traefik-ingress-controller-7dcfd9c6df-v58k7 -n kube-system
time="2018-08-26T11:26:44Z" level=info msg="Server configuration reloaded on :80"
time="2018-08-26T11:26:44Z" level=info msg="Server configuration reloaded on :443"
time="2018-08-26T11:26:44Z" level=info msg="Server configuration reloaded on :8080"
更多關(guān)于云服務(wù)器�,域名注冊����,虛擬主機的問(wèn)題��,請訪(fǎng)問(wèn)特網(wǎng)科技官網(wǎng):wap.friendlycc.com.cn
