Deploying traefik on k8s

  • Ingress is simply an entry point for traffic from outside the cluster: it forwards external requests to different backends, much like load balancers such as Nginx or HAProxy.
  • Ingress is actually implemented on top of service discovery; an Ingress controller keeps the routing information refreshed.
  • An Ingress controller can be thought of as a watcher: it continuously watches kube-apiserver, notices changes to Services and Pods in real time, combines them with the Ingress configuration, and updates the reverse-proxy load balancer, which achieves service discovery.
  • Many Ingress controllers are available today, for example traefik, nginx-ingress, the Kubernetes Ingress Controller for Kong, and the HAProxy Ingress controller.
The most common load balancers in enterprises are Nginx-Ingress and traefik. traefik is used for the demonstration here, mainly because it has become mainstream. It also has a nice dashboard, is simple to configure, and is deeply integrated with Prometheus. traefik 2.0 supports canary releases. nginx-ingress needs 3 component images, while traefik needs only 2.
traefik is an open-source reverse proxy and load balancer. Its biggest advantage is that it integrates directly with common microservice platforms and can configure itself dynamically. Backends currently supported include Docker, Swarm, Mesos, Kubernetes, Consul, etcd and ZooKeeper.
traefik architecture diagram:

Deploying traefik
The mainstream way to bring external traffic into a k8s cluster is traefik or ingress-nginx, and the controller is normally deployed on an edge node that has an external-facing network interface.

1. Create the RBAC objects for traefik

[root@k8s-master ~]# vim traefik-rbac.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system
2. Create a Deployment to manage the traefik pod; for now the web UI is exposed through a NodePort
The traefik:v1.7.17 image is used here

[root@k8s-master ~]# vim traefik-deployment.yaml
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      tolerations:
      - operator: "Exists"
      nodeSelector:
        kubernetes.io/hostname: master
      containers:
      - image: traefik:v1.7.17
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
        - name: admin
          containerPort: 8080
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
  type: NodePort
Note the tolerations defined in the Deployment above. If your K8s cluster has no taints, remove the tolerations here, or set them to match your own taints:

tolerations:
- operator: "Exists"
nodeSelector:
  kubernetes.io/hostname: master
Apply the files
[root@k8s-master ~]# kubectl apply -f traefik-rbac.yaml -f traefik-deployment.yaml 
serviceaccount/traefik-ingress-controller configured
clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller configured
clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller configured
deployment.extensions/traefik-ingress-controller configured
service/traefik-ingress-service configured
Check the result
[root@k8s-master ~]# kubectl get po -n kube-system -l k8s-app=traefik-ingress-lb -o wide
NAME                                          READY   STATUS    RESTARTS   AGE   IP            NODE            NOMINATED NODE   READINESS GATES
traefik-ingress-controller-86769d5d99-926cz   1/1     Running   0          46s   172.20.2.17   192.168.2.221   <none>           <none>
[root@k8s-master ~]# kubectl get svc -n kube-system
NAME                      TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                       AGE                 3d19h
kube-dns                  ClusterIP   10.68.0.2       <none>        53/UDP,53/TCP,9153/TCP        3d19h
kubernetes-dashboard      NodePort    10.68.59.107    <none>        443:33937/TCP                 3d19h
metrics-server            ClusterIP   10.68.247.20    <none>        443/TCP                       3d19h
traefik-ingress-service   NodePort    10.68.231.115   <none>        80:20093/TCP,8080:28059/TCP   3d19h
Enter 192.168.2.221:28059 in a browser to reach the traefik UI

Create an Ingress object so the dashboard can be reached by domain name through the Ingress

[root@k8s-master ~]# vim traefik-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik.ayunw.cn
    http:
      paths:
      - backend:
          serviceName: traefik-ingress-service
          servicePort: 8080

[root@k8s-master ~]# kubectl apply -f traefik-ingress.yaml 
ingress.extensions/traefik-web-ui created
Set up name resolution:
Resolve the name to the external IP of the machine the ingress-controller runs on:
192.168.2.221 traefik.ayunw.cn

Once the name resolves, accessing it by domain name without a port still does not work. Why? Because the svc used here is of type NodePort, so the NodePort number has to be appended.
Browser access: traefik.ayunw.cn:28059

But requests normally do not carry a port, so a hostPort can be specified directly on the Pod: change the container ports in the traefik-deployment.yaml file above.
     ......
       containers:
      - image: traefik:v1.7.17
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: admin
          containerPort: 8080
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
Apply the update
[root@k8s-master ~]# kubectl apply -f traefik-deployment.yaml
deployment.extensions/traefik-ingress-controller configured
service/traefik-ingress-service unchanged
Then traefik.ayunw.cn can be opened directly. Click HEALTH to see the health checks (wait a moment if no data appears yet).
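To make the routing path in the steps above concrete, here is an added checker (not from the original post) that resolves the traefik-web-ui Ingress against the traefik-ingress-service Service, works out which URL a request must use to actually pass through the Ingress rule (traefik's http entrypoint, i.e. the web nodePort before the hostPort change, the bare hostname after it), and flags that the rule publishes the port named admin, which is the traefik API/dashboard enabled by --api. The dicts are hand transcriptions of the manifests and kubectl output above; the admin-port heuristic is an assumption.

```python
from typing import Optional

# Constructed transcriptions of the page's Service and Ingress manifests
# (nodePort values taken from the kubectl get svc output above).
TRAEFIK_SVC = {
    "metadata": {"name": "traefik-ingress-service", "namespace": "kube-system"},
    "spec": {"type": "NodePort", "ports": [
        {"name": "web", "port": 80, "nodePort": 20093},
        {"name": "admin", "port": 8080, "nodePort": 28059}]},
}
INGRESS = {
    "metadata": {"name": "traefik-web-ui", "namespace": "kube-system"},
    "spec": {"rules": [{"host": "traefik.ayunw.cn", "http": {"paths": [
        {"backend": {"serviceName": "traefik-ingress-service", "servicePort": 8080}}]}}]},
}


def resolve_backend(ingress, services):
    """Return the (service, port) the first Ingress path points at; raise if dangling."""
    ns = ingress["metadata"]["namespace"]
    backend = ingress["spec"]["rules"][0]["http"]["paths"][0]["backend"]
    for svc in services:
        if (svc["metadata"]["namespace"], svc["metadata"]["name"]) != (ns, backend["serviceName"]):
            continue
        for port in svc["spec"]["ports"]:
            # extensions/v1beta1 allows servicePort to be a number or a port name
            if backend["servicePort"] in (port["port"], port["name"]):
                return svc, port
        raise ValueError(f"{backend['serviceName']} has no port {backend['servicePort']}")
    raise ValueError(f"no service {backend['serviceName']} in namespace {ns}")


def ingress_url(ingress, traefik_svc, host_port: Optional[int] = None) -> str:
    """URL a browser must use for the request to travel through the Ingress rule.
    Ingress traffic enters traefik's http entrypoint (container port 80), so without
    a hostPort the *web* nodePort is needed; node:28059 hits the dashboard directly."""
    host = ingress["spec"]["rules"][0]["host"]
    if host_port is None:
        web = next(p for p in traefik_svc["spec"]["ports"] if p["name"] == "web")
        return f"http://{host}:{web['nodePort']}/"
    return f"http://{host}/" if host_port == 80 else f"http://{host}:{host_port}/"


def exposes_dashboard(ingress, services) -> bool:
    """Heuristic (assumption): a rule whose backend is the Service port named
    'admin' publishes the traefik API/dashboard on a public hostname, so the
    operator should decide whether it needs authentication or an internal-only entrypoint."""
    _, port = resolve_backend(ingress, services)
    return port["name"] == "admin"
```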


Blog: https://www.ayunw.cn

WeChat official account: 竹下侯小姜运维

Copyright notice:
Author: allenjol
Link: https://www.ayunw.cn/archives/677
Source: 爱生活,爱运维
The article is copyrighted by the author; do not reproduce without permission.
