
Ingress controller: Traefik 2 on k8s

2019-10-28  jerry的技术与思维

This article uses traefik v2.0.2 as the example version.

Architecture overview

Before installing, let's briefly go over how traefik works.


Traefik is an edge router that intercepts and routes every incoming request: it holds all the logic and rules that decide which service handles which request (path, header, host and so on). Traditionally an edge router (or reverse proxy) needs a configuration file that lists every possible route, configured by you in advance; nginx works this way. Traefik instead obtains the routes from the services themselves through automatic service discovery, with native support for k8s, consul and other backends.

Installation

traefik can be installed in several ways: as a plain binary package, with docker, with rancher, or on k8s. Here we install traefik directly on k8s, using the k8s CRD approach.

Enough talk, let's get started:

1. Prepare the RBAC permissions and the CRDs (CustomResourceDefinition)
   Create the file 01-crd.yaml:
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
  scope: Namespaced

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller

rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - traefik.containo.us
    resources:
      - ingressroutes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - traefik.containo.us
    resources:
      - ingressroutetcps
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - traefik.containo.us
    resources:
      - tlsoptions
    verbs:
      - get
      - list
      - watch

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller

roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: default
2. Service definition
   Create the file 02-svc.yaml. Note that the service uses the NodePort type; these three ports must not already be in use, and you can change them as needed.
apiVersion: v1
kind: Service
metadata:
  name: traefik

spec:
  type: NodePort
  ports:
    - protocol: TCP
      name: web
      port: 8000
    - protocol: TCP
      name: admin
      port: 8080
    - protocol: TCP
      name: websecure
      port: 4443
  selector:
    app: traefik
3. Deployment definition
   Create the file 03-deploy.yaml:
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: default
  name: traefik-ingress-controller

---
kind: Deployment
apiVersion: apps/v1
metadata:
  namespace: default
  name: traefik
  labels:
    app: traefik

spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      containers:
        - name: traefik
          image: traefik:v2.0.2
          args:
            - --api.insecure
            - --accesslog
            - --entrypoints.web.Address=:8000
            - --entrypoints.websecure.Address=:4443
            - --providers.kubernetescrd
            - --certificatesresolvers.default.acme.tlschallenge
            - --certificatesresolvers.default.acme.email=foo@you.com
            - --certificatesresolvers.default.acme.storage=acme.json
            # Please note that this is the staging Let's Encrypt server.
            # Once you get things working, you should remove that whole line altogether.
            - --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
          ports:
            - name: web
              containerPort: 8000
            - name: websecure
              containerPort: 4443
            - name: admin
              containerPort: 8080
4. Install with kubectl
   Run the install commands on the corresponding k8s node that has kubectl permissions:
kubectl apply -f 01-crd.yaml
kubectl apply -f 02-svc.yaml
kubectl apply -f 03-deploy.yaml

After a successful install, open the IP of the node it was installed on, for example on this machine http://127.0.0.1:8080,
and you will see the dashboard:
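Before this setup is used for anything beyond a lab, it is worth checking what the manifests above actually publish. The following Python script is an added example, written for this page and not taken from the post or from the Traefik project. It reads a Deployment and a Service in the JSON shape that `kubectl get deployment traefik -o json` and `kubectl get svc traefik -o json` return (a constructed copy of this post's two manifests is embedded so it runs offline) and reports the points a reviewer would raise: `--api.insecure` serves the dashboard and API on port 8080 with no authentication, and the NodePort Service publishes that admin port outside the cluster; the ACME caserver is the Let's Encrypt staging CA, which the manifest's own comment says to remove once things work; every entrypoint address should have a matching containerPort; and because no `nodePort:` values are set, Kubernetes allocates node ports from its NodePort range (30000-32767 by default) rather than using 8000, 8080 and 4443. The finding codes and function names are my own.

```python
import json
import re

# Constructed sample input (not live cluster output): this post's traefik Deployment and
# Service in the JSON shape `kubectl get deployment traefik -o json` and
# `kubectl get svc traefik -o json` return.
DEPLOY_JSON = """{
  "kind": "Deployment", "metadata": {"name": "traefik", "namespace": "default"},
  "spec": {"template": {"spec": {"containers": [{
    "name": "traefik", "image": "traefik:v2.0.2",
    "args": [
      "--api.insecure",
      "--accesslog",
      "--entrypoints.web.Address=:8000",
      "--entrypoints.websecure.Address=:4443",
      "--providers.kubernetescrd",
      "--certificatesresolvers.default.acme.tlschallenge",
      "--certificatesresolvers.default.acme.email=foo@you.com",
      "--certificatesresolvers.default.acme.storage=acme.json",
      "--certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
    ],
    "ports": [{"name": "web", "containerPort": 8000},
              {"name": "websecure", "containerPort": 4443},
              {"name": "admin", "containerPort": 8080}]
  }]}}}
}"""

SVC_JSON = """{
  "kind": "Service", "metadata": {"name": "traefik", "namespace": "default"},
  "spec": {"type": "NodePort", "selector": {"app": "traefik"},
           "ports": [{"protocol": "TCP", "name": "web", "port": 8000},
                     {"protocol": "TCP", "name": "admin", "port": 8080},
                     {"protocol": "TCP", "name": "websecure", "port": 4443}]}
}"""

# traefik CLI flags are case-insensitive, so every comparison below lowercases the key.
ENTRYPOINT_RE = re.compile(r"^--entrypoints\.([^.]+)\.address=:(\d+)$", re.IGNORECASE)
CASERVER_RE = re.compile(r"^--certificatesresolvers\.[^.]+\.acme\.caserver=(.+)$", re.IGNORECASE)


def flag_enabled(args, name):
    """True when a boolean flag is present bare (--name) or given as --name=true."""
    for arg in args:
        key, _, value = arg.partition("=")
        if key.lower() == "--" + name.lower():
            return value == "" or value.lower() == "true"
    return False


def audit_traefik(deploy, svc):
    """Return a list of (code, message) findings for a traefik Deployment/Service pair."""
    findings = []
    containers = deploy["spec"]["template"]["spec"]["containers"]
    traefik = next(c for c in containers if c["name"] == "traefik")
    args = traefik.get("args", [])
    container_ports = {p["containerPort"] for p in traefik.get("ports", [])}
    svc_type = svc["spec"].get("type", "ClusterIP")
    svc_ports = svc["spec"].get("ports", [])

    # 1. Unauthenticated dashboard/API, and whether the Service publishes it off-cluster.
    if flag_enabled(args, "api.insecure"):
        findings.append(("API_INSECURE",
                         "--api.insecure serves the dashboard and API on :8080 with no authentication"))
        if svc_type in ("NodePort", "LoadBalancer") and any(p.get("port") == 8080 for p in svc_ports):
            findings.append(("ADMIN_PORT_EXPOSED",
                             f"Service type {svc_type} publishes the unauthenticated admin port 8080 outside the cluster"))

    for arg in args:
        # 2. Staging ACME CA left in place: certificates it issues are not browser-trusted.
        m = CASERVER_RE.match(arg)
        if m and "staging" in m.group(1):
            findings.append(("ACME_STAGING", f"ACME caserver is a staging CA: {m.group(1)}"))
        # 3. Every entrypoint address should be published by a containerPort.
        m = ENTRYPOINT_RE.match(arg)
        if m and int(m.group(2)) not in container_ports:
            findings.append(("ENTRYPOINT_PORT_UNPUBLISHED",
                             f"entrypoint {m.group(1)} listens on :{m.group(2)} but no containerPort publishes it"))

    # 4. NodePort without nodePort: kubernetes allocates from its NodePort range (default 30000-32767).
    if svc_type == "NodePort":
        for p in svc_ports:
            if "nodePort" not in p:
                findings.append(("NODEPORT_UNPINNED",
                                 f"port {p['name']} ({p['port']}): no nodePort set, the node port is allocated, not {p['port']}"))
    return findings


def audit_from_json(deploy_json, svc_json):
    """Parse the two kubectl JSON documents and audit them."""
    return audit_traefik(json.loads(deploy_json), json.loads(svc_json))


if __name__ == "__main__":
    for code, message in audit_from_json(DEPLOY_JSON, SVC_JSON):
        print(f"{code}: {message}")
```

To run it against a live cluster, feed the two `kubectl get ... -o json` outputs to `audit_from_json`. The fix for the first two findings is to drop `--api.insecure` (or at least stop publishing port 8080 through the Service) and reach the dashboard via `kubectl port-forward` or behind an authentication middleware instead; the remaining findings are informational and explain why the node ports you see with `kubectl get svc traefik` differ from 8000/8080/4443.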

5. Install the whoami service to verify
   Create the file whoaim.yaml:
---
apiVersion: v1
kind: Service
metadata:
  name: whoami

spec:
  ports:
    - protocol: TCP
      name: web
      port: 80
  selector:
    app: whoami
---
kind: Deployment
apiVersion: apps/v1
metadata:
  namespace: default
  name: whoami
  labels:
    app: whoami

spec:
  replicas: 2
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: containous/whoami
          ports:
            - name: web
              containerPort: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: simpleingressroute
  namespace: default
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`192.168.0.200`) && PathPrefix(`/notls`)
    kind: Rule
    services:
    - name: whoami
      port: 80

The IngressRoute resource defined by the CRD configures the routing for whoami. For the host in routes, traefik lets you use the node IP directly (a domain name works as well); nginx ingress only accepts a domain name, which is awkward in a test environment.
The traefik dashboard shows it registered successfully:
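To make the matching concrete, here is a small added example (mine, not traefik's code and not from the post) that evaluates the subset of traefik v2 rule syntax the IngressRoute above uses: Host(`...`) and PathPrefix(`...`) joined with &&. It mirrors two behaviours of traefik v2 that explain the author's point: Host() compares against the request's Host header after lowercasing it and stripping any port, so a bare node IP works just as well as a domain name; and PathPrefix() is a plain string-prefix test. The function names and the sample requests are my own.

```python
import re

# The routing rule from this post's IngressRoute.
RULE = "Host(`192.168.0.200`) && PathPrefix(`/notls`)"

# Only the two matchers this post uses; traefik v2 supports more (Path, Headers, Method, ...).
MATCHER_RE = re.compile(r"(Host|PathPrefix)\(`([^`]*)`\)")


def parse_rule(rule):
    """Split "Host(`a`) && PathPrefix(`/p`)" into [("Host", "a"), ("PathPrefix", "/p")]."""
    matchers = []
    for part in rule.split("&&"):
        m = MATCHER_RE.fullmatch(part.strip())
        if not m:
            raise ValueError(f"unsupported matcher in rule: {part.strip()!r}")
        matchers.append((m.group(1), m.group(2)))
    return matchers


def canonical_host(host_header):
    """Lowercase the Host header and drop any port, as traefik v2 does before a Host() comparison."""
    host = host_header.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal such as [::1]:8000
        return host[1:host.index("]")]
    if host.count(":") == 1:            # host:port (a bare IPv6 address has more colons)
        host = host.split(":", 1)[0]
    return host


def rule_matches(rule, host_header, path):
    """Evaluate every matcher of an &&-joined rule against one request's Host header and path."""
    for kind, value in parse_rule(rule):
        if kind == "Host" and canonical_host(host_header) != value.lower():
            return False
        if kind == "PathPrefix" and not path.startswith(value):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample requests: (Host header, path).
    for host, path in [("192.168.0.200", "/notls"), ("192.168.0.200:30080", "/notls/x"),
                       ("192.168.0.200", "/tls"), ("example.com", "/notls")]:
        print(f"{host:22} {path:10} -> {rule_matches(RULE, host, path)}")
```

One consequence worth knowing: PathPrefix(`/notls`) also matches a path such as `/notlsother`, because the prefix test does not treat `/` as a boundary; add a trailing slash or a more specific rule when that distinction matters.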


The service details look like this:


Accessing whoami through that address works normally. With that, traefik is installed on k8s. Middlewares have not been covered yet; see you in the next post.
