K8S实践Traefik-Ingress部署

Traefik 是一款开源的边缘路由器，它可以让发布服务变得轻松有趣。它代表您的系统接收请求，并找出负责处理这些请求的组件。与众不同之处在于，除了它的许多特性之外，它还可以自动为您的服务发现正确的配置。当 Traefik 检查您的基础设施时，它会发现相关信息，并发现哪个服务为哪个请求提供服务。

Traefik 与每个主要的集群技术都是原生兼容的，比如 Kubernetes、Docker、Docker Swarm、AWS、Mesos、Marathon 等等;并且可以同时处理多个。(它甚至适用于运行在裸机上的遗留软件。) 使用 Traefik，不需要维护和同步单独的配置文件:所有事情都是实时自动发生的(没有重启，没有连接中断)。使用 Traefik，只需要花费时间开发和部署新功能到您的系统，而不是配置和维护其工作状态。

项目地址：https://github.com/traefik/traefik

官网文档：https://doc.traefik.io/traefik/

二、部署Traefik

2.1：创建名称空间

[root@k8s-master1 ~]# cd /opt/k8s/work/

[root@k8s-master1 work]# mkdir traefik

[root@k8s-master1 work]# cd traefik/

[root@k8s-master1 traefik]# kubectl create ns ingress-traefik

2.2：创建CRD资源

在 traefik v2.0 版本后，开始使用 CRD（Custom Resource Definition）来完成路由配置等，所以需要提前创建 CRD 资源。

[root@k8s-master1 traefik]# vim traefik-crd.yaml

## IngressRoute

apiVersion: apiextensions.k8s.io/v1beta1

kind: CustomResourceDefinition

metadata:

name: ingressroutes.traefik.containo.us

spec:

scope: Namespaced

group: traefik.containo.us

version: v1alpha1

names:

kind: IngressRoute

plural: ingressroutes

singular: ingressroute

---

## IngressRouteTCP

apiVersion: apiextensions.k8s.io/v1beta1

kind: CustomResourceDefinition

metadata:

name: ingressroutetcps.traefik.containo.us

spec:

scope: Namespaced

group: traefik.containo.us

version: v1alpha1

names:

kind: IngressRouteTCP

plural: ingressroutetcps

singular: ingressroutetcp

---

## Middleware

apiVersion: apiextensions.k8s.io/v1beta1

kind: CustomResourceDefinition

metadata:

name: middlewares.traefik.containo.us

spec:

scope: Namespaced

group: traefik.containo.us

version: v1alpha1

names:

kind: Middleware

plural: middlewares

singular: middleware

---

apiVersion: apiextensions.k8s.io/v1beta1

kind: CustomResourceDefinition

metadata:

name: tlsoptions.traefik.containo.us

spec:

scope: Namespaced

group: traefik.containo.us

version: v1alpha1

names:

kind: TLSOption

plural: tlsoptions

singular: tlsoption

---

## TraefikService

apiVersion: apiextensions.k8s.io/v1beta1

kind: CustomResourceDefinition

metadata:

name: traefikservices.traefik.containo.us

spec:

scope: Namespaced

group: traefik.containo.us

version: v1alpha1

names:

kind: TraefikService

plural: traefikservices

singular: traefikservice

---

## TraefikTLSStore

apiVersion: apiextensions.k8s.io/v1beta1

kind: CustomResourceDefinition

metadata:

name: tlsstores.traefik.containo.us

spec:

scope: Namespaced

group: traefik.containo.us

version: v1alpha1

names:

kind: TLSStore

plural: tlsstores

singular: tlsstore

---

## IngressRouteUDP

apiVersion: apiextensions.k8s.io/v1beta1

kind: CustomResourceDefinition

metadata:

name: ingressrouteudps.traefik.containo.us

spec:

scope: Namespaced

group: traefik.containo.us

version: v1alpha1

names:

kind: IngressRouteUDP

plural: ingressrouteudps

singular: ingressrouteudp

#创建资源

[root@k8s-master1 traefik]# kubectl apply -f traefik-crd.yaml

#查看crd资源

[root@k8s-master1 traefik]# kubectl get crd | grep traefik

2.3：创建RBAC权限

Traefik 需要一定的权限，所以这里提前创建好 Traefik ServiceAccount 并分配一定的权限。

[root@k8s-master1 traefik]# vim traefik-rbac.yaml

apiVersion: v1

kind: ServiceAccount

metadata:

namespace: ingress-traefik

name: traefik-ingress-controller

---

kind: ClusterRole

apiVersion: rbac.authorization.k8s.io/v1beta1

metadata:

name: traefik-ingress-controller

rules:

- apiGroups: [""]

resources: ["services","endpoints","secrets"]

verbs: ["get","list","watch"]

- apiGroups: ["extensions"]

resources: ["ingresses"]

verbs: ["get","list","watch"]

- apiGroups: ["extensions"]

resources: ["ingresses/status"]

verbs: ["update"]

- apiGroups: ["traefik.containo.us"]

resources: ["middlewares"]

verbs: ["get","list","watch"]

- apiGroups: ["traefik.containo.us"]

resources: ["ingressroutes","traefikservices"]

verbs: ["get","list","watch"]

- apiGroups: ["traefik.containo.us"]

resources: ["ingressroutetcps","ingressrouteudps"]

verbs: ["get","list","watch"]

- apiGroups: ["traefik.containo.us"]

resources: ["tlsoptions","tlsstores"]

verbs: ["get","list","watch"]

---

kind: ClusterRoleBinding

apiVersion: rbac.authorization.k8s.io/v1beta1

metadata:

name: traefik-ingress-controller

roleRef:

apiGroup: rbac.authorization.k8s.io

kind: ClusterRole

name: traefik-ingress-controller

subjects:

- kind: ServiceAccount

name: traefik-ingress-controller

namespace: ingress-traefik

#创建资源

[root@k8s-master1 traefik]# kubectl apply -f traefik-rbac.yaml

#检查资源

[root@k8s-master1 traefik]# kubectl get secrets -n ingress-traefik|grep traefik

[root@k8s-master1 traefik]# kubectl get clusterrole -n ingress-traefik|grep traefik

2.4：创建配置文件

[root@k8s-master1 traefik]# vim traefik-config.yaml

kind: ConfigMap

apiVersion: v1

metadata:

name: traefik-config

namespace: ingress-traefik

data:

traefik.yaml: |-

ping: "" ## 启用 Ping

serversTransport:

insecureSkipVerify: true ## Traefik 忽略验证代理服务的 TLS 证书

api:

insecure: true ## 允许 HTTP 方式访问 API

dashboard: true ## 启用 Dashboard

debug: false ## 启用 Debug 调试模式

metrics:

prometheus: "" ## 配置 Prometheus 监控指标数据，并使用默认配置

entryPoints:

web:

address: ":80" ## 配置 80 端口，并设置入口名称为 web

websecure:

address: ":443" ## 配置 443 端口，并设置入口名称为 websecure

providers:

kubernetesCRD: "" ## 启用 Kubernetes CRD 方式来配置路由规则

kubernetesIngress: "" ## 启动 Kubernetes Ingress 方式来配置路由规则

log:

filePath: "" ## 设置调试日志文件存储路径，如果为空则输出到控制台

level: error ## 设置调试日志级别

format: json ## 设置调试日志格式

accessLog:

filePath: "" ## 设置访问日志文件存储路径，如果为空则输出到控制台

format: json ## 设置访问调试日志格式

bufferingSize: 0 ## 设置访问日志缓存行数

filters:

#statusCodes: ["200"] ## 设置只保留指定状态码范围内的访问日志

retryAttempts: true ## 设置代理访问重试失败时，保留访问日志

minDuration: 20 ## 设置保留请求时间超过指定持续时间的访问日志

fields: ## 设置访问日志中的字段是否保留（keep 保留、drop 不保留）

defaultMode: keep ## 设置默认保留访问日志字段

names: ## 针对访问日志特别字段特别配置保留模式

ClientUsername: drop

headers: ## 设置 Header 中字段是否保留

defaultMode: keep ## 设置默认保留 Header 中字段

names: ## 针对 Header 中特别字段特别配置保留模式

User-Agent: redact

Authorization: drop

Content-Type: keep

#创建资源

[root@k8s-master1 traefik]# kubectl apply -f traefik-config.yaml

configmap/traefik-config created

#查看资源

[root@k8s-master1 traefik]# kubectl get cm -n ingress-traefik

NAME DATA AGE

traefik-config 1 13s

2.5：节点添加标签

[root@k8s-master1 traefik]# kubectl get nodes

#添加标签

[root@k8s-master1 traefik]# kubectl label nodes k8s-node1 IngressProxy=true

[root@k8s-master1 traefik]# kubectl label nodes k8s-node2 IngressProxy=true

[root@k8s-master1 traefik]# kubectl label nodes k8s-node3 IngressProxy=true

#查看标签

[root@k8s-master1 traefik]# kubectl get nodes --show-labels

2.6：部署Traefik

2.6.1：创建Service

[root@k8s-master1 traefik]# vim traefik-service.yaml

apiVersion: v1

kind: Service

metadata:

name: traefik

namespace: ingress-traefik

spec:

type: NodePort

ports:

- name: web

port: 80

- name: websecure

port: 443

- name: admin

port: 8080

selector:

app: traefik

2.6.2：创建DaemonSet

[root@k8s-master1 traefik]# vim traefik-deploy.yaml

apiVersion: apps/v1

kind: DaemonSet

metadata:

name: traefik-ingress-controller

namespace: ingress-traefik

labels:

app: traefik

spec:

selector:

matchLabels:

app: traefik

template:

metadata:

name: traefik

labels:

app: traefik

spec:

serviceAccountName: traefik-ingress-controller

terminationGracePeriodSeconds: 1

containers:

- image: traefik:v2.3.5

name: traefik-ingress-lb

ports:

- name: web

containerPort: 80

hostPort: 80 ## 将容器端口绑定所在服务器的 80 端口

- name: websecure

containerPort: 443

hostPort: 443 ## 将容器端口绑定所在服务器的 443 端口

- name: admin

containerPort: 8080 ## Traefik Dashboard 端口

resources:

limits:

cpu: 2000m

memory: 1024Mi

requests:

cpu: 1000m

memory: 1024Mi

securityContext:

capabilities:

drop:

- ALL

add:

- NET_BIND_SERVICE

args:

- --configfile=/config/traefik.yaml

volumeMounts:

- mountPath: "/config"

name: "config"

volumes:

- name: config

configMap:

name: traefik-config

tolerations: ## 设置容忍所有污点，防止节点被设置污点

- operator: "Exists"

nodeSelector: ## 设置node筛选器，在特定label的节点上启动

IngressProxy: "true"

#创建资源

[root@k8s-master1 traefik]# kubectl apply -f traefik-deploy.yaml

#检查资源

[root@k8s-master1 traefik]# kubectl get po -n ingress-traefik

2.7：创建路由规则

我这里以traefik的面板和K8S Dashboard面板进行演示

方式1：通过CRD配置路由规则

（1）配置HTTP协议的访问路由规则

这里以traefik的看板进行演示

[root@k8s-master1 traefik]# vim traefik-dashboard-route.yaml

apiVersion: traefik.containo.us/v1alpha1

kind: IngressRoute

metadata:

name: traefik-dashboard-route

namespace: ingress-traefik

spec:

entryPoints:

- web

routes:

- match: Host(`traefik.dqzboy.com`)

kind: Rule

services:

- name: traefik #绑定至上面创建的service资源的名称

port: 8080

在PC机上将DaemonSet调度的节点物理IP与CRD资源中挂载的Host域名进行绑定，然后浏览器中输入traefik.dqzboy.com即可访问traefik的看板了

（2）配置HTTPS协议的访问路由规则

这里以K8S的官方面板进行样式

#首先我们需要先生成证书文件

[root@k8s-master1 traefik]# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout traefik.key -out traefik.crt -subj "/CN=dqzboy"

#将证书存储到 Kubernetes Secret 中

[root@k8s-master1 traefik]# kubectl create secret generic k8s-dashboard-tls --from-file=traefik.crt --from-file=traefik.key -n kubernetes-dashboard

#创建HTTPS的官方面板访问路由规则

[root@k8s-master1 traefik]# vim k8s-dashboard-router.yaml

apiVersion: traefik.containo.us/v1alpha1

kind: IngressRoute

metadata:

name: kubernetes-dashboard-route

namespace: kubernetes-dashboard #dashboard所属的名称空间

spec:

entryPoints:

- websecure

tls:

secretName: k8s-dashboard-tls #上面导入的secret资源名称

routes:

- match: Host(`k8sboard.dqzboy.com`)

kind: Rule

services:

- name: kubernetes-dashboard #注意此名必须与之前部署k8s面板时的yaml文件中Service上下文中metadata段中的name段名称保持一致(也就是svc服务)

port: 443

#创建路由规则

[root@k8s-master1 traefik]# kubectl apply -f k8s-dashboard-router.yaml

同样我们需要在自己的PC机上进行解析域名

方式2：通过Ingress配置路由规则

（1）创建traefik路由规则

[root@k8s-master1 traefik]# vim traefik-dashboard-ingress.yaml

apiVersion: extensions/v1beta1

kind: Ingress

metadata:

name: traefik-dashboard-ingress

namespace: ingress-traefik #traefik服务所属的名称空间

annotations:

kubernetes.io/ingress.class: traefik

traefik.ingress.kubernetes.io/router.entrypoints: web

spec:

rules:

- host: traefik01.dqzboy.com

http:

paths:

- path: /

backend:

serviceName: traefik

servicePort: 8080

#创建路由

[root@k8s-master1 traefik]# kubectl apply -f traefik-dashboard-ingress.yaml

#检查服务

[root@k8s-master1 traefik]# kubectl get ing -n ingress-traefik

NAME CLASS HOSTS ADDRESS PORTS AGE

traefik-dashboard-ingress traefik01.dqzboy.com 80 26s

自己的PC的hosts文件中进行域名解析，然后通过浏览器进行访问

(2）创建K8S面板路由规则

#首先我们需要先生成证书文件

[root@k8s-master1 traefik]# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout traefik.key -out traefik.crt -subj "/CN=dqzboy"

#将证书存储到 Kubernetes Secret 中

[root@k8s-master1 traefik]# kubectl create secret generic k8s-dashboard-tls --from-file=traefik.crt --from-file=traefik.key -n kubernetes-dashboard

#创建资源

[root@k8s-master1 traefik]#

apiVersion: extensions/v1beta1

kind: Ingress

metadata:

name: kubernetes-dashboard-ingress

namespace: kubernetes-dashboard #dashboard服务所属名称空间

annotations:

kubernetes.io/ingress.class: traefik

traefik.ingress.kubernetes.io/router.tls: "true"

traefik.ingress.kubernetes.io/router.entrypoints: websecure

spec:

tls:

- secretName: k8s-dashboard-tls

rules:

- host: k8sboard01.dqzboy.com

http:

paths:

- path: /

backend:

serviceName: kubernetes-dashboard #dashboard对应的service服务

servicePort: 443

[root@k8s-master1 traefik]# kubectl apply -f k8s-dashboard-ing.yaml

#检查服务

[root@k8s-master1 traefik]# kubectl get ing -n ingress-traefik

本机PC进行域名解析，然后浏览器中进行访问

Kubernetes NAT

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。