K8s in Practice: Deploying Traefik Ingress

Reader submission | 1566 | 2022-05-29

Traefik is an open-source edge router that makes publishing your services an easy and enjoyable experience. It receives requests on behalf of your system and works out which components are responsible for handling them. What sets Traefik apart, besides its many features, is that it automatically discovers the right configuration for your services: when Traefik inspects your infrastructure, it finds the relevant information and learns which service serves which request.

Traefik is natively compatible with every major cluster technology, such as Kubernetes, Docker, Docker Swarm, AWS, Mesos, Marathon and more, and it can handle several of them at the same time. (It even works for legacy software running on bare metal.) With Traefik there is no need to maintain and synchronize separate configuration files: everything happens automatically and in real time (no restarts, no dropped connections). With Traefik you spend your time developing and deploying new features to your system, not configuring and maintaining its working state.

Project: https://github.com/traefik/traefik

Documentation: https://doc.traefik.io/traefik/

2. Deploying Traefik

2.1: Create the namespace

[root@k8s-master1 ~]# cd /opt/k8s/work/
[root@k8s-master1 work]# mkdir traefik
[root@k8s-master1 work]# cd traefik/
[root@k8s-master1 traefik]# kubectl create ns ingress-traefik

2.2: Create the CRD resources

Since Traefik v2.0, routing configuration is done through CRDs (Custom Resource Definitions), so the CRD resources have to be created first.

[root@k8s-master1 traefik]# vim traefik-crd.yaml

## IngressRoute
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
---
## IngressRouteTCP
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
---
## Middleware
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
---
## TLSOption
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
---
## TraefikService
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: traefikservices.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TraefikService
    plural: traefikservices
    singular: traefikservice
---
## TraefikTLSStore
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsstores.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSStore
    plural: tlsstores
    singular: tlsstore
---
## IngressRouteUDP
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressrouteudps.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteUDP
    plural: ingressrouteudps
    singular: ingressrouteudp

# Create the resources
[root@k8s-master1 traefik]# kubectl apply -f traefik-crd.yaml

# Check the CRD resources
[root@k8s-master1 traefik]# kubectl get crd | grep traefik

2.3: Create the RBAC permissions

Traefik needs certain permissions, so create a ServiceAccount for Traefik up front and grant it the required permissions.

[root@k8s-master1 traefik]# vim traefik-rbac.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: ingress-traefik
  name: traefik-ingress-controller
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups: [""]
    resources: ["services", "endpoints", "secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses/status"]
    verbs: ["update"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["middlewares"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["ingressroutes", "traefikservices"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["ingressroutetcps", "ingressrouteudps"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["tlsoptions", "tlsstores"]
    verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: ingress-traefik

# Create the resources
[root@k8s-master1 traefik]# kubectl apply -f traefik-rbac.yaml

# Check the resources
[root@k8s-master1 traefik]# kubectl get secrets -n ingress-traefik|grep traefik
[root@k8s-master1 traefik]# kubectl get clusterrole -n ingress-traefik|grep traefik

2.4: Create the configuration file

[root@k8s-master1 traefik]# vim traefik-config.yaml

kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-config
  namespace: ingress-traefik
data:
  traefik.yaml: |-
    ping: ""                      ## enable the ping endpoint
    serversTransport:
      insecureSkipVerify: true    ## Traefik skips verification of the proxied services' TLS certificates
    api:
      insecure: true              ## allow access to the API over plain HTTP
      dashboard: true             ## enable the dashboard
      debug: false                ## enable debug mode
    metrics:
      prometheus: ""              ## expose Prometheus metrics with the default settings
    entryPoints:
      web:
        address: ":80"            ## listen on port 80 with an entry point named web
      websecure:
        address: ":443"           ## listen on port 443 with an entry point named websecure
    providers:
      kubernetesCRD: ""           ## configure routing rules through Kubernetes CRDs
      kubernetesIngress: ""       ## configure routing rules through Kubernetes Ingress
    log:
      filePath: ""                ## log file path; empty means log to the console
      level: error                ## log level
      format: json                ## log format
    accessLog:
      filePath: ""                ## access log file path; empty means log to the console
      format: json                ## access log format
      bufferingSize: 0            ## number of access log lines to buffer
      filters:
        #statusCodes: ["200"]     ## keep only access log entries whose status code falls in the given ranges
        retryAttempts: true       ## keep access log entries for requests that were retried
        minDuration: 20           ## keep access log entries for requests that took longer than this
      fields:                     ## which access log fields to keep (keep = retain, drop = discard)
        defaultMode: keep         ## keep fields by default
        names:                    ## per-field overrides
          ClientUsername: drop
        headers:                  ## which request headers to keep
          defaultMode: keep       ## keep headers by default
          names:                  ## per-header overrides
            User-Agent: redact
            Authorization: drop
            Content-Type: keep

# Create the resource
[root@k8s-master1 traefik]# kubectl apply -f traefik-config.yaml
configmap/traefik-config created

# Check the resource
[root@k8s-master1 traefik]# kubectl get cm -n ingress-traefik
NAME             DATA   AGE
traefik-config   1      13s

2.5: Label the nodes

[root@k8s-master1 traefik]# kubectl get nodes

# Add the label
[root@k8s-master1 traefik]# kubectl label nodes k8s-node1 IngressProxy=true
[root@k8s-master1 traefik]# kubectl label nodes k8s-node2 IngressProxy=true
[root@k8s-master1 traefik]# kubectl label nodes k8s-node3 IngressProxy=true

# Check the labels
[root@k8s-master1 traefik]# kubectl get nodes --show-labels

2.6: Deploy Traefik

2.6.1: Create the Service

[root@k8s-master1 traefik]# vim traefik-service.yaml

apiVersion: v1
kind: Service
metadata:
  name: traefik
  namespace: ingress-traefik
spec:
  type: NodePort
  ports:
    - name: web
      port: 80
    - name: websecure
      port: 443
    - name: admin
      port: 8080
  selector:
    app: traefik

2.6.2: Create the DaemonSet

[root@k8s-master1 traefik]# vim traefik-deploy.yaml

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: traefik-ingress-controller
  namespace: ingress-traefik
  labels:
    app: traefik
spec:
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      name: traefik
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 1
      containers:
        - image: traefik:v2.3.5
          name: traefik-ingress-lb
          ports:
            - name: web
              containerPort: 80
              hostPort: 80          ## bind the container port to port 80 of the node
            - name: websecure
              containerPort: 443
              hostPort: 443         ## bind the container port to port 443 of the node
            - name: admin
              containerPort: 8080   ## Traefik dashboard port
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 1000m
              memory: 1024Mi
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          args:
            - --configfile=/config/traefik.yaml
          volumeMounts:
            - mountPath: "/config"
              name: "config"
      volumes:
        - name: config
          configMap:
            name: traefik-config
      tolerations:                  ## tolerate all taints, so the pod still runs if a node gets tainted
        - operator: "Exists"
      nodeSelector:                 ## node selector: only start on nodes carrying this label
        IngressProxy: "true"

# Create the resource
[root@k8s-master1 traefik]# kubectl apply -f traefik-deploy.yaml

# Check the resource
[root@k8s-master1 traefik]# kubectl get po -n ingress-traefik

2.7: Create routing rules

I'll demonstrate with the Traefik dashboard and the Kubernetes Dashboard.

Method 1: configure routing rules through CRDs

(1) Configure an HTTP routing rule

The Traefik dashboard is used for this example.

[root@k8s-master1 traefik]# vim traefik-dashboard-route.yaml

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-route
  namespace: ingress-traefik
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`traefik.dqzboy.com`)
      kind: Rule
      services:
        - name: traefik   # the name of the Service created above
          port: 8080

On your PC, map the Host domain used in the CRD resource to the physical IP of a node on which the DaemonSet is scheduled, then enter traefik.dqzboy.com in the browser to reach the Traefik dashboard.
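The route above publishes the dashboard over plain HTTP on port 8080 with no authentication, which is what api.insecure: true in the ConfigMap allows. As an added example (not from the original post), the manifests below serve the dashboard from Traefik's internal API service on the websecure entry point behind a basicAuth middleware; they assume api.insecure is set to false in traefik.yaml and that a TLS secret named traefik-dashboard-tls (with tls.crt and tls.key keys) already exists in ingress-traefik.

```yaml
# Added example, not part of the original post.
# Assumed names: secrets traefik-dashboard-auth and traefik-dashboard-tls.
apiVersion: v1
kind: Secret
metadata:
  name: traefik-dashboard-auth
  namespace: ingress-traefik
type: Opaque
stringData:
  # htpasswd-format lines; generate one with: htpasswd -nbB admin '<password>'
  # the value below is a placeholder, not a real hash
  users: "admin:<bcrypt-hash-from-htpasswd>"
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth
  namespace: ingress-traefik
spec:
  basicAuth:
    secret: traefik-dashboard-auth
    removeHeader: true   # do not forward the Authorization header upstream
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-secure
  namespace: ingress-traefik
spec:
  entryPoints:
    - websecure          # TLS only; nothing is exposed on the web entry point
  tls:
    secretName: traefik-dashboard-tls
  routes:
    - match: Host(`traefik.dqzboy.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      kind: Rule
      middlewares:
        - name: dashboard-auth
      services:
        - name: api@internal   # Traefik's built-in API/dashboard service
          kind: TraefikService
```

With api.insecure set to false the admin port 8080 in the Service and DaemonSet is no longer needed and can be removed.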

(2) Configure an HTTPS routing rule

The official Kubernetes Dashboard is used for this example.

# First generate the certificate files
[root@k8s-master1 traefik]# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout traefik.key -out traefik.crt -subj "/CN=dqzboy"

# Store the certificate in a Kubernetes Secret
# Traefik reads the certificate and key from the secret keys tls.crt and tls.key, so name the keys explicitly
[root@k8s-master1 traefik]# kubectl create secret generic k8s-dashboard-tls --from-file=tls.crt=traefik.crt --from-file=tls.key=traefik.key -n kubernetes-dashboard

# Create the HTTPS routing rule for the official dashboard
[root@k8s-master1 traefik]# vim k8s-dashboard-router.yaml

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: kubernetes-dashboard-route
  namespace: kubernetes-dashboard   # the namespace the Dashboard belongs to
spec:
  entryPoints:
    - websecure
  tls:
    secretName: k8s-dashboard-tls   # the name of the Secret imported above
  routes:
    - match: Host(`k8sboard.dqzboy.com`)
      kind: Rule
      services:
        - name: kubernetes-dashboard   # must match the metadata.name of the Service in the manifest used to deploy the Kubernetes Dashboard (i.e. the svc)
          port: 443

# Create the routing rule
[root@k8s-master1 traefik]# kubectl apply -f k8s-dashboard-router.yaml

As before, resolve the domain name on your own PC.

Method 2: configure routing rules through Ingress

(1) Create the Traefik routing rule

[root@k8s-master1 traefik]# vim traefik-dashboard-ingress.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-dashboard-ingress
  namespace: ingress-traefik   # the namespace the Traefik service belongs to
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  rules:
    - host: traefik01.dqzboy.com
      http:
        paths:
          - path: /
            backend:
              serviceName: traefik
              servicePort: 8080

# Create the route
[root@k8s-master1 traefik]# kubectl apply -f traefik-dashboard-ingress.yaml

# Check the service
[root@k8s-master1 traefik]# kubectl get ing -n ingress-traefik
NAME                        CLASS    HOSTS                  ADDRESS   PORTS   AGE
traefik-dashboard-ingress   <none>   traefik01.dqzboy.com             80      26s

Resolve the domain name in your PC's hosts file, then open it in the browser.

(2) Create the Kubernetes Dashboard routing rule

# First generate the certificate files
[root@k8s-master1 traefik]# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout traefik.key -out traefik.crt -subj "/CN=dqzboy"

# Store the certificate in a Kubernetes Secret
# Traefik reads the certificate and key from the secret keys tls.crt and tls.key, so name the keys explicitly
[root@k8s-master1 traefik]# kubectl create secret generic k8s-dashboard-tls --from-file=tls.crt=traefik.crt --from-file=tls.key=traefik.key -n kubernetes-dashboard

# Create the resource
[root@k8s-master1 traefik]# vim k8s-dashboard-ing.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kubernetes-dashboard-ingress
  namespace: kubernetes-dashboard   # the namespace the Dashboard service belongs to
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
  tls:
    - secretName: k8s-dashboard-tls
  rules:
    - host: k8sboard01.dqzboy.com
      http:
        paths:
          - path: /
            backend:
              serviceName: kubernetes-dashboard   # the Dashboard's Service
              servicePort: 443

[root@k8s-master1 traefik]# kubectl apply -f k8s-dashboard-ing.yaml

# Check the service (the Ingress lives in the kubernetes-dashboard namespace)
[root@k8s-master1 traefik]# kubectl get ing -n kubernetes-dashboard

Resolve the domain name on your local PC, then open it in the browser.
