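In the previous chapter we tested resolving the service name from inside the cluster.
Now let's test resolving it from outside the cluster:
It cannot be resolved at all, because the DNS server we use outside the cluster is 10.4.7.11, our self-hosted bind DNS, and that server has no corresponding search domain.
How can nginx-dp be reached from outside the cluster?
There are two ways to expose the service here (the proxy working mode is changed in the kube-proxy configuration, followed by a restart):
1. Use the nodeport method. However, this method cannot use ipvs, only iptables, and iptables can only use the rr scheduling method. The principle is equivalent to port mapping: a port inside the container is mapped to a port on the host.
2. Use ingress. It works only at layer 7, so it is suggested for exposing http; for https, a front-end nginx can handle certificate offloading. --- This is the recommended method.
Ingress forwards user requests to a specific service resource based on the domain name and the URL path.
Next we deploy traefik (official GitHub address). Run the following on hdss7-200:
Pull the image: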
# docker pull traefik:v1.7.2-alpine
# docker tag add5fac61ae5 harbor.od.com/public/traefik:v1.7.2
# docker push harbor.od.com/public/traefik:v1.7.2
Create the resource manifests:
1.rbac.yaml
# cd /data/k8s-yaml/traefik/
# vi rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system
2.ds.yaml
# vi ds.yaml
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: traefik-ingress
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress
        name: traefik-ingress
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      - image: harbor.od.com/public/traefik:v1.7.2
        name: traefik-ingress
        ports:
        - name: controller
          containerPort: 80
          hostPort: 81
        - name: admin-web
          containerPort: 8080
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
        - --insecureskipverify=true
        - --kubernetes.endpoint=https://10.4.7.10:7443
        - --accesslog
        - --accesslog.filepath=/var/log/traefik_access.log
        - --traefiklog
        - --traefiklog.filepath=/var/log/traefik.log
        - --metrics.prometheus
3.svc.yaml
# vi svc.yaml
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress
  ports:
    - protocol: TCP
      port: 80
      name: controller
    - protocol: TCP
      port: 8080
      name: admin-web
4.ingress.yaml
# vi ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik.od.com
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-ingress-service
          servicePort: 8080
Then create the resources on a node:
# kubectl create -f http://k8s-yaml.od.com/traefik/rbac.yaml
# kubectl create -f http://k8s-yaml.od.com/traefik/ds.yaml
# kubectl create -f http://k8s-yaml.od.com/traefik/svc.yaml
# kubectl create -f http://k8s-yaml.od.com/traefik/ingress.yaml
Configure the nginx proxy on hdss7-11 and hdss7-12:
# vi /etc/nginx/conf.d/od.com.conf
upstream default_backend_traefik {
    server 10.4.7.21:81    max_fails=3 fail_timeout=10s;
    server 10.4.7.22:81    max_fails=3 fail_timeout=10s;
}
server {
    server_name *.od.com;

    location / {
        proxy_pass http://default_backend_traefik;
        proxy_set_header Host $http_host;
        proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
    }
}
On hdss7-11, add a DNS record for the host value used in ingress.yaml:
# vi /var/named/od.com.zone
Append the DNS record for traefik at the end:
$ORIGIN od.com.
$TTL 600    ; 10 minutes
@           IN SOA  dns.od.com. dnsadmin.od.com. (
                    2019061804 ; serial
                    10800      ; refresh (3 hours)
                    900        ; retry (15 minutes)
                    604800     ; expire (1 week)
                    86400      ; minimum (1 day)
                    )
                    NS   dns.od.com.
$TTL 60    ; 1 minute
dns                A    10.4.7.11
harbor             A    10.4.7.200
k8s-yaml           A    10.4.7.200
traefik            A    10.4.7.10
# systemctl restart named
Then we can access this domain from outside the cluster through a browser:
http://traefik.od.com   # the virtual NIC on our host machine is set to use the bind DNS server
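
Every request for *.od.com is handed by nginx to traefik with the client's Host header intact, and traefik then picks a backend by host and URL path. The sketch below is an added example (not from the original post and not traefik's own code) that models this matching with the traefik.od.com rule from ingress.yaml. The other hostnames in the sample requests are constructed, and matching on whole path segments is an assumption of this model.

```python
# Added example: simplified model of Ingress host/path routing (not traefik's code).
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    host: str      # Ingress spec.rules[].host
    path: str      # Ingress spec.rules[].http.paths[].path, treated as a prefix
    service: str   # backend.serviceName
    port: int      # backend.servicePort


# The single rule defined in ingress.yaml on this page.
RULES = [Rule("traefik.od.com", "/", "traefik-ingress-service", 8080)]


def canonical_host(host_header: str) -> str:
    """Lower-case the Host header, drop an optional :port and a trailing dot."""
    host = host_header.strip().lower()
    if host.startswith("[") and "]" in host:   # bracketed IPv6 literal
        return host[1:host.find("]")]
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def path_matches(prefix: str, path: str) -> bool:
    """Prefix match on whole segments (model assumption): /api does not match /apix."""
    if prefix == "/":
        return path.startswith("/")
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def route(host_header: str, path: str, rules=RULES) -> Optional[Rule]:
    """Return the rule whose host matches and whose path prefix is the longest match."""
    host = canonical_host(host_header)
    hits = [r for r in rules if r.host == host and path_matches(r.path, path)]
    return max(hits, key=lambda r: len(r.path), default=None)


if __name__ == "__main__":
    # Constructed requests, as nginx would forward them ($http_host is passed through).
    samples = [("traefik.od.com", "/dashboard/"),
               ("TRAEFIK.od.com:80", "/"),
               ("nginx-dp.od.com", "/"),    # constructed name, no Ingress rule yet
               ("10.4.7.21:81", "/")]       # hostPort hit directly by IP
    for host, path in samples:
        hit = route(host, path)
        target = f"{hit.service}:{hit.port}" if hit else "no matching rule"
        print(f"{host:20} {path:12} -> {target}")
```

Only a Host that matches an Ingress rule reaches a backend; the wildcard server_name in nginx by itself exposes nothing until a rule for that hostname exists.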