Kubernetes (K8S): Deploying the traefik ingress controller
Deploying traefik ingress
Traefik is an open-source reverse proxy and load balancer. Its biggest advantage is that it integrates directly with common microservice systems and can configure itself automatically and dynamically. It currently supports backends such as Docker, Swarm, Mesos/Marathon, Mesos, Kubernetes, Consul, Etcd, Zookeeper, BoltDB, Rest API and others.
traefik architecture diagram
Installation
1. Download the yaml files
https://github.com/traefik/traefik.git
https://github.com/traefik/traefik/tree/v1.7/examples/k8s
wget https://raw.githubusercontent.com/traefik/traefik/v1.7/examples/k8s/traefik-ds.yaml
wget https://raw.githubusercontent.com/traefik/traefik/v1.7/examples/k8s/traefik-rbac.yaml
wget https://raw.githubusercontent.com/traefik/traefik/v1.7/examples/k8s/ui.yaml
2. Modify the yaml files
traefik-rbac.yaml does not need to be modified
[root@k8s-001 traefik]# cat traefik-rbac.yaml
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
Modify traefik-ds.yaml
[root@k8s-001 traefik]# cat traefik-ds.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
      name: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      tolerations: # tolerate the taint so that this pod can also run on master nodes
        - operator: Exists
          effect: NoSchedule
      nodeSelector: # run only on nodes labelled ingress=traefik
        ingress: traefik
      containers:
        - image: traefik:v1.7.29
          name: traefik-ingress-lb
          ports:
            - name: http
              containerPort: 80
              hostPort: 81 # I chose 81 here; port 80 is needed later for the nginx proxy
            - name: admin-web
              containerPort: 8080
              #hostPort: 8080 # nodes are limited in this lab, so the traefik pod has to run on a master, where port 8080 is already taken by the apiserver; commented out so that 8080 is not used
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          args:
            - --api
            - --kubernetes
            - --logLevel=INFO
            - --insecureskipverify=true # invalid TLS certificates from backends are accepted
            - --kubernetes.endpoint=https://10.128.25.204:8443 # with multiple masters, use the VIP address; with a single master this line can be commented out
            - --accesslog
            - --accesslog.filepath=/var/log/traefik_access.log
            - --traefiklog
            - --traefiklog.filepath=/var/log/traefik.log
            - --metrics.prometheus
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin-web
  #type: NodePort
Modify ui.yaml
[root@k8s-001 traefik]# cat ui.yaml
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - name: web
      port: 80
      targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  rules:
    - host: traefik.example.com # change this to your own domain
      http:
        paths:
          - path: /
            backend:
              serviceName: traefik-web-ui
              servicePort: web
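The manifests above enable `--api`, set `--insecureskipverify=true`, open a hostPort and route `traefik.example.com` to port 8080 with no authentication annotation. The following added example (not code from the original post or from the traefik project) audits those settings before `kubectl apply`; the dicts are constructed from the fields shown above, as a YAML loader would return them, and `audit`, `AUTH_KEYS` and `API_PORT` are names assumed for the illustration.

```python
"""Added example: static audit of the traefik 1.7 manifests shown on this page."""
# Annotation keys traefik 1.7 reads for per-Ingress authentication.
AUTH_KEYS = ("ingress.kubernetes.io/auth-type", "traefik.ingress.kubernetes.io/auth-type")
API_PORT = 8080  # containerPort "admin-web", served when --api is set

def audit(docs):
    """Return (object name, finding) tuples for a list of loaded manifest dicts."""
    findings, api_on, api_services = [], False, set()
    for d in docs:
        name = d["metadata"]["name"]
        if d["kind"] == "DaemonSet":
            for c in d["spec"]["template"]["spec"]["containers"]:
                args = [a.lower() for a in c.get("args", [])]
                api_on = api_on or "--api" in args
                if "--insecureskipverify=true" in args:
                    findings.append((name, "invalid backend TLS certificates are accepted"))
                for p in c.get("ports", []):
                    if "hostPort" in p:
                        findings.append((name, "hostPort %d is open on each node running the pod" % p["hostPort"]))
        elif d["kind"] == "Service":
            # A Service port without targetPort forwards to the same port number.
            if any(p.get("targetPort", p["port"]) == API_PORT for p in d["spec"]["ports"]):
                api_services.add(name)
    for d in docs:  # second pass: Ingress rules that route to the API/dashboard port
        if d["kind"] != "Ingress" or not api_on:
            continue
        if any(k in d["metadata"].get("annotations", {}) for k in AUTH_KEYS):
            continue
        for rule in d["spec"]["rules"]:
            for path in rule["http"]["paths"]:
                if path["backend"]["serviceName"] in api_services:
                    findings.append((d["metadata"]["name"],
                                     "API/dashboard routed at %s with no auth-type annotation" % rule["host"]))
    return findings

# Constructed input: the relevant fields of traefik-ds.yaml and ui.yaml from this page.
DAEMONSET = {"kind": "DaemonSet", "metadata": {"name": "traefik-ingress-controller"},
             "spec": {"template": {"spec": {"containers": [{
                 "args": ["--api", "--kubernetes", "--insecureskipverify=true"],
                 "ports": [{"containerPort": 80, "hostPort": 81}, {"containerPort": 8080}]}]}}}}
UI_SERVICE = {"kind": "Service", "metadata": {"name": "traefik-web-ui"},
              "spec": {"ports": [{"name": "web", "port": 80, "targetPort": 8080}]}}
UI_INGRESS = {"kind": "Ingress", "metadata": {"name": "traefik-web-ui"},
              "spec": {"rules": [{"host": "traefik.example.com", "http": {"paths": [
                  {"path": "/", "backend": {"serviceName": "traefik-web-ui", "servicePort": "web"}}]}}]}}

if __name__ == "__main__":
    for obj, finding in audit([DAEMONSET, UI_SERVICE, UI_INGRESS]):
        print(obj + ": " + finding)
```

Adding `ingress.kubernetes.io/auth-type: basic` together with an `ingress.kubernetes.io/auth-secret` annotation to the Ingress clears the third finding.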
3. Create
[root@k8s-001 traefik]# kubectl apply -f traefik-rbac.yaml -f traefik-ds.yaml -f ui.yaml
4. Check
[root@k8s-001 traefik]# kubectl get ds -A
NAMESPACE     NAME                         DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR     AGE
kube-system   traefik-ingress-controller   0         0         0       0            0           ingress=traefik   61s
5. Label nodes k8s-003 and k8s-005 with ingress=traefik
[root@k8s-001 traefik]# kubectl label nodes k8s-003 ingress=traefik
[root@k8s-001 traefik]# kubectl label nodes k8s-005 ingress=traefik
6. Check again: the pod is now running on nodes k8s-003 and k8s-005
[root@k8s-001 traefik]# kubectl get ds -n kube-system
NAMESPACE     NAME                         DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR     AGE
kube-system   traefik-ingress-controller   2         2         2       2            2           ingress=traefik   2m54s
[root@k8s-001 traefik]# kubectl get pods -n kube-system
NAME                               READY   STATUS    RESTARTS   AGE
traefik-ingress-controller-ssb2n   1/1     Running   0          12s
traefik-ingress-controller-w87nj   1/1     Running   0          79s
[root@k8s-001 traefik]# kubectl get pods -n kube-system -o wide
NAME                               READY   STATUS    RESTARTS   AGE   IP            NODE      NOMINATED NODE   READINESS GATES
traefik-ingress-controller-ssb2n   1/1     Running   0          28s   172.17.7.3    k8s-003   <none>           <none>
traefik-ingress-controller-w87nj   1/1     Running   0          95s   172.17.83.2   k8s-005   <none>           <none>
7. View the ds, pod and ingress
[root@k8s-001 traefik]# kubectl get ds,pod,ingress -n kube-system
NAME                                              DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR     AGE
daemonset.extensions/traefik-ingress-controller   2         2         2       2            2           ingress=traefik   15m

NAME                                   READY   STATUS    RESTARTS   AGE
pod/traefik-ingress-controller-ssb2n   1/1     Running   0          12m
pod/traefik-ingress-controller-w87nj   1/1     Running   0          14m

NAME                                HOSTS                 ADDRESS   PORTS   AGE
ingress.extensions/traefik-web-ui   traefik.example.com             80      20m
Configure the NGINX proxy
Set up a reverse proxy on the front-end nginx. Nginx + Keepalived provide a highly available NGINX proxy (I won't build that again here).
Configure the traefik.com.conf file
# cat /etc/nginx/conf.d/traefik.com.conf
upstream default_backend_traefik {
    server 10.128.25.203:81 max_fails=3 fail_timeout=10s; # these IPs are the k8s-003 and k8s-005 nodes running the traefik pod
    server 10.128.25.205:81 max_fails=3 fail_timeout=10s;
}
server {
    listen 80;
    server_name *.example.com;
    location / {
        proxy_pass http://default_backend_traefik;
        proxy_set_header Host $http_host;
        proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
    }
}
Restart nginx
nginx -t
systemctl restart nginx
Add a local hosts entry
On Windows, add the entry to C:\Windows\System32\drivers\etc\hosts:
10.128.25.230 traefik.example.com # this is the VIP address of the NGINX proxy
Open in a browser: http://traefik.example.com