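1. Introduction to traefik
1.1 A brief look at the traefik proxy
Træfɪk is a modern HTTP reverse proxy and load balancer built to make deploying microservices easier. It supports several backends (Docker, Swarm, Kubernetes, Marathon, Mesos, Consul, Etcd, Zookeeper, BoltDB, Rest API, file…) to apply its configuration automatically and dynamically. An ingress setup needs the following components:
1. Reverse proxy / load balancer
Loads the configuration generated by the ingress controller and the ingress objects, and implements the reload function.
2. Ingress controller
The ingress controller is essentially a watcher. It talks to the Kubernetes API continuously and picks up changes to backend services and pods in real time, such as pods or services being added or removed. When it sees such a change, it combines it with the Ingress described below to generate configuration, updates the reverse proxy / load balancer and refreshes its configuration, which is how service discovery is achieved.
3. Ingress
An Ingress is similar to the load balancer of an Internet application (Apache, nginx and the like). It is the entry point for traffic from outside the Kubernetes cluster and forwards users' URL requests to different services. It also contains the rule definitions, that is, the URL routing information; refreshing that routing information is handled by the ingress controller.
4. RBAC
Before starting, it helps to understand what RBAC is. RBAC (role-based access control) uses the rbac.authorization.k8s.io API group to implement authorization, and lets administrators configure permission policies dynamically through the Kubernetes API. In version 1.6 RBAC was still in Beta; to enable the RBAC authorization mode, specify the --authorization-mode=RBAC option on the apiserver component.
The four important concepts in the RBAC API:
Role: a set of permissions; for example, a role can contain the permission to read Pods and the permission to list Pods.
ClusterRole: similar to a Role, but usable anywhere in the cluster (a Role is namespace-scoped).
RoleBinding: maps a role to users, so that those users inherit the role's permissions within the namespace.
ClusterRoleBinding: lets users inherit the permissions of a ClusterRole across the whole cluster.
Reference link:
1.2 Deploying Træfɪk
Since traefik is used here to expose Kubernetes services, you need a Kubernetes cluster. If you do not have one, you can quickly deploy one with kubeadm, kops or similar; which method you use to install your cluster is entirely up to you.
Label the cluster nodes: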
kubectl label nodes 192.168.2.11 edgenode=traefik-proxy
kubectl label nodes 192.168.2.12 edgenode=traefik-proxy
kubectl label nodes 192.168.2.13 edgenode=traefik-proxy
kubectl get nodes --show-labels
NAME STATUS ROLES AGE VERSION LABELS
192.168.2.10 Ready,SchedulingDisabled master 5d v1.11.3 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/hostname=192.168.2.10,kubernetes.io/role=master
192.168.2.11 Ready node 5d v1.11.3 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,edgenode=traefik-proxy,kubernetes.io/hostname=192.168.2.11,kubernetes.io/role=node
192.168.2.12 Ready node 5d v1.11.3 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,edgenode=traefik-proxy,kubernetes.io/hostname=192.168.2.12,kubernetes.io/role=node
192.168.2.13 Ready node 5d v1.11.3 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,edgenode=traefik-proxy,kubernetes.io/hostname=192.168.2.13,kubernetes.io/role=node
192.168.2.14 Ready,SchedulingDisabled master 5d v1.11.3 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/hostname=192.168.2.14,kubernetes.io/role=master
Prepare the required configuration files:
# cat ingress-rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress
  namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: ingress
subjects:
  - kind: ServiceAccount
    name: ingress
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
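Added example, not part of the original post: the binding above gives the ingress ServiceAccount cluster-admin, so the proxy pod carries full cluster rights, whereas the RBAC concepts in section 1.1 allow a ClusterRole that lists only what the controller uses. The role name traefik-ingress-controller and the rule set (read access to services, endpoints, secrets and ingresses, plus updating ingress status) are assumptions based on what a Kubernetes ingress controller watches.

```yaml
# Narrower replacement for the ClusterRoleBinding in ingress-rbac.yaml.
# Assumption: the role name "traefik-ingress-controller" is chosen here for illustration.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  # Read-only view of the objects an ingress controller turns into routes.
  - apiGroups: [""]
    resources: ["services", "endpoints", "secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # The only write: publishing the load-balancer address on Ingress objects.
  - apiGroups: ["extensions"]
    resources: ["ingresses/status"]
    verbs: ["update"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: ingress
subjects:
  - kind: ServiceAccount
    name: ingress
    namespace: kube-system
roleRef:
  kind: ClusterRole
  # Weak setting from the post:   name: cluster-admin
  name: traefik-ingress-controller
  apiGroup: rbac.authorization.k8s.io
```

The roleRef of an existing binding cannot be changed, so if the cluster-admin binding was already applied, remove it with kubectl delete clusterrolebinding ingress before applying this one. Afterwards, kubectl auth can-i delete nodes --as=system:serviceaccount:kube-system:ingress should answer no.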
# cat traefik.yaml
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: traefik-ingress-lb
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      terminationGracePeriodSeconds: 60
      hostNetwork: true
      restartPolicy: Always
      serviceAccountName: ingress
      containers:
      - image: traefik
        name: traefik-ingress-lb
        resources:
          limits:
            cpu: 200m
            memory: 30Mi
          requests:
            cpu: 100m
            memory: 20Mi
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: admin
          containerPort: 8580
          hostPort: 8580
        args:
        - --web
        - --web.address=:8580
        - --kubernetes
      nodeSelector:
        edgenode: "traefik-proxy"  # label of the nodes where traefik should be installed
Next, configure the UI for traefik:
# cat ui.yaml
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - name: web
    port: 80
    targetPort: 8580
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  rules:
  - host: tf.abcgogo.com  # domain name for the UI
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: web
Once the configuration files are ready, run:
kubectl apply -f .
Check that it succeeded:
# kubectl get svc,deployment,pod --all-namespaces -o wide | grep traefik
kube-system service/traefik-web-ui ClusterIP 10.68.166.109 <none> 80/TCP 4h k8s-app=traefik-ingress-lb
kube-system pod/traefik-ingress-lb-2qbgd 1/1 Running 0 4h 192.168.2.12 192.168.2.12 <none>
kube-system pod/traefik-ingress-lb-9tc6n 1/1 Running 0 4h 192.168.2.11 192.168.2.11 <none>
kube-system pod/traefik-ingress-lb-fmfn6 1/1 Running 0 4h 192.168.2.13 192.168.2.13 <none>
Check the status of the svc and ing:
# kubectl describe svc,ing traefik-web-ui -n kube-system
Name: traefik-web-ui
Namespace: kube-system
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"name":"traefik-web-ui","namespace":"kube-system"},"spec":{"ports":[{"name":"web","por...
Selector: k8s-app=traefik-ingress-lb
Type: ClusterIP
IP: 10.68.166.109
Port: web 80/TCP
TargetPort: 8580/TCP
Endpoints: 192.168.2.11:8580,192.168.2.12:8580,192.168.2.13:8580
Session Affinity: None
Events: <none>
Name: traefik-web-ui
Namespace: kube-system
Address:
Default backend: default-http-backend:80 (<none>)
Rules:
Host Path Backends
---- ---- --------
tf.abcgogo.com
/ traefik-web-ui:web (192.168.2.11:8580,192.168.2.12:8580,192.168.2.13:8580)
Annotations:
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{},"name":"traefik-web-ui","namespace":"kube-system"},"spec":{"rules":[{"host":"tf.abcgogo.com","http":{"paths":[{"backend":{"serviceName":"traefik-web-ui","servicePort":"web"},"path":"/"}]}}]}}
Events: <none>
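It can now be reached at node-ip:port on any node where traefik is deployed.
Since a domain name was configured above, you can also use the domain name directly, provided DNS resolution for it is in place.
Define a custom ingress: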
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
  namespace: default
  labels:
    name: nginx-svc
spec:
  # Selects the pods created by the ngx-pod Deployment below
  selector:
    run: ngx-pod
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: ngx-pod
spec:
  replicas: 4
  template:
    metadata:
      labels:
        run: ngx-pod
    spec:
      containers:
      - name: nginx
        image: nginx:1.10
        ports:
        - containerPort: 80
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ngx-ing
  annotations:
    # Have traefik (and no other ingress controller) handle this Ingress
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik.abcgogo.com
    http:
      paths:
      - backend:
          serviceName: nginx-svc
          servicePort: 80
Additional notes:
If you deployed traefik as a Deployment
(https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-deployment.yaml), check the NodePort returned by
kubectl describe svc traefik-ingress-service -n kube-system
and use it in your URL (http://traefik-ui.minikube:xxx).
(You do not have to change traefik-web-ui to NodePort.)
If you used a DaemonSet
(https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-ds.yaml), use http://<domain name>.
If you want to access traefik-web-ui directly, the simplest way is:
minikube service traefik-web-ui --url
To configure local hosts resolution on Linux (replace <master-node-ip> with the IP of your master node):
echo "<master-node-ip> traefik-ui.minikube" | sudo tee -a /etc/hosts
traefik (1): deploying traefik on Kubernetes
Original article: http://blog.51cto.com/m51cto/2328917