Kubernetes v1.9.7 Installation and Deployment: Configuring the Ingress Controller


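An Ingress is essentially an entry point for reaching a Kubernetes cluster from outside: it forwards external requests to different Services inside the cluster. In effect it is a load-balancing proxy such as nginx or Apache plus a set of rule definitions, and the routing information is kept up to date by the Ingress controller. The Ingress controller can be thought of as a listener: by continuously talking to kube-apiserver it learns in real time about changes to backend Services, Pods and so on. When it receives such changes, it combines them with the Ingress configuration and updates the reverse-proxy load balancer, which achieves service discovery. This is very similar to the service discovery tools consul and consul-template.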

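1. Deploy Traefik

Traefik is an open-source reverse proxy and load balancer. Its biggest advantage is that it integrates directly with common microservice systems and supports automated dynamic configuration. It currently supports backends including Docker, Swarm, Mesos/Marathon, Mesos, Kubernetes, Consul, Etcd, Zookeeper, BoltDB, Rest API and others.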


2. Create RBAC

Create the file ingress-rbac.yaml, which is used for service account authentication:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress
  namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: ingress
subjects:
- kind: ServiceAccount
  name: ingress
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

 

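3. Deploy Traefik as a DaemonSet

Create the file traefik-daemonset.yaml. To ensure Traefik can always serve traffic, one Traefik instance is deployed on every node, so a DaemonSet is used here.

YAML configuration for HTTP: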

[root@NodeA ~]# cat traefik-daemonset.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress
  namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: ingress
subjects:
- kind: ServiceAccount
  name: ingress
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

---
kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-conf
  namespace: kube-system
data:
  traefik-config: |-
    defaultEntryPoints = ["http"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"

---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress
        name: traefik-ingress
    spec:
      terminationGracePeriodSeconds: 60
      restartPolicy: Always
      serviceAccountName: ingress
      containers:
      - image: traefik:v1.5.3
        name: traefik-ingress
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: https
          containerPort: 443
          hostPort: 443
        - name: admin
          containerPort: 8080
        args:
        - --configFile=/etc/traefik/traefik.toml
        - -d
        - --web
        - --kubernetes
        - --logLevel=DEBUG
        volumeMounts:
        - name: traefik-config-volume
          mountPath: /etc/traefik
      volumes:
      - name: traefik-config-volume
        configMap:
          name: traefik-conf
          items:
          - key: traefik-config
            path: traefik.toml

 

YAML configuration for HTTPS:

Create the file traefik-daemonset.yaml. To ensure Traefik can always serve traffic, one Traefik instance is deployed on every node, so a DaemonSet is used here.

kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-conf
  namespace: kube-system
data:
  traefik-config: |-
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
        [entryPoints.http.redirect]
        entryPoint = "https"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
          [[entryPoints.https.tls.certificates]]
          CertFile = "/ssl/ssl.crt"
          KeyFile = "/ssl/ssl.key"

---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress
        name: traefik-ingress
    spec:
      terminationGracePeriodSeconds: 60
      restartPolicy: Always
      serviceAccountName: ingress
      containers:
      - image: traefik:latest  # the image needs to be pulled in advance
        name: traefik-ingress
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: https
          containerPort: 443
          hostPort: 443
        - name: admin
          containerPort: 8080
        args:
        - --configFile=/etc/traefik/traefik.toml
        - -d
        - --web
        - --kubernetes
        - --logLevel=DEBUG
        volumeMounts:
        - name: traefik-config-volume
          mountPath: /etc/traefik
        - name: traefik-ssl-volume
          mountPath: /ssl
      volumes:
      - name: traefik-config-volume
        configMap:
          name: traefik-conf
          items:
          - key: traefik-config
            path: traefik.toml
      - name: traefik-ssl-volume
        secret:
          secretName: traefik-ssl

 

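Note: in the second YAML file, the one that uses HTTPS, we added a ConfigMap named traefik-conf. This configuration forces HTTP requests to redirect to HTTPS and specifies the paths of the certificate and key files that HTTPS needs. Here we use a Secret to provide those files: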

$ ls
ssl.crt     ssl.key
$ kubectl create secret generic traefik-ssl --from-file=ssl.crt --from-file=ssl.key --namespace=kube-system
secret "traefik-ssl" created

 

4. Create the Ingress

Create the file traefik-ingress.yaml. You can now define request rules by creating an Ingress file; change serviceName and servicePort to match the Services in your own cluster.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-ingress
spec:
  rules:
  - host: traefik.nginx.io  # public domain name, customizable; for internal testing only, add a matching hosts entry on the client
    http:
      paths:
      - path: /
        backend:
          serviceName: my-nginx
          servicePort: 80

Run the create commands:

$ kubectl create -f ingress-rbac.yaml
serviceaccount "ingress" created
clusterrolebinding "ingress" created
$ kubectl create -f traefik-daemonset.yaml
configmap "traefik-conf" created
daemonset "traefik-ingress" created
$ kubectl create -f traefik-ingress.yaml
ingress "traefik-ingress" created

 

5. Traefik UI

Create the file traefik-ui.yaml:

apiVersion: v1
kind: Service
metadata:
  name: traefik-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress
  ports:
  - name: web
    port: 80
    targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-ui
  namespace: kube-system
spec:
  rules:
  - host: traefik-ui.local  # customizable; for internal testing only, add a matching hosts entry on the client
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-ui
          servicePort: web
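
The traefik-ui Ingress above publishes the dashboard (the `--web` endpoint on port 8080) to anyone who can reach a node on port 80 with the right Host header. The following is an added example, not part of the original article: the same Ingress with basic authentication. It assumes the annotation names used by Traefik 1.5.x and a hypothetical Secret named traefik-ui-auth whose `auth` key holds htpasswd output.

```yaml
# Added example: the traefik-ui Ingress protected by basic authentication.
# The Secret name "traefik-ui-auth" is hypothetical. It must live in the same
# namespace as the Ingress and carry an htpasswd-format file under the key "auth".
apiVersion: v1
kind: Secret
metadata:
  name: traefik-ui-auth
  namespace: kube-system
type: Opaque
stringData:
  # Placeholder: paste one line produced by `htpasswd -n <user>` here
  auth: "REPLACE_WITH_HTPASSWD_OUTPUT"
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
    # Annotation names as used by Traefik 1.5.x (assumption for other versions)
    ingress.kubernetes.io/auth-type: basic
    ingress.kubernetes.io/auth-secret: traefik-ui-auth
spec:
  rules:
  - host: traefik-ui.local
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-ui
          servicePort: web
```

With this applied, a request to traefik-ui.local without credentials should return 401 instead of the dashboard. The controller's service account needs read access to Secrets for the lookup to work.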

 

6. Testing

After deployment, add an entry to the local /etc/hosts:

# Replace xx.xx.xx.xx below with the IP of any node
xx.xx.xx.xx master03 traefik.nginx.io traefik-ui.local

Once configured, visit traefik-ui.local locally to reach the Traefik dashboard page.


Likewise, visiting traefik.nginx.io returns the expected result page.
