k8s Practice 12: Basic Traefik Deployment (External Access to Kubernetes Applications)


1.

Project site
https://docs.traefik.io/

Download the configuration files

wget  https://raw.githubusercontent.com/containous/traefik/v1.7/examples/k8s/traefik-rbac.yaml
wget  https://raw.githubusercontent.com/containous/traefik/v1.7/examples/k8s/traefik-deployment.yaml
wget  https://raw.githubusercontent.com/containous/traefik/v1.7/examples/k8s/traefik-ds.yaml
wget  https://raw.githubusercontent.com/containous/traefik/v1.7/examples/k8s/ui.yaml

[[email protected] traefik]# ls
traefik-deployment.yaml traefik-ds.yaml traefik-rbac.yaml ui.yaml

2.
Brief notes on the configuration files

[[email protected] traefik]# cat traefik-rbac.yaml 
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
    - extensions
    resources:
    - ingresses/status
    verbs:
    - update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system
[[email protected] traefik]#

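This defines the RBAC permissions for the sa (ServiceAccount) traefik-ingress-controller: cluster-wide get/list/watch on services, endpoints, secrets and ingresses, plus update on ingresses/status.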

[[email protected] traefik]# cat traefik-deployment.yaml 
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
        - name: admin
          containerPort: 8080
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
  type: NodePort
[[email protected] traefik]# 

Creates the sa traefik-ingress-controller
Creates the svc, with type set to NodePort
Creates the deployment, with a single replica

[[email protected] traefik]# cat traefik-ds.yaml 
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: admin
          containerPort: 8080
          hostPort: 8080
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
[[email protected] traefik]# 

Creates the sa traefik-ingress-controller
Creates the svc; here the type is not set to NodePort
Creates a DaemonSet; unlike the deployment, a pod is created on every node

[[email protected] traefik]# cat ui.yaml 
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - name: web
    port: 80
    targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  rules:
  - host: traefik-ui.minikube
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: web
[[email protected] traefik]# 

This is just a svc used for testing.

3.
Deployment

The deployment here uses:
traefik-rbac.yaml
traefik-ds.yaml
traefik-ds.yaml was modified to set the svc type to NodePort.

[[email protected] traefik]# kubectl apply -f traefik-ds.yaml 
serviceaccount "traefik-ingress-controller" created
daemonset.extensions "traefik-ingress-controller" created
service "traefik-ingress-service" created
[[email protected] traefik]# kubectl apply -f traefik-rbac.yaml 
clusterrole.rbac.authorization.k8s.io "traefik-ingress-controller" created
clusterrolebinding.rbac.authorization.k8s.io "traefik-ingress-controller" created
[[email protected] traefik]# 
[[email protected] traefik]# kubectl get svc,pod -n kube-system
NAME                              TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                     AGE
service/kube-dns                  ClusterIP   10.254.0.2       <none>        53/UDP,53/TCP               14d
service/kubernetes-dashboard      ClusterIP   10.254.64.196    <none>        443/TCP                     3h
service/traefik-ingress-service   NodePort    10.254.201.201   <none>        80:8437/TCP,8080:8950/TCP   1m

NAME                                        READY     STATUS    RESTARTS   AGE
pod/coredns-779ffd89bd-k6r7l                1/1       Running   8          14d
pod/kubernetes-dashboard-65c76f6c97-2b2qd   1/1       Running   0          3h
pod/traefik-ingress-controller-69962        1/1       Running   0          1m
pod/traefik-ingress-controller-6xf47        1/1       Running   0          1m
pod/traefik-ingress-controller-tshc9        1/1       Running   0          1m
pod/traefik-ingress-controller-zmpw2        1/1       Running   0          1m
[[email protected] traefik]# 

In a browser, open any node's IP on port 8950 (ip:8950) to reach Traefik.

The page is blank because no rules have been created or enabled yet.
Enable the test UI and take a look.

[[email protected] traefik]# kubectl apply -f ui.yaml
service "traefik-web-ui" created
ingress.extensions "traefik-web-ui" created
[[email protected] traefik]#

Create an httpd svc to test Traefik.

[[email protected] test]# cat httpd-svc.yaml 
apiVersion: v1
kind: Service
metadata:
  name: httpd-svc
spec:
  ports:
  - port: 80
  selector:
    app: httpd-app
  type: NodePort

---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: httpd-app
spec:
  template:
    metadata:
      labels:
        app: httpd-app
    spec:
      containers:
      - image: httpd
        name: httpd-app
[[email protected] test]# kubectl apply -f httpd-svc.yaml 
service "httpd-svc" created
deployment.apps "httpd-app" created
[[email protected] test]# 
[[email protected] test]# kubectl get svc,pod 
NAME                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)       AGE
service/httpd-svc    NodePort    10.254.71.79     <none>        80:8763/TCP   45s

NAME                            READY     STATUS    RESTARTS   AGE
pod/httpd-app-bbcbfb6cd-96v28   1/1       Running   0          44s

Create the Traefik ingress rule

[[email protected] test]# kubectl apply -f httpd-svc-ingress.yaml 
ingress.extensions "httpd-svc-ingress" created
[[email protected] test]# cat httpd-svc-ingress.yaml 
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: httpd-svc-ingress
  namespace: default
spec:
  rules:
  - host: httpd-svc.ingress
    http:
      paths:
      - path: /
        backend:
          serviceName: httpd-svc
          servicePort: 80
[[email protected] test]# 

httpd-svc now shows up in the Traefik UI.

5.
Exposing the Traefik service

The diagram below illustrates how Traefik forwards traffic:

[Figure: Traefik forwarding flow]

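Brief analysis:
k8s runs many services, and we reach them through Traefik's forwarding.
Traefik is now deployed and can discover the backend services.
But how do we reach Traefik itself?

Exposing the Traefik service
Comparing the ways an ingress can be exposed:
1. Create a service and assign that service an external IP (extIP).
2. Run the pod with hostNetwork: true. The ports of all containers in the pod are then mapped directly onto the physical host, so accessing a port on the host reaches the container port in the pod directly.

Method 2 is used here to expose the service.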

[[email protected] traefik]# cat traefik-ds.yaml 
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      hostNetwork: true
      containers:
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: admin
          containerPort: 8080
          hostPort: 8080
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
  type: NodePort
[[email protected] traefik]# 

Note:

      hostNetwork: true

Re-run the command

[[email protected] traefik]# kubectl apply -f traefik-ds.yaml 
serviceaccount "traefik-ingress-controller" unchanged
daemonset.extensions "traefik-ingress-controller" configured
service "traefik-ingress-service" unchanged
[[email protected] traefik]# 
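
Added example (not from the original post): a static check over the manifests used in this walkthrough, flagging the settings that decide what becomes reachable on the nodes: hostNetwork, hostPort, NodePort, the --api flag (no authentication is configured in the args shown above), an image with no tag, and the secrets rule in the ClusterRole. The helper name audit_traefik_manifest and the abridged sample manifest are constructed for illustration.

```shell
# Added example. audit_traefik_manifest is a hypothetical helper name,
# not part of kubectl or Traefik. It prints one finding per flagged setting.
audit_traefik_manifest() {
  awk '
    /^---/                  { kind = "" }
    /^kind:/                { kind = $2 }
    /^ *hostNetwork: *true/ { print "HOST_NETWORK pod shares the node network namespace" }
    /^ *hostPort:/          { print "HOST_PORT " $2 " bound on every node running the pod" }
    /^ *- *image:/          { if ($3 !~ /[:@]/) print "UNPINNED_IMAGE " $3 " has no tag or digest" }
    /^ *- *--api/           { print "API_ENABLED Traefik API and dashboard are served" }
    /^ *type: *NodePort/    { if (kind == "Service") print "NODEPORT service ports opened on every node" }
    /^ *- *secrets/         { if (kind == "ClusterRole") print "SECRETS_RULE ClusterRole rule names secrets" }
  ' "$1"
}

# Constructed sample: abridged from the manifests shown on this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
---
kind: ClusterRole
rules:
  - resources:
      - secrets
    verbs:
      - get
---
kind: DaemonSet
spec:
  template:
    spec:
      hostNetwork: true
      containers:
      - image: traefik
        ports:
        - containerPort: 8080
          hostPort: 8080
        args:
        - --api
---
kind: Service
spec:
  ports:
    - port: 8080
  type: NodePort
EOF

audit_traefik_manifest "$sample"
```

Run it against traefik-rbac.yaml and traefik-ds.yaml before kubectl apply; empty output means none of the flagged settings are present.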

6.
Point a domain name at the IP of any node, and Traefik forwards requests correctly.
Note that the domain must be the host name in the ing rule:

 rules:
  - host: httpd-svc.ingress
    http:
      paths:
      - path: /
        backend:
          serviceName: httpd-svc
          servicePort: 80
