- Kubernetes leaves the choice of reverse proxy / load balancer for Ingress open. After reading Traefik's own (rather enthusiastic) introduction I decided to use it for the Ingress layer. Everything below is done directly from the command line; the latest YAML files can be fetched from the Traefik project. Note that these manifests target Traefik 1.x (TOML configuration, the `--kubernetes` flag) and use API versions (`rbac.authorization.k8s.io/v1beta1`, `extensions/v1beta1`) that current Kubernetes releases no longer serve.
- Give Traefik the permissions it needs
- Create a cluster role (traefik-ingress-controller) for Træfik
- Create a service account (traefik-ingress-controller) for Træfik and bind it (through the cluster role binding traefik-ingress-controller) to the cluster role above so it receives those permissions. The `secrets` rule is there so Traefik can read the TLS Secrets that Ingress objects reference, but a ClusterRole grants it in every namespace: anyone who obtains this service account's token can read every Secret in the cluster, so keep the controller in its own namespace and treat its token as a high-value credential.
```yaml
# traefik-rbac.yaml
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
```
Apply it:

```bash
kubectl apply -f traefik-rbac.yaml
```
- TLS setup

Prepare the certificate (tls.crt, tls.key) and load it into a Secret. With `--from-file` the file names become the Secret keys, which is what the `/etc/ssl/tls.crt` and `/etc/ssl/tls.key` paths in the TOML below rely on. `kubectl create secret tls` (with `--cert` and `--key`) is the usual alternative: it produces a `kubernetes.io/tls` Secret with the same two keys and refuses a certificate and key that do not match.

```bash
kubectl create secret generic traefik-cert --from-file=tls.crt --from-file=tls.key -n kube-system
```

Then create a ConfigMap holding the Traefik configuration file:
```toml
# traefik.toml
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    # Every plain-HTTP request is redirected to the https entry point.
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/etc/ssl/tls.crt"
      KeyFile = "/etc/ssl/tls.key"
```
Apply it:

```bash
kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system
```
- Traefik can be deployed either as a DaemonSet or as a Deployment. If you need to control placement and replica count yourself, choose the latter; otherwise the former is the recommended option. The DaemonSet below uses `hostNetwork` and `hostPort` so that each node serves 80/443 directly, and its `nodeSelector` restricts it to nodes labelled `k8stype=webproject`, so only those nodes run Traefik.
```yaml
# traefik-dp.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      hostNetwork: true
      volumes:
        - name: ssl
          secret:
            secretName: traefik-cert
        - name: config
          configMap:
            name: traefik-conf
      containers:
        - image: traefik
          name: traefik-ingress-lb
          volumeMounts:
            - mountPath: "/etc/ssl"
              name: "ssl"
            - mountPath: "/etc/config"
              name: "config"
          ports:
            - containerPort: 80
              hostPort: 80
              name: http
            - containerPort: 443
              hostPort: 443
              name: https
          securityContext:
            privileged: true
          args:
            - -d
            - --web
            - --kubernetes
            - --configfile=/etc/config/traefik.toml
      nodeSelector:
        k8stype: "webproject"
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: http
    - protocol: TCP
      port: 443
      name: https
  type: NodePort
```
Apply it:

```bash
kubectl apply -f traefik-dp.yaml
```

Before this manifest goes anywhere near production, a few settings in the pod spec deserve a second look. `privileged: true` gives the container full access to the node (all capabilities, all devices); binding ports 80 and 443 with `hostNetwork` does not need it, at most `NET_BIND_SERVICE` if the process runs as non-root. `image: traefik` carries no tag, so each node pulls whatever `latest` resolves to at pull time and a restart can silently change versions; pin a tag or digest. `-d` turns on debug logging, and `--web` opens the dashboard and API on port 8080, which with `hostNetwork` is bound on every node that runs the DaemonSet and is reachable by anything that can reach the node, independent of any Ingress rule. Finally, a volume mounted at `/etc/ssl` hides whatever the image already ships under that directory (a CA bundle, for instance), which matters if Traefik has to make outbound TLS connections; a dedicated path such as `/etc/traefik/ssl`, with the TOML paths changed to match, avoids that.
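As an added example (not code from this post or from the Traefik project), the following Python audits the DaemonSet pod spec above for the points just mentioned and produces a hardened copy. The manifest is transcribed into the dict form that kubectl also accepts as JSON, so no YAML library is needed; the image tag passed to `harden()` is an assumption, supply whichever release you actually run.

```python
"""Audit and harden the Traefik DaemonSet pod spec shown in the post.

Added example; not part of the original post or of the Traefik project.
The manifest below is the post's DaemonSet transcribed as a dict (the JSON
form kubectl accepts), constructed here so the script runs offline.
"""
import copy

TRAEFIK_DS = {
    "kind": "DaemonSet",
    "apiVersion": "extensions/v1beta1",
    "metadata": {"name": "traefik-ingress-controller", "namespace": "kube-system"},
    "spec": {"template": {"spec": {
        "serviceAccountName": "traefik-ingress-controller",
        "hostNetwork": True,
        "containers": [{
            "image": "traefik",  # no tag: floats to 'latest'
            "name": "traefik-ingress-lb",
            "ports": [{"containerPort": 80, "hostPort": 80, "name": "http"},
                      {"containerPort": 443, "hostPort": 443, "name": "https"}],
            "securityContext": {"privileged": True},
            "args": ["-d", "--web", "--kubernetes",
                     "--configfile=/etc/config/traefik.toml"],
        }],
        "nodeSelector": {"k8stype": "webproject"},
    }}},
}


def audit_pod_spec(manifest):
    """Return (severity, message) findings for a DaemonSet/Deployment manifest."""
    findings = []
    pod = manifest["spec"]["template"]["spec"]
    host_net = bool(pod.get("hostNetwork", False))
    if host_net:
        findings.append(("info", "hostNetwork: every listening port is bound "
                                 "on the node's own interfaces"))
    for c in pod.get("containers", []):
        name = c.get("name", "?")
        if c.get("securityContext", {}).get("privileged"):
            findings.append(("high", f"{name}: privileged container; binding "
                                     "80/443 does not need it"))
        image = c.get("image", "")
        # A tag or digest lives after the last ':' of the final path segment;
        # 'registry:5000/traefik' has a port, not a tag.
        tag = image.rsplit(":", 1)[1] if ":" in image.split("/")[-1] else ""
        if tag in ("", "latest"):
            findings.append(("medium", f"{name}: image '{image}' is not pinned"))
        args = c.get("args", [])
        if "-d" in args:
            findings.append(("low", f"{name}: -d enables debug logging"))
        if "--web" in args and host_net:
            findings.append(("medium", f"{name}: --web with hostNetwork exposes "
                                       "the dashboard/API on node port 8080"))
    return findings


def harden(manifest, image_tag):
    """Return a hardened copy: unprivileged, minimal capabilities, pinned image,
    no debug flag. hostNetwork and --web are left alone because the post's
    design depends on them; the audit still reports them."""
    out = copy.deepcopy(manifest)
    for c in out["spec"]["template"]["spec"]["containers"]:
        c["securityContext"] = {
            "privileged": False,
            "allowPrivilegeEscalation": False,
            # Only NET_BIND_SERVICE is needed to bind 80/443 as non-root.
            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
        }
        if ":" not in c["image"].split("/")[-1]:
            c["image"] = f"{c['image']}:{image_tag}"  # image_tag is an assumption
        c["args"] = [a for a in c.get("args", []) if a != "-d"]
    return out


if __name__ == "__main__":
    for sev, msg in audit_pod_spec(TRAEFIK_DS):
        print(f"[{sev}] {msg}")
    print("--- after harden ---")
    for sev, msg in audit_pod_spec(harden(TRAEFIK_DS, "1.7.34")):
        print(f"[{sev}] {msg}")
```

Run it as-is to see the five findings the post's manifest produces and the two that remain after hardening. `harden()` never mutates its input, so the original and the hardened dicts can be diffed side by side before the hardened one is written out as JSON and applied with `kubectl apply -f`.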
- Traefik also ships its own dashboard for watching Ingress state. It is enabled by the `--web` flag above and listens on port 8080; the Service and Ingress below expose it through Traefik itself.
```yaml
# traefik-ui.yaml
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
    - host: traefik-ui.rd2.atcity.dev
      http:
        paths:
          - backend:
              serviceName: traefik-web-ui
              servicePort: 80
```
Here the hostname is set to traefik-ui.rd2.atcity.dev. For a browser to reach it, DNS for that name must point at a node that actually runs Traefik, that is, one carrying the `k8stype=webproject` label the DaemonSet selects (the master only qualifies if it has that label). Note that this Ingress puts no authentication in front of the dashboard: anyone who can resolve the name sees every frontend and backend in the cluster and can query the API on the same port, so add basic auth (Traefik 1.x supports it through Ingress annotations) or restrict the source addresses before exposing it.

Apply it:

```bash
kubectl apply -f traefik-ui.yaml
```
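As an added example (not from this post or the Traefik project), the following Python builds the Secret and the annotated Ingress that put the dashboard behind basic auth, using the Traefik 1.x Ingress annotations `ingress.kubernetes.io/auth-type` and `ingress.kubernetes.io/auth-secret`. The Secret name `traefik-ui-auth` and the `{SHA}` hash scheme are choices made here: `{SHA}` is unsalted SHA-1 and is used only because it needs no extra library; for real use generate bcrypt entries with `htpasswd -nB <user>` and pass those lines to `auth_secret()` instead (Traefik 1.x accepts MD5, SHA1 and bcrypt entries).

```python
"""Basic auth in front of the Traefik 1.x dashboard Ingress.

Added example; not part of the original post or of the Traefik project.
Assumed: Traefik 1.x annotation names (ingress.kubernetes.io/auth-type,
ingress.kubernetes.io/auth-secret) and a Secret key named 'auth' holding an
htpasswd file. The secret name 'traefik-ui-auth' is a choice made here.
"""
import base64
import hashlib
import hmac
import json

AUTH_TYPE = "ingress.kubernetes.io/auth-type"
AUTH_SECRET = "ingress.kubernetes.io/auth-secret"


def htpasswd_sha_entry(user, password):
    """htpasswd '{SHA}' entry: user:{SHA}base64(sha1(password)).
    Unsalted SHA-1, demo only; prefer bcrypt lines from `htpasswd -nB`."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


def verify_sha_entry(entry, user, password):
    """Check a {SHA} entry the way a server would, in constant time."""
    name, _, hashed = entry.partition(":")
    if name != user or not hashed.startswith("{SHA}"):
        return False
    expected = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(hashed[len("{SHA}"):], expected)


def auth_secret(name, namespace, entries):
    """Kubernetes Secret whose 'auth' key holds the htpasswd file (base64, as
    the API requires in .data). Equivalent to
    `kubectl create secret generic <name> --from-file=auth -n <namespace>`."""
    auth_file = "\n".join(entries) + "\n"
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {"auth": base64.b64encode(auth_file.encode()).decode()},
    }


def auth_file_from_secret(secret):
    """Decode the htpasswd file back out of a Secret (for review before apply)."""
    return base64.b64decode(secret["data"]["auth"]).decode()


def dashboard_ingress(host, secret_name, namespace="kube-system"):
    """The post's traefik-web-ui Ingress plus the two basic-auth annotations."""
    return {
        "apiVersion": "extensions/v1beta1",
        "kind": "Ingress",
        "metadata": {
            "name": "traefik-web-ui",
            "namespace": namespace,
            "annotations": {
                "kubernetes.io/ingress.class": "traefik",
                AUTH_TYPE: "basic",
                AUTH_SECRET: secret_name,
            },
        },
        "spec": {"rules": [{"host": host, "http": {"paths": [
            {"backend": {"serviceName": "traefik-web-ui", "servicePort": 80}},
        ]}}]},
    }


def ingress_requires_auth(ingress):
    """Gate to run before applying any Ingress that fronts the dashboard."""
    ann = ingress.get("metadata", {}).get("annotations", {})
    return ann.get(AUTH_TYPE) == "basic" and bool(ann.get(AUTH_SECRET))


if __name__ == "__main__":
    entry = htpasswd_sha_entry("admin", "correct horse battery staple")
    secret = auth_secret("traefik-ui-auth", "kube-system", [entry])
    ingress = dashboard_ingress("traefik-ui.rd2.atcity.dev", "traefik-ui-auth")
    assert ingress_requires_auth(ingress)
    # Both documents are valid kubectl input: kubectl apply -f <file>.json
    print(json.dumps(secret, indent=2))
    print(json.dumps(ingress, indent=2))
```

The Secret must live in the same namespace as the Ingress (kube-system here), and because the TOML redirects every http request to https, the credentials only ever travel over TLS. Keep the Secret out of version control; the htpasswd line is a credential even when hashed.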
- Ingress definitions for ordinary sites can follow the traefik-ui configuration above as a template: a Service that selects the application's pods, and an Ingress with the `kubernetes.io/ingress.class: traefik` annotation whose host rule points at that Service.