k8s study notes 3: exposing services with ingress

Traefik 1.7

github

https://github.com/containous/traefik/

yml

https://github.com/containous/traefik/tree/v1.7/examples/k8s

docker

https://hub.docker.com/_/traefik?tab=tags&page=1&name=1.7

Traefik can run as a DaemonSet (one pod per node) or as a Deployment. As a load balancer, a DaemonSet is the better fit.

 

rbac.yaml

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system

  

daemonset.yaml

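The container listens on port 80, which is mapped to hostPort 80. Note that the hostPort listening port cannot be found with netstat.

An admin port, 8080, is also opened; access to it is itself provided through an ingress.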

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
      name: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      - image: registry-vpc.cn-hangzhou.aliyuncs.com/e-dewin/traefik:v1.7.25-alpine
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: admin
          containerPort: 8080
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin

  

ingress.yml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik                        # use the traefik controller
    traefik.frontend.rule.type: PathPrefixStrip                 # strip the path when forwarding to the backend
    traefik.ingress.kubernetes.io/frontend-entry-points: http   # only reachable via http; https can also be set
spec:
  rules:
  - host: traefik.e-dewin.com
    http:
      paths:
      - path: /admin
        backend:
          serviceName: traefik-ingress-service
          servicePort: 8080

  

After deployment, check the routing information from the command line

# kubectl describe ingress traefik-web-ui -n kube-system
Name:             traefik-web-ui
Namespace:        kube-system
Address:          
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host                 Path  Backends
  ----                 ----  --------
  traefik.e-dewin.com  
                       /admin   traefik-ingress-service:8080 (10.244.1.80:8080,10.244.3.34:8080)
Annotations:           kubernetes.io/ingress.class: traefik
                       traefik.frontend.rule.type: PathPrefixStrip
                       traefik.ingress.kubernetes.io/frontend-entry-points: http
Events:                <none>

  

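The DaemonSet opens port 80 on every load-balancing node. First add a hosts entry on the PC that resolves the domain to one of the nodes; visiting the domain then opens the page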

http://traefik.e-dewin.com/admin

  

Adding HTTP basic auth

First create the file with htpasswd

htpasswd -bc auth admin admin

Create a secret from the htpasswd file above (mind the namespace)

kubectl create secret generic nginx-basic-auth --from-file=auth -n kube-system

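Traefik references the secret for authentication (note the following)

  • The Secret must be in the same namespace as the Ingress rule.
  • Only basic authentication is currently supported.
  • The realm is not configurable; it defaults to traefik.
  • The Secret must contain exactly one file.

YAML that references the secret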

[root@master traefik]# cat test-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-test
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
    # authentication type
    ingress.kubernetes.io/auth-type: basic
    # name of the Secret that holds the user/password
    ingress.kubernetes.io/auth-secret: nginx-basic-auth
    # message shown as context when the credentials prompt appears
    #ingress.kubernetes.io/auth-realm: 'Authentication Required - admin'
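
A check of the constraints listed above, as an added example that is not part of the original notes or of Traefik: it lints an Ingress/Secret pair (already parsed into dicts) and also reports htpasswd entries that are not bcrypt-hashed. The function names and the sample data are assumptions made for this example; the annotation keys and resource names are the ones used on this page.

```python
import base64

# Digest prefixes written by htpasswd; bcrypt is the only slow, salted scheme here.
SCHEMES = {"$2y$": "bcrypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
           "$apr1$": "apr1-md5", "{SHA}": "sha1-unsalted"}

def htpasswd_schemes(text):
    """Map each user in an htpasswd file to the hash scheme of its entry."""
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")
        out[user] = next((n for p, n in SCHEMES.items() if digest.startswith(p)), "crypt-or-plain")
    return out

def check_basic_auth(ingress, secret):
    """Return a list of findings for an Ingress/Secret pair (hypothetical linter)."""
    findings = []
    imeta, smeta = ingress["metadata"], secret["metadata"]
    ann = imeta.get("annotations", {})
    if ann.get("ingress.kubernetes.io/auth-type") != "basic":
        findings.append("auth-type is not 'basic'")
    if ann.get("ingress.kubernetes.io/auth-secret") != smeta["name"]:
        findings.append("auth-secret does not name this Secret")
    if imeta.get("namespace") != smeta.get("namespace"):
        findings.append("Secret and Ingress are in different namespaces")
    data = secret.get("data", {})
    if len(data) != 1:
        findings.append("Secret must contain exactly one file, found %d" % len(data))
    for blob in data.values():
        for user, scheme in htpasswd_schemes(base64.b64decode(blob).decode()).items():
            if scheme != "bcrypt":
                findings.append("user %s uses %s; regenerate with htpasswd -B" % (user, scheme))
    return findings

# Constructed sample input; the digest is a placeholder, not a real hash.
SAMPLE_AUTH = "admin:$apr1$examplesalt$PLACEHOLDERDIGEST\n"
SAMPLE_INGRESS = {"metadata": {"name": "traefik-test", "namespace": "kube-system", "annotations": {
    "ingress.kubernetes.io/auth-type": "basic",
    "ingress.kubernetes.io/auth-secret": "nginx-basic-auth"}}}
SAMPLE_SECRET = {"metadata": {"name": "nginx-basic-auth", "namespace": "kube-system"},
                 "data": {"auth": base64.b64encode(SAMPLE_AUTH.encode()).decode()}}

if __name__ == "__main__":
    for finding in check_basic_auth(SAMPLE_INGRESS, SAMPLE_SECRET):
        print(finding)
```
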

 

nginx(aws)

ingress-nginx/index.md at master · kubernetes/ingress-nginx (github.com)

ingress-nginx explained and deployment options (最美dee时光's blog, CSDN)

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.45.0/deploy/static/provider/aws/deploy.yaml

This deploys an ingress controller of type LoadBalancer; an ELB is created automatically on AWS.

Setting the nodes it runs on:

 

alb

Annotations - AWS LoadBalancer Controller (kubernetes-sigs.github.io)

 

posted @ 2020-06-02 17:52  jabbok