k8s study notes 3: exposing services with ingress
Traefik 1.7
github
https://github.com/containous/traefik/
yml
https://github.com/containous/traefik/tree/v1.7/examples/k8s
docker
https://hub.docker.com/_/traefik?tab=tags&page=1&name=1.7
Traefik can run as a DaemonSet (one pod per node) or as a Deployment, acting as the load balancer; a DaemonSet is the better fit.
rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: traefik-ingress-controller
rules:
  # Read-only access to core resources. Because this is a ClusterRole bound
  # with a ClusterRoleBinding, the read access to secrets is cluster-wide.
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  # Read-only access to Ingress objects.
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
daemonset.yaml
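The container listens on port 80, which is mapped to hostPort 80. Note that a port listened on through hostPort cannot be found with netstat.
An admin port, 8080, is also opened; the admin page itself is exposed through an Ingress.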
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
      name: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
        - image: registry-vpc.cn-hangzhou.aliyuncs.com/e-dewin/traefik:v1.7.25-alpine
          name: traefik-ingress-lb
          ports:
            # Port 80 is published on every node through hostPort.
            - name: http
              containerPort: 80
              hostPort: 80
            # The admin port is only reachable through the Service / Ingress.
            - name: admin
              containerPort: 8080
          securityContext:
            # Drop all capabilities except the one needed to bind port 80.
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          args:
            # --api enables the API and dashboard on port 8080.
            - --api
            - --kubernetes
            - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
ingress.yml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik  # use the traefik controller
    traefik.frontend.rule.type: PathPrefixStrip  # strip the path when forwarding to the backend
    traefik.ingress.kubernetes.io/frontend-entry-points: http  # allow access over http only; https can also be set
spec:
  rules:
    - host: traefik.e-dewin.com
      http:
        paths:
          - path: /admin
            backend:
              serviceName: traefik-ingress-service
              servicePort: 8080
After deploying, check the routing information from the command line
# kubectl describe ingress traefik-web-ui -n kube-system
Name:             traefik-web-ui
Namespace:        kube-system
Address:
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host                 Path  Backends
  ----                 ----  --------
  traefik.e-dewin.com
                       /admin   traefik-ingress-service:8080 (10.244.1.80:8080,10.244.3.34:8080)
Annotations:           kubernetes.io/ingress.class: traefik
                       traefik.frontend.rule.type: PathPrefixStrip
                       traefik.ingress.kubernetes.io/frontend-entry-points: http
Events:                <none>
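The DaemonSet opens port 80 on every load-balancing node. First add a hosts entry on your PC that resolves the domain to one of those nodes; visiting the domain then brings up the page.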
http://traefik.e-dewin.com/admin
Adding HTTP basic auth
First create the file with htpasswd
htpasswd -bc auth admin admin
Create a secret from the htpasswd file above (mind the namespace)
kubectl create secret generic nginx-basic-auth --from-file=auth -n kube-system
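Traefik references the corresponding secret for authentication (note the following)
- The Secret must be in the same namespace as the Ingress rule.
- Only basic authentication is currently supported.
- The realm is not configurable; it defaults to traefik.
- The Secret must contain exactly one file.
YAML configuration that references the secret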
[root@master traefik]# cat test-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-test
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
    # authentication type
    ingress.kubernetes.io/auth-type: basic
    # name of the Secret that holds the user/password
    ingress.kubernetes.io/auth-secret: nginx-basic-auth
    # message shown as context when authentication is requested
    #ingress.kubernetes.io/auth-realm: 'Authentication Required - admin'
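A check for the constraints listed above, as an added example that is not part of the original notes: it takes Ingress and Secret objects in the shape returned by kubectl get -o json and reports which constraint is violated. The function name check_basic_auth, the helper make_secret and the sample objects are constructed for illustration.

```python
import base64

AUTH_TYPE = "ingress.kubernetes.io/auth-type"      # annotation names from the notes
AUTH_SECRET = "ingress.kubernetes.io/auth-secret"

def check_basic_auth(ingress, secrets):
    """Return a list of problems with an Ingress's basic-auth setup (empty = OK)."""
    meta = ingress["metadata"]
    ann = meta.get("annotations", {})
    if AUTH_TYPE not in ann and AUTH_SECRET not in ann:
        return ["ingress has no auth annotations: backend is served unauthenticated"]
    problems = []
    if ann.get(AUTH_TYPE) != "basic":
        problems.append("auth-type must be 'basic'")
    name, ns = ann.get(AUTH_SECRET), meta.get("namespace", "default")
    # The Secret must live in the same namespace as the Ingress rule.
    secret = next((s for s in secrets
                   if s["metadata"]["name"] == name
                   and s["metadata"].get("namespace", "default") == ns), None)
    if secret is None:
        return problems + [f"secret {name!r} not found in namespace {ns!r}"]
    data = secret.get("data", {})
    # The Secret must contain exactly one file (one key under data).
    if len(data) != 1:
        return problems + [f"secret must contain exactly one file, found {len(data)}"]
    # Secret values are base64-encoded; each line must be htpasswd 'user:hash'.
    text = base64.b64decode(next(iter(data.values()))).decode()
    for line in filter(None, (l.strip() for l in text.splitlines())):
        user, sep, pw_hash = line.partition(":")
        if not (user and sep and pw_hash):
            problems.append("malformed htpasswd line")
    return problems

# Constructed sample objects (not taken from a real cluster).
def make_secret(ns, files):
    return {"metadata": {"name": "nginx-basic-auth", "namespace": ns},
            "data": {k: base64.b64encode(v.encode()).decode() for k, v in files.items()}}

INGRESS = {"metadata": {"name": "traefik-test", "namespace": "kube-system",
                        "annotations": {AUTH_TYPE: "basic", AUTH_SECRET: "nginx-basic-auth"}}}
HTPASSWD = "admin:$apr1$constructed$notARealHashValue00000\n"  # constructed entry

if __name__ == "__main__":
    print(check_basic_auth(INGRESS, [make_secret("default", {"auth": HTPASSWD})]))
```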
nginx(aws)
ingress-nginx/index.md at master · kubernetes/ingress-nginx (github.com)
ingress-nginx explained and deployment options - 最美dee时光's blog - CSDN Blog
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.45.0/deploy/static/provider/aws/deploy.yaml
This deploys an ingress controller of type LoadBalancer; an ELB is created automatically on AWS.
Set the nodes it runs on:
alb
Annotations - AWS LoadBalancer Controller (kubernetes-sigs.github.io)
