k8s deployment 19: Traefik (ingress controller)
1. Prepare the image
Project repository: https://github.com/containous/traefik
Two ways to expose services in k8s:
Earlier, CoreDNS was set up to map Service names to Service IPs automatically inside the cluster, so pods can be reached by Service name without anyone recording Service IPs. Outside the cluster, however, Service names cannot be resolved and Service IPs are not routable, so reaching cluster resources from outside requires a service exposure mechanism.
NodePort-type Service:
- A NodePort Service works like port mapping: kube-proxy opens the same port on every node and forwards traffic arriving there to the Service's pods.
- NodePort works with both the iptables and ipvs kube-proxy modes; its real limitation is that each exposed Service consumes one port from the node port range (30000-32767 by default) on every node, and clients have to know a node IP and that port, which is why it is rarely the external entry point for HTTP services.
Ingress resource:
- Ingress is one of the standard Kubernetes API resources, and a core one.
- It is a set of rules, keyed on hostname and URL path, that forward a user's request to a specified Service resource.
- It lets request traffic from outside the cluster be forwarded into the cluster, which is what 'service exposure' means here.
Traefik:
- Can be thought of as a simplified nginx.
- An ingress controller is the component that listens on a socket on behalf of Ingress resources and routes traffic according to the Ingress rule matching logic.
- Traefik 1.x works only at layer 7 (HTTP); the recommendation is to expose plain HTTP from it and let the front-end nginx terminate TLS (certificate offload) for HTTPS.
- The ingress controller used here is Traefik.
Traefik deployment:
# On the ops host (10.4.7.200)
~]# docker pull traefik:v1.7.2-alpine
~]# docker tag traefik:v1.7.2-alpine harbor.od.com/public/traefik:v1.7.2
~]# docker push harbor.od.com/public/traefik:v1.7.2
# Note: the tag pushed to Harbor is whatever upstream's v1.7.2-alpine tag resolved to at pull time;
# record the digest (docker images --digests) if the build must be reproducible later.
# Create the resource manifests
~]# cd /data/k8s-yaml/
k8s-yaml]# mkdir traefik
k8s-yaml]# cd traefik/
RBAC authorization manifest:
[root@hdss7-12 traefik]# vi rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: traefik-ingress-controller
rules:
- apiGroups:
  - ""
  resources:
  - services
  - endpoints
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system
Note: the role is read-only (get/list/watch), but it is cluster-wide and includes secrets in every namespace, which is what Traefik needs to read TLS secrets referenced by Ingresses; anyone who compromises the Traefik pod can read all cluster secrets with this token. rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; on current clusters use rbac.authorization.k8s.io/v1 with the same fields.
DaemonSet manifest:
[root@hdss7-12 traefik]# vi ds.yaml
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: traefik-ingress
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress
        name: traefik-ingress
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      - image: harbor.od.com/public/traefik:v1.7.2
        name: traefik-ingress
        ports:
        - name: controller
          containerPort: 80
          hostPort: 81
        - name: admin-web
          containerPort: 8080
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
        - --insecureskipverify=true
        - --kubernetes.endpoint=https://10.4.7.10:7443
        - --accesslog
        - --accesslog.filepath=/var/log/traefik_access.log
        - --traefiklog
        - --traefiklog.filepath=/var/log/traefik.log
        - --metrics.prometheus
Notes on this manifest:
- hostPort: 81 binds container port 80 on every node (10.4.7.21, 10.4.7.22), which is what the front-end nginx upstream below points at; only that nginx should be able to reach port 81.
- Dropping ALL capabilities and re-adding only NET_BIND_SERVICE is the right shape for a proxy that binds port 80 as a non-root-capable process.
- --insecureskipverify=true is Traefik 1.x's global option to accept invalid TLS certificates from backends. All backends in this setup are plain HTTP, so the flag buys nothing and should be removed; with HTTPS backends it would disable man-in-the-middle detection.
- --kubernetes.endpoint=https://10.4.7.10:7443 points at the keepalived VIP in front of the API servers; the in-cluster service account token and CA are still used, so the API server certificate must be valid for 10.4.7.10.
- --api enables the Traefik dashboard/API on the admin-web port (8080). It has no authentication of its own; the Ingress below publishes it as traefik.od.com, so outside a lab put it behind authentication or an IP allowlist at the nginx layer.
- extensions/v1beta1 DaemonSet was removed in Kubernetes 1.16; apps/v1 is the replacement and additionally requires a spec.selector matching the template labels.
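A small audit of the container spec above, written as an added example for this page (it is neither the post's nor Traefik's code). The container spec is reproduced by hand as a Python dict, constructed from ds.yaml, so the check runs without a cluster or a YAML library; it flags the weak settings discussed in the notes and returns a hardened copy with the unnecessary flag removed.

```python
"""Audit the Traefik 1.7 container spec from ds.yaml for the settings discussed above.

Constructed example: the dict below is a hand copy of the relevant fields of the
DaemonSet container spec on this page. Severities and messages are this example's
own convention, not Traefik output.
"""
import copy

# Constructed from ds.yaml above: only the fields the checks look at.
TRAEFIK_CONTAINER = {
    "name": "traefik-ingress",
    "image": "harbor.od.com/public/traefik:v1.7.2",
    "ports": [
        {"name": "controller", "containerPort": 80, "hostPort": 81},
        {"name": "admin-web", "containerPort": 8080},
    ],
    "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
    "args": [
        "--api", "--kubernetes", "--logLevel=INFO", "--insecureskipverify=true",
        "--kubernetes.endpoint=https://10.4.7.10:7443", "--accesslog",
        "--accesslog.filepath=/var/log/traefik_access.log", "--traefiklog",
        "--traefiklog.filepath=/var/log/traefik.log", "--metrics.prometheus",
    ],
}


def parse_args(args):
    """Turn Traefik 1.x '--key=value' / '--flag' arguments into a dict.

    Keys are lower-cased for comparison, since the manifest spells the option
    --insecureskipverify while the Traefik docs write --insecureSkipVerify.
    A bare '--flag' is recorded with the value 'true'; values keep their case.
    """
    parsed = {}
    for arg in args:
        if not arg.startswith("--"):
            continue
        key, _, value = arg[2:].partition("=")
        parsed[key.lower()] = value if value else "true"
    return parsed


def audit_container(container):
    """Return (severity, message) findings for one container spec, highest first."""
    findings = []
    flags = parse_args(container.get("args", []))

    if flags.get("insecureskipverify", "").lower() == "true":
        findings.append(("high", "--insecureSkipVerify=true: invalid backend TLS "
                         "certificates are accepted; remove it (backends here are plain HTTP)"))
    if flags.get("api", "").lower() == "true":
        findings.append(("medium", "--api: dashboard/API enabled on port 8080 with no "
                         "authentication of its own; restrict who can reach it"))
    for port in container.get("ports", []):
        if "hostPort" in port:
            findings.append(("info", "port %s is bound on the node as hostPort %d; only the "
                             "front-end nginx should reach it" % (port["name"], port["hostPort"])))
    caps = container.get("securityContext", {}).get("capabilities", {})
    if "ALL" not in caps.get("drop", []):
        findings.append(("medium", "capabilities not dropped; add drop: [ALL] and re-add "
                         "only NET_BIND_SERVICE"))
    endpoint = flags.get("kubernetes.endpoint", "")
    if endpoint and not endpoint.lower().startswith("https://"):
        findings.append(("high", "API server endpoint is not https: " + endpoint))
    return findings


def hardened(container):
    """Copy of the spec with the unnecessary TLS-verification bypass removed."""
    fixed = copy.deepcopy(container)
    fixed["args"] = [a for a in fixed["args"] if a.lower() != "--insecureskipverify=true"]
    return fixed


if __name__ == "__main__":
    for sev, msg in audit_container(TRAEFIK_CONTAINER):
        print("[%s] %s" % (sev, msg))
    print("after hardening:", audit_container(hardened(TRAEFIK_CONTAINER)))
```

The remaining medium finding after hardening is deliberate: the dashboard is still enabled, and whether that is acceptable depends on what sits in front of traefik.od.com, which a spec-level check cannot see.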
Service manifest:
[root@hdss7-12 traefik]# vi svc.yaml
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress
  ports:
  - protocol: TCP
    port: 80
    name: controller
  - protocol: TCP
    port: 8080
    name: admin-web
Ingress manifest:
[root@hdss7-12 traefik]# vi ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik.od.com
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-ingress-service
          servicePort: 8080
This rule publishes Traefik's own dashboard (port 8080 of its Service) under the hostname traefik.od.com; requests for any other Host header do not match it. extensions/v1beta1 Ingress was removed in Kubernetes 1.22; networking.k8s.io/v1 expresses the same rule with a required pathType and backend.service.name / backend.service.port.number, and spec.ingressClassName in place of the annotation.
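To make the Ingress rule semantics from the overview (hostname plus URL path selects a Service) concrete, here is an added example, not code from the post or from Traefik, of the matching an ingress controller performs. The rule table is constructed from ingress.yaml above plus a second, hypothetical Ingress (demo.od.com with services demo-web and demo-api are assumptions) so that multi-host and longest-prefix behaviour, which the single-rule manifest cannot show, is exercised.

```python
"""Route (Host header, path) to a backend Service the way an Ingress controller does.

Constructed example. Rules are in the shape of the Ingress spec above: one entry
per host, each with (path prefix, backend) pairs. Matching is: exact hostname
(case-insensitive, port and trailing dot stripped), then the longest matching
path prefix. Prefix matching here is element-wise, as in the Kubernetes 'Prefix'
pathType; Traefik 1.x's PathPrefix rule is a plain string prefix, so there
'/api' would also match '/apix'.
"""
from collections import namedtuple

Backend = namedtuple("Backend", "service port")

# Constructed: first entry is ingress.yaml above, second is an assumed extra Ingress.
INGRESS_RULES = [
    {"host": "traefik.od.com",
     "paths": [("/", Backend("traefik-ingress-service", 8080))]},
    {"host": "demo.od.com",
     "paths": [("/", Backend("demo-web", 80)),
               ("/api", Backend("demo-api", 8080))]},
]


def normalize_host(host_header):
    """Lower-case and strip ':port' and a trailing dot so 'Demo.od.com:81' matches 'demo.od.com'."""
    if not host_header:
        return ""
    h = host_header.strip()
    if h.startswith("["):                      # IPv6 literal: [addr]:port
        h = h[1:h.find("]")] if "]" in h else h
    else:
        h = h.split(":", 1)[0]
    return h.lower().rstrip(".")


def path_matches(prefix, path):
    """Element-wise prefix match: '/api' matches '/api' and '/api/x', not '/apix'."""
    if prefix == "/":
        return True
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def route(rules, host_header, path):
    """Return the Backend for the request, or None when no rule matches (a 404)."""
    host = normalize_host(host_header)
    if not host:
        return None                            # no Host header: nothing can match
    best, best_len = None, -1
    for rule in rules:
        if rule["host"].lower() != host:
            continue
        for prefix, backend in rule["paths"]:
            if path_matches(prefix, path) and len(prefix) > best_len:
                best, best_len = backend, len(prefix)
    return best


if __name__ == "__main__":
    for host, path in [("traefik.od.com", "/"), ("Demo.od.com:81", "/api/v1"),
                       ("demo.od.com", "/apix"), ("unknown.od.com", "/")]:
        print(host, path, "->", route(INGRESS_RULES, host, path))
```

Because the front-end nginx forwards the client's Host header unchanged (proxy_set_header Host $http_host), the client chooses which rule fires; that is the whole routing mechanism, and also why an Ingress hostname is not an access control: anyone who can reach port 81 and send Host: traefik.od.com reaches the dashboard.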
Create the resources:
# On any node that has kubectl access
~]# kubectl apply -f http://k8s-yaml.od.com/traefik/rbac.yaml
~]# kubectl apply -f http://k8s-yaml.od.com/traefik/ds.yaml
~]# kubectl apply -f http://k8s-yaml.od.com/traefik/svc.yaml
~]# kubectl apply -f http://k8s-yaml.od.com/traefik/ingress.yaml
# Verify that one pod is running per node
~]# kubectl get pods -n kube-system -l k8s-app=traefik-ingress -o wide
The manifests are fetched over plain HTTP from k8s-yaml.od.com (10.4.7.12 in the zone file below), which is acceptable on this isolated lab network; whoever can answer for that name can inject cluster-scoped RBAC objects, so do not reuse the pattern across networks you do not control.
Create the reverse proxy:
# On the reverse proxy nodes
~]# vi /etc/nginx/conf.d/od.com.conf
upstream default_backend_traefik {
    server 10.4.7.21:81    max_fails=3 fail_timeout=10s;
    server 10.4.7.22:81    max_fails=3 fail_timeout=10s;
}
server {
    server_name *.od.com;

    location / {
        proxy_pass http://default_backend_traefik;
        proxy_set_header Host       $http_host;
        proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
    }
}
# Check the config and reload nginx
~]# nginx -t
~]# nginx -s reload
Every *.od.com request is forwarded to hostPort 81 on the two nodes; the Host header is passed through so Traefik can match Ingress hosts. $proxy_add_x_forwarded_for appends the connecting address to any X-Forwarded-For value the client already sent, so the header is only trustworthy from its right-hand end.
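Deriving the real client address behind this nginx layer, as an added example that is not part of the post. With proxy_add_x_forwarded_for, a client that sends its own X-Forwarded-For arrives at Traefik as "spoofed, real", so code that reads the leftmost value is trivially fooled; the safe rule is to start from the TCP peer and walk the header from the right, skipping only addresses of proxies you trust. The trusted proxy addresses are an assumption (the hosts in the page's zone file that front Traefik); Traefik 1.7's own equivalent is the forwardedHeaders.trustedIPs entrypoint setting.

```python
"""Derive the client IP from X-Forwarded-For, trusting only known proxies.

Constructed example. TRUSTED_PROXIES is an assumption about which hosts run
the nginx reverse proxy in front of Traefik; adjust it to the real proxy IPs.
"""
import ipaddress

# Assumed: the two hosts from the page's DNS zone that front Traefik.
TRUSTED_PROXIES = [ipaddress.ip_network("10.4.7.11/32"),
                   ipaddress.ip_network("10.4.7.12/32")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr parses as an IP inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False                       # garbage in the header is never trusted
    return any(ip in net for net in trusted)


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address of the first hop, from the right, that is not a trusted proxy.

    remote_addr is the TCP peer (what Traefik sees); xff_header is the
    X-Forwarded-For value it received. If the peer itself is not a trusted
    proxy the header is ignored entirely, because nobody we trust added to it.
    """
    if not is_trusted(remote_addr, trusted):
        return remote_addr.strip()
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop, trusted):
            return hop
    # Header empty or made only of trusted proxies: the nearest peer is the best answer.
    return remote_addr.strip()


if __name__ == "__main__":
    # Constructed cases: a client spoofing XFF, and a client spoofing a proxy address.
    print(client_ip("10.4.7.11", "1.2.3.4, 203.0.113.5"))     # 203.0.113.5
    print(client_ip("10.4.7.12", "10.4.7.11, 203.0.113.5"))   # 203.0.113.5
    print(client_ip("198.51.100.9", "1.2.3.4"))               # 198.51.100.9
```

Access-log entries and any per-IP rate limits or allowlists in applications behind Traefik should be keyed on this value, not on the raw header.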
Add the DNS record:
# On the bind host (dns.od.com, 10.4.7.11)
~]# vi /var/named/od.com.zone
$ORIGIN od.com.
$TTL 600        ; 10 minutes
@       IN SOA  dns.od.com. dnsadmin.od.com. (
                2019120904 ; serial (bumped by one from the previous value)
                10800      ; refresh (3 hours)
                900        ; retry (15 minutes)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
        NS      dns.od.com.
$TTL 60 ; 1 minute
dns        A    10.4.7.11
harbor     A    10.4.7.12
k8s-yaml   A    10.4.7.12
traefik    A    10.4.7.10   ; new record, points at the keepalived VIP of the nginx proxies
# Restart bind9 (the serial must have been incremented or the change is not picked up)
~]# systemctl restart named
# Verify; the answer should be 10.4.7.10
~]# dig -t A traefik.od.com +short
Open in a browser:
Traefik dashboard: http://traefik.od.com/ (served through nginx on the VIP, then hostPort 81, then the traefik-ingress-service admin-web port; it is unauthenticated, so keep it reachable from the lab network only).