• 14 部署Ingress


    #服务反向代理
    #部署Traefik 2.0版本

    14.1创建 traefik-crd.yaml 文件 (yanglin1)

    [root@yanglin1 ~]# mkdir /root/ingress && cd /root/ingress
    [root@yanglin1 ~]# vim traefik-crd.yaml
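    # Traefik 2.x CustomResourceDefinitions for the traefik.containo.us API group.
    # NOTE(review): apiextensions.k8s.io/v1beta1 is no longer served from
    # Kubernetes 1.22 onward; on newer clusters these CRDs have to be rewritten as
    # apiextensions.k8s.io/v1, which requires a `versions` list with a schema.
    # No validation schema is declared here, so the API server does not check the
    # spec of these objects; a malformed route is only noticed when Traefik loads it.
    ## IngressRoute
    apiVersion: apiextensions.k8s.io/v1beta1
    kind: CustomResourceDefinition
    metadata:
      name: ingressroutes.traefik.containo.us
    spec:
      scope: Namespaced
      group: traefik.containo.us
      version: v1alpha1
      names:
        kind: IngressRoute
        plural: ingressroutes
        singular: ingressroute
    ---
    ## IngressRouteTCP
    apiVersion: apiextensions.k8s.io/v1beta1
    kind: CustomResourceDefinition
    metadata:
      name: ingressroutetcps.traefik.containo.us
    spec:
      scope: Namespaced
      group: traefik.containo.us
      version: v1alpha1
      names:
        kind: IngressRouteTCP
        plural: ingressroutetcps
        singular: ingressroutetcp
    ---
    ## Middleware
    apiVersion: apiextensions.k8s.io/v1beta1
    kind: CustomResourceDefinition
    metadata:
      name: middlewares.traefik.containo.us
    spec:
      scope: Namespaced
      group: traefik.containo.us
      version: v1alpha1
      names:
        kind: Middleware
        plural: middlewares
        singular: middleware
    ---
    ## TLSOption
    apiVersion: apiextensions.k8s.io/v1beta1
    kind: CustomResourceDefinition
    metadata:
      name: tlsoptions.traefik.containo.us
    spec:
      scope: Namespaced
      group: traefik.containo.us
      version: v1alpha1
      names:
        kind: TLSOption
        plural: tlsoptions
        # `singular` belongs under spec.names, like in the three CRDs above.
        singular: tlsoption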

    14.1.1 创建Traefik CRD资源(yanglin1)

    [root@yanglin1 ~]#  cd /root/ingress
    [root@yanglin1 ingress]#  kubectl create -f traefik-crd.yaml                                         
    customresourcedefinition.apiextensions.k8s.io/ingressroutes.traefik.containo.us created
    customresourcedefinition.apiextensions.k8s.io/ingressroutetcps.traefik.containo.us created
    customresourcedefinition.apiextensions.k8s.io/middlewares.traefik.containo.us created
    customresourcedefinition.apiextensions.k8s.io/tlsoptions.traefik.containo.us created
    
    [root@yanglin1 ingress]# kubectl get CustomResourceDefinition
    NAME                                   CREATED AT
    ingressroutes.traefik.containo.us      2022-06-13T08:40:56Z
    ingressroutetcps.traefik.containo.us   2022-06-13T08:40:56Z
    middlewares.traefik.containo.us        2022-06-13T08:40:56Z
    tlsoptions.traefik.containo.us         2022-06-13T08:40:56Z


    14.2 创建Traefik RBAC文件(master-1)

    [root@yanglin1 ~]#  vi  traefik-rbac.yaml
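    # Service account, cluster-wide read role and binding used by the Traefik pods.
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      namespace: kube-system
      name: traefik-ingress-controller
    ---
    kind: ClusterRole
    # rbac.authorization.k8s.io/v1 replaces v1beta1, which is no longer served
    # from Kubernetes 1.22 onward; the schema of these objects is unchanged.
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: traefik-ingress-controller
    rules:
      # NOTE(review): get/list/watch on "secrets" in a ClusterRole lets this
      # service account read every Secret in every namespace. Traefik uses the
      # access to load TLS certificates, but a compromised Traefik pod inherits
      # it. Where the routed workloads live in a few known namespaces, consider
      # namespaced Role/RoleBinding objects instead and limit the namespaces the
      # Kubernetes provider watches.
      - apiGroups: [""]
        resources: ["services","endpoints","secrets"]
        verbs: ["get","list","watch"]
      - apiGroups: ["extensions"]
        resources: ["ingresses"]
        verbs: ["get","list","watch"]
      # The only write permission granted: updating the status of Ingress objects.
      - apiGroups: ["extensions"]
        resources: ["ingresses/status"]
        verbs: ["update"]
      # Read-only access to the Traefik custom resources.
      - apiGroups: ["traefik.containo.us"]
        resources: ["middlewares"]
        verbs: ["get","list","watch"]
      - apiGroups: ["traefik.containo.us"]
        resources: ["ingressroutes"]
        verbs: ["get","list","watch"]
      - apiGroups: ["traefik.containo.us"]
        resources: ["ingressroutetcps"]
        verbs: ["get","list","watch"]
      - apiGroups: ["traefik.containo.us"]
        resources: ["tlsoptions"]
        verbs: ["get","list","watch"]
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: traefik-ingress-controller
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: traefik-ingress-controller
    subjects:
      - kind: ServiceAccount
        name: traefik-ingress-controller
        # A ServiceAccount subject needs its namespace; the field belongs to the
        # subject entry, not to the top level of the binding.
        namespace: kube-system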

    14.2.1 创建RBAC 资源

    [root@yanglin1 ingress]# kubectl create -f traefik-rbac.yaml
    serviceaccount/traefik-ingress-controller created
    clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller created
    clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller created

    14.3 创建Traefik ConfigMap (yanglin1)

    [root@yanglin1 ~]#  vi traefik-config.yaml 
    # Static Traefik configuration, mounted into the pods as /config/traefik.yaml.
    # metadata has no namespace; the tutorial supplies it with `-n kube-system`.
    #
    # NOTE(review): settings in traefik.yaml that are acceptable in a lab but
    # should be revisited before this is exposed to any untrusted network:
    #   * serversTransport.insecureSkipVerify: true turns off certificate
    #     verification for every HTTPS backend, so an impersonated backend is
    #     not detected. Prefer trusting the backends' CA instead.
    #   * api.insecure: true serves the API and dashboard without authentication
    #     on the entry point named "traefik" (port 8080 by default).
    #   * api.debug: true additionally enables debugging/profiling endpoints on
    #     that same API.
    #   * accessLog.fields.headers.defaultMode: keep logs all request headers
    #     except the ones listed; only Authorization is dropped and User-Agent
    #     redacted, so other credential-bearing headers (for example Cookie)
    #     would be written to the access log.
    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: traefik-config
    data:
      traefik.yaml: |-
        serversTransport:
          insecureSkipVerify: true
        api:
          insecure: true
          dashboard: true
          debug: true
        metrics:
          prometheus: ""
        entryPoints:
          web:
            address: ":80"
          websecure:
            address: ":443"
        providers:
          kubernetesCRD: ""
        log:
          filePath: ""
          level: error
          format: json
        accessLog:
          filePath: ""
          format: json
          bufferingSize: 0
          filters:
            retryAttempts: true
            minDuration: 20
          fields:
            defaultMode: keep
            names:
              ClientUsername: drop
            headers:
              defaultMode: keep
              names:
                User-Agent: redact
                Authorization: drop
                Content-Type: keep
                
                

    14.3.1 创建Traefik ConfigMap资源配置

    [root@yanglin1 ~]#  kubectl apply -f traefik-config.yaml -n kube-system

    14.4 设置节点标签

    #设置节点label
    [root@yanglin1 ingress]# kubectl label nodes 192.168.177.155 IngressProxy=true
    
    #暂时不做
    [root@yanglin1 ingress]# kubectl label nodes 192.168.177.156 IngressProxy=true

    14.4.1 查看节点标签

    #检查是否成功
    [root@yanglin1 ingress]# kubectl get nodes --show-labels

    14.5 创建 traefik 部署文件

    #注意每个Node节点的80与443端口不能被占用
    [root@yanglin1 ingress]# netstat -antupl | grep -E "80|443"
    
    [root@yanglin1 ingress]# vi traefik-deploy.yaml
    # Service and DaemonSet for Traefik; the namespace is supplied with
    # `-n kube-system` when the file is applied.
    apiVersion: v1
    kind: Service
    metadata:
      name: traefik
    spec:
      ports:
        - name: web
          port: 80
        - name: websecure
          port: 443
        # NOTE(review): 8080 is the Traefik API/dashboard port. With
        # api.insecure enabled in traefik-config it has no authentication, and
        # this Service makes it reachable from any pod in the cluster.
        - name: admin
          port: 8080
      selector:
        app: traefik
    ---
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: traefik-ingress-controller
      labels:
        app: traefik
    spec:
      selector:
        matchLabels:
          app: traefik
      template:
        metadata:
          name: traefik
          labels:
            app: traefik
        spec:
          # Runs with the service account bound to the traefik-ingress-controller
          # ClusterRole (includes cluster-wide read access to secrets).
          serviceAccountName: traefik-ingress-controller
          # One second of grace: in-flight requests are cut off on pod shutdown.
          terminationGracePeriodSeconds: 1
          containers:
            # NOTE(review): `latest` is a mutable tag. This section targets
            # Traefik 2.0, while `latest` can resolve to a later major release
            # that no longer uses the traefik.containo.us CRD group. Pin an
            # explicit 2.x version tag (or an image digest) so that what runs
            # on the ingress nodes is known and reproducible.
            - image: traefik:latest
              name: traefik-ingress-lb
              ports:
                # hostPort binds 80 and 443 directly on every selected node.
                - name: web
                  containerPort: 80
                  hostPort: 80 
                - name: websecure
                  containerPort: 443
                  hostPort: 443
                - name: admin
                  containerPort: 8080
              resources:
                limits:
                  cpu: 2000m
                  memory: 1024Mi
                requests:
                  cpu: 1000m
                  memory: 1024Mi
              # All capabilities are dropped except NET_BIND_SERVICE, which is
              # what allows binding ports below 1024.
              # NOTE(review): consider also setting allowPrivilegeEscalation:
              # false here - confirm against the image in use.
              securityContext:
                capabilities:
                  drop:
                    - ALL
                  add:
                    - NET_BIND_SERVICE
              args:
                - --configfile=/config/traefik.yaml
              volumeMounts:
                - mountPath: "/config"
                  name: "config"
          volumes:
            - name: config
              configMap:
                name: traefik-config 
          # A toleration with only `operator: Exists` tolerates every taint, so
          # the nodeSelector below is the only thing limiting where the pods run.
          tolerations: 
            - operator: "Exists"
          # Only nodes labelled IngressProxy=true run Traefik.
          nodeSelector: 
            IngressProxy: "true"

    14.5.1部署 Traefik 资源

    [root@yanglin1 ingress]#  kubectl apply -f traefik-deploy.yaml -n kube-system
    
    #查看运行状态
    [root@yanglin1 ingress]# kubectl get DaemonSet -n kube-system              
    NAME                         DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR       AGE
    traefik-ingress-controller   1         1         1       1            1           IngressProxy=true   77s
     

    14.6 Traefik 路由配置
    14.6.1 配置Traefik Dashboard

    [root@yanglin1 ingress]#  vi traefik-dashboard-route.yaml
    # Routes Host ingress.abcd.com to port 8080 (the Traefik API/dashboard) of
    # the "traefik" Service.
    # NOTE(review): the route uses the plain-HTTP `web` entry point and has no
    # middlewares, so the dashboard and API are served unauthenticated and
    # unencrypted to anyone who can reach port 80 of an ingress node and send
    # this Host header. Outside a lab, serve it on `websecure` with TLS and put
    # an authentication (e.g. basicAuth) or source-IP allow-list Middleware in
    # front of it.
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: traefik-dashboard-route
      namespace: kube-system
    spec:
      entryPoints:
        - web
      routes:
        - match: Host(`ingress.abcd.com`)
          kind: Rule
          services:
            - name: traefik
              port: 8080
    
    #创建Ingress (traefik)
    [root@yanglin1 ingress]#  kubectl apply -f traefik-dashboard-route.yaml

    14.6.2 客户端访问Traefik Dashboard
    14.6.2.1 绑定物理主机Hosts文件或者域名解析
    /etc/hosts
    192.168.177.155 ingress.abcd.com
    访问web

    14.7 部署访问服务(http)

    #创建nginx服务
    [root@yanglin1 ingress]#  kubectl run nginx-ingress-demo1 --image=nginx --replicas=1 -n kube-system
    [root@yanglin1 ingress]#  kubectl expose deployment nginx-ingress-demo1 --port=1099 --target-port=80 -n kube-system
    
    #创建nginx路由服务
    vim nginx-ingress-demo-route1.yaml
    # Routes Host nginx11.abcd.com on the plain-HTTP `web` entry point to the
    # nginx-ingress-demo1 Service (port 1099, which forwards to container port 80).
    # NOTE(review): the demo workload and this route are created in kube-system;
    # a dedicated namespace keeps test workloads apart from cluster components.
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: traefik-nginx-demo-route1
      namespace: kube-system
    spec:
      entryPoints:
        - web
      routes:
        - match: Host(`nginx11.abcd.com`)
          kind: Rule
          services:
            - name: nginx-ingress-demo1
              port: 1099
    
    #创建
    [root@yanglin1 ingress]# kubectl  apply -f nginx-ingress-demo-route1.yaml
    
    [root@yanglin1 ingress]# kubectl get IngressRoute -A
    NAMESPACE     NAME                       AGE
    default       traefik-dashboard-route    48m
    kube-system   traefik-nginx-demo-route   68s
    
    #访问
    #绑定hosts (物理机器)
    192.168.177.155 nginx11.abcd.com

     14.8 创建https服务

    #代理dashboard https 服务
    # 创建自签名证书(仅供测试:-nodes 表示私钥 tls.key 不加密保存,导入 Secret 后应限制其访问权限或删除)
    [root@master-1 ingress]#  cd /root/ingress
    [root@master-1 ingress]#  openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=cloud.abcd.com"
    
    #将证书存储到 Kubernetes Secret中
    [root@master-1 ingress]#  kubectl create secret tls dashboard-tls --key=tls.key --cert=tls.crt -n kube-system
    
    #查看系统secret
    [root@master-1 ingress]# kubectl get secret
    NAME                                     TYPE                                  DATA   AGE
    default-token-l77nw                      kubernetes.io/service-account-token   3      6d22h
    traefik-ingress-controller-token-pdbhn   kubernetes.io/service-account-token   3      132m
    
    #创建路由文件
    #先查询kubernetes dashboard 的命名空间
    [root@master-1 ingress]# cat kubernetes-dashboard-route.yaml 
    # Mind the namespace: presumably it has to be the namespace where the
    # kubernetes-dashboard Service is installed, and the TLS secret named in
    # tls.secretName has to exist in that same namespace - verify on the cluster.
    # The tutorial creates dashboard-tls in kube-system, while its later
    # `kubectl get IngressRoute -A` output lists this route under the
    # kubernetes-dashboard namespace.
    # NOTE(review): the backend is the dashboard's own HTTPS port (443); this
    # presumably only works because serversTransport.insecureSkipVerify is
    # enabled in traefik-config, i.e. the backend certificate is not verified.
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: kubernetes-dashboard-route
      namespace: kube-system
    spec:
      entryPoints:
        - websecure
      # TLS is terminated by Traefik with the self-signed certificate stored in
      # the dashboard-tls secret.
      tls:
        secretName: dashboard-tls
      routes:
        - match: Host(`cloud.abcd.com`) 
          kind: Rule
          services:
            - name: kubernetes-dashboard
              port: 443
    
    #创建 Kubernetes Dashboard 路由规则对象
    [root@master-1 ingress]# kubectl apply  -f kubernetes-dashboard-route.yaml
    
    #查看创建的路由
    [root@master-1 ingress]#  kubectl get IngressRoute -A                     
    NAMESPACE              NAME                         AGE
    default                traefik-dashboard-route      125m
    kube-system            traefik-nginx-demo-route     77m
    kube-system            traefik-nginx-demo-route1    3m5s
    kubernetes-dashboard   kubernetes-dashboard-route   13s
    
    #绑定hosts 访问
    192.168.91.21  cloud.abcd.com
    配置完成后,打开浏览器输入地址:https://cloud.abcd.com 即可打开 Dashboard。由于使用的是自签名证书,浏览器会提示证书不受信任。

    14.9 TCP服务访问

    #修改配置文件
    #traefik-config.yaml
        entryPoints:
          web:
            address: ":80"
          websecure:
            address: ":443"
          redistcp:
            address: ":6379"
    
    #应用配置
    [root@yanglin1 ingress]# kubectl apply -f traefik-config.yaml -n kube-system
    
    #修改配置文件
    #traefik-deploy.yaml
          containers:
              ports:
                - name: web
                  containerPort: 80
                  hostPort: 80
                - name: websecure
                  containerPort: 443
                  hostPort: 443
                - name: admin
                  containerPort: 8080
                - name: redistcp
                  containerPort: 6379
                  hostPort: 6379
    
    #应用配置
    [root@yanglin1 ingress]#kubectl apply -f traefik-deploy.yaml -n kube-system
    
    
    #配置redis文件
    [root@yanglin1 ingress]# cat redis-tcp-deploy.yaml
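    # Redis demo Deployment and Service used as the backend of the TCP route.
    # apps/v1 replaces extensions/v1beta1, which stopped being served for
    # Deployments in Kubernetes 1.16.
    # NOTE(review): the stock `redis` image runs without a password, and the
    # tag is not pinned. Once the redistcp entry point is bound to hostPort
    # 6379, this instance is reachable by anything that can reach the ingress
    # node; outside a lab, enable Redis authentication and restrict who can
    # reach that port.
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: redis-tcp
    spec:
      # apps/v1 requires an explicit selector matching the pod template labels.
      selector:
        matchLabels:
          app: redis-tcp
      template:
        metadata:
          labels:
            app: redis-tcp
        spec:
          containers:
          - name: redis-tcp
            image: redis
            ports:
            - containerPort: 6379
              protocol: TCP
    ---

    apiVersion: v1
    kind: Service
    metadata:
      name: redis-tcp-svc
    spec:
      ports:
      - port: 6379
        targetPort: 6379
      selector:
        app: redis-tcp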
    
    #部署redis
    [root@yanglin1 ingress]# kubectl apply -f redis-tcp-deploy.yaml 
    deployment.extensions/redis-tcp unchanged
    service/redis-tcp-svc unchanged
    
    #配置路由
    [root@yanglin1 ingress]# cat  traefik-redis-tcp-route.yaml
    # Forwards every TCP connection arriving on the `redistcp` entry point
    # (port 6379) to the redis-tcp-svc Service.
    # NOTE(review): HostSNI(`*`) matches all connections; plain (non-TLS) TCP
    # carries no server name, so no narrower match is possible here. Together
    # with hostPort 6379 on the ingress nodes this publishes Redis on the node
    # address with no TLS and no authentication in front of it. Limit access
    # at the network level and enable Redis authentication before using this
    # pattern beyond a test cluster.
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRouteTCP
    metadata:
      name: redis-tcp-ingress
    spec:
      entryPoints:
        - redistcp
      routes:
      - match: HostSNI(`*`)
        services:
        - name: redis-tcp-svc
          port: 6379
          weight: 10
          terminationDelay: 400
    
    #部署路由
    [root@yanglin1 ingress]# kubectl apply -f traefik-redis-tcp-route.yaml
    
    
    #查看界面
     
    #绑定任意主机名到node节点访问
    #192.168.177.155 redis.cc.com (注意节点,也可以直接使用node Ip 访问)
    [root@yanglin2 ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
    [root@yanglin2 ~]# redis-cli -h 192.168.177.155 -p 6379   或者  
    [root@yanglin2 ~]# redis-cli -h redis.cc.com -p 6379
    redis.cc.com:6379> set a 12131
    OK
    redis.cc.com:6379> get a
    "12131"
  • 原文地址:https://www.cnblogs.com/hbxZJ/p/16375488.html