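Service discovery
Kubernetes uses CoreDNS so that services are resolved automatically inside the cluster. To reach a service from outside the cluster, either:
Use a NodePort service
Use an Ingress resource, which routes HTTP and HTTPS at layer 7 (HTTPS is more involved because it needs a certificate resource)
Ingress
A set of rules, based on domain name and URL, that forward requests to the specified Service resource
It can forward request traffic from outside the cluster to inside the cluster, which exposes the service
Ingress controller: listens on a port and dispatches requests according to the matching rules
In essence it is a simplified nginx
Ingress controller implementations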
ingress-nginx
HaProxy
Traefik
Traefik
github
https://github.com/containous/traefik/
yml
https://github.com/containous/traefik/tree/v1.7/examples/k8s
docker
https://hub.docker.com/_/traefik?tab=tags&page=1&name=1.7
Traefik can run as a DaemonSet (one pod per node) or as a Deployment; for a load balancer, a DaemonSet is the better fit
rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: traefik-ingress-controller
rules:
  # Read-only, cluster-wide access to the objects Traefik builds routes from (secrets included)
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
daemonset.yaml
The container listens on port 80, which is mapped to hostPort 80. Note that a hostPort listener cannot be found with netstat
It also opens an admin port, 8080, which is itself exposed through an Ingress
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
      name: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
        - image: registry-vpc.cn-hangzhou.aliyuncs.com/e-dewin/traefik:v1.7.25-alpine
          name: traefik-ingress-lb
          ports:
            - name: http
              containerPort: 80
              hostPort: 80
            - name: admin
              containerPort: 8080
          securityContext:
            capabilities:
              # Drop everything except the capability needed to bind port 80
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          args:
            # --api turns on the API and dashboard served on the admin port (8080);
            # no authentication is configured in these arguments
            - --api
            - --kubernetes
            - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
ingress.yml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik                      # use the traefik controller
    traefik.frontend.rule.type: PathPrefixStrip               # strip the path when forwarding to the backend
    traefik.ingress.kubernetes.io/frontend-entry-points: http # only reachable over http; https can also be set
spec:
  rules:
    - host: traefik.e-dewin.com
      http:
        paths:
          - path: /admin
            backend:
              serviceName: traefik-ingress-service
              servicePort: 8080
After deploying, view the routing information from the command line
# kubectl describe ingress traefik-web-ui -n kube-system
Name:             traefik-web-ui
Namespace:        kube-system
Address:
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host                 Path  Backends
  ----                 ----  --------
  traefik.e-dewin.com
                       /admin   traefik-ingress-service:8080 (10.244.1.80:8080,10.244.3.34:8080)
Annotations:
  kubernetes.io/ingress.class:                          traefik
  traefik.frontend.rule.type:                           PathPrefixStrip
  traefik.ingress.kubernetes.io/frontend-entry-points:  http
Events:  <none>
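The DaemonSet opens port 80 on every load-balancing node. First add an entry to the hosts file on your PC that resolves the domain to one of those nodes; visiting the domain then opens the page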
http://traefik.e-dewin.com/admin
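An added example (not from the original page or the Traefik project): a small audit over the JSON that `kubectl get ingress --all-namespaces -o json` returns, flagging Ingress rules that route to the Traefik admin port with no `auth-type` annotation or with entry points limited to `http`, as the `traefik-web-ui` Ingress above does. The `auth-type` and `auth-secret` annotations are Traefik 1.x's own; the second sample Ingress, its name and the `dashboard-users` secret are constructed for illustration.

```python
import json

# Traefik 1.x reads its Ingress annotations under either of these prefixes.
PREFIXES = ("traefik.ingress.kubernetes.io/", "ingress.kubernetes.io/")
ADMIN_PORTS = {8080, "admin"}  # admin port number and name from the manifests above

def annotation(ing, key):
    """Return the value of a Traefik annotation under either prefix, or None."""
    notes = ing.get("metadata", {}).get("annotations") or {}
    for prefix in PREFIXES:
        if prefix + key in notes:
            return notes[prefix + key]
    return None

def audit(ingress_list):
    """Return (namespace/name, host, path, problems) for risky routes to the admin port."""
    findings = []
    for ing in ingress_list.get("items", []):
        meta = ing["metadata"]
        problems = []
        if not annotation(ing, "auth-type"):
            problems.append("no auth-type annotation")
        entry = annotation(ing, "frontend-entry-points")
        if entry is not None and "https" not in [e.strip() for e in entry.split(",")]:
            problems.append("entry points limited to plain http")
        for rule in ing.get("spec", {}).get("rules", []):
            for p in rule.get("http", {}).get("paths", []):
                port = p.get("backend", {}).get("servicePort")
                if port in ADMIN_PORTS and problems:
                    findings.append((f'{meta["namespace"]}/{meta["name"]}',
                                     rule.get("host", "*"), p.get("path", "/"), problems))
    return findings

# Constructed sample: this page's Ingress plus a hypothetical one with auth and https.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "traefik-web-ui", "namespace": "kube-system", "annotations": {
    "kubernetes.io/ingress.class": "traefik",
    "traefik.ingress.kubernetes.io/frontend-entry-points": "http"}},
  "spec": {"rules": [{"host": "traefik.e-dewin.com", "http": {"paths": [{"path": "/admin",
    "backend": {"serviceName": "traefik-ingress-service", "servicePort": 8080}}]}}]}},
 {"metadata": {"name": "web-ui-with-auth", "namespace": "kube-system", "annotations": {
    "ingress.kubernetes.io/auth-type": "basic",
    "ingress.kubernetes.io/auth-secret": "dashboard-users",
    "traefik.ingress.kubernetes.io/frontend-entry-points": "https"}},
  "spec": {"rules": [{"host": "traefik.e-dewin.com", "http": {"paths": [{"path": "/admin",
    "backend": {"serviceName": "traefik-ingress-service", "servicePort": 8080}}]}}]}}
]}""")

if __name__ == "__main__":
    for name, host, path, problems in audit(SAMPLE):
        print(f"{name}: {host}{path} -> admin port: " + "; ".join(problems))
```

The secret named by `auth-secret` has to live in the same namespace as the Ingress, and reading it is what the `secrets` rule in rbac.yaml permits.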