• K8S(05)核心插件-ingress(服务暴露)控制器-traefik


    K8S核心插件-ingress(服务暴露)控制器-traefik

    1 K8S两种服务暴露方法

    前面通过coredns在k8s集群内部做了serviceNAME和serviceIP之间的自动映射,使得不需要记录service的IP地址,只需要通过serviceNAME就能访问POD
    但是在K8S集群外部,显然是不能通过serviceNAME或serviceIP来解析服务的
    要在K8S集群外部来访问集群内部的资源,需要用到服务暴露功能

    1.1 K8S常用的两种服务暴露方法

    1. 使用NodePort型的Service
      nodeport型的service原理相当于端口映射,将容器内的端口映射到宿主机上的某个端口。
      K8S集群不能使用ipvs的方式调度,必须使用iptables,且只支持rr模式

    2. 使用Ingress资源
      Ingress是K8S API标准资源之一,也是核心资源
      是一组基于域名和URL路径的规则,把用户的请求转发至指定的service资源
      可以将集群外部的请求流量,转发至集群内部,从而实现'服务暴露'

    1.2 Ingress控制器是什么

    可以理解为一个简化版本的nginx
    Ingress控制器是能够为Ingress资源健康某套接字,然后根据ingress规则匹配机制路由调度流量的一个组件
    只能工作在七层网络下,建议暴露http, https可以使用前端nginx来做证书方面的卸载

    我们使用的ingress控制器为Traefik

    traefik:GITHUB官方地址

    2 部署traefik

    同样的,现在7.200完成docker镜像拉取和配置清单创建,然后再到任意master节点执行配置清单

    2.1 准备docker镜像

    docker pull traefik:v1.7.2-alpine
    docker tag  traefik:v1.7.2-alpine harbor.zq.com/public/traefik:v1.7.2
    docker push harbor.zq.com/public/traefik:v1.7.2
    

    2.2 创建资源清单

    mkdir -p /data/k8s-yaml/traefik
    

    2.2.1 rbac授权清单

    cat >/data/k8s-yaml/traefik/rbac.yaml <<EOF
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: traefik-ingress-controller
      namespace: kube-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRole
    metadata:
      name: traefik-ingress-controller
    rules:
      - apiGroups:
          - ""
        resources:
          - services
          - endpoints
          - secrets
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - extensions
        resources:
          - ingresses
        verbs:
          - get
          - list
          - watch
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: traefik-ingress-controller
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: traefik-ingress-controller
    subjects:
    - kind: ServiceAccount
      name: traefik-ingress-controller
      namespace: kube-system
    EOF
    

    2.2.2 delepoly资源清单

    cat >/data/k8s-yaml/traefik/ds.yaml <<EOF
    apiVersion: extensions/v1beta1
    kind: DaemonSet
    metadata:
      name: traefik-ingress
      namespace: kube-system
      labels:
        k8s-app: traefik-ingress
    spec:
      template:
        metadata:
          labels:
            k8s-app: traefik-ingress
            name: traefik-ingress
        spec:
          serviceAccountName: traefik-ingress-controller
          terminationGracePeriodSeconds: 60
          containers:
          - image: harbor.zq.com/public/traefik:v1.7.2
            name: traefik-ingress
            ports:
            - name: controller
              containerPort: 80
              hostPort: 81
            - name: admin-web
              containerPort: 8080
            securityContext:
              capabilities:
                drop:
                - ALL
                add:
                - NET_BIND_SERVICE
            args:
            - --api
            - --kubernetes
            - --logLevel=INFO
            - --insecureskipverify=true
            - --kubernetes.endpoint=https://10.4.7.10:7443
            - --accesslog
            - --accesslog.filepath=/var/log/traefik_access.log
            - --traefiklog
            - --traefiklog.filepath=/var/log/traefik.log
            - --metrics.prometheus
    EOF
    

    2.2.3 service清单

    cat >/data/k8s-yaml/traefik/svc.yaml <<EOF
    kind: Service
    apiVersion: v1
    metadata:
      name: traefik-ingress-service
      namespace: kube-system
    spec:
      selector:
        k8s-app: traefik-ingress
      ports:
        - protocol: TCP
          port: 80
          name: controller
        - protocol: TCP
          port: 8080
          name: admin-web
    EOF
    

    2.2.4 ingress清单

    cat >/data/k8s-yaml/traefik/ingress.yaml <<EOF
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: traefik-web-ui
      namespace: kube-system
      annotations:
        kubernetes.io/ingress.class: traefik
    spec:
      rules:
      - host: traefik.zq.com
        http:
          paths:
          - path: /
            backend:
              serviceName: traefik-ingress-service
              servicePort: 8080
    EOF
    

    2.3 创建资源

    2.3.1 任意节点上创建资源

    kubectl create -f http://k8s-yaml.zq.com/traefik/rbac.yaml
    kubectl create -f http://k8s-yaml.zq.com/traefik/ds.yaml
    kubectl create -f http://k8s-yaml.zq.com/traefik/svc.yaml
    kubectl create -f http://k8s-yaml.zq.com/traefik/ingress.yaml
    

    2.3.2 在前端nginx上做反向代理

    7.117.12上,都做反向代理,将泛域名的解析都转发到traefik上去

    cat >/etc/nginx/conf.d/zq.com.conf <<'EOF'
    upstream default_backend_traefik {
        server 10.4.7.21:81    max_fails=3 fail_timeout=10s;
        server 10.4.7.22:81    max_fails=3 fail_timeout=10s;
    }
    server {
        server_name *.zq.com;
      
        location / {
            proxy_pass http://default_backend_traefik;
            proxy_set_header Host       $http_host;
            proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
        }
    }
    EOF
    
    # 重启nginx服务
    nginx -t
    nginx -s reload
    

    2.3.3 在bind9中添加域名解析

    需要将traefik 服务的解析记录添加的DNS解析中,注意是绑定到VIP上

    vi /var/named/zq.com.zone
    ........
    traefik            A    10.4.7.10
    

    注意前滚serial编号

    重启named服务

    systemctl restart named
    
    #dig验证解析结果
    [root@hdss7-11 ~]# dig -t A traefik.zq.com +short
    10.4.7.10
    

    2.3.4 在集群外访问验证

    在集群外,访问http://traefik.zq.com,如果能正常显示web页面.说明我们已经暴露服务成功

  • 相关阅读:
    Tuesday / Wednesday = Increased Response
    脚本语言
    py2exe
    脚本语言
    访问者模式
    C调用lua脚本的效率测试
    Python编码规范
    py2exe
    Python编码规范
    访问者模式
  • 原文地址:https://www.cnblogs.com/noah-luo/p/13345211.html
Copyright © 2020-2023  润新知