Ingress 其实就是从 Kubernetes 集群外部访问集群的一个入口，将外部的请求按 Host/路径转发到集群内不同的 Service 上，其作用相当于 nginx、haproxy 等负载均衡代理服务器；Ingress 对象本身只是规则，必须由一个 Ingress Controller（本文使用 Traefik）来实际接收流量并执行转发。
1、部署Traefik
创建 RBAC 授权（ServiceAccount 与 ClusterRoleBinding，保存为 rbac.yaml）。注意：若像很多示例那样直接把 Traefik 的 ServiceAccount 绑定到内置的 cluster-admin 角色，Traefik Pod（以及任何攻破它的人）将拥有整个集群的完全控制权；Traefik 的 Kubernetes provider 实际上只需要读取 Service/Endpoints/Secret/Ingress 以及更新 Ingress status 的权限，生产环境应使用最小权限的 ClusterRole。
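# rbac.yaml — identity and permissions for the Traefik ingress controller.
#
# ServiceAccount the Traefik pods run as (referenced by serviceAccountName in
# the traefik.yaml Deployment).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress
  namespace: kube-system
---
# Least-privilege ClusterRole for the Traefik 1.x Kubernetes provider (this is
# the permission set documented for Traefik 1.x): read Services/Endpoints/
# Secrets and Ingresses, update Ingress status. It replaces the original
# roleRef to the built-in cluster-admin role, which would give every Traefik
# pod — and anyone who compromises it, e.g. through the unauthenticated
# dashboard/API on container port 8080 — full control of the whole cluster.
# Note that "secrets" read access is still cluster-wide (Traefik needs it for
# Ingress TLS secrets); scope it with a Role per namespace if that matters.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1   # v1 exists since Kubernetes 1.8; v1beta1 was removed in 1.22
metadata:
  name: traefik-ingress
rules:
  - apiGroups: [""]
    resources: ["services", "endpoints", "secrets"]
    verbs: ["get", "list", "watch"]
  # "networking.k8s.io" is listed next to "extensions" so the role keeps working
  # on clusters where Ingress has moved API groups; drop it if unused.
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["update"]
---
# Bind the scoped ClusterRole (not cluster-admin) to the ServiceAccount.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress
subjects:
  - kind: ServiceAccount
    name: traefik-ingress
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: traefik-ingress
  apiGroup: rbac.authorization.k8s.io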
# Create the ServiceAccount and RBAC objects defined in rbac.yaml
# (cluster-scoped; needs a kubeconfig that may create ClusterRoleBindings).
kubectl apply --filename rbac.yaml
下载traefik镜像并上传至私服
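# Mirror the upstream Traefik image into the private registry that the
# Deployment pulls from.
#
# Supply-chain caveats a reader should be aware of:
#  * "emilevauge/traefik" carries no tag, so this pulls the mutable :latest
#    tag — the content can change between runs. The digest of what was
#    actually pushed is printed at the end so it can be recorded and later
#    pinned in the Deployment (image: 192.168.100.87:80/traefik@sha256:...).
#  * The registry is addressed on port 80, i.e. plain HTTP (the daemon must
#    list it under insecure-registries); anything on the network path could
#    tamper with the image. Use TLS for the registry outside a lab.
docker pull emilevauge/traefik
docker tag emilevauge/traefik 192.168.100.87:80/traefik:emilevauge
docker push 192.168.100.87:80/traefik:emilevauge
# Show the content digest(s) now associated with the mirrored image.
docker image inspect --format '{{join .RepoDigests "\n"}}' 192.168.100.87:80/traefik:emilevauge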
创建traefik.yaml
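# traefik.yaml — Traefik 1.x ingress controller (the --api/--web/--kubernetes
# flags are Traefik 1.x syntax) plus a NodePort Service in front of it.
apiVersion: apps/v1          # extensions/v1beta1 Deployment was removed in Kubernetes 1.16
kind: Deployment
metadata:
  name: traefik-ingress-lb
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 2
  selector:                  # required by apps/v1; must match the pod template labels
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
      name: traefik-ingress-lb
    spec:
      restartPolicy: Always
      # RBAC identity from rbac.yaml; Traefik talks to the API server with it.
      serviceAccountName: traefik-ingress
      containers:
        # "emilevauge" is a mutable tag on an HTTP registry; pin a digest
        # (image@sha256:...) once the mirrored image has been verified.
        - image: 192.168.100.87:80/traefik:emilevauge
          name: traefik-ingress-lb
          ports:
            # hostPort binds :81 on every node that runs a replica, so two
            # replicas cannot be scheduled on the same node.
            - name: http
              containerPort: 80
              hostPort: 81
            # Dashboard + REST API enabled by --api/--web. There is no
            # authentication on it; it lists every route and backend.
            - name: admin
              containerPort: 8080
          args:
            - --api
            # --web is the older spelling of --api in Traefik 1.x; kept as in
            # the original manifest.
            - --web
            - --kubernetes
---
# NodePort Service: both the proxy port and the unauthenticated admin port
# get a random NodePort on every node (see `kubectl get svc -n kube-system`).
# Outside a lab, do not expose "admin" this way — restrict it with a
# NetworkPolicy/firewall or drop it from the Service.
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
  type: NodePort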
# Deploy Traefik and its NodePort Service into kube-system, then list the
# Services to read the assigned NodePorts.
kubectl apply --filename traefik.yaml
[root@k8s-node1 k8s]# kubectl get services -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 10d
kubernetes-dashboard NodePort 10.108.19.186 <none> 443:31620/TCP 10d
metrics-server ClusterIP 10.109.127.41 <none> 443/TCP 10d
traefik-ingress-service NodePort 10.109.29.248 <none> 80:30889/TCP,8080:32541/TCP 13s
通过 NodePort 访问 Traefik Dashboard：http://192.168.100.87:32541（32541 是上面输出中分配给 8080/admin 端口的 NodePort，以实际输出为准）。注意：该端口上的 Dashboard/API 没有任何认证，任何能访问到节点的人都能看到全部路由与后端地址，仅适合实验环境；生产环境应加认证或用防火墙/NetworkPolicy 限制来源。
2、部署ingress 访问traefik dashboard
创建ingress.yaml
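# ingress.yaml — publishes the Traefik dashboard/API (Service port "admin",
# i.e. container :8080) on the host header ingress.test.com through Traefik.
#
# No authentication is configured: anyone who can reach the node and send
# that Host header gets the complete route/backend inventory. Lab use only;
# otherwise protect it with the Traefik 1.x basic-auth annotations
# (ingress.kubernetes.io/auth-type: basic + ingress.kubernetes.io/auth-secret)
# or do not create this Ingress at all.
apiVersion: extensions/v1beta1   # removed in Kubernetes 1.22 (networking.k8s.io/v1 there)
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
    - host: ingress.test.com
      http:
        paths:
          # No path given: every path under this host is routed to the admin port.
          - backend:
              serviceName: traefik-ingress-service
              servicePort: admin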
# Create the dashboard Ingress (namespace is set inside the manifest).
kubectl apply --filename ingress.yaml
在浏览器所在机器的 hosts 文件（Linux/macOS 为 /etc/hosts，Windows 为 C:\Windows\System32\drivers\etc\hosts）中添加一行，把 ingress.test.com 解析到 192.168.100.87（运行 Traefik Pod 的节点 IP）。这里改的是域名解析，不是机器的 hostname。
访问 http://ingress.test.com:81（81 是 Deployment 中给 http 容器端口配置的 hostPort，因此请求必须到达运行 Traefik Pod 的节点；也可以改用上面 80 端口对应的 NodePort 30889）。
3、部署一个ingress
创建一个ingress 指定之前创建的一个service
ingress-default.yaml
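# ingress-default.yaml — routes ingress.test2.com/ to an application Service
# (kube-node-service:8080) created earlier. No namespace is set, so the
# Ingress lands in the kubectl context's current namespace (normally
# "default") and kube-node-service must live there too.
apiVersion: extensions/v1beta1   # removed in Kubernetes 1.22 (networking.k8s.io/v1 there)
kind: Ingress
metadata:
  name: traefik-web-ui-default
  # namespace: default
  annotations:
    kubernetes.io/ingress.class: "traefik"
spec:
  rules:
    - host: ingress.test2.com
      http:
        paths:
          - path: /
            backend:
              serviceName: kube-node-service
              servicePort: 8080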
# Create the application Ingress in the current context namespace
# (the manifest sets none).
kubectl apply --filename ingress-default.yaml
在浏览器所在机器的 hosts 文件中再添加一行，把 ingress.test2.com 也解析到 192.168.100.87（同样是修改 hosts 解析，不是 hostname）。
访问 http://ingress.test2.com:81/index（同样经由节点上的 hostPort 81）。
4、使用tls
生成自签名证书。注意这并不是 CA 证书，而是直接用于 ingress.test.com / ingress.test2.com 的自签名服务端证书：浏览器不信任它的签发者，访问时会提示连接不安全，除非把 tls.crt 导入客户端信任库；私钥 tls.key 未加密（-nodes），注意文件权限，导入 Secret 后应删除本地副本。
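# Generate a self-signed server certificate (NOT a CA) for the two lab hosts.
#  * -subj/-addext make the command non-interactive and put both Ingress hosts
#    in the SubjectAltName, which modern browsers require (the CN alone is
#    ignored). -addext needs OpenSSL 1.1.1 or newer; on older builds drop the
#    -addext line and pass the SAN via a config file instead.
#  * -nodes writes tls.key unencrypted, so tighten its mode right away and
#    delete it once it has been loaded into the Kubernetes Secret.
#  * Clients will still warn: nothing trusts the issuer of a self-signed cert.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -keyout tls.key -out tls.crt \
  -subj "/CN=ingress.test.com" \
  -addext "subjectAltName=DNS:ingress.test.com,DNS:ingress.test2.com"
chmod 600 tls.key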
使用 kubectl 创建一个 secret 对象来存储上面的证书:
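# Store the pair as a kubernetes.io/tls Secret, the type Ingress spec.tls is
# defined for. It carries exactly the keys tls.crt and tls.key that the
# original "generic --from-file" secret had, so the Deployment volume mount
# and the Ingress tls.secretName references are unchanged; kubectl also
# refuses a key that does not match the certificate.
kubectl -n kube-system create secret tls traefik-cert --cert=tls.crt --key=tls.key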
创建traefik.toml文件引用上面创建的证书
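# traefik.toml — Traefik 1.x static configuration, loaded from the
# traefik-conf ConfigMap via --configfile=/config/traefik.toml.
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    # Every plaintext request is answered with a redirect to the https
    # entrypoint, so nothing is served over cleartext.
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
    # Refuse TLS 1.0/1.1 clients explicitly instead of relying on the
    # build's default minimum.
    minVersion = "VersionTLS12"
      # Default certificate, read from the traefik-cert Secret that the
      # Deployment mounts at /root/k8s/ingress-tls (keys tls.crt / tls.key).
      # It is self-signed, so clients will warn unless they trust tls.crt.
      [[entryPoints.https.tls.certificates]]
      CertFile = "/root/k8s/ingress-tls/tls.crt"
      KeyFile = "/root/k8s/ingress-tls/tls.key"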
将traefik创建为configmap
# Ship traefik.toml to the cluster as a ConfigMap; the Deployment mounts it
# under /config. (Re-running after edits needs `kubectl delete configmap`
# first, or use `kubectl create ... --dry-run=client -o yaml | kubectl apply -f -`.)
kubectl -n kube-system create configmap traefik-conf --from-file=traefik.toml
修改traefik.yaml
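# traefik.yaml (TLS variant) — Traefik 1.x ingress controller driven by the
# traefik-conf ConfigMap (HTTP->HTTPS redirect, default certificate from the
# traefik-cert Secret), plus the NodePort Service in front of it.
apiVersion: apps/v1          # extensions/v1beta1 Deployment was removed in Kubernetes 1.16
kind: Deployment
metadata:
  name: traefik-ingress-lb
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 2
  selector:                  # required by apps/v1; must match the pod template labels
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
      name: traefik-ingress-lb
    spec:
      restartPolicy: Always
      # RBAC identity from rbac.yaml.
      serviceAccountName: traefik-ingress
      volumes:
        # The Secret's tls.crt / tls.key entries become files at the mount
        # path that traefik.toml points at.
        - name: ssl
          secret:
            secretName: traefik-cert
        - name: config
          configMap:
            name: traefik-conf
      containers:
        # "emilevauge" is a mutable tag on an HTTP registry; pin a digest
        # (image@sha256:...) once the mirrored image has been verified.
        - image: 192.168.100.87:80/traefik:emilevauge
          name: traefik-ingress-lb
          volumeMounts:
            - mountPath: "/root/k8s/ingress-tls"
              name: "ssl"
              readOnly: true
            - mountPath: "/config"
              name: "config"
              readOnly: true
          ports:
            # hostPorts bind :81 and :443 on every node running a replica, so
            # two replicas cannot share a node.
            - name: http
              containerPort: 80
              hostPort: 81
            # 443 is reachable only through this hostPort: the Service below
            # does not publish it.
            - name: https
              containerPort: 443
              hostPort: 443
            # Unauthenticated dashboard + REST API (see --api/--web).
            - name: admin
              containerPort: 8080
          args:
            - --configfile=/config/traefik.toml
            - --api
            # --web is the older spelling of --api in Traefik 1.x; kept as in
            # the original manifest.
            - --web
            - --kubernetes
---
# NodePort Service for the plaintext proxy port and the admin port. The admin
# NodePort exposes the unauthenticated dashboard/API on every node; restrict
# or remove it outside a lab. HTTPS (443) is not part of this Service.
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
  type: NodePort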
# Roll out the TLS-enabled Deployment (the pods are recreated and pick up the
# Secret and ConfigMap volumes).
kubectl apply --filename traefik.yaml
在 ingress.yaml 和 ingress-default.yaml 中分别添加 spec.tls，引用上面创建的 traefik-cert Secret。注意：Ingress 的 tls.secretName 只能引用与该 Ingress 同命名空间的 Secret，而 traefik-cert 创建在 kube-system，ingress-default.yaml 所在的是 default 命名空间，因此第二个 Ingress 需要在 default 中也创建同名 Secret，否则 Traefik 找不到它，只能回退到 traefik.toml 里配置的默认证书。
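# ingress.yaml (TLS variant) — dashboard/API on ingress.test.com, now with a
# per-host certificate taken from the traefik-cert Secret in kube-system
# (same namespace as this Ingress, as tls.secretName requires).
#
# TLS does not add authentication: the dashboard/API is still open to anyone
# reaching the node with this Host header. Lab use only; otherwise add the
# Traefik 1.x basic-auth annotations (ingress.kubernetes.io/auth-type: basic
# + ingress.kubernetes.io/auth-secret) or do not create this Ingress.
apiVersion: extensions/v1beta1   # removed in Kubernetes 1.22 (networking.k8s.io/v1 there)
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  tls:
    - secretName: traefik-cert
  rules:
    - host: ingress.test.com
      http:
        paths:
          - backend:
              serviceName: traefik-ingress-service
              servicePort: admin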
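# ingress-default.yaml (TLS variant) — ingress.test2.com/ to kube-node-service.
#
# tls.secretName is resolved in THIS Ingress's namespace (default, since none
# is set), but traefik-cert was created in kube-system. Either create the
# same Secret in default (`kubectl -n default create secret tls traefik-cert
# --cert=tls.crt --key=tls.key`) or expect Traefik to log a missing-secret
# error and serve the default certificate from traefik.toml instead.
apiVersion: extensions/v1beta1   # removed in Kubernetes 1.22 (networking.k8s.io/v1 there)
kind: Ingress
metadata:
  name: traefik-web-ui-default
  # namespace: default
  annotations:
    kubernetes.io/ingress.class: "traefik"
spec:
  tls:
    - secretName: traefik-cert
  rules:
    - host: ingress.test2.com
      http:
        paths:
          - path: /
            backend:
              serviceName: kube-node-service
              servicePort: 8080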
访问 https://ingress.test.com 和 https://ingress.test2.com/index（443 走的是 Deployment 中的 hostPort 443，请求必须到达运行 Traefik Pod 的节点；证书是自签名的，浏览器会提示不安全；访问 http://…:81 会被 traefik.toml 中的 redirect 规则跳转到 https）。