Earlier we deployed kubernetes/ingress-nginx as the Ingress Controller: it uses Nginx for reverse proxying and load balancing, and the controller continuously talks to the Kubernetes API to pick up changes to backend Services, Pods and so on, then dynamically rewrites the Nginx configuration and reloads it so the changes take effect. Traefik is a lightweight HTTP reverse proxy and load balancer written in Go. Because it can configure and refresh backend nodes automatically, it is supported by most container platforms and components, such as Docker, Swarm mode, Kubernetes, Consul, Etcd, Rancher and Eureka. Traefik was designed to interact with the Kubernetes API in real time, notice changes to backend Services and Pods, update its configuration and hot-reload it. In use it is much the same as ingress-nginx, but Traefik is faster and more convenient, supports more features, and makes reverse proxying and load balancing more direct and efficient.
Traefik features
Dynamic configuration with no service restart
Multiple load-balancing algorithms
Let's Encrypt support (including wildcard certificates) to serve your microservices over HTTPS
Circuit breakers and retries
High availability in cluster mode
A clean web UI
WebSocket, HTTP/2 and gRPC support
Metrics exporters (Rest, Prometheus, Datadog, StatsD, InfluxDB)
Access logs (JSON, CLF)
Fast
REST API
Packaged as a single binary and shipped as a Docker image
Deploy Traefik
All the configuration files can be found in the official GitHub repository; following the official documentation is enough.
Role Based Access Control configuration (Kubernetes 1.6+ only)
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
$ kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-rbac.yaml
Deploy Traefik using a Deployment or DaemonSet
A DaemonSet creates a Pod on every Node, whereas a Deployment runs a replica count that you choose (decided by actual needs); here Traefik is deployed as a DaemonSet.
Deploy Traefik (with hostNetwork: true set)
# https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-ds.yaml
vi traefik-ds.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      hostNetwork: true
      restartPolicy: Always
      containers:
        - image: traefik
          name: traefik-ingress-lb
          ports:
            - name: http
              containerPort: 80
              hostPort: 80
            - name: admin
              containerPort: 8080
              hostPort: 8080
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          args:
            - --api
            - --kubernetes
            - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
Deploy and check
$ kubectl apply -f traefik-ds.yaml
serviceaccount/traefik-ingress-controller unchanged
daemonset.extensions/traefik-ingress-controller configured
service/traefik-ingress-service unchanged
$ kubectl apply -f traefik-ds.yaml
serviceaccount/traefik-ingress-controller unchanged
daemonset.extensions/traefik-ingress-controller unchanged
service/traefik-ingress-service unchanged
[root@kubernetes-master k8s]# kubectl -n kube-system get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE
traefik-ingress-controller-6fk9n 1/1 Running 0 41m 10.38.0.0 kubernetes-node-2 <none>
traefik-ingress-controller-f7kmc 1/1 Running 0 41m 10.40.0.1 kubernetes-node-1 <none>
Note: because hostNetwork: true was set, ports 80 and 8080 are now open on every Node; 80 serves normal traffic and 8080 is the built-in UI.
Check the open ports on a Node
$ netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp6 0 0 :::8080 :::* LISTEN 10253/traefik
tcp6 0 0 :::80 :::* LISTEN 10253/traefik
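Two settings in the manifests above deserve a second look from an operator: the ClusterRole grants read access to every Secret in the cluster (needed for TLS secrets, but cluster-wide), and the DaemonSet publishes the admin port 8080 on every Node with --api enabled. The following check is an added example, not part of the original post or of Traefik itself: it runs over the JSON form of those manifests (the shape printed by kubectl get <kind> <name> -n kube-system -o json) and reports both conditions. The embedded documents are constructed from the manifests shown above; the set of write verbs and the use of the port name "admin" to identify the dashboard port are this example's assumptions.

```python
"""Lint Traefik RBAC and DaemonSet manifests for risky exposure settings.

Added example, not part of the original post. Input is the JSON form of the
manifests (what `kubectl get <kind> <name> -n kube-system -o json` prints);
the documents below are constructed from the manifests shown in the post.
"""
import json

# Constructed from the post's ClusterRole: read-only access to services,
# endpoints, secrets and ingresses.
CLUSTER_ROLE_JSON = """
{
  "kind": "ClusterRole",
  "metadata": {"name": "traefik-ingress-controller"},
  "rules": [
    {"apiGroups": [""], "resources": ["services", "endpoints", "secrets"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions"], "resources": ["ingresses"],
     "verbs": ["get", "list", "watch"]}
  ]
}
"""

# Constructed from the post's DaemonSet: hostNetwork with the admin port 8080
# published on every node and the API enabled.
DAEMONSET_JSON = """
{
  "kind": "DaemonSet",
  "metadata": {"name": "traefik-ingress-controller", "namespace": "kube-system"},
  "spec": {"template": {"spec": {
    "hostNetwork": true,
    "containers": [{
      "name": "traefik-ingress-lb",
      "image": "traefik",
      "ports": [{"name": "http", "containerPort": 80, "hostPort": 80},
                {"name": "admin", "containerPort": 8080, "hostPort": 8080}],
      "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
      "args": ["--api", "--kubernetes", "--logLevel=INFO"]
    }]
  }}}
}
"""

# Assumption: these verbs let a subject change cluster state.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}


def check_cluster_role(role):
    """Return findings for rules that go beyond what an ingress controller needs."""
    findings = []
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = rule.get("resources", [])
        if verbs & WRITE_VERBS:
            findings.append(f"write verbs {sorted(verbs & WRITE_VERBS)} on {resources}")
        if "secrets" in resources or "*" in resources:
            # Required for TLS secrets, but it is a cluster-wide read of every Secret.
            findings.append("cluster-wide read access to secrets")
    return findings


def check_daemonset(ds):
    """Return findings for host-network exposure of the admin API."""
    findings = []
    pod_spec = ds["spec"]["template"]["spec"]
    host_net = pod_spec.get("hostNetwork", False)
    for c in pod_spec.get("containers", []):
        args = c.get("args", [])
        api_on = any(a == "--api" or a.startswith("--api=") for a in args)
        for p in c.get("ports", []):
            # Assumption: the dashboard/API port is the one named "admin".
            if p.get("name") == "admin" and (host_net or "hostPort" in p):
                port = p.get("hostPort", p.get("containerPort"))
                findings.append(f"admin port {port} bound on every node")
                if api_on:
                    findings.append("--api enabled: dashboard/API reachable on that port")
        if not c.get("securityContext", {}).get("capabilities", {}).get("drop"):
            findings.append(f"container {c.get('name')} does not drop capabilities")
    return findings


def lint(documents):
    """Run the kind-specific check on each manifest; key the report by kind/name."""
    checkers = {"ClusterRole": check_cluster_role, "DaemonSet": check_daemonset}
    report = {}
    for doc in documents:
        checker = checkers.get(doc.get("kind"))
        if checker:
            report[f"{doc['kind']}/{doc['metadata']['name']}"] = checker(doc)
    return report


def load_page_manifests():
    """Parse the constructed JSON documents above."""
    return [json.loads(CLUSTER_ROLE_JSON), json.loads(DAEMONSET_JSON)]


if __name__ == "__main__":
    for name, findings in lint(load_page_manifests()).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run against the page's own manifests it reports the Secret read rule and the admin port on every Node; the capability drop is present and so is not flagged. To check a live cluster, replace the constructed strings with the output of kubectl get ... -o json.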
Expose the Traefik Web UI via an Ingress
# https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/ui.yaml
vi traefik-web-ui.yaml
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - name: web
      port: 80
      targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
    - host: traefik-ui.com
      http:
        paths:
          - backend:
              serviceName: traefik-web-ui
              servicePort: 80
Deploy and check
$ kubectl apply -f traefik-web-ui.yaml
service/traefik-web-ui created
ingress.extensions/traefik-web-ui created
$ kubectl get ingress -o wide --all-namespaces
NAMESPACE NAME HOSTS ADDRESS PORTS AGE
kube-system traefik-web-ui traefik-ui.com 80 18s
Configure the hosts file
172.23.216.49 k8s.dashboard.com
172.23.216.49 traefik-ui.com
Open http://traefik-ui.com/dashboard/; the request is forwarded through port 80.
Deploy a sample application
Below, a sample application is deployed, using Nginx as the example:
vi nginx-deployment.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
  # A Service has no pod template: the namespace and labels belong under metadata.
  namespace: default
  labels:
    name: nginx-svc
spec:
  selector:
    run: nginx-pod
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: nginx-pod
spec:
  replicas: 4
  template:
    metadata:
      labels:
        run: nginx-pod
    spec:
      containers:
        - name: nginx
          image: nginx:1.15.5
          ports:
            - containerPort: 80
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ngx-ing
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
    - host: k8s.nginx.com
      http:
        paths:
          - backend:
              serviceName: nginx-svc
              servicePort: 80
Deploy and check
$ kubectl apply -f nginx-deployment.yaml
$ kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
default nginx-pod-5b5bc94455-ndcl6 1/1 Running 0 18m
default nginx-pod-5b5bc94455-nptm5 1/1 Running 0 18m
default nginx-pod-5b5bc94455-ptvzp 1/1 Running 0 18m
default nginx-pod-5b5bc94455-vw667 1/1 Running 0 18m
Edit the hosts file
172.23.216.49 k8s.dashboard.com
172.23.216.49 traefik-ui.com
172.23.216.49 k8s.nginx.com
Then open k8s.nginx.com; the Traefik UI shows the backend with its 4 Pods.
HTTPS certificate configuration
Generate a self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=traefik-ui.com"
kubectl -n kube-system create secret tls traefik-ui-tls-cert --key=tls.key --cert=tls.crt
Configuration
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
    - host: traefik-ui.com
      http:
        paths:
          - backend:
              serviceName: traefik-web-ui
              servicePort: 80
  tls:
    - secretName: traefik-ui-tls-cert
Automatic circuit breaking
When a service in the cluster produces a large number of request errors, responds too slowly, or returns 500+ status codes, we want it removed from rotation automatically, that is, requests are no longer forwarded to it, without anyone having to intervene. Traefik makes this easy to configure: it can trip a circuit breaker on a service according to a defined policy.
Examples:
NetworkErrorRatio() > 0.6: trip when the service's error rate reaches 60%
LatencyAtQuantileMS(60.0) > 60: trip when latency (at the 60th percentile) exceeds 60 ms
ResponseCodeRatio(500, 600, 0, 600) > 0.5: trip when responses with status codes in [500-600] make up more than 50% of those in [0-600]
Example
apiVersion: v1
kind: Service
metadata:
  name: wensleydale
  annotations:
    traefik.backend.circuitbreaker: "NetworkErrorRatio() > 0.6"
    # The annotation key may appear only once per Service; to use the latency rule instead:
    # traefik.backend.circuitbreaker: "LatencyAtQuantileMS(60.0) > 2000"  # trip above 2 seconds
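To reason about where these thresholds bite, it helps to compute the three expressions over a window of observed requests. The following is an added example, not Traefik's own implementation: it evaluates NetworkErrorRatio(), LatencyAtQuantileMS(q) and ResponseCodeRatio(a, b, c, d) over a constructed sample window and reports which of the three rules above would trip. It assumes a nearest-rank percentile and half-open status-code intervals [a, b) and [c, d); the sample window is constructed for the example.

```python
"""Evaluate the three circuit-breaker expressions from the post over a window
of backend observations.

Added example, not Traefik's own code: it reproduces the meaning of
NetworkErrorRatio(), LatencyAtQuantileMS(q) and ResponseCodeRatio(a, b, c, d)
so the thresholds can be reasoned about. Assumptions: nearest-rank percentile,
half-open status intervals. The sample window is constructed.
"""
import math
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Observation:
    status: Optional[int]  # None: no HTTP response at all (network error)
    latency_ms: float


def network_error_ratio(window: List[Observation]) -> float:
    """Fraction of requests that failed before any HTTP response arrived."""
    if not window:
        return 0.0
    errors = sum(1 for o in window if o.status is None)
    return errors / len(window)


def latency_at_quantile_ms(window: List[Observation], q: float) -> float:
    """Latency at the q-th percentile (q in 0..100), nearest-rank method."""
    if not window:
        return 0.0
    lat = sorted(o.latency_ms for o in window)
    rank = max(1, math.ceil(q * len(lat) / 100.0))
    return lat[rank - 1]


def response_code_ratio(window: List[Observation], a: int, b: int, c: int, d: int) -> float:
    """Share of responses with status in [a, b) among those with status in [c, d)."""
    num = sum(1 for o in window if o.status is not None and a <= o.status < b)
    den = sum(1 for o in window if o.status is not None and c <= o.status < d)
    return num / den if den else 0.0


def evaluate(window: List[Observation]) -> dict:
    """Return, for each of the post's three rules, whether it would trip on this window."""
    return {
        "NetworkErrorRatio() > 0.6": network_error_ratio(window) > 0.6,
        "LatencyAtQuantileMS(60.0) > 60": latency_at_quantile_ms(window, 60.0) > 60,
        "ResponseCodeRatio(500, 600, 0, 600) > 0.5":
            response_code_ratio(window, 500, 600, 0, 600) > 0.5,
    }


def sample_window() -> List[Observation]:
    """Constructed window: 10 requests, 2 network errors, 5 server errors, 3 healthy."""
    return [
        Observation(None, 1500.0), Observation(None, 1500.0),
        Observation(500, 80.0), Observation(502, 95.0), Observation(503, 120.0),
        Observation(500, 70.0), Observation(504, 300.0),
        Observation(200, 20.0), Observation(200, 25.0), Observation(204, 30.0),
    ]


if __name__ == "__main__":
    w = sample_window()
    print(f"NetworkErrorRatio()             = {network_error_ratio(w):.3f}")
    print(f"LatencyAtQuantileMS(60.0)       = {latency_at_quantile_ms(w, 60.0):.1f}")
    print(f"ResponseCodeRatio(500,600,0,600) = {response_code_ratio(w, 500, 600, 0, 600):.3f}")
    for rule, tripped in evaluate(w).items():
        print(f"{rule}: {'TRIP' if tripped else 'ok'}")
```

On the constructed window only 20% of requests are network errors, so the first rule stays closed, while the 60th-percentile latency (95 ms) and the 5xx share (5 of 8 responses) trip the other two; a network-error rule alone would therefore miss a backend that answers every request with a 5xx.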