k8s-traefik

VIP文章西幻001

已于 2023-07-14 16:27:04 修改

阅读量269

点赞数

文章标签： kubernetes 容器云原生

于 2023-07-13 10:57:48 首次发布

本文链接：https://blog.csdn.net/weixin_44257754/article/details/131696192

版权

traefik部署

环境：
kuberbetes版本:v1.25.0
traefik: v2.10
k8s版本不同，资源配置文件格式可能不同（如apiversion）

traefik要点
ingress与ingressroute功能相同，都是根据域名路由到对应的service，前者是k8s官方做的，后者是traefik官方做的
traefik有四个基本概念

EntryPoints(traefik的80,443端口等)
Routers(ingress或者ingressroute)
Middlewares中间件(日志记录，重定向，限流，身份验证，自定义中间件等)
Services（指traefik服务）

traefik请求流程

1.traefik官网部署
创建traefik部署目录

mkdir -p traefik_office
cd traefik_office

创建rbac
注意：
clusterrle与clusterrolebinding没有namespace；serviceaccount有namespace，跨namespace不可用
clusterrole权限可能不够，根据提示添加apigroups即可

cat traefik_rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik-ingress-controller
rules:
- apiGroups:
  - ""
  resources:
  - services
  - endpoints
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  - networking.k8s.io
  resources:
  - ingresses
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:     #权限不足添加
  - traefik.io
  resources:
  - ingressroutes
  - ingressroutetcps
  - ingressrouteudps
  - middlewares
  - middlewaretcps
  - tlsoptions
  - tlsstores
  - traefikservices
  - serverstransports
  verbs:
  - get
  - list
  - watch
- apiGroups:   #权限不足添加
  - traefik.containo.us
  resources:
  - ingressroutes
  - ingressroutetcps
  - ingressrouteudps
  - middlewares
  - middlewaretcps
  - tlsoptions
  - tlsstores
  - traefikservices
  - serverstransports
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system

创建traefik daemonset文件
注意：

该文件里资源未指定namespace，部署时需指定namespace，否则部署在default命名空间
hostport方式暴露Traefik容器的80，443端口至宿主机，用作转发

cat traefik.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller

---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: traefik
  labels:
    app: traefik

spec:
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      containers:
        - name: traefik
          image: traefik:v2.10
          args:
            - --log.level=INFO
            - --api
            - --api.insecure
            - --entrypoints.web.address=:80
            - --entrypoints.websecure.Address=:443
            - --providers.kubernetesingress
          ports:
            - name: web
              containerPort: 80
              hostPort: 80  # [增加] 暴露Traefik容器的80端口至节点[HTTP转发]
            - name: websecure  # [增加] 增加HTTPS转发的支持[选用]
              containerPort: 443 # [增加] Traefik容器上使用的端口[对应上面的配置][选用]
              hostPort: 443 # [增加] 暴露Traefik容器的443端口至节点[HTTPS转发]
            - name: admin # [增加] 实际上加不加也可以
              containerPort: 8080 # [增加] 这是Traefik的DashBoard访问端口
              hostPort: 8080  # [增加] 暴露Tracfik容器的8080端口至节点[尽量别使用，可以后期通用转发实现访问][选用]

---
apiVersion: v1
kind: Service  #此service实际用不到，80已经以hostport方式暴露至宿主机
metadata:
  name: traefik
spec:
  type: LoadBalancer  
  selector:
    app: traefik
  ports:
    - protocol: TCP
      port: 80
      name: web
      targetPort: 80

部署traefik

kubectl apply -f traefik_rbac.yaml && kubectl apply -f traefik.yaml

至此traefik部署完成，下面配置以域名访问traefik后台服务（配置其他服务相似）
创建traefik后台service

cat traefik_dashboard.yaml
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    app: traefik
  ports:
  - name: web
    port: 80
    targetPort: 8080

创建traefik后台service对应ingress

cat traefik_ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
       kubernetes.io/ingress.class: "traefik" #至关重要
spec:
  rules:
  - host: www.traefik.com					# 这里换成自己的域名(实验环境模拟一个就OK)
    http:
      paths:
      - backend:
          service:
            name: traefik-web-ui
            port:
              number: 80
        path: /
        pathType: Prefix

kubectl apply -f traefik_dashboard.yaml && kubectl apply -f traefik_ingress.yaml

查看ingreess资源及service

kubectl get service,ingress -n kube-system

本次在内网环境，需在hosts文件做对应的域名解释（解析到traefik pod所在宿主机）

cat /etc/hosts
192.168.40.210 www.traefik.com

测试域名访问

root@abm40210:~/traefik# curl -L www.traefik.com
<!DOCTYPE html><html><head><title>Traefik</title><meta charset=utf-8><meta name=description content="Traefik UI"><meta name=format-detection content="telephone=no"><meta name=msapplication-tap-highlight content=no><meta name=viewport content="user-scalable=no,initial-scale=1,maximum-scale=1,minimum-scale=1,width=device-width"><link rel=icon type=image/png href=statics/app-logo-128x128.png><link rel=icon type=image/png sizes=16x16 href=statics/icons/favicon-16x16.png><link rel=icon type=image/png sizes=32x32 href=statics/icons/favicon-32x32.png><link rel=icon type=image/png sizes=96x96 href=statics/icons/favicon-96x96.png>

最低0.47元/天解锁文章

西幻001

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
1
评论
k8s-traefik

本次在内网环境，需在hosts文件做对应的域名解释（解析到traefik pod所在宿主机）至此traefik部署完成，下面配置以域名访问traefik后台服务（配置其他服务相似）k8s版本不同，资源配置文件格式可能不同（如apiversion）创建traefik后台service对应ingress。创建traefik daemonset文件。kuberbetes版本:v1.25.0。创建traefik后台service。1.traefik官网部署。创建traefik部署目录。资源的namespace。
复制链接

扫一扫