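Traefik deployment
Environment:
Kubernetes version: v1.25.0
Traefik: v2.10
Resource manifest formats (for example apiVersion) may differ between Kubernetes versions.
Traefik key points
Ingress and IngressRoute do the same job: both route requests to the matching Service based on the domain name. The former comes from the Kubernetes project, the latter from the Traefik project.
Traefik has four basic concepts:
- EntryPoints (Traefik's ports 80, 443 and so on)
- Routers (Ingress or IngressRoute)
- Middlewares (logging, redirects, rate limiting, authentication, custom middleware and so on)
- Services (the Traefik service)
Traefik request flow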
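1. Deploying Traefik following the official site
Create the Traefik deployment directory
```bash
mkdir -p traefik_office
cd traefik_office
```
Create the RBAC resources
Note:
ClusterRole and ClusterRoleBinding are not namespaced; a ServiceAccount is namespaced and cannot be used across namespaces.
The ClusterRole may not grant enough permissions; add the apiGroups named in the error message.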
cat traefik_rbac.yaml
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups: # added because permissions were insufficient
      - traefik.io
    resources:
      - ingressroutes
      - ingressroutetcps
      - ingressrouteudps
      - middlewares
      - middlewaretcps
      - tlsoptions
      - tlsstores
      - traefikservices
      - serverstransports
    verbs:
      - get
      - list
      - watch
  - apiGroups: # added because permissions were insufficient
      - traefik.containo.us
    resources:
      - ingressroutes
      - ingressroutetcps
      - ingressrouteudps
      - middlewares
      - middlewaretcps
      - tlsoptions
      - tlsstores
      - traefikservices
      - serverstransports
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
```
Create the Traefik DaemonSet file
Note:
- The resources in this file do not specify a namespace; specify one when deploying, otherwise they are created in the default namespace.
- hostPort exposes the Traefik container's ports 80 and 443 on the host for forwarding.
cat traefik.yaml
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: traefik
  labels:
    app: traefik
spec:
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      containers:
        - name: traefik
          image: traefik:v2.10
          args:
            - --log.level=INFO
            - --api
            - --api.insecure
            - --entrypoints.web.address=:80
            - --entrypoints.websecure.Address=:443
            - --providers.kubernetesingress
          ports:
            - name: web
              containerPort: 80
              hostPort: 80          # [added] expose the Traefik container's port 80 on the node [HTTP forwarding]
            - name: websecure       # [added] support for HTTPS forwarding [optional]
              containerPort: 443    # [added] port used in the Traefik container [matches the entrypoint above] [optional]
              hostPort: 443         # [added] expose the Traefik container's port 443 on the node [HTTPS forwarding]
            - name: admin           # [added] works with or without this entry
              containerPort: 8080   # [added] the Traefik dashboard port
              hostPort: 8080        # [added] expose the Traefik container's port 8080 on the node [avoid if possible; access can be provided later through normal forwarding] [optional]
---
apiVersion: v1
kind: Service # this Service is not actually used; port 80 is already exposed on the host via hostPort
metadata:
  name: traefik
spec:
  type: LoadBalancer
  selector:
    app: traefik
  ports:
    - protocol: TCP
      port: 80
      name: web
      targetPort: 80
```
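The two notes above (a ClusterRoleBinding subject pinned to kube-system while the ServiceAccount carries no namespace, and the dashboard port published through hostPort together with `--api.insecure`) can be checked before `kubectl apply`. This is an added example, not part of the original page or of Traefik: `audit`, `apply_ns` and `SAMPLE` are hypothetical names, the sample is a constructed, abridged copy of the manifests above, and the regex checks assume that flat layout rather than parsing YAML in general.

```python
import re

# Constructed sample: the page's traefik_rbac.yaml and traefik.yaml, abridged to the checked fields.
SAMPLE = """\
kind: ClusterRoleBinding
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
---
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
---
kind: DaemonSet
spec:
  template:
    spec:
      containers:
        - args:
            - --api.insecure
          ports:
            - containerPort: 8080
              hostPort: 8080
"""

def audit(text, apply_ns="default"):
    """Findings for manifests applied with `kubectl apply -n apply_ns` (hypothetical helper)."""
    findings, sa_ns, subjects = [], {}, []
    for doc in re.split(r"(?m)^---[ \t]*$", text):
        kind = re.search(r"(?m)^kind:\s*(\w+)", doc)
        kind = kind.group(1) if kind else ""
        if kind == "ServiceAccount":
            name = re.search(r"(?m)^  name:\s*(\S+)", doc).group(1)
            ns = re.search(r"(?m)^  namespace:\s*(\S+)", doc)
            sa_ns[name] = ns.group(1) if ns else apply_ns  # no namespace: takes the -n value
        elif kind == "ClusterRoleBinding":  # assumes kind/name/namespace key order, as on the page
            subjects += re.findall(
                r"kind:\s*ServiceAccount\s+name:\s*(\S+)\s+namespace:\s*(\S+)", doc)
        elif kind in ("DaemonSet", "Deployment"):
            insecure = re.search(r"(?m)^\s*-\s*--api\.insecure(=true)?\s*$", doc)
            if insecure:
                findings.append("api.insecure: dashboard/API on :8080 without auth")
            if insecure and "8080" in re.findall(r"hostPort:\s*(\d+)", doc):
                findings.append("hostPort 8080: dashboard port published on node IPs")
    for name, ns in subjects:
        if sa_ns.get(name, ns) != ns:
            findings.append(f"binding targets {ns}/{name}, ServiceAccount is in {sa_ns[name]}")
    return findings
```

Calling `audit(SAMPLE, apply_ns="kube-system")` drops the binding finding; the two dashboard findings remain until `--api.insecure` is removed from the args.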
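Deploy Traefik
```bash
# traefik.yaml sets no namespace; -n kube-system matches the ClusterRoleBinding subject
kubectl apply -f traefik_rbac.yaml && kubectl apply -n kube-system -f traefik.yaml
```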
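Traefik is now deployed. Next, configure access to the Traefik dashboard service by domain name (other services are configured in a similar way).
Create the Traefik dashboard Service
cat traefik_dashboard.yaml
```yaml
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    app: traefik
  ports:
    - name: web
      port: 80
      targetPort: 8080
```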
Create the Ingress for the Traefik dashboard Service
cat traefik_ingress.yaml
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: "traefik" # essential
spec:
  rules:
    - host: www.traefik.com # replace with your own domain (a made-up one is fine in a lab environment)
      http:
        paths:
          - backend:
              service:
                name: traefik-web-ui
                port:
                  number: 80
            path: /
            pathType: Prefix
```
```bash
kubectl apply -f traefik_dashboard.yaml && kubectl apply -f traefik_ingress.yaml
```
View the Ingress resources and Services
```bash
kubectl get service,ingress -n kube-system
```
This setup is on an internal network, so the domain name must be mapped in the hosts file (resolving to the host that runs the Traefik pod).
cat /etc/hosts
```
192.168.40.210 www.traefik.com
```
Test access by domain name
```
root@abm40210:~/traefik# curl -L www.traefik.com
<!DOCTYPE html><html><head><title>Traefik</title><meta charset=utf-8><meta name=description content="Traefik UI"><meta name=format-detection content="telephone=no"><meta name=msapplication-tap-highlight content=no><meta name=viewport content="user-scalable=no,initial-scale=1,maximum-scale=1,minimum-scale=1,width=device-width"><link rel=icon type=image/png href=statics/app-logo-128x128.png><link rel=icon type=image/png sizes=16x16 href=statics/icons/favicon-16x16.png><link rel=icon type=image/png sizes=32x32 href=statics/icons/favicon-32x32.png><link rel=icon type=image/png sizes=96x96 href=statics/icons/favicon-96x96.png>
```