k8s practice 12: basic Traefik deployment (external access to Kubernetes business applications)

1.

Project site
https://docs.traefik.io/

Download the configuration files

wget  https://raw.githubusercontent.com/containous/traefik/v1.7/examples/k8s/traefik-rbac.yaml
wget  https://raw.githubusercontent.com/containous/traefik/v1.7/examples/k8s/traefik-deployment.yaml
wget  https://raw.githubusercontent.com/containous/traefik/v1.7/examples/k8s/traefik-ds.yaml
wget  https://raw.githubusercontent.com/containous/traefik/v1.7/examples/k8s/ui.yaml

[[email protected] traefik]# ls
traefik-deployment.yaml traefik-ds.yaml traefik-rbac.yaml ui.yaml

2.
Brief notes on the configuration files

[[email protected] traefik]# cat traefik-rbac.yaml
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
    - extensions
    resources:
    - ingresses/status
    verbs:
    - update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system
[[email protected] traefik]#

Defines the RBAC permissions of the ServiceAccount (sa) traefik-ingress-controller.

[[email protected] traefik]# cat traefik-deployment.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
        - name: admin
          containerPort: 8080
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
  type: NodePort
[[email protected] traefik]# 

Creates the sa traefik-ingress-controller.
Creates the svc, with type set to NodePort.
Creates the Deployment, with only one replica.

[[email protected] traefik]# cat traefik-ds.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: admin
          containerPort: 8080
          hostPort: 8080
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
[[email protected] traefik]# 

Creates the sa traefik-ingress-controller.
Creates the svc; here the type is not set to NodePort.
Creates a DaemonSet; unlike a Deployment, it creates one pod on every node.

[[email protected] traefik]# cat ui.yaml
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - name: web
    port: 80
    targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  rules:
  - host: traefik-ui.minikube
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: web
[[email protected] traefik]# 

This is just a svc for testing.

3.
Deployment

The deployment here uses:
traefik-rbac.yaml
traefik-ds.yaml
traefik-ds.yaml was modified to set the svc type to NodePort.

[[email protected] traefik]# kubectl apply -f traefik-ds.yaml
serviceaccount "traefik-ingress-controller" created
daemonset.extensions "traefik-ingress-controller" created
service "traefik-ingress-service" created
[[email protected] traefik]# kubectl apply -f traefik-rbac.yaml
clusterrole.rbac.authorization.k8s.io "traefik-ingress-controller" created
clusterrolebinding.rbac.authorization.k8s.io "traefik-ingress-controller" created
[[email protected] traefik]# 
[[email protected] traefik]# kubectl get svc,pod -n kube-system
NAME                              TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                     AGE
service/kube-dns                  ClusterIP   10.254.0.2       <none>        53/UDP,53/TCP               14d
service/kubernetes-dashboard      ClusterIP   10.254.64.196    <none>        443/TCP                     3h
service/traefik-ingress-service   NodePort    10.254.201.201   <none>        80:8437/TCP,8080:8950/TCP   1m

NAME                                        READY     STATUS    RESTARTS   AGE
pod/coredns-779ffd89bd-k6r7l                1/1       Running   8          14d
pod/kubernetes-dashboard-65c76f6c97-2b2qd   1/1       Running   0          3h
pod/traefik-ingress-controller-69962        1/1       Running   0          1m
pod/traefik-ingress-controller-6xf47        1/1       Running   0          1m
pod/traefik-ingress-controller-tshc9        1/1       Running   0          1m
pod/traefik-ingress-controller-zmpw2        1/1       Running   0          1m
[[email protected] traefik]# 

Open ip:8950 of any node in a browser to reach Traefik.

The page is blank, because no rules have been created or enabled yet.
Enable the test UI and take a look.

[[email protected] traefik]# kubectl apply -f ui.yaml
service "traefik-web-ui" created
ingress.extensions "traefik-web-ui" created
[[email protected] traefik]#

Create an httpd svc to test Traefik.

[[email protected] test]# cat httpd-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: httpd-svc
spec:
  ports:
  - port: 80
  selector:
    app: httpd-app
  type: NodePort

---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: httpd-app
spec:
  template:
    metadata:
      labels:
        app: httpd-app
    spec:
      containers:
      - image: httpd
        name: httpd-app
[[email protected] test]# kubectl apply -f httpd-svc.yaml
service "httpd-svc" created
deployment.apps "httpd-app" created
[[email protected] test]# 
[[email protected] test]# kubectl get svc,pod
NAME                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)       AGE
service/httpd-svc    NodePort    10.254.71.79     <none>        80:8763/TCP   45s

NAME                            READY     STATUS    RESTARTS   AGE
pod/httpd-app-bbcbfb6cd-96v28   1/1       Running   0          44s

Create the Traefik ingress rule

[[email protected] test]# kubectl apply -f httpd-svc-ingress.yaml
ingress.extensions "httpd-svc-ingress" created
[[email protected] test]# cat httpd-svc-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: httpd-svc-ingress
  namespace: default
spec:
  rules:
  - host: httpd-svc.ingress
    http:
      paths:
      - path: /
        backend:
          serviceName: httpd-svc
          servicePort: 80
[[email protected] test]# 

httpd-svc now shows up in the Traefik UI.

5.
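Exposing the Traefik service

The forwarding process through Traefik, shown as a diagram, see below:

Brief analysis:
k8s has many services, and we reach them through Traefik forwarding.
Traefik is already deployed and can discover the backend services.
But how do we reach Traefik itself?

Exposing the Traefik service
Compare the ways an ingress can be exposed:
1. Create a service, then assign an extIP to that service.
2. Run the pod in hostNetwork: true mode. The ports of all containers in the Pod are then mapped directly onto the physical host, so accessing a port on the host reaches the container's port directly.

Use method 2 to expose the service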

[[email protected] traefik]# cat traefik-ds.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      hostNetwork: true
      containers:
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: admin
          containerPort: 8080
          hostPort: 8080
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
  type: NodePort
[[email protected] traefik]# 

Note:

      hostNetwork: true

Re-run the command

[[email protected] traefik]# kubectl apply -f traefik-ds.yaml
serviceaccount "traefik-ingress-controller" unchanged
daemonset.extensions "traefik-ingress-controller" configured
service "traefik-ingress-service" unchanged
[[email protected] traefik]# 
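
A manifest check for the exposure the steps above create, added here as an example (it is not part of the original post or of the Traefik project): it flags hostNetwork, an unpinned image, the admin port 8080 reachable on node addresses or through a NodePort, and Secret read access in the ClusterRole. The `audit` function and the sample dictionaries are constructed for illustration from the fields shown in the manifests above.

```python
ADMIN_PORT = 8080  # port the page's manifests name "admin" (served by --api)

def audit(objs):
    """Return (kind/name, finding) tuples for a list of manifest dicts."""
    out = []
    for o in objs:
        ref = f'{o["kind"]}/{o["metadata"]["name"]}'
        if o["kind"] in ("DaemonSet", "Deployment"):
            pod = o["spec"]["template"]["spec"]
            host_net = pod.get("hostNetwork", False)
            if host_net:
                out.append((ref, "hostNetwork: pod shares the node's network namespace"))
            for c in pod["containers"]:
                # No tag or digest after the last path component means "latest".
                tail = c["image"].rsplit("/", 1)[-1]
                if ":" not in tail or tail.endswith(":latest"):
                    out.append((ref, f"image '{c['image']}' is not pinned"))
                args = c.get("args", [])
                # With hostNetwork every listener is on the node, declared or not.
                on_node = host_net or any(
                    p.get("hostPort") and p["containerPort"] == ADMIN_PORT
                    for p in c.get("ports", []))
                if ("--api" in args or "--api=true" in args) and on_node:
                    out.append((ref, f"admin port {ADMIN_PORT} listens on node addresses"))
        elif o["kind"] == "Service" and o["spec"].get("type") in ("NodePort", "LoadBalancer"):
            for p in o["spec"]["ports"]:
                # targetPort defaults to port; named targetPorts are not resolved here.
                if p.get("targetPort", p["port"]) == ADMIN_PORT:
                    out.append((ref, f"{o['spec']['type']} publishes admin port {ADMIN_PORT}"))
        elif o["kind"] == "ClusterRole":
            for r in o.get("rules") or []:
                if {"secrets", "*"} & set(r.get("resources", [])) and {"get", "list", "*"} & set(r["verbs"]):
                    out.append((ref, "rule can read Secrets (cluster-wide via ClusterRoleBinding)"))
    return out

# Constructed sample: only the relevant fields of the section-5 manifests.
DS = {"kind": "DaemonSet", "metadata": {"name": "traefik-ingress-controller"},
      "spec": {"template": {"spec": {"hostNetwork": True, "containers": [{
          "image": "traefik", "args": ["--api", "--kubernetes", "--logLevel=INFO"],
          "ports": [{"containerPort": 80, "hostPort": 80},
                    {"containerPort": 8080, "hostPort": 8080}]}]}}}}
SVC = {"kind": "Service", "metadata": {"name": "traefik-ingress-service"},
       "spec": {"type": "NodePort", "ports": [{"port": 80}, {"port": 8080}]}}
ROLE = {"kind": "ClusterRole", "metadata": {"name": "traefik-ingress-controller"},
        "rules": [{"resources": ["services", "endpoints", "secrets"],
                   "verbs": ["get", "list", "watch"]}]}

if __name__ == "__main__":
    for ref, finding in audit([DS, SVC, ROLE]):
        print(f"{ref}: {finding}")
```

The same function accepts the `items` list from `kubectl get ds,svc,clusterrole -n kube-system -o json`, so it can be run against a live cluster as well as against files.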

6.
Point the domain name at the IP of any node, and Traefik forwards the requests correctly.
Note that the domain name must be the host name in the ing rule.

 rules:
  - host: httpd-svc.ingress
    http:
      paths:
      - path: /
        backend:
          serviceName: httpd-svc
          servicePort: 80

Original article: https://blog.51cto.com/goome/2383324

Time: 2025-01-11 19:20:55
