kubernetes的Ingrss之Traefik

时间:March 25, 2019 分类:

目录:

traefik

github地址

traefix是一个Golang开源的轻量级http代理和负载均衡器,主要的优点可以自动watch获取service等对象变化,省略了nginx和haproxy需要维护与service的关系,非常值得一用

环境准备

安装一个单节点的kubernetes集群即可

# 安装docker
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo yum install -y docker-ce
systemctl enable docker && systemctl start docker
# 安装kubernetes
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
exclude=kube*
EOF
setenforce 0
sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes
systemctl enable kubelet && systemctl start kubelet
# 创建kubernetes集群
hostnamectl set-hostname k8s
kubeadm init --apiserver-advertise-address 10.202.0.10 --pod-network-cidr=10.244.0.0/16
# 创建flannel网络
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
# 删除master的taint
kubectl taint nodes --all node-role.kubernetes.io/master

查看pod运行情况

$ kubectl get pods --all-namespaces
NAMESPACE     NAME                          READY   STATUS    RESTARTS   AGE
kube-system   coredns-86c58d9df4-77p5m      1/1     Running   0          6m24s
kube-system   coredns-86c58d9df4-mcf2d      1/1     Running   0          6m24s
kube-system   etcd-k8s                      1/1     Running   0          5m30s
kube-system   kube-apiserver-k8s            1/1     Running   0          5m33s
kube-system   kube-controller-manager-k8s   1/1     Running   0          5m45s
kube-system   kube-flannel-ds-amd64-x8nq5   1/1     Running   0          2m38s
kube-system   kube-proxy-82nqv              1/1     Running   0          6m25s
kube-system   kube-scheduler-k8s            1/1     Running   0          5m23s

安装traefik

下载最新的代码

连接地址

$ wget https://github.com/containous/traefik/archive/v1.7.9.zip
$ unzip v1.7.9.zip 
$ cd traefik-1.7.9/examples/k8s/
$ kubectl apply -f traefik-rbac.yaml
clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller created
clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller created
$ kubectl get clusterrole traefik-ingress-controller
NAME                         AGE
traefik-ingress-controller   20s
$ kubectl apply -f traefik-ds.yaml 
serviceaccount/traefik-ingress-controller created
daemonset.extensions/traefik-ingress-controller created
service/traefik-ingress-service created
$ kubectl get ds -n kube-system traefik-ingress-controller
NAME                         DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
traefik-ingress-controller   1         1         1       1            1           <none>          4m51s

创建service,deployment和ingress对象

service和deployment的yaml

apiVersion: v1
kind: Service
metadata:
  name: service-v1
  labels:
    app: flaskapp
spec:
  selector:
    app: flaskapp
    version: v1
  ports:
    - name: http
      port: 80
      targetPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: service-v2
  labels:
    app: flaskapp
spec:
  selector:
    app: flaskapp
    version: v2
  ports:
    - name: http
      port: 80
      targetPort: 80
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: flaskapp-v1
spec:
  replicas: 1
  template: 
    metadata:
      labels:
        app: flaskapp
        version: v1
    spec:
      containers:
      - name: flaskapp
        image: dustise/flaskapp
        imagePullPolicy: IfNotPresent
        env:
        - name: version
          value: v1
        ports:
          - containerPort: 80

---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: flaskapp-v2
spec:
  replicas: 1 
  template: 
    metadata:
      labels:
        app: flaskapp
        version: v2
    spec:
      containers:
      - name: flaskapp
        image: dustise/flaskapp
        imagePullPolicy: IfNotPresent
        env:
        - name: version
          value: v2
        ports:
          - containerPort: 80

traefik的ingress的yaml

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-v1
  annotations:
    ingress.kubernetes.io/protocol: http
spec:
  rules:
  - host: v1.whysdomain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: service-v1
          servicePort: http
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-v2
  annotations:
    ingress.kubernetes.io/protocol: http
spec:
  rules:
  - host: v2.whysdomain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: service-v2
          servicePort: http

创建对象

$ kubectl apply -f test_svc.yaml
$ kubectl apply -f test_traefik.yaml
$ kubectl get endpoints
NAME         ENDPOINTS          AGE
kubernetes   10.202.0.10:6443   60m
service-v1   10.244.0.4:80      5m7s
service-v2   10.244.0.5:80      5m7s
[root@k8s ~]# kubectl get svc
NAME         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.96.0.1        <none>        443/TCP   71m
service-v1   ClusterIP   10.108.155.141   <none>        80/TCP    16m
service-v2   ClusterIP   10.97.100.35     <none>        80/TCP    16m
$ kubectl get ingress
NAME         HOSTS               ADDRESS   PORTS   AGE
traefik-v1   v1.whysdomain.com             80      2m51s
traefik-v2   v1.whysdomain.com             80      2m51s

检验服务

测试service

$ curl 10.108.155.141:80/env/version
v1
$ curl 10.97.100.35:80/env/version
v2

测试traefik

$ curl -H "Host: v1.whysdomain.com" 127.0.0.1/env/version
v1
$ curl -H "Host: v2.whysdomain.com" 127.0.0.1/env/version
v2

可以看到traefik完成了域名直接到service的映射

对于没有启用apiserver的ServerAccount

没有启动apiserver的ServerAccount,所以需要指定endpoint为http,加上KUBERNETES_SERVICE_HOSTKUBERNETES_SERVICE_PORT,参考官方文档

args:
- --api
- --kubernetes.endpoint=http://192.168.21.246:8080
- --loglevel=DEBUG
- --traefikLog.filePath=/var/log/traefik/traefik.log
- --traefikLog.format=json
- --accessLog.filePath=/var/log/traefik/access.log
- --accessLog.format=json
env:
- name: KUBERNETES_SERVICE_HOST
- name: KUBERNETES_SERVICE_PORT

traefik ui

$ kubectl apply -f traefik-1.7.9/examples/k8s/ui.yaml
service/traefik-web-ui created
ingress.extensions/traefik-web-ui created

我这边直接修改yaml为NodePort了,也可以通过修改ingress的host,然后通过域名访问

$ lsof -i:31000
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
kube-prox 12821 root    6u  IPv6 519069      0t0  TCP *:31000 (LISTEN)

就可以直接访问对应的31000端口了

traefik配置

kubernetes.io/ingress.class: traefik

Ingress声明,这里声明了ingress后端采用traefik实现,而不是nginx的controller

ingress.kubernetes.io/whitelist-source-range: "1.2.3.0/24, fe80::/16"

配置访问白名单,支持ipv4和ipv6

ingress.kubernetes.io/auth-type: basic

http认证模式,此处为basic模式

ingress.kubernetes.io/auth-secret: mysecret

basic认证的对应的username和password,这里对应的traefik所在kubernetes命名空间里的secrets

前端配置

traefik.frontend.rule.type: PathPrefixStrip

可以根据uri进行转发

traefik.frontend.priority: "3"

配置前端的权重,值越高则优先匹配

traefik.frontend.passHostHeader: "false"

关闭传入Hearder

traefik.protocol=https

使用https协议

traefik.frontend.entryPoints=http,https

同时支持http和https

后端配置

traefik.backend.loadbalancer.method=drr

后端Service的负载均衡策略,目前traefik支持的策略包括:wrr(加权轮训调度算法)和drr(动态加权循环调度算法)

traefik.backend.loadbalancer.stickiness=true

是否开启负载均衡器的session亲和性

traefik.backend.loadbalancer.stickiness.cookieName=NAME

手动配置后端session亲和性的cookie名称

traefik.backend.loadbalancer.sticky=true

弃用

健康检查

traefik.backend.healthcheck.path=/health

traefik的监控检查路径

traefik.backend.healthcheck.interval=5s

健康检查的时间间隔

traefik.backend.circuitbreaker: "NetworkErrorRatio() > 0.5"

监测某台节点上的服务错误率达到50%时,自动下线该节点。

traefik.backend.circuitbreaker: "LatencyAtQuantileMS(50.0) > 50"

监测某台节点上服务的延时大于50ms时,自动下线该节点。

traefik.backend.circuitbreaker: "ResponseCodeRatio(500, 600, 0, 600) > 0.5"

监测某台节点上服务返回状态码为[500-600]在[0-600]区间占比超过50%时,自动下线该节点。

配置参考简书

作者:Magine1989 链接:https://www.jianshu.com/p/1afe374f4333 来源:简书 简书著作权归作者所有,任何形式的转载都请联系作者获得授权并注明出处。