kubernetes的Ingrss之Traefik
目录:
traefik
traefix是一个Golang开源的轻量级http代理和负载均衡器,主要的优点可以自动watch获取service等对象变化,省略了nginx和haproxy需要维护与service的关系,非常值得一用
环境准备
安装一个单节点的kubernetes集群即可
# 安装docker
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo yum install -y docker-ce
systemctl enable docker && systemctl start docker
# 安装kubernetes
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
exclude=kube*
EOF
setenforce 0
sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes
systemctl enable kubelet && systemctl start kubelet
# 创建kubernetes集群
hostnamectl set-hostname k8s
kubeadm init --apiserver-advertise-address 10.202.0.10 --pod-network-cidr=10.244.0.0/16
# 创建flannel网络
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
# 删除master的taint
kubectl taint nodes --all node-role.kubernetes.io/master
查看pod运行情况
$ kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system coredns-86c58d9df4-77p5m 1/1 Running 0 6m24s
kube-system coredns-86c58d9df4-mcf2d 1/1 Running 0 6m24s
kube-system etcd-k8s 1/1 Running 0 5m30s
kube-system kube-apiserver-k8s 1/1 Running 0 5m33s
kube-system kube-controller-manager-k8s 1/1 Running 0 5m45s
kube-system kube-flannel-ds-amd64-x8nq5 1/1 Running 0 2m38s
kube-system kube-proxy-82nqv 1/1 Running 0 6m25s
kube-system kube-scheduler-k8s 1/1 Running 0 5m23s
安装traefik
下载最新的代码
$ wget https://github.com/containous/traefik/archive/v1.7.9.zip
$ unzip v1.7.9.zip
$ cd traefik-1.7.9/examples/k8s/
$ kubectl apply -f traefik-rbac.yaml
clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller created
clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller created
$ kubectl get clusterrole traefik-ingress-controller
NAME AGE
traefik-ingress-controller 20s
$ kubectl apply -f traefik-ds.yaml
serviceaccount/traefik-ingress-controller created
daemonset.extensions/traefik-ingress-controller created
service/traefik-ingress-service created
$ kubectl get ds -n kube-system traefik-ingress-controller
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
traefik-ingress-controller 1 1 1 1 1 <none> 4m51s
创建service,deployment和ingress对象
service和deployment的yaml
apiVersion: v1
kind: Service
metadata:
name: service-v1
labels:
app: flaskapp
spec:
selector:
app: flaskapp
version: v1
ports:
- name: http
port: 80
targetPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: service-v2
labels:
app: flaskapp
spec:
selector:
app: flaskapp
version: v2
ports:
- name: http
port: 80
targetPort: 80
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: flaskapp-v1
spec:
replicas: 1
template:
metadata:
labels:
app: flaskapp
version: v1
spec:
containers:
- name: flaskapp
image: dustise/flaskapp
imagePullPolicy: IfNotPresent
env:
- name: version
value: v1
ports:
- containerPort: 80
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: flaskapp-v2
spec:
replicas: 1
template:
metadata:
labels:
app: flaskapp
version: v2
spec:
containers:
- name: flaskapp
image: dustise/flaskapp
imagePullPolicy: IfNotPresent
env:
- name: version
value: v2
ports:
- containerPort: 80
traefik的ingress的yaml
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: traefik-v1
annotations:
ingress.kubernetes.io/protocol: http
spec:
rules:
- host: v1.whysdomain.com
http:
paths:
- path: /
backend:
serviceName: service-v1
servicePort: http
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: traefik-v2
annotations:
ingress.kubernetes.io/protocol: http
spec:
rules:
- host: v2.whysdomain.com
http:
paths:
- path: /
backend:
serviceName: service-v2
servicePort: http
创建对象
$ kubectl apply -f test_svc.yaml
$ kubectl apply -f test_traefik.yaml
$ kubectl get endpoints
NAME ENDPOINTS AGE
kubernetes 10.202.0.10:6443 60m
service-v1 10.244.0.4:80 5m7s
service-v2 10.244.0.5:80 5m7s
[root@k8s ~]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 71m
service-v1 ClusterIP 10.108.155.141 <none> 80/TCP 16m
service-v2 ClusterIP 10.97.100.35 <none> 80/TCP 16m
$ kubectl get ingress
NAME HOSTS ADDRESS PORTS AGE
traefik-v1 v1.whysdomain.com 80 2m51s
traefik-v2 v1.whysdomain.com 80 2m51s
检验服务
测试service
$ curl 10.108.155.141:80/env/version
v1
$ curl 10.97.100.35:80/env/version
v2
测试traefik
$ curl -H "Host: v1.whysdomain.com" 127.0.0.1/env/version
v1
$ curl -H "Host: v2.whysdomain.com" 127.0.0.1/env/version
v2
可以看到traefik完成了域名直接到service的映射
对于没有启用apiserver的ServerAccount
没有启动apiserver的ServerAccount,所以需要指定endpoint为http,加上KUBERNETES_SERVICE_HOST和KUBERNETES_SERVICE_PORT,参考官方文档
args:
- --api
- --kubernetes.endpoint=http://192.168.21.246:8080
- --loglevel=DEBUG
- --traefikLog.filePath=/var/log/traefik/traefik.log
- --traefikLog.format=json
- --accessLog.filePath=/var/log/traefik/access.log
- --accessLog.format=json
env:
- name: KUBERNETES_SERVICE_HOST
- name: KUBERNETES_SERVICE_PORT
traefik ui
$ kubectl apply -f traefik-1.7.9/examples/k8s/ui.yaml
service/traefik-web-ui created
ingress.extensions/traefik-web-ui created
我这边直接修改yaml为NodePort了,也可以通过修改ingress的host,然后通过域名访问
$ lsof -i:31000
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
kube-prox 12821 root 6u IPv6 519069 0t0 TCP *:31000 (LISTEN)
就可以直接访问对应的31000端口了
traefik配置
kubernetes.io/ingress.class: traefik
Ingress声明,这里声明了ingress后端采用traefik实现,而不是nginx的controller
ingress.kubernetes.io/whitelist-source-range: "1.2.3.0/24, fe80::/16"
配置访问白名单,支持ipv4和ipv6
ingress.kubernetes.io/auth-type: basic
http认证模式,此处为basic模式
ingress.kubernetes.io/auth-secret: mysecret
basic认证的对应的username和password,这里对应的traefik所在kubernetes命名空间里的secrets
前端配置
traefik.frontend.rule.type: PathPrefixStrip
可以根据uri进行转发
traefik.frontend.priority: "3"
配置前端的权重,值越高则优先匹配
traefik.frontend.passHostHeader: "false"
关闭传入Hearder
traefik.protocol=https
使用https协议
traefik.frontend.entryPoints=http,https
同时支持http和https
后端配置
traefik.backend.loadbalancer.method=drr
后端Service的负载均衡策略,目前traefik支持的策略包括:wrr(加权轮训调度算法)和drr(动态加权循环调度算法)
traefik.backend.loadbalancer.stickiness=true
是否开启负载均衡器的session亲和性
traefik.backend.loadbalancer.stickiness.cookieName=NAME
手动配置后端session亲和性的cookie名称
traefik.backend.loadbalancer.sticky=true
弃用
健康检查
traefik.backend.healthcheck.path=/health
traefik的监控检查路径
traefik.backend.healthcheck.interval=5s
健康检查的时间间隔
traefik.backend.circuitbreaker: "NetworkErrorRatio() > 0.5"
监测某台节点上的服务错误率达到50%时,自动下线该节点。
traefik.backend.circuitbreaker: "LatencyAtQuantileMS(50.0) > 50"
监测某台节点上服务的延时大于50ms时,自动下线该节点。
traefik.backend.circuitbreaker: "ResponseCodeRatio(500, 600, 0, 600) > 0.5"
监测某台节点上服务返回状态码为[500-600]在[0-600]区间占比超过50%时,自动下线该节点。
配置参考简书
作者:Magine1989 链接:https://www.jianshu.com/p/1afe374f4333 来源:简书 简书著作权归作者所有,任何形式的转载都请联系作者获得授权并注明出处。
