traefik基础部署记录

1.参考文档

http://traefik.cn/


2.traefik和ingress的对比


ingress:

使用nginx作为前端负载均衡,通过ingress controller不断的和kubernetes api交互,实时获取后端service,pod等的变化,然后动态更新nginx配置,并刷新使配置生效,达到服务发现的目的。


traefik:

traefik本身设计的就能够实时跟kubernetes api交互,感知后端service,pod等的变化,自动更新配置并重载。

traefik更快速方便,同时支持更多的特性,使反向代理,负载均衡更直接更高效。


3.部署traefik


下载包

[root@kubernetes1 ~]# git clone https://github.com/containous/traefik.git

如果没有git命令,用yum安装下


目录情况

[root@kubernetes1 ~]# ls |grep tra
traefik
[root@kubernetes1 ~]#
[root@kubernetes1 ~]# cd traefik/
[root@kubernetes1 traefik]# cd examples/
[root@kubernetes1 examples]# cd k8s
[root@kubernetes1 k8s]# ls
cheese-default-ingress.yaml  cheese-ingress.yaml   cheeses-ingress.yaml     traefik-ds.yaml    ui.yaml
cheese-deployments.yaml      cheese-services.yaml  traefik-deployment.yaml  traefik-rbac.yaml
[root@kubernetes1 k8s]# pwd
/root/traefik/examples/k8s
[root@kubernetes1 k8s]#

traefik/examples/k8s这个目录下就是traefik启动需要用到的yaml文件。实际一般只需要使用traefik-deployment.yaml  traefik-rbac.yaml


traefik-rbac.yaml

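创建ClusterRole和ClusterRoleBinding,对ServiceAccount traefik-ingress-controller进行授权(从下面的文件内容可以看到,ServiceAccount本身不在这个文件里,而是在traefik-deployment.yaml中创建)。注意这个ClusterRole包含对整个集群secrets的get/list/watch权限。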

简易说明:

Service Account它并不是给kubernetes集群的用户使用的,而是给pod里面的进程使用的,它为pod提供必要的身份认证。 

[root@kubernetes1 k8s]# cat traefik-rbac.yaml
---
# ClusterRole for the Traefik ingress controller: read-only (get/list/watch)
# access to the resources listed below. It is bound with a ClusterRoleBinding
# further down, so the grant applies in every namespace, not just kube-system.
# NOTE(review): rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes
# 1.22; current clusters use rbac.authorization.k8s.io/v1 for both objects.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      # NOTE(review): cluster-wide read access to Secrets. Any holder of this
      # ServiceAccount's token (for example a compromised Traefik pod) can read
      # every Secret in every namespace. Presumably granted so Traefik can load
      # TLS certificates referenced by Ingress objects (confirm). If Traefik
      # only serves a few namespaces, namespace-scoped Role/RoleBinding objects
      # keep this grant narrower.
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
# Binds the ClusterRole above to the ServiceAccount traefik-ingress-controller
# in kube-system. This file does not create that ServiceAccount; the binding
# only names it.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system

traefik-deployment.yaml

创建serviceaccount traefik-ingress-controller

配置文件默认使用deployment部署方式,只部署一个副本

默认配置文件如下:

[root@kubernetes1 k8s]# cat traefik-deployment.yaml
---
# ServiceAccount the Traefik pods run as. Its name and namespace are what the
# ClusterRoleBinding in traefik-rbac.yaml lists under "subjects".
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
# Single-replica Deployment of Traefik in kube-system.
# NOTE(review): extensions/v1beta1 Deployments were removed in Kubernetes 1.16;
# current clusters use apps/v1.
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      # NOTE(review): no tag, so this resolves to "latest" and the version that
      # runs changes over time. --kubernetes and --logLevel below are Traefik
      # 1.x flag names that later major versions renamed, so pin a tested 1.x
      # tag (traefik:<tested-1.x-tag>) or a digest.
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
        - name: admin
          containerPort: 8080
        args:
        # --api turns on the API and web UI served on the admin port (8080).
        # NOTE(review): no authentication is configured in these args, so
        # whoever can reach port 8080 can view the dashboard.
        - --api
        # --kubernetes enables the Kubernetes Ingress provider.
        - --kubernetes
        - --logLevel=INFO
---
# NodePort Service in front of the Traefik pods, selected by the k8s-app label.
# NOTE(review): type NodePort publishes BOTH ports on every node, including
# the unauthenticated admin/dashboard port 8080. Outside a lab, leave "admin"
# out of this Service (reach the UI with kubectl port-forward instead) or put
# authentication and network restrictions in front of it.
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
  type: NodePort

kubectl执行traefik-deployment.yaml  traefik-rbac.yaml文件

[root@kubernetes1 k8s]# kubectl apply -f traefik-rbac.yaml
clusterrole.rbac.authorization.k8s.io "traefik-ingress-controller" created
clusterrolebinding.rbac.authorization.k8s.io "traefik-ingress-controller" created
[root@kubernetes1 k8s]# kubectl get clusterrole
NAME                                                                   AGE
............
traefik-ingress-controller                                             1m
view                                                                   64d
[root@kubernetes1 k8s]#

[root@kubernetes1 k8s]# kubectl get clusterrolebinding
NAME                                                   AGE
..........
traefik-ingress-controller                             3m
[root@kubernetes1 k8s]#

可以看到clusterrole,clusterrolebinding都创建成功了

[root@kubernetes1 k8s]# kubectl apply -f traefik-deployment.yaml
serviceaccount "traefik-ingress-controller" created
deployment.extensions "traefik-ingress-controller" created
service "traefik-ingress-service" created
[root@kubernetes1 k8s]#
[root@kubernetes1 k8s]# kubectl get sa -n kube-system
NAME                                 SECRETS   AGE
..........
traefik-ingress-controller           1         28s
ttl-controller                       1         64d
[root@kubernetes1 k8s]#

[root@kubernetes1 k8s]# kubectl get svc,deployment,pod -n kube-system
NAME                              TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                       AGE
service/kube-dns                  ClusterIP   10.96.0.10      <none>        53/UDP,53/TCP                 64d
service/kubernetes-dashboard      ClusterIP   10.111.97.40    <none>        443/TCP                       21h
service/tiller-deploy             ClusterIP   10.97.252.140   <none>        44134/TCP                     22d
service/traefik-ingress-service   NodePort    10.109.186.72   <none>        80:30555/TCP,8080:31695/TCP   1m

NAME                                               DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
deployment.extensions/kube-dns                     1         1         1            1           64d
deployment.extensions/kubernetes-dashboard         1         1         1            1           21h
deployment.extensions/tiller-deploy                1         1         1            1           22d
deployment.extensions/traefik-ingress-controller   1         1         1            1           1m

NAME                                             READY     STATUS    RESTARTS   AGE
..........
pod/traefik-ingress-controller-7dcd6f447-fwwmg   1/1       Running   0          1m
[root@kubernetes1 k8s]#

service,pod都起来了


service/traefik-ingress-service   NodePort    10.109.186.72   <none>        80:30555/TCP,8080:31695/TCP   1m

注意:80端口对应的是服务端口,8080端口对应的是ui端口,也就是说我们可以通过访问8080端口来访问traefik的web界面

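通过测试可以看到,k8s集群的任意一个nodeIP:31695,都可以访问到traefik的web ui界面。需要注意的是,上面的启动参数只有--api,没有配置任何认证,所以凡是能访问到节点这个端口的人都能看到traefik的管理界面和路由信息;非测试环境建议不要把8080(admin)端口通过NodePort暴露出去,或者给它加上认证和访问限制。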


默认是没有任何东西的,可以直接用目录下ui.yaml,执行看看

[root@kubernetes1 k8s]# kubectl apply -f ui.yaml
service "traefik-web-ui" created
ingress.extensions "traefik-web-ui" created
[root@kubernetes1 k8s]#

image.png


4.用起来看看

用下面这个svc做示例

[root@kubernetes1 k8s]# kubectl get svc
NAME         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
httpd-svc    ClusterIP   10.106.13.46     <none>        80/TCP     6d

ingress文件

[root@kubernetes1 wp]# cat httpd-svc-ingress.yaml
# Ingress that routes HTTP requests for host httpd-svc.ingress, path "/", to
# Service httpd-svc on port 80 in the default namespace.
# NOTE(review): extensions/v1beta1 Ingress was removed in Kubernetes 1.22;
# networking.k8s.io/v1 uses a different backend schema (service.name /
# service.port) and requires pathType.
# NOTE(review): there is no tls section, so this host is served over plain
# HTTP only.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: httpd-svc-ingress
  namespace: default
spec:
  rules:
  - host: httpd-svc.ingress
    http:
      paths:
      - path: /
        backend:
          serviceName: httpd-svc
          servicePort: 80
[root@kubernetes1 wp]#

执行ingress文件

ingress.extensions "wordpress-ingress" deleted
[root@kubernetes1 wp]# kubectl apply -f httpd-svc-ingress.yaml
ingress.extensions "httpd-svc-ingress" created
[root@kubernetes1 wp]# kubectl get ing
NAME                HOSTS               ADDRESS   PORTS     AGE
httpd-svc-ingress   httpd-svc.ingress             80        6s
[root@kubernetes1 wp]#

我在win7客户机做了httpd-svc-ingress的解析

但是并不能访问到httpd-svc-ingress

报错(这两条日志是在查找heapster服务时Metric健康检查失败,看起来和ingress访问本身无关,访问不了的真正原因见第5节):

Jul 26 02:17:28 kubernetes1 journal: 2018/07/26 06:17:28 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.
Jul 26 02:17:58 kubernetes1 journal: 2018/07/26 06:17:58 Metric client health check failed: the server could not find the requested resource (get services heapster). Retrying in 30 seconds.


5.暴露服务


接上,看了很多资料,大多语焉不详。

为什么会访问不了?

用示意图分析下traefik的转发过程,见下:

image.png

简易分析:

k8s里有很多的service,我们通过traefik转发来访问service。

traefik我们已经部署好了,也能够发现后端的service了。

但是,我们怎么访问traefik呢?

这也就是上面访问不了服务的根本原因所在。


暴露traefik服务

对比ingress的暴露服务方法:1,创建个service,然后给这个service指定extIP。2,把pod配置hostNetwork: true模式,Pod中所有容器的端口号都将直接被映射到物理机上(包括8080管理端口),访问物理机的端口就直接访问到了pod的容器的端口。


使用第2种方法暴露服务

同时修改资源类型kind为daemonset,让每个node都生成pod,见下:

修改后的traefik-deployment.yaml:

[root@kubernetes1 k8s]# cat traefik-deployment.yaml
---
# ServiceAccount the Traefik pods run as. Its name and namespace are what the
# ClusterRoleBinding in traefik-rbac.yaml lists under "subjects".
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
# Same workload as the earlier Deployment, changed to a DaemonSet (one pod per
# schedulable node) and switched to host networking.
# NOTE(review): extensions/v1beta1 DaemonSets were removed in Kubernetes 1.16;
# current clusters use apps/v1.
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      # hostNetwork puts the pod in the node's network namespace, so Traefik
      # listens on the node's own IP addresses.
      # NOTE(review): that applies to every port the process opens: 80 AND the
      # admin/dashboard port 8080 become reachable on each node IP unless a
      # host firewall blocks them. The pod also bypasses pod-level network
      # isolation. If only port 80 must be on the node, a hostPort on the
      # "http" container port is a narrower alternative.
      hostNetwork: true
      containers:
      # NOTE(review): no tag, so this resolves to "latest" and the version that
      # runs changes over time. --kubernetes and --logLevel below are Traefik
      # 1.x flag names that later major versions renamed, so pin a tested 1.x
      # tag (traefik:<tested-1.x-tag>) or a digest.
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
        - name: admin
          containerPort: 8080
        args:
        # --api turns on the API and web UI served on the admin port (8080).
        # NOTE(review): no authentication is configured in these args, so
        # whoever can reach port 8080 can view the dashboard.
        - --api
        # --kubernetes enables the Kubernetes Ingress provider.
        - --kubernetes
        - --logLevel=INFO
---
# NodePort Service kept from the Deployment variant.
# NOTE(review): with hostNetwork the pods are already reachable on node port
# 80, so this Service looks redundant for ingress traffic, yet it still
# publishes the unauthenticated admin port 8080 on a NodePort of every node.
# Consider dropping the "admin" entry or the whole Service.
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
  type: NodePort

部署traefik-deployment.yaml

[root@kubernetes1 k8s]# kubectl apply -f traefik-deployment.yaml
serviceaccount "traefik-ingress-controller" created
daemonset.extensions "traefik-ingress-controller" created
service "traefik-ingress-service" created
[root@kubernetes1 k8s]# kubectl get svc,pod -n kube-system -owide
NAME                              TYPE        CLUSTER-IP      EXTERNAL-IP  PORT(S)                      AGE      SELECTOR
service/kube-dns                  ClusterIP  10.96.0.10      <none>        53/UDP,53/TCP                66d      k8s-app=kube-dns
service/kubernetes-dashboard      ClusterIP  10.111.97.40    <none>        443/TCP                      2d        k8s-app=kubernetes-dashboard
service/tiller-deploy            ClusterIP  10.97.252.140  <none>        44134/TCP                    24d      app=helm,name=tiller
service/traefik-ingress-service  NodePort    10.100.29.222  <none>        80:31751/TCP,8080:32101/TCP  1m        k8s-app=traefik-ingress-lb

NAME                                        READY    STATUS    RESTARTS  AGE      IP                NODE
pod/etcd-kubernetes1                        1/1      Running  35        66d      192.168.211.135  kubernetes1
pod/kube-apiserver-kubernetes1              1/1      Running  39        66d      192.168.211.135  kubernetes1
pod/kube-controller-manager-kubernetes1    1/1      Running  38        66d      192.168.211.135  kubernetes1
pod/kube-dns-b4bd9576-db5hh                3/3      Running  105        66d      10.244.0.58      kubernetes1
pod/kube-flannel-ds-27wrd                  1/1      Running  65        66d      192.168.211.135  kubernetes1
pod/kube-flannel-ds-6lnj9                  1/1      Running  58        66d      192.168.211.152  kubernetes3
pod/kube-flannel-ds-xz87r                  1/1      Running  56        66d      192.168.211.151  kubernetes2
pod/kube-proxy-hhghb                        1/1      Running  35        66d      192.168.211.151  kubernetes2
pod/kube-proxy-hwvs9                        1/1      Running  35        66d      192.168.211.135  kubernetes1
pod/kube-proxy-jcxbz                        1/1      Running  35        66d      192.168.211.152  kubernetes3
pod/kube-scheduler-kubernetes1              1/1      Running  36        66d      192.168.211.135  kubernetes1
pod/kubernetes-dashboard-7d5dcdb6d9-5zkkl  1/1      Running  2          2d        10.244.0.59      kubernetes1
pod/tiller-deploy-5c688d5f9b-kfqwx          1/1      Running  8          9d        10.244.1.244      kubernetes2
pod/traefik-ingress-controller-k5sv4        1/1      Running  0          1m        192.168.211.152  kubernetes3
pod/traefik-ingress-controller-v62t4        1/1      Running  0          1m        192.168.211.151  kubernetes2
[root@kubernetes1 k8s]#

可以看到:

pod/traefik-ingress-controller-k5sv4        1/1       Running   0          1m        192.168.211.152   kubernetes3
pod/traefik-ingress-controller-v62t4        1/1       Running   0          1m        192.168.211.151   kubernetes2

只要把要访问的host解析到这两个地址即可

最简单的traefik转发到这里就实现了。
