0. Cluster environment
1. Create the Traefik CRD resources
Starting with v2.0, Traefik uses CRDs (Custom Resource Definitions) for routing configuration.
File name: traefik_crd.yaml
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
  scope: Namespaced
$ kubectl apply -f traefik_crd.yaml
customresourcedefinition.apiextensions.k8s.io/ingressroutes.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/ingressroutetcps.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/middlewares.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/tlsoptions.traefik.containo.us created
2. Create the RBAC authorization resources
File name: traefik_rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  # Read access to Services, Endpoints and Secrets in every namespace
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
  # Read access to the Traefik CRD resources created in step 1
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - traefik.containo.us
    resources:
      - ingressroutes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - traefik.containo.us
    resources:
      - ingressroutetcps
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - traefik.containo.us
    resources:
      - tlsoptions
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
$ kubectl apply -f traefik_rbac.yaml
serviceaccount/traefik-ingress-controller created
clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller created
clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller created
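3. Set node labels
Label: ing: "traefik"
Traefik is deployed here as a DaemonSet. Label the nodes first; when the workload is deployed, its pods are scheduled automatically onto the nodes that carry this label.
# Current labels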
$ kubectl get node --show-labels
NAME STATUS ROLES AGE VERSION LABELS
linuxhub-k8s-n-51 Ready <none> 28h v1.16.6 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=linuxhub-k8s-n-51,kubernetes.io/os=linux
linuxhub-k8s-n-52 Ready <none> 29h v1.16.6 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=linuxhub-k8s-n-52,kubernetes.io/os=linux
linuxhub-k8s-n-53 Ready <none> 29h v1.16.6 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=linuxhub-k8s-n-53,kubernetes.io/os=linux
Create the label
# Create the node label
$ kubectl label nodes linuxhub-k8s-n-51 ing=traefik
node/linuxhub-k8s-n-51 labeled
$ kubectl label nodes linuxhub-k8s-n-52 ing=traefik
node/linuxhub-k8s-n-52 labeled
$ kubectl label nodes linuxhub-k8s-n-53 ing=traefik
node/linuxhub-k8s-n-53 labeled
View the labels
$ kubectl get node --show-labels
NAME STATUS ROLES AGE VERSION LABELS
linuxhub-k8s-n-51 Ready <none> 28h v1.16.6 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,ing=traefik,kubernetes.io/arch=amd64,kubernetes.io/hostname=linuxhub-k8s-n-51,kubernetes.io/os=linux
linuxhub-k8s-n-52 Ready <none> 29h v1.16.6 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,ing=traefik,kubernetes.io/arch=amd64,kubernetes.io/hostname=linuxhub-k8s-n-52,kubernetes.io/os=linux
linuxhub-k8s-n-53 Ready <none> 29h v1.16.6 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,ing=traefik,kubernetes.io/arch=amd64,kubernetes.io/hostname=linuxhub-k8s-n-53,kubernetes.io/os=linux
$ kubectl get node -l ing=traefik
NAME STATUS ROLES AGE VERSION
linuxhub-k8s-n-51 Ready <none> 28h v1.16.6
linuxhub-k8s-n-52 Ready <none> 29h v1.16.6
linuxhub-k8s-n-53 Ready <none> 29h v1.16.6
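4. Deploy the Traefik ingress controller
Deploy it as a DaemonSet, which makes it easy to scale across multiple servers, and use hostPort so that it listens on ports 80 and 443 of every node.
File name: traefik_ds.yaml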
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: traefik
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      restartPolicy: Always
      # Tolerates every taint, so pods also run on tainted nodes that carry the label
      tolerations:
        - operator: "Exists"
      containers:
        - image: traefik:v2.0.7
          name: traefik-ingress-lb
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 1000m
              memory: 1024Mi
          ports:
            # hostPort binds ports 80 and 443 on the node itself
            - name: web
              containerPort: 80
              hostPort: 80
            - name: websecure
              containerPort: 443
              hostPort: 443
            - name: admin
              containerPort: 8080
          args:
            - --entrypoints.web.Address=:80
            - --entrypoints.websecure.Address=:443
            # Serves the API and dashboard on port 8080 without authentication
            - --api.insecure=true
            - --metrics.prometheus=true
            - --api.dashboard=true
            - --providers.kubernetescrd
            - --api
            - --accesslog
      # Schedule only onto the nodes labelled in step 3
      nodeSelector:
        ing: "traefik"
---
kind: Service
apiVersion: v1
metadata:
  name: traefik
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 8080
      name: admin
$ kubectl apply -f traefik_ds.yaml
daemonset.apps/traefik created
service/traefik created
Check the deployment status
$ kubectl -n kube-system get all -l k8s-app=traefik-ingress-lb
NAME READY STATUS RESTARTS AGE
pod/traefik-3rxsp 1/1 Running 0 3m2s
pod/traefik-p8b6c 1/1 Running 0 3m2s
pod/traefik-sfbx9 1/1 Running 0 3m2s
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
daemonset.apps/traefik 3 3 3 3 3 ing=traefik 3m2s
5. Configure the Traefik routing rules
Traefik Dashboard service
$ kubectl -n kube-system get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
traefik ClusterIP 10.254.115.210 <none> 8080/TCP 34m
Expose port 8080 of the internal traefik service externally through a domain name.
Domain: k8s-traefik.linuxhub.cn
File: traefik_ingressroute.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-webui
  namespace: kube-system
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`k8s-traefik.linuxhub.cn`)
      kind: Rule
      services:
        - name: traefik
          port: 8080
$ kubectl apply -f traefik_ingressroute.yaml
ingressroute.traefik.containo.us/traefik-webui created
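The route above publishes the dashboard, which runs with --api.insecure=true, over plain HTTP with no authentication. The following is an added example, not part of the original article: the same route placed behind a basicAuth Middleware on the websecure entry point. The names dashboard-auth, dashboard-users and dashboard-tls are hypothetical, and the htpasswd line is a placeholder.

```yaml
# Added example (not from the original article).
# Secret holding the dashboard users, one htpasswd-format line per user.
apiVersion: v1
kind: Secret
metadata:
  name: dashboard-users            # hypothetical name
  namespace: kube-system
stringData:
  users: |
    admin:<HTPASSWD_HASH_PLACEHOLDER>
---
# basicAuth middleware that checks requests against the Secret above.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth             # hypothetical name
  namespace: kube-system
spec:
  basicAuth:
    secret: dashboard-users
---
# Same host and backend as traefik_ingressroute.yaml, but served over TLS
# and with the middleware attached to the route.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-webui
  namespace: kube-system
spec:
  entryPoints:
    - websecure                    # basic-auth credentials are not sent in clear text
  routes:
    - match: Host(`k8s-traefik.linuxhub.cn`)
      kind: Rule
      middlewares:
        - name: dashboard-auth
      services:
        - name: traefik
          port: 8080
  tls:
    # Assumed to be an existing kubernetes.io/tls Secret in kube-system
    secretName: dashboard-tls      # hypothetical name
```

With --api.insecure=true still set, port 8080 on each Traefik pod and on the traefik Service remains reachable without credentials from inside the cluster; the middleware only protects requests that arrive through this route.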
6. Access the Traefik Dashboard
Access it through the domain name: http://k8s-traefik.linuxhub.cn