Kubernetes 1.9集群使用traefik发布服务
在前文中介绍了在kubernetes 1.5.2集群环境中使用traefik进行服务发布。Traefik采用daemonset方式部署,链接api-server走的是http协议,也未配置rbac。本文将介绍在k8s 1.9版本中使用deployment方式部署traefik来进行服务发布。node
在开始以前,须要先了解一下什么是RBAC。RBAC(基于角色的访问控制)使用 rbac.authorization.k8s.io API 组来实现权限控制,RBAC 容许管理员经过 Kubernetes API 动态的配置权限策略。在 1.6 版本中 RBAC 还处于 Beat 阶段,若是想要开启 RBAC 受权模式须要在 apiserver 组件中指定 --authorization-mode=RBAC 选项。nginx
在 RBAC API 的四个重要概念:
Role:是一系列的权限的集合,例如一个角色能够包含读取 Pod 的权限和列出 Pod 的权限
ClusterRole: 跟 Role 相似,可是能够在集群中处处使用( Role 是 namespace 一级的)
RoloBinding:把角色映射到用户,从而让这些用户继承角色在 namespace 中的权限。
ClusterRoleBinding: 让用户继承 ClusterRole 在整个集群中的权限。git
简单点说RBAC实现了在k8s集群中对api-server的鉴权,更多的RBAC知识点请查阅官方文档:https://kubernetes.io/docs/admin/authorization/rbac/github
1、给集群的节点打上label
由于选择deployment方式部署,因此要给集群的节点打上label,后续选择nodeSelector指定traefik=proxy,副本数和集群节点数一致的时候,全部的节点上都会运行一个podweb
# kubectl get nodes --show-labels # kubectl label node vm1 traefik=proxy # kubectl label node vm2 traefik=proxy # kubectl get nodes --show-labels
2、准备yaml文件
一、rbac文件redis
# cat traefik-rbac.yaml
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: kube-system
在启用rbac的环境下,若是鉴权未配置清楚,则traefik pod会报错以下后端
E0226 00:15:27.729832 1 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Service: services is forbidden: User "system:serviceaccount:kube-system:default" cannot list services at the cluster scope E0226 00:15:29.013298 1 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:kube-system:default" cannot list endpoints at the cluster scope E0226 00:15:29.213354 1 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:kube-system:default" cannot list secrets at the cluster scope E0226 00:15:29.698574 1 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User "system:serviceaccount:kube-system:default" cannot list ingresses.extensions at the cluster scope E0226 00:15:30.411837 1 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Service: services is forbidden: User "system:serviceaccount:kube-system:default" cannot list services at the cluster scope E0226 00:15:31.912887 1 reflector.go:199] github.com/containous/traefik/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:kube-system:default" cannot list endpoints at the cluster scope
二、traefik的deployment文件api
# cat traefik-deployment.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-ingress-controller
namespace: kube-system
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
name: traefik-ingress-controller
namespace: kube-system
labels:
k8s-app: traefik-ingress-lb
spec:
replicas: 2
selector:
matchLabels:
k8s-app: traefik-ingress-lb
template:
metadata:
labels:
k8s-app: traefik-ingress-lb
name: traefik-ingress-lb
spec:
serviceAccountName: traefik-ingress-controller
hostNetwork: true
nodeSelector:
traefik: proxy
terminationGracePeriodSeconds: 60
containers:
- image: traefik
name: traefik-ingress-lb
ports:
- name: web
containerPort: 80
hostPort: 80
- name: admin
containerPort: 8081
args:
- --web
- --web.address=:8081
- --kubernetes
三、traefik的service文件浏览器
# cat traefik-service.yaml
apiVersion: v1
kind: Service
metadata:
name: traefik-web-ui
namespace: kube-system
spec:
selector:
k8s-app: traefik-ingress-lb
ports:
- port: 80
targetPort: 8081
四、经过yaml文件建立clusterrole、clusterrolebinding、deployment、serviceaccount、serviceapp
# ls # kubectl create -f traefik-rbac.yaml # kubectl create -f traefik-deployment.yaml # kubectl create -f traefik-service.yaml
# kubectl get pod -n kube-system # kubectl get svc -n kube-system # kubectl get svc
能够看到集群中default namespace中存在一个frontend服务。kube-system namespace中存在nginx-test、traefik-web-ui、kubernetes-dashboard三个服务。咱们后续将建立4个ingress
经过web-ui能够看到在两个节点上各运行了一个pod
3、经过yaml文件建立ingress
# cat ui.yaml
apiVersion: v1
kind: Service
metadata:
name: traefik-web-ui
namespace: kube-system
spec:
selector:
k8s-app: traefik-ingress-lb
ports:
- port: 80
targetPort: 8081
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: traefik-web-ui
namespace: kube-system
annotations:
kubernetes.io/ingress.class: traefik
spec:
rules:
- host: traefik-ui
http:
paths:
- backend:
serviceName: traefik-web-ui
servicePort: 80
# cat webui-ing.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: traefik-ingress
namespace: kube-system
annotations:
kubernetes.io/ingress.class: traefik
spec:
rules:
- host: k8s.webui
http:
paths:
- backend:
serviceName: kubernetes-dashboard
servicePort: 443
# cat redis-ing.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: traefik-ingress
namespace: default
annotations:
kubernetes.io/ingress.class: traefik
spec:
rules:
- host: k8s.frontend
http:
paths:
- backend:
serviceName: frontend
servicePort: 80
# cat nginx-ing.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: traefik-nginx-ingress
namespace: kube-system
annotations:
kubernetes.io/ingress.class: traefik
spec:
rules:
- host: test.fjhb.cn
http:
paths:
- backend:
serviceName: nginx-test
servicePort: 80
# kubectl create -f ui.yaml # kubectl create -f webui-ing.yaml # kubectl create -f redis-ing.yaml # kubectl get ingress # kubectl get ingress -n kube-system
3、验证
一、经过访问traefik service对应的nodeport端口,4个ingress配置都加载到了
二、修改测试机hosts文件,将4个域名的解析分配到两台节点上
三、浏览器访问测试
这里出现500错误的缘由是,后端的kubernetes-dashboard配置的是https协议
能够在health页面看到http状态码的统计信息
相关文章
- 1. kuberneters集群中使用traefik发布服务
- 2. Traefik实现Kubernetes集群服务外部https访问
- 3. Docker服务器集群聚合-Traefik
- 4. Kubernetes traefik ingress使用
- 5. 京东云Kubernetes集群+Traefik实战
- 6. 在Kubernetes上使用Traefik
- 7. Kubernetes 服务入口管理 Traefik Ingress Controller
- 8. kubernetes使用Traefik暴露web服务-转载51cto
- 9. was中间件发布集群应用was服务器发布集群
- 10. 利用Traefik+Docker构建可弹性扩展的微服务或服务集群
- 更多相关文章...
- • Swarm 集群管理 - Docker教程
- • 启动MySQL服务 - MySQL教程
- • Spring Cloud 微服务实战(三) - 服务注册与发现
- • 常用的分布式事务解决方案
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. No provider available from registry 127.0.0.1:2181 for service com.ddbuy.ser 解决方法
- 2. Qt5.7以上调用虚拟键盘(支持中文),以及源码修改(可拖动,水平缩放)
- 3. 软件测试面试- 购物车功能测试用例设计
- 4. ElasticSearch(概念篇):你知道的, 为了搜索…
- 5. redux理解
- 6. gitee创建第一个项目
- 7. 支持向量机之硬间隔(一步步推导,通俗易懂)
- 8. Mysql 异步复制延迟的原因及解决方案
- 9. 如何在运行SEPM配置向导时将不可认的复杂数据库密码改为简单密码
- 10. windows系统下tftp服务器使用
欢迎关注本站公众号,获取更多信息
相关文章
- 1. kuberneters集群中使用traefik发布服务
- 2. Traefik实现Kubernetes集群服务外部https访问
- 3. Docker服务器集群聚合-Traefik
- 4. Kubernetes traefik ingress使用
- 5. 京东云Kubernetes集群+Traefik实战
- 6. 在Kubernetes上使用Traefik
- 7. Kubernetes 服务入口管理 Traefik Ingress Controller
- 8. kubernetes使用Traefik暴露web服务-转载51cto
- 9. was中间件发布集群应用was服务器发布集群
- 10. 利用Traefik+Docker构建可弹性扩展的微服务或服务集群