一、創建Traefik CRD資源
traefik v2.0 版本后,開始使用CRD(Custom Resource Definition)來完成路由配置
# mkdir -p /opt/kubernetes/traefik/yaml # cd /opt/kubernetes/traefik/yaml # vi crd.yaml ## IngressRoute apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: ingressroutes.traefik.containo.us spec: group: traefik.containo.us version: v1alpha1 names: kind: IngressRoute plural: ingressroutes singular: ingressroute scope: Namespaced --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: ingressroutetcps.traefik.containo.us spec: group: traefik.containo.us version: v1alpha1 names: kind: IngressRouteTCP plural: ingressroutetcps singular: ingressroutetcp scope: Namespaced --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: middlewares.traefik.containo.us spec: group: traefik.containo.us version: v1alpha1 names: kind: Middleware plural: middlewares singular: middleware scope: Namespaced --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: tlsoptions.traefik.containo.us spec: group: traefik.containo.us version: v1alpha1 names: kind: TLSOption plural: tlsoptions singular: tlsoption scope: Namespaced
創建Rraefik CRD資源
# kubectl create -f crd.yaml customresourcedefinition.apiextensions.k8s.io/ingressroutes.traefik.containo.us created customresourcedefinition.apiextensions.k8s.io/ingressroutetcps.traefik.containo.us created customresourcedefinition.apiextensions.k8s.io/middlewares.traefik.containo.us created customresourcedefinition.apiextensions.k8s.io/tlsoptions.traefik.containo.us created
二、創建Traefik RBAC權限
# vi rbac.yaml apiVersion: v1 kind: ServiceAccount metadata: name: traefik-ingress-controller namespace: kube-system --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: traefik-ingress-controller rules: - apiGroups: - "" resources: - services - endpoints - secrets verbs: - get - list - watch - apiGroups: - extensions resources: - ingresses verbs: - get - list - watch - apiGroups: - extensions resources: - ingresses/status verbs: - update - apiGroups: - traefik.containo.us resources: - middlewares verbs: - get - list - watch - apiGroups: - traefik.containo.us resources: - ingressroutes verbs: - get - list - watch - apiGroups: - traefik.containo.us resources: - ingressroutetcps verbs: - get - list - watch - apiGroups: - traefik.containo.us resources: - tlsoptions verbs: - get - list - watch --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: traefik-ingress-controller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: traefik-ingress-controller subjects: - kind: ServiceAccount name: traefik-ingress-controller namespace: kube-system
創建Traefik RBAC資源
# kubectl create -f rbac.yaml serviceaccount/traefik-ingress-controller created clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller created clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller created
三、創建Traefik配置文件
用DaemonSet方式部署,便於在多服務器間擴展
# vi traefik.yaml apiVersion: apps/v1 kind: DaemonSet metadata: name: traefik namespace: kube-system labels: k8s-app: traefik-ingress-lb spec: selector: matchLabels: k8s-app: traefik-ingress-lb template: metadata: labels: k8s-app: traefik-ingress-lb name: traefik-ingress-lb spec: serviceAccountName: traefik-ingress-controller terminationGracePeriodSeconds: 60 restartPolicy: Always tolerations: - operator: "Exists" containers: - image: traefik:v2.0.7 name: traefik-ingress-lb resources: limits: cpu: 2000m memory: 1024Mi requests: cpu: 1000m memory: 1024Mi ports: - name: web containerPort: 80 hostPort: 80 - name: websecure containerPort: 443 hostPort: 443 - name: mysql containerPort: 3306 hostPort: 3306 - name: redis containerPort: 6379 hostPort: 6379 - name: admin containerPort: 8080 hostPort: 9999 securityContext: capabilities: drop: - ALL add: - NET_BIND_SERVICE args: - --entrypoints.web.Address=:80 - --entrypoints.websecure.Address=:443 - --entrypoints.mysql.Address=:3306 - --entrypoints.redis.Address=:6379 - --providers.kubernetescrd - --api - --api.dashboard=true - --api.insecure=true - --metrics.prometheus=true - --tracing.zipkin=true - --accesslog - --accesslog.filepath=/var/log/access.log nodeSelector: edgenode: "true" --- kind: Service apiVersion: v1 metadata: name: traefik namespace: kube-system spec: selector: k8s-app: traefik-ingress-lb ports: - name: admin port: 9999 protocol: TCP
創建Traefik資源
# kubectl create -f traefik.yaml daemonset.apps/traefik created service/traefik created
四、設置節點Label標簽
由於是使用Kubernetes DeamonSet這種方式部署traefik,所以需要提前給節點設置label,這樣當程序部署時pod會自動調度到設置label的點上
# kubectl get nodes --show-labels NAME STATUS ROLES AGE VERSION LABELS 192.168.168.3 Ready <none> 4d11h v1.16.2 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=192.168.168.3,kubernetes.io/os=linux 192.168.168.4 Ready <none> 4d11h v1.16.2 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=192.168.168.4,kubernetes.io/os=linux # kubectl label nodes 192.168.168.3 edgenode=true node/192.168.168.3 labeled
注:如想刪除label標簽使用如下命令
# kubectl label nodes 192.168.168.3 edgenode-
五、配置Traefik路由規則
想讓外部訪問Kubernetes內部服務,需要配置路由規則,這里配置Traefik Dashboard的路由規則,使外部能夠訪問Traefik Dashboard
# vi IngressRoute.yaml apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: name: traefik-webui namespace: kube-system spec: entryPoints: - web routes: - match: Host(`traefik.k8s.local`) kind: Rule services: - name: traefik port: 9999
注:Host(` `)中的內容也可為自定義域名,如配置為traefik.
創建Traefik Dashboard https協議路由規則對象
# kubectl create -f IngressRoute.yaml
ingressroute.traefik.containo.us/traefik-webui created
注:卸載Traefik時先卸載IngressRoute.yaml再卸載其它資源
在管理機hosts里配置映射192.168.168.3 traefik.k8s.local(或搭建內網DNS服務器),然后在瀏覽器中輸入http://traefik.k8s.local:9999
六、配置多邊緣節點高可用
1)在work-node01/02上安裝keepalived{安裝過程此文略過}
設置一個VIP IP指向自定義域名traefik.k8s.local,本文示例為192.168.168.100,這樣集群外部就可以通過service的DNS映射名稱來訪問服務。
2)設置節點Label標簽
# kubectl label nodes 192.168.168.3 edgenode=true # kubectl label nodes 192.168.168.4 edgenode=true
3)查看DaemonSet啟動情況
# kubectl -n kube-system get ds NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE traefik 2 2 2 2 2 edgenode=true 16m
4)配置keepalived
# vi $KEEPALIVED_HOME/keepalived.conf ! Configuration File for keepalived global_defs { notification_email { root@localhost } notification_email_from k8s_admin@localhost smtp_server 127.0.0.1 smtp_connect_timeout 30 router_id LVS_DEVEL } vrrp_instance VI_1 { state MASTER interface eth0 virtual_router_id 100 priority 100 advert_int 1 authentication { auth_type PASS auth_pass 6666 } virtual_ipaddress { 192.168.168.100 } } virtual_server 192.168.168.100 9999{ delay_loop 6 lb_algo loadbalance lb_kind DR nat_mask 255.255.255.0 persistence_timeout 0 protocol TCP real_server 192.168.168.3 9999{ weight 1 TCP_CHECK { connect_timeout 3 } } real_server 192.168.168.4 9999{ weight 1 TCP_CHECK { connect_timeout 3 } } }
注:real_server的IP和端口即traefik供外網訪問的IP和端口
在管理機hosts里配置映射192.168.168.100 traefik.k8s.local,然后在在瀏覽器中輸入http://traefik.k8s.local