Publishing services with Traefik on a Kubernetes 1.9 cluster
Before starting, it helps to understand what RBAC is. RBAC (Role-Based Access Control) uses the rbac.authorization.k8s.io API group to implement authorization, and lets administrators configure authorization policy dynamically through the Kubernetes API. In version 1.6 RBAC was still in Beta; to enable the RBAC authorization mode you must pass the --authorization-mode=RBAC option to the apiserver component.
The four important concepts in the RBAC API:
Role: a collection of permissions; for example, a role can contain the permission to read Pods and the permission to list Pods
ClusterRole: like a Role, but usable anywhere in the cluster (a Role is namespace-scoped)
RoleBinding: maps a role to users, so that those users inherit the role's permissions within a namespace.
ClusterRoleBinding: lets users inherit a ClusterRole's permissions across the whole cluster.
Put simply, RBAC implements authorization for the api-server in a k8s cluster. For more on RBAC see the official documentation: https://kubernetes.io/docs/admin/authorization/rbac/
I. Label the cluster nodes
Because Traefik is deployed as a Deployment, the cluster nodes need a label: the nodeSelector below selects traefik=proxy, and when the replica count equals the number of labelled nodes, every node ends up running one pod.
# kubectl get nodes --show-labels
# kubectl label node vm1 traefik=proxy
# kubectl label node vm2 traefik=proxy
# kubectl get nodes --show-labels
II. Prepare the yaml files
1. RBAC file
# cat traefik-rbac.yaml
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system
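The ClusterRole above is read-only by design: Traefik only needs to watch Services, Endpoints, Secrets and Ingresses. A useful check after applying it is to confirm that the ServiceAccount really ends up with exactly that access and nothing broader (for example a forgotten cluster-admin binding on the same account). The script below is an added example, not part of the original post; it uses kubectl's impersonation flag (kubectl auth can-i --as) with the ServiceAccount name and namespace from the manifest, and the KUBECTL variable, the EXPECTED and FORBIDDEN lists and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit the effective permissions of the
# traefik-ingress-controller ServiceAccount with `kubectl auth can-i --as`, comparing
# them with what traefik-rbac.yaml grants. KUBECTL is overridable so the audit can be
# dry-run against a stub; the SA name and namespace come from the manifest above.
KUBECTL="${KUBECTL:-kubectl}"
SA="system:serviceaccount:kube-system:traefik-ingress-controller"

# verb:resource pairs the ClusterRole grants (resource.apiGroup form for extensions).
EXPECTED="get:services list:services watch:services \
get:endpoints list:endpoints watch:endpoints \
get:secrets list:secrets watch:secrets \
get:ingresses.extensions list:ingresses.extensions watch:ingresses.extensions"

# Pairs a read-only ingress controller has no business holding; any "yes" here
# means the account is bound more broadly than the manifest intends.
FORBIDDEN="create:secrets update:secrets delete:secrets \
get:pods create:pods delete:pods list:nodes create:ingresses.extensions"

can_i() {
  # Prints "yes" or "no" for: can_i VERB RESOURCE
  $KUBECTL auth can-i "$1" "$2" --as="$SA" 2>/dev/null
}

rbac_audit() {
  # Returns 0 when the SA has exactly the expected read-only access, 1 otherwise.
  failures=0
  for pair in $EXPECTED; do
    verb=${pair%%:*}; res=${pair#*:}
    if [ "$(can_i "$verb" "$res")" != "yes" ]; then
      echo "MISSING: $SA cannot $verb $res" >&2
      failures=$((failures + 1))
    fi
  done
  for pair in $FORBIDDEN; do
    verb=${pair%%:*}; res=${pair#*:}
    if [ "$(can_i "$verb" "$res")" = "yes" ]; then
      echo "EXCESS:  $SA can $verb $res" >&2
      failures=$((failures + 1))
    fi
  done
  [ "$failures" -eq 0 ]
}
```

Run it as `. ./rbac_audit.sh && rbac_audit` against the cluster after `kubectl create -f traefik-rbac.yaml`; a MISSING line means Traefik will fail to list that resource, an EXCESS line means the binding grants more than the manifest shows and is worth tracking down. Note that "get secrets" cluster-wide is already a strong permission, so keep the controller's namespace and image under the same scrutiny as the rest of kube-system.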
2. Traefik Deployment file
# cat traefik-deployment.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 2
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      hostNetwork: true
      nodeSelector:
        traefik: proxy
      terminationGracePeriodSeconds: 60
      containers:
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: web
          containerPort: 80
          hostPort: 80
        - name: admin
          containerPort: 8081
        args:
        - --web
        - --web.address=:8081
        - --kubernetes
3. Traefik Service file
# cat traefik-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - port: 80
    targetPort: 8081
4. Create the ClusterRole, ClusterRoleBinding, Deployment, ServiceAccount and Service from the yaml files
# ls
# kubectl create -f traefik-rbac.yaml
# kubectl create -f traefik-deployment.yaml
# kubectl create -f traefik-service.yaml
# kubectl get pod -n kube-system
# kubectl get svc -n kube-system
# kubectl get svc
You can see that the default namespace has a frontend service, and the kube-system namespace has three services: nginx-test, traefik-web-ui and kubernetes-dashboard. We will create 4 Ingresses for them next.
The web UI shows one pod running on each of the two nodes.
III. Create the Ingresses from yaml files
# cat ui.yaml
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - port: 80
    targetPort: 8081
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik-ui
    http:
      paths:
      - backend:
          serviceName: traefik-web-ui
          servicePort: 80
# cat webui-ing.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-ingress
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: k8s.webui
    http:
      paths:
      - backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
# cat redis-ing.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: k8s.frontend
    http:
      paths:
      - backend:
          serviceName: frontend
          servicePort: 80
# cat nginx-ing.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-nginx-ingress
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: test.fjhb.cn
    http:
      paths:
      - backend:
          serviceName: nginx-test
          servicePort: 80
# kubectl create -f ui.yaml
# kubectl create -f webui-ing.yaml
# kubectl create -f redis-ing.yaml
# kubectl get ingress
# kubectl get ingress -n kube-system
IV. Verification
1. Accessing the NodePort of the traefik service shows that all 4 Ingress configurations have been loaded
2. Edit the hosts file on the test machine so that the 4 domain names resolve to the two nodes
3. Test from a browser
The 500 error here is because the backend kubernetes-dashboard is configured for the https protocol
The health page shows statistics of the HTTP status codes
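Editing the hosts file works for a browser test, but it is easier to repeat the check from a script by sending the Host header explicitly to each node, which also confirms that both pods (one per labelled node) loaded all four rules. The script below is an added example, not part of the original post; the four host names are the ones from the Ingress manifests above, the node IPs are placeholders to replace with your own, and the CURL variable and function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): probe every Ingress host on every
# traefik node without touching /etc/hosts, by sending the Host header explicitly.
# NODES holds placeholder IPs (replace with yours); HOSTS are the four Ingress hosts.
# CURL is overridable so the routing table can be checked against a stub.
CURL="${CURL:-curl}"
NODES="${NODES:-192.0.2.11 192.0.2.12}"
HOSTS="traefik-ui k8s.webui k8s.frontend test.fjhb.cn"

http_code() {
  # Prints the HTTP status traefik returns for: http_code NODE HOST
  $CURL -s -o /dev/null -m 5 -w '%{http_code}' -H "Host: $2" "http://$1/"
}

probe_ingresses() {
  # Prints "NODE HOST CODE" for every pair; returns 1 if any pair answers with
  # something other than 2xx/3xx: a 404 means the rule is not loaded on that
  # node, a 5xx means the rule is loaded but the backend is unreachable (as with
  # the https-only dashboard backend mentioned above). Returns 0 otherwise.
  bad=0
  for node in $NODES; do
    for host in $HOSTS; do
      code=$(http_code "$node" "$host")
      echo "$node $host $code"
      case "$code" in
        2*|3*) ;;
        *) bad=$((bad + 1)) ;;
      esac
    done
  done
  [ "$bad" -eq 0 ]
}
```

Run `NODES="10.0.0.1 10.0.0.2" sh -c '. ./probe.sh; probe_ingresses'` from the test machine; with the manifests as written you should expect a 500 for k8s.webui on both nodes and 2xx for the other three hosts, and a 404 on only one node points at a pod that has not picked up the rule.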