
Publishing services with Traefik on a Kubernetes 1.9 cluster

k8s rbac traefik deployment

The previous post covered publishing services with Traefik on a Kubernetes 1.5.2 cluster. There Traefik was deployed as a DaemonSet, talked to the API server over plain HTTP, and no RBAC was configured. This post shows how to deploy Traefik as a Deployment on Kubernetes 1.9, with RBAC, and use it to publish services.

Before starting, a word on RBAC. RBAC (role-based access control) implements authorization through the rbac.authorization.k8s.io API group and lets administrators configure permission policy dynamically through the Kubernetes API. RBAC was still Beta in 1.6 and became GA (API version v1) in 1.8; the manifests below use rbac.authorization.k8s.io/v1beta1, which 1.9 still serves. To enable RBAC authorization the apiserver must be started with --authorization-mode=RBAC (several authorizers can be combined, for example --authorization-mode=Node,RBAC as kubeadm does).

The four central objects of the RBAC API:
Role: a set of permissions, for example the permission to read Pods and the permission to list Pods, scoped to a single namespace.
ClusterRole: like a Role, but usable across the whole cluster and able to cover cluster-scoped resources such as nodes (a Role is namespace-level).
RoleBinding: maps a Role (or a ClusterRole) to users, groups or service accounts, which then hold those permissions within the binding's namespace only.
ClusterRoleBinding: grants subjects the permissions of a ClusterRole across the entire cluster.

In short, RBAC is how the API server authorizes requests in a k8s cluster. Permissions are purely additive: there is no deny rule, so every additional binding only widens what a subject may do. For more on RBAC see the official documentation: https://kubernetes.io/docs/admin/authorization/rbac/
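The following is an added example, not code from the original post or from Kubernetes: a minimal evaluator that applies the matching logic above (apiGroups, resources, verbs, "*" wildcards, additive bindings with no deny) to the Traefik ClusterRole used later in this post. It shows the practical difference between binding that ClusterRole with a ClusterRoleBinding, as the post does, and binding it with a RoleBinding restricted to kube-system (that RoleBinding variant is an assumption for illustration). It ignores resourceNames, subresources, nonResourceURLs and group membership, which the real authorizer also handles.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Rule:
    """One entry of a (Cluster)Role's `rules` list."""
    api_groups: Sequence[str]   # "" is the core API group
    resources: Sequence[str]
    verbs: Sequence[str]


@dataclass(frozen=True)
class Binding:
    """A RoleBinding (namespace set) or ClusterRoleBinding (namespace None)
    granting the rules of the referenced Role/ClusterRole to `subject`."""
    subject: str
    rules: Sequence[Rule]
    namespace: Optional[str] = None


def _matches(patterns, value):
    # RBAC has no negation: a field matches if it lists the value or "*".
    return "*" in patterns or value in patterns


def rule_allows(rule, group, resource, verb):
    return (_matches(rule.api_groups, group)
            and _matches(rule.resources, resource)
            and _matches(rule.verbs, verb))


def allowed(bindings, subject, namespace, group, resource, verb):
    """True if any binding for `subject` carries a rule permitting the request.

    RBAC is additive: one matching rule anywhere is enough and nothing can
    deny. A RoleBinding only counts for requests in its own namespace; a
    ClusterRoleBinding counts in every namespace.
    """
    for b in bindings:
        if b.subject != subject:
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(rule_allows(r, group, resource, verb) for r in b.rules):
            return True
    return False


# The ClusterRole from traefik-rbac.yaml, transcribed as data.
TRAEFIK_RULES = (
    Rule(api_groups=("",), resources=("services", "endpoints", "secrets"),
         verbs=("get", "list", "watch")),
    Rule(api_groups=("extensions",), resources=("ingresses",),
         verbs=("get", "list", "watch")),
)
# Username Kubernetes derives from the ServiceAccount in traefik-deployment.yaml.
TRAEFIK_SA = "system:serviceaccount:kube-system:traefik-ingress-controller"

# As in the post: a ClusterRoleBinding, valid in every namespace.
CLUSTER_WIDE = (Binding(TRAEFIK_SA, TRAEFIK_RULES),)
# Assumed alternative, not from the post: the same ClusterRole bound with a
# RoleBinding in kube-system, which confines the grant to that namespace.
KUBE_SYSTEM_ONLY = (Binding(TRAEFIK_SA, TRAEFIK_RULES, namespace="kube-system"),)


def audit(bindings, subject, namespaces, requests):
    """Map (namespace, group, resource, verb) -> allowed? for a set of checks."""
    return {(ns,) + req: allowed(bindings, subject, ns, *req)
            for ns in namespaces for req in requests}


if __name__ == "__main__":
    checks = [("", "secrets", "list"), ("", "secrets", "delete"),
              ("extensions", "ingresses", "watch"), ("", "pods", "get")]
    for name, b in (("ClusterRoleBinding", CLUSTER_WIDE),
                    ("RoleBinding in kube-system", KUBE_SYSTEM_ONLY)):
        print(name)
        for key, ok in audit(b, TRAEFIK_SA, ["kube-system", "default"], checks).items():
            print("  ", key, "allow" if ok else "deny")
```

The point to take from the audit output: with the ClusterRoleBinding the Traefik ServiceAccount can list Secrets in default (and every other namespace), while the RoleBinding variant confines the same ClusterRole to kube-system; neither grants delete, because no rule lists that verb. On a live cluster the equivalent check is `kubectl auth can-i list secrets -n default --as=system:serviceaccount:kube-system:traefik-ingress-controller`.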

I. Label the cluster nodes
Because Traefik is deployed as a Deployment rather than a DaemonSet, the nodes that should run it get a label, and the Deployment's nodeSelector later selects traefik=proxy. Each pod binds host port 80 (and, running with hostNetwork, port 8081 as well), so the scheduler will not place two replicas on the same node: with the replica count equal to the number of labelled nodes, every labelled node runs exactly one pod, and any extra replica stays Pending.

# kubectl get nodes --show-labels
# kubectl label  node vm1 traefik=proxy
# kubectl label  node vm2 traefik=proxy
# kubectl get nodes --show-labels

II. Prepare the YAML files
1. RBAC file
The ClusterRole below grants read-only verbs (get, list, watch) on services, endpoints and secrets in the core API group and on ingresses in the extensions group, the same set the Traefik 1.x Kubernetes guide uses. Bound through a ClusterRoleBinding, the secrets rule lets the Traefik ServiceAccount read every Secret in every namespace (it needs this for TLS Ingress secrets), so the token of this ServiceAccount deserves the same protection as any cluster-wide secret reader; do not add write verbs.

# cat traefik-rbac.yaml 
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system

2. Traefik Deployment file
Two things to watch in this file. image: traefik carries no tag, so each pull fetches whatever latest is at that moment; pin a specific tag for anything beyond a lab. And with hostNetwork: true, the admin port 8081 given to --web.address is bound on every labelled node with no authentication configured, so anyone who can reach a node sees the dashboard. extensions/v1beta1 Deployment still works on 1.9, which also serves apps/v1.

# cat traefik-deployment.yaml   
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 2
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      hostNetwork: true
      nodeSelector:
        traefik: proxy
      terminationGracePeriodSeconds: 60
      containers:
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: web
          containerPort: 80
          hostPort: 80
        - name: admin
          containerPort: 8081
        args:
        - --web
        - --web.address=:8081
        - --kubernetes

3. Traefik Service file

# cat traefik-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - port: 80
    targetPort: 8081

4. Create the ClusterRole, ClusterRoleBinding, ServiceAccount, Deployment and Service from the YAML files

# ls
# kubectl create -f traefik-rbac.yaml 
# kubectl create -f traefik-deployment.yaml 
# kubectl create -f traefik-service.yaml 


# kubectl get pod -n kube-system
# kubectl get svc -n kube-system
# kubectl get svc 

The default namespace contains a frontend service. The kube-system namespace contains three services: nginx-test, traefik-web-ui and kubernetes-dashboard. Four Ingress objects will be created for them next.
The web UI shows one Traefik pod running on each of the two nodes.

III. Create the Ingress objects from YAML files
Note that ui.yaml repeats the traefik-web-ui Service from step II.3. Since that Service already exists, kubectl create reports an AlreadyExists error for it and still creates the Ingress from the same file; only the Ingress part is new. Every Ingress carries the kubernetes.io/ingress.class: traefik annotation so that only Traefik picks it up, and an Ingress backend can only reference a Service in its own namespace, which is why the frontend rule lives in default and the other three in kube-system.

# cat ui.yaml 
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - port: 80
    targetPort: 8081
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik-ui
    http:
      paths:
      - backend:
          serviceName: traefik-web-ui
          servicePort: 80
# cat webui-ing.yaml                  
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-ingress
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: k8s.webui
    http:
      paths:
      - backend:
          serviceName: kubernetes-dashboard 
          servicePort: 443
# cat redis-ing.yaml 
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: k8s.frontend
    http:
      paths:
      - backend:
          serviceName: frontend 
          servicePort: 80
# cat nginx-ing.yaml 
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-nginx-ingress
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: test.fjhb.cn
    http:
      paths:
      - backend:
          serviceName: nginx-test
          servicePort: 80
# kubectl create -f ui.yaml 
# kubectl create -f webui-ing.yaml 
# kubectl create -f redis-ing.yaml 
# kubectl create -f nginx-ing.yaml 
# kubectl get ingress 
# kubectl get ingress -n kube-system

IV. Verification
1. Open the Traefik web UI (admin port 8081, reachable directly on each labelled node because the pod runs with hostNetwork): all four Ingress rules have been loaded as frontends.
2. Edit the hosts file on the test machine so that the four hostnames resolve to the two nodes, spreading them across both.
3. Test from a browser.
The 500 error for k8s.webui comes from the backend: kubernetes-dashboard is served over HTTPS, so the hop from Traefik to the dashboard fails. Traefik 1.x has a global --insecureSkipVerify switch for backends whose certificates it does not trust, but it disables certificate checking for every backend, not just this one. Publishing the dashboard through a plain-HTTP Ingress also sends dashboard login tokens in clear between the browser and Traefik, so give the dashboard a TLS-enabled Ingress instead.
The Health page of the web UI shows statistics of HTTP status codes.
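As an added example that is not part of the original post, the hosts-file step of the verification can be replaced by sending the Host header explicitly: Traefik chooses the frontend from that header, so a script can hit port 80 of each node for every hostname and classify the answer (404 is Traefik's reply for a host no rule matches, 5xx points at a broken backend such as the HTTPS-only dashboard). The node addresses are assumptions, and the stub server at the bottom is a constructed stand-in for a Traefik node that mirrors the statuses the post observed, so the check can be run offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Hostnames taken from the four Ingress rules in the post.
INGRESS_HOSTS = ["traefik-ui", "k8s.webui", "k8s.frontend", "test.fjhb.cn"]
# Assumed addresses of the labelled nodes vm1 and vm2.
NODES = ["192.0.2.11", "192.0.2.12"]


def probe(node, host, port=80, path="/", timeout=3.0):
    """GET `path` on node:port with an explicit Host header.

    Returns the HTTP status, or None if the node cannot be reached.
    Supplying Host ourselves means no hosts-file entry is needed.
    """
    conn = http.client.HTTPConnection(node, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        return conn.getresponse().status
    except OSError:
        return None
    finally:
        conn.close()


def classify(status):
    """Verdict a practitioner wants from the probe."""
    if status is None:
        return "unreachable"      # node down or no Traefik pod scheduled there
    if status == 404:
        return "no frontend"      # rule not loaded, or Host matches no rule
    if 500 <= status <= 599:
        return "backend error"    # e.g. the HTTPS-only dashboard behind the rule
    return "ok"


def check_routing(nodes, hosts, port=80):
    """Probe every (node, host) pair plus a host no rule should match.

    Returns {(node, host): (status, verdict)}. The bogus host confirms the
    default answer is 404 rather than a fall-through to some backend.
    """
    results = {}
    for node in nodes:
        for host in list(hosts) + ["no-such-host.invalid"]:
            status = probe(node, host, port)
            results[(node, host)] = (status, classify(status))
    return results


# --- Constructed stand-in for a Traefik node, so the check runs offline ---
class _StubTraefik(BaseHTTPRequestHandler):
    """200 for hosts with a working backend, 500 for the dashboard host
    (as observed in the post), 404 for anything else (Traefik's default)."""
    ok_hosts = {"traefik-ui", "k8s.frontend", "test.fjhb.cn"}
    failing_hosts = {"k8s.webui"}

    def do_GET(self):
        host = (self.headers.get("Host") or "").split(":")[0]
        if host in self.ok_hosts:
            code = 200
        elif host in self.failing_hosts:
            code = 500
        else:
            code = 404
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def start_stub(address="127.0.0.1"):
    """Start the stub on an ephemeral port; returns (server, port)."""
    server = ThreadingHTTPServer((address, 0), _StubTraefik)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_stub()   # replace with NODES and port 80 on a real cluster
    for (node, host), (status, verdict) in check_routing(["127.0.0.1"], INGRESS_HOSTS, port).items():
        print(f"{node:12} {host:22} {status!s:5} {verdict}")
    server.shutdown()
    server.server_close()
```

Against the real cluster, call check_routing(NODES, INGRESS_HOSTS) with the nodes' addresses; a host that answers "ok" on one node and "unreachable" on the other tells you a replica is missing from that node, which the hosts-file approach (one address per name) would hide.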
