Exposing web services on Kubernetes with Traefik
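Traefik is a front-end load balancer with good support for microservice architectures, and for orchestration tools such as Kubernetes in particular. Compared with nginx and similar proxies, Traefik automatically detects changes in the backend containers and so provides automatic service discovery.
The Traefik architecture is as follows:
Deploying and using Traefik
Deployment environment:
k8s-node1(master): 192.168.232.130
k8s-node2(node): 192.168.232.131
k8s-node3(node): 192.168.232.129
Deployment steps:
1. Create the ClusterRole and ClusterRoleBinding. (RBAC authorization is enabled from Kubernetes 1.6 onwards, so a ClusterRole and ClusterRoleBinding have to be configured to authorize the corresponding access to the api-server.)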
# vi traefik-rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress
  namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: ingress
subjects:
  - kind: ServiceAccount
    name: ingress
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

# kubectl create -f traefik-rbac.yaml
serviceaccount "ingress" created
clusterrolebinding.rbac.authorization.k8s.io "ingress" created
2. Deploy Traefik. A Deployment with 2 replicas is used here, so that every node runs the Traefik service.
# vi traefik-deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: traefik-ingress-lb
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 2
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      terminationGracePeriodSeconds: 60
      # The pod shares the node's network namespace, so Traefik binds
      # directly to the node's ports 80 and 8580.
      hostNetwork: true
      restartPolicy: Always
      serviceAccountName: ingress
      containers:
      - image: traefik
        name: traefik-ingress-lb
        resources:
          limits:
            cpu: 200m
            memory: 30Mi
          requests:
            cpu: 100m
            memory: 20Mi
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: admin
          containerPort: 8580
          hostPort: 8580
        args:
        # --web enables the Traefik web UI/API, served on port 8580.
        - --web
        - --web.address=:8580
        # --kubernetes enables the Kubernetes Ingress provider.
        - --kubernetes

# kubectl create -f traefik-deployment.yaml
deployment.extensions "traefik-ingress-lb" created

# kubectl get deployment.extensions --all-namespaces
NAMESPACE     NAME                   DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
kube-system   kube-dns               1         1         1            0           6d
kube-system   kubernetes-dashboard   1         1         1            1           3d
kube-system   traefik-ingress-lb     2         2         2            2           23s

# kubectl get pods -n kube-system -l k8s-app=traefik-ingress-lb -o wide
NAME                                  READY   STATUS    RESTARTS   AGE   IP                NODE
traefik-ingress-lb-756f5f956b-pmzlb   1/1     Running   0          6m    192.168.232.131   k8s-node2
traefik-ingress-lb-756f5f956b-xpmcl   1/1     Running   0          6m    192.168.232.129   k8s-node3
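This creates a Traefik Deployment with 2 replicas. Using hostPort, each node that runs Traefik listens on port 80 (the Traefik service port) and port 8580 (the Traefik UI), and each of the two nodes runs one Traefik pod.
3. The Traefik UI.
Once Traefik is deployed, the Traefik UI can be reached on port 8580 of the nodes. It is reachable from both nodes, as shown below:
We can also publish an Ingress named traefik-web-ui, so that the Traefik UI can be reached by domain name: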
# vi traefik-ui.yaml
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - name: web
    port: 80
    targetPort: 8580
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  rules:
  - host: traefik-ui.k8s
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: web

# kubectl create -f traefik-ui.yaml
service "traefik-web-ui" created
ingress.extensions "traefik-web-ui" created

# kubectl describe ingress traefik-web-ui -n kube-system
Name:             traefik-web-ui
Namespace:        kube-system
Address:
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host            Path  Backends
  ----            ----  --------
  traefik-ui.k8s
                  /   traefik-web-ui:web (192.168.232.129:8580,192.168.232.131:8580)
Annotations:
Events:  <none>
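We have published a host named traefik-ui.k8s, backed by the traefik-web-ui Service, and the output shows it associated with the pod addresses 192.168.232.129:8580 and 192.168.232.131:8580.
Edit the hosts file so that the Traefik UI can be reached through the traefik-ui.k8s domain name: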
192.168.232.129 traefik-ui.k8s
192.168.232.131 traefik-ui.k8s
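4. Publish other web services.
With Traefik deployed, we can use it to publish our own web applications. Here I have two simple Tomcat service images, test1 and test2. Accessing them returns the strings tomcat_test1 and tomcat_test2 respectively. First I create the pods and Services for tomcat-test1 and tomcat-test2. Port 8080 is Tomcat's HTTP port and 8443 is Tomcat's HTTPS port; this example tests with the HTTP port only.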
# vi tomcat-test1.yaml
#-----Deployment----------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-test1
  labels:
    app: tomcat-test1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tomcat-test1
  template:
    metadata:
      labels:
        app: tomcat-test1
    spec:
      containers:
      - name: tomcat-test1
        image: tomcat_test1:latest
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8443
        - containerPort: 8080
---
#------service---------------
apiVersion: v1
kind: Service
metadata:
  name: tomcat-test1
  labels:
    name: tomcat-test1
spec:
  # Only the HTTP port (8080) is exposed, matching the
  # "kubectl get svc" output below.
  ports:
  - port: 8080
    targetPort: 8080
  selector:
    app: tomcat-test1

# more tomcat-test2.yaml
#-----Deployment----------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-test2
  labels:
    app: tomcat-test2
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tomcat-test2
  template:
    metadata:
      labels:
        app: tomcat-test2
    spec:
      containers:
      - name: tomcat-test2
        image: tomcat_test2:latest
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8443
        - containerPort: 8080
---
#------service---------------
apiVersion: v1
kind: Service
metadata:
  name: tomcat-test2
  labels:
    name: tomcat-test2
spec:
  # Only the HTTP port (8080) is exposed.
  ports:
  - port: 8080
    targetPort: 8080
  selector:
    app: tomcat-test2

# kubectl create -f tomcat-test1.yaml
deployment.apps "tomcat-test1" created
service "tomcat-test1" created

# kubectl create -f tomcat-test2.yaml
deployment.apps "tomcat-test2" created
service "tomcat-test2" created

# kubectl get deployment
NAME           DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
tomcat-test1   1         1         1            1           52m
tomcat-test2   1         1         1            1           47m

# kubectl get svc
NAME           TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
kubernetes     ClusterIP   10.96.0.1        <none>        443/TCP    6d
tomcat-test1   ClusterIP   10.103.134.175   <none>        8080/TCP   52m
tomcat-test2   ClusterIP   10.97.4.120      <none>        8080/TCP   47m
Create the Ingress for test1 to publish the tomcat-test1 service:
# vi ingress-tomcat1.yaml
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-test1-web
  namespace: default
  annotations:
    # Have Traefik (rather than another ingress controller) handle this Ingress.
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: tomcat.test1.k8s
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat-test1
          servicePort: 8080

# kubectl create -f ingress-tomcat1.yaml
ingress.extensions "tomcat-test1-web" created
In the Traefik UI you can see that a rule for the domain tomcat.test1.k8s now exists.
Edit the hosts file and access the tomcat-test1 application through tomcat.test1.k8s:
192.168.232.129 tomcat.test1.k8s
192.168.232.131 tomcat.test1.k8s
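5. Ingress configuration: proxying different web applications by path under one domain.
Often we do not want to configure many domain names just to tell applications apart; separating applications by path under a single domain is much simpler. Ingress provides configuration for this as well.
As shown above, we have two applications, tomcat-test1 and tomcat-test2. Here we can configure the domain tomcat.test.k8s and proxy the two Tomcat applications through the paths test1 and test2 respectively. Path-based routing requires one additional annotation: traefik.frontend.rule.type: PathPrefixStrip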
# vi ingress-tomcat.yaml
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat-test-web
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.frontend.rule.type: PathPrefixStrip
spec:
  rules:
  - host: tomcat.test.k8s
    http:
      paths:
      - path: /test1/
        backend:
          serviceName: tomcat-test1
          servicePort: 8080
      - path: /test2/
        backend:
          serviceName: tomcat-test2
          servicePort: 8080

# kubectl create -f ingress-tomcat.yaml
ingress.extensions "tomcat-test-web" created

# kubectl describe ingress tomcat-test-web
Name:             tomcat-test-web
Namespace:        default
Address:
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host             Path  Backends
  ----             ----  --------
  tomcat.test.k8s
                   /test1/   tomcat-test1:8080 (<none>)
                   /test2/   tomcat-test2:8080 (<none>)
Annotations:
  kubernetes.io/ingress.class:  traefik
  traefik.frontend.rule.type:   PathPrefixStrip
Events:  <none>
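The describe output and the UI both show that tomcat.test.k8s now has proxy rules for /test1/ and /test2/ with their corresponding backends. Edit the hosts file to test whether the path-based routing works: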
192.168.232.129 tomcat.test.k8s
192.168.232.131 tomcat.test.k8s
Afterword
This chapter only sets up Traefik as an HTTP proxy. How to enable Traefik's HTTPS proxying and how to configure Traefik further will be discussed in later posts.