1 Two K8s service exposure methods
Earlier, CoreDNS was set up inside the K8s cluster to map service names to service IPs automatically, so a service's IP address no longer has to be remembered: a Pod can be reached simply through the service name.
Outside the K8s cluster, however, a service obviously cannot be resolved by its service name or service IP.
To reach resources inside the K8s cluster from outside, the service exposure feature is needed.
1.1 The two commonly used K8s service exposure methods
- Use a NodePort-type Service
  A NodePort-type Service works like port mapping: a port inside the container is mapped to a port on the host.
  For this the K8s cluster cannot use ipvs scheduling; it must use iptables, and only rr mode is supported.
- Use an Ingress resource
  Ingress is one of the standard K8s API resources, and a core one.
  It is a set of rules based on domain names and URL paths that forward user requests to the specified Service resource.
  It can forward request traffic from outside the cluster to the inside, thereby achieving 'service exposure'.
1.2 What an Ingress controller is
It can be understood as a simplified version of nginx.
An Ingress controller is a component that listens on a socket on behalf of Ingress resources and then routes and schedules traffic according to the Ingress rule matching mechanism.
It only works at layer 7; exposing HTTP is recommended, and HTTPS can be handled by the front-end nginx performing TLS (certificate) offloading.
The ingress controller we use is Traefik.
traefik: GitHub official address
2 Deploying traefik
As before, pull the docker image and create the manifests on 7.200, then apply the manifests from any master node.
2.1 Prepare the docker image
docker pull traefik:v1.7.2-alpine
docker tag traefik:v1.7.2-alpine harbor.zq.com/public/traefik:v1.7.2
docker push harbor.zq.com/public/traefik:v1.7.2
2.2 Create the resource manifests
mkdir -p /data/k8s-yaml/traefik
2.2.1 RBAC authorization manifest
cat >/data/k8s-yaml/traefik/rbac.yaml <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: traefik-ingress-controller
rules:
  # read-only access to the objects Traefik needs to build its routing table
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
EOF
2.2.2 DaemonSet manifest
cat >/data/k8s-yaml/traefik/ds.yaml <<EOF
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: traefik-ingress
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress
        name: traefik-ingress
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      - image: harbor.zq.com/public/traefik:v1.7.2
        name: traefik-ingress
        ports:
        - name: controller
          containerPort: 80
          hostPort: 81            # the front-end nginx upstreams point at this host port
        - name: admin-web
          containerPort: 8080
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
        - --insecureskipverify=true     # skips TLS certificate verification of the API server endpoint below
        - --kubernetes.endpoint=https://10.4.7.10:7443
        - --accesslog
        - --accesslog.filepath=/var/log/traefik_access.log
        - --traefiklog
        - --traefiklog.filepath=/var/log/traefik.log
        - --metrics.prometheus
EOF
2.2.3 Service manifest
cat >/data/k8s-yaml/traefik/svc.yaml <<EOF
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress
  ports:
    - protocol: TCP
      port: 80
      name: controller
    - protocol: TCP
      port: 8080
      name: admin-web
EOF
2.2.4 Ingress manifest
cat >/data/k8s-yaml/traefik/ingress.yaml <<EOF
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik.zq.com
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-ingress-service
          servicePort: 8080
EOF
2.3 Create the resources
2.3.1 Create the resources on any node
kubectl create -f http://k8s-yaml.zq.com/traefik/rbac.yaml
kubectl create -f http://k8s-yaml.zq.com/traefik/ds.yaml
kubectl create -f http://k8s-yaml.zq.com/traefik/svc.yaml
kubectl create -f http://k8s-yaml.zq.com/traefik/ingress.yaml
2.3.2 Set up a reverse proxy on the front-end nginx
On both 7.11 and 7.12, configure a reverse proxy that forwards all requests for the wildcard domain to traefik.
cat >/etc/nginx/conf.d/zq.com.conf <<'EOF'
upstream default_backend_traefik {
    server 10.4.7.21:81 max_fails=3 fail_timeout=10s;
    server 10.4.7.22:81 max_fails=3 fail_timeout=10s;
}
server {
    server_name *.zq.com;
    location / {
        proxy_pass http://default_backend_traefik;
        proxy_set_header Host $http_host;
        proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
    }
}
EOF
# check the configuration and reload nginx
nginx -t
nginx -s reload
2.3.3 Add the DNS record in bind9
The resolution record for the traefik service has to be added to DNS; note that it is bound to the VIP.
vi /var/named/zq.com.zone
........
traefik A 10.4.7.10
Remember to roll the serial number forward.
Restart the named service:
systemctl restart named
# verify the resolution with dig
[root@hdss7-11 ~]# dig -t A traefik.zq.com +short
10.4.7.10
2.3.4 Verify access from outside the cluster
From outside the cluster, visit http://traefik.zq.com; if the web page is displayed normally, the service has been exposed successfully.
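As an added example that is not part of the original post, the following Python script models, offline, the request path the steps above build: bind9 A record, front-end nginx wildcard server_name with upstreams on hostPort 81, then the Traefik Ingress rule to the Service port. All data is constructed from the manifests on this page; modeling Ingress matching as exact host plus longest path prefix is an assumption of this script, not Traefik's own code.

```python
"""Offline model of the exposure chain built above:
DNS (bind9) -> front-end nginx (wildcard server_name, upstreams on hostPort 81)
-> Traefik (Ingress host + path-prefix rule) -> Service:port."""
from fnmatch import fnmatch
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed from the manifests on this page (zone file, nginx server block,
# DaemonSet hostPort, Ingress rule); not read from a live cluster.
DNS = {"traefik.zq.com": "10.4.7.10"}                   # A record bound to the VIP
NGINX_SERVER_NAMES = ["*.zq.com"]                       # server_name *.zq.com
TRAEFIK_UPSTREAMS = ["10.4.7.21:81", "10.4.7.22:81"]    # node IP + hostPort 81
INGRESS_RULES = [  # (host, path prefix, serviceName, servicePort)
    ("traefik.zq.com", "/", "traefik-ingress-service", 8080),
]

def resolve(host: str) -> Optional[str]:
    """bind9 step: the client resolves the name to the VIP, not to a node."""
    return DNS.get(host)

def nginx_matches(host_header: str) -> bool:
    """nginx step: a leading '*' in server_name matches one or more labels,
    which fnmatch's '*' also does ('zq.com' itself is NOT matched)."""
    return any(fnmatch(host_header, p) for p in NGINX_SERVER_NAMES)

def traefik_route(host_header: str, path: str) -> Optional[Tuple[str, int]]:
    """Traefik step (assumed model): exact host match, longest matching path prefix."""
    best = None
    for rule_host, prefix, svc, port in INGRESS_RULES:
        if rule_host == host_header and path.startswith(prefix):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, svc, port)
    return None if best is None else (best[1], best[2])

def trace(url: str) -> Tuple[str, object]:
    """Walk a request through the chain. Returns ("ok", (vip, upstreams, backend))
    or (stage, None) naming the stage that dropped the request."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    vip = resolve(host)
    if vip is None:
        return ("dns", None)            # NXDOMAIN: the request never leaves the client
    if not nginx_matches(host):
        return ("nginx", None)          # lands on nginx's default server, never reaches traefik
    backend = traefik_route(host, path)
    if backend is None:
        return ("traefik", None)        # no Ingress rule for this host/path: Traefik answers 404
    return ("ok", (vip, TRAEFIK_UPSTREAMS, backend))
```

Calling trace("http://traefik.zq.com/") returns the VIP, the two hostPort upstreams and the traefik-ingress-service:8080 backend, while any name absent from the zone or host header outside *.zq.com is reported with the stage that dropped it.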