Service introduction
Ingress
An Ingress gives a Service an externally reachable URL, load balancing, SSL termination and HTTP routing. To make Ingress rules take effect, the cluster administrator has to deploy an Ingress controller: it watches Ingress and Service objects for changes, configures the load balancer according to the rules and provides the entry point into the cluster.
Traefik
Traefik is a lightweight HTTP reverse proxy and load balancer written in Go. Because it discovers and refreshes backend nodes automatically, it is supported by most container platforms, including Kubernetes, Swarm and Rancher. Traefik talks to the Kubernetes API in real time, so it reacts quickly when the endpoints behind a Service change. Overall, Traefik runs well on Kubernetes.

RBAC
Role-based access control
RBAC introduces four new top-level resource objects: Role, ClusterRole, RoleBinding and ClusterRoleBinding. Like any other API resource, they can be managed with kubectl or through direct API calls.
- Role and ClusterRole
A role is a set of permissions. Rules are purely additive: they only grant access, and there are no deny rules. A Role defines permissions within a single namespace; for cluster-wide permissions a ClusterRole is required.
- RoleBinding and ClusterRoleBinding
A RoleBinding or ClusterRoleBinding binds a role to a set of subjects; a subject can be a User, a Group or a ServiceAccount. A RoleBinding grants the permissions within one namespace, a ClusterRoleBinding grants them across the whole cluster.

Deploying the Traefik service
The official documentation defines two deployment modes, DaemonSet and Deployment. The main differences are:
- Compared with a DaemonSet, which runs exactly one Traefik pod per node, a Deployment is easier to scale up and down;
- With a DaemonSet, ports 80 and 443 can be reached on any node; with a Deployment, traffic has to go through the Service object defined for it.
A DaemonSet guarantees that one copy of the container runs on every Node, and is commonly used to deploy cluster-wide logging, monitoring or other system management applications. Typical uses include:
- log collection, e.g. fluentd, logstash
- system monitoring, e.g. Prometheus Node Exporter, collectd, New Relic agent, Ganglia gmond
- system daemons, e.g. kube-proxy, kube-dns, glusterd, ceph
The deployment below uses a DaemonSet.
# vim traefik_http.yml
# ClusterRole traefik-ingress-controller: read-only access to the objects Traefik watches
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
# ServiceAccount for the controller
# A ServiceAccount gives the processes in a Pod an identity of their own for calling the Kubernetes API or other external services
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
# ClusterRoleBinding
# Binds the traefik-ingress-controller ServiceAccount to the traefik-ingress-controller ClusterRole.
# Because this is a ClusterRoleBinding, the read access defined above applies in every namespace, not only kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
# The Traefik controller itself
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      terminationGracePeriodSeconds: 60
      hostNetwork: true   # the pod shares the node's network namespace, so port 80 is reachable on every node
      containers:
        - image: traefik:1.7.9
          name: traefik-ingress-lb
          ports:
            - name: http
              containerPort: 80
              hostPort: 80
            - name: admin
              containerPort: 8080
          securityContext:
            privileged: true   # Traefik does not need a privileged container; hostNetwork already exposes the ports, so this can be dropped
          args:
            - -d             # debug logging
            - --web          # enable the web UI / API on port 8080
            - --kubernetes   # enable the Kubernetes provider
---
# Services for the Traefik UI
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system   # added: the selector can only match the DaemonSet pods if the Service is in the same namespace
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
  type: NodePort
# document separator added: without it the two Service documents were merged into one with duplicate keys
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - port: 80
      targetPort: 8080
---
# Ingress for the Traefik UI
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
    - host: traefik.ui.com   # hostname
      http:
        paths:
          - backend:
              serviceName: traefik-web-ui   # name of the Traefik UI service
              servicePort: 80
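To make the RBAC section and the ClusterRole in the manifest concrete, here is an added example (not code from the original post) that applies the allow-only RBAC semantics described above to the controller's rules: a request is permitted only if some binding for the subject carries a matching rule, and a RoleBinding never grants anything outside its own namespace even when it references a ClusterRole. The rule set is the page's traefik-ingress-controller ClusterRole; the second binding for a `reader` ServiceAccount in a `demo` namespace is a constructed contrast case.

```python
# Minimal RBAC evaluator for (verb, apiGroup, resource, namespace) requests.
# Only the rule/binding subset used on this page is modelled (no resourceNames,
# no nonResourceURLs); the point is the allow-only, deny-by-default logic.

# The ClusterRole from the manifest: read-only on services/endpoints/secrets/ingresses.
TRAEFIK_RULES = [
    {"apiGroups": [""], "resources": ["services", "endpoints", "secrets"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions"], "resources": ["ingresses"],
     "verbs": ["get", "list", "watch"]},
]
ROLES = {("ClusterRole", "traefik-ingress-controller"): TRAEFIK_RULES}

# namespace None = ClusterRoleBinding (cluster-wide); a namespace = RoleBinding,
# which scopes the referenced role to that namespace only.
BINDINGS = [
    {"subject": "system:serviceaccount:kube-system:traefik-ingress-controller",
     "roleRef": ("ClusterRole", "traefik-ingress-controller"), "namespace": None},
    # Constructed contrast: same ClusterRole, bound only inside "demo" via a RoleBinding.
    {"subject": "system:serviceaccount:demo:reader",
     "roleRef": ("ClusterRole", "traefik-ingress-controller"), "namespace": "demo"},
]


def _rule_matches(rule, verb, group, resource):
    """A rule allows a request when every field matches literally or via '*'."""
    def hit(values, want):
        return "*" in values or want in values
    return (hit(rule["apiGroups"], group) and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))


def can_i(subject, verb, resource, group="", namespace=None):
    """True if any binding for `subject` carries a rule that allows the request."""
    for binding in BINDINGS:
        if binding["subject"] != subject:
            continue
        if binding["namespace"] is not None and binding["namespace"] != namespace:
            continue  # RoleBinding: no effect in other namespaces or cluster scope
        if any(_rule_matches(r, verb, group, resource) for r in ROLES[binding["roleRef"]]):
            return True
    return False  # no matching allow rule anywhere: RBAC denies by default
```

Note that `can_i(traefik_sa, "get", "secrets", namespace="default")` is allowed: a ClusterRoleBinding makes the controller's read access to Secrets cluster-wide, which is the privilege a reviewer would weigh when granting this role.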
Create the resources
# kubectl apply -f traefik.yml
clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller unchanged
clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller unchanged
serviceaccount/traefik-ingress-controller unchanged
configmap/traefik-conf configured
daemonset.extensions/traefik-ingress-controller configured
service/traefik-web-ui unchanged
ingress.extensions/traefik-web-ui configured
Check the web service
# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                  AGE
heapster               ClusterIP   10.254.173.231   <none>        80/TCP                   29h
kube-dns               ClusterIP   10.254.0.10      <none>        53/UDP,53/TCP,9153/TCP   4d5h
kubernetes-dashboard   NodePort    10.254.252.116   <none>        443:30195/TCP            4d3h
monitoring-grafana     ClusterIP   10.254.48.16     <none>        80/TCP                   29h
monitoring-influxdb    ClusterIP   10.254.68.108    <none>        8086/TCP                 29h
traefik-web-ui         ClusterIP   10.254.219.247   <none>        80/TCP                   10m
