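K8S DNS lets services be discovered automatically "inside" the cluster. How, then, can a service be used and accessed from "outside" the K8S cluster?

- Use a NodePort-type Service. Note: this cannot be used with kube-proxy's ipvs mode, only with the iptables mode.
- Use an Ingress resource. Note: Ingress can only schedule and expose layer-7 applications, specifically the http and https protocols.

Ingress is one of the standard resource types of the K8S API and is also a core resource. It is simply a set of rules, based on domain names and URL paths, that forward user requests to a specified Service resource.

It forwards request traffic from outside the cluster to the inside of the cluster, which is how "service exposure" is achieved.

An Ingress controller is a component that listens on a socket on behalf of Ingress resources and then routes and schedules traffic according to the Ingress rule-matching mechanism.

Put plainly, there is nothing mysterious about Ingress: it is just a simplified nginx (to schedule traffic) plus a piece of go script (to dynamically recognize the resource manifests [yaml files] of Ingress resources).

Commonly used Ingress controller implementations:

- Ingress-nginx
- HAProxy
- Traefik

+++++++++++++++++++++++++++++== #######+++++++++++

Deploying traefik (the ingress controller)

First prepare the traefik image. Do this on hdss7-200.host.com (10.4.7.200):

```bash
mkdir -p /data/k8s-yaml/traefik
```

The official traefik address is https://github.com/traefik/traefik. The version used here is 1.7.2.

```bash
docker pull traefik:v1.7.2-alpine
docker tag add5fac61ae5 harbor.od.com/public/traefik:v1.7.2
docker login harbor.od.com
docker push harbor.od.com/public/traefik:v1.7.2
```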
To deliver the traefik image into k8s we also need a set of resource manifests.

```bash
cd /data/k8s-yaml/traefik
vim rbac.yaml
```

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: traefik-ingress-controller
rules:
  # Read-only access to these resources in every namespace, secrets included
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system
```

#############++++++++

```bash
vim ds.yaml
```

```yaml
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: traefik-ingress
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress
        name: traefik-ingress
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      - image: harbor.od.com/public/traefik:v1.7.2
        name: traefik-ingress
        ports:
        # Ingress traffic: container port 80, published on port 81 of each node
        - name: controller
          containerPort: 80
          hostPort: 81
        - name: admin-web
          containerPort: 8080
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        args:
        - --api                          # enable the API and dashboard
        - --kubernetes                   # enable the Kubernetes ingress provider
        - --logLevel=INFO
        - --insecureskipverify=true      # accept invalid TLS certificates (verification disabled)
        - --kubernetes.endpoint=https://10.4.7.10:7443
        - --accesslog
        - --accesslog.filepath=/var/log/traefik_access.log
        - --traefiklog
        - --traefiklog.filepath=/var/log/traefik.log
        - --metrics.prometheus
```

######+++++++++

```bash
vim svc.yaml
```

```yaml
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress
  ports:
    - protocol: TCP
      port: 80
      name: controller
    - protocol: TCP
      port: 8080
      name: admin-web
```

######+++++++++++

```bash
vim ingress.yaml
```

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik.od.com
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-ingress-service
          servicePort: 8080
```

#########++++++++++++

On hdss7-21.host.com (10.4.7.21):

```bash
kubectl apply -f http://k8s-yaml.od.com/traefik/rbac.yaml
kubectl apply -f http://k8s-yaml.od.com/traefik/ds.yaml
kubectl apply -f http://k8s-yaml.od.com/traefik/svc.yaml
kubectl apply -f http://k8s-yaml.od.com/traefik/ingress.yaml
```
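Three settings in the manifests above are worth reviewing before they are applied: `--insecureskipverify=true` in ds.yaml, the Ingress in ingress.yaml that publishes the admin-web port 8080 at traefik.od.com, and the ClusterRole in rbac.yaml that can read `secrets` in every namespace. The following pre-apply check is an added example, not part of the original post; the function name `audit`, the finding IDs and the `SAMPLE` excerpt are constructed for illustration.

```python
import re

# Constructed excerpt: only the lines of the page's rbac.yaml, ds.yaml and
# ingress.yaml that the checks below read, as one multi-document string.
SAMPLE = """\
kind: ClusterRole
rules:
- resources:
  - secrets
---
kind: DaemonSet
spec:
  template:
    spec:
      containers:
      - args:
        - --api
        - --insecureskipverify=true
---
kind: Ingress
spec:
  rules:
  - host: traefik.od.com
    http:
      paths:
      - backend:
          servicePort: 8080
"""


def audit(manifests):
    """Return review finding IDs (hypothetical names) for the manifests."""
    docs = {}
    for doc in re.split(r"(?m)^---\s*$", manifests):
        kind = re.search(r"(?m)^kind:\s*(\S+)", doc)  # top-level kind only
        if kind:
            docs[kind.group(1)] = doc
    args = {a.lower() for a in
            re.findall(r"(?m)^\s*-\s+(--\S+)", docs.get("DaemonSet", ""))}
    findings = []
    if args & {"--insecureskipverify", "--insecureskipverify=true"}:
        findings.append("tls-verify-disabled")
    # The page's ingress.yaml routes traefik.od.com to port 8080 (admin-web).
    if "--api" in args and re.search(r"servicePort:\s*8080\b", docs.get("Ingress", "")):
        findings.append("dashboard-published-by-ingress")
    if re.search(r"(?m)^\s*-\s+secrets\s*$", docs.get("ClusterRole", "")):
        findings.append("cluster-wide-secret-read")
    return findings
```

Feeding it the concatenated contents of the four yaml files (joined with `---` lines) gives the same findings as the excerpt, since the checks only read top-level `kind:` lines and the list items shown.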
############### If the pod reports the following error on startup:
![]()
Restart docker on both nodes (hdss7-21 and hdss7-22):

```bash
systemctl restart docker
```

Wait a moment, then check the pods again:

```bash
kubectl get pod -n kube-system -o wide
```
#####++++

Configure the reverse proxy. The nginx on both hdss7-11.host.com and hdss7-12.host.com must be configured:

```bash
vim /etc/nginx/conf.d/od.com.conf
```

```nginx
upstream default_backend_traefik {
    server 10.4.7.21:81 max_fails=3 fail_timeout=10s;
    server 10.4.7.22:81 max_fails=3 fail_timeout=10s;
}
server {
    server_name *.od.com;

    location / {
        proxy_pass http://default_backend_traefik;
        proxy_set_header Host $http_host;
        proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
    }
}
```

##########+++++++++++

```bash
nginx -t
nginx -s reload
```

############+++++++++++

Configure host name resolution. Do this on hdss7-11.host.com (10.4.7.11):

```bash
vim /var/named/od.com.zone
```
```bash
systemctl restart named
```

###########++++++++++++

Access it in a browser:
![]()