
Kubernetes traffic entry control: the Ingress Controller

2019-03-08 10:26:48

Kubernetes Ingress controller

Preface:

traefik

Traefik is a lightweight HTTP reverse proxy and load balancer written in Go. Because it configures and refreshes backend nodes automatically, it is supported by most container platforms today, such as Kubernetes, Swarm and Rancher. Since traefik talks to the Kubernetes API in real time, it reacts quickly when a Service's endpoints change. Overall, traefik runs well in Kubernetes.

Nginx-Ingress-Controller

Nginx-Ingress-Controller is familiar to most people who have just started with k8s: a layer-7 reverse proxy that exposes Services to the outside. The latest release at the time of writing is 0.9.0-beta.15, so nginx-ingress-controller is still in beta. Anyone who has used it knows the power of its annotation-based configuration, which allows rich per-Service customisation, something traefik cannot yet match.

Deployment:

To use traefik we likewise need to deploy a traefik Pod. In the demo cluster only the master node has an external network interface, so the master is our only edge node and we deploy traefik there. First, for safety, we use RBAC authorization (rbac.yaml):

              vim traefik-rbac.yaml

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-ops
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-ops

              kubectl apply -f traefik-rbac.yaml

# kubectl get ClusterRole -n kube-ops | grep traefik
traefik-ingress-controller   11m
# kubectl get ClusterRoleBinding -n kube-ops | grep traefik
traefik-ingress-controller   2m36s
# kubectl get sa -n kube-ops
NAME                         SECRETS   AGE
default                      1         44h
prometheus                   1         14h
traefik-ingress-controller   1         11m

The SA, ClusterRole and ClusterRoleBinding resources are now visible.
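The ClusterRole above is read-only, but it grants the controller's ServiceAccount read access to every Secret in the cluster, not just the TLS secrets it needs. The following audit is an added example (not code from the original post): the rules are transcribed from traefik-rbac.yaml into Python structures so it runs without PyYAML, and the SENSITIVE_READ set is an assumed local policy list.

```python
# Added example: least-privilege audit of the ClusterRole rules granted to the
# Traefik ServiceAccount. Rules are transcribed from the page's traefik-rbac.yaml.
READ_VERBS = {"get", "list", "watch"}
# Assumption: resources whose cluster-wide *read* access we treat as sensitive.
SENSITIVE_READ = {"secrets"}

# Transcribed from traefik-rbac.yaml (ClusterRole traefik-ingress-controller).
TRAEFIK_RULES = [
    {"apiGroups": [""], "resources": ["services", "endpoints", "secrets"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions"], "resources": ["ingresses"],
     "verbs": ["get", "list", "watch"]},
]


def audit_rules(rules):
    """Return (severity, message) findings for a list of RBAC rules."""
    findings = []
    for rule in rules:
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = set(rule.get("verbs", []))
        # Wildcards in groups or resources mean the rule reaches far beyond Ingress needs.
        if "*" in resources or "*" in groups:
            findings.append(("high", f"wildcard grant: groups={groups} resources={resources}"))
        if "*" in verbs:
            findings.append(("high", f"wildcard verbs on {resources}"))
        # Anything beyond get/list/watch lets the controller modify cluster state.
        write = verbs - READ_VERBS
        if write:
            findings.append(("high", f"write verbs {sorted(write)} on {resources}"))
        # Read of sensitive resources in a ClusterRole applies to every namespace.
        for res in resources:
            if res in SENSITIVE_READ and verbs & READ_VERBS:
                findings.append(("medium",
                                 f"cluster-wide read of {res}: every TLS key and "
                                 "token in the cluster is readable by this ServiceAccount"))
    return findings


def is_read_only(rules):
    """True when the rules contain no high-severity (write or wildcard) grants."""
    return all(sev != "high" for sev, _ in audit_rules(rules))


if __name__ == "__main__":
    for sev, msg in audit_rules(TRAEFIK_RULES):
        print(f"[{sev}] {msg}")
```

If all TLS secrets the Ingress objects reference live in a few namespaces, a namespaced Role/RoleBinding for `secrets` in those namespaces removes the cluster-wide medium finding while keeping the controller working.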

              vim traefik-deployment.yaml

---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-ops
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
        - image: traefik
          name: traefik-ingress-lb
          ports:
            - name: http
              containerPort: 80
              hostPort: 80
            - name: admin
              containerPort: 8080
          args:
            - --api
            - --kubernetes
            - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-ops
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
  type: NodePort

The hostPort field next to containerPort maps the container's port directly onto port 80 of the host. Before creating the Ingress resource we first need a demo web application.

I start by deploying a test app: vim traefik-backend-app.yaml creates a Deployment and a Service, and then I test access. The application deployed here is reachable only through its ClusterIP, and a ClusterIP is reachable only from inside the K8S cluster. To reach the app from outside the hosts, the Service would have to be changed to type NodePort. Suppose hundreds of applications run on one host: switching each Service to NodePort adds hundreds of iptables rules on that host, and every host needs the same treatment, which inevitably becomes a management burden. This is why the Ingress resource exists. The path for a client reaching a web application inside the k8s cluster should be: first the company's external SLB device (either a hardware load balancer such as F5, or software such as LVS), then from the external LB to the k8s cluster's Ingress Controller. The Ingress Controller is the cluster's entry point, much like an nginx server. It can serve HTTPS and can route to backend upstream servers by virtual host or by URL mapping. The backend upstream servers are the actual running Pods, so the k8s cluster only needs to expose the Ingress Controller.

Figure: traefik1.jpg

# kubectl get pods -n kube-ops
NAME                                          READY   STATUS    RESTARTS   AGE
myapp-deploy-6b56d98b6b-65jc9                 1/1     Running   0          7m30s
myapp-deploy-6b56d98b6b-r92p8                 1/1     Running   0          7m30s
myapp-deploy-6b56d98b6b-rrb5b                 1/1     Running   0          7m30s
node-exporter-788bd                           1/1     Running   1          43h
node-exporter-7vfs7                           1/1     Running   1          43h
node-exporter-xkj2b                           1/1     Running   1          43h
prometheus-848d44c7bc-zwlb8                   1/1     Running   0          15h
redis-58c6c94968-qcq6p                        2/2     Running   2          44h
traefik-ingress-controller-86d4b5fcbf-6pfm5   1/1     Running   0          25m
traefik-ingress-controller-86d4b5fcbf-bs69c   1/1     Running   0          25m
# kubectl get svc -n kube-ops
NAME                      TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                       AGE
myapp                     ClusterIP   10.98.239.156    <none>        80/TCP                        8m47s
prometheus                NodePort    10.109.108.37    <none>        9090:31312/TCP                44h
redis                     ClusterIP   10.100.225.179   <none>        6379/TCP,9121/TCP             44h
traefik-ingress-service   NodePort    10.111.9.88      <none>        80:30582/TCP,8080:30048/TCP   25m

# curl 10.98.239.156
Hello MyApp | Version: v2 | Pod Name

---
apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: kube-ops
spec:
  selector:
    app: myapp
    release: canary
  ports:
    - name: http
      targetPort: 80
      port: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deploy
  namespace: kube-ops
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
      release: canary
  template:
    metadata:
      labels:
        app: myapp
        release: canary
    spec:
      containers:
        - name: myapp
          image: ikubernetes/myapp:v2
          ports:
            - name: http
              containerPort: 80   # the port the Service's targetPort 80 points at

Now we create an Ingress object: vim traefik-ingress.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-app
  namespace: kube-ops
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
    - host: myapp.maimaiti.cn
      http:
        paths:
          - backend:
              serviceName: myapp
              servicePort: 80

kubectl apply -f traefik-ingress.yaml
# kubectl get ingress -n kube-ops
NAME          HOSTS               ADDRESS   PORTS   AGE
ingress-app   myapp.maimaiti.cn             80      8s

Now add A records to the hosts file on your own computer; the IP for the domain is the k8s node running traefik-ingress-controller. Since two of my nodes run traefik-ingress-controller, I bound both addresses:

10.83.32.146 myapp.maimaiti.cn
10.83.32.138 myapp.maimaiti.cn

Opening http://myapp.maimaiti.cn in the browser gives:
Hello MyApp | Version: v2 | Pod Name


Besides reaching the application Pods in the k8s cluster through the Ingress Controller, traefik Ingress also provides a management UI. Now let's create another Deployment running a tomcat application and expose it through the traefik Ingress Controller as well.

apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: kube-ops
spec:
  selector:
    app: tomcat
    release: canary
  ports:
    - name: http
      targetPort: 8080
      port: 8080
    - name: ajp
      targetPort: 8009
      port: 8009
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: kube-ops
spec:
  replicas: 3
  selector:
    matchLabels:
      app: tomcat
      release: canary
  template:
    metadata:
      labels:
        app: tomcat
        release: canary
    spec:
      containers:
        - name: tomcat
          image: tomcat:8.5.32-jre8-alpine
          ports:
            - name: http
              containerPort: 8080
            - name: ajp
              containerPort: 8009

kubectl apply -f traefik-backend-tomcat.yaml

Then modify the Ingress resource again so that the tomcat application is reachable under the domain tomcat.maimaiti.cn:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-app
  namespace: kube-ops
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
    - host: myapp.maimaiti.cn
      http:
        paths:
          - backend:
              serviceName: myapp
              servicePort: 80
    - host: tomcat.maimaiti.cn
      http:
        paths:
          - backend:
              serviceName: tomcat
              servicePort: 8080

kubectl apply -f traefik-ingress.yaml

Now add the A records to the hosts file on your own computer again; the IP for each domain is the k8s node running traefik-ingress-controller. Since two of my nodes run traefik-ingress-controller, I bound both addresses:

10.83.32.146 myapp.maimaiti.cn tomcat.maimaiti.cn
10.83.32.138 myapp.maimaiti.cn tomcat.maimaiti.cn

Figure: traefik-1.png

Figure: traefik-2.png

2. HTTPS configuration for the traefik Ingress Controller
2.1. Write the traefik Ingress Controller's toml configuration file:
vim traefik.toml

defaultEntryPoints = ["http", "https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/tls.crt"
      KeyFile = "/ssl/tls.key"
[metrics]
  [metrics.prometheus]
  entryPoint = "traefik"
  buckets = [0.1, 0.3, 1.2, 5.0]

kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-ops

# kubectl describe cm -n kube-ops traefik-conf
Name:         traefik-conf
Namespace:    kube-ops
Labels:       <none>
Annotations:  <none>

Data
====
traefik.toml:
----
defaultEntryPoints = ["http", "https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/tls.crt"
      KeyFile = "/ssl/tls.key"
[metrics]
  [metrics.prometheus]
  entryPoint = "traefik"
  buckets = [0.1, 0.3, 1.2, 5.0]

Events:  <none>

The configuration file mainly contains the certificate locations for the HTTPS entrypoint and the Prometheus monitoring settings. Next, create a self-signed certificate:

# openssl req -newkey rsa:2048 -nodes -keyout tls.key -x509 -days 365 -out tls.crt
Generating a 2048 bit RSA private key
...........+++
................................................................+++
writing new private key to 'tls.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:SZ
Organization Name (eg, company) [Default Company Ltd]:MMT
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:gaoyang
Email Address []:[email protected]
# ll
total 32
-rw-r--r-- 1 root root 1367 Mar  7 14:55 tls.crt
-rw-r--r-- 1 root root 1708 Mar  7 14:55 tls.key
-rw-r--r-- 1 root root  601 Mar  7 10:55 traefik-backend-app.yaml
-rw-r--r-- 1 root root  718 Mar  7 13:44 traefik-backend-tomcat.yaml
-rw-r--r-- 1 root root 1028 Mar  7 11:02 traefik-deployment.yaml
-rw-r--r-- 1 root root  418 Mar  7 14:07 traefik-ingress.yaml
-rw-r--r-- 1 root root  800 Mar  7 10:28 traefik-rbac.yaml
-rw-r--r-- 1 root root  364 Mar  7 14:50 traefik.toml
# create the Secret resource that holds the certificate files the Pod will mount
kubectl create secret generic traefik-cert --from-file=tls.crt --from-file=tls.key -n kube-ops

Next, modify the traefik Ingress Controller Deployment: add the ConfigMap and Secret so the configuration file and certificate can be read, and expose port 443 for HTTPS access.

---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-ops
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 2
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      volumes:
        - name: ssl
          secret:
            secretName: traefik-cert
        - name: config
          configMap:
            name: traefik-conf
      containers:
        - image: traefik
          name: traefik-ingress-lb
          volumeMounts:
            - name: "ssl"
              mountPath: "/ssl"
            - name: "config"
              mountPath: "/config"
          ports:
            - name: http
              containerPort: 80
              hostPort: 80
            - name: https
              containerPort: 443
              hostPort: 443
            - name: admin
              containerPort: 8080
          args:
            - --configfile=/config/traefik.toml
            - --api
            - --kubernetes
            - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-ops
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
  type: NodePort

# Note: the Deployment file was modified here to mount the Secret and the ConfigMap and to add the startup argument that reads the configuration file.

Next, modify the Ingress resource to add HTTPS access:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-app
  namespace: kube-ops
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  tls:
    - hosts:
        - myapp.maimaiti.cn
      secretName: traefik-cert
  rules:
    - host: myapp.maimaiti.cn
      http:
        paths:
          - backend:
              serviceName: myapp
              servicePort: 80
    - host: tomcat.maimaiti.cn
      http:
        paths:
          - backend:
              serviceName: tomcat
              servicePort: 8080

kubectl apply -f traefik-ingress.yaml

Now tomcat and the app can be accessed over https.
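The final Ingress declares TLS only for myapp.maimaiti.cn, so tomcat.maimaiti.cn is served with whatever certificate the https entrypoint in traefik.toml falls back to. The following check is an added example (not code from the original post): the Ingress is transcribed into a Python dict, and KNOWN_SECRETS is constructed from the kubectl create secret command above.

```python
# Added example: lint an Ingress for hosts without an explicit spec.tls entry,
# TLS hosts that route nowhere, and TLS secrets that do not exist in its namespace.
# INGRESS is transcribed from the page's final traefik-ingress.yaml.
INGRESS = {
    "apiVersion": "extensions/v1beta1", "kind": "Ingress",
    "metadata": {"name": "ingress-app", "namespace": "kube-ops",
                 "annotations": {"kubernetes.io/ingress.class": "traefik"}},
    "spec": {
        "tls": [{"hosts": ["myapp.maimaiti.cn"], "secretName": "traefik-cert"}],
        "rules": [
            {"host": "myapp.maimaiti.cn",
             "http": {"paths": [{"backend": {"serviceName": "myapp", "servicePort": 80}}]}},
            {"host": "tomcat.maimaiti.cn",
             "http": {"paths": [{"backend": {"serviceName": "tomcat", "servicePort": 8080}}]}},
        ],
    },
}
# Constructed: (namespace, name) pairs of secrets created earlier on the page.
KNOWN_SECRETS = {("kube-ops", "traefik-cert")}


def _tls_hosts(ingress):
    return {h for t in ingress["spec"].get("tls", []) for h in t.get("hosts", [])}


def _rule_hosts(ingress):
    return [r["host"] for r in ingress["spec"].get("rules", []) if r.get("host")]


def uncovered_hosts(ingress):
    """Routed hosts with no spec.tls entry: served with the entrypoint's fallback cert."""
    covered = _tls_hosts(ingress)
    return [h for h in _rule_hosts(ingress) if h not in covered]


def unrouted_tls_hosts(ingress):
    """TLS hosts that no rule routes: dead configuration worth cleaning up."""
    routed = set(_rule_hosts(ingress))
    return sorted(h for h in _tls_hosts(ingress) if h not in routed)


def missing_secrets(ingress, known):
    """secretName values under spec.tls that do not exist in the Ingress's namespace."""
    ns = ingress["metadata"].get("namespace", "default")
    return [t["secretName"] for t in ingress["spec"].get("tls", [])
            if (ns, t.get("secretName")) not in known]


def lint(ingress, known):
    findings = [f"{h}: no spec.tls entry" for h in uncovered_hosts(ingress)]
    findings += [f"{h}: tls host has no matching rule" for h in unrouted_tls_hosts(ingress)]
    findings += [f"{s}: tls secret missing in namespace" for s in missing_secrets(ingress, known)]
    return findings
```

Separately from what this check covers, the certificate generated above has Common Name "gaoyang" and no subjectAltName, so browsers report a hostname mismatch for both hosts even when the secret is present; issuing the certificate with DNS SANs for the Ingress hosts avoids that.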

Figure: https1.png

Figure: tomcat_https.png
