Traefik2 DaemonSet

For cloud native microservices we use Traefik2 as our gateway, and naturally we deploy it to the Kubernetes cluster as a DaemonSet (or a Deployment). Pods deployed by a DaemonSet have the following characteristics:

  • Every worker node in the Kubernetes cluster runs this Pod (a Traefik2 instance)

  • There is exactly one such Pod instance on each worker node

  • When a new worker node joins the Kubernetes cluster, the Pod is automatically created on it, and when an old worker node is deleted, the Pod on it is deleted accordingly.

Our Traefik2 DaemonSet looks like this:

Note that args imports four variables from the ConfigMap, with the following values:

    # Access the HTTP port
    web_port=80

    # Access the HTTPS port
    websecure_port=443

    # Traefik dashboard port (default)
    traefik_port=8080

    # Which namespaces' resources to watch. If there are several namespaces, separate them with commas. The default is all namespaces
    watch_namespace=example-beta

If you install two Traefik instances with DaemonSets, each of the four variables above must be changed for the second instance so the two do not collide: one Traefik exposes internal services and the other exposes external services.

With Kubernetes, traffic is routed as follows:

    internet
        |
   [ Ingress ]
   --|-----|--
   [ Services ]


Ports 80/443 are the two ports through which external requests are forwarded to Kubernetes Services.

Specify the namespaces to watch

If we do not specify which namespaces' resources Traefik2 watches (the default is all of them), then a request aimed at one namespace may end up reaching resources of another namespace:

    curl -H 'Host: www.example-beta.com' www.example-rc.com

www.example-beta.com is deployed in the example-beta namespace and www.example-rc.com in the example-rc namespace; yet the request above reaches the example-beta resource, which is obviously not secure.

Traefik's Ingress routing rule matches on the Host header, so whoever changes the Host header reaches another namespace's resource.

I will say more about the Traefik IngressRoute below.

Use Traefik2 IngressRoute instead of Kubernetes Ingress

Traefik2 is not only a gateway but also an ingress controller (Nginx is another well-known one), and with it we configure our matching rules using an IngressRoute instead of the Kubernetes Ingress.

The previous Kubernetes Ingress rule looked like this:

With an IngressRoute it looks like this:

Why is CRD needed?

Kubernetes supports CRDs (Custom Resource Definitions). IngressRoute is a Kind provided by Traefik that Kubernetes does not recognize on its own, so we just need to add the CRD.

For everything about the Kubernetes CRD configuration, please refer to the official documentation: docs.traefik.io/reference/d…

Accessing cluster Resources (RBAC)

RBAC stands for Role-Based Access Control.

RBAC is actually quite simple. If you think of your own business system, you only need to know the following concepts.

Kubernetes Services, Ingresses, ConfigMaps, Secrets and so on are all resources. They are usually accessed by a single account, and the question is which role that account belongs to.

For example, HR can look up every employee's salary, while an employee can only see their own.

Correspondingly, Kubernetes has three basic concepts:

  1. Role: a set of rules that define a set of permissions on Kubernetes API objects
  2. Subject: the subject can be a “person”, a “machine”, or a “user” as you define it in Kubernetes.
  3. RoleBinding: defines the binding relationship between the “subject” and the “role”

The rules field of a Role object is the set of permission rules it defines. In the example above, the rule allows the subject to perform GET, WATCH and LIST operations on Pod objects in MyNamespace.

The RoleBinding object defines a subjects field, i.e. the subjects. Its kind is User, a Kubernetes User, and the user's name is example-user.

The User here is in fact Kubernetes' built-in account type, the ServiceAccount.

In Kubernetes, Role and RoleBinding objects are namespaced, and the permissions they grant are restricted to their own namespace. For non-namespaced objects (such as Node), or when a single Role should apply to all namespaces, a ClusterRole and a ClusterRoleBinding are used instead (as in the configuration we posted above).
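As an added illustration of the scoping rules described above (this is not code from the original post), here is a small Python model of how the API server evaluates a request against Role/RoleBinding and ClusterRole/ClusterRoleBinding objects. The pod-reader Role and the example-user binding follow the post's description; the node-reader ClusterRole and the gateway-sa ServiceAccount are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    verbs: frozenset      # e.g. {"get", "watch", "list"}; "*" matches any verb
    resources: frozenset  # e.g. {"pods"}; "*" matches any resource

@dataclass(frozen=True)
class Role:
    # namespace=None models a ClusterRole, otherwise a namespaced Role
    name: str
    rules: tuple
    namespace: Optional[str] = None

@dataclass(frozen=True)
class Binding:
    # namespace=None models a ClusterRoleBinding, otherwise a RoleBinding
    role: Role
    subjects: frozenset    # subjects as "Kind:name" strings
    namespace: Optional[str] = None

def _rule_allows(rule: Rule, verb: str, resource: str) -> bool:
    return (verb in rule.verbs or "*" in rule.verbs) and \
           (resource in rule.resources or "*" in rule.resources)

def can(bindings, subject: str, verb: str, resource: str, namespace: Optional[str] = None) -> bool:
    """Decide whether `subject` may perform `verb` on `resource`.
    namespace=None means a cluster-scoped object such as a Node."""
    for b in bindings:
        if subject not in b.subjects:
            continue
        # A RoleBinding only grants inside its own namespace, and therefore never
        # on cluster-scoped objects; a ClusterRoleBinding grants everywhere.
        if b.namespace is not None and namespace != b.namespace:
            continue
        if any(_rule_allows(r, verb, resource) for r in b.role.rules):
            return True
    return False

# Constructed objects matching the post's description: a Role granting
# get/watch/list on Pods in MyNamespace, bound to User example-user.
POD_READER = Role("pod-reader", (Rule(frozenset({"get", "watch", "list"}), frozenset({"pods"})),), "MyNamespace")
# Assumed ClusterRole for a gateway's ServiceAccount (not from the post).
NODE_READER = Role("node-reader", (Rule(frozenset({"get", "list"}), frozenset({"nodes"})),))
BINDINGS = (
    Binding(POD_READER, frozenset({"User:example-user"}), "MyNamespace"),
    Binding(NODE_READER, frozenset({"ServiceAccount:kube-system:gateway-sa"})),
)
```

Calling can(BINDINGS, "User:example-user", "list", "pods", "MyNamespace") is allowed, while the same verb in another namespace, a DELETE in MyNamespace, or any access to Nodes is denied for that user.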

At this point, Traefik2 has been installed.

Conclusion

There is a fixed process for installing third-party components:

  1. Install using DaemonSet/Deployment
  2. Specify the CRD
  3. Specify the RBAC

For Traefik2 specifically, if you want to install two Traefik instances (one internal and one external) on a worker node, you need to change at least three ports.