1. Understand the Ingress
Ingress typically has three components:
- 1.1 Reverse Proxy Load Balancer: Distributes external traffic entering the cluster. The reverse proxy load balancer and the Ingress Controller have now been merged into one component (you can think of 1.1 and 1.2 as one, running as pods inside the Kubernetes cluster).
- 1.2 Ingress Controller: Interacts with the Kubernetes API, senses changes to back-end Services and Pods in real time, generates configuration from the Ingress policy set, and then updates the configuration of the reverse proxy load balancer to achieve dynamic service discovery and updates.
- 1.3 Ingress (Ingress policy set): Defines the rules by which traffic from outside the cluster reaches services inside the cluster.
2. Introducing Traefik
Traefik is an open source reverse proxy and load balancing tool. Its biggest advantage is that it integrates directly with common microservice systems to achieve automatic dynamic configuration. Traefik constantly interacts with the Kubernetes API to detect changes in back-end services and pods in real time, such as pods and services being added or removed. When such a change is received, the Ingress controller automatically updates its configuration and reloads it for service discovery.
3. Environment Introduction
3.1 Cluster Nodes
hostname | ip address |
---|---|
k8s-master01 | 192.168.1.10 |
k8s-node01 | 192.168.1.20 |
k8s-node02 | 192.168.1.21 |
k8s-node03 | 192.168.1.23 |
3.2 Ingress rules
host | traefik-service | traefik-ingress-controller | service | pod |
---|---|---|---|---|
cheddar.minikube:30189 | traefik-ingress-service:80 | traefik-ingress-controller:80 | cheddar:80 | 10.244.2.180:80, 10.244.2.183:80, 10.244.2.167:80 |
stilton.minikube:30189 | traefik-ingress-service:80 | traefik-ingress-controller:80 | stilton:80 | 10.244.2.172:80, 10.244.2.191:80, 10.244.2.189:80 |
wensleydale.minikube:30189 | traefik-ingress-service:80 | traefik-ingress-controller:80 | wensleydale:80 | 10.244.2.177:80, 10.244.2.166:80, 10.244.2.176:80 |
3.3 the topology
3.4 traefik dashboard
host | traefik-service | traefik-ingress-controller |
---|---|---|
traefik-ui.minikube:32092 | traefik-ingress-service:8080 | traefik-ingress-controller:8080 |
4. Set up role-based access control (RBAC)
To give Traefik the appropriate permissions, the following settings are used:
- 1. Create a ClusterRole for Traefik and grant it sufficient permissions
- 2. Create a ServiceAccount for Traefik
- 3. Bind the ClusterRole and ServiceAccount created in steps 1 and 2 with a ClusterRoleBinding. This gives the ServiceAccount (traefik-ingress-controller, which is attached to Traefik when the traefik-ingress-controller Deployment is created) the permissions of the ClusterRole.
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:            # resource set 1
      - services
      - endpoints
      - secrets
    verbs:                # permissions on resource set 1
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:            # resource set 2
      - ingresses
    verbs:                # permissions on resource set 2
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: traefik-ingress-controller
  namespace: traefik
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller   # the name of the ClusterRole being bound
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller # the name of the ServiceAccount being bound
    namespace: traefik
# View the ClusterRole created
[root@k8s-master01 ~]# kubectl describe clusterroles traefik-ingress-controller
Name: traefik-ingress-controller
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
endpoints [] [] [get list watch]
secrets [] [] [get list watch]
services [] [] [get list watch]
ingresses.extensions [] [] [get list watch]
ingresses.extensions/status [] [] [update]
# Check the created ServiceAccount
[root@k8s-master01 ~]# kubectl describe serviceaccount -n traefik traefik-ingress-controller
Name: traefik-ingress-controller
Namespace: traefik
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: traefik-ingress-controller-token-jml65
Tokens: traefik-ingress-controller-token-jml65
Events: <none>
# View the ClusterRoleBinding created
[root@k8s-master01 ~]# kubectl describe clusterrolebinding traefik-ingress-controller -n traefik
Name: traefik-ingress-controller
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: traefik-ingress-controller
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount traefik-ingress-controller traefik
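The ClusterRole above lets the Traefik ServiceAccount read Secrets in every namespace. When Traefik only serves Ingresses from one namespace, the same verbs can be granted with a namespaced Role and RoleBinding, shown here as an added example that is not part of the original walkthrough. It assumes that everything Traefik needs lives in the traefik namespace, that the cluster serves rbac.authorization.k8s.io/v1, and that Traefik 1.7 is started with --kubernetes.namespaces=traefik so it does not try to watch other namespaces.

```yaml
# Added example: namespace-scoped replacement for the ClusterRole/ClusterRoleBinding.
# Assumption: every Ingress, Service and Secret Traefik needs is in namespace "traefik".
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
  namespace: traefik
rules:
  - apiGroups: [""]
    resources:
      - services
      - endpoints
      - secrets            # readable only inside "traefik", not cluster-wide
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources:
      - ingresses
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources:
      - ingresses/status
    verbs: ["update"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
  namespace: traefik
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: traefik
# In the Traefik Deployment, add this to args so only this namespace is watched:
#   - --kubernetes.namespaces=traefik
```

With only the Role bound, `kubectl auth can-i list secrets -n kube-system --as=system:serviceaccount:traefik:traefik-ingress-controller` should answer `no`, while the same query with `-n traefik` answers `yes`.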
5. Create a Deployment
- Define three Deployments, one per back-end service: cheddar, stilton and wensleydale.
- Defining a Deployment creates a ReplicaSet, which creates the desired number of pod replicas from the template defined in the Deployment.
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  namespace: traefik
  name: stilton
  labels:
    app: cheese
    cheese: stilton
spec:
  replicas: 3
  selector:
    matchLabels:
      app: cheese
      task: stilton
  template:
    metadata:
      labels:
        app: cheese
        task: stilton
        version: v0.0.1
    spec:
      containers:
        - name: cheese
          image: errm/cheese:stilton
          ports:
            - containerPort: 80
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  namespace: traefik
  name: cheddar
  labels:
    app: cheese
    cheese: cheddar
spec:
  replicas: 3
  selector:
    matchLabels:
      app: cheese
      task: cheddar
  template:
    metadata:
      labels:
        app: cheese
        task: cheddar
        version: v0.0.1
    spec:
      containers:
        - name: cheese
          image: errm/cheese:cheddar
          ports:
            - containerPort: 80
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  namespace: traefik
  name: wensleydale
  labels:
    app: cheese
    cheese: wensleydale
spec:
  replicas: 3
  selector:
    matchLabels:
      app: cheese
      task: wensleydale
  template:
    metadata:
      labels:
        app: cheese
        task: wensleydale
        version: v0.0.1
    spec:
      containers:
        - name: cheese
          image: errm/cheese:wensleydale
          ports:
            - containerPort: 80
View the Deployments that were created
[root@k8s-master01 ~]# kubectl get deployments -n traefik -o wide
NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
cheddar 3/3 3 3 18h cheese errm/cheese:cheddar app=cheese,task=cheddar
stilton 3/3 3 3 18h cheese errm/cheese:stilton app=cheese,task=stilton
traefik-ingress-controller 1/1 1 1 19h traefik-ingress-lb traefik:v1.7 k8s-app=traefik-ingress-lb
wensleydale 3/3 3 3 18h cheese errm/cheese:wensleydale app=cheese,task=wensleydale
ReplicaSets created from the Deployments
[root@k8s-master01 ~]# kubectl get replicasets -n traefik -o wide
NAME DESIRED CURRENT READY AGE CONTAINERS IMAGES SELECTOR
cheddar-845749dbd6 3 3 3 18h cheese errm/cheese:cheddar app=cheese,pod-template-hash=845749dbd6,task=cheddar
stilton-f89c97cdb 3 3 3 18h cheese errm/cheese:stilton app=cheese,pod-template-hash=f89c97cdb,task=stilton
traefik-ingress-controller-5c86bf9cd7 1 1 1 19h traefik-ingress-lb traefik:v1.7 k8s-app=traefik-ingress-lb,pod-template-hash=5c86bf9cd7
wensleydale-7c5ff658b 3 3 3 18h cheese errm/cheese:wensleydale app=cheese,pod-template-hash=7c5ff658b,task=wensleydale
Pods created by the ReplicaSets
[root@k8s-master01 ~]# kubectl get pod -n traefik -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
cheddar-845749dbd6-hgpsg 1/1 Running 0 16h 10.244.2.180 k8s-node02 <none> <none>
cheddar-845749dbd6-kx8sx 1/1 Running 0 16h 10.244.2.183 k8s-node02 <none> <none>
cheddar-845749dbd6-v4nch 1/1 Running 0 17h 10.244.2.167 k8s-node02 <none> <none>
stilton-f89c97cdb-4wq79 1/1 Running 0 16h 10.244.2.191 k8s-node02 <none> <none>
stilton-f89c97cdb-772x5 1/1 Running 0 16h 10.244.2.172 k8s-node02 <none> <none>
stilton-f89c97cdb-gzwv9 1/1 Running 0 16h 10.244.2.189 k8s-node02 <none> <none>
traefik-ingress-controller-5c86bf9cd7-grgm5 1/1 Running 0 16h 10.244.2.173 k8s-node02 <none> <none>
wensleydale-7c5ff658b-7plfx 1/1 Running 0 17h 10.244.2.176 k8s-node02 <none> <none>
wensleydale-7c5ff658b-8gspc 1/1 Running 0 16h 10.244.2.176 k8s-node02 <none> <none>
wensleydale-7c5ff658b-ldzdp 1/1 Running 0 16h 10.244.2.176 k8s-node02 <none> <none>
6. Create the Service
Create three ClusterIP services (the default type) to load balance the traffic of the three pods created in Step 5.
---
apiVersion: v1
kind: Service
metadata:
  namespace: traefik
  name: stilton
spec:
  ports:
    - name: http
      targetPort: 80
      port: 80
  selector:
    app: cheese
    task: stilton
---
apiVersion: v1
kind: Service
metadata:
  namespace: traefik
  name: cheddar
spec:
  ports:
    - name: http
      targetPort: 80
      port: 80
  selector:
    app: cheese
    task: cheddar
---
apiVersion: v1
kind: Service
metadata:
  namespace: traefik
  name: wensleydale
spec:
  ports:
    - name: http
      targetPort: 80
      port: 80
  selector:
    app: cheese
    task: wensleydale
View the created Services
[root@k8s-master01 ~]# kubectl get service -o wide -n traefik
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
cheddar ClusterIP 10.101.171.243 <none> 80/TCP 25h app=cheese,task=cheddar
stilton ClusterIP 10.106.215.138 <none> 80/TCP 25h app=cheese,task=stilton
wensleydale ClusterIP 10.97.14.121 <none> 80/TCP 25h app=cheese,task=wensleydale
7. Create Ingress (Ingress policy set)
Create three Ingress rules that define which service each requested domain name is routed to.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  namespace: traefik
  name: cheese
spec:
  rules:
    - host: stilton.minikube          # domain name used to reach the back-end service
      http:
        paths:
          - path: /
            backend:
              serviceName: stilton    # back-end Service that receives the traffic
              servicePort: http
    - host: cheddar.minikube
      http:
        paths:
          - path: /
            backend:
              serviceName: cheddar
              servicePort: http
    - host: wensleydale.minikube
      http:
        paths:
          - path: /
            backend:
              serviceName: wensleydale
              servicePort: http
View the Ingress created
[root@k8s-master01 ~]# kubectl describe ingresses -n traefik cheese
Name: cheese
Namespace: traefik
Address:
Default backend: default-http-backend:80 (<none>)
Rules:
Host Path Backends
---- ---- --------
stilton.minikube
/ stilton:http (10.244.2.172:80,10.244.2.189:80,10.244.2.191:80)
cheddar.minikube
/ cheddar:http (10.244.2.167:80,10.244.2.180:80,10.244.2.183:80)
wensleydale.minikube
/ wensleydale:http (10.244.2.166:80,10.244.2.176:80,10.244.2.177:80)
Annotations:
Events: <none>
8. Configure Traefik
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik-ingress-controller
  namespace: traefik
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      # Attach the traefik-ingress-controller ServiceAccount to the pod
      # (this gives Traefik the permissions granted to that ServiceAccount)
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
        - image: traefik:v1.7
          name: traefik-ingress-lb
          ports:
            - name: http
              containerPort: 80
            - name: admin
              containerPort: 8080
          args:
            - --api
            - --kubernetes
            - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: traefik
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80      # internal port of traefik-ingress-controller for load-balanced traffic
      name: web
    - protocol: TCP
      port: 8080    # internal port of traefik-ingress-controller for dashboard access
      name: admin
  type: NodePort    # expose the traefik-ingress-controller service directly on the nodes
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: traefik
spec:
  rules:
    - host: traefik-ui.minikube   # domain name used to reach the Traefik dashboard
      http:
        paths:
          - path: /
            backend:
              serviceName: traefik-ingress-service   # Service that fronts the Traefik dashboard
              servicePort: web
# Check the Deployment created for Traefik
[root@k8s-master01 ~]# kubectl get deployments -n traefik -o wide
NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
traefik-ingress-controller 1/1 1 1 19h traefik-ingress-lb traefik:v1.7 k8s-app=traefik-ingress-lb
[root@k8s-master01 ~]# kubectl get replicaset -n traefik -o wide
NAME DESIRED CURRENT READY AGE CONTAINERS IMAGES SELECTOR
traefik-ingress-controller-5c86bf9cd7 1 1 1 19h traefik-ingress-lb traefik:v1.7 k8s-app=traefik-ingress-lb,pod-template-hash=5c86bf9cd7
[root@k8s-master01 ~]# kubectl get pod -n traefik -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
traefik-ingress-controller-5c86bf9cd7-grgm5 1/1 Running 0 16h 10.244.2.173 k8s-node02 <none> <none>
# View the Service created for Traefik
[root@k8s-master01 ~]# kubectl get service -o wide -n traefik
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
traefik-ingress-service NodePort 10.97.120.98 <none> 80:30189/TCP,8080:32092/TCP 19h k8s-app=traefik-ingress-lb
# View the Ingress created for Traefik
[root@k8s-master01 ~]# kubectl describe ingresses -n traefik traefik-web-ui
Name: traefik-web-ui
Namespace: traefik
Address:
Default backend: default-http-backend:80 (<none>)
Rules:
Host Path Backends
---- ---- --------
traefik-ui.minikube
/ traefik-ingress-service:web (10.244.2.173:80)
Annotations:
kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{},"name":"traefik-web-ui","namespace":"traefik"},"spec":{"rules":[{"host":"traefik-ui.minikube","http":{"paths":[{"backend":{"serviceName":"traefik-ingress-service","servicePort":"web"},"path":"/"}]}}]}}
Events: <none>
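The manifests in this section start Traefik with --api and publish port 8080 on NodePort 32092, so the dashboard and API answer on every node without a login. The variant below is an added example, not part of the original walkthrough: it keeps only the proxy port on the NodePort, moves the admin port to a ClusterIP Service, and puts Traefik 1.7 basic authentication on the dashboard Ingress. The Service name traefik-dashboard and the Secret name traefik-dashboard-auth are hypothetical.

```yaml
# Added example: keep the dashboard off the NodePort and require basic auth.
# Assumption: Secret "traefik-dashboard-auth" holds an htpasswd file, created with:
#   htpasswd -c ./auth <user>
#   kubectl create secret generic traefik-dashboard-auth --from-file auth -n traefik
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: traefik
spec:
  type: NodePort
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web             # only the proxy port is reachable on the nodes
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-dashboard   # hypothetical name; ClusterIP, so 8080 gets no node port
  namespace: traefik
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 8080
      name: admin
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: traefik
  annotations:
    traefik.ingress.kubernetes.io/auth-type: basic
    traefik.ingress.kubernetes.io/auth-secret: traefik-dashboard-auth
spec:
  rules:
    - host: traefik-ui.minikube
      http:
        paths:
          - path: /
            backend:
              serviceName: traefik-dashboard
              servicePort: admin
```

With this variant the dashboard is reached through the proxy port (http://traefik-ui.minikube:30189 in this environment) and prompts for credentials. Because the setup is plain HTTP, the basic-auth credentials cross the network unencrypted unless TLS is added.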
9. Access verification
9.1 Adding hosts records on the Client
The names can be resolved to any node in the cluster.
vim /etc/hosts
Add the following four lines:
192.168.1.10 traefik-ui.minikube
192.168.1.10 cheddar.minikube
192.168.1.10 stilton.minikube
192.168.1.10 wensleydale.minikube
9.2 Logging In to the Traefik Dashboard
Go to http://traefik-ui.minikube:32092
9.3 Accessing Three Services Using Domain Names
Go to http://cheddar.minikube:30189