1. Understand the Ingress

Ingress typically has three components:

  • 1.1 Reverse proxy load balancer: external traffic is distributed to the proxy load balancer. The reverse proxy load balancer and the Ingress Controller are now merged into one component (you can think of 1.1 and 1.2 as one, running as pods within the Kubernetes cluster).
  • 1.2 Ingress Controller: interacts with the Kubernetes API, senses changes to back-end Services and pods in real time, generates configuration from the Ingress policy set, and then updates the configuration of the reverse proxy load balancer to achieve dynamic service discovery and updates.
  • 1.3 Ingress (Ingress policy set): defines the rules by which traffic from outside the cluster reaches services in the cluster.

2. Introducing Traefik

Traefik is an open source reverse proxy and load balancing tool. Its biggest advantage is that it integrates directly with common microservice systems to achieve automatic dynamic configuration. Traefik constantly interacts with the Kubernetes API to detect changes in back-end services and pods in real time, such as pods and services being added or removed. When these changes are received, Ingress automatically updates the configuration and reloads it for service discovery.

3. Environment Introduction

3.1 Cluster Nodes

hostname ip address
k8s-master01 192.168.1.10
k8s-node01 192.168.1.20
k8s-node02 192.168.1.21
k8s-node03 192.168.1.23

3.2 Ingress rules

host                         traefik-service              traefik-ingress-controller      service          pod
cheddar.minikube:30189       traefik-ingress-service:80   traefik-ingress-controller:80   cheddar:80       10.244.2.180:80, 10.244.2.183:80, 10.244.2.167:80
stilton.minikube:30189       traefik-ingress-service:80   traefik-ingress-controller:80   stilton:80       10.244.2.172:80, 10.244.2.191:80, 10.244.2.189:80
wensleydale.minikube:30189   traefik-ingress-service:80   traefik-ingress-controller:80   wensleydale:80   10.244.2.177:80, 10.244.2.166:80, 10.244.2.176:80

3.3 Topology

3.4 Traefik dashboard

host traefik-service traefik-ingress-controller
traefik-ui.minikube:32092 traefik-ingress-service:8080 traefik-ingress-controller:8080

4. Set up role-based access control (RBAC)

To give Traefik the appropriate permissions, the following settings are used:

  • 1. Create a ClusterRole for Traefik and grant it sufficient permissions.
  • 2. Create a ServiceAccount for Traefik.
  • 3. Associate the ClusterRole and ServiceAccount created in steps 1 and 2 through a ClusterRoleBinding. This gives the ServiceAccount user (traefik, which is associated with the ServiceAccount when traefik-ingress-controller is created) the ClusterRole permissions.
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:        # resource group 1
      - services
      - endpoints
      - secrets
    verbs:            # permissions on resource group 1
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses     # resource group 2
    verbs:            # permissions on resource group 2
      - get
      - list
      - watch
  - apiGroups:
    - extensions
    resources:
    - ingresses/status
    verbs:
    - update
    
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: traefik-ingress-controller      
  namespace: traefik
  
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole               
  name: traefik-ingress-controller   # The name of the ClusterRole bound
subjects:
- kind: ServiceAccount          
  name: traefik-ingress-controller   # The name of the bound ServiceAccount
  namespace: traefik

# View the ClusterRole created
[root@k8s-master01 ~]# kubectl describe clusterroles traefik-ingress-controller
Name:         traefik-ingress-controller
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources                    Non-Resource URLs  Resource Names  Verbs
  ---------                    -----------------  --------------  -----
  endpoints                    []                 []              [get list watch]
  secrets                      []                 []              [get list watch]
  services                     []                 []              [get list watch]
  ingresses.extensions         []                 []              [get list watch]
  ingresses.extensions/status  []                 []              [update]
  
# Check the created ServiceAccount
[root@k8s-master01 ~]# kubectl describe serviceaccount -n traefik traefik-ingress-controller
Name:                traefik-ingress-controller
Namespace:           traefik
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   traefik-ingress-controller-token-jml65
Tokens:              traefik-ingress-controller-token-jml65
Events:              <none>

# View the ClusterRoleBinding created
[root@k8s-master01 ~]# kubectl describe clusterrolebinding traefik-ingress-controller -n traefik
Name:         traefik-ingress-controller
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  traefik-ingress-controller
Subjects:
  Kind            Name                        Namespace
  ----            ----                        ---------
  ServiceAccount  traefik-ingress-controller  traefik
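
The ClusterRole above lets Traefik read Secrets in every namespace, although every workload on this page lives in the traefik namespace. As an added example (not part of the original article), here are the same rules as a namespaced Role and RoleBinding; it assumes Traefik 1.7 is also started with `--kubernetes.namespaces=traefik` so that it only watches that namespace.

```yaml
# Added example: least-privilege alternative to the ClusterRole/ClusterRoleBinding.
# Uses rbac.authorization.k8s.io/v1 instead of the page's v1beta1 (assumption:
# the cluster serves v1, as it already serves apps/v1 in section 8).
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
  namespace: traefik            # permissions apply only inside this namespace
rules:
  - apiGroups: [""]
    resources: ["services", "endpoints", "secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses/status"]
    verbs: ["update"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
  namespace: traefik
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role                    # a Role, not a ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: traefik
```

To confirm the scope, `kubectl auth can-i list secrets -n kube-system --as=system:serviceaccount:traefik:traefik-ingress-controller` should answer no, while the same query with `-n traefik` should answer yes.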

5. Create a Deployment

  • Define three Deployments, one for each back-end service: cheddar, stilton and wensleydale.
  • Each Deployment creates a ReplicaSet, which creates the desired number of pod replicas based on the template defined in the Deployment.
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  namespace: traefik
  name: stilton
  labels:
    app: cheese
    cheese: stilton
spec:
  replicas: 3
  selector:
    matchLabels:
      app: cheese
      task: stilton
  template:
    metadata:
      labels:
        app: cheese
        task: stilton
        version: v0.0.1
    spec:
      containers:
      - name: cheese
        image: errm/cheese:stilton
        ports:
        - containerPort: 80
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  namespace: traefik
  name: cheddar
  labels:
    app: cheese
    cheese: cheddar
spec:
  replicas: 3
  selector:
    matchLabels:
      app: cheese
      task: cheddar
  template:
    metadata:
      labels:
        app: cheese
        task: cheddar
        version: v0.0.1
    spec:
      containers:
      - name: cheese
        image: errm/cheese:cheddar
        ports:
        - containerPort: 80
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  namespace: traefik
  name: wensleydale
  labels:
    app: cheese
    cheese: wensleydale
spec:
  replicas: 3
  selector:
    matchLabels:
      app: cheese
      task: wensleydale
  template:
    metadata:
      labels:
        app: cheese
        task: wensleydale
        version: v0.0.1
    spec:
      containers:
      - name: cheese
        image: errm/cheese:wensleydale
        ports:
        - containerPort: 80

# View the Deployments that were created
[root@k8s-master01 ~]# kubectl get deployments -n traefik -o wide
NAME                         READY   UP-TO-DATE   AVAILABLE   AGE   CONTAINERS           IMAGES                    SELECTOR
cheddar                      3/3     3            3           18h   cheese               errm/cheese:cheddar       app=cheese,task=cheddar
stilton                      3/3     3            3           18h   cheese               errm/cheese:stilton       app=cheese,task=stilton
traefik-ingress-controller   1/1     1            1           19h   traefik-ingress-lb   traefik:v1.7              k8s-app=traefik-ingress-lb
wensleydale                  3/3     3            3           18h   cheese               errm/cheese:wensleydale   app=cheese,task=wensleydale

# ReplicaSets created by the Deployments
[root@k8s-master01 ~]# kubectl get replicasets -n traefik -o wide
NAME                                    DESIRED   CURRENT   READY   AGE   CONTAINERS           IMAGES                    SELECTOR
cheddar-845749dbd6                      3         3         3       18h   cheese               errm/cheese:cheddar       app=cheese,pod-template-hash=845749dbd6,task=cheddar
stilton-f89c97cdb                       3         3         3       18h   cheese               errm/cheese:stilton       app=cheese,pod-template-hash=f89c97cdb,task=stilton
traefik-ingress-controller-5c86bf9cd7   1         1         1       19h   traefik-ingress-lb   traefik:v1.7              k8s-app=traefik-ingress-lb,pod-template-hash=5c86bf9cd7
wensleydale-7c5ff658b                   3         3         3       18h   cheese               errm/cheese:wensleydale   app=cheese,pod-template-hash=7c5ff658b,task=wensleydale

# Pods created by the ReplicaSets
[root@k8s-master01 ~]# kubectl get pod -n traefik -o wide
NAME                                          READY   STATUS        RESTARTS   AGE   IP             NODE         NOMINATED NODE   READINESS GATES
cheddar-845749dbd6-hgpsg                      1/1     Running       0          16h   10.244.2.180   k8s-node02   <none>           <none>
cheddar-845749dbd6-kx8sx                      1/1     Running       0          16h   10.244.2.183   k8s-node02   <none>           <none>
cheddar-845749dbd6-v4nch                      1/1     Running       0          17h   10.244.2.167   k8s-node02   <none>           <none>
stilton-f89c97cdb-4wq79                       1/1     Running       0          16h   10.244.2.191   k8s-node02   <none>           <none>
stilton-f89c97cdb-772x5                       1/1     Running       0          16h   10.244.2.172   k8s-node02   <none>           <none>
stilton-f89c97cdb-gzwv9                       1/1     Running       0          16h   10.244.2.189   k8s-node02   <none>           <none>
traefik-ingress-controller-5c86bf9cd7-grgm5   1/1     Running       0          16h   10.244.2.173   k8s-node02   <none>           <none>
wensleydale-7c5ff658b-7plfx                   1/1     Running       0          17h   10.244.2.176   k8s-node02   <none>           <none>
wensleydale-7c5ff658b-8gspc                   1/1     Running       0          16h   10.244.2.176   k8s-node02   <none>           <none>
wensleydale-7c5ff658b-ldzdp                   1/1     Running       0          16h   10.244.2.176   k8s-node02   <none>           <none>

6. Create the Service

Create three ClusterIP services (the default type) to load balance the traffic of the three pods created in Step 5.

---
apiVersion: v1
kind: Service
metadata:
  namespace: traefik
  name: stilton
spec:
  ports:
  - name: http
    targetPort: 80
    port: 80
  selector:
    app: cheese
    task: stilton
---
apiVersion: v1
kind: Service
metadata:
  namespace: traefik
  name: cheddar
spec:
  ports:
  - name: http
    targetPort: 80
    port: 80
  selector:
    app: cheese
    task: cheddar
---
apiVersion: v1
kind: Service
metadata:
  namespace: traefik
  name: wensleydale
spec:
  ports:
  - name: http
    targetPort: 80
    port: 80
  selector:
    app: cheese
    task: wensleydale

# View the Services that were created
[root@k8s-master01 ~]# kubectl get service -o wide -n traefik
NAME          TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE   SELECTOR
cheddar       ClusterIP   10.101.171.243   <none>        80/TCP    25h   app=cheese,task=cheddar
stilton       ClusterIP   10.106.215.138   <none>        80/TCP    25h   app=cheese,task=stilton
wensleydale   ClusterIP   10.97.14.121     <none>        80/TCP    25h   app=cheese,task=wensleydale

7. Create Ingress (Ingress policy set)

Create three Ingress rules that define which Service each requested domain name is routed to.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  namespace: traefik
  name: cheese
spec:
  rules:
  - host: stilton.minikube     # Domain name used to access the back-end service
    http:
      paths:
      - path: /
        backend:
          serviceName: stilton   # The back-end Service that receives the traffic
          servicePort: http
  - host: cheddar.minikube
    http:
      paths:
      - path: /
        backend:
          serviceName: cheddar
          servicePort: http
  - host: wensleydale.minikube
    http:
      paths:
      - path: /
        backend:
          serviceName: wensleydale
          servicePort: http

# View the Ingress created
[root@k8s-master01 ~]# kubectl describe ingresses -n traefik cheese
Name:             cheese
Namespace:        traefik
Address:
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host                  Path  Backends
  ----                  ----  --------
  stilton.minikube
                        /   stilton:http (10.244.2.172:80,10.244.2.189:80,10.244.2.191:80)
  cheddar.minikube
                        /   cheddar:http (10.244.2.167:80,10.244.2.180:80,10.244.2.183:80)
  wensleydale.minikube
                        /   wensleydale:http (10.244.2.166:80,10.244.2.176:80,10.244.2.177:80)
Annotations:
Events:  <none>

8. Configure Traefik

---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik-ingress-controller
  namespace: traefik
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      # Run the traefik-ingress-controller pod as the ServiceAccount created in section 4,
      # so that Traefik receives the permissions bound to that ServiceAccount
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      - image: traefik:v1.7
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
        - name: admin
          containerPort: 8080
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO

---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: traefik
spec:
  selector:
    k8s-app: traefik-ingress-lb    
  ports:
    - protocol: TCP
      port: 80    # Internal port that traefik-ingress-controller provides for load balancing
      name: web
    - protocol: TCP
      port: 8080    # Internal port that traefik-ingress-controller provides for Dashboard access
      name: admin
  type: NodePort   # Exposes the traefik-ingress-controller service directly on the nodes
  
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: traefik
spec:
  rules:
  - host: traefik-ui.minikube    # Access the traefik Dashboard domain name
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-ingress-service   # The Service behind the Traefik Dashboard
          servicePort: web
# Check the Deployment created for Traefik
[root@k8s-master01 ~]# kubectl get deployments -n traefik -o wide
NAME                         READY   UP-TO-DATE   AVAILABLE   AGE   CONTAINERS           IMAGES         SELECTOR
traefik-ingress-controller   1/1     1            1           19h   traefik-ingress-lb   traefik:v1.7   k8s-app=traefik-ingress-lb

[root@k8s-master01 ~]# kubectl get replicaset -n traefik -o wide
NAME                                    DESIRED   CURRENT   READY   AGE   CONTAINERS           IMAGES                    SELECTOR
traefik-ingress-controller-5c86bf9cd7   1         1         1       19h   traefik-ingress-lb   traefik:v1.7              k8s-app=traefik-ingress-lb,pod-template-hash=5c86bf9cd7

[root@k8s-master01 ~]# kubectl get pod -n traefik -o wide
NAME                                          READY   STATUS        RESTARTS   AGE   IP             NODE         NOMINATED NODE   READINESS GATES
traefik-ingress-controller-5c86bf9cd7-grgm5   1/1     Running       0          16h   10.244.2.173   k8s-node02   <none>           <none>

# View the Service created for Traefik
[root@k8s-master01 ~]# kubectl get service -o wide -n traefik
NAME                      TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                       AGE   SELECTOR
traefik-ingress-service   NodePort    10.97.120.98     <none>        80:30189/TCP,8080:32092/TCP   19h   k8s-app=traefik-ingress-lb

# view the ingress created by Traefik
[root@k8s-master01 ~]# kubectl describe ingresses -n traefik traefik-web-ui
Name:             traefik-web-ui
Namespace:        traefik
Address:
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host                 Path  Backends
  ----                 ----  --------
  traefik-ui.minikube
                       /   traefik-ingress-service:web (10.244.2.173:80)
Annotations:
  kubectl.kubernetes.io/last-applied-configuration:  {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{},"name":"traefik-web-ui","namespace":"traefik"},"spec":{"rules":[{"host":"traefik-ui.minikube","http":{"paths":[{"backend":{"serviceName":"traefik-ingress-service","servicePort":"web"},"path":"/"}]}}]}}

Events:  <none>

9. Access verification

9.1 Adding hosts records on the client

The names can be resolved to any node in the cluster.

vim /etc/hosts
# Add the following four lines:
192.168.1.10 traefik-ui.minikube
192.168.1.10 cheddar.minikube
192.168.1.10 stilton.minikube
192.168.1.10 wensleydale.minikube

9.2 Logging In to the Traefik Dashboard

Go to http://traefik-ui.minikube:32092

9.3 Accessing Three Services Using Domain Names

Go to http://cheddar.minikube:30189