Operation development story public account member: Jock
Traefik Mesh is a lightweight service grid that is simple, easy to install and easy to use.
Traefik Mesh is built on Traefik [1] and is suitable for Kubernetes cluster that conforms to the latest network interface specification SMI [2].
Traefik Mesh is non-invasive, meaning that using Traefik Mesh does not change your existing Kubernetes objects.
Non-invasive service grid
Traefik Mesh does not use any sidecar mode and its routing is done through a proxy running on each node. The grid controller also runs through a separate Pod and is responsible for handling all configuration analysis and deployment of the agent nodes.
useTraefik meshAfter that, the logic is as follows.
Traefik Mesh does not intercept or modify traffic in the form of sidecar. How does this work?
It is actually using CoreDNS [3]. By modifying a small amount of configuration of CoreDNS to allow the use of Mesh endpoints instead of standard Kubernetes endpoints, Mesh endpoints run in parallel with the use of services, and users can choose whether to use it or not.
The installation
Prerequisite: Kubernetes 1.11+ CoreDNS 1.3+ Helm v3
The installation of Traefik Mesh is simple and quick with Helm.
(1) Add Helm warehouse
helm repo add traefik-mesh https://helm.traefik.io/mesh
helm repo update
Copy the code(2) Download Chart package
helm pull traefik-mesh/traefik-mesh
Copy the code(3) Decompress the Chart package
tar xf Traefik - mesh - 3.0.6 TGZ
Copy the codeTraefik Mesh deploises four services. They are:
- Controller: Controller of the Mesh. It is responsible for all configuration analysis and configuration of agent nodes
- Proxy: A Mesh proxy that processes the traffic of each node
- Tracing: Tracing configuration
- Metrics: Monitoring configuration
(4) Install Traefik Mesh
helm install traefik-mesh .
Copy the codeTraefik Mesh requires the cooperation of CoreDNS. The major changes are as follows:
#### Begin Maesh Block
maesh:53 {
errors
rewrite continue {
name regex ([a-zA-Z0-9-_](*) \.[a-zv0-9-_]*)\.maesh default-{1}-6d61657368-{2}.default.svc.cluster.local
answer name default-([a-zA-Z0-9-_]*)-6d61657368-([a-zA-Z0-9-_]*)\.default\.svc\.cluster\.local {1}.{2}.maesh
}
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
upstream
fallthrough in-addr.arpa ip6.arpa
}
forward . /etc/resolv.conf
cache 30
loop
reload
loadbalance
}
#### End Maesh Block
#### Begin Traefik Mesh Block
traefik.mesh:53 {
errors
rewrite continue {
name regex ([a-zA-Z0-9-_](*) \.[a-zv0-9-_]*)\.traefik.mesh default-{1}-6d61657368-{2}.default.svc.cluster.local
answer name default-([a-zA-Z0-9-_]*)-6d61657368-([a-zA-Z0-9-_]*)\.default\.svc\.cluster\.local {1}.{2}.traefik.mesh
}
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
upstream
fallthrough in-addr.arpa ip6.arpa
}
forward . /etc/resolv.conf
cache 30
loop
reload
loadbalance
}
#### End Traefik Mesh Block
Copy the codeIf during deployment, coreDNS reports the following error:
plugin/forward: this plugin can only be used once per Server Block
Copy the codeCheck the configMap configuration of coreDNS to see whether there are two forwards under DNS.
configuration
Traefik Mesh configurations include static configuration and dynamic configuration.
Static configuration
- You can specify it manually
controllerMirror version andTraefikThe mirror version - You can configure the
controllerandproxiesLog level and format - You can configure the
meshThe default isHTTP - You can open
tracingfunction - You can open
ACLThe permission control function, which configures the Traefik grid to run in ACL mode except through SMITraffic targetExplicitly allow, otherwise disable all traffic
Dynamic configuration
Using Annotations and SMI objects on the Kubernetes Service, you can provide dynamic configuration for Traefik Mesh. Dynamic configuration parameters are as follows:
- Traffic-Type
- Scheme
- Retry
- Circuit-Breaker
- Rate-Limit
- Traffic-Split
- Traffic-Targe
This section briefly describes how to configure annotations in a Kubernetes service.
(1) traffic-type Is used to configure the Traffic Type. TCP, UDP, and HTTP can be configured. If no Traffic Type is configured, HTTP is used by default.
mesh.traefik.io/traffic-type: "http"
Copy the code(2) Scheme mainly configurates the request protocol, including HTTP, HTTPS, and H2C. The configuration is as follows:
mesh.traefik.io/scheme: "h2c"
Copy the code(3) Retry number of retries. If the network is abnormal, the system will Retry several times based on the configuration. If the Retry still fails, the system will return a failure.
mesh.traefik.io/retry-attempts: "2"
Copy the code(4) Cricuit Break is used to disconnect traffic forwarding. When the system is healthy, it is disabled by default. If the system is abnormal, it is enabled and no traffic is forwarded to the abnormal system.
mesh.traefik.io/circuit-breaker-expression: "Expression"
Copy the code(5) Rate limit is mainly used to configure traffic limiting. The unit is the number of requests per second. You can configure average request and burst request as follows:
mesh.traefik.io/ratelimit-average: "100"
mesh.traefik.io/ratelimit-burst: "200"
Copy the code(6) Access Control Is used to configure permission control. You can configure which clients are allowed to Access the application. For example, define the following route:
---
apiVersion: specs.smi-spec.io/v1alpha3
kind: HTTPRouteGroup
metadata:
name: server-routes
namespace: server
spec:
matches:
- name: api
pathRegex: /api
methods: ["*"]
- name: metrics
pathRegex: /metrics
methods: ["GET"]
Copy the codeIt means that the/API path can be accessed from any method, except the GET method for the /metrics path. By default, all traffic is denied. To grant access to clients, you need to configure TrafficTarget as follows:
---
apiVersion: access.smi-spec.io/v1alpha2
kind: TrafficTarget
metadata:
name: client-server-target
namespace: server
spec:
destination:
kind: ServiceAccount
name: server
namespace: server
rules:
- kind: HTTPRouteGroup
name: server-routes
matches:
- api
sources:
- kind: ServiceAccount
name: client
namespace: client
Copy the codeThis configuration allows all PODS running in the client namespace with SA as the client to access API routes.
(7) Traffic Split is mainly used for Traffic Split, especially useful when doing canary release, such as the following configuration:
apiVersion: split.smi-spec.io/v1alpha3
kind: TrafficSplit
metadata:
name: server-split
namespace: server
spec:
service: server
backends:
- service: server-v1
weight: 80
- service: server-v2
weight: 20
Copy the code80% of the traffic is forwarded to server-V1 and 20% to server-V2.
example
With Traefik Mesh installed and deployed, the following is an official example for simple testing. (1) Deploy an application
apiVersion: v1
kind: Namespace
metadata:
name: whoami
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: whoami-server
namespace: whoami
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: whoami-client
namespace: whoami
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: whoami
namespace: whoami
spec:
replicas: 2
selector:
matchLabels:
app: whoami
template:
metadata:
labels:
app: whoami
spec:
serviceAccount: whoami-server
containers:
- name: whoami
image: Traefik/whoami: v1.6.0
imagePullPolicy: IfNotPresent
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: whoami-tcp
namespace: whoami
spec:
replicas: 2
selector:
matchLabels:
app: whoami-tcp
template:
metadata:
labels:
app: whoami-tcp
spec:
serviceAccount: whoami-server
containers:
- name: whoami-tcp
image: Traefik/whoamitcp: v0.1.0
imagePullPolicy: IfNotPresent
---
apiVersion: v1
kind: Service
metadata:
name: whoami
namespace: whoami
labels:
app: whoami
spec:
type: ClusterIP
ports:
- port: 80
name: whoami
selector:
app: whoami
---
apiVersion: v1
kind: Service
metadata:
name: whoami-tcp
namespace: whoami
labels:
app: whoami-tcp
spec:
type: ClusterIP
ports:
- port: 8080
name: whoami-tcp
selector:
app: whoami-tcp
---
apiVersion: v1
kind: Pod
metadata:
name: whoami-client
namespace: whoami
spec:
serviceAccountName: whoami-client
containers:
- name: whoami-client
image: Giantswarm/tiny - tools: 3.9
command:
- "sleep"
- "3600"
Copy the codeTwo applications are deployed, one HTTP application and the other TCP application.
You can view the startup status of the application by naming it as followskubectl get all -n whoami.
You can then test the following application connectivity as follows:
# kubectl -n whoami exec whoami-client -- curl -s whoami.whoami.svc.cluster.local
Hostname: whoami-576cb59fd-qvnl7
IP: 127.0. 01.
IP: 172.16235.193.
RemoteAddr: 172.167.181.: 33150
GET / HTTP / 1.1
Host: whoami.whoami.svc.cluster.local
User-Agent: The curl / 7.64.0
Accept: * / *
# kubectl -n whoami exec -ti whoami-client -- nc whoami-tcp.whoami.svc.cluster.local 8080
my data
Received: my data
Received:
eee
Received: eee
eee
Received: eee
Copy the codeTraefik. IO /traffic-type for HTTP applications: Traefik. IO /traffic-type: “TCP” annotations
---
apiVersion: v1
kind: Service
metadata:
name: whoami
namespace: whoami
labels:
app: whoami
annotations:
mesh.traefik.io/traffic-type: "http"
mesh.traefik.io/retry-attempts: "2"
spec:
type: ClusterIP
ports:
- port: 80
name: whoami
selector:
app: whoami
---
apiVersion: v1
kind: Service
metadata:
name: whoami-tcp
namespace: whoami
labels:
app: whoami-tcp
annotations:
mesh.traefik.io/traffic-type: "tcp"
spec:
type: ClusterIP
ports:
- port: 8080
name: whoami-tcp
selector:
app: whoami-tcp
Copy the codeTo access the service now, simply change svc.cluster.local to traefik.mesh. For example, the previous access mode is as follows:
kubectl -n whoami exec whoami-client -- curl -s whoami.whoami.svc.cluster.local
Copy the codeAfter traefik mesh is added, it is:
kubectl -n whoami exec whoami-client -- curl -s whoami.whoami.traefik.mesh
Copy the codeOf course, the previous access mode still exists, which way is up to the user.
footnotes
[1] traefik.io/traefik/ [2] smi-spec. IO / [3] coredns.io/