Install traefik ingress in Kubernetes
# Download the manifests
# The manifests are in https://github.com/containous/traefik/tree/v1.7/examples/k8s
# Three files there have names starting with traefik-; traefik-deployment.yaml is not used here
# Use either traefik-deployment.yaml or traefik-ds.yaml; traefik-ds.yaml is recommended because the configuration below is based on it
# ui.yaml defines the svc and ingress for the traefik dashboard. It is not needed here because port 8080 listens directly on the node
Download the following two files from the link above
traefik-rbac.yaml traefik-ds.yaml
# The link above is a directory page (wget on it only saves HTML), so fetch the raw files:
wget https://raw.githubusercontent.com/containous/traefik/v1.7/examples/k8s/traefik-rbac.yaml
wget https://raw.githubusercontent.com/containous/traefik/v1.7/examples/k8s/traefik-ds.yaml
# By default the svc exposes traefik through a NodePort, and the NodePort range is limited to 30000-32767. The range can be customized if Kubernetes was compiled and installed manually
# This cluster was installed with kubeadm, so only 30000-32767 can be used
# The 30000-32767 range is inconvenient mainly because some internal projects need to call other projects by domain name, and those domain names are
# published through ingress. If ingress is not on port 80, you need to put another nginx in front of it, or send the traffic out to the gateway firewall and back in
# That is extremely inconvenient and time-consuming for internal access
# So here we let the traefik container (the resource defined in traefik-ds.yaml) share the host's network namespace with hostNetwork, so that it listens on port 80 of the node
# Next, modify the resources defined in traefik-ds.yaml
vim traefik-ds.yaml
# Add under DaemonSet.spec.template.spec
# ...
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      # Add here
      hostNetwork: true
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: admin
          containerPort: 8080
          # Port 8080 is traefik's dashboard and can be used to view some data
          # If you don't want to use port 8080, change the port below to any other port. Make sure the new port is not already listening on the node
          # The default is kept here
          hostPort: 8080
# ...
---
# Comment out the Service defined in this file entirely: since we share the node's network namespace directly with hostNetwork, the svc is no longer necessary
#kind: Service
#apiVersion: v1
#metadata:
#  name: traefik-ingress-service
#  namespace: kube-system
#spec:
#  selector:
#    k8s-app: traefik-ingress-lb
#  ports:
#    - protocol: TCP
#      port: 80
#      name: web
#    - protocol: TCP
#      port: 8080
#      name: admin
# end
# Apply the manifests
kubectl apply -f ./
# Wait a few moments after the apply finishes, then check on the non-master nodes that port 80 and port 8080 are listening directly on the machine
netstat -tnlp | grep 80
tcp6 0 0 :::8080 :::* LISTEN 7499/traefik
tcp6 0 0 :::80 :::* LISTEN 7499/traefik
# Since our traefik pod is managed by a DaemonSet controller, the two ports above are listening on every node
# In a production environment, port 80 on the firewall can be forwarded to port 80 on any one or more nodes so that users on the Internet can reach the services
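An added example (not from the original post or the traefik project): a small Python audit of the DaemonSet's pod template that lists the declared ports that end up on each node's network and flags the dashboard port, since with hostNetwork port 8080 is reachable on the node exactly like port 80. The sample JSON is constructed, and treating 8080 as the admin port is an assumption taken from the manifest above.

```python
import json

# Constructed sample (not real cluster output): the pod template of the
# DaemonSet above, in the shape `kubectl get ds <name> -o json` returns.
SAMPLE_DS = json.loads("""
{"spec": {"template": {"spec": {
  "hostNetwork": true,
  "containers": [{
    "name": "traefik-ingress-lb",
    "ports": [
      {"name": "http",  "containerPort": 80,   "hostPort": 80},
      {"name": "admin", "containerPort": 8080, "hostPort": 8080}
    ]}]}}}}
""")

ADMIN_PORTS = {8080}  # assumption: the dashboard port used on this page


def node_exposure(ds, admin_ports=ADMIN_PORTS):
    """Return (declared ports on the node network, findings) for a DaemonSet."""
    pod = ds["spec"]["template"]["spec"]
    host_net = pod.get("hostNetwork", False)
    bound, findings = [], []
    for container in pod.get("containers", []):
        for p in container.get("ports", []):
            # With hostNetwork the process listens in the node's namespace, so
            # every declared containerPort counts; otherwise only a hostPort does.
            port = p["containerPort"] if host_net else p.get("hostPort")
            if port is None:
                continue
            bound.append(port)
            if port in admin_ports:
                findings.append(
                    f"admin port {port} ({p.get('name')}) is declared on the node network")
    if host_net and not pod.get("nodeSelector"):
        findings.append(
            "hostNetwork without nodeSelector: ports open on every node the DaemonSet schedules onto")
    return sorted(bound), findings


if __name__ == "__main__":
    ports, findings = node_exposure(SAMPLE_DS)
    print("declared ports on each node:", ports)
    for finding in findings:
        print("FINDING:", finding)
```

Only the ports the firewall is meant to forward (port 80 here) should be reachable from outside; the findings show what else the nodes listen on.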
# Suppose there are 20 nodes: running traefik on every one of them is not reasonable if you do not want it on each node
# So we can label some nodes so that the pods controlled by the DaemonSet (Deployments and other controller resources can be set up the same way) run only on one or more chosen nodes
# Then use ds.spec.template.spec.nodeSelector to select the node label you just defined, so that the DaemonSet's pods run only on the nodes you chose
# The configuration is as follows. Assuming there are five nodes, let traefik run under the DaemonSet controller on only two of them, node1 and node2
kubectl get node
NAME                STATUS   ROLES    AGE   VERSION
kubernetes-master   Ready    master   37d   v1.13.3
kubernetes-node1    Ready    <none>   37d   v1.13.3
kubernetes-node2    Ready    <none>   37d   v1.13.3
kubernetes-node3    Ready    <none>   37d   v1.13.3
kubernetes-node4    Ready    <none>   37d   v1.13.3
kubernetes-node5    Ready    <none>   37d   v1.13.3
1. Label the nodes. Define the label to suit your needs
kubectl label node kubernetes-node1 node_type=ingress
kubectl label node kubernetes-node2 node_type=ingress
2. Modify the traefik-ds.yaml manifest and add the ds.spec.template.spec.nodeSelector item
vim traefik-ds.yaml
# ...
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      # Add here
      nodeSelector:
        # Label name and value must match the label defined above
        node_type: ingress
      # end
      hostNetwork: true
# ...
3. Apply the modified manifest
kubectl apply -f traefik-ds.yaml
4. Verification
# Check that traefik-ds now has only two pods
# Keep in mind that a DaemonSet runs one pod on each node by default. There are five nodes here, but only node1 and node2 carry the label, so only two pods run
kubectl get pod -n kube-system | grep traefik
# Check that ports 80 and 8080 are listening only on node1 and node2
# Because the pod was changed above to use hostNetwork and share the node's network namespace, it listens on the node itself
# Run on node1 and node2
netstat -tnlp | grep 80
5. On the firewall, forward port 80 to the IPs of the two hosts node1 and node2. At this point we can publish services
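An added example (not from the original post) that automates the check in step 4: it applies nodeSelector matching to the node labels and compares the result with where the traefik pods actually run, so a mistyped label shows up as a mismatch. The JSON is constructed in the shape of the `items` of `kubectl get nodes -o json` and `kubectl get pods -n kube-system -o json`; the pod names are made up.

```python
import json

# Constructed sample data (not real cluster output).
NODES = json.loads("""[
 {"metadata": {"name": "kubernetes-node1", "labels": {"node_type": "ingress"}}},
 {"metadata": {"name": "kubernetes-node2", "labels": {"node_type": "ingress"}}},
 {"metadata": {"name": "kubernetes-node3", "labels": {}}},
 {"metadata": {"name": "kubernetes-node4", "labels": {}}},
 {"metadata": {"name": "kubernetes-node5", "labels": {}}}
]""")
PODS = json.loads("""[
 {"metadata": {"name": "traefik-a", "labels": {"k8s-app": "traefik-ingress-lb"}},
  "spec": {"nodeName": "kubernetes-node1"}, "status": {"phase": "Running"}},
 {"metadata": {"name": "traefik-b", "labels": {"k8s-app": "traefik-ingress-lb"}},
  "spec": {"nodeName": "kubernetes-node2"}, "status": {"phase": "Running"}}
]""")


def matches(labels, selector):
    """nodeSelector semantics: every key/value pair of the selector must be present."""
    return all(labels.get(k) == v for k, v in selector.items())


def check_placement(nodes, pods, node_selector, pod_labels):
    """Return (selected nodes without a running pod, other nodes running a pod)."""
    want = {n["metadata"]["name"] for n in nodes
            if matches(n["metadata"].get("labels", {}), node_selector)}
    have = {p["spec"].get("nodeName") for p in pods
            if matches(p["metadata"].get("labels", {}), pod_labels)
            and p.get("status", {}).get("phase") == "Running"}
    have.discard(None)  # pods that were never scheduled have no nodeName
    return sorted(want - have), sorted(have - want)


if __name__ == "__main__":
    missing, unexpected = check_placement(
        NODES, PODS, {"node_type": "ingress"}, {"k8s-app": "traefik-ingress-lb"})
    print("labelled nodes without traefik:", missing)
    print("unlabelled nodes running traefik:", unexpected)
```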
# Ingress resource definition example
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  # ingress name
  name: ingress-tsp
  namespace: default
  annotations:
    # The ingress class (type of ingress controller)
    kubernetes.io/ingress.class: traefik
    # Root of the backend application
    traefik.ingress.kubernetes.io/app-root: /tsp
spec:
  rules:
  # domain name
  - host: tsp.xxxxx.com
    http:
      paths:
      # Mapped path; this is the front-end path
      - path: /
        backend:
          # service name for the backend pod
          serviceName: tsp
          # service port
          servicePort: 8080
Posted by mj_23 on Sun, 29 Mar 2020 09:50:42 -0700