2025-08-23
K8S (review notes)

Contents

1. Concepts
2. Using Traefik Ingress (official example)
3.

1. Concepts

Ingress is a Kubernetes API object that manages external access to the services in a cluster, typically over HTTP/HTTPS. Ingress can provide load balancing, SSL termination and name-based virtual hosting. It acts as the cluster's entry point and routes external requests to services inside the cluster.

2. Using Traefik Ingress (official example)

The Traefik Ingress CRD (Custom Resource Definition) is the way the Traefik proxy extends the Kubernetes Ingress resource. It lets you configure Traefik's routing rules with custom resources, which offer more features and flexibility than the standard Ingress resource.

```bash
vi kubernetes-crd-definition-v1.yml
```

http://songxuan.vip:5212/s/Y5Ub

```bash
vi kubernetes-crd-rbac.yml
```

http://songxuan.vip:5212/s/npIX

```bash
vi services.yml
```

```yaml
apiVersion: v1
kind: Service
metadata:
  name: traefik
spec:
  ports:
    - protocol: TCP
      name: web
      port: 8000
    - protocol: TCP
      name: admin
      port: 8080
    - protocol: TCP
      name: websecure
      port: 4443
  selector:
    app: traefik
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
spec:
  ports:
    - protocol: TCP
      name: web
      port: 80
  selector:
    app: whoami
```
Traefik Service: exposes three ports, 8000 (web), 8080 (admin) and 4443 (websecure), over TCP, and selects Pods labelled app=traefik as backends.

whoami Service: exposes port 80 (web) over TCP and selects Pods labelled app=whoami as backends.
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: default
  name: traefik-ingress-controller
---
kind: Deployment
apiVersion: apps/v1
metadata:
  namespace: default
  name: traefik
  labels:
    app: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      hostNetwork: true        # use the VM's network directly, i.e. the server's own IP
      nodeName: k8s-node03     # pin the pod to this node
      serviceAccountName: traefik-ingress-controller
      containers:
        - name: traefik
          image: traefik:v3.5
          args:
            - --api.insecure
            - --accesslog
            - --entryPoints.web.Address=:8000
            - --entryPoints.websecure.Address=:4443
            - --providers.kubernetescrd
            - --certificatesresolvers.myresolver.acme.tlschallenge
            - --certificatesresolvers.myresolver.acme.email=foo@you.com
            - --certificatesresolvers.myresolver.acme.storage=acme.json
            # Please note that this is the staging Let's Encrypt server.
            # Once you get things working, you should remove that whole line altogether.
            - --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
          ports:
            - name: web
              containerPort: 8000
            - name: websecure
              containerPort: 4443
            - name: admin
              containerPort: 8080
---
kind: Deployment
apiVersion: apps/v1
metadata:
  namespace: default
  name: whoami
  labels:
    app: whoami
spec:
  replicas: 2
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: traefik/whoami
          ports:
            - name: web
              containerPort: 80
```
This is a complete Kubernetes deployment configuration with three main parts: the ServiceAccount, the Traefik Ingress Controller Deployment and the whoami application Deployment. In detail:

1. ServiceAccount
- Creates a ServiceAccount named "traefik-ingress-controller"
- Lives in the default namespace

2. Traefik Ingress Controller Deployment
- Basic information: Deployment name traefik; 1 replica; label selector app=traefik; pinned to node k8s-node03; hostNetwork mode enabled (uses the host network)
- Container configuration: traefik.10 image; ports web 8000, websecure 4443, admin 8080
- Arguments: insecure API enabled (--api.insecure); access log enabled (--accesslog); entry points web (8000) and websecure (4443) defined; Kubernetes CRD provider enabled; ACME certificate resolver configured with the TLS challenge, registration e-mail foo@you.com, storage file acme.json and the Let's Encrypt staging environment

3. whoami application Deployment
- Basic information: Deployment name whoami; 2 replicas; label selector app=whoami
- Affinity: ensures the Pods are not scheduled onto node k8s-node03
- Container configuration: traefik/whoami image; exposes port 80 (web)
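To make the risky settings in the analysis above checkable rather than just noted, here is an added example (my own code, not from the post or from Traefik) that lints the Traefik Deployment for hostNetwork, --api.insecure, the staging ACME CA server and unpinned images, and shows a hardened copy beside it. The manifest is embedded as the Python structure yaml.safe_load() would return for the Deployment above, so it runs without PyYAML or a cluster; the finding codes and the harden() transformation are conventions of this script, not Traefik's.

```python
"""Lint the Traefik Deployment for the risky settings discussed above.
Added example. TRAEFIK_DEPLOYMENT is the structure yaml.safe_load() returns
for the post's manifest; the finding codes are this script's own."""
import copy

# Constructed from the post's manifest (only the fields the checks read).
TRAEFIK_DEPLOYMENT = {
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "nodeName": "k8s-node03",
        "serviceAccountName": "traefik-ingress-controller",
        "containers": [{
            "name": "traefik",
            "image": "traefik:v3.5",
            "args": [
                "--api.insecure",
                "--accesslog",
                "--entryPoints.web.Address=:8000",
                "--entryPoints.websecure.Address=:4443",
                "--providers.kubernetescrd",
                "--certificatesresolvers.myresolver.acme.tlschallenge",
                "--certificatesresolvers.myresolver.acme.email=foo@you.com",
                "--certificatesresolvers.myresolver.acme.storage=acme.json",
                "--certificatesresolvers.myresolver.acme.caserver="
                "https://acme-staging-v02.api.letsencrypt.org/directory",
            ],
            "ports": [
                {"name": "web", "containerPort": 8000},
                {"name": "websecure", "containerPort": 4443},
                {"name": "admin", "containerPort": 8080},
            ],
        }],
    }}},
}


def parse_args(args):
    """Map Traefik CLI flags to values: '--a.b' -> True, '--a.b=x' -> 'x'.
    Keys are lower-cased because Traefik resolves option names case-insensitively."""
    parsed = {}
    for arg in args:
        if not arg.startswith("--"):
            continue
        key, sep, value = arg[2:].partition("=")
        if not sep or value.lower() == "true":
            parsed[key.lower()] = True
        elif value.lower() == "false":
            parsed[key.lower()] = False
        else:
            parsed[key.lower()] = value
    return parsed


def image_tag(image):
    """Tag or digest of an image reference; '' when neither is given."""
    name = image.rsplit("/", 1)[-1]            # drop registry[:port]/repo path
    if "@" in name:
        return name.split("@", 1)[1]           # digest-pinned reference
    return name.partition(":")[2]


def check_deployment(deployment):
    """Return 'CODE: explanation' strings for the risky settings found."""
    findings = []
    pod = deployment["spec"]["template"]["spec"]
    if pod.get("hostNetwork"):
        findings.append("HOST_NETWORK: pod shares the node network namespace, so every "
                        "listening port (including the 8080 admin API) is bound on the node IP")
    for c in pod.get("containers", []):
        name, opts = c.get("name", "?"), parse_args(c.get("args", []))
        if opts.get("api.insecure") is True:
            findings.append(f"API_INSECURE: {name} serves the dashboard and API "
                            "unauthenticated on port 8080 (--api.insecure)")
        for key, value in opts.items():
            if key.endswith(".acme.caserver") and isinstance(value, str) and "staging" in value:
                findings.append(f"ACME_STAGING: {name} uses {key}={value}; "
                                "staging certificates are not trusted by clients")
        if image_tag(c.get("image", "")) in ("", "latest"):
            findings.append(f"UNPINNED_IMAGE: {name} runs {c.get('image')!r} "
                            "without a fixed tag or digest")
    return findings


def harden(deployment):
    """Copy of the Deployment with hostNetwork off, --api.insecure dropped and the
    staging CA server removed (Traefik then defaults to production Let's Encrypt)."""
    fixed = copy.deepcopy(deployment)
    pod = fixed["spec"]["template"]["spec"]
    pod["hostNetwork"] = False
    for c in pod["containers"]:
        c["args"] = [a for a in c.get("args", [])
                     if not (a.lower().startswith("--api.insecure")
                             or ".acme.caserver=" in a.lower())]
    return fixed


if __name__ == "__main__":
    for finding in check_deployment(TRAEFIK_DEPLOYMENT):
        print(finding)
    print("after harden():", check_deployment(harden(TRAEFIK_DEPLOYMENT)))
```

Running it against the post's manifest reports HOST_NETWORK, API_INSECURE and ACME_STAGING; the whoami image (traefik/whoami, no tag) would additionally trip UNPINNED_IMAGE. With hostNetwork off, the web and websecure ports have to be published through the Service from services.yml (or a NodePort/LoadBalancer Service) instead of landing on the node IP.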
```bash
vi ingressroutes.yml
```

```yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: simpleingressroute
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`your.example.com`) && PathPrefix(`/notls`)
      kind: Rule
      services:
        - name: whoami
          port: 80
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutetls
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`your.example.com`) && PathPrefix(`/tls`)
      kind: Rule
      services:
        - name: whoami
          port: 80
  tls:
    certResolver: myresolver
```

Configure the local domain name on every machine: check which node the Traefik Pod is running on and map the domain name to that node in /etc/hosts.

```bash
vi /etc/hosts
```


3.

```bash
vi nginx-deployment.yml
```

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  replicas: 1
  template:
    metadata:
      name: nginx
      labels:
        app: nginx
    spec:
      hostNetwork: true
      containers:
        - name: nginx
          image: nginx:1.19
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
      restartPolicy: Always
  selector:
    matchLabels:
      app: nginx
```
- Uses the official nginx:1.19 image
- Shares the host network directly via hostNetwork: true (not standard production practice; usually used for debugging)
- Runs a single replica (replicas: 1)
- The container exposes port 80

Purpose: creates an Nginx Pod in the Kubernetes cluster to handle HTTP requests.
```bash
vi nginx-service.yml
```

```yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx
spec:
  selector:
    app: nginx
  ports:
    - port: 80
      targetPort: 80
  type: ClusterIP
```
Core function: provides the in-cluster access entry point.

Key configuration:
- Type ClusterIP (the default Service type)
- Associated, via the label selector app: nginx, with the Pods created by the Deployment
- Maps the Service's port 80 to the Pod's port 80

Purpose: gives the Nginx Pod a stable virtual IP and DNS name (such as nginx.default.svc.cluster.local) so that other services in the cluster can reach Nginx.
```bash
vi nginx-ing.yml
```

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nginx-web-route
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`songxuan.com`)
      kind: Rule
      services:
        - name: nginx
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nginx-websecure-route
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`songxuan.com`)
      kind: Rule
      services:
        - name: nginx
          port: 80
  tls:
    certResolver: myresolver
```
Core function: manages the external traffic entry point (through the Traefik Ingress Controller).

Two parts:
(1) HTTP route (nginx-web-route): listens on Traefik's web entry point (port 80 by default) and routes requests for the domain nginx.com to port 80 of the backend nginx Service.
(2) HTTPS route (nginx-websecure-route): listens on Traefik's websecure entry point (port 443 by default) with the same domain rule, but with TLS enabled; certResolver: myresolver obtains and renews the SSL certificate automatically.

When a user visits http://songxuan.com the request enters through the Traefik web entry point; https goes through the websecure entry point. The request is then forwarded to the internal Service, which maps it to port 80 exposed by the Deployment.
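The two IngressRoutes above are easy to get subtly wrong: a typo inside a Host() rule, a missing Service or a websecure route without a tls section all pass kubectl apply and fail only at request time. As an added example (my code, not the post's or Traefik's), the following linter parses the Host() matchers, checks each hostname against RFC 1123 label rules, verifies that routes on the websecure entry point carry tls and that referenced Services exist. The objects are embedded as the dicts yaml.safe_load() would return for nginx-ing.yml, plus a constructed broken variant; TLS_ENTRYPOINTS and the finding texts are assumptions for this post's setup, in which the websecure entry point has no entry-point-level TLS.

```python
"""Lint Traefik IngressRoute objects before applying them.
Added example. Objects are the dicts yaml.safe_load() returns for nginx-ing.yml,
plus a constructed broken variant. TLS_ENTRYPOINTS and the finding texts are
assumptions for the setup in this post."""
import re

HOST_CALL = re.compile(r"\bHost\(\s*((?:`[^`]*`\s*,?\s*)+)\)")
BACKTICK_ARG = re.compile(r"`([^`]*)`")
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")   # one RFC 1123 DNS label
TLS_ENTRYPOINTS = {"websecure"}   # entry points this setup terminates TLS on

SERVICES = {"nginx"}   # Service names defined in nginx-service.yml

NGINX_WEB_ROUTE = {
    "apiVersion": "traefik.containo.us/v1alpha1", "kind": "IngressRoute",
    "metadata": {"name": "nginx-web-route"},
    "spec": {"entryPoints": ["web"],
             "routes": [{"match": "Host(`songxuan.com`)", "kind": "Rule",
                         "services": [{"name": "nginx", "port": 80}]}]},
}
NGINX_WEBSECURE_ROUTE = {
    "apiVersion": "traefik.containo.us/v1alpha1", "kind": "IngressRoute",
    "metadata": {"name": "nginx-websecure-route"},
    "spec": {"entryPoints": ["websecure"],
             "routes": [{"match": "Host(`songxuan.com`)", "kind": "Rule",
                         "services": [{"name": "nginx", "port": 80}]}],
             "tls": {"certResolver": "myresolver"}},
}
# Constructed: a comma where a dot belongs, a misspelled Service, no tls section.
BROKEN_ROUTE = {
    "metadata": {"name": "broken-route"},
    "spec": {"entryPoints": ["websecure"],
             "routes": [{"match": "Host(`songxuan,com`)", "kind": "Rule",
                         "services": [{"name": "ngnix", "port": 80}]}]},
}


def hosts_in_rule(rule):
    """Every argument of every Host(...) matcher in a Traefik rule string."""
    hosts = []
    for call in HOST_CALL.finditer(rule):
        hosts.extend(BACKTICK_ARG.findall(call.group(1)))
    return hosts


def valid_hostname(host):
    """RFC 1123 hostname: at most 253 chars, dot-separated labels matching LABEL."""
    if not host or len(host) > 253:
        return False
    return all(LABEL.match(label) for label in host.lower().split("."))


def lint_ingressroute(obj, known_services):
    """Return human-readable findings; an empty list means the object passed."""
    findings = []
    name = obj["metadata"]["name"]
    spec = obj["spec"]
    tls_eps = set(spec.get("entryPoints", [])) & TLS_ENTRYPOINTS
    has_tls = "tls" in spec
    if tls_eps and not has_tls:
        findings.append(f"{name}: bound to {sorted(tls_eps)} but has no tls section; "
                        "the route would be served in plaintext on that port")
    if has_tls and not tls_eps:
        findings.append(f"{name}: has a tls section but no TLS entry point; "
                        "plain HTTP requests will not match this router")
    for route in spec.get("routes", []):
        rule = route.get("match", "")
        hosts = hosts_in_rule(rule)
        if not hosts:
            findings.append(f"{name}: rule {rule!r} has no Host() matcher and "
                            "accepts any Host header on the entry point")
        for host in hosts:
            if not valid_hostname(host):
                findings.append(f"{name}: {host!r} is not a valid hostname; "
                                "no request can ever match this rule")
        for svc in route.get("services", []):
            if svc.get("name") not in known_services:
                findings.append(f"{name}: references Service {svc.get('name')!r}, "
                                "which is not defined")
    return findings


if __name__ == "__main__":
    for obj in (NGINX_WEB_ROUTE, NGINX_WEBSECURE_ROUTE, BROKEN_ROUTE):
        for finding in lint_ingressroute(obj, SERVICES):
            print(finding)
```

The two routes from nginx-ing.yml pass cleanly; the constructed broken object yields three findings. The Host() parser also accepts the comma-separated multi-argument form that the traefik.containo.us (v2) rule syntax allows, so the same check works for either API group used on this page.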

```yaml
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.13.0
  name: ingressroutes.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: IngressRoute
    listKind: IngressRouteList
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: IngressRoute is the CRD implementation of a Traefik HTTP Router.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IngressRouteSpec defines the desired state of IngressRoute.
            properties:
              entryPoints:
                description: 'EntryPoints defines the list of entry point names to bind to. Entry points have to be configured in the static configuration. More info: https://doc.traefik.io/traefik/v2.10/routing/entrypoints/ Default: all.'
                items:
                  type: string
                type: array
              routes:
                description: Routes defines the list of routes.
                items:
                  description: Route holds the HTTP route configuration.
                  properties:
                    kind:
                      description: Kind defines the kind of the route. Rule is the only supported kind.
                      enum:
                      - Rule
                      type: string
                    match:
                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.10/routing/routers/#rule'
                      type: string
                    middlewares:
                      description: 'Middlewares defines the list of references to Middleware resources. More info: https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-crd/#kind-middleware'
                      items:
                        description: MiddlewareRef is a reference to a Middleware resource.
                        properties:
                          name:
                            description: Name defines the name of the referenced Middleware resource.
                            type: string
                          namespace:
                            description: Namespace defines the namespace of the referenced Middleware resource.
                            type: string
                        required:
                        - name
                        type: object
                      type: array
                    priority:
                      description: 'Priority defines the router''s priority. More info: https://doc.traefik.io/traefik/v2.10/routing/routers/#priority'
                      type: integer
                    services:
                      description: Services defines the list of Service. It can contain any combination of TraefikService and/or reference to a Kubernetes Service.
                      items:
                        description: Service defines an upstream HTTP service to proxy traffic to.
                        properties:
                          kind:
                            description: Kind defines the kind of the Service.
                            enum:
                            - Service
                            - TraefikService
                            type: string
                          name:
                            description: Name defines the name of the referenced Kubernetes Service or TraefikService. The differentiation between the two is specified in the Kind field.
                            type: string
                          namespace:
                            description: Namespace defines the namespace of the referenced Kubernetes Service or TraefikService.
                            type: string
                          nativeLB:
                            description: NativeLB controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. The Kubernetes Service itself does load-balance to the pods. By default, NativeLB is false.
                            type: boolean
                          passHostHeader:
                            description: PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service. By default, passHostHeader is true.
                            type: boolean
                          port:
                            anyOf:
                            - type: integer
                            - type: string
                            description: Port defines the port of a Kubernetes Service. This can be a reference to a named port.
                            x-kubernetes-int-or-string: true
                          responseForwarding:
                            description: ResponseForwarding defines how Traefik forwards the response from the upstream Kubernetes Service to the client.
                            properties:
                              flushInterval:
                                description: 'FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body. A negative value means to flush immediately after each write to the client. This configuration is ignored when ReverseProxy recognizes a response as a streaming response; for such responses, writes are flushed to the client immediately. Default: 100ms'
                                type: string
                            type: object
                          scheme:
                            description: Scheme defines the scheme to use for the request to the upstream Kubernetes Service. It defaults to https when Kubernetes Service port is 443, http otherwise.
                            type: string
                          serversTransport:
                            description: ServersTransport defines the name of ServersTransport resource to use. It allows to configure the transport between Traefik and your servers. Can only be used on a Kubernetes Service.
                            type: string
                          sticky:
                            description: 'Sticky defines the sticky sessions configuration. More info: https://doc.traefik.io/traefik/v2.10/routing/services/#sticky-sessions'
                            properties:
                              cookie:
                                description: Cookie defines the sticky cookie configuration.
                                properties:
                                  httpOnly:
                                    description: HTTPOnly defines whether the cookie can be accessed by client-side APIs, such as JavaScript.
                                    type: boolean
                                  name:
                                    description: Name defines the Cookie name.
                                    type: string
                                  sameSite:
                                    description: 'SameSite defines the same site policy. More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
                                    type: string
                                  secure:
                                    description: Secure defines whether the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).
                                    type: boolean
                                type: object
                            type: object
                          strategy:
                            description: Strategy defines the load balancing strategy between the servers. RoundRobin is the only supported value at the moment.
                            type: string
                          weight:
                            description: Weight defines the weight and should only be specified when Name references a TraefikService object (and to be precise, one that embeds a Weighted Round Robin).
                            type: integer
                        required:
                        - name
                        type: object
                      type: array
                  required:
                  - kind
                  - match
                  type: object
                type: array
              tls:
                description: 'TLS defines the TLS configuration. More info: https://doc.traefik.io/traefik/v2.10/routing/routers/#tls'
                properties:
                  certResolver:
                    description: 'CertResolver defines the name of the certificate resolver to use. Cert resolvers have to be configured in the static configuration. More info: https://doc.traefik.io/traefik/v2.10/https/acme/#certificate-resolvers'
                    type: string
                  domains:
                    description: 'Domains defines the list of domains that will be used to issue certificates. More info: https://doc.traefik.io/traefik/v2.10/routing/routers/#domains'
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
                        main:
                          description: Main defines the main domain name.
                          type: string
                        sans:
                          description: SANs defines the subject alternative domain names.
                          items:
                            type: string
                          type: array
                      type: object
                    type: array
                  options:
                    description: 'Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection. If not defined, the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.10/https/tls/#tls-options'
                    properties:
                      name:
                        description: 'Name defines the name of the referenced TLSOption. More info: https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-crd/#kind-tlsoption'
                        type: string
                      namespace:
                        description: 'Namespace defines the namespace of the referenced TLSOption. More info: https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-crd/#kind-tlsoption'
                        type: string
                    required:
                    - name
                    type: object
                  secretName:
                    description: SecretName is the name of the referenced Kubernetes Secret to specify the certificate details.
                    type: string
                  store:
                    description: Store defines the reference to the TLSStore, that will be used to store certificates. Please note that only `default` TLSStore can be used.
                    properties:
                      name:
                        description: 'Name defines the name of the referenced TLSStore. More info: https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-crd/#kind-tlsstore'
                        type: string
                      namespace:
                        description: 'Namespace defines the namespace of the referenced TLSStore. More info: https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-crd/#kind-tlsstore'
                        type: string
                    required:
                    - name
                    type: object
                type: object
            required:
            - routes
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
```

Author: 松轩 (^U^)

Copyright notice: unless otherwise stated, all articles on this blog are licensed under the BY-NC-SA licence. Please cite the source when reposting!