基于traefik的kubernetes ingress访问

目标：在k8s集群中部署traefik服务，并暴露集群jupyter服务

环境：kubernetes 1.11

步骤：traefik简介->traefik部署->ingress文件配置->域名访问

1.traefik简介

Ingress为从kubernetes集群外访问集群的入口，负责将用户的URL请求转发到集群中不同的Service上。

早期Ingress使用nginx、haproxy等负载均衡器进行规则的定义、URL路由信息设定等操作，除了负载均衡器外，还需要一个ingress controller监视集群的信息。

Ingress Controller通过调用Kubernetes API的方式，实时感知后端service、pod的变化，结合ingress生成配置，并更新反向代理负载均衡器配置，实现服务发现功能。

Traefik

一款开源的反向代理与负载均衡工具，优点是能和微服务系统直接耦合，实现自动化动态配置

官方文档中的图片较为形象：

其本身为Go语言编写，与k8s原生集成，与早期nginx代理相比，自身即实现了负载均衡反向代理与访问k8s api的功能。

 

2.traefik部署

部署文件参考handbook中示例：https://github.com/rootsongjc/kubernetes-handbook/tree/master/manifests/traefik-ingress

使用ingress-rabc.yaml、traefik.yaml和ui.yaml三个文件，ingress文件自己编写，指定到k8s集群后端服务

(1)权限配置 - ingress-rabc.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress
  namespace: kube-system

---

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: ingress
subjects:
  - kind: ServiceAccount
    name: ingress
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

新建serviceaccount：ingress，并与cluster-admin角色绑定，获取k8s集群各项资源的访问权限

(2)traefik服务 - traefik.yaml

apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: traefik-ingress-lb
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      terminationGracePeriodSeconds: 60
      hostNetwork: true
      restartPolicy: Always
      serviceAccountName: ingress
      containers:
      - image: traefik
        name: traefik-ingress-lb
        resources:
          limits:
            cpu: 200m
            memory: 30Mi
          requests:
            cpu: 100m
            memory: 20Mi
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: admin
          containerPort: 8580
          hostPort: 8580
        args:
        - --web
        - --web.address=:8580
        - --kubernetes
      nodeSelector:
        edgenode: "true"

部署文件中的nodeSelector标签需要打入需要部署trefik的节点：kubectl label node nodename edgenode=true

(3)web ui服务 - ui.yaml

apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - name: web
    port: 80
    targetPort: 8580
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  rules:
  - host: traefik-ui.io
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: web

其中rules规则即为访问配置，此处指定外部访问ui的域名为traefik-ui.io，域名解析为任意节点即可。

 

3.ingress文件配置

集群中已部署jupyter notebook，此处将jupyter的web写入ingress

traefik-ingress.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-ingress
  namespace: kube-system
spec:
  rules:
  - host: traefik.jupyter.io
    http:
      paths:
      - path: /
        backend:
          serviceName: tf-notebook
          servicePort: 80

查看ui：ip+8580

 

4.域名访问

windows下修改/etc/hosts

加入ip traefik.jupyter.io域名解析

本地访问traefik.jupyter.io(确保网络通畅)