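Installing Traefik on k8s to expose in-cluster services

How Traefik works

Reference: https://blog.csdn.net/weixin_38320674/article/details/106632320

1. Publishing the application service

1.1 A self-implemented web service, myapp

The service is a simple Spring Boot web service that exposes a single controller. The code is: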

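// TestController.java
import lombok.extern.slf4j.Slf4j;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.ResponseBody;

@Slf4j
@Controller
public class TestController {

    // Fixed endpoint: always returns the same payload.
    @GetMapping("/test")
    @ResponseBody
    public Response<String> test() {
        return new Response<>(0, "ok", "test return");
    }

    // Echoes the first path segment back to the caller.
    @GetMapping("/{path}/test")
    @ResponseBody
    public Response<String> pathTest(@PathVariable String path) {
        log.info("path variable is {}", path);
        return new Response<>(0, "ok", path);
    }
}

// Response.java
import lombok.Data;

// Generic response envelope; T is the type of the payload.
@Data
public class Response<T> {
    private int code;
    private String msg;
    private T data;

    public Response(int code, String msg, T data){
        this.code = code;
        this.msg = msg;
        this.data = data;
    }
}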

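Because the server has no Java runtime installed, the JDK environment is built into the image together with the application, so that the image is runnable on its own. The Dockerfile used to build the image: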

FROM adoptopenjdk/openjdk8-openj9:alpine-slim
ADD ./webdemon.jar webdemon.jar
ENTRYPOINT [ \
    "java", \
    "-XX:MetaspaceSize=256m", \
    "-XX:MaxMetaspaceSize=256m", \
    "-Xms512m", \
    "-Xmx5128m", \
    "-Xmn256m", \
    "-Xss256k", \
    "-XX:SurvivorRatio=8", \
    "-XX:+UseConcMarkSweepGC", \
    "-Duser.timezone=GMT+08", \
    "-Djava.security.egd=file:/dev/./urandom", \
    "-jar", \
    "/webdemon.jar", \
    "--spring.profiles.active=prod" \
]

The runnable service jar, as an image:

Publish the service: vim appdemon-deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
   name: myapp
   namespace: kube-system
spec:
   replicas: 1
   selector:
     matchLabels:
       app: myapp
   template:
     metadata:
       labels:
          app: myapp
          env: test
     spec:
       containers:
       - name: appdemon
         image: myapp:v1.0
         imagePullPolicy: IfNotPresent
         ports:
         - name: http
           containerPort: 8088

 vim appdemon-service.yaml

apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: kube-system
spec:
  selector:
    app: myapp
  ports:
  - name: http
    protocol: TCP
    port: 9088
    targetPort: 8088

After running kubectl apply -f, the application can be seen starting normally:

2. Installing Traefik

Configure rbac.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system

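Configure the pod. Here port 81 on the server is mapped to port 80 of the Traefik controller, and a traefik-ui service is started for viewing how traffic is being distributed.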

apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: traefik-ingress
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress
        name: traefik-ingress
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      - image: traefik:v1.7.2
        name: traefik-ingress
        ports:
        - name: controller
          containerPort: 80
          hostPort: 81
        - name: admin-web
          containerPort: 8080
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
        - --insecureskipverify=true
        - --kubernetes.endpoint=https://172.17.0.4:6443
        - --accesslog
        - --accesslog.filepath=/var/log/traefik_access.log
        - --traefiklog
        - --traefiklog.filepath=/var/log/traefik.log
        - --metrics.prometheus

Publish the service:

kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress
  ports:
    - protocol: TCP
      port: 80
      name: controller
    - protocol: TCP
      port: 8080
      name: admin-web
  type: NodePort

 

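3. Configuring Traefik traffic forwarding

Three forwarding paths are configured here: the root path reaches the Traefik UI, and the /test path reaches the demo service provided above. Because the server is accessed directly by IP, no host is configured, so by default all traffic is let through. Incoming traffic first passes through an Nginx placed in front, which is why the controller's port is mapped to 81; port 80 is left for Nginx.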

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
    rules:
      - host:
        http:
          paths:
          - path: /
            backend:
              serviceName: traefik-ingress-service
              servicePort: 8080
          - path: /test
            backend:
              serviceName: myapp
              servicePort: 9088
          - path: /new
            backend:
              serviceName: myapp
              servicePort: 9088
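
An added example, not code from the original post: a small Python check that lists the exposure points in the manifests above, namely the enabled API/dashboard, disabled TLS certificate verification, the host port, the admin port published through NodePort, and the host-less Ingress rule that routes / to the dashboard without authentication. The embedded JSON is a constructed, trimmed copy of this page's manifests in `kubectl get ... -o json` shape; the function name, the finding labels and the use of port 8080 to recognise the admin route are assumptions of this example.

```python
import json

# Constructed sample: the security-relevant fields of this page's manifests, in the
# shape `kubectl get daemonset,service,ingress -n kube-system -o json` returns.
MANIFESTS = json.loads("""{"items": [
 {"kind": "DaemonSet", "metadata": {"name": "traefik-ingress"},
  "spec": {"template": {"spec": {"containers": [{
    "args": ["--api", "--kubernetes", "--insecureskipverify=true"],
    "ports": [{"containerPort": 80, "hostPort": 81}, {"containerPort": 8080}]}]}}}},
 {"kind": "Service", "metadata": {"name": "traefik-ingress-service"},
  "spec": {"type": "NodePort", "ports": [{"port": 80}, {"port": 8080}]}},
 {"kind": "Ingress", "metadata": {"name": "traefik-web-ui",
    "annotations": {"kubernetes.io/ingress.class": "traefik"}},
  "spec": {"rules": [{"host": null, "http": {"paths": [
    {"path": "/", "backend": {"serviceName": "traefik-ingress-service", "servicePort": 8080}},
    {"path": "/test", "backend": {"serviceName": "myapp", "servicePort": 9088}}]}}]}}]}""")

# Traefik 1.x Ingress annotation that turns on authentication for a route.
AUTH_ANNOTATION = "traefik.ingress.kubernetes.io/auth-type"

def audit(doc, admin_port=8080):
    """Return (object, finding) pairs; labels are this example's own (hypothetical)."""
    out = []
    for obj in doc["items"]:
        ref = f'{obj["kind"]}/{obj["metadata"]["name"]}'
        spec = obj["spec"]
        if obj["kind"] == "DaemonSet":
            for c in spec["template"]["spec"]["containers"]:
                args = {a.lower() for a in c.get("args", [])}
                if "--api" in args:
                    out.append((ref, "api-enabled"))
                if args & {"--insecureskipverify", "--insecureskipverify=true"}:
                    out.append((ref, "tls-verification-disabled"))
                out += [(ref, f'host-port-{p["hostPort"]}')
                        for p in c.get("ports", []) if "hostPort" in p]
        elif obj["kind"] == "Service" and spec.get("type") == "NodePort":
            if any(p["port"] == admin_port for p in spec["ports"]):
                out.append((ref, "admin-port-on-nodeport"))
        elif obj["kind"] == "Ingress":
            has_auth = AUTH_ANNOTATION in obj["metadata"].get("annotations", {})
            for rule in spec["rules"]:
                if not rule.get("host"):
                    out.append((ref, "rule-matches-any-host"))
                for p in rule["http"]["paths"]:
                    if p["backend"]["servicePort"] == admin_port and not has_auth:
                        out.append((ref, f'unauthenticated-admin-route-{p["path"]}'))
    return out

if __name__ == "__main__":
    for ref, finding in audit(MANIFESTS):
        print(f"{ref}: {finding}")
```

Setting a host on the Ingress rule and adding the auth annotation clears the two Ingress findings; the remaining ones are properties of the DaemonSet arguments and the Service type.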

4. Verification

Open in a browser: ip:81/dashboard/
