亚洲激情专区-91九色丨porny丨老师-久久久久久久女国产乱让韩-国产精品午夜小视频观看

溫馨提示×

溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊×
其他方式登錄
點擊 登錄注冊 即表示同意《億速云用戶服務條款》

k8s集群中的ingress---基于traefik

發布時間:2020-09-14 22:43:19 來源:網絡 閱讀:475 作者:dongyali521521 欄目:云計算

為了對外發布pod內的應用,k8s支持兩種負載均衡機制
1、一種是service,用于實現四層TCP負載均衡
service主要實現集群內部通信,以及基于四層的內外通信(如端口)
2、另一種是ingress,用戶實現七層HTTP負載均衡
ingress主要實現基于七層的內外通信(如URL)
ingress僅僅是一組路由規則的集合,它需要借助ingress控制器才能發揮作用
ingress控制器不受controller-manager管理,它作為一個附件直接運行在k8s集群上
ingress控制器本身也是以pod形式運行,它與被代理的pod運行在同一個網絡
和service不同的是,要使用ingress,必須先創建ingress-controller這個pod和基于該pod的svc
對于小規模的應用我們使用 NodePort 或許能夠滿足我們的需求,但是當你的應用越來越多的時候,你就會發現對于 NodePort 的管理就非常麻煩了,這個時候使用 ingress 就非常方便了,可以避免管理大量的 Port。

igress類型
1、單service資源型
2、基于URL路徑進行轉發
3、基于虛擬主機進行轉發
4、TLS類型
ingress控制器可以由如下反向代理程序實現:
1、haproxy
2、nginx
3、envoy
4、traefik
5、Vulcand

創建基于treafik的ingress
1、創建rbac認證

apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system

$ kubectl create -f rbac.yaml
serviceaccount "traefik-ingress-controller" created
clusterrole.rbac.authorization.k8s.io "traefik-ingress-controller" created
clusterrolebinding.rbac.authorization.k8s.io "traefik-ingress-controller" created

2、創建基于treafik的ingress控制器pod及svc
將該控制器pod部署在master上
$ docker pull traefik
$ vim traefik.yaml

kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      tolerations:
      - operator: "Exists"        #允許污點
      nodeSelector:
        kubernetes.io/hostname: master        #部署在master上
      containers:
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
                    hostPort: 80        #外網訪問時不用使用nodePort端口,直接使用域名即可
        - name: admin
          containerPort: 8080
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
  type: NodePort

因為traefik容器中有兩個端口,80和8080(管理端口),所以其對應的服務中也需要兩個端口80和8080.
$ kubectl apply -f traefik.yaml
deployment.extensions "traefik-ingress-controller" created
service "traefik-ingress-service" created
$ kubectl get svc -n kube-system
traefik-ingress-service NodePort 10.100.222.78 <none> 80:31657/TCP,8080:31572/TCP 79d
通過svc訪問traefik的管理界面
http://192.168.1.243:31572/

3、為上述ingress控制器及其svc本身(8080)創建ingress實例

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik.example.com
    http:
      paths:
      - backend:
          serviceName: traefik-ingress-service
          servicePort: 8080

模擬dns解析
$ vim /etc/hosts
192.168.1.243 traefik.example.com
因為pod中有hostPort: 80 ,所以能夠以ingress的方式直接使用域名訪問traefik的管理界面
https://traefik.example.com
如果你有多個master的話,可以在每個master上部署一個 ingress-controller 服務,然后在master前面掛一個負載均衡器,比如 nginx,將所有的master均作為這個負載均衡器的后端,這樣就可以實現 ingress-controller 的高可用和負載均衡了。

4、定義后端普通應用pod及其svc
svc的type為ClusterIP

kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: svc1
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: svc1
    spec:
      containers:
      - name: svc1
        image: cnych/example-web-service
        env:
        - name: APP_SVC
          value: svc1
        ports:
        - containerPort: 8080
          protocol: TCP
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: svc2
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: svc2
    spec:
      containers:
      - name: svc2
        image: cnych/example-web-service
        env:
        - name: APP_SVC
          value: svc2
        ports:
        - containerPort: 8080
          protocol: TCP
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: svc3
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: svc3
    spec:
      containers:
      - name: svc3
        image: cnych/example-web-service
        env:
        - name: APP_SVC
          value: svc3
        ports:
        - containerPort: 8080
          protocol: TCP
---
kind: Service
apiVersion: v1
metadata:
  labels:
    app: svc1
  name: svc1
spec:
  type: ClusterIP
  ports:
  - port: 8080
    name: http
  selector:
    app: svc1
---
kind: Service
apiVersion: v1
metadata:
  labels:
    app: svc2
  name: svc2
spec:
  type: ClusterIP
  ports:
  - port: 8080
    name: http
  selector:
    app: svc2
---
kind: Service
apiVersion: v1
metadata:
  labels:
    app: svc3
  name: svc3
spec:
  type: ClusterIP
  ports:
  - port: 8080
    name: http
  selector:
    app: svc3

$ kubectl create -f backend.yaml
deployment.extensions "svc1" created
deployment.extensions "svc2" created
deployment.extensions "svc3" created
service "svc1" created
service "svc2" created
service "svc3" created

5、為上述普通應用pod及其svc定義ingress策略
ingress策略的后端是應用pod的svc

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: example-web-app
  annotations:
    kubernetes.io/ingress.class: "traefik"
spec:
  rules:
  - host: www.example.com
    http:
      paths:
      - path: /s1
        backend:
          serviceName: svc1
          servicePort: 8080
      - path: /s2
        backend:
          serviceName: svc2
          servicePort: 8080
      - path: /
        backend:
          serviceName: svc3
          servicePort: 8080

$ kubectl create -f example-ingress.yaml
ingress.extensions "example-web-app" created
$ kubectl get ingress
$ kubectl describe ingress example-web-app
模擬dns
$ vim /etc/hosts
192.168.1.243 www.example.com
http://www.example.com ---訪問svc3
http://www.example.com/s1 ---訪問svc1
http://www.example.com/s2 ---訪問svc2

6、使traefik ingress支持TLS
要使其支持tls需要三個方面的支持
一、生成ca證書
$ mkdir /ssl
$ cd /ssl
$ openssl req -newkey rsa:2048 -nodes -keyout tls.key -x509 -days 365 -out tls.crt
$ ls
tls.crt tls.key
然后創建secret用于存儲證書
$ kubectl create secret generic traefik-cert --from-file=tls.crt --from-file=tls.key -n kube-system
$ kubectl get secret -n kube-system |grep traefik
二、增加默認配置文件traefik.toml
該文件和traefik pod文件在同一個目錄
$ vim traefik.toml

defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/tls.crt"
      KeyFile = "/ssl/tls.key"

創建configmap用于存儲該配置文件
$ kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system
$ kubectl get configmap -n kube-system |grep traefik
三、修改第2步中的 traefik pod 的 yaml文件
$ vim traefik.yaml

kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
      tolerations:
      - operator: "Exists"
      nodeSelector:
        kubernetes.io/hostname: master
      containers:
      - image: traefik
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: "/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: https
          containerPort: 443
          hostPort: 443
        - name: admin
          containerPort: 8080
        args:
        - --configfile=/config/traefik.toml
        - --api
        - --kubernetes
        - --logLevel=INFO

$ kubectl apply -f traefik.yaml
$ kubectl logs -f traefik-ingress-controller-7dcfd9c6df-v58k7 -n kube-system
time="2018-08-26T11:26:44Z" level=info msg="Server configuration reloaded on :80"
time="2018-08-26T11:26:44Z" level=info msg="Server configuration reloaded on :443"
time="2018-08-26T11:26:44Z" level=info msg="Server configuration reloaded on :8080"

向AI問一下細節

免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。

AI

建始县| 安乡县| 丘北县| 澳门| 上林县| 北票市| 墨竹工卡县| 锦屏县| 龙泉市| 绥江县| 辽宁省| 寻乌县| 吴堡县| 房产| 托克托县| 都兰县| 张北县| 双鸭山市| 新乡市| 项城市| 阳春市| 清涧县| 凤翔县| 汶川县| 巴东县| 句容市| 古交市| 绿春县| 海门市| 关岭| 红原县| 方正县| 镇康县| 杭锦旗| 江口县| 辉南县| 仁寿县| 绥中县| 襄樊市| 沐川县| 噶尔县|