Create the Traefik CRD resources

# Install Traefik Resource Definitions:
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.1/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml

Create the Traefik RBAC permissions

  • Create the namespace
kubectl create ns traefik
  • Modify the RBAC configuration
# Install RBAC for Traefik:
wget https://raw.githubusercontent.com/traefik/traefik/v3.1/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml

kubernetes-crd-rbac.yml (modified from the official file: a ServiceAccount was added)

# ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: traefik
---
# ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik-ingress-controller
  namespace: traefik    # namespace added (a ClusterRole is cluster-scoped, so the API server ignores this field)

rules:
  - apiGroups:
      - ""
    resources:
      - services
      - secrets
      - nodes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.io
    resources:
      - middlewares
      - middlewaretcps
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
      - serverstransports
      - serverstransporttcps
    verbs:
      - get
      - list
      - watch

---
# ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-ingress-controller

roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: traefik  # namespace changed to the one created above
  • Create the RBAC permissions
kubectl apply -f kubernetes-crd-rbac.yml
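The ClusterRole above can be reviewed before it is applied. The following Python script is an added example, not code from the post or from the Traefik project: it copies the rules of kubernetes-crd-rbac.yml into Python literals and applies the Kubernetes RBAC matching rules (a `*` entry matches anything; a subresource such as ingresses/status is distinct from its parent resource) to answer the same question as `kubectl auth can-i --as=system:serviceaccount:traefik:traefik-ingress-controller`. The function names `can_i` and `cluster_wide_reads` and the list of resources flagged as sensitive are my own choices.

```python
"""Offline review of the Traefik ClusterRole (added example, not from the post).

Mirrors Kubernetes RBAC rule matching: a request (verb, apiGroup, resource)
is allowed if any PolicyRule matches all three. Because the role is bound
with a ClusterRoleBinding, every match holds in every namespace.
"""

# Constructed copy of the rules in kubernetes-crd-rbac.yml above, written as
# Python literals so the check runs without a cluster. "" is the core group.
TRAEFIK_CLUSTERROLE_RULES = [
    {"apiGroups": [""], "resources": ["services", "secrets", "nodes"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"],
     "verbs": ["list", "watch"]},
    {"apiGroups": ["extensions", "networking.k8s.io"],
     "resources": ["ingresses", "ingressclasses"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions", "networking.k8s.io"],
     "resources": ["ingresses/status"], "verbs": ["update"]},
    {"apiGroups": ["traefik.io"],
     "resources": ["middlewares", "middlewaretcps", "ingressroutes",
                   "traefikservices", "ingressroutetcps", "ingressrouteudps",
                   "tlsoptions", "tlsstores", "serverstransports",
                   "serverstransporttcps"],
     "verbs": ["get", "list", "watch"]},
]

# Resources whose cluster-wide readability deserves a second look (my choice).
SENSITIVE_RESOURCES = {("", "secrets"), ("", "configmaps")}
READ_VERBS = ("get", "list", "watch")


def _resource_matches(rule_resources, resource):
    """RBAC resource matching, including the "*/subresource" wildcard form."""
    if "*" in rule_resources or resource in rule_resources:
        return True
    if "/" in resource:                       # e.g. "ingresses/status"
        subresource = resource.split("/", 1)[1]
        return "*/" + subresource in rule_resources
    return False


def rule_allows(rule, verb, api_group, resource):
    """True if a single PolicyRule grants verb on api_group/resource."""
    return (("*" in rule["verbs"] or verb in rule["verbs"])
            and ("*" in rule["apiGroups"] or api_group in rule["apiGroups"])
            and _resource_matches(rule["resources"], resource))


def can_i(rules, verb, api_group, resource):
    """Same answer `kubectl auth can-i` gives for the subject bound to these rules."""
    return any(rule_allows(r, verb, api_group, resource) for r in rules)


def cluster_wide_reads(rules, sensitive=SENSITIVE_RESOURCES):
    """Sensitive resources this ClusterRole lets the subject read in all namespaces."""
    return sorted(f"{g or 'core'}/{res}" for g, res in sensitive
                  if all(can_i(rules, v, g, res) for v in READ_VERBS))


if __name__ == "__main__":
    rules = TRAEFIK_CLUSTERROLE_RULES
    for verb, group, res in [("get", "", "secrets"), ("create", "", "secrets"),
                             ("update", "networking.k8s.io", "ingresses/status"),
                             ("update", "networking.k8s.io", "ingresses"),
                             ("list", "", "pods")]:
        answer = "yes" if can_i(rules, verb, group, res) else "no"
        print(f"{verb:7} {group or 'core'}/{res}: {answer}")
    print("cluster-wide sensitive reads:", cluster_wide_reads(rules))
```

The point the script makes visible: Traefik needs read access to `secrets` for TLS certificates, but the ClusterRoleBinding grants it in every namespace, so the Traefik pod (which below also runs with hostNetwork) can read every Secret in the cluster. If the certificates live in a few namespaces, a Role and RoleBinding per namespace, together with `providers.kubernetescrd.namespaces`, narrows the grant; on a live cluster, audit-log entries of `get`/`list secrets` by this ServiceAccount outside those namespaces are worth alerting on.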

Create the Traefik configuration file

Traefik supports three ways of defining static configuration: a configuration file, command-line arguments, and environment variables. Because Traefik has a large number of options, defining them on the command line is inconvenient, so the usual approach is to put the options in a configuration file, store it in a ConfigMap, and mount that into the Traefik pod.

  • Create the traefik-config.yaml file
kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-config
  namespace: traefik
data:
  traefik.yaml: |-
    serversTransport:
      insecureSkipVerify: true  ## skip TLS certificate verification for backend services (any certificate is accepted; prefer rootCAs)
    api:
      insecure: true            ## serve the API over plain HTTP on the traefik entry point, without authentication
      dashboard: true           ## enable the dashboard
      debug: false              ## enable the debug endpoints
    metrics:
      prometheus:               ## Prometheus metrics, exposed on the metrics entry point (:8082) defined below
        entryPoint: metrics
    entryPoints:
      web:
        address: ":80"          ## port 80, entry point named web
      websecure:
        address: ":443"         ## port 443, entry point named websecure
      traefik:
        address: ":8080"        ## port 8080, entry point named traefik (API and dashboard)
      metrics:
        address: ":8082"        ## port 8082, entry point for metrics scraping
      tcpep:
        address: ":8000"        ## port 8000, TCP entry point
      udpep:
        address: ":9000/udp"    ## port 9000, UDP entry point
    providers:
      kubernetescrd:            ## enable routing rules from Kubernetes CRDs (IngressRoute and related kinds)
        ingressclass: ""
      kubernetesingress:        ## enable routing rules from standard Kubernetes Ingress objects
        ingressclass: ""
    log:
      filePath: "/etc/traefik/logs/traefik.log"    ## Traefik log file path; empty means the console
      level: error              ## log level
      format: ""                ## log format (empty means the default text format)
    accessLog:
      filePath: "/etc/traefik/logs/access.log"     ## access log file path; empty means the console
      format: ""                ## access log format (empty means the default text format)
      bufferingSize: 0          ## number of access log lines to buffer before writing
      filters:
        #statusCodes: ["200"]   ## keep only entries whose status code falls in the given ranges
        retryAttempts: true     ## keep entries for requests that were retried against a backend
        minDuration: 20         ## keep entries for requests that took longer than this (seconds when no unit is given)
      fields:                   ## which access log fields to keep (keep) or omit (drop)
        defaultMode: keep       ## keep every field by default
        names:                  ## per-field overrides
          ClientUsername: drop
        headers:                ## which request headers to log
          defaultMode: keep     ## keep every header by default (Traefik's own default is drop)
          names:                ## per-header overrides
            User-Agent: redact
            Authorization: drop
            Content-Type: keep
  • Create the Traefik ConfigMap resource
kubectl apply -f traefik-config.yaml
  • Label the node (the Deployment approach pins Traefik to the labelled node; a DaemonSet does not need this, since it is not pinned by label)
kubectl label nodes k8s-worker01 IngressProxy=true
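To review the ConfigMap above before applying it, the following Python script is an added example, not code from the post or from the Traefik project. It parses the nested-mapping subset of YAML that traefik.yaml uses with a small hand-written parser (so it needs no PyYAML) and reports the settings a reviewer would question: `insecureSkipVerify`, the unauthenticated API, and request headers that reach the access log unredacted. The embedded configuration is a constructed copy of the relevant keys; the hardened variant's values, the function names and the list of sensitive headers are my choices.

```python
"""Lint Traefik's static configuration for risky settings.
Added example, not from the post or the Traefik project."""

# Constructed sample: the security-relevant subset of the traefik.yaml key
# in the ConfigMap above, inline comments removed.
TRAEFIK_STATIC_CONFIG = """\
serversTransport:
  insecureSkipVerify: true
api:
  insecure: true
  dashboard: true
accessLog:
  filePath: "/etc/traefik/logs/access.log"
  fields:
    headers:
      defaultMode: keep
      names:
        User-Agent: redact
        Authorization: drop
"""

# Constructed hardened variant of the same keys (assumed values, not from the post).
HARDENED_STATIC_CONFIG = """\
serversTransport:
  insecureSkipVerify: false   # trust the backend CA via serversTransport.rootCAs instead
api:
  insecure: false             # publish api@internal through an IngressRoute with an auth middleware
accessLog:
  fields:
    headers:
      defaultMode: drop       # Traefik's own default: log no request headers
"""

SENSITIVE_HEADERS = ("Authorization", "Cookie", "Set-Cookie")  # must never be logged in clear (my list)


def _scalar(value):
    """Convert a YAML scalar: quoted string, bool, int, otherwise bare string."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    if value.lstrip("-").isdigit():
        return int(value)
    return value


def parse_mapping_yaml(text):
    """Parse the nested-mapping YAML subset Traefik's static file uses: `key: scalar`,
    `key:` followed by an indented block, and `#` comments (a `#` inside a quoted
    value is not handled). Sequences are outside the subset and raise ValueError."""
    root = {}
    stack = [(-1, root)]                          # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        body = line.strip()
        if body.startswith("- "):
            raise ValueError(f"sequences are outside the subset: {body!r}")
        while stack[-1][0] >= indent:             # close blocks that have ended
            stack.pop()
        key, _, value = body.partition(":")
        key, value = key.strip(), value.strip()
        if value:
            stack[-1][1][key] = _scalar(value)
        else:
            child = {}
            stack[-1][1][key] = child
            stack.append((indent, child))
    return root


def lint_static_config(cfg):
    """Return (setting, finding) pairs for the risky choices in the config above."""
    findings = []
    if cfg.get("serversTransport", {}).get("insecureSkipVerify") is True:
        findings.append(("serversTransport.insecureSkipVerify",
                         "backend TLS certificates are not verified; set false and trust the backend CA via serversTransport.rootCAs"))
    if cfg.get("api", {}).get("insecure") is True:
        findings.append(("api.insecure",
                         "API and dashboard are unauthenticated on the traefik entry point (:8080 here); set false and expose api@internal through an IngressRoute with an auth middleware"))
    if "accessLog" in cfg:
        headers = cfg["accessLog"].get("fields", {}).get("headers", {})
        default_mode = headers.get("defaultMode", "drop")     # Traefik's own default is drop
        names = headers.get("names", {})
        for header in SENSITIVE_HEADERS:
            if names.get(header, default_mode) == "keep":
                findings.append((f"accessLog.fields.headers.names.{header}",
                                 f"{header} is written to the access log in clear; set it to drop or redact"))
    return findings


if __name__ == "__main__":
    for setting, message in lint_static_config(parse_mapping_yaml(TRAEFIK_STATIC_CONFIG)):
        print(f"{setting}: {message}")
```

Run against the post's values, the lint reports four findings; the hardened variant reports none. The access-log finding is easy to miss by eye: because `headers.defaultMode` is `keep`, every request header not named under `names` is logged in full, so dropping `Authorization` still leaves `Cookie` and `Set-Cookie` in `/data/traefik/logs/access.log` on the node. Traefik's default for headers is `drop`, which is the safer starting point.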

Deploy Traefik with a Deployment

# Deployment
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik
  namespace: traefik
  labels:
    app: traefik
spec:
  replicas: 1                   ## one replica, because only worker1 is set up as the edge node in this cluster
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 1
      containers:
        - name: traefik
          image: traefik:v3.1.2
          args:
            - --configfile=/config/traefik.yaml
          ports:
            - name: web
              containerPort: 80
            - name: admin
              containerPort: 8080
            - name: tcpep
              containerPort: 8000
            - name: udpep
              containerPort: 9000
          securityContext:
            capabilities:              ## drop every capability except the one needed to bind privileged ports
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          volumeMounts:
          - mountPath: "/config"
            name: "config"
          - mountPath: /etc/traefik/logs
            name: logdir
          - mountPath: /etc/localtime
            name: timezone
            readOnly: true
          env:
            - name: TZ
              value: "Asia/Shanghai"  
      volumes:
        - name: config
          configMap:
            name: traefik-config 
        - name: logdir
          hostPath:
            path: /data/traefik/logs
            type: "DirectoryOrCreate"
        - name: timezone
          hostPath:
            path: /etc/localtime
            type: File
      tolerations:
        - operator: "Exists"        ## tolerate every taint, so the pod still schedules if the node gets tainted
      hostNetwork: true             ## use the host network for better ingress throughput (every entry point binds directly on the node)
      nodeSelector:                 ## node selector: start only on nodes carrying this label
        IngressProxy: "true"        ## schedule onto nodes labelled IngressProxy: "true"
---
# Service
apiVersion: v1
kind: Service
metadata:
  name: traefik
  namespace: traefik
spec:
  type: NodePort                    ## the official example uses LoadBalancer; none is available here, so NodePort is used instead
  selector:
    app: traefik
  ports:
    - protocol: TCP
      port: 80
      name: web
      targetPort: 80
    - protocol: TCP
      port: 8080
      name: admin
      targetPort: 8080
    - protocol: TCP
      port: 8000
      name: tcpep
      targetPort: 8000
    - protocol: UDP
      port: 9000
      name: udpep
      targetPort: 9000
  • Deploy Traefik to Kubernetes
kubectl apply -f traefik-deploy.yaml

Configure HTTP access to the dashboard by domain name

Traefik is now deployed. The Traefik dashboard Service is of type ClusterIP; next, configure a domain rule so the dashboard can be reached via traefik.local.com.

  • Create the Traefik Dashboard routing rule file traefik-dashboard-route.yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-route
  namespace: traefik
spec:
  routes:
    - match: Host(`traefik.lin-w.top`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
  • Create the Traefik Dashboard routing rule object
kubectl apply -f traefik-dashboard-route.yaml
  • After editing the hosts file, the dashboard can be reached by domain name; if a public IP is available, public DNS can be pointed at it instead

Traefik official documentation
Introduction to and deployment of Traefik on k8s