Various ways to use Traefik as a Kubernetes Ingress controller

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com) 06/02

About traefik

Refer to a previously written document:

https://blog.51cto.com/michaelkang/1918192

Version introduction

traefik: v1.7
k8s: v1.15.1

Ingress

Ingress is a resource type introduced in Kubernetes 1.1. An Ingress controller must be deployed before creating Ingress resources, and the Ingress controller is provided as a plug-in.

There are generally three components when using Ingress:

reverse proxy load balancer
Ingress Controller
Ingress

Component introduction

Reverse proxy load balancer

The reverse proxy load balancer is simple: it is software similar to nginx or haproxy. Within the cluster it can be deployed freely, using a Replication Controller, Deployment, DaemonSet, and so on. DaemonSet is recommended.

Ingress Controller

In essence, the Ingress Controller can be understood as a watcher. By constantly talking to the Kubernetes API, it perceives changes in backend services and pods in real time, such as pods and services being added or removed. When it receives this change information, the Ingress Controller combines it with the Ingress rules described below to generate configuration, then updates the reverse proxy load balancer and reloads its configuration, which achieves service discovery.

Ingress

An Ingress is simply a definition of rules; for example, that a domain name corresponds to a service, meaning that requests for that domain name are forwarded to that service. The Ingress Controller picks up these rules and dynamically writes them into the load balancer configuration, which achieves overall service discovery and load balancing.

Deploy traefik ingress services

If you are not familiar with Ingresses in Kubernetes, you may need to read the Kubernetes User Guide.

Deployment conditions

A working Kubernetes cluster. It can be a minikube cluster.

Cluster information introduction

    [root@kubm-02 traefik]# kubectl get nodes -o wide
    NAME         STATUS   ROLES    AGE   VERSION   INTERNAL-IP
    kubm-01      Ready    master   13d   v1.15.1   172.20.101.157
    kubm-02      Ready    master   13d   v1.15.1   172.20.101.164
    kubm-03      Ready    master   13d   v1.15.1   172.20.101.165
    kubnode-01   Ready    <none>   13d   v1.15.1   172.20.101.160
    kubnode-02   Ready    <none>   13d   v1.15.1   172.20.101.166
    kubnode-03   Ready    <none>   13d   v1.15.1   172.20.101.167

Create user access rules

Kubernetes introduced role-based access control (RBAC) in 1.6+ to allow fine-grained control of Kubernetes resources and the API.

If your cluster is configured with RBAC, you need to authorize Traefik to use the Kubernetes API. There are two ways to set the appropriate permissions: through namespace-specific RoleBindings or a single global ClusterRoleBinding.

A RoleBinding per namespace restricts the granted permissions to only the namespaces that Traefik is watching, thereby following the principle of least privilege. This is the preferred approach if Traefik is not supposed to watch all namespaces and the set of namespaces does not change dynamically. Otherwise, a single ClusterRoleBinding must be used.

ClusterRoleBinding:

    ---
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: traefik-ingress-controller
    rules:
      - apiGroups:
          - ""
        resources:
          - services
          - endpoints
          - secrets
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - extensions
        resources:
          - ingresses
        verbs:
          - get
          - list
          - watch
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: traefik-ingress-controller
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: traefik-ingress-controller
    subjects:
      - kind: ServiceAccount
        name: traefik-ingress-controller
        namespace: kube-system
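The namespace-scoped alternative described above, as an added example that is not part of the original article or the Traefik project's manifests. It assumes Traefik only needs to serve Ingress objects in the monitoring namespace (an illustrative choice) and uses rbac.authorization.k8s.io/v1, which a v1.15.1 cluster also serves.

```yaml
# Added example: Role + RoleBinding instead of ClusterRole + ClusterRoleBinding.
# Assumption: "monitoring" is the only namespace Traefik has to watch.
# Repeat both objects for every additional namespace that Traefik should watch.
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
  namespace: monitoring
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets          # readable only inside "monitoring", not cluster-wide
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
  namespace: monitoring
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system   # the ServiceAccount the Traefik pods run as
```

With only these objects applied, Traefik's Kubernetes provider also has to be limited to the same namespaces (in 1.7, --kubernetes.namespaces=monitoring), because cluster-wide list and watch calls are no longer authorized. Running kubectl auth can-i list secrets --as=system:serviceaccount:kube-system:traefik-ingress-controller -n NAMESPACE shows in which namespaces the ServiceAccount can read Secrets.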

    [root@kubm-02]# kubectl apply -f https://raw.githubusercontent.com/containous/traefik/v1.7/examples/k8s/traefik-rbac.yaml

Output:

    clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller created
    clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller created

Deployment mode

With a Deployment, the replica Pods are distributed across the Nodes, and each Node may run several replicas.

The difference with a DaemonSet is that at most one replica runs on each Node.

This time, Traefik is deployed in DaemonSet mode.

Deployment:

    kubectl apply -f https://raw.githubusercontent.com/containous/traefik/v1.7/examples/k8s/traefik-deployment.yaml

DaemonSet:

    kubectl apply -f https://raw.githubusercontent.com/containous/traefik/v1.7/examples/k8s/traefik-ds.yaml

Verify service startup

View service information:

    [root@kubm-02 traefik]# kubectl get rc,services -n kube-system
    NAME                              TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)           AGE
    ...
    service/traefik-ingress-service   ClusterIP   10.245.153.125   <none>        80/TCP,8080/TCP   3m42s

Check container startup status:

    [root@kubm-02 ~]# kubectl get pods --all-namespaces -o wide --selector=k8s-app=traefik-ingress-lb
    NAMESPACE     NAME                               READY   STATUS    RESTARTS   AGE   IP             NODE         NOMINATED NODE   READINESS GATES
    kube-system   traefik-ingress-controller-4d29d   1/1     Running   0          19m   10.244.3.107   kubnode-01   <none>           <none>
    kube-system   traefik-ingress-controller-mgljm   1/1     Running   0          19m   10.244.5.143   kubnode-03   <none>           <none>
    kube-system   traefik-ingress-controller-wcd5z   1/1     Running   0          19m   10.244.126     kubnode-02   <none>           <none>

Visit the traefik management page

The service exposes two NodePorts that allow access to the ingress entry point and the web interface.

Port 80: business port. After backend services register with traefik, they can only be accessed by writing a hosts file entry or adding DNS resolution.
Port 8080: traefik management page. Visit the IP address of a node on port 8080, for example: http://172.20.101.167:8080

Test access to a registered service:

First create a service and an Ingress that will expose the Traefik Web UI

Deployment Services:

    apiVersion: v1
    kind: Service
    metadata:
      name: traefik-web-ui
      namespace: kube-system
    spec:
      selector:
        k8s-app: traefik-ingress-lb
      ports:
        - name: web
          port: 80
          targetPort: 8080
    ---
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: traefik-web-ui
      namespace: kube-system
    spec:
      rules:
        - host: traefik-ui.minikube
          http:
            paths:
              - path: /
                backend:
                  serviceName: traefik-web-ui
                  servicePort: web

    kubectl apply -f https://raw.githubusercontent.com/containous/traefik/v1.7/examples/k8s/ui.yaml

Once that is done, point traefik-ui.minikube to the IP address of one of the nodes in the /etc/hosts file, and then visit http://traefik-ui.minikube in the browser.

Or

Open the traefik management page first, then send a request with curl. You can see the request on the Health page. The command is as follows:

    [root@kubm-02]# curl http://172.20.101.166 --user-agent "Mozilla/5.0" -H "Host:traefik-ui.minikube"
    Found.

Use basic authentication: create secrets

a. Use htpasswd to create a file that contains a user name and an MD5-encoded password:

    yum install httpd -y

    htpasswd -c ./auth myusername

You will be prompted for a password, and you must enter it twice. htpasswd will create a file with the following content:

    [root@kubm-02 traefik]# more auth
    myusername:$apr1$3yj4XbDF$4ekQISLfP8HyX9nYH3x9E.

b. Now use kubectl to create a Secret in the monitoring namespace from the file created by htpasswd.

    [root@kubm-02 traefik]# kubectl create namespace monitoring
    namespace/monitoring created
    [root@kubm-02 traefik]# kubectl create secret generic mysecret --from-file auth --namespace=monitoring
    secret/mysecret created

Note: Secret must be in the same namespace as the Ingress object.

c. Attach the following annotations to the Ingress object:

    traefik.ingress.kubernetes.io/auth-type: "basic"
    traefik.ingress.kubernetes.io/auth-secret: "mysecret"

They specify basic authentication and reference the Secret mysecret, which contains the credentials.
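The two annotations applied to the traefik-web-ui Ingress from earlier on this page, as an added example that is not the article's Prometheus manifest. It assumes a Secret named mysecret, built from the same htpasswd auth file, has also been created in kube-system, because the Secret has to live in the Ingress object's namespace and the page created it in monitoring.

```yaml
# Added example: basic auth in front of the Traefik Web UI Ingress.
# Assumption: "mysecret" exists in kube-system, created the same way as in step b
# but with --namespace=kube-system.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system          # must match the namespace of the Secret
  annotations:
    traefik.ingress.kubernetes.io/auth-type: "basic"
    traefik.ingress.kubernetes.io/auth-secret: "mysecret"
spec:
  rules:
    - host: traefik-ui.minikube
      http:
        paths:
          - path: /
            backend:
              serviceName: traefik-web-ui
              servicePort: web
```

A request for this host without credentials should now be answered with 401 Unauthorized, and succeed when sent with curl -u myusername. The annotations only cover requests routed through this Ingress rule on port 80; the management page reached directly at a node's port 8080 is served outside the Ingress and is not protected by them.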

The following is a complete example of Ingress based on Prometheus:

    cat > prometheus-ingress.yaml
