Ingress--- in k8s cluster is based on traefik

2025-04-04 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >

Shulou(Shulou.com)06/02 Report--

To expose the applications running in pods, K8s supports two load balancing mechanisms.

1. One is service, which provides layer-4 (TCP) load balancing.

Service mainly implements communication inside the cluster, as well as between the cluster and the outside, based on layer 4 (such as ports).

2. The other is ingress, which lets users achieve layer-7 (HTTP) load balancing.

Ingress mainly implements communication between the cluster and the outside based on layer 7 (such as the URL).

Ingress is just a collection of routing rules; it needs an ingress controller to take effect.

The ingress controller is not managed by controller-manager; it runs directly on the K8s cluster as an add-on.

The ingress controller itself runs as a pod, on the same network as the pods it proxies.

Unlike service, to use ingress you must first create the ingress-controller pod and the svc based on that pod.

For small-scale applications NodePort may be enough, but when you have more and more applications, managing NodePorts becomes very troublesome. At that point ingress is very convenient, because it avoids managing a large number of ports.

Ingress types

1. Single service resource type

2. Forward based on URL path

3. Forwarding based on virtual host

4. TLS type

The ingress controller can be implemented by the following reverse proxy:

1. haproxy

2. nginx

3. envoy

4. traefik

5. Vulcand

Create a traefik-based ingress

1. Create the RBAC authorization

apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system

$ kubectl create -f rbac.yaml

serviceaccount "traefik-ingress-controller" created

clusterrole.rbac.authorization.k8s.io "traefik-ingress-controller" created

clusterrolebinding.rbac.authorization.k8s.io "traefik-ingress-controller" created
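A point the RBAC step glosses over: because the role is a ClusterRole, the get/list/watch grant on secrets applies in every namespace, so the Traefik service account can read any secret in the cluster, not only the TLS secret created later in step 6. Traefik needs that access to serve Ingress TLS secrets, but it is worth knowing what was handed out. The following added example (not from the original article) is a small least-privilege audit of RBAC rules; TRAEFIK_RULES is a constructed Python transcription of the ClusterRole above, and the finding labels are my own.

```python
"""Least-privilege audit of RBAC rules such as the ones granted to the Traefik
ingress controller.  Added example, not from the original article."""

# Constructed transcription of the article's ClusterRole rules (the structure
# mirrors the YAML one-to-one, so no YAML parser is needed).
TRAEFIK_RULES = [
    {"apiGroups": [""], "resources": ["services", "endpoints", "secrets"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions"], "resources": ["ingresses"],
     "verbs": ["get", "list", "watch"]},
]

# Verbs that only read state; anything else lets the subject change the cluster.
READ_ONLY = {"get", "list", "watch"}
# Resources whose read access deserves a finding of its own: with a ClusterRole
# the grant applies in every namespace, not just the ones the Ingresses live in.
SENSITIVE_READ = {"secrets"}


def permissions_by_resource(rules):
    """Collapse a list of RBAC rules into {(apiGroup, resource): set(verbs)}.

    The core API group is written as "" in YAML; it is shown as "core" here.
    """
    perms = {}
    for rule in rules:
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                key = (group or "core", resource)
                perms.setdefault(key, set()).update(rule.get("verbs", []))
    return perms


def audit_rules(rules, cluster_scoped=True):
    """Return one finding string per resource that deserves attention.

    Severity order (a resource gets only its highest applicable label):
      WILDCARD        - "*" in group, resource or verbs: far beyond an ingress controller's needs
      WRITE           - a non read-only verb: the subject can modify cluster state
      SENSITIVE-READ  - read access to secrets: every TLS key (and any other secret) is readable
    Resources with plain read-only access to non-sensitive objects produce no finding.
    """
    findings = []
    scope = "cluster-wide" if cluster_scoped else "namespace-scoped"
    for (group, resource), verbs in sorted(permissions_by_resource(rules).items()):
        if group == "*" or resource == "*" or "*" in verbs:
            level = "WILDCARD"
        elif verbs - READ_ONLY:
            level = "WRITE"
        elif resource in SENSITIVE_READ:
            level = "SENSITIVE-READ"
        else:
            continue
        findings.append(f"{level}: {group}/{resource} verbs={','.join(sorted(verbs))} ({scope})")
    return findings


if __name__ == "__main__":
    # The article's role is read-only; the only finding is the cluster-wide secrets read.
    for line in audit_rules(TRAEFIK_RULES):
        print(line)
```

The audit confirms that the page's role is read-only, so the one thing left to decide is whether a controller in kube-system should be able to read every secret in the cluster; if the TLS material lives only in kube-system, a namespaced Role there plus a ClusterRole without `secrets` is a tighter fit.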

2. Create the ingress controller pod and svc based on traefik.

Deploy the controller pod on master

$ docker pull traefik

$ vim traefik.yaml

kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      tolerations:
      - operator: "Exists"                 # tolerate taints, so the pod may run on master
      nodeSelector:
        kubernetes.io/hostname: master     # deploy on master
      containers:
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
          hostPort: 80                     # with hostPort no NodePort is needed for public access; the domain name can be used directly
        - name: admin
          containerPort: 8080
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - protocol: TCP
    port: 80
    name: web
  - protocol: TCP
    port: 8080
    name: admin
  type: NodePort

Because there are two ports in the traefik container, 80 and 8080 (management port), two ports 80 and 8080 are also required in the corresponding service.

$ kubectl apply -f traefik.yaml

deployment.extensions "traefik-ingress-controller" created

service "traefik-ingress-service" created

$ kubectl get svc -n kube-system

traefik-ingress-service   NodePort   10.100.222.78   80:31657/TCP,8080:31572/TCP   79d

Access the management interface of traefik through the svc:

http://192.168.1.243:31572/

3. Create an ingress instance for the ingress controller's own svc (port 8080, the management interface)

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik.example.com
    http:
      paths:
      - backend:
          serviceName: traefik-ingress-service
          servicePort: 8080

Simulate DNS resolution:

$ vim /etc/hosts

192.168.1.243 traefik.example.com

Because the pod has hostPort: 80, the traefik management interface can be reached directly by domain name through the ingress:

https://traefik.example.com

If you have multiple masters, you can deploy an ingress-controller on each master, put a load balancer such as nginx in front of the masters, and use all masters as the backends of that load balancer; this gives the ingress-controller both high availability and load balancing.

4. Define the back-end common application pod and its svc

The type of svc is ClusterIP

kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: svc1
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: svc1
    spec:
      containers:
      - name: svc1
        image: cnych/example-web-service
        env:
        - name: APP_SVC
          value: svc1
        ports:
        - containerPort: 8080
          protocol: TCP
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: svc2
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: svc2
    spec:
      containers:
      - name: svc2
        image: cnych/example-web-service
        env:
        - name: APP_SVC
          value: svc2
        ports:
        - containerPort: 8080
          protocol: TCP
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: svc3
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: svc3
    spec:
      containers:
      - name: svc3
        image: cnych/example-web-service
        env:
        - name: APP_SVC
          value: svc3
        ports:
        - containerPort: 8080
          protocol: TCP
---
kind: Service
apiVersion: v1
metadata:
  labels:
    app: svc1
  name: svc1
spec:
  type: ClusterIP
  ports:
  - port: 8080
    name: http
  selector:
    app: svc1
---
kind: Service
apiVersion: v1
metadata:
  labels:
    app: svc2
  name: svc2
spec:
  type: ClusterIP
  ports:
  - port: 8080
    name: http
  selector:
    app: svc2
---
kind: Service
apiVersion: v1
metadata:
  labels:
    app: svc3
  name: svc3
spec:
  type: ClusterIP
  ports:
  - port: 8080
    name: http
  selector:
    app: svc3

$ kubectl create -f backend.yaml

deployment.extensions "svc1" created

deployment.extensions "svc2" created

deployment.extensions "svc3" created

service "svc1" created

service "svc2" created

service "svc3" created

5. Define the ingress policy for the above common application pod and its svc

The backend of each ingress rule is the svc of the application pods.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: example-web-app
  annotations:
    kubernetes.io/ingress.class: "traefik"
spec:
  rules:
  - host: www.example.com
    http:
      paths:
      - path: /s1
        backend:
          serviceName: svc1
          servicePort: 8080
      - path: /s2
        backend:
          serviceName: svc2
          servicePort: 8080
      - path: /
        backend:
          serviceName: svc3
          servicePort: 8080

$ kubectl create -f example-ingress.yaml

ingress.extensions "example-web-app" created

$ kubectl get ingress

$ kubectl describe ingress example-web-app

Simulate DNS resolution:

$ vim /etc/hosts

192.168.1.243 www.example.com

http://www.example.com - reaches svc3

http://www.example.com/s1 - reaches svc1

http://www.example.com/s2 - reaches svc2
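To see how the rules above are applied, the following added example (not from the original article) simulates Traefik's routing decision for a request: exact match on the Host header, then the longest matching path prefix. The rule table is a constructed transcription of both Ingress resources on this page; the assumption that an Ingress `path` is matched as a plain string prefix follows Traefik 1.x's default PathPrefix rule, which is why `/` catches everything not claimed by `/s1` or `/s2`.

```python
"""Simulate Traefik 1.x Ingress routing: host match, then longest path prefix.
Added example, not from the original article."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Backend:
    service: str   # "namespace/serviceName"
    port: int      # servicePort


# Constructed transcription of the two Ingress resources in the article.
# traefik-web-ui is in kube-system; example-web-app has no namespace in its
# manifest, so it lands in "default" (an assumption of this example).
INGRESS_RULES = [
    ("traefik.example.com", "/",   Backend("kube-system/traefik-ingress-service", 8080)),
    ("www.example.com",     "/s1", Backend("default/svc1", 8080)),
    ("www.example.com",     "/s2", Backend("default/svc2", 8080)),
    ("www.example.com",     "/",   Backend("default/svc3", 8080)),
]


def route(rules, host, path):
    """Return the Backend for (Host header, request path), or None for no match.

    Matching is plain string prefix (assumed to mirror Traefik 1.x PathPrefix),
    so "/s1" also matches "/s10"; among matching prefixes the longest wins.
    Traefik answers 404 when no rule matches, which is the None case here.
    """
    candidates = [(prefix, backend) for rule_host, prefix, backend in rules
                  if rule_host == host and path.startswith(prefix)]
    if not candidates:
        return None
    _, backend = max(candidates, key=lambda c: len(c[0]))
    return backend


def explain(rules, host, path):
    """Human-readable one-liner for a routing decision."""
    backend = route(rules, host, path)
    if backend is None:
        return f"{host}{path} -> 404 (no matching rule)"
    return f"{host}{path} -> {backend.service}:{backend.port}"


if __name__ == "__main__":
    # Constructed sample requests, including the cases the article lists.
    for host, path in [
        ("www.example.com", "/"),
        ("www.example.com", "/s1"),
        ("www.example.com", "/s2/health"),
        ("www.example.com", "/s10"),
        ("traefik.example.com", "/dashboard/"),
        ("unknown.example.com", "/"),
    ]:
        print(explain(INGRESS_RULES, host, path))
```

Two things the simulation makes visible that the three URLs above do not: a request for a host no rule names gets nothing, so the `www.example.com` rules cannot be reached through a stray hostname; and prefix matching is literal, so `/s10` is sent to svc1. Path routing is a dispatch mechanism, so each backend still has to enforce its own authorization rather than relying on the prefix it was mounted under.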

6. Make traefik ingress support TLS

Three things are needed to make it support TLS.

First, generate the certificate and key (self-signed here)

$ mkdir /ssl

$ cd /ssl

$ openssl req -newkey rsa:2048 -nodes -keyout tls.key -x509 -days 365 -out tls.crt

$ ls

tls.crt tls.key

Then create a secret to store the certificate

$ kubectl create secret generic traefik-cert --from-file=tls.crt --from-file=tls.key -n kube-system

$ kubectl get secret -n kube-system | grep traefik

Second, add the default configuration file traefik.toml

The file is in the same directory as the traefik pod file.

$ vim traefik.toml

defaultEntryPoints = ["http", "https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/tls.crt"
      KeyFile = "/ssl/tls.key"

Create a configmap to store the configuration file:

$ kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system

$ kubectl get configmap -n kube-system | grep traefik

Modify the yaml file of the traefik pod from step 2:

$ vim traefik.yaml

kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
      tolerations:
      - operator: "Exists"
      nodeSelector:
        kubernetes.io/hostname: master
      containers:
      - image: traefik
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: "/ssl"
          name: "ssl"
        - mountPath: "/config"
          name: "config"
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: https
          containerPort: 443
          hostPort: 443
        - name: admin
          containerPort: 8080
        args:
        - --configfile=/config/traefik.toml
        - --api
        - --kubernetes
        - --logLevel=INFO

$ kubectl apply -f traefik.yaml

$ kubectl logs -f traefik-ingress-controller-7dcfd9c6df-v58k7 -n kube-system

time="2018-08-26T11:26:44Z" level=info msg="Server configuration reloaded on :80"

time="2018-08-26T11:26:44Z" level=info msg="Server configuration reloaded on :443"

time="2018-08-26T11:26:44Z" level=info msg="Server configuration reloaded on :8080"
