How to understand the simpler Service Grid Traefik mesh

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains Traefik Mesh, a simpler service mesh, in a concise and easy-to-understand way. I hope you get something out of the detailed introduction below.

Traefik Mesh is a lightweight service mesh that is simple, easy to install, and easy to use.

Traefik Mesh is built on Traefik and targets Kubernetes clusters that conform to the latest Service Mesh Interface (SMI) specification.

The most important feature of Traefik Mesh is that it is non-invasive: using Traefik Mesh does not change your existing Kubernetes objects.

Non-intrusive service mesh

Traefik Mesh does not use the sidecar model; routing is handled by a proxy running on each node. The mesh controller runs in its own Pod and is responsible for parsing all configuration and configuring the proxy nodes.

(The original article illustrates the resulting traffic flow with a diagram at this point.)

Since Traefik Mesh does not intercept or modify traffic with a sidecar, how does it work?

It relies on CoreDNS: a small change to the CoreDNS configuration lets clients resolve mesh endpoints instead of the standard Kubernetes endpoints. The mesh endpoints exist in parallel with the normal Services, and each client decides whether or not to use them.

Installation

Premise:

Kubernetes 1.11 +

CoreDNS 1.3 +

Helm v3

The installation of Traefik mesh is simple, and quick installation can be achieved by using Helm.

(1) Add the Helm repository:

helm repo add traefik-mesh https://helm.traefik.io/mesh
helm repo update

(2) Download the Chart package:

helm pull traefik-mesh/traefik-mesh

(3) Unpack the Chart package:

tar xf traefik-mesh-3.0.6.tgz

Traefik Mesh deploys four components:

Controller: the mesh controller, responsible for parsing all configuration and configuring the proxy nodes

Proxy: the mesh proxy, responsible for proxying traffic on each node

Tracing: tracing configuration

Metrics: monitoring configuration

(4) Install Traefik Mesh (the "." is the unpacked chart directory):

helm install traefik-mesh .

Traefik Mesh relies on CoreDNS, and the installer patches the CoreDNS configuration. The main changes are the following two server blocks:

# Begin Maesh Block
maesh:53 {
    errors
    rewrite continue {
        name regex ([a-zA-Z0-9-_]*)\.([a-zv0-9-_]*)\.maesh default-{1}-6d61657368-{2}.default.svc.cluster.local
        answer name default-([a-zA-Z0-9-_]*)-6d61657368-([a-zA-Z0-9-_]*)\.default\.svc\.cluster\.local {1}.{2}.maesh
    }
    kubernetes cluster.local in-addr.arpa ip6.arpa {
        pods insecure
        upstream
        fallthrough in-addr.arpa ip6.arpa
    }
    forward . /etc/resolv.conf
    cache 30
    loop
    reload
    loadbalance
}
# End Maesh Block
# Begin Traefik Mesh Block
traefik.mesh:53 {
    errors
    rewrite continue {
        name regex ([a-zA-Z0-9-_]*)\.([a-zv0-9-_]*)\.traefik.mesh default-{1}-6d61657368-{2}.default.svc.cluster.local
        answer name default-([a-zA-Z0-9-_]*)-6d61657368-([a-zA-Z0-9-_]*)\.default\.svc\.cluster\.local {1}.{2}.traefik.mesh
    }
    kubernetes cluster.local in-addr.arpa ip6.arpa {
        pods insecure
        upstream
        fallthrough in-addr.arpa ip6.arpa
    }
    forward . /etc/resolv.conf
    cache 30
    loop
    reload
    loadbalance
}
# End Traefik Mesh Block

If CoreDNS reports the following error during deployment:

plugin/forward: this plugin can only be used once per Server Block

check the CoreDNS ConfigMap for a server block that contains two forward directives.
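As an added example (not from the article or the Traefik Mesh project), the following Python applies the two rewrite rules of the traefik.mesh block to a query name and checks a constructed Corefile for the duplicate forward that triggers the error above. The "default" namespace and the 6d61657368 marker (the hex encoding of "maesh") come from the configuration shown; the block-parsing checker is an assumption about CoreDNS's Corefile syntax.

```python
import re

MESH_NS = "default"                 # namespace the article installs Traefik Mesh into
MESH_TAG = b"maesh".hex()           # "6d61657368": the marker the CoreDNS rewrite inserts
LABEL = r"([a-zA-Z0-9-_]*)"         # the character class used in the rewrite rules

def to_proxy_name(qname):
    """'name regex' direction: <svc>.<ns>.traefik.mesh -> the mesh proxy's Service name.
    Returns None for any other name, which CoreDNS hands to the normal kubernetes plugin."""
    m = re.fullmatch(rf"{LABEL}\.{LABEL}\.traefik\.mesh", qname)
    if not m:
        return None
    svc, ns = m.groups()
    return f"{MESH_NS}-{svc}-{MESH_TAG}-{ns}.{MESH_NS}.svc.cluster.local"

def to_mesh_name(answer):
    """'answer name' direction: map the proxy name back to the name the client asked for."""
    m = re.fullmatch(rf"{MESH_NS}-{LABEL}-{MESH_TAG}-{LABEL}\.{MESH_NS}\.svc\.cluster\.local", answer)
    return f"{m.group(1)}.{m.group(2)}.traefik.mesh" if m else None

# Constructed Corefile with a second 'forward' in the traefik.mesh block, the mistake that
# produces "plugin/forward: this plugin can only be used once per Server Block".
SAMPLE_COREFILE = r"""traefik.mesh:53 {
    rewrite continue {
        name regex ([a-zA-Z0-9-_]*)\.([a-zA-Z0-9-_]*)\.traefik.mesh default-{1}-6d61657368-{2}.default.svc.cluster.local
    }
    forward . /etc/resolv.conf
    forward . 10.96.0.10
}
.:53 {
    forward . /etc/resolv.conf
}
"""

def blocks_with_duplicate_forward(corefile):
    """Return the labels of server blocks that declare 'forward' more than once."""
    bad, label, depth, count = [], None, 0, 0
    for line in corefile.splitlines():
        s = line.strip()
        if depth == 0 and s.endswith("{"):
            label, count = s[:-1].strip(), 0   # new server block, e.g. 'traefik.mesh:53'
        if depth == 1 and s.split()[:1] == ["forward"]:
            count += 1                          # only a top-level forward counts
        depth += s.count("{") - s.count("}")
        if depth == 0 and label is not None and s.endswith("}"):
            if count > 1:
                bad.append(label)
            label = None
    return bad
```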

Configuration

The configuration of Traefik mesh is divided into static configuration and dynamic configuration.

Static configuration

You can specify controller image version and Traefik image version manually

You can configure the log level and format for controller and proxies

The mode of mesh can be configured. The default is HTTP.

You can turn on the tracing function

The ACL access-control feature can be enabled, which runs Traefik Mesh in ACL mode and denies all traffic unless it is explicitly allowed by an SMI TrafficTarget.

Dynamic configuration

Dynamic configuration is provided to Traefik Mesh through annotations on Kubernetes Services and through SMI objects. The main supported dynamic configuration parameters are:

Traffic-Type

Scheme

Retry

Circuit-Breaker

Rate-Limit

Traffic-Split

Traffic-Target

Here is a brief description of how to configure each of these with annotations on a Kubernetes Service.

(1) Traffic-Type sets the traffic type. Three values can be configured: tcp, udp and http; if none is set, http is used. The configuration is as follows:

mesh.traefik.io/traffic-type: "http"

(2) Scheme sets the protocol used for requests. Three values can be configured: http, https and h2c. For example:

mesh.traefik.io/scheme: "h2c"

(3) Retry sets the number of retries. When the network or something else fails, the request is retried the configured number of times; if it still fails, the failure is returned. The configuration is as follows:

mesh.traefik.io/retry-attempts: "2"

(4) Circuit breaker controls whether traffic keeps being forwarded to a backend. While the backend is healthy the breaker stays closed (disabled by default); when the backend is abnormal it opens and traffic is no longer forwarded there. The annotation takes a Traefik circuit-breaker expression:

mesh.traefik.io/circuit-breaker-expression: "Expression"

(5) Rate limit configures rate limiting in requests per second. You can set an average and a burst, as follows:

mesh.traefik.io/ratelimit-average: "100"
mesh.traefik.io/ratelimit-burst: "200"

(6) Access control configures which clients are allowed to access an application. For example, the following routes are defined:

apiVersion: specs.smi-spec.io/v1alpha3
kind: HTTPRouteGroup
metadata:
  name: server-routes
  namespace: server
spec:
  matches:
  - name: api
    pathRegex: /api
    methods: ["*"]
  - name: metrics
    pathRegex: /metrics
    methods: ["GET"]

This means the /api path may be accessed with any method, and only GET is allowed on the /metrics path. Defining a route is not enough: by default all traffic is denied. To grant a client access, a TrafficTarget is also required, as follows:

apiVersion: access.smi-spec.io/v1alpha2
kind: TrafficTarget
metadata:
  name: client-server-target
  namespace: server
spec:
  destination:
    kind: ServiceAccount
    name: server
    namespace: server
  rules:
  - kind: HTTPRouteGroup
    name: server-routes
    matches:
    - api
  sources:
  - kind: ServiceAccount
    name: client
    namespace: client

This configuration means that all pods in the client namespace running under the client ServiceAccount are allowed to access the api route.

(7) Traffic Split splits traffic between backends, which is especially useful for canary releases. For example:

apiVersion: split.smi-spec.io/v1alpha3
kind: TrafficSplit
metadata:
  name: server-split
  namespace: server
spec:
  service: server
  backends:
  - service: server-v1
    weight: 80
  - service: server-v2
    weight: 20

This means 80% of the traffic is forwarded to server-v1 and 20% to server-v2.
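As an added example (not part of the original article or the Traefik Mesh project), the following Python evaluates a request against constructed copies of the HTTPRouteGroup and TrafficTarget above under the default-deny ACL rule, and picks a TrafficSplit backend deterministically. Treating pathRegex as a regex anchored at the start of the path, and an empty matches list as "all routes in the group", are assumptions.

```python
import re

# Constructed Python copies of the HTTPRouteGroup, TrafficTarget and TrafficSplit objects
# shown above (not Traefik Mesh's own code); tuples are (namespace, name).
HTTP_ROUTE_GROUPS = {
    ("server", "server-routes"): [
        {"name": "api", "pathRegex": "/api", "methods": ["*"]},
        {"name": "metrics", "pathRegex": "/metrics", "methods": ["GET"]},
    ],
}
TRAFFIC_TARGETS = [{
    "destination": ("server", "server"),          # ServiceAccount the server pods run as
    "rules": [{"group": ("server", "server-routes"), "matches": ["api"]}],
    "sources": [("client", "client")],            # ServiceAccount allowed to call it
}]
SPLIT_BACKENDS = [("server-v1", 80), ("server-v2", 20)]

def route_matches(route, method, path):
    """pathRegex is treated as a regex anchored at the start of the path (assumption)."""
    method_ok = "*" in route["methods"] or method in route["methods"]
    return method_ok and re.match(route["pathRegex"], path) is not None

def is_allowed(src, dst, method, path):
    """ACL mode: deny unless a TrafficTarget names both ServiceAccounts and one of the
    routes it references matches the request. src and dst are (namespace, sa) tuples."""
    for tt in TRAFFIC_TARGETS:
        if tt["destination"] != dst or src not in tt["sources"]:
            continue
        for rule in tt["rules"]:
            routes = HTTP_ROUTE_GROUPS[rule["group"]]
            # An empty 'matches' list is taken to mean every route in the group.
            wanted = rule.get("matches") or [r["name"] for r in routes]
            if any(r["name"] in wanted and route_matches(r, method, path) for r in routes):
                return True
    return False

def split_backend(roll, backends=SPLIT_BACKENDS):
    """Pick the backend for one request, given roll in [0, sum of weights)."""
    for name, weight in backends:
        if roll < weight:
            return name
        roll -= weight
    raise ValueError("roll outside the weight range")
```

Note that the client is denied /metrics even though the HTTPRouteGroup defines that route, because the TrafficTarget only references the api match.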

Examples

Traefik Mesh has now been installed; what follows is a simple test using the official example.

(1) Deploy the applications:

apiVersion: v1
kind: Namespace
metadata:
  name: whoami
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: whoami-server
  namespace: whoami
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: whoami-client
  namespace: whoami
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: whoami
  namespace: whoami
spec:
  replicas: 2
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      serviceAccount: whoami-server
      containers:
      - name: whoami
        image: traefik/whoami:v1.6.0
        imagePullPolicy: IfNotPresent
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: whoami-tcp
  namespace: whoami
spec:
  replicas: 2
  selector:
    matchLabels:
      app: whoami-tcp
  template:
    metadata:
      labels:
        app: whoami-tcp
    spec:
      serviceAccount: whoami-server
      containers:
      - name: whoami-tcp
        image: traefik/whoamitcp:v0.1.0
        imagePullPolicy: IfNotPresent
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
  namespace: whoami
  labels:
    app: whoami
spec:
  type: ClusterIP
  ports:
  - port: 80
    name: whoami
  selector:
    app: whoami
---
apiVersion: v1
kind: Service
metadata:
  name: whoami-tcp
  namespace: whoami
  labels:
    app: whoami-tcp
spec:
  type: ClusterIP
  ports:
  - port: 8080
    name: whoami-tcp
  selector:
    app: whoami-tcp
---
apiVersion: v1
kind: Pod
metadata:
  name: whoami-client
  namespace: whoami
spec:
  serviceAccountName: whoami-client
  containers:
  - name: whoami-client
    image: giantswarm/tiny-tools:3.9
    command:
    - "sleep"
    - "3600"

Two applications are deployed above: one is an http application and the other is a tcp application.

You can check that the applications have started with the following command:

kubectl get all -n whoami

Then test connectivity to the applications as follows:

# kubectl -n whoami exec whoami-client -- curl -s whoami.whoami.svc.cluster.local
Hostname: whoami-576cb59fd-qvnl7
IP: 127.0.0.1
IP: 172.16.235.193
RemoteAddr: 172.16.7.181:33150
GET / HTTP/1.1
Host: whoami.whoami.svc.cluster.local
User-Agent: curl/7.64.0
Accept: */*

# kubectl -n whoami exec -ti whoami-client -- nc whoami-tcp.whoami.svc.cluster.local 8080
my data
Received: my data
eee
Received: eee
eee
Received: eee

To put the two Services into Traefik Mesh, you only need to add one annotation to each Service: mesh.traefik.io/traffic-type: "http" on the http application's Service and mesh.traefik.io/traffic-type: "tcp" on the tcp application's Service, as follows:

apiVersion: v1
kind: Service
metadata:
  name: whoami
  namespace: whoami
  labels:
    app: whoami
  annotations:
    mesh.traefik.io/traffic-type: "http"
    mesh.traefik.io/retry-attempts: "2"
spec:
  type: ClusterIP
  ports:
  - port: 80
    name: whoami
  selector:
    app: whoami
---
apiVersion: v1
kind: Service
metadata:
  name: whoami-tcp
  namespace: whoami
  labels:
    app: whoami-tcp
  annotations:
    mesh.traefik.io/traffic-type: "tcp"
spec:
  type: ClusterIP
  ports:
  - port: 8080
    name: whoami-tcp
  selector:
    app: whoami-tcp

To access the service through the mesh, simply replace svc.cluster.local with traefik.mesh in the name. For example, the previous access method was:

kubectl -n whoami exec whoami-client -- curl -s whoami.whoami.svc.cluster.local

After adding Traefik Mesh, it becomes:

kubectl -n whoami exec whoami-client -- curl -s whoami.whoami.traefik.mesh

Of course, the previous access method still works, and it is up to the user to decide which one to use.

The above is how to understand the simpler service mesh Traefik Mesh. Have you learned the knowledge or skills? If you want to learn more skills or enrich your knowledge, you are welcome to follow the industry information channel.
