The content of this section:
- Traefik Introduction
- Two services deployed for testing
- Role Based Access Control configuration (Kubernetes 1.6+ only)
- Deploying Traefik
- Deploying Ingress
- Deploying the Traefik UI
- Access test
- Health Check
I. Introduction of Traefik
Traefik is a front-end load balancer with good support for microservices architectures and orchestration tools, especially Kubernetes. It can automatically detect changes in back-end containers and so perform automatic service discovery.
Microservices architectures, Docker, and the Kubernetes orchestration tool only became popular in recent years, so earlier reverse proxy servers such as Nginx and Apache did not support them; their authors could not have foreseen the future. The Ingress Controller therefore appeared as the link between Kubernetes and a front-end load balancer such as Nginx: the Ingress Controller interacts with Kubernetes, writes the Nginx configuration, and reloads Nginx. This is a compromise. Traefik, by contrast, was built to support Kubernetes from the start: it interacts with the Kubernetes API itself and senses back-end changes. So when using Traefik, a separate Ingress Controller is unnecessary. The overall structure is as follows:
II. Two services for deployment testing
Deploy two services, nginx1-7 and nginx1-8; Traefik will later load-balance across them:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: frontend
spec:
  ports:
    - port: 80
      targetPort: 80
  selector:
    app: nginx1-7
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: nginx1-7-deployment
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx1-7
    spec:
      containers:
        - name: nginx
          image: nginx:1.7.9
          ports:
            - containerPort: 80
```
nginx1-7.yaml
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-nginx
spec:
  ports:
    - port: 80
      targetPort: 80
  selector:
    app: nginx1-8
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: nginx1-8-deployment
spec:
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx1-8
    spec:
      containers:
        - name: nginx
          image: nginx:1.8
          ports:
            - containerPort: 80
```
nginx1-8.yaml
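Run the two services:
```
[nginx_ingress]# kubectl create -f nginx1-7.yaml
service "frontend" created
deployment "nginx1-7-deployment" created
[nginx_ingress]# kubectl create -f nginx1-8.yaml
service "my-nginx" created
deployment "nginx1-8-deployment" created
```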
III. Role Based Access Control configuration (Kubernetes 1.6+ only)
The cluster I deployed here runs Kubernetes 1.6.0 with RBAC enabled, so a role and a role binding are needed.
```
[traefik]# pwd
/opt/traefik
[traefik]# vim ingress-rbac.yaml
```
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress
  namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: ingress
subjects:
  - kind: ServiceAccount
    name: ingress
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin   # built-in role with full privileges over the whole cluster
  apiGroup: rbac.authorization.k8s.io
```
ingress-rbac.yaml
IV. Deployment of Traefik
```
[traefik]# pwd
/opt/traefik
[traefik]# vim traefik-deploy.yaml
```
```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: traefik-ingress-lb
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      terminationGracePeriodSeconds: 60
      hostNetwork: true              # the pod shares the node's network namespace
      restartPolicy: Always
      serviceAccountName: ingress    # ServiceAccount from ingress-rbac.yaml
      containers:
        - image: traefik
          name: traefik-ingress-lb
          resources:
            limits:
              cpu: 200m
              memory: 30Mi
            requests:
              cpu: 100m
              memory: 20Mi
          ports:
            - name: http
              containerPort: 80
              hostPort: 80
            - name: admin
              containerPort: 8580
              hostPort: 8580         # must equal containerPort when hostNetwork is true
          args:
            - --web                  # enable the web UI
            - --web.address=:8580    # UI port, moved from the default 8080
            - --kubernetes           # enable the Kubernetes backend
```
traefik-deploy.yaml
Here Traefik listens on ports 80 and 8580 of the node: port 80 serves normal traffic and port 8580 is Traefik's own UI. The UI port defaults to 8080; it was changed here temporarily because of a port conflict in this environment.
Note: this is a Deployment, which does not restrict which host the pod runs on.
V. Deployment of Ingress
```
[traefik]# cat traefik.yaml
```
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-ingress
  namespace: default
spec:
  rules:
    - host: traefik.nginx.io
      http:
        paths:
          - path: /
            backend:
              serviceName: my-nginx
              servicePort: 80
    - host: traefik.frontend.io
      http:
        paths:
          - path: /
            backend:
              serviceName: frontend
              servicePort: 80
```
traefik.yaml
Each backend must be set to the name of a service running in the default namespace; if no namespace is specified, the default namespace is used. To expose a service created in another namespace, create a new ingress.yaml file and specify that namespace in it, using the same format as the file above. path is the part of the URL after the address, as in traefik.frontend.io/path, and the service receives that path. For host, it is best to use a naming scheme such as service-name.field1.field2.domain-name, which makes services easy to tell apart.
Adjust the file to match the names and ports of the services deployed in your environment. When a new service is added, modify the file and apply the update with kubectl replace -f traefik.yaml.
VI. Deployment of the Traefik UI
Traefik also provides its own UI, which is likewise exposed through an Ingress; it only needs to be created.
```
[traefik]# cat traefik-ui-service.yaml
```
```yaml
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - name: web
      port:              # value missing in the source page
      targetPort: 8580
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  rules:
    - host: traefik-ui.local
      http:
        paths:
          - path: /
            backend:
              serviceName: traefik-web-ui
              servicePort: web
```
traefik-ui-service.yaml
Finally, create everything together:
```
[traefik]# kubectl create -f .
serviceaccount "ingress" created
clusterrolebinding "ingress" created
deployment "traefik-ingress-lb" created
service "traefik-web-ui" created
ingress "traefik-web-ui" created
ingress "traefik-ingress" created
```
VII. Access Testing
See which host the Traefik pod is assigned to:
```
[traefik]# kubectl get pods -n kube-system -l k8s-app=traefik-ingress-lb -o wide
NAME                                  READY     STATUS    RESTARTS   AGE       IP             NODE
traefik-ingress-lb-4237248072-1dg9n   1/1       Running   0          2m        172.16.7.152   172.16.7.152
```
Open http://172.16.7.152:8580/ in a browser and you will see the dashboard.
The yellow section on the left lists all rules, and the green section on the right lists all backends.
To access the "/" path of nginx, run the following on any node of the Kubernetes cluster:
```
curl -H Host:traefik.nginx.io http://172.16.7.152/
```
To access the services from outside the Kubernetes cluster, set up DNS or modify the local hosts file:
```
172.16.7.152 traefik.nginx.io
172.16.7.152 traefik.frontend.io
```
All traffic to these addresses is sent to 172.16.7.152, the host on which we started Traefik.
Traefik reads the Host header of the HTTP request and forwards the traffic to the corresponding service in the Ingress configuration.
After you modify the hosts file, you can access the two services above from outside the Kubernetes cluster.
VIII. Health Check
Health checks can be implemented with a Kubernetes liveness probe; if the liveness probe check fails, Traefik automatically removes the pod.
Example: we define a test-health deployment whose health check is cat /tmp/health. The file is deleted 2 minutes after the container starts, which simulates a failed health check.
The test-health deployment:
```
[traefik]# cat test-health-deploy.yaml
```
```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: test
  namespace: default
  labels:
    test: alpine
spec:
  replicas: 1
  selector:
    matchLabels:
      test: alpine
  template:
    metadata:
      labels:
        test: alpine
        name: test               # matched by the selector of the test Service
    spec:
      containers:
        - image: mritd/alpine:3.4
          name: alpine
          resources:
            limits:
              cpu: 200m
              memory: 30Mi
            requests:
              cpu: 100m
              memory: 20Mi
          ports:
            - name: http
              containerPort: 80
          # Create the health file, then delete it after 120 seconds
          command:
            - "bash"
            - "-c"
            - "echo OK > /tmp/health; sleep 120; rm -f /tmp/health"
          # The probe fails as soon as /tmp/health no longer exists
          livenessProbe:
            exec:
              command:
                - cat
                - /tmp/health
            initialDelaySeconds: 20
```
test-health-deploy.yaml
The test-health service:
```
[traefik]# vim test-health-service.yaml
```
```yaml
apiVersion: v1
kind: Service
metadata:
  name: test
  labels:
    name: test
spec:
  ports:
    - port: 8123
      targetPort: 80
  selector:
    name: test
```
test-health-service.yaml
The test-health ingress:
```
[traefik]# vim test-health-ingress.yaml
```
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test
spec:
  rules:
    - host: test.com
      http:
        paths:
          - path: /
            backend:
              serviceName: test
              servicePort: 8123
```
test-health-ingress.yaml
After everything is created, open the Traefik UI and observe: every 2 minutes the health check fails, Kubernetes rebuilds the pod, and Traefik removes the pod from the backend list.
Use Traefik on Kubernetes