Kubernetes 1.9 Cluster using Traefik Publishing Service


The previous article described using Traefik for service publishing in a Kubernetes 1.5.2 cluster. There, Traefik was deployed as a DaemonSet, connected to the api-server over plain HTTP, and RBAC was not configured. This article describes deploying Traefik for service publishing on K8s 1.9 using a Deployment.





Before you begin, you need to know what RBAC is. RBAC (role-based access control) uses the rbac.authorization.k8s.io API group for permission control and allows administrators to configure permission policies dynamically through the Kubernetes API. In version 1.6, RBAC is still in the beta phase, and to turn on RBAC authorization mode you need to specify --authorization-mode=RBAC on the apiserver component.



Four important concepts in the RBAC API:
Role: a collection of permissions; for example, a role can contain permission to read pods and permission to list pods.
ClusterRole: similar to Role, but can be used everywhere in the cluster (a Role is namespace-level).
RoleBinding: maps a role to users, allowing these users to inherit the role's permissions within a namespace.
ClusterRoleBinding: lets users inherit ClusterRole permissions throughout the cluster.



Put simply, RBAC implements authorization for the api-server in the k8s cluster. For more on RBAC, refer to the official documentation: https://kubernetes.io/docs/admin/authorization/rbac/



I. Label the nodes of the cluster
Because Traefik is deployed as a Deployment, the cluster nodes are labeled first. The Deployment's nodeSelector later specifies traefik=proxy, and the number of replicas matches the number of cluster nodes, so every node runs one pod.


# kubectl get nodes --show-labels
# kubectl label node vm1 traefik=proxy
# kubectl label node vm2 traefik=proxy
# kubectl get nodes --show-labels



II. Preparing YAML files
1. RBAC file


# cat traefik-rbac.yaml
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system
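Added example (not part of the original article and not Traefik's own code): a simplified offline model of RBAC rule matching, applied to the ClusterRole and ClusterRoleBinding in traefik-rbac.yaml, showing what the traefik-ingress-controller ServiceAccount may do and in which namespaces. The names can_i, review and SENSITIVE are hypothetical, and the model ignores resourceNames, subresources and non-resource URLs.

```python
# Rules copied from the ClusterRole in traefik-rbac.yaml on this page.
RULES = [
    {"apiGroups": [""], "resources": ["services", "endpoints", "secrets"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions"], "resources": ["ingresses"],
     "verbs": ["get", "list", "watch"]},
]
# The page binds them with a ClusterRoleBinding, which applies in every namespace.
BINDING = {"kind": "ClusterRoleBinding", "namespace": None}

SENSITIVE = {"secrets"}  # assumption: resources a reviewer wants flagged
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

def _match(allowed, value):
    """An RBAC list matches on the exact value or the '*' wildcard."""
    return "*" in allowed or value in allowed

def can_i(rules, binding, verb, api_group, resource, namespace):
    """True if the bound subject may perform verb on resource in namespace."""
    if binding["kind"] == "RoleBinding" and binding["namespace"] != namespace:
        return False  # a RoleBinding grants nothing outside its own namespace
    return any(
        _match(r["apiGroups"], api_group)
        and _match(r["resources"], resource)
        and _match(r["verbs"], verb)
        for r in rules
    )

def review(rules, binding):
    """Findings for a least-privilege review: wildcards, writes, sensitive reads."""
    cluster = binding["kind"] == "ClusterRoleBinding"
    scope = "cluster-wide" if cluster else binding["namespace"]
    findings = []
    for r in rules:
        verbs = set(r["verbs"])
        for res in r["resources"]:
            if "*" in verbs or res == "*":
                findings.append(f"wildcard grant on {res} ({scope})")
            elif verbs & WRITE_VERBS:
                findings.append(f"write access to {res} ({scope})")
            elif res in SENSITIVE:
                findings.append(f"read access to {res} ({scope})")
    return findings

if __name__ == "__main__":
    print(can_i(RULES, BINDING, "get", "", "secrets", "default"))
    print(review(RULES, BINDING))
```

Against a live cluster, the same questions can be asked with kubectl auth can-i and --as=system:serviceaccount:kube-system:traefik-ingress-controller.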


2. Traefik's deployment file


# cat traefik-deployment.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 2
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      hostNetwork: true
      nodeSelector:
        traefik: proxy
      terminationGracePeriodSeconds: 60
      containers:
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: web
          containerPort: 80
          hostPort: 80
        - name: admin
          containerPort: 8081
        args:
        - --web
        - --web.address=:8081
        - --kubernetes


3. Traefik Service File


# cat traefik-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - port: 80
    targetPort: 8081


4. Create the ClusterRole, ClusterRoleBinding, Deployment, ServiceAccount and Service from the YAML files









You can see that a frontend service exists in the default namespace of the cluster. There are three services in the kube-system namespace: nginx-test, traefik-web-ui and kubernetes-dashboard. We will create 4 ingresses in the next step.

In the web UI, you can see that one pod is running on each of the two nodes.



III. Creating ingresses with YAML files


# cat ui.yaml
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - port: 80
    targetPort: 8081
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik-ui
    http:
      paths:
      - backend:
          serviceName: traefik-web-ui
          servicePort: 80

# cat webui-ing.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-ingress
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: k8s.webui
    http:
      paths:
      - backend:
          serviceName: kubernetes-dashboard
          servicePort: 443

# cat redis-ing.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: k8s.frontend
    http:
      paths:
      - backend:
          serviceName: frontend
          servicePort: 80

# cat nginx-ing.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-nginx-ingress
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: test.fjhb.cn
    http:
      paths:
      - backend:
          serviceName: nginx-test
          servicePort: 80

# kubectl create -f ui.yaml
# kubectl create -f webui-ing.yaml
# kubectl create -f redis-ing.yaml
# kubectl get ingress
# kubectl get ingress -n kube-system



IV. Verification
1. By accessing the Nodeport port corresponding to the Traefik service, 4 ingress configurations are loaded into the

2. Modify the test machine's hosts file so that the 4 domain names resolve to the two nodes

3. Browser Access test

The reason for the 500 error here is that the backend kubernetes-dashboard is configured to use the HTTPS protocol.



You can see the statistics of the HTTP status code on the health page


