The previous article described using Traefik for service publishing in a Kubernetes 1.5.2 cluster. There, Traefik was deployed as a DaemonSet, connected to the API server over HTTP, and RBAC was not configured. This article describes deploying Traefik for service publishing on Kubernetes 1.9 using a Deployment.
Before you begin, you need to know what RBAC is. RBAC (role-based access control) uses the rbac.authorization.k8s.io API group for permission control and lets administrators configure permission policies dynamically through the Kubernetes API. In version 1.6, RBAC is still in the beta phase, and to turn on RBAC authorization mode you need to specify --authorization-mode=RBAC on the apiserver component.
Four important concepts in the RBAC API:
Role: a collection of permissions; for example, a role can contain permission to read pods and permission to list pods.
ClusterRole: similar to a Role, but usable everywhere in the cluster (a Role is namespace-level).
RoleBinding: maps a role to users, allowing those users to inherit the role's permissions within a namespace.
ClusterRoleBinding: lets users inherit a ClusterRole's permissions throughout the cluster.
To put it simply, RBAC implements authorization for API server access in the k8s cluster. For more on RBAC, refer to the official documentation: https://kubernetes.io/docs/admin/authorization/rbac/
I. Label the nodes of the cluster
Because Traefik is deployed as a Deployment, the cluster nodes need to be labeled. The nodeSelector used later specifies traefik=proxy, and the number of replicas matches the number of cluster nodes, so every node runs one pod.
    # kubectl get nodes --show-labels
    # kubectl label node vm1 traefik=proxy
    # kubectl label node vm2 traefik=proxy
    # kubectl get nodes --show-labels
II. Preparing the YAML files
1. RBAC file
    # cat traefik-rbac.yaml
    ---
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: traefik-ingress-controller
    rules:
      - apiGroups:
          - ""            # core API group
        resources:
          - services
          - endpoints
          - secrets       # TLS certificates referenced by Ingresses
        verbs:            # read-only access
          - get
          - list
          - watch
      - apiGroups:
          - extensions
        resources:
          - ingresses
        verbs:
          - get
          - list
          - watch
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: traefik-ingress-controller
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: traefik-ingress-controller
    subjects:
    - kind: ServiceAccount
      name: traefik-ingress-controller
      namespace: kube-system
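To see what this ClusterRole grants once it is bound cluster-wide, the following added example (not part of the original article) applies the RBAC matching rules to the rules above and reports what a reviewer would flag. The function names and the simplified matching model are assumptions of the example.

```python
# Added example. Rules transcribed from traefik-rbac.yaml on this page.
TRAEFIK_RULES = [
    {"apiGroups": [""], "resources": ["services", "endpoints", "secrets"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions"], "resources": ["ingresses"],
     "verbs": ["get", "list", "watch"]},
]
READ_VERBS = {"get", "list", "watch"}


def _matches(granted, value):
    # RBAC lists match on an exact entry or on the "*" wildcard.
    return "*" in granted or value in granted


def is_allowed(rules, api_group, resource, verb):
    """RBAC is additive: a request is allowed if any single rule matches it.

    Simplification (assumption): resourceNames, subresources and
    nonResourceURLs are not modelled.
    """
    return any(
        _matches(r.get("apiGroups", []), api_group)
        and _matches(r.get("resources", []), resource)
        and _matches(r.get("verbs", []), verb)
        for r in rules
    )


def audit(rules, cluster_wide):
    """Findings a reviewer would raise; cluster_wide=True for a ClusterRoleBinding."""
    findings = []
    for i, r in enumerate(rules):
        groups, resources = r.get("apiGroups", []), r.get("resources", [])
        verbs = set(r.get("verbs", []))
        if "*" in groups or "*" in resources or "*" in verbs:
            findings.append(f"rule {i}: wildcard grant")
        writes = sorted(verbs - READ_VERBS - {"*"})
        if writes:
            findings.append(f"rule {i}: write verbs {writes}")
        if cluster_wide and _matches(groups, "") and _matches(resources, "secrets"):
            findings.append(f"rule {i}: access to Secrets in every namespace")
    return findings


if __name__ == "__main__":
    for finding in audit(TRAEFIK_RULES, cluster_wide=True):
        print(finding)
    print("delete secrets:", is_allowed(TRAEFIK_RULES, "", "secrets", "delete"))
```

On a live cluster the same question can be asked of the API server with `kubectl auth can-i list secrets -n default --as=system:serviceaccount:kube-system:traefik-ingress-controller`.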
2. Traefik deployment file
    # cat traefik-deployment.yaml
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: traefik-ingress-controller
      namespace: kube-system
    ---
    kind: Deployment
    apiVersion: extensions/v1beta1
    metadata:
      name: traefik-ingress-controller
      namespace: kube-system
      labels:
        k8s-app: traefik-ingress-lb
    spec:
      replicas: 2                    # one replica per labeled node
      selector:
        matchLabels:
          k8s-app: traefik-ingress-lb
      template:
        metadata:
          labels:
            k8s-app: traefik-ingress-lb
            name: traefik-ingress-lb
        spec:
          serviceAccountName: traefik-ingress-controller
          hostNetwork: true          # pod shares the node's network namespace
          nodeSelector:
            traefik: proxy           # label applied to the nodes in section I
          terminationGracePeriodSeconds: 60
          containers:
          - image: traefik
            name: traefik-ingress-lb
            ports:
            - name: web
              containerPort: 80
              hostPort: 80
            - name: admin
              containerPort: 8081
            args:
            - --web                  # enable the web UI
            - --web.address=:8081    # web UI listens on port 8081
            - --kubernetes
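Two settings in this pod template deserve a second look before it goes near a shared cluster: the image has no fixed tag, and hostNetwork puts the admin port on the node's own interfaces. The following added example (not part of the original article) checks a pod spec for both; the function names are assumptions of the example and the spec is transcribed from the file above.

```python
# Added example. Pod template spec transcribed from traefik-deployment.yaml.
POD_SPEC = {
    "serviceAccountName": "traefik-ingress-controller",
    "hostNetwork": True,
    "nodeSelector": {"traefik": "proxy"},
    "containers": [{
        "image": "traefik",
        "name": "traefik-ingress-lb",
        "ports": [
            {"name": "web", "containerPort": 80, "hostPort": 80},
            {"name": "admin", "containerPort": 8081},
        ],
        "args": ["--web", "--web.address=:8081", "--kubernetes"],
    }],
}


def image_is_pinned(image):
    """Pinned means a digest, or an explicit tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]   # drop any registry host:port prefix
    tag = last.partition(":")[2]
    return bool(tag) and tag != "latest"


def audit_pod_spec(spec):
    """Return review findings for image pinning and node-level port exposure."""
    findings = []
    host_net = spec.get("hostNetwork", False)
    for c in spec.get("containers", []):
        name = c.get("name", "?")
        image = c.get("image", "")
        if not image_is_pinned(image):
            findings.append(f"{name}: image '{image}' has no fixed tag or digest")
        for p in c.get("ports", []):
            # With hostNetwork every listening port is bound on the node
            # itself, whether or not hostPort is declared for it.
            if host_net or "hostPort" in p:
                label = p.get("name", "unnamed")
                findings.append(
                    f"{name}: port {p['containerPort']} ({label}) is reachable on the node IP")
    return findings


if __name__ == "__main__":
    for finding in audit_pod_spec(POD_SPEC):
        print(finding)
```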
3. Traefik service file
    # cat traefik-service.yaml
    apiVersion: v1
    kind: Service
    metadata:
      name: traefik-web-ui
      namespace: kube-system
    spec:
      selector:
        k8s-app: traefik-ingress-lb
      ports:
      - port: 80
        targetPort: 8081
4. Create the ClusterRole, ClusterRoleBinding, Deployment, ServiceAccount and Service from the YAML files
You can see that a frontend service exists in the default namespace of the cluster. There are three services in the kube-system namespace: nginx-test, traefik-web-ui and kubernetes-dashboard. We will create 4 ingresses in the next step.
In the web UI, you can see that one pod is running on each of the two nodes.
III. Creating ingresses with YAML files
    # cat ui.yaml
    apiVersion: v1
    kind: Service
    metadata:
      name: traefik-web-ui
      namespace: kube-system
    spec:
      selector:
        k8s-app: traefik-ingress-lb
      ports:
      - port: 80
        targetPort: 8081
    ---
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: traefik-web-ui
      namespace: kube-system
      annotations:
        kubernetes.io/ingress.class: traefik
    spec:
      rules:
      - host: traefik-ui
        http:
          paths:
          - backend:
              serviceName: traefik-web-ui
              servicePort: 80

    # cat webui-ing.yaml
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: traefik-ingress
      namespace: kube-system
      annotations:
        kubernetes.io/ingress.class: traefik
    spec:
      rules:
      - host: k8s.webui
        http:
          paths:
          - backend:
              serviceName: kubernetes-dashboard
              servicePort: 443

    # cat redis-ing.yaml
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: traefik-ingress
      namespace: default
      annotations:
        kubernetes.io/ingress.class: traefik
    spec:
      rules:
      - host: k8s.frontend
        http:
          paths:
          - backend:
              serviceName: frontend
              servicePort: 80

    # cat nginx-ing.yaml
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: traefik-nginx-ingress
      namespace: kube-system
      annotations:
        kubernetes.io/ingress.class: traefik
    spec:
      rules:
      - host: test.fjhb.cn
        http:
          paths:
          - backend:
              serviceName: nginx-test
              servicePort: 80

    # kubectl create -f ui.yaml
    # kubectl create -f webui-ing.yaml
    # kubectl create -f redis-ing.yaml
    # kubectl get ingress
    # kubectl get ingress -n kube-system
IV. Verification
1. By accessing the NodePort port corresponding to the Traefik service, 4 ingress configurations are loaded into the
2. Modify the hosts file on the test machine so that the 4 domain names resolve to the two nodes
3. Browser access test
The reason for the 500 error here is that the backend kubernetes-dashboard is configured with the HTTPS protocol.
You can see the statistics of the HTTP status code on the health page
Kubernetes 1.9 Cluster using Traefik Publishing Service