Publishing services with traefik on a Kubernetes 1.9 cluster
An earlier article described how to publish services with traefik in a kubernetes 1.5.2 cluster, where traefik was deployed as a daemonset, connected to the api-server over plain http, and rbac was not configured. This article describes how to deploy traefik on k8s 1.9 as a deployment, in a cluster with rbac enabled, and use it to publish services.
Before starting, you need to know what RBAC is. RBAC uses the rbac.authorization.k8s.io API group to implement permission control, and it lets administrators configure permission policies dynamically through the Kubernetes API. In Kubernetes 1.6 RBAC is still in beta. To enable the RBAC authorization mode, specify the --authorization-mode=RBAC option on the apiserver component.
There are four important concepts in RBAC APIs:
Role: a set of permissions. For example, a Role can contain the permission to get pods and to list pods.
ClusterRole: like a Role, but usable anywhere in the cluster (a Role is namespace-scoped).
RoleBinding: binds a Role to users so that those users inherit the Role's permissions within a namespace.
ClusterRoleBinding: lets users inherit the permissions of a ClusterRole across the entire cluster.
In short, RBAC implements authorization for the api-server in a k8s cluster. For more on RBAC, refer to the official documentation: https://kubernetes.io/docs/admin/authorization/rbac/
1. Label the nodes in the cluster
Because the Deployment type is used, you need to label the cluster nodes and then use a nodeSelector of traefik=proxy. When the replica count equals the number of cluster nodes, one pod runs on every node.
# kubectl get nodes --show-labels
# kubectl label node vm1 traefik=proxy
# kubectl label node vm2 traefik=proxy
# kubectl get nodes --show-labels
2. Prepare the yaml File
1. rbac file
# cat traefik-rbac.yaml
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system
In an environment where rbac is enabled, if the authorization is not configured explicitly, the traefik pod reports errors like the following:
E0226 00:15:27.729832 1 reflector.go:199] Failed to list *v1.Service: services is forbidden: User "system:serviceaccount:kube-system:default" cannot list services at the cluster scope
E0226 00:15:29.013298 1 reflector.go:199] Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:kube-system:default" cannot list endpoints at the cluster scope
E0226 00:15:29.213354 1 reflector.go:199] Failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:kube-system:default" cannot list secrets at the cluster scope
E0226 00:15:29.698574 1 reflector.go:199] Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User "system:serviceaccount:kube-system:default" cannot list ingresses.extensions at the cluster scope
E0226 00:15:30.411837 1 reflector.go:199] Failed to list *v1.Service: services is forbidden: User "system:serviceaccount:kube-system:default" cannot list services at the cluster scope
E0226 00:15:31.912887 1 reflector.go:199] Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:kube-system:default" cannot list endpoints at the cluster scope
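To see why the default service account is refused while the account bound above is allowed, here is an added example (not from the article or the traefik project) that evaluates requests against the ClusterRole and ClusterRoleBinding from traefik-rbac.yaml, transcribed into Python, and reproduces the api-server's decision text; it also checks that the role stays read-only.

```python
# Added example: a minimal RBAC evaluator for the objects in traefik-rbac.yaml.
from typing import Dict, List

# The ClusterRole rules from traefik-rbac.yaml, transcribed into Python.
TRAEFIK_RULES: List[Dict[str, List[str]]] = [
    {"apiGroups": [""], "resources": ["services", "endpoints", "secrets"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions"], "resources": ["ingresses"],
     "verbs": ["get", "list", "watch"]},
]
CLUSTER_ROLES = {"traefik-ingress-controller": TRAEFIK_RULES}

# The ClusterRoleBinding: subject (spelled as the api-server logs it) -> roles.
BINDINGS: Dict[str, List[str]] = {
    "system:serviceaccount:kube-system:traefik-ingress-controller":
        ["traefik-ingress-controller"],
}

def _matches(rule, group, resource, verb):
    # A "*" entry matches anything; the core API group is spelled "".
    def ok(field, value):
        return "*" in rule[field] or value in rule[field]
    return ok("apiGroups", group) and ok("resources", resource) and ok("verbs", verb)

def can(user, verb, resource, group="") -> bool:
    """True if any ClusterRole bound to user grants verb on group/resource."""
    for role in BINDINGS.get(user, []):
        if any(_matches(r, group, resource, verb) for r in CLUSTER_ROLES[role]):
            return True
    return False

def explain(user, verb, resource, group=""):
    """Decision string in the same shape as the api-server error above."""
    name = f"{resource}.{group}" if group else resource
    if can(user, verb, resource, group):
        return f'User "{user}" can {verb} {name} at the cluster scope'
    return f'{name} is forbidden: User "{user}" cannot {verb} {name} at the cluster scope'

def excess_verbs(rules, allowed=("get", "list", "watch")):
    """Least-privilege check: any verb beyond read-only in the role's rules."""
    return sorted({v for r in rules for v in r["verbs"] if v not in allowed})

if __name__ == "__main__":
    default_sa = "system:serviceaccount:kube-system:default"
    traefik_sa = "system:serviceaccount:kube-system:traefik-ingress-controller"
    print(explain(default_sa, "list", "services"))          # the error in the log
    print(explain(traefik_sa, "list", "ingresses", "extensions"))
    print(explain(traefik_sa, "create", "secrets"))          # read-only role: forbidden
    print("non-read-only verbs:", excess_verbs(TRAEFIK_RULES))
```

Note that the role still grants cluster-wide read of secrets (traefik needs it for TLS certificates), which is worth keeping in mind when reviewing what the controller's service account can reach.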
2. deployment file of traefik
# cat traefik-deployment.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 2
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      hostNetwork: true
      nodeSelector:
        traefik: proxy
      terminationGracePeriodSeconds: 60
      containers:
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: web
          containerPort: 80
          hostPort: 80
        - name: admin
          containerPort: 8081
        args:
        - --web
        - --web.address=:8081
        - --kubernetes
3. traefik service file
# cat traefik-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - port: 80
    targetPort: 8081
4. Create the clusterrole, clusterrolebinding, deployment, serviceaccount, and service from the yaml files
# ls
# kubectl create -f traefik-rbac.yaml
# kubectl create -f traefik-deployment.yaml
# kubectl create -f traefik-service.yaml
# kubectl get pod -n kube-system
# kubectl get svc -n kube-system
# kubectl get svc
The default namespace in the cluster contains a frontend service; the kube-system namespace contains three services: nginx-test, traefik-web-ui, and kubernetes-dashboard. Four ingresses will be created below.
The web UI shows one pod running on each of the two nodes.
3. Create the ingress instances from the yaml files
# cat ui.yaml
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - port: 80
    targetPort: 8081
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik-ui
    http:
      paths:
      - backend:
          serviceName: traefik-web-ui
          servicePort: 80
# cat webui-ing.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-ingress
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: k8s.webui
    http:
      paths:
      - backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
# cat redis-ing.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: k8s.frontend
    http:
      paths:
      - backend:
          serviceName: frontend
          servicePort: 80
# cat nginx-ing.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-nginx-ingress
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: test.fjhb.cn
    http:
      paths:
      - backend:
          serviceName: nginx-test
          servicePort: 80
# kubectl create -f ui.yaml
# kubectl create -f webui-ing.yaml
# kubectl create -f redis-ing.yaml
# kubectl get ingress
# kubectl get ingress -n kube-system
III. Verification
1. Access the nodeport corresponding to the traefik service and confirm that the four ingress configurations have been loaded.
2. Modify the hosts file of the test machine so that the four domain names resolve to the two nodes.
3. Browser access test
The cause of the 500 error is that the backend kubernetes-dashboard is configured with the https protocol.
HTTP status code statistics can be viewed on the health page.
Permanent link for this article: https://www.bkjia.com/Linux/2018-03/151337.htm