Kubernetes 1.18 部署 Traefik2.0

Kubernetes 1.18部署 Traefik2.0

参考资料：

Traefik 2.0 官方文档：https://doc.traefik.io/traefik/v2.0/
Kubernetes 1.18.3 部署 Traefik2.0：https://www.cnblogs.com/heian99/p/14608414.html

1. Traefik 介绍

traefik 是一款反向代理、负载均衡服务，使用 golang 实现的。和 nginx 最大的不同是，它支持自动化更新反向代理和负载均衡配置。在微服务架构越来越流行的今天，一个业务恨不得有好几个数据库、后台服务和 webapp，开发团队拥有一款 “智能” 的反向代理服务，为他们简化服务配置。traefik 就是为了解决这个问题而诞生的。

2.部署 Traefik 2.0

我的K8S环境信息如下：

[root@k8s-master ~]# kubectl get node -o wide
NAME         STATUS   ROLES    AGE     VERSION   INTERNAL-IP    EXTERNAL-IP   OS-IMAGE                KERNEL-VERSION                CONTAINER-RUNTIME
k8s-master   Ready    master   5d21h   v1.18.0   192.168.0.51   <none>        CentOS Linux 7 (Core)   3.10.0-1160.71.1.el7.x86_64   docker://20.10.6
k8s-node1    Ready    <none>   5d21h   v1.18.0   192.168.0.52   <none>        CentOS Linux 7 (Core)   3.10.0-1160.71.1.el7.x86_64   docker://20.10.6
k8s-node2    Ready    <none>   5d21h   v1.18.0   192.168.0.53   <none>        CentOS Linux 7 (Core)   3.10.0-1160.71.1.el7.x86_64   docker://20.10.6

2.1 创建命名空间

kubectl create ns ingress-traefik

2.2 创建CRD资源

Traefik 2.0版本后开始使用CRD来对资源进行管理配置，所以我们需要先创建CRD资源。

traefik-crd.yaml:

## IngressRoute
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:name: ingressroutes.traefik.containo.us
spec:scope: Namespacedgroup: traefik.containo.usversion: v1alpha1names:kind: IngressRouteplural: ingressroutessingular: ingressroute
---
## IngressRouteTCP
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:name: ingressroutetcps.traefik.containo.us
spec:scope: Namespacedgroup: traefik.containo.usversion: v1alpha1names:kind: IngressRouteTCPplural: ingressroutetcpssingular: ingressroutetcp
---
## Middleware
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:name: middlewares.traefik.containo.us
spec:scope: Namespacedgroup: traefik.containo.usversion: v1alpha1names:kind: Middlewareplural: middlewaressingular: middleware
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:name: tlsoptions.traefik.containo.us
spec:scope: Namespacedgroup: traefik.containo.usversion: v1alpha1names:kind: TLSOptionplural: tlsoptionssingular: tlsoption
---
## TraefikService
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:name: traefikservices.traefik.containo.us
spec:scope: Namespacedgroup: traefik.containo.usversion: v1alpha1names:kind: TraefikServiceplural: traefikservicessingular: traefikservice---
## TraefikTLSStore
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:name: tlsstores.traefik.containo.us
spec:scope: Namespacedgroup: traefik.containo.usversion: v1alpha1names:kind: TLSStoreplural: tlsstoressingular: tlsstore---
## IngressRouteUDP
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:name: ingressrouteudps.traefik.containo.us 
spec:scope: Namespacedgroup: traefik.containo.usversion: v1alpha1names:kind: IngressRouteUDPplural: ingressrouteudpssingular: ingressrouteudp

部署 CRD 资源:

kubectl apply -f traefik-crd.yaml

2.3 创建 RBAC 权限

Kubernetes 在 1.6 以后的版本中引入了基于角色的访问控制（RBAC）策略，方便对 Kubernetes 资源和 API 进行细粒度控制。Traefik 需要一定的权限，所以这里提前创建好 Traefik ServiceAccount 并分配一定的权限。

traefik-rbac.yaml：

apiVersion: v1
kind: ServiceAccount
metadata:namespace: ingress-traefik name: traefik-ingress-controller
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:name: traefik-ingress-controller
rules:- apiGroups: [""]resources: ["services","endpoints","secrets"]verbs: ["get","list","watch"]- apiGroups: ["extensions"]resources: ["ingresses"]verbs: ["get","list","watch"]- apiGroups: ["extensions"]resources: ["ingresses/status"]verbs: ["update"]- apiGroups: ["traefik.containo.us"]resources: ["middlewares"]verbs: ["get","list","watch"]- apiGroups: ["traefik.containo.us"]resources: ["ingressroutes","traefikservices"]verbs: ["get","list","watch"]- apiGroups: ["traefik.containo.us"]resources: ["ingressroutetcps","ingressrouteudps"]verbs: ["get","list","watch"]- apiGroups: ["traefik.containo.us"]resources: ["tlsoptions","tlsstores"]verbs: ["get","list","watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:name: traefik-ingress-controller
roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: traefik-ingress-controller
subjects:- kind: ServiceAccountname: traefik-ingress-controllernamespace: ingress-traefik

部署 Traefik RBAC 资源:

kubectl apply -f traefik-rbac.yaml

2.4 创建 Traefik 配置文件

由于 Traefik 配置很多，使用 CLI 定义操作过于繁琐，尽量使用将其配置选项放到配置文件中，然后存入 ConfigMap，将其挂入 traefik 中。

traefik-config.yaml:

kind: ConfigMap
apiVersion: v1
metadata:name: traefik-confignamespace: ingress-traefik
data:traefik.yaml: |-serversTransport:insecureSkipVerify: trueapi:insecure: truedashboard: truedebug: truemetrics:prometheus: ""entryPoints:web:address: ":80"websecure:address: ":443"providers:kubernetesCRD: ""kubernetesingress: ""log:filePath: ""level: errorformat: jsonaccessLog:filePath: ""format: jsonbufferingSize: 0filters:retryAttempts: trueminDuration: 20fields:defaultMode: keepnames:ClientUsername: dropheaders:defaultMode: keepnames:User-Agent: redactAuthorization: dropContent-Type: keep

部署 Traefik ConfigMap 资源:

kubectl apply -f traefik-config.yaml -n ingress-traefik

2.5 设置Label标签

由于使用的Kubernetes DeamonSet方式部署Traefik，所以需要提前给节点设置Label，当程序部署Pod会自动调度到设置 Label的node节点上。

节点设置 Label 标签:

kubectl label nodes k8s-node1 IngressProxy=true

验证是否成功

[root@k8s-master Traefik2.0]# kubectl get node --show-labels
NAME         STATUS   ROLES    AGE     VERSION   LABELS
k8s-master   Ready    master   2d20h   v1.18.0   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=k8s-master,kubernetes.io/os=linux,node-role.kubernetes.io/master=
k8s-node1    Ready    <none>   2d20h   v1.18.0   IngressProxy=true,beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=k8s-node1,kubernetes.io/os=linux
k8s-node2    Ready    <none>   2d20h   v1.18.0   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=k8s-node2,kubernetes.io/os=linux

2.6 Kubernetes 部署 Traefik

使用DaemonSet类型部署，以便于在多服务器间扩展，使用 hostport 方式占用服务器 80、443 端口，方便流量进入。

traefik-deploy.yaml:

apiVersion: v1
kind: Service
metadata:name: traefiknamespace: ingress-traefik
spec:ports:- name: webport: 80- name: websecureport: 443- name: adminport: 8080selector:app: traefik
---
apiVersion: apps/v1
kind: DaemonSet
metadata:name: traefik-ingress-controllernamespace: ingress-traefiklabels:app: traefik
spec:selector:matchLabels:app: traefiktemplate:metadata:name: traefiklabels:app: traefikspec:serviceAccountName: traefik-ingress-controllerterminationGracePeriodSeconds: 1containers:- image: traefik:2.2.0name: traefik-ingress-lbports:- name: webcontainerPort: 80hostPort: 80           #hostPort方式，将端口暴露到集群节点- name: websecurecontainerPort: 443hostPort: 443          #hostPort方式，将端口暴露到集群节点- name: admincontainerPort: 8080resources:limits:cpu: 2000mmemory: 1024Mirequests:cpu: 1000mmemory: 1024MisecurityContext:capabilities:drop:- ALLadd:- NET_BIND_SERVICEargs:- --configfile=/config/traefik.yamlvolumeMounts:- mountPath: "/config"name: "config"volumes:- name: configconfigMap:name: traefik-configtolerations:              #设置容忍所有污点，防止节点被设置污点- operator: "Exists"nodeSelector:             #设置node筛选器，在特定label的节点上启动IngressProxy: "true"

部署 Traefik:

kubectl apply -f traefik-deploy.yaml

3.Traefik 路由规则基础配置

配置 HTTP 路由规则（Traefik Dashboard 为例）

Traefik 应用已经部署完成，但是想让外部访问 Kubernetes 内部服务，还需要配置路由规则，这里开启了 Traefik Dashboard 配置，所以首先配置 Traefik Dashboard 看板的路由规则，使外部能够访问 Traefik Dashboard。

traefik-dashboard-route.yaml:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:name: traefik-dashboard-routenamespace: ingress-traefik
spec:entryPoints:- webroutes:- match: Host(`traefik.test.com`)kind: Ruleservices:- name: traefikport: 8080

部署Traefik Dashboard 路由规则对象:

kubectl apply -f traefik-dashboard-route.yaml

查看路由规则：

[root@k8s-master ~]# kubectl get IngressRoute -n ingress-traefik
NAME                      AGE
traefik-dashboard-route   2d20h

在客户端或者dns设置域名解析，ip为traefik-ingress-controller容器所在的节点IP：

192.168.0.52 traefik.example.cn

浏览器访问http://traefik.example.cn/ 打开Traefik Dashboard：

在这里插入图片描述

说明：

traefik-ingress-controller使用hostport方式创建，可以使用iptables查看转发规则，netstat无法查询到监听80端口：

[root@k8s-node1 ~]# iptables -S -t nat | grep :80
-A CNI-DN-f9438f6c8e00bbdb80acd -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.244.1.65:80
-A KUBE-SEP-JUKVSVUESZJEP7XL -p tcp -m comment --comment "ingress-traefik/traefik:admin" -m tcp -j DNAT --to-destination 10.244.1.65:8080
-A KUBE-SEP-L5OLP67V7NUHNITG -p tcp -m comment --comment "ingress-traefik/traefik:web" -m tcp -j DNAT --to-destination 10.244.1.65:80

4. 配置 HTTPS 路由规则

使用Kubernetes 的 Dashboard测试，基于 https 协议方式访问，配置 https 的路由规则并指定证书。

关于dashboard部署方法，可以参考我的另外一篇文章《kubernetes部署dashboard》，部署后的资源信息如下：

[root@k8s-master ~]# kubectl get all -n kubernetes-dashboard
NAME                                             READY   STATUS    RESTARTS   AGE
pod/dashboard-metrics-scraper-7b59f7d4df-fw8zm   1/1     Running   4          3h26m
pod/kubernetes-dashboard-74d688b6bc-2jp9p        1/1     Running   12         3h26mNAME                                TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
service/dashboard-metrics-scraper   ClusterIP   10.96.236.156   <none>        8000/TCP        3h26m
service/kubernetes-dashboard        NodePort    10.110.146.86   <none>        443:30372/TCP   3h26mNAME                                        READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/dashboard-metrics-scraper   1/1     1            1           3h26m
deployment.apps/kubernetes-dashboard        1/1     1            1           3h26mNAME                                                   DESIRED   CURRENT   READY   AGE
replicaset.apps/dashboard-metrics-scraper-7b59f7d4df   1         1         1       3h26m
replicaset.apps/kubernetes-dashboard-74d688b6bc        1         1         1       3h26m

测试域名：kubernetes-dashboard.test.com

说明

客户端hosts文件解析如下，域名指向ingress-traefik-controller所在的节点ip：
192.168.0.52 traefik.test.com
192.168.0.52 kubernetes-dashboard.test.com

创建证书文件：

# 创建自签名证书
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=kubernetes-dashboard.test.com"# 将证书存储到Kubernetes Secret中，新建的k8dash-sa-tls必须与k8dash-route中的tls: secretName一致。
kubectl create secret tls k8dash-sa-tls --key=tls.key --cert=tls.crt -n kubernetes-dashboard

创建规则文件k8s-dashboard-route.yaml，内容如下：

[root@k8s-master Traefik2.0]# cat k8s-dashboard-route.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:name: k8dash-sa-routenamespace: kubernetes-dashboard
spec:entryPoints:- websecuretls:secretName: k8dash-sa-tlsroutes:- match: Host(`kubernetes-dashboard.test.com`)kind: Ruleservices:- name: kubernetes-dashboardport: 443

其中name和port根据部署的kubernetes-dashboard进行查询:

[root@k8s-master Traefik2.0]# kubectl get svc -n kubernetes-dashboard
NAME                        TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
dashboard-metrics-scraper   ClusterIP   10.96.236.156   <none>        8000/TCP        3h24m
kubernetes-dashboard        NodePort    10.110.146.86   <none>        443:30372/TCP   3h24m