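1. The first is service, which implements layer-4 TCP load balancing.
service mainly handles communication inside the cluster, as well as layer-4 traffic between the inside and the outside (by port, for example).
2. The other is ingress, which implements layer-7 HTTP load balancing.
ingress mainly handles layer-7 traffic between the inside and the outside (by URL, for example).
An ingress is only a collection of routing rules; it needs an ingress controller to take effect.
The ingress controller is not managed by controller-manager; it runs directly on the k8s cluster as an add-on.
The ingress controller itself also runs as a pod, on the same network as the pods it proxies.
Unlike service, to use ingress you must first create the ingress-controller pod and a svc based on that pod.
For small deployments NodePort may be enough, but as the number of applications grows, managing NodePorts becomes very cumbersome. At that point ingress is very convenient, because it avoids managing a large number of ports.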

Ingress types
1. Single-service resource
2. Forwarding based on URL path
3. Forwarding based on virtual host
4. TLS
The ingress controller can be implemented by the following reverse proxies:
1、haproxy
2、nginx
3、envoy
4、traefik
5、Vulcand

Creating a traefik-based ingress
1. Create the RBAC authorization

apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system

$ kubectl create -f rbac.yaml
serviceaccount "traefik-ingress-controller" created
clusterrole.rbac.authorization.k8s.io "traefik-ingress-controller" created
clusterrolebinding.rbac.authorization.k8s.io "traefik-ingress-controller" created

2. Create the traefik-based ingress controller pod and its svc
Deploy the controller pod on the master
$ docker pull traefik
$ vim traefik.yaml

kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      tolerations:
      - operator: Exists        # tolerate taints
      nodeSelector:
        kubernetes.io/hostname: master        # deploy on the master
      containers:
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
          hostPort: 80        # external access needs no nodePort; use the domain name directly
        - name: admin
          containerPort: 8080
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
  type: NodePort

Because the traefik container has two ports, 80 and 8080 (the admin port), the corresponding service also needs the two ports 80 and 8080.
$ kubectl apply -f traefik.yaml
deployment.extensions "traefik-ingress-controller" created
service "traefik-ingress-service" created
$ kubectl get svc -n kube-system
traefik-ingress-service NodePort 10.100.222.78 <none> 80:31657/TCP,8080:31572/TCP 79d
Access the traefik admin UI through the svc
http://192.168.1.243:31572/
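
The objects from steps 1 and 2 publish the admin port on a NodePort, bind a host port, tolerate every taint, pull an untagged image and let the controller read secrets cluster-wide. The lint below is an added example, not code from the original page; the dicts transcribe only the audited fields of rbac.yaml and traefik.yaml, and the function name and finding codes are hypothetical.

```python
# Added example: review the page's controller objects for exposure points.
API_PORT = 8080  # the page's admin port, served because of the --api argument

# Transcribed from the page's rbac.yaml and traefik.yaml (audited fields only).
CLUSTER_ROLE = {"rules": [{"apiGroups": [""], "verbs": ["get", "list", "watch"],
                           "resources": ["services", "endpoints", "secrets"]}]}
DEPLOYMENT = {"spec": {"template": {"spec": {
    "tolerations": [{"operator": "Exists"}],
    "containers": [{
        "image": "traefik",
        "ports": [{"name": "http", "containerPort": 80, "hostPort": 80},
                  {"name": "admin", "containerPort": 8080}],
        "args": ["--api", "--kubernetes", "--logLevel=INFO"]}]}}}}
SERVICE = {"spec": {"type": "NodePort", "ports": [
    {"name": "web", "port": 80}, {"name": "admin", "port": 8080}]}}


def audit(role, deployment, service):
    """Return the sorted finding codes (hypothetical names) for one controller."""
    findings = set()
    # A ClusterRole is not namespaced, so this grants secret reads everywhere.
    for rule in role["rules"]:
        if "secrets" in rule["resources"] and {"get", "list"} & set(rule["verbs"]):
            findings.add("CLUSTER_WIDE_SECRET_READ")
    pod = deployment["spec"]["template"]["spec"]
    # "operator: Exists" with no key matches every taint on every node.
    for tol in pod.get("tolerations", []):
        if tol.get("operator") == "Exists" and "key" not in tol:
            findings.add("TOLERATES_EVERY_TAINT")
    api_enabled = False
    for c in pod["containers"]:
        name = c["image"].rsplit("/", 1)[-1]  # drop registry host and its port
        if "@" not in name and (":" not in name or name.endswith(":latest")):
            findings.add("UNPINNED_IMAGE")
        if any("hostPort" in p for p in c.get("ports", [])):
            findings.add("HOST_PORT")
        api_enabled = api_enabled or "--api" in c.get("args", [])
    # The admin UI leaves the cluster when a non-ClusterIP Service carries its port.
    svc = service["spec"]
    published = {p.get("targetPort", p["port"]) for p in svc["ports"]}
    if api_enabled and svc.get("type", "ClusterIP") != "ClusterIP" and API_PORT in published:
        findings.add("DASHBOARD_ON_NODE_ADDRESS")
    return sorted(findings)


if __name__ == "__main__":
    for code in audit(CLUSTER_ROLE, DEPLOYMENT, SERVICE):
        print(code)
```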

3. Create an ingress instance for the ingress controller above and its own svc (8080)

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik.example.com
    http:
      paths:
      - backend:
          serviceName: traefik-ingress-service
          servicePort: 8080

Simulate DNS resolution
$ vim /etc/hosts
192.168.1.243 traefik.example.com
Because the pod has hostPort: 80, the traefik admin UI can be reached through the ingress directly by domain name
https://traefik.example.com
If you have several masters, you can deploy an ingress-controller on each master and put a load balancer such as nginx in front of them, with all the masters as its backends. This gives the ingress-controller high availability and load balancing.

4. Define the ordinary backend application pods and their svc
The svc type is ClusterIP

kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: svc1
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: svc1
    spec:
      containers:
      - name: svc1
        image: cnych/example-web-service
        env:
        - name: APP_SVC
          value: svc1
        ports:
        - containerPort: 8080
          protocol: TCP
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: svc2
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: svc2
    spec:
      containers:
      - name: svc2
        image: cnych/example-web-service
        env:
        - name: APP_SVC
          value: svc2
        ports:
        - containerPort: 8080
          protocol: TCP
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: svc3
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: svc3
    spec:
      containers:
      - name: svc3
        image: cnych/example-web-service
        env:
        - name: APP_SVC
          value: svc3
        ports:
        - containerPort: 8080
          protocol: TCP
---
kind: Service
apiVersion: v1
metadata:
  labels:
    app: svc1
  name: svc1
spec:
  type: ClusterIP
  ports:
  - port: 8080
    name: http
  selector:
    app: svc1
---
kind: Service
apiVersion: v1
metadata:
  labels:
    app: svc2
  name: svc2
spec:
  type: ClusterIP
  ports:
  - port: 8080
    name: http
  selector:
    app: svc2
---
kind: Service
apiVersion: v1
metadata:
  labels:
    app: svc3
  name: svc3
spec:
  type: ClusterIP
  ports:
  - port: 8080
    name: http
  selector:
    app: svc3

$ kubectl create -f backend.yaml
deployment.extensions "svc1" created
deployment.extensions "svc2" created
deployment.extensions "svc3" created
service "svc1" created
service "svc2" created
service "svc3" created

5. Define an ingress policy for the application pods above and their svc
The backends of the ingress policy are the svc of the application pods

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: example-web-app
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: www.example.com
    http:
      paths:
      - path: /s1
        backend:
          serviceName: svc1
          servicePort: 8080
      - path: /s2
        backend:
          serviceName: svc2
          servicePort: 8080
      - path: /
        backend:
          serviceName: svc3
          servicePort: 8080

$ kubectl create -f example-ingress.yaml
ingress.extensions "example-web-app" created
$ kubectl get ingress
$ kubectl describe ingress example-web-app
Simulate DNS
$ vim /etc/hosts
192.168.1.243 www.example.com
http://www.example.com (reaches svc3)
http://www.example.com/s1 (reaches svc1)
http://www.example.com/s2 (reaches svc2)

6. Make the traefik ingress support TLS
TLS support requires three things
(1) Generate the CA certificate
$ mkdir /ssl
$ cd /ssl
$ openssl req -newkey rsa:2048 -nodes -keyout tls.key -x509 -days 365 -out tls.crt
$ ls
tls.crt tls.key
Then create a secret to store the certificate
$ kubectl create secret generic traefik-cert --from-file=tls.crt --from-file=tls.key -n kube-system
$ kubectl get secret -n kube-system |grep traefik
(2) Add the default configuration file traefik.toml
This file sits in the same directory as the traefik pod file
$ vim traefik.toml

defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/tls.crt"
      KeyFile = "/ssl/tls.key"

Create a configmap to store this configuration file
$ kubectl create configmap traefik-conf --from-file=traefik.toml -n kube-system
$ kubectl get configmap -n kube-system |grep traefik
(3) Modify the traefik pod yaml file from step 2
$ vim traefik.yaml

kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      volumes:
      - name: ssl
        secret:
          secretName: traefik-cert
      - name: config
        configMap:
          name: traefik-conf
      tolerations:
      - operator: Exists
      nodeSelector:
        kubernetes.io/hostname: master
      containers:
      - image: traefik
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: /ssl
          name: ssl
        - mountPath: /config
          name: config
        ports:
        - name: http
          containerPort: 80
          hostPort: 80
        - name: https
          containerPort: 443
          hostPort: 443
        - name: admin
          containerPort: 8080
        args:
        - --configfile=/config/traefik.toml
        - --api
        - --kubernetes
        - --logLevel=INFO

$ kubectl apply -f traefik.yaml
$ kubectl logs -f traefik-ingress-controller-7dcfd9c6df-v58k7 -n kube-system
time="2018-08-26T11:26:44Z" level=info msg="Server configuration reloaded on :80"
time="2018-08-26T11:26:44Z" level=info msg="Server configuration reloaded on :443"
time="2018-08-26T11:26:44Z" level=info msg="Server configuration reloaded on :8080"
