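What is Ingress
Simply put, Ingress is the entry point for accessing a Kubernetes cluster from outside. It is an API object that exposes services inside Kubernetes over HTTP and forwards users' URL requests to different Services. Ingress plays the role of a load-balancing reverse proxy such as Nginx or Apache, and it also includes rule definitions, that is, URL routing information. Refreshing that routing information is handled by the Ingress Controller.
Understanding the Ingress Controller
An Ingress Controller can essentially be understood as a watcher. By continuously talking to the Kubernetes API, it senses changes to backend Services, Pods and so on in real time, such as Pods being added or removed and Services being added or removed. Once it has this change information, the Ingress Controller combines it with the Ingress described below to generate configuration, then updates the reverse-proxy load balancer and reloads its configuration, which achieves service discovery.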
Nginx In Kubernetes
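Nginx is used as the front-end load balancer. The ingress controller continuously interacts with the Kubernetes API to pick up changes to backend Services, Pods and so on in real time, then dynamically updates the nginx configuration and reloads it so that the configuration takes effect, achieving service discovery.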
Traefik In Kubernetes
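Traefik is an open-source reverse proxy and load-balancing tool. Its biggest advantage is that it integrates directly with common microservice systems and can be configured automatically and dynamically. It currently supports backends such as Docker, Swarm, Mesos/Marathon, Mesos, Kubernetes, Consul, Etcd, Zookeeper, BoltDB, Rest API, and others.
Nginx-ingress vs. Traefik-ingress
Ingress type | Nginx Ingress | Traefik Ingress |
Protocols | http https http2 grpc tcp udp | http https http2 grpc tcp+tls |
Route matching | host, path | host, path, headers, query, path prefix, method |
Namespace support | - | Shared or specified namespaces |
Deployment strategies | - | Canary, blue-green, and gray-release deployments |
Upstream probing | Retry, timeout, heartbeat checks | Retry, timeout, heartbeat checks, circuit breaking |
Load-balancing algorithms | RR, session persistence, least connections, least time, consistent hash | WRR, dynamic RR, session persistence |
Advantages | Simple to use, easy to integrate | Written in Golang, easy to deploy, supports many backends, built-in WebUI |
Disadvantages | Does not solve the nginx reload problem; many plugins, but poor extensibility | No notable drawbacks; newer versions support UDP |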
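Installing Ingress for Traefik
Traefik uses the Kubernetes API to discover running services, and to do so it needs some permissions. This permission mechanism is based on roles defined by the cluster administrator. The role is then bound to the account used by the application, in this case Traefik Proxy.
Create a ClusterRole resource that enumerates the resources and verbs available to the role.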
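kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-role
rules:
  # Core API group: read-only access, in every namespace, to Services,
  # Endpoints and Secrets (Secrets hold the TLS certificates referenced by Ingresses).
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  # Read-only access to Ingress and IngressClass objects.
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  # Write access limited to the status subresource of Ingresses.
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update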
Create a dedicated service account for Traefik
apiVersion: v1
kind: Namespace
metadata:
  name: traefik
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-account
  namespace: traefik
Bind the account created above to the ClusterRole, granting the permissions to the traefik-account account
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-role
subjects:
  - kind: ServiceAccount
    name: traefik-account
    namespace: traefik
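
The ClusterRole above lets traefik-account read Secrets in every namespace. The manifest below is an added example, not part of the original post: it scopes the same permissions to the namespaces that actually hold Ingresses. It assumes Traefik is started with the extra argument --providers.kubernetesingress.namespaces=app,traefik, and the role and binding names are hypothetical.

```yaml
# Added example: namespace-scoped alternative to the cluster-wide traefik-role.
# Assumes Traefik runs with --providers.kubernetesingress.namespaces=app,traefik
# Role and binding names are hypothetical.
kind: ClusterRole                      # IngressClass objects are cluster-scoped
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingressclass-reader
rules:
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingressclasses"]
    verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingressclass-reader
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: traefik-ingressclass-reader}
subjects: [{kind: ServiceAccount, name: traefik-account, namespace: traefik}]
---
# Repeat this Role and RoleBinding in each watched namespace (app and traefik).
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-reader
  namespace: app
rules:
  - apiGroups: [""]
    resources: ["services", "endpoints", "secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["update"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-reader
  namespace: app
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: traefik-ingress-reader}
subjects: [{kind: ServiceAccount, name: traefik-account, namespace: traefik}]
```

With these bindings in place of traefik-role-binding, `kubectl auth can-i list secrets -n kube-system --as=system:serviceaccount:traefik:traefik-account` should answer no, while the same check with `-n app` answers yes.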
Deploy the Traefik Deployment
Note: I have already uploaded the Traefik image to my Harbor registry
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik-deployment
  namespace: traefik
  labels:
    app: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      # Run under the dedicated account bound to traefik-role
      serviceAccountName: traefik-account
      containers:
        - name: traefik
          image: 192.168.56.102:80/traefik/traefik:v2.9
          args:
            # Serves the API and dashboard on port 8080 without authentication
            - --api.insecure
            # Enables the Kubernetes Ingress provider
            - --providers.kubernetesingress
          ports:
            - name: web
              containerPort: 80
            - name: dashboard
              containerPort: 8080
# Create the Deployment
[root@master traefik]# kubectl apply -f deployment.yaml
deployment.apps/traefik-deployment created
[root@master traefik]# kubectl get pod -n traefik -o wide
NAME                                 READY   STATUS    RESTARTS   AGE   IP             NODE     NOMINATED NODE   READINESS GATES
traefik-deployment-7fb97bcc5-k86gb   1/1     Running   0          25s   10.244.0.121   master   <none>           <none>
Configure a Service for Traefik
apiVersion: v1
kind: Service
metadata:
  name: traefik-dashboard-service
  namespace: traefik
spec:
  type: NodePort
  ports:
    - port: 8080
      targetPort: dashboard
      name: admin
      protocol: TCP
    - port: 80
      targetPort: web
      nodePort: 30000
      name: web
      protocol: TCP
  selector:
    app: traefik
View the Service
[root@master traefik]# kubectl get svc -n traefik
NAME                        TYPE       CLUSTER-IP   EXTERNAL-IP   PORT(S)                       AGE
traefik-dashboard-service   NodePort   10.0.0.223   <none>        8080:44794/TCP,80:30000/TCP   163m
Visit http://master:44794
Configure an Ingress to access the Tomcat service
# Prerequisite: a Tomcat service must already exist
[root@master traefik]# kubectl get svc -n app
NAME              TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)    AGE
tomcat-nodeport   ClusterIP   10.0.0.193   <none>        8005/TCP   7d19h
[root@master traefik]# kubectl describe svc tomcat-nodeport -n app
Name:              tomcat-nodeport
Namespace:         app
Labels:            app=tomcat-service
Annotations:       <none>
Selector:          app=tomcat-app
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                10.0.0.193
IPs:               10.0.0.193
Port:              manager  8005/TCP
TargetPort:        8005/TCP
Endpoints:         10.244.0.119:8005
Session Affinity:  None
Events:            <none>
[root@master traefik]# curl 10.0.0.193:8005/test/
hello,world!
# I configured this as ClusterIP here, so it cannot be reached from outside the cluster
Next, I access the Tomcat service through Traefik
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: traefik-tomcat-ingress
  namespace: app
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
    - host: tomcat.aaabbb.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: tomcat-nodeport
                port:
                  name: manager
# Apply this configuration
[root@master traefik]# kubectl apply -f tomcat-ingress.yaml
ingress.networking.k8s.io/traefik-tomcat-ingress created
[root@master traefik]# kubectl get ingress -n app
NAME                     CLASS    HOSTS              ADDRESS   PORTS   AGE
traefik-tomcat-ingress   <none>   tomcat.aaabbb.io             80      6s
[root@master traefik]# kubectl describe ingress traefik-tomcat-ingress -n app
Name:             traefik-tomcat-ingress
Labels:           <none>
Namespace:        app
Address:
Ingress Class:    <none>
Default backend:  <default>
Rules:
  Host              Path  Backends
  ----              ----  --------
  tomcat.aaabbb.io
                    /   tomcat-nodeport:manager (10.244.0.119:8005)
Annotations:        kubernetes.io/ingress.class: traefik
Events:             <none>
OK, as shown above, the Ingress is now configured. On a computer outside the cluster, add the following hosts entry:
192.168.56.101 tomcat.aaabbb.io
Visit http://tomcat.aaabbb.io:30000/test/
It is now reachable. Why does the request go to port 30000?
When installing Traefik, its exposed port was set to 30000; if it were set to 80, there would be no need to type the port.
The Traefik Dashboard above is accessed through a NodePort; let's configure it so that it can be reached by domain name.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: traefik-ingress
  namespace: traefik
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
    - host: traefik.aaabbb.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: traefik-dashboard-service
                port:
                  name: admin
[root@master traefik]# kubectl apply -f traefik-ingress.yaml
ingress.networking.k8s.io/traefik-ingress created
[root@master traefik]# kubectl get ingress -n traefik
NAME              CLASS    HOSTS               ADDRESS   PORTS   AGE
traefik-ingress   <none>   traefik.aaabbb.io             80      18s
[root@master traefik]# kubectl describe -n traefik ingress traefik-ingress
Name:             traefik-ingress
Labels:           <none>
Namespace:        traefik
Address:
Ingress Class:    <none>
Default backend:  <default>
Rules:
  Host               Path  Backends
  ----               ----  --------
  traefik.aaabbb.io
                     /   traefik-dashboard-service:admin (10.244.0.122:8080)
Annotations:         kubernetes.io/ingress.class: traefik
Events:              <none>
The Traefik Dashboard can now be reached at traefik.aaabbb.io:30000
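
Because the Deployment runs with --api.insecure, both the 44794 NodePort and the traefik.aaabbb.io Ingress publish the dashboard and API without authentication to anyone who can reach a node. The manifest below is an added example, not part of the original post: it replaces traefik-dashboard-service with two Services so that only the web entry point is published. The Service names are hypothetical.

```yaml
# Added example: split the combined NodePort Service so the unauthenticated
# dashboard/API port (8080, opened by --api.insecure) never gets a node port.
# Service names are hypothetical.

# Public Service: only the "web" entry point is published on the nodes.
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-service
  namespace: traefik
spec:
  type: NodePort
  selector:
    app: traefik
  ports:
    - name: web
      port: 80
      targetPort: web
      nodePort: 30000
      protocol: TCP
---
# Internal Service: the dashboard port is reachable only from inside the
# cluster network (other pods can still reach it).
apiVersion: v1
kind: Service
metadata:
  name: traefik-dashboard-internal
  namespace: traefik
spec:
  type: ClusterIP
  selector:
    app: traefik
  ports:
    - name: admin
      port: 8080
      targetPort: dashboard
      protocol: TCP
```

An administrator then reaches the dashboard with `kubectl -n traefik port-forward svc/traefik-dashboard-internal 8080:8080` and http://127.0.0.1:8080/dashboard/, which stands in for both the NodePort and the traefik-ingress object.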