The requirement is to run a Node.js service: first publish it as a Deployment, then create a Service so that it (an old-newspaper archive) can be reached from outside the cluster. This looks like a scenario that calls for a reverse proxy.
Deploying Traefik as the reverse proxy is a common choice. Traefik supports routing-rule configuration in a Kubernetes environment and manages external access to internal services well. The concrete steps follow.
Docker version 19.03.5, Kubernetes version 1.17.2.
Traefik was chosen as the reverse proxy mainly because it supports Kubernetes CRDs (Custom Resource Definitions), which make routing rules and middlewares easy to configure. The latest Traefik release, 2.1, added canary releases and traffic mirroring, which suits containerized and microservice architectures. Detailed configuration and deployment steps follow.
From Traefik 2.1 onward, defining routing rules with CRDs is recommended. A commonly used CRD definition:

```yaml
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
```
Traefik needs permissions to read Kubernetes resources. A commonly used RBAC configuration, starting with the ServiceAccount:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
```
Attach a ClusterRole and a ClusterRoleBinding. The ClusterRole (read-only verbs only, which is all Traefik needs):

```yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups: [""]
    resources: ["services", "endpoints", "secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["middlewares", "ingressroutes", "ingressroutetcps", "tlsoptions", "traefikservices"]
    verbs: ["get", "list", "watch"]
```
When deploying the Traefik service, a DaemonSet is recommended so that Traefik is always running. The example configuration starts with the Service that exposes it:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: traefik
  namespace: kube-system
spec:
  type: NodePort
  ports:
    - name: web
      port: 80
    - name: websecure
      port: 443
    - name: admin
      port: 8080
    - name: redis
      port: 6379
  selector:
    app: traefik
```
A commonly used Traefik Ingress Controller configuration, the DaemonSet itself:

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    app: traefik
spec:
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 1
      containers:
        - image: traefik:v2.1.2
          name: traefik-ingress-lb
          ports:
            - name: web
              containerPort: 80
              hostPort: 80
            - name: websecure
              containerPort: 443
              hostPort: 443
            - name: redis
              containerPort: 6379
              hostPort: 6379
            - name: admin
              containerPort: 8080
          args:
            - --configfile=/config/traefik.yaml
          volumeMounts:
            - mountPath: "/config"
              name: config
          securityContext:
            capabilities:
              drop: ["ALL"]
              add: ["NET_BIND_SERVICE"]
      # The volume backing the "config" mount is not shown in this post; the
      # ConfigMap name below is an assumption, it must hold traefik.yaml.
      volumes:
        - name: config
          configMap:
            name: traefik-config
```
To let external clients reach services inside Kubernetes, configure Traefik routing rules. A commonly used example, which routes a hostname on the plain-HTTP `web` entrypoint to the Traefik admin port (dashboard):

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-route
  namespace: kube-system
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`traefik.linux.com`)
      kind: Rule
      services:
        - name: traefik
          port: 8080
```
The requirement is to proxy a Deployment pod listening on port 3009. A commonly used approach follows.
Taking Prometheus as the example, here is a Prometheus deployment configuration (its ConfigMap, which also scrapes the Traefik admin endpoint):

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: prometheus-config
  namespace: assembly
data:
  prometheus.yml: |
    global:
      scrape_interval: 15s
      scrape_timeout: 15s
    alerting:
      alertmanagers:
        - static_configs:
            - targets: ["alertmanager-svc:9093"]
    rule_files:
      - /etc/prometheus/rules.yaml
    scrape_configs:
      - job_name: 'prometheus'
        static_configs:
          - targets: ['localhost:9090']
      - job_name: 'traefik'
        static_configs:
          - targets: ['traefik.kube-system.svc.cluster.local:8080']
      - job_name: "kubernetes-nodes"
        kubernetes_sd_configs:
          - role: node
        relabel_configs:
          - source_labels: [__address__]
            regex: '(.*):10250'
            replacement: '${1}:9100'
            target_label: __address__
            action: replace
          - action: labelmap
            regex: __meta_kubernetes_node_label_(.+)
  rules.yaml: |
    groups:
      - name: test-rule
        rules:
          - alert: NodeMemoryUsage
            expr: (sum(node_memory_MemTotal_bytes) - sum(node_memory_MemFree_bytes + node_memory_Buffers_bytes + node_memory_Cached_bytes)) / sum(node_memory_MemTotal_bytes) * 100 > 5
            for: 2m
            labels:
              team: node
            annotations:
              summary: "{{$labels.instance}}: High Memory usage detected"
              description: "{{$labels.instance}}: Memory usage is above 80% (current value is: {{ $value }})"
```

To verify that Traefik is proxying the internal service, open the external domain name and check the Traefik dashboard and whether the internal service can be reached.
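The post states the actual goal (fronting a Deployment that listens on port 3009) but never shows the route for it. The manifests below are an added example, not from the original post: a ClusterIP Service plus an IngressRoute that sends one hostname on the `web` entrypoint to that Service. The namespace `assembly`, the label `app: nodeapp`, the object names and the hostname `nodeapp.linux.com` are assumptions.

```yaml
# Added example (not from the original post). Assumed: the Node.js Deployment's
# pods carry the label app: nodeapp, live in namespace "assembly", listen on 3009.
apiVersion: v1
kind: Service
metadata:
  name: nodeapp
  namespace: assembly
spec:
  type: ClusterIP            # no NodePort: only Traefik needs to reach the pods
  selector:
    app: nodeapp
  ports:
    - name: http
      port: 3009
      targetPort: 3009
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nodeapp-route
  namespace: assembly        # same namespace as the Service, so no cross-namespace reference
spec:
  entryPoints:
    - web                    # plain HTTP; move to websecure once TLS is configured
  routes:
    - match: Host(`nodeapp.linux.com`)   # assumed hostname, must resolve to a Traefik node
      kind: Rule
      services:
        - name: nodeapp
          port: 3009
```

After `kubectl apply -f` on both objects, `curl -H 'Host: nodeapp.linux.com' http://<node-ip>/` against any node running the DaemonSet should return the Node.js service's response, and the route appears in the dashboard.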
Reposted from: http://uxgbz.baihongyu.com/