Booklet: Kubernetes Collection 6 - Service Discovery

2.2.2.2. Deploying with helm
1. Install helm

The helm installation procedure is described in the official documentation.

2. Install traefik

```
# values.yaml
# Note: helm does not expand dotted keys inside a values file (only in --set),
# so image.tag, ingressRoute.dashboard.enabled and logs.general.level are written
# in nested form here.
image:
  tag: "v2.5.3"
deployment:
  kind: DaemonSet
  additionalVolumes:
  - name: traefik-access-log
    hostPath:
      path: /data/logs/traefik
      type: DirectoryOrCreate
  # init container that fixes the permissions of the log directory
  initContainers:
  - name: volume-permissions
    image: busybox:1.31.1
    command: ["sh", "-c", "chmod -Rv 755 /data/ && chown -R 65532:65532 /data/"]
    volumeMounts:
    - name: traefik-access-log
      mountPath: /data
ingressClass:
  enabled: true
  isDefaultClass: true
  fallbackApiVersion: "v1"
# accessing the dashboard through a domain name is recommended instead
ingressRoute:
  dashboard:
    enabled: false
additionalVolumeMounts:
- name: traefik-access-log
  mountPath: /var/log/traefik
logs:
  general:
    level: WARN
  # access log configuration
  access:
    enabled: true
    # number of buffered lines
    bufferingSize: 100
    # which requests get logged
    # filtering out internal health-check requests is not supported yet, and log
    # customisation is weak; with an LB in front you also need proxy protocol to
    # recover the client IP, which is cumbersome.
    # Under heavy traffic, if an Nginx LB sits in front, you may even consider
    # disabling traefik's access log altogether
    filters:
      statuscodes: "100,300-302,400-404,500-505"   # status code ranges
      retryattempts: true                           # requests that were retried
      minduration: 10ms                             # responses slower than 10ms
globalArguments:
- "--global.checknewversion"
- "--global.sendanonymoususage"
# do not verify the TLS certificate of backend pods when traefik connects to them;
# handy for pods with self-signed certificates
- "--serversTransport.insecureSkipVerify=true"
# path the access log is written to, so filebeat can collect it
# log rotation requires a cronjob that periodically sends USR1 to traefik
- "--accesslog.filepath=/var/log/traefik/access.log"
# timestamps in the access log use the container's time zone
- "--accesslog.fields.names.StartUTC=drop"
env:
# time zone for traefik
- name: TZ
  value: Asia/Shanghai
# for higher performance you could even use the node's network namespace directly
ports:
  traefik:
    port: 9000
    # exposing port 9000 is not recommended in production
    expose: false
    exposedPort: 9000
    protocol: TCP
  web:
    port: 8000
    hostPort: 80
    expose: true
    exposedPort: 80
    protocol: TCP
    # redirectTo: websecure
  websecure:
    port: 8443
    hostPort: 443
    expose: true
    exposedPort: 443
  metrics:
    port: 9100
    expose: false
    exposedPort: 9100
    protocol: TCP
service:
  type: ClusterIP
resources:
  requests:
    cpu: "100m"
    memory: "512Mi"
  limits:
    cpu: "1000m"
    memory: "1024Mi"
# only deploy traefik on the selected nodes
nodeSelector:
  ingressControllerNode: "yes"
  ingressController: "traefik"
```

```
[root@maxiaoke ~]# kubectl get node
NAME          STATUS                     ROLES    AGE   VERSION
10.0.160.10   Ready,SchedulingDisabled   master   12d   v1.20.10
10.0.160.13   Ready                      node     12d   v1.20.10
10.0.160.30   Ready,SchedulingDisabled   master   12d   v1.20.10
10.0.160.32   Ready                      node     12d   v1.20.10
10.0.160.50   Ready,SchedulingDisabled   master   12d   v1.20.10
10.0.160.51   Ready                      node     12d   v1.20.10
# label the nodes that act as IngressController; ingressController=traefik is added
# because several ingress controllers may be deployed later
[root@maxiaoke ~]# kubectl label nodes 10.0.160.10 ingressControllerNode=yes ingressController=traefik
[root@maxiaoke ~]# kubectl label nodes 10.0.160.30 ingressControllerNode=yes ingressController=traefik
[root@maxiaoke ~]# kubectl label nodes 10.0.160.50 ingressControllerNode=yes ingressController=traefik
[root@maxiaoke ~]# kubectl create namespace traefik
[root@maxiaoke ~]# helm repo add traefik https://helm.traefik.io/traefik
[root@maxiaoke ~]# helm repo update
[root@maxiaoke ~]# helm install -n traefik traefik traefik/traefik -f /tmp/values.yaml
[root@maxiaoke ~]# kubectl get pod -n traefik -o wide
NAME            READY   STATUS    RESTARTS   AGE   IP            NODE          NOMINATED NODE   READINESS GATES
traefik-2mdzt   1/1     Running   0          13h   10.200.1.18   10.0.160.10   <none>           <none>
traefik-42k4f   1/1     Running   0          13h   10.200.2.17   10.0.160.50   <none>           <none>
traefik-kg7v6   1/1     Running   0          13h   10.200.0.17   10.0.160.30   <none>           <none>
```

3. Configure the load balancer

Typically the ingress controller listens on ports 80 and 443 of the nodes: 80 handles HTTP traffic and 443 handles HTTPS traffic. For users reaching the cluster's APIs from outside, it is advisable, from a security standpoint, to force HTTPS up to the load balancer. From the load balancer to the backend ingress controller either HTTP or HTTPS can be used; provided that segment is properly secured, HTTP is recommended. For traffic that must stay on HTTPS end to end, configure a higher-priority virtual host on the load balancer that forwards it to the ingress controller's HTTPS port.

```
# /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 65535;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    log_format access '$time_local|$http_x_real_ip|$remote_addr|$http_x_forwarded_for|$upstream_addr|$upstream_connect_time|$upstream_response_time|'
                      '$request_method|$server_protocol|$host|$request_uri|$http_referer|$http_user_agent|$proxy_host|$status';
    access_log /var/log/nginx/http-access.log main;
    error_log /var/log/nginx/http-error.log error;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    include /etc/nginx/conf.d/http/*.conf;
}

stream {
    log_format stream '$time_local|$remote_addr|$protocol|$bytes_sent|$bytes_received|$upstream_addr|$upstream_connect_time|$status';
    access_log /var/log/nginx/stream-access.log stream;
    error_log /var/log/nginx/stream-error.log error;
    include /etc/nginx/conf.d/stream/*.conf;
}
```

```
# default forwarding rules
# /etc/nginx/conf.d/http/default.conf
server {
    listen 0.0.0.0:80 backlog=2048;
    server_name *.huanle.com;
    access_log /var/log/nginx/http-k8s-local-01.log access;
    rewrite (.*) https://$host$1 redirect;
}

server {
    listen 0.0.0.0:443 ssl backlog=2048;
    server_name *.huanle.com;
    access_log /var/log/nginx/http-k8s-local-01.log access;
    keepalive_timeout 100s;
    keepalive_requests 200;
    ssl_certificate ssl_key/huanle.crt;
    ssl_certificate_key ssl_key/huanle.key;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_session_cache shared:SSL:30m;   ## SSL session cache
    ssl_session_timeout 10m;
    location / {
        proxy_pass http://k8s-local-01-http;
        proxy_connect_timeout 3;
        proxy_read_timeout 10;
        proxy_send_timeout 10;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

```
# /etc/nginx/conf.d/http/upstream.conf
upstream k8s-local-01-http {
    server 10.0.160.10:80 max_fails=2 fail_timeout=3s;
    server 10.0.160.30:80 max_fails=2 fail_timeout=3s;
    server 10.0.160.50:80 max_fails=2 fail_timeout=3s;
}

upstream k8s-local-01-https {
    server 10.0.160.10:443 max_fails=2 fail_timeout=3s;
    server 10.0.160.30:443 max_fails=2 fail_timeout=3s;
    server 10.0.160.50:443 max_fails=2 fail_timeout=3s;
}
```
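To confirm that the DaemonSet from step 2 landed exactly where the node labels and the `nodeSelector` say it should (one pod per labelled node, cordoned masters included, and none elsewhere), here is an added Python check. It is example code written for this page, not part of the booklet or of the Traefik chart. It reads the JSON that `kubectl get node -o json` and `kubectl get pod -n traefik -o json` produce; the embedded sample is constructed to mirror the six-node cluster and three pods shown above, and everything except the two labels from the page (function names, report keys) is an assumption of this example.

```python
import json
import sys

# Labels the page's procedure puts on the nodes that run the ingress controller
INGRESS_LABELS = {"ingressControllerNode": "yes", "ingressController": "traefik"}


def _labelled_nodes(nodes_doc, wanted):
    """Names of nodes carrying every label in `wanted` (kubectl get node -o json shape)."""
    names = set()
    for item in nodes_doc.get("items", []):
        labels = item["metadata"].get("labels", {})
        if all(labels.get(key) == value for key, value in wanted.items()):
            names.add(item["metadata"]["name"])
    return names


def check_placement(nodes_doc, pods_doc, wanted=INGRESS_LABELS):
    """Compare the traefik pods (kubectl get pod -n traefik -o json) with the
    labelled nodes. A DaemonSet with this nodeSelector should yield exactly one
    Running pod per labelled node (DaemonSet pods also land on cordoned,
    SchedulingDisabled nodes) and no pod on any other node."""
    labelled = _labelled_nodes(nodes_doc, wanted)
    running_on, stray, pending = set(), [], []
    for pod in pods_doc.get("items", []):
        name = pod["metadata"]["name"]
        node = pod["spec"].get("nodeName")
        phase = pod.get("status", {}).get("phase")
        if not node:
            pending.append(name)            # not scheduled yet
        elif node not in labelled:
            stray.append((name, node))      # landed on a node without the labels
        elif phase == "Running":
            running_on.add(node)
    missing = sorted(labelled - running_on)  # labelled nodes with no Running pod
    return {"missing": missing, "stray": stray, "pending": pending,
            "ok": not (missing or stray or pending)}


# --- constructed sample data (hypothetical, shaped like kubectl -o json output) ---
def _node(name, labels=None, unschedulable=False):
    return {"metadata": {"name": name, "labels": dict(labels or {})},
            "spec": {"unschedulable": unschedulable}}


def _pod(name, node, phase="Running"):
    return {"metadata": {"name": name, "namespace": "traefik"},
            "spec": {"nodeName": node}, "status": {"phase": phase}}


# three cordoned masters labelled as ingress nodes, three unlabelled workers
SAMPLE_NODES = {"items": [
    _node("10.0.160.10", INGRESS_LABELS, unschedulable=True),
    _node("10.0.160.13"),
    _node("10.0.160.30", INGRESS_LABELS, unschedulable=True),
    _node("10.0.160.32"),
    _node("10.0.160.50", INGRESS_LABELS, unschedulable=True),
    _node("10.0.160.51"),
]}
SAMPLE_PODS = {"items": [
    _pod("traefik-2mdzt", "10.0.160.10"),
    _pod("traefik-42k4f", "10.0.160.50"),
    _pod("traefik-kg7v6", "10.0.160.30"),
]}


if __name__ == "__main__":
    # usage: python check_placement.py nodes.json pods.json
    #   where nodes.json = kubectl get node -o json, pods.json = kubectl get pod -n traefik -o json
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            nodes = json.load(fh)
        with open(sys.argv[2]) as fh:
            pods = json.load(fh)
    else:
        nodes, pods = SAMPLE_NODES, SAMPLE_PODS
    print(json.dumps(check_placement(nodes, pods), indent=2))
```

Running it against the sample reports `"ok": true`; a pod that shows up on an unlabelled worker is listed under `stray`, and a labelled node that lost its pod (for instance after the label was removed) appears under `missing`.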
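The pipe-delimited `access` log_format defined in nginx.conf above is what an operator reads when the load balancer starts retrying upstreams (the `max_fails=2 fail_timeout=3s` and `proxy_connect_timeout 3` settings) or returning 5xx. The following added Python parser and summary, written for this page and not taken from the booklet or its author, handles that exact field order and reports failovers, 5xx per final upstream, 5xx per TCP peer, and requests that arrived already carrying an X-Real-IP header. Because the format does not quote its fields, a `|` inside a header value would shift the columns; the parser anchors fields from both ends and absorbs any surplus into the User-Agent. The five sample lines are constructed; the report keys and thresholds are assumptions of this example, and the field names follow the nginx variables in the format.

```python
from collections import Counter
import sys

# Field order of the `access` log_format from nginx.conf (15 fields)
FIELDS = [
    "time_local", "http_x_real_ip", "remote_addr", "http_x_forwarded_for",
    "upstream_addr", "upstream_connect_time", "upstream_response_time",
    "request_method", "server_protocol", "host", "request_uri",
    "http_referer", "http_user_agent", "proxy_host", "status",
]


def parse_line(line):
    """Split one line of the `access` format into a dict, or return None.

    The format is unquoted, so a '|' in a header value (most likely the
    User-Agent, field 13) adds extra columns. We take the first 12 fields from
    the left and the last 2 from the right; whatever remains is the user agent.
    """
    parts = line.rstrip("\n").split("|")
    if len(parts) < len(FIELDS):
        return None
    head, tail = parts[:12], parts[-2:]
    user_agent = "|".join(parts[12:-2])
    return dict(zip(FIELDS, head + [user_agent] + tail))


def analyze(lines):
    """Summarise LB-level signals from the log:
    - failovers: nginx retried the request on a second upstream ($upstream_addr
      lists several addresses, e.g. after proxy_connect_timeout on a dead ingress node)
    - errors_by_upstream: 5xx keyed by the upstream that finally answered
    - errors_by_client: 5xx keyed by $remote_addr, the TCP peer; the logged
      $http_x_real_ip / $http_x_forwarded_for are whatever the client sent,
      not the values nginx sets when proxying, so they are not trusted here
    - client_supplied_real_ip: requests that arrived with their own X-Real-IP
    - malformed: lines that did not parse
    """
    report = {"failovers": 0, "errors_by_upstream": Counter(),
              "errors_by_client": Counter(), "client_supplied_real_ip": 0,
              "malformed": 0}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            report["malformed"] += 1
            continue
        upstreams = [u.strip() for u in rec["upstream_addr"].split(",")]
        if len(upstreams) > 1:
            report["failovers"] += 1
        if rec["http_x_real_ip"] != "-":
            report["client_supplied_real_ip"] += 1
        try:
            status = int(rec["status"])
        except ValueError:
            report["malformed"] += 1
            continue
        if status >= 500:
            report["errors_by_upstream"][upstreams[-1]] += 1
            report["errors_by_client"][rec["remote_addr"]] += 1
    return report


# Constructed sample log lines in the `access` format (not real traffic):
# line 2 is a failover after a 3s connect timeout, line 3 carries a client-sent
# X-Real-IP, line 4 is a 502 from one ingress node, line 5 has a '|' in the UA.
SAMPLE_LOG = """\
03/Nov/2021:10:00:01 +0800|-|203.0.113.7|-|10.0.160.10:80|0.001|0.012|GET|HTTP/1.1|app.huanle.com|/api/v1/items|-|Mozilla/5.0|k8s-local-01-http|200
03/Nov/2021:10:00:02 +0800|-|203.0.113.7|-|10.0.160.30:80, 10.0.160.50:80|3.001, 0.002|3.001, 0.015|GET|HTTP/1.1|app.huanle.com|/api/v1/items|-|Mozilla/5.0|k8s-local-01-http|200
03/Nov/2021:10:00:03 +0800|10.0.0.1|198.51.100.9|10.0.0.1|10.0.160.10:80|0.001|0.004|GET|HTTP/1.1|app.huanle.com|/admin|-|curl/7.79.1|k8s-local-01-http|403
03/Nov/2021:10:00:04 +0800|-|198.51.100.9|-|10.0.160.50:80|-|-|GET|HTTP/1.1|app.huanle.com|/api/v1/items|-|curl/7.79.1|k8s-local-01-http|502
03/Nov/2021:10:00:05 +0800|-|203.0.113.7|-|10.0.160.10:80|0.001|0.010|GET|HTTP/1.1|app.huanle.com|/search?q=abc|-|Mozilla/5.0 (X11|Linux)|k8s-local-01-http|200
"""


if __name__ == "__main__":
    # usage: python lb_access_report.py /var/log/nginx/http-k8s-local-01.log
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for key, value in analyze(lines).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

On the sample this reports one failover (the request that moved from 10.0.160.30 to 10.0.160.50 after the connect timeout), one 5xx attributed to 10.0.160.50:80, and one request whose client supplied its own X-Real-IP. A steady stream of failovers or 5xx concentrated on one upstream address is the LB-side symptom of an ingress node being down or cordoned out of the DaemonSet.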