Comparing Kubernetes Ingress Controllers (Traefik)

Reader submission 826 2022-10-31


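Traefik supports both dynamic and static configuration, so in practice we put the ports Traefik listens on in the static configuration file. Traefik has won over many users with its rich feature set, especially its resilience features, and judging from a large number of technical blogs, many people now run it and find it stable. Compared with ingress-nginx, Traefik's ability to be configured dynamically clearly gives it an edge, which is a big and welcome upgrade. More features are described in detail in the official documentation (https://docs.traefik.io/).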

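On the other hand, the set of protocols Traefik supports keeps growing. Over the development from Traefik 1.0 to 2.0, Traefik has come to support HTTP, HTTPS, gRPC and TCP, and you can of course try out Traefik's TCP support.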

Let's install Traefik 2.0 on Kubernetes 1.16 and try out the TCP protocol in Traefik. First, we prepare the following resources.

CRD yaml

```yaml
## IngressRoute
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
---
## IngressRouteTCP
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
---
## Middleware
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
```

ServiceAccount

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: kube-system
  name: traefik-ingress-controller
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups: [""]
    resources: ["services","endpoints","secrets"]
    verbs: ["get","list","watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get","list","watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses/status"]
    verbs: ["update"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["middlewares"]
    verbs: ["get","list","watch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["ingressroutes"]
    verbs: ["get","list","watch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["ingressroutetcps"]
    verbs: ["get","list","watch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["tlsoptions"]
    verbs: ["get","list","watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
```

ConfigMap

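Because we will use Traefik's TCP protocol later, the configuration file adds the TCP port, the HTTP port, the HTTPS port, the Traefik metrics port, and the configuration that exposes Prometheus monitoring metrics.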

```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-config
  namespace: kube-system
data:
  traefik.yaml: |-
    serversTransport:
      insecureSkipVerify: true
    api:
      insecure: true
      dashboard: true
      debug: true
    metrics:
      prometheus:
        buckets:
          - 0.1
          - 0.3
          - 1.2
          - 5.0
        addEntryPointsLabels: true
        addServicesLabels: true
        entryPoint: metrics
    entryPoints:
      web:
        address: ":80"
      websecure:
        address: ":443"
      tcp:
        address: ":8081"
      metrics:
        address: ":8082"
    providers:
      kubernetesCRD: ""
    log:
      filePath: ""
      level: error
      format: json
    accessLog:
      filePath: ""
      format: json
      bufferingSize: 0
      filters:
        retryAttempts: true
        minDuration: 20
      fields:
        defaultMode: keep
        names:
          ClientUsername: drop
        headers:
          defaultMode: keep
          names:
            User-Agent: redact
            Authorization: drop
            Content-Type: keep
```
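The traefik.yaml in the ConfigMap above turns on three permissive settings (`serversTransport.insecureSkipVerify`, `api.insecure`, `api.debug`) that are worth catching before the config reaches a shared cluster. The check below is an added example, not part of the original article; the function names `audit_traefik_config` and `write_sample` are hypothetical, and the parser only handles the simple nested-map YAML used on this page.

```shell
# Added example: flag permissive keys in a Traefik v2 static config.
# Handles only nested "key: value" maps indented with spaces; function names are hypothetical.
audit_traefik_config() {
  awk '
    BEGIN {
      risky["serversTransport.insecureSkipVerify"] = "backend TLS certificates are not verified"
      risky["api.insecure"] = "API and dashboard are served without authentication on the traefik entry point"
      risky["api.debug"] = "debug and profiling endpoints are enabled"
    }
    /^[ \t]*(#|$)/ { next }   # skip comments and blank lines
    /^[ \t]*-/     { next }   # list items do not extend the key path
    {
      indent = 0
      while (substr($0, indent + 1, 1) == " ") indent++
      line = substr($0, indent + 1)
      colon = index(line, ":")
      if (colon == 0) next
      key = substr(line, 1, colon - 1)
      val = substr(line, colon + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      # Pop keys that are not ancestors of the current line.
      while (depth > 0 && ind[depth] >= indent) depth--
      depth++; ind[depth] = indent; name[depth] = key
      path = name[1]
      for (i = 2; i <= depth; i++) path = path "." name[i]
      if (val == "true" && (path in risky)) print path ": " risky[path]
    }
  ' "$1"
}

# Constructed sample: the first keys of the traefik.yaml shown above.
write_sample() {
  cat > "$1" <<'EOF'
serversTransport:
  insecureSkipVerify: true
api:
  insecure: true
  dashboard: true
  debug: true
entryPoints:
  web:
    address: ":80"
EOF
}

tmp=$(mktemp)
write_sample "$tmp"
audit_traefik_config "$tmp"   # prints one finding per permissive key
rm -f "$tmp"
```

With `api.insecure: true` the dashboard stays reachable on port 8080 of the `traefik` Service from inside the cluster, so the BasicAuth middleware on the IngressRoute only protects requests that arrive through the `web` entry point.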

traefik deployment

```yaml
apiVersion: v1
kind: Service
metadata:
  name: traefik
  namespace: kube-system
spec:
  ports:
    - name: web
      port: 80
    - name: websecure
      port: 443
    - name: admin
      port: 8080
    - name: metrics
      port: 8082
    - name: tcp
      port: 8081
  selector:
    app: traefik
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    app: traefik
spec:
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      name: traefik
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 1
      containers:
        - image: traefik:v2.0.5
          name: traefik-ingress-lb
          ports:
            - name: web
              containerPort: 80
              hostPort: 80      # hostPort: expose the port on the cluster node
            - name: websecure
              containerPort: 443
              hostPort: 443     # hostPort: expose the port on the cluster node
            - name: admin
              containerPort: 8080
            - name: tcp
              containerPort: 8081
              hostPort: 8081    # hostPort: expose the port on the cluster node
            - name: metrics
              containerPort: 8082
          resources:
            limits:
              cpu: 2000m
              memory: 2048Mi
            requests:
              cpu: 1000m
              memory: 2048Mi
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          args:
            - --configfile=/config/traefik.yaml
          volumeMounts:
            - mountPath: "/config"
              name: "config"
      volumes:
        - name: config
          configMap:
            name: traefik-config
      tolerations:              # tolerate all taints, so the pod still schedules if the node is tainted
        - operator: "Exists"
      nodeSelector:             # node selector: start on the node with this specific label
        kubernetes.io/hostname: dev-k8s-01.kubemaster.top
```

Traefik BasicAuth

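```bash
# Quote the heredoc delimiter so the shell does not expand the "$..." parts of the hash.
cat << 'EOF' > ./htpasswd
admin:$apr1$aeCGHgL4$.wj7Y7BP1HrHL5MsPsRW1.
EOF
kubectl create secret generic basic-auth --from-file=./htpasswd --namespace=kube-system
```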

Traefik ingress Rules and Middleware

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-route
  namespace: kube-system
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`traefik.kubemaster.top`)
      kind: Rule
      middlewares:
        - name: traefik-auth
      services:
        - name: traefik
          port: 8080
---
# Declaring the user list
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-auth
  namespace: kube-system
spec:
  basicAuth:
    secret: basic-auth
```

Once the resource files are ready, we can apply them to deploy Traefik 2.0:

```bash
kubectl apply -f .
```

Let's take a look at the result:
