
1.安装 helm
helm 安装方式可以参考官方文档。

2.安装traefik

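  # values.yaml — Helm values for the traefik chart (Traefik v2.5.3).
  # Keys are written nested rather than in "a.b.c" dotted form: inside a values
  # file a dotted key is a literal map key (only `helm --set` expands dots), so
  # image.tag, ingressRoute.dashboard.enabled and logs.general.level were
  # silently ignored and the chart defaults applied instead.
  image:
    tag: "v2.5.3"
  deployment:
    kind: DaemonSet
    additionalVolumes:
      - name: traefik-access-log
        hostPath:
          path: /data/logs/traefik
          type: DirectoryOrCreate
    # Init container that fixes ownership/permissions of the log directory.
    # It runs as root, but only against the hostPath mounted at /data (the
    # node's /data/logs/traefik), and chowns it to traefik's uid/gid 65532.
    initContainers:
      - name: volume-permissions
        image: busybox:1.31.1
        command: ["sh", "-c", "chmod -Rv 755 /data/ && chown -R 65532.65532 /data/"]
        volumeMounts:
          - name: traefik-access-log
            mountPath: /data
  ingressClass:
    enabled: true
    isDefaultClass: true
    fallbackApiVersion: "v1"
  # Recommended: reach the dashboard through a hostname of your own rather than
  # the chart's default IngressRoute, so that route is not created here.
  ingressRoute:
    dashboard:
      enabled: false
  additionalVolumeMounts:
    - name: traefik-access-log
      mountPath: /var/log/traefik
  logs:
    general:
      level: WARN
    # Access log configuration
    access:
      enabled: true
      # Number of lines buffered before they are written out
      bufferingSize: 100
      # Which requests get logged. Filtering out the internal health checks is
      # not supported yet and the format is hard to customise; with an LB in
      # front the client IP additionally has to be recovered via proxyprotocol,
      # which is cumbersome. Under heavy traffic, with an Nginx LB in front,
      # consider switching Traefik's access log off altogether.
      filters:
        statuscodes: "100,300-302,400-404,500-505"  # status code ranges
        retryattempts: true  # log retried requests
        minduration: 10ms  # responses slower than 10ms
  globalArguments:
    - "--global.checknewversion"
    # Sends anonymous usage statistics to Traefik Labs; drop it if egress is restricted.
    - "--global.sendanonymoususage"
    # Skip TLS verification from traefik to backend pods; handy for pods with
    # self-signed certificates. Note this is the default ServersTransport, so
    # it applies to every backend, and anything able to intercept pod-to-pod
    # traffic could then impersonate a backend. When only a few services need
    # it, prefer a per-service ServersTransport (rootCAsSecrets, or
    # insecureSkipVerify scoped to that service).
    - "--serversTransport.insecureSkipVerify=true"
    # Path the access log is written to, so filebeat can collect it.
    # Rotation needs a cronjob sending USR1 to traefik.
    - "--accesslog.filepath=/var/log/traefik/access.log"
    # Access log timestamps follow the container timezone (TZ below)
    - "--accesslog.fields.names.StartUTC=drop"
    # NOTE(review): the nginx LB in front sets X-Real-IP / X-Forwarded-For, but
    # Traefik only honours those headers from addresses listed in the entrypoint's
    # forwardedHeaders.trustedIPs; without e.g.
    # "--entryPoints.web.forwardedHeaders.trustedIPs=<LB-IP-PLACEHOLDER>" in
    # additionalArguments the real client IP is replaced by the LB's — confirm
    # against the LB addresses.
  env:
    # Traefik's timezone
    - name: TZ
      value: Asia/Shanghai
  # For higher throughput the node's network namespace (hostNetwork) can be used directly.
  ports:
    traefik:
      port: 9000
      # Do not expose port 9000 (api/dashboard entrypoint) in production
      expose: false
      exposedPort: 9000
      protocol: TCP
    web:
      port: 8000
      hostPort: 80
      expose: true
      exposedPort: 80
      protocol: TCP
      # redirectTo: websecure
    websecure:
      port: 8443
      hostPort: 443
      expose: true
      exposedPort: 443
    metrics:
      port: 9100
      expose: false
      exposedPort: 9100
      protocol: TCP
  service:
    type: ClusterIP
  resources:
    requests:
      cpu: "100m"
      memory: "512Mi"
    limits:
      cpu: "1000m"
      memory: "1024Mi"
  # Only schedule traefik on the selected nodes (the ones labelled with kubectl
  # below). "yes" must stay quoted: unquoted, YAML 1.1 parsers read it as true.
  nodeSelector:
    ingressControllerNode: "yes"
    ingressController: "traefik"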
  # Cluster inventory: three cordoned (SchedulingDisabled) masters and three
  # workers. The masters are the ones turned into ingress nodes below.
  1. [root@maxiaoke ~]# kubectl get node
  2. NAME STATUS ROLES AGE VERSION
  3. 10.0.160.10 Ready,SchedulingDisabled master 12d v1.20.10
  4. 10.0.160.13 Ready node 12d v1.20.10
  5. 10.0.160.30 Ready,SchedulingDisabled master 12d v1.20.10
  6. 10.0.160.32 Ready node 12d v1.20.10
  7. 10.0.160.50 Ready,SchedulingDisabled master 12d v1.20.10
  8. 10.0.160.51 Ready node 12d v1.20.10
  9. # Label the nodes that act as IngressController; ingressController=traefik is added as well because several ingress controllers may be deployed later
  # These two labels are exactly what the nodeSelector in values.yaml matches,
  # so only these three hosts bind hostPorts 80/443; they are also the servers
  # listed in the nginx upstream pools further down.
  10. [root@maxiaoke ~]# kubectl label nodes 10.0.160.10 ingressControllerNode=yes ingressController=traefik
  11. [root@maxiaoke ~]# kubectl label nodes 10.0.160.30 ingressControllerNode=yes ingressController=traefik
  12. [root@maxiaoke ~]# kubectl label nodes 10.0.160.50 ingressControllerNode=yes ingressController=traefik
  # Namespace, chart repository, then the install itself; -f passes the
  # values file shown above (saved here as /tmp/values.yaml).
  13. [root@maxiaoke ~]# kubectl create namespace traefik
  14. [root@maxiaoke ~]# helm repo add traefik https://helm.traefik.io/traefik
  15. [root@maxiaoke ~]# helm repo update
  16. [root@maxiaoke ~]# helm install -n traefik traefik traefik/traefik -f /tmp/values.yaml
  # One pod per labelled node, as expected for a DaemonSet. The pods landed on
  # the cordoned masters; DaemonSet pods tolerate the unschedulable cordon by
  # default, but a NoSchedule taint on the masters would additionally need
  # tolerations in the chart values — confirm for your own cluster.
  17. [root@maxiaoke ~]# kubectl get pod -n traefik -o wide
  18. NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
  19. traefik-2mdzt 1/1 Running 0 13h 10.200.1.18 10.0.160.10 <none> <none>
  20. traefik-42k4f 1/1 Running 0 13h 10.200.2.17 10.0.160.50 <none> <none>
  21. traefik-kg7v6 1/1 Running 0 13h 10.200.0.17 10.0.160.30 <none> <none>

3.配置负载均衡器
一般使用ingress controller监听在节点的80或者443端口,80负责HTTP流量,443负责HTTPS流量。用户从集群外面访问集群内业务的API,从安全角度考虑,建议强制走HTTPS协议到达负载均衡器;从负载均衡器到后端ingress controller,可以走HTTP或者HTTPS,在做好安全工作的前提下,推荐走HTTP。针对需要走HTTPS的流量,在负载均衡器上使用更高优先级的虚拟主机,将流量转发到 ingress controller 的https接口。

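  # /etc/nginx/nginx.conf — edge load balancer in front of the Traefik nodes.
  user nginx;
  worker_processes auto;
  pid /run/nginx.pid;
  include /usr/share/nginx/modules/*.conf;

  events {
      worker_connections 65535;
  }

  http {
      log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
      # Pipe-separated format used by the k8s virtual hosts. $http_x_real_ip and
      # $http_x_forwarded_for are copied from request headers the client itself
      # can set, so treat those columns as claims; $remote_addr is the
      # verified peer address.
      log_format access '$time_local|$http_x_real_ip|$remote_addr|$http_x_forwarded_for|$upstream_addr|$upstream_connect_time|$upstream_response_time|'
                        '$request_method|$server_protocol|$host|$request_uri|$http_referer|$http_user_agent|$proxy_host|$status';
      access_log /var/log/nginx/http-access.log main;
      error_log /var/log/nginx/http-error.log error;
      sendfile on;
      tcp_nopush on;
      tcp_nodelay on;
      keepalive_timeout 65;
      types_hash_max_size 4096;
      include /etc/nginx/mime.types;
      default_type application/octet-stream;
      # Virtual hosts and upstream pools live in conf.d/http
      include /etc/nginx/conf.d/http/*.conf;
  }

  stream {
      # The terminating ';' was missing here, so nginx swallowed the following
      # access_log line as extra format arguments and no stream access log was
      # ever configured.
      log_format stream '$time_local|$remote_addr|$protocol|$bytes_sent|$bytes_received|$upstream_addr|$upstream_connect_time|$status';
      access_log /var/log/nginx/stream-access.log stream;
      error_log /var/log/nginx/stream-error.log error;
      include /etc/nginx/conf.d/stream/*.conf;
  }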
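  # Default forwarding rules for the edge load balancer
  # /etc/nginx/conf.d/http/default.conf

  # Plain HTTP: everything is redirected to HTTPS, so clients outside the
  # cluster never reach the ingress controller unencrypted.
  # (`return 302 https://$host$request_uri;` is the idiomatic equivalent.)
  server {
      listen 0.0.0.0:80 backlog=2048;
      server_name *.huanle.com;
      access_log /var/log/nginx/http-k8s-local-01.log access;
      rewrite (.*) https://$host$1 redirect;
  }

  # HTTPS: TLS terminates here and the hop to Traefik is plain HTTP (upstream
  # k8s-local-01-http), so the original scheme has to be forwarded explicitly
  # or Traefik and the apps behind it will believe they were reached over http.
  server {
      listen 0.0.0.0:443 ssl backlog=2048;
      server_name *.huanle.com;
      access_log /var/log/nginx/http-k8s-local-01.log access;
      keepalive_timeout 100s;
      keepalive_requests 200;

      # Paths are relative to the nginx prefix (/etc/nginx)
      ssl_certificate ssl_key/huanle.crt;
      ssl_certificate_key ssl_key/huanle.key;
      # Pin the protocol list: the original relied on the build's default, which
      # on older nginx builds still includes TLS 1.0/1.1.
      ssl_protocols TLSv1.2 TLSv1.3;
      ssl_ciphers HIGH:!aNULL:!MD5;
      ssl_session_cache shared:SSL:30m;  # shared TLS session cache
      ssl_session_timeout 10m;

      location / {
          proxy_pass http://k8s-local-01-http;
          proxy_connect_timeout 3;
          proxy_read_timeout 10;
          proxy_send_timeout 10;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          # Tell the ingress controller the client used HTTPS.
          proxy_set_header X-Forwarded-Proto $scheme;
      }
  }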
  # /etc/nginx/conf.d/http/upstream.conf
  # Backend pools: the three labelled ingress nodes, reached on the hostPorts
  # that Traefik's DaemonSet binds (80 = web, 443 = websecure). A node is
  # taken out after 2 failures within 3s and probed again after 3s.

  # Pool for the HTTPS path to the ingress controller; not referenced by the
  # default.conf virtual host shown above (that one uses the http pool).
  upstream k8s-local-01-https {
      server 10.0.160.10:443 fail_timeout=3s max_fails=2;
      server 10.0.160.30:443 fail_timeout=3s max_fails=2;
      server 10.0.160.50:443 fail_timeout=3s max_fails=2;
  }

  # Pool used by proxy_pass http://k8s-local-01-http in default.conf
  upstream k8s-local-01-http {
      server 10.0.160.10:80 fail_timeout=3s max_fails=2;
      server 10.0.160.30:80 fail_timeout=3s max_fails=2;
      server 10.0.160.50:80 fail_timeout=3s max_fails=2;
  }
