1.安装 helm
helm 安装方式可以参考官方文档。
2.安装traefik
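# values.yaml
# Helm values for the traefik/traefik chart.
# Keys must be nested as real YAML mappings: a flat key such as `image.tag:`
# is stored by Helm as the literal key "image.tag" and does NOT override the
# chart's `image.tag`. The dotted keys in the original file therefore fell back
# to chart defaults (image tag, log level, and the chart's default dashboard
# IngressRoute would have stayed installed).
image:
  tag: "v2.5.3"

deployment:
  kind: DaemonSet
  additionalVolumes:
    # hostPath: access logs are written straight onto the node's filesystem.
    - name: traefik-access-log
      hostPath:
        path: /data/logs/traefik
        type: DirectoryOrCreate
  # Init container that fixes ownership/permissions of the host log directory.
  # It runs as root (busybox default) with write access to the host path, so
  # keep the image pinned. 65532 is the uid/gid the traefik image runs as.
  initContainers:
    - name: volume-permissions
      image: busybox:1.31.1
      # NOTE(review): 755 leaves the access logs (client IPs, URLs, user agents)
      # readable by every user on the node; use 750 if the log collector runs
      # as root or as uid/gid 65532.
      command: ["sh", "-c", "chmod -Rv 755 /data/ && chown -R 65532.65532 /data/"]
      volumeMounts:
        - name: traefik-access-log
          mountPath: /data

ingressClass:
  enabled: true
  isDefaultClass: true
  fallbackApiVersion: "v1"

# Do not install the chart's default dashboard IngressRoute. If the dashboard
# is needed, publish it on a dedicated hostname behind authentication.
ingressRoute:
  dashboard:
    enabled: false

additionalVolumeMounts:
  - name: traefik-access-log
    mountPath: /var/log/traefik

logs:
  general:
    level: WARN
  # Access log configuration
  access:
    enabled: true
    # Number of lines buffered before flushing to disk
    bufferingSize: 100
    # Filters: only matching requests are logged.
    # Internal health-check requests cannot be filtered out and the format is
    # hard to customise. With an LB in front, the real client IP only reaches
    # Traefik via proxy protocol or trusted X-Forwarded-* headers (see the
    # forwardedHeaders note under ports.web below). Under low traffic, with an
    # Nginx LB in front that already logs, consider disabling this log.
    filters:
      statuscodes: "100,300-302,400-404,500-505"  # status-code ranges
      retryattempts: true                          # log retried requests
      minduration: 10ms                            # responses slower than 10ms

globalArguments:
  # Both flags make the ingress pods call out to Traefik's servers (version
  # check, anonymous usage statistics). Keep them off in production /
  # air-gapped clusters; the bare flags in the chart default enable them.
  - "--global.checknewversion=false"
  - "--global.sendanonymoususage=false"
  # Skip TLS verification from Traefik to backend pods (useful for pods with
  # self-signed certificates).
  # WARNING: this is global, so a MITM between Traefik and any backend goes
  # unnoticed. Prefer scoping it per backend with a ServersTransport resource
  # (rootCAs, or insecureSkipVerify only for that backend) and keep it off here.
  - "--serversTransport.insecureSkipVerify=true"
  # Access-log path inside the container (mounted from the hostPath above) so
  # filebeat can collect it. Rotation needs a cronjob that sends USR1 to traefik.
  - "--accesslog.filepath=/var/log/traefik/access.log"
  # Timestamps in the access log use the container time zone (TZ below).
  - "--accesslog.fields.names.StartUTC=drop"

env:
  # Time zone for Traefik (affects access-log timestamps)
  - name: TZ
    value: Asia/Shanghai

# For higher throughput the pods could use the node's network namespace
# (hostNetwork); hostPort is used instead below.
ports:
  traefik:
    port: 9000
    # Never expose 9000 (API/dashboard entrypoint) in production
    expose: false
    exposedPort: 9000
    protocol: TCP
  web:
    port: 8000
    hostPort: 80
    expose: true
    exposedPort: 80
    protocol: TCP
    # redirectTo: websecure
    # Traefik discards X-Forwarded-For / X-Real-IP / X-Forwarded-Proto from
    # sources it does not trust, so the client IP set by the Nginx LB is
    # ignored (the access log shows the LB address) unless the LB is listed
    # here (or via additionalArguments
    # "--entryPoints.web.forwardedHeaders.trustedIPs=..." if this chart
    # version lacks the key):
    # forwardedHeaders:
    #   trustedIPs:
    #     - "<nginx LB address>/32"
  websecure:
    port: 8443
    hostPort: 443
    expose: true
    exposedPort: 443
  metrics:
    port: 9100
    expose: false
    exposedPort: 9100
    protocol: TCP

service:
  type: ClusterIP

resources:
  requests:
    cpu: "100m"
    memory: "512Mi"
  limits:
    cpu: "1000m"
    memory: "1024Mi"

# Only schedule Traefik on the nodes carrying these labels
nodeSelector:
  ingressControllerNode: "yes"
  ingressController: "traefik"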
[root@maxiaoke ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
10.0.160.10 Ready,SchedulingDisabled master 12d v1.20.10
10.0.160.13 Ready node 12d v1.20.10
10.0.160.30 Ready,SchedulingDisabled master 12d v1.20.10
10.0.160.32 Ready node 12d v1.20.10
10.0.160.50 Ready,SchedulingDisabled master 12d v1.20.10
10.0.160.51 Ready node 12d v1.20.10
# 标记作为 IngressController 的节点。之所以额外增加 ingressController=traefik 标签，是后续可能会部署多个 ingress controller。注意：这里打标签的 10.0.160.10/30/50 是上面 kubectl get node 中的 master 节点，意味着外部流量会直接落到控制平面节点的 hostPort 80/443 上；生产环境建议使用专用的 ingress 节点。
[root@maxiaoke ~]# kubectl label nodes 10.0.160.10 ingressControllerNode=yes ingressController=traefik
[root@maxiaoke ~]# kubectl label nodes 10.0.160.30 ingressControllerNode=yes ingressController=traefik
[root@maxiaoke ~]# kubectl label nodes 10.0.160.50 ingressControllerNode=yes ingressController=traefik
[root@maxiaoke ~]# kubectl create namespace traefik
[root@maxiaoke ~]# helm repo add traefik https://helm.traefik.io/traefik
[root@maxiaoke ~]# helm repo update
[root@maxiaoke ~]# helm install -n traefik traefik traefik/traefik -f /tmp/values.yaml
[root@maxiaoke ~]# kubectl get pod -n traefik -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
traefik-2mdzt 1/1 Running 0 13h 10.200.1.18 10.0.160.10 <none> <none>
traefik-42k4f 1/1 Running 0 13h 10.200.2.17 10.0.160.50 <none> <none>
traefik-kg7v6 1/1 Running 0 13h 10.200.0.17 10.0.160.30 <none> <none>
3.配置负载均衡器
一般 ingress controller 监听在节点的 80 或者 443 端口：80 负责 HTTP 流量，443 负责 HTTPS 流量。用户从集群外访问集群内业务的 API 时，从安全角度考虑，建议强制走 HTTPS 到达负载均衡器；从负载均衡器到后端 ingress controller 可以走 HTTP 或者 HTTPS。在负载均衡器与节点之间的网络可信（例如同一内网且有网络隔离）的前提下，推荐走 HTTP 以简化证书管理；但要注意这一段是明文传输，并且 ingress controller 默认只信任来自已配置可信地址（Traefik 的 forwardedHeaders.trustedIPs 或 proxy protocol）的 X-Forwarded-* 头，否则后端拿到的客户端 IP 和协议会是负载均衡器的。针对必须端到端走 HTTPS 的流量，在负载均衡器上使用更高优先级的虚拟主机，将流量转发到 ingress controller 的 HTTPS 端口。
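# /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 65535;
}
http {
    # Do not advertise the nginx version in Server headers and error pages.
    server_tokens off;
    # $http_x_forwarded_for / $http_x_real_ip are client-supplied and can be
    # forged; only $remote_addr is authoritative at this hop.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    log_format access '$time_local|$http_x_real_ip|$remote_addr|$http_x_forwarded_for|$upstream_addr|$upstream_connect_time|$upstream_response_time|'
                      '$request_method|$server_protocol|$host|$request_uri|$http_referer|$http_user_agent|$proxy_host|$status' ;
    access_log /var/log/nginx/http-access.log main;
    error_log /var/log/nginx/http-error.log error;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    include /etc/nginx/conf.d/http/*.conf;
}
stream {
    # The original line lacked the terminating ';', so the following
    # access_log line was read as part of the log_format arguments instead of
    # as a directive and no stream access log was configured.
    log_format stream '$time_local|$remote_addr|$protocol|$bytes_sent|$bytes_received|$upstream_addr|$upstream_connect_time|$status';
    access_log /var/log/nginx/stream-access.log stream;
    error_log /var/log/nginx/stream-error.log error;
    include /etc/nginx/conf.d/stream/*.conf;
}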
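# Default forwarding rules
# /etc/nginx/conf.d/http/default.conf
# Catch-all for Host headers that match no server_name. Without it the first
# server{} on :80 is the implicit default server and answers any Host value
# the client sends with a redirect to https://<that host>/..., since $host is
# taken from the request.
server {
    listen 0.0.0.0:80 default_server backlog=2048 ;
    server_name _ ;
    return 444 ;
}
server {
    listen 0.0.0.0:80 ;
    server_name *.huanle.com ;
    access_log /var/log/nginx/http-k8s-local-01.log access ;
    # Force every plain-HTTP request for our domains onto HTTPS, keeping the
    # original URI and query string (permanent redirect instead of the 302 the
    # rewrite produced).
    return 301 https://$host$request_uri ;
}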
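# This is also the implicit default server for :443: connections whose SNI /
# Host matches nothing else are answered with the wildcard certificate and
# proxied. Consider a catch-all default_server with `ssl_reject_handshake on`
# (nginx >= 1.19.4) if that is not wanted.
server {
    listen 0.0.0.0:443 ssl backlog=2048 ;
    server_name *.huanle.com ;
    access_log /var/log/nginx/http-k8s-local-01.log access ;
    keepalive_timeout 100s ;
    keepalive_requests 200 ;
    ssl_certificate ssl_key/huanle.crt ;
    ssl_certificate_key ssl_key/huanle.key ;
    # Pin the protocol set explicitly: older nginx builds otherwise still
    # offer TLSv1 / TLSv1.1 by default.
    ssl_protocols TLSv1.2 TLSv1.3 ;
    ssl_ciphers HIGH:!aNULL:!MD5 ;
    ssl_prefer_server_ciphers on ;
    ssl_session_cache shared:SSL:30m ; ## SSL session cache
    ssl_session_timeout 10m ;
    # Plain HTTP is redirected unconditionally on :80, so tell browsers to
    # stay on HTTPS for this host.
    add_header Strict-Transport-Security "max-age=31536000" always ;
    location / {
        # TLS terminates here; the hop to the ingress controller is cleartext
        # HTTP, so the LB-to-node network segment must be trusted.
        proxy_pass http://k8s-local-01-http ;
        proxy_connect_timeout 3 ;
        proxy_read_timeout 10 ;
        proxy_send_timeout 10 ;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr ;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;
        # Tell backends the client connection was HTTPS. Traefik only honours
        # these X-Forwarded-* headers once this LB's address is listed in the
        # entrypoint's forwardedHeaders.trustedIPs; otherwise it overwrites
        # them with its own values.
        proxy_set_header X-Forwarded-Proto $scheme ;
        proxy_set_header X-Forwarded-Port $server_port ;
    }
}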
# /etc/nginx/conf.d/http/upstream.conf
# Backends are the Traefik hostPorts (80/443) on the nodes labelled
# ingressController=traefik. NOTE(review): per the `kubectl get node` output
# above these three addresses are the control-plane (master) nodes, so external
# traffic terminates on the nodes running the Kubernetes control plane; prefer
# dedicated ingress nodes in production.
# A node is taken out of rotation for fail_timeout (3s) after max_fails (2)
# consecutive failed attempts.
upstream k8s-local-01-http {
server 10.0.160.10:80 max_fails=2 fail_timeout=3s;
server 10.0.160.30:80 max_fails=2 fail_timeout=3s;
server 10.0.160.50:80 max_fails=2 fail_timeout=3s;
}
# HTTPS upstream for traffic that must stay TLS end-to-end (referenced by the
# higher-priority virtual host described in the prose; not used by default.conf).
upstream k8s-local-01-https {
server 10.0.160.10:443 max_fails=2 fail_timeout=3s;
server 10.0.160.30:443 max_fails=2 fail_timeout=3s;
server 10.0.160.50:443 max_fails=2 fail_timeout=3s;
}