
Kubernetes Ingress Controller Comparison (Traefik)

WeChat official account: 云原生生态圈
Published 2021-11-15 08:35:42

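This is a feature comparison chart of Kubernetes ingress controllers.

Traefik supports both dynamic and static configuration, so in this walkthrough we put the ports Traefik listens on in the static configuration file. Traefik's rich feature set, and its resilience features in particular, has won it many users; judging from the large number of technical blog posts, many people now run it and find it stable. Compared with ingress-nginx, Traefik's support for dynamic configuration clearly gives it the edge, and it is a very large and welcome upgrade. More features are described in detail in the official documentation (https://docs.traefik.io/):

On the other hand, Traefik supports a growing range of protocols: over the development from Traefik 1.0 to 2.0 it has come to support HTTP, HTTPS, gRPC and TCP. You can of course try out Traefik's TCP support.

Let's install Traefik 2.0 on Kubernetes 1.16 and try out the TCP protocol in Traefik. First we prepare the following resources.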

CRD yaml

## IngressRoute
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
---
## IngressRouteTCP
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
---
## Middleware
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption

ServiceAccount

apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: kube-system
  name: traefik-ingress-controller
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups: [""]
    resources: ["services","endpoints","secrets"]
    verbs: ["get","list","watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get","list","watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses/status"]
    verbs: ["update"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["middlewares"]
    verbs: ["get","list","watch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["ingressroutes"]
    verbs: ["get","list","watch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["ingressroutetcps"]
    verbs: ["get","list","watch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["tlsoptions"]
    verbs: ["get","list","watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system

ConfigMap

Because we will use Traefik's TCP support later, the configuration file adds:

  • a TCP port
  • an HTTP port
  • an HTTPS port
  • a Traefik metrics port
  • the configuration that exposes Prometheus monitoring metrics
kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-config
  namespace: kube-system
data:
  traefik.yaml: |-
    serversTransport:
      insecureSkipVerify: true
    api:
      insecure: true
      dashboard: true
      debug: true
    metrics:
      prometheus:
        buckets:
        - 0.1
        - 0.3
        - 1.2
        - 5.0
        addEntryPointsLabels: true
        addServicesLabels: true
        entryPoint: metrics
    entryPoints:
      web:
        address: ":80"
      websecure:
        address: ":443"
      tcp:
        address: ":8081"
      metrics:
        address: ":8082"
    providers:
      kubernetesCRD: ""
    log:
      filePath: ""
      level: error
      format: json
    accessLog:
      filePath: ""
      format: json
      bufferingSize: 0
      filters:
        retryAttempts: true
        minDuration: 20
      fields:
        defaultMode: keep
        names:
          ClientUsername: drop
        headers:
          defaultMode: keep
          names:
            User-Agent: redact
            Authorization: drop
            Content-Type: keep
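
The static configuration above turns on `serversTransport.insecureSkipVerify`, `api.insecure` and `api.debug`, and keeps request headers in the access log by default. The following audit is an added example, not part of the original article; its parser handles only the block-style YAML subset used here, and treating `Cookie` as a secret header is this example's own assumption.

```python
# Added example; SAMPLE is an excerpt of the traefik.yaml in the ConfigMap above.
SAMPLE = """\
serversTransport:
  insecureSkipVerify: true
api:
  insecure: true
  debug: true
accessLog:
  fields:
    headers:
      defaultMode: keep
      names:
        Authorization: drop
"""
RISKY = [  # (flattened key, risky value, why it matters)
    ("serversTransport.insecureSkipVerify", "true", "backend TLS certificates are not verified"),
    ("api.insecure", "true", "API/dashboard served unauthenticated on the 'traefik' entry point (:8080)"),
    ("api.debug", "true", "debugging and profiling endpoints enabled under /debug/"),
]
SECRET_HEADERS = ["Authorization", "Cookie"]  # this example's assumption; extend as needed

def flatten(text):
    """Flatten nested block-style YAML mappings to {'a.b.c': 'value'} (list items skipped)."""
    flat, stack = {}, []  # stack holds (indent, key) for the current path
    for raw in text.splitlines():
        body = raw.strip()
        if not body or body[0] in "#-" or ":" not in body:
            continue  # blank line, comment or list item
        indent = len(raw) - len(raw.lstrip())
        key, _, value = body.partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave deeper and sibling scopes
        stack.append((indent, key.strip()))
        value = value.split(" #")[0].strip().strip("\"'")
        if value:
            flat[".".join(k for _, k in stack)] = value
    return flat

def audit(text):
    """Return one finding string per risky setting found in the static config."""
    flat = flatten(text)
    findings = [f"{k}: {why}" for k, bad, why in RISKY if flat.get(k, "").lower() == bad]
    hdr = "accessLog.fields.headers."
    if flat.get(hdr + "defaultMode") == "keep":
        for name in SECRET_HEADERS:
            if flat.get(hdr + "names." + name) not in ("drop", "redact"):
                findings.append(f"{hdr}names.{name}: logged in clear because defaultMode is keep")
    return findings

print("\n".join(audit(SAMPLE)))
```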

traefik deployment

apiVersion: v1
kind: Service
metadata:
  name: traefik
  namespace: kube-system
spec:
  ports:
    - name: web
      port: 80
    - name: websecure
      port: 443
    - name: admin
      port: 8080
    - name: metrics
      port: 8082
    - name: tcp
      port: 8081
  selector:
    app: traefik
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    app: traefik
spec:
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      name: traefik
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 1
      containers:
        - image: traefik:v2.0.5
          name: traefik-ingress-lb
          ports:
            - name: web
              containerPort: 80
              hostPort: 80           # hostPort: expose the port on the cluster node
            - name: websecure
              containerPort: 443
              hostPort: 443          # hostPort: expose the port on the cluster node
            - name: admin
              containerPort: 8080
            - name: tcp
              containerPort: 8081
              hostPort: 8081         # hostPort: expose the port on the cluster node
            - name: metrics
              containerPort: 8082
          resources:
            limits:
              cpu: 2000m
              memory: 2048Mi
            requests:
              cpu: 1000m
              memory: 2048Mi
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          args:
            - --configfile=/config/traefik.yaml
          volumeMounts:
            - mountPath: "/config"
              name: "config"
      volumes:
        - name: config
          configMap:
            name: traefik-config
      tolerations:              # tolerate all taints so scheduling is not blocked if the node is tainted
        - operator: "Exists"
      nodeSelector:             # node selector: start on the node carrying a specific label
        kubernetes.io/hostname: dev-k8s-01.kubemaster.top

Traefik BasicAuth

# Quote the heredoc delimiter so the shell does not expand the $-prefixed parts of the hash
cat << 'EOF' > ./htpasswd
admin:$apr1$aeCGHgL4$.wj7Y7BP1HrHL5MsPsRW1.
EOF
kubectl create secret generic basic-auth --from-file=./htpasswd --namespace=kube-system
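
A pre-flight check for the htpasswd file before it goes into the `basic-auth` secret, as an added example that is not part of the original article. If the heredoc delimiter is left unquoted, the shell expands `$apr1` and `$aeCGHgL4` as unset variables and the file ends up with a truncated hash; `MANGLED` below is constructed to show that result, and the regular expressions are this example's own approximation of the MD5 (apr1), SHA1 and BCrypt formats that Traefik's basicAuth accepts.

```python
import re

# Approximate shapes of the hash formats accepted by Traefik basicAuth.
SCHEMES = {
    "apr1":   re.compile(r"^\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$"),
    "bcrypt": re.compile(r"^\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$"),
    "sha1":   re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"),
}

GOOD = "admin:$apr1$aeCGHgL4$.wj7Y7BP1HrHL5MsPsRW1.\n"   # entry from the article
MANGLED = "admin:$.wj7Y7BP1HrHL5MsPsRW1.\n"              # constructed: after shell expansion

def check_htpasswd(text):
    """Return (ok, problems): ok maps user -> scheme, problems lists 'line N: reason'."""
    ok, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        user, sep, digest = line.partition(":")
        scheme = next((s for s, rx in SCHEMES.items() if rx.match(digest)), None)
        if not sep or not user:
            problems.append(f"line {n}: not in user:hash form")
        elif scheme is None:
            problems.append(f"line {n}: hash for {user!r} matches no supported scheme")
        elif user in ok:
            problems.append(f"line {n}: duplicate user {user!r}")
        else:
            ok[user] = scheme
    return ok, problems

for label, sample in (("good", GOOD), ("mangled", MANGLED)):
    print(label, check_htpasswd(sample))
```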

Traefik ingress Rules and Middleware

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-route
  namespace: kube-system
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`traefik.kubemaster.top`)
      kind: Rule
      middlewares: 
        - name: traefik-auth
      services:
        - name: traefik
          port: 8080
---
# Declaring the user list
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-auth
  namespace: kube-system
spec:
  basicAuth:
    secret: basic-auth

With the resource manifests ready, we can apply them and deploy Traefik 2.0:

kubectl apply -f .

Let's take a look at the result:

Originally published 2020-03-07; shared from the 云原生生态圈 WeChat official account.