官方文档在此 https://docs.traefik.io/user-guide/kubernetes/
官方文档在配置 RBAC 时使用了 ClusterRoleBinding, 当你想用多命名空间时,官方给了你一个提示
For namespaced restrictions, one RoleBinding is required per watched namespace along with a corresponding configuration of Træfik's
kubernetes.namespacesparameter.
这就是坑人的地方了 !!!
traefik --help 这么显示的
默认值是一个"[]", 这到底是一个字符串还是列表
那么我是--kubernetes.namespaces="[env-a, env-b]" 还是 --kubernetes.namespaces=["env-a", "env-b"]
我们把帮助文档往上拉
好 有个说明,那么我们就认为是这么填 --kubernetes.namespaces='env-a,env-b'
还是报错
经过万能的 google 搜索,发现了这个页面 https://github.com/containous/traefik/issues/1153
看一下-- help 就知道这里这个参数是个 map, 那么变通一下 --kubernetes.namespaces=env-a,env-b 没有引号, 官方文档真的能坑死人
让我们来看一下完整的配置
RBAC 我们使用 Role 和 RoleBinding
这样就能在不同的 namespace 启动不同的 traefik 实例来指向不同的 ingress
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
namespace: default
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: default
deployment
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-ingress-controller
namespace: default
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
name: traefik-ingress-controller
namespace: default
labels:
k8s-app: traefik-ingress-lb
spec:
replicas: 1
selector:
matchLabels:
k8s-app: traefik-ingress-lb
template:
metadata:
labels:
k8s-app: traefik-ingress-lb
name: traefik-ingress-lb
spec:
serviceAccountName: traefik-ingress-controller
terminationGracePeriodSeconds: 60
containers:
- image: traefik
name: traefik-ingress-lb
args:
- --api
- --kubernetes
- --kubernetes.namespaces=default #### 就是这里
- --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
name: traefik-ingress-service
namespace: default
spec:
selector:
k8s-app: traefik-ingress-lb
ports:
- protocol: TCP
port: 80
name: web
- protocol: TCP
port: 8080
name: admin
type: NodePort
ui
---
apiVersion: v1
kind: Service
metadata:
name: traefik-web-ui
namespace: default
spec:
selector:
k8s-app: traefik-ingress-lb
ports:
- name: web
port: 80
targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: traefik-web-ui
namespace: default
spec:
rules:
- host: traefik-ui.minikube
http:
paths:
- path: /
backend:
serviceName: traefik-web-ui
servicePort: web