yum install -y http://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum install php72-php php72-php-cli php72-php-common php72-php-devel
php72-php-embedded php72-php-gd php72-php-mbstring php72-php-pdo
php72-php-xml php72-php-fpm php72-php-mysqlnd php72-php-opcache
php72-php-mcrypt php72-php-pecl-memcached php72-php-pecl-redis php72-php-pecl-zip -y
php72-php-intl
服务在K8S集群外被访问
使用NodePort型service
无法使用kube-proxy的ipvs模型,只能使用iptables模型
–proxy-mode=iptables
–ipvs-scheduler=rr
使用Ingress资源
Ingress只能调度并暴露7层应用,特指http和https协议
Ingress是K8S API的标准资源类型之一,也是一种核心资源,它其实就是一组基于域名和URL路径,把用户的请求转发至指定service资源的规则
可以将集群外部的请求流量转发只集群内部,从而实现服务暴露
Ingress控制器是能够为Ingress资源监听某套接字,然后根据Ingress规则匹配机制路由调度流量的一个组件
常用的Ingress控制器
Ingress-nginx
HAProxy
Traefix
部署traefix
https://github.com/containous/traefik
docker pull traefik:v1.7.2-alpine
docker tag add5fac61ae5 harbor.rongbiz.cn/public/traefik:v1.7.2
docker push harbor.rongbiz.cn/public/traefik:v1.7.2
vi rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-ingress-controller
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: traefik-ingress-controller
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: kube-system
vi ds.yaml
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: traefik-ingress
namespace: kube-system
labels:
k8s-app: traefik-ingress
spec:
template:
metadata:
labels:
k8s-app: traefik-ingress
name: traefik-ingress
spec:
serviceAccountName: traefik-ingress-controller
terminationGracePeriodSeconds: 60
containers:
- image: harbor.rongbiz.cn/public/traefik:v1.7.2
name: traefik-ingress
ports:
- name: controller
containerPort: 80
hostPort: 81
- name: admin-web
containerPort: 8080
securityContext:
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
args:
- --api
- --kubernetes
- --logLevel=INFO
- --insecureskipverify=true
- --kubernetes.endpoint=https://192.168.1.200:7443
- --accesslog
- --accesslog.filepath=/var/log/traefik_access.log
- --traefiklog
- --traefiklog.filepath=/var/log/traefik.log
- --metrics.prometheus
vi svc.yaml
kind: Service
apiVersion: v1
metadata:
name: traefik-ingress-service
namespace: kube-system
spec:
selector:
k8s-app: traefik-ingress
ports:
- protocol: TCP
port: 80
name: controller
- protocol: TCP
port: 8080
name: admin-web
vi ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: traefik-web-ui
namespace: kube-system
annotations:
kubernetes.io/ingress.class: traefik
spec:
rules:
- host: traefik.rongbiz.cn
http:
paths:
- path: /
backend:
serviceName: traefik-ingress-service
servicePort: 8080
kubectl apply -f http://k8s-yaml.rongbiz.cn/traefik/rbac.yaml
kubectl apply -f http://k8s-yaml.rongbiz.cn/traefik/ds.yaml
kubectl apply -f http://k8s-yaml.rongbiz.cn/traefik/svc.yaml
kubectl apply -f http://k8s-yaml.rongbiz.cn/traefik/ingress.yaml
重启kubelet,重启docker
rstx-201和rstx-202上:
vim /etc/nginx/conf.d/rongbiz.cn.conf
upstream default_backend_traefik {
server 192.168.1.203:81 max_fails=3 fail_timeout=10s;
server 192.168.1.204:81 max_fails=3 fail_timeout=10s;
server 192.168.1.205:81 max_fails=3 fail_timeout=10s;
}
server {
server_name *.rongbiz.cn;
location / {
proxy_pass http://default_backend_traefik;
proxy_set_header Host $http_host;
proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
}
}
nginx -s reload
配置dns解析
cat /var/named/rongbiz.cn.zone
$ORIGIN rongbiz.cn.
$TTL 600 ; 10 minutes
@ IN SOA dns.rongbiz.cn. dnsadmin.rongbiz.cn. (
2020053004 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns.rongbiz.cn.
$TTL 60 ; 1 minute
dns A 10.4.7.11
harbor A 10.4.7.200
k8s-yaml A 10.4.7.200
traefik A 192.168.1.200
systemctl restart named
浏览器访问traefik:
http://traefik.rongbiz.cn