Traefik & Kubernetes

The Kubernetes ingress controller, the custom resource way.

Traefik used to support Kubernetes only through the Kubernetes Ingress provider, which is a Kubernetes Ingress controller in the strict sense of the term.

However, as the community expressed the need to benefit from Traefik features without resorting to (lots of) annotations, we ended up writing a Custom Resource Definition (alias CRD in the following) for an IngressRoute type, defined below, in order to provide a better way to configure access to a Kubernetes cluster.

Configuration Requirements

All Steps for a Successful Deployment

  • Add/update all the Traefik resource definitions
  • Add/update the RBAC for the Traefik custom resources
  • Use the Helm Chart or use a custom Traefik Deployment
    • Enable the kubernetesCRD provider
    • Apply the needed kubernetesCRD provider configuration
  • Add all needed Traefik custom resources

Initializing Resource Definition and RBAC

# All resources definition must be declared
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressrouteudps.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteUDP
    plural: ingressrouteudps
    singular: ingressrouteudp
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsstores.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSStore
    plural: tlsstores
    singular: tlsstore
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: traefikservices.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TraefikService
    plural: traefikservices
    singular: traefikservice
  scope: Namespaced

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller

rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
    verbs:
      - get
      - list
      - watch

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller

roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: default

Resource Configuration

When using KubernetesCRD as a provider, Traefik uses Custom Resource Definitions to retrieve its routing configuration. The Traefik Custom Resource Definitions are a Kubernetes implementation of the Traefik concepts. Their main particularities are:

  • The usage of name and namespace to refer to another Kubernetes resource.
  • The usage of secret for sensitive data, e.g.:
    • TLS certificates.
    • Authentication data.
  • The structure of the configuration.
  • The obligation to declare all the definitions.

The Traefik CRDs are building blocks that you can assemble according to your needs. See the list of CRDs in the dedicated routing section.

LetsEncrypt Support with the Custom Resource Definition Provider

By design, Traefik is a stateless application, meaning that it only derives its configuration from the environment it runs in, without additional configuration. For this reason, users can run multiple instances of Traefik at the same time to achieve HA, as is a common pattern in the Kubernetes ecosystem.

When using a single instance of Traefik with LetsEncrypt, no issues should be encountered; however, this could be a single point of failure. Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with LetsEncrypt enabled, because there is no way to ensure that the correct instance of Traefik will receive the challenge request and the subsequent responses. Previous versions of Traefik used a KV store to attempt to achieve this, but that feature was dropped in 2.0 because of its sub-optimal performance.

If you require LetsEncrypt with HA in a Kubernetes environment, we recommend using TraefikEE, where distributed LetsEncrypt is a supported feature.

If you want to continue running Traefik Community Edition, LetsEncrypt HA can be achieved by using a certificate controller such as Cert-Manager. When Cert-Manager manages certificates, it creates secrets in your namespaces that can be referenced as TLS secrets in your ingress objects. When using the Traefik Kubernetes CRD Provider, Cert-Manager unfortunately cannot interface directly with the CRDs yet, but this is being worked on by our team. A workaround is to enable the Kubernetes Ingress provider so that Cert-Manager can create ingress objects to complete the challenges. Note that this still requires manual intervention to create the certificates through Cert-Manager, but once created, Cert-Manager keeps the certificate renewed.

Provider Configuration

endpoint

Optional, Default: empty

# File (TOML)
[providers.kubernetesCRD]
  endpoint = "http://localhost:8080"
  # ...

# File (YAML)
providers:
  kubernetesCRD:
    endpoint: "http://localhost:8080"
    # ...

# CLI
--providers.kubernetescrd.endpoint=http://localhost:8080

The Kubernetes server endpoint as a URL.

When deployed into Kubernetes, Traefik reads the environment variables KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT or KUBECONFIG to construct the endpoint.

The access token is looked up in /var/run/secrets/kubernetes.io/serviceaccount/token and the SSL CA certificate in /var/run/secrets/kubernetes.io/serviceaccount/ca.crt. Both are mounted automatically when deployed inside Kubernetes.

The endpoint may be specified to override the environment variable values inside a cluster.

When the environment variables are not found, Traefik tries to connect to the Kubernetes API server with an external-cluster client. In this case, the endpoint is required. Specifically, it may be set to the URL used by kubectl proxy to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.

token

Optional, Default: empty

# File (TOML)
[providers.kubernetesCRD]
  token = "mytoken"
  # ...

# File (YAML)
providers:
  kubernetesCRD:
    token: "mytoken"
    # ...

# CLI
--providers.kubernetescrd.token=mytoken

The bearer token used for the Kubernetes client configuration.

certAuthFilePath

Optional, Default: empty

# File (TOML)
[providers.kubernetesCRD]
  certAuthFilePath = "/my/ca.crt"
  # ...

# File (YAML)
providers:
  kubernetesCRD:
    certAuthFilePath: "/my/ca.crt"
    # ...

# CLI
--providers.kubernetescrd.certauthfilepath=/my/ca.crt

Path to the certificate authority file. Used for the Kubernetes client configuration.

namespaces

Optional, Default: all namespaces (empty array)

# File (TOML)
[providers.kubernetesCRD]
  namespaces = ["default", "production"]
  # ...

# File (YAML)
providers:
  kubernetesCRD:
    namespaces:
    - "default"
    - "production"
    # ...

# CLI
--providers.kubernetescrd.namespaces=default,production

Array of namespaces to watch.

labelselector

Optional, Default: empty (process all resources)

# File (TOML)
[providers.kubernetesCRD]
  labelselector = "A and not B"
  # ...

# File (YAML)
providers:
  kubernetesCRD:
    labelselector: "A and not B"
    # ...

# CLI
--providers.kubernetescrd.labelselector="A and not B"

By default, Traefik processes all resource objects in the configured namespaces. A label selector can be defined to filter on specific resource objects only.

See label selectors for details.

ingressClass

Optional, Default: empty

# File (TOML)
[providers.kubernetesCRD]
  ingressClass = "traefik-internal"
  # ...

# File (YAML)
providers:
  kubernetesCRD:
    ingressClass: "traefik-internal"
    # ...

# CLI
--providers.kubernetescrd.ingressclass=traefik-internal

Value of the kubernetes.io/ingress.class annotation that identifies the resource objects to be processed.

If the parameter is non-empty, only resources containing an annotation with the same value are processed. Otherwise, resources missing the annotation, having an empty value, or having the value traefik are processed.
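As an added example (not Traefik's code), the following Python function models the selection rules documented for the namespaces and ingressClass options, so the edge cases (missing annotation, empty value, the literal value traefik, an object in an unwatched namespace) can be checked before relying on them to keep a second ingress controller's objects out of this instance. The sample objects are constructed here and assume the usual metadata.namespace and metadata.annotations layout.

```python
# Added example, not Traefik's code: a model of the documented resource filtering
# of the kubernetesCRD provider (namespaces list + ingressClass annotation rule).
INGRESS_CLASS_ANNOTATION = "kubernetes.io/ingress.class"


def is_processed(obj, ingress_class="", namespaces=()):
    """Return True when a CRD object would be handled under the documented rules.

    obj: a Kubernetes object as a dict (metadata.namespace, metadata.annotations).
    ingress_class: the providers.kubernetesCRD.ingressClass setting ("" = unset).
    namespaces: the providers.kubernetesCRD.namespaces setting (empty = all).
    """
    meta = obj.get("metadata", {})
    # Objects outside the watched namespaces are never seen by the provider.
    if namespaces and meta.get("namespace") not in namespaces:
        return False
    annotations = meta.get("annotations") or {}
    value = annotations.get(INGRESS_CLASS_ANNOTATION)
    if ingress_class:
        # Non-empty setting: only objects annotated with exactly that value.
        return value == ingress_class
    # Empty setting: missing annotation, empty value, or "traefik" are processed.
    return value in (None, "", "traefik")


# Constructed sample objects, not taken from any real cluster.
INTERNAL = {"metadata": {"name": "api", "namespace": "production",
                         "annotations": {INGRESS_CLASS_ANNOTATION: "traefik-internal"}}}
UNANNOTATED = {"metadata": {"name": "web", "namespace": "default"}}
OTHER_CLASS = {"metadata": {"name": "legacy", "namespace": "default",
                            "annotations": {INGRESS_CLASS_ANNOTATION: "nginx"}}}
```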

throttleDuration

Optional, Default: 0 (no throttling)

# File (TOML)
[providers.kubernetesCRD]
  throttleDuration = "10s"
  # ...

# File (YAML)
providers:
  kubernetesCRD:
    throttleDuration: "10s"
    # ...

# CLI
--providers.kubernetescrd.throttleDuration=10s

Further

See also the full example with Let's Encrypt.