Traefik & Kubernetes

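The Kubernetes Ingress Controller.

The Traefik Kubernetes Ingress provider is a Kubernetes Ingress controller; that is to say, it manages access to cluster services by supporting the Ingress specification.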

Enabling and using the provider

The provider is usually enabled through the static configuration:

File (TOML)

[providers.kubernetesIngress]

File (YAML)

providers:
  kubernetesIngress: {}

CLI

--providers.kubernetesingress=true

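The provider then watches for incoming Ingress events, such as the example below, and derives the corresponding dynamic configuration from them, which in turn creates the resulting routers, services, handlers, etc.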

kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: "foo"
  namespace: production

spec:
  rules:
    - host: foo.com
      http:
        paths:
          - path: /bar
            backend:
              serviceName: service1
              servicePort: 80
          - path: /foo
            backend:
              serviceName: service1
              servicePort: 80

LetsEncrypt Support with the Ingress Provider

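By design, Traefik is a stateless application, meaning that it only derives its configuration from the environment it runs in, without additional configuration. For this reason, users can run multiple instances of Traefik at the same time to achieve HA, which is a common pattern in the Kubernetes ecosystem.

When using a single instance of Traefik with LetsEncrypt, no issues should be encountered; however, this could be a single point of failure. Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with LetsEncrypt enabled, because there is no way to ensure that the correct instance of Traefik will receive the challenge request and the subsequent responses. Earlier versions of Traefik used a KV store to attempt to achieve this, but due to sub-optimal performance the feature was dropped in 2.0.

If you require LetsEncrypt with HA in a Kubernetes environment, we recommend using TraefikEE, where distributed LetsEncrypt is a supported feature.

If you want to keep running Traefik Community Edition, LetsEncrypt HA can be achieved by using a certificate controller such as Cert-Manager. When Cert-Manager is used to manage certificates, it creates secrets in your namespaces that can be referenced as TLS secrets in your Ingress objects.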

Provider Configuration

endpoint

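Optional, Default=empty

File (TOML)

[providers.kubernetesIngress]
  endpoint = "http://localhost:8080"
  # ...

File (YAML)

providers:
  kubernetesIngress:
    endpoint: "http://localhost:8080"
    # ...

CLI

--providers.kubernetesingress.endpoint=http://localhost:8080

The Kubernetes server endpoint as a URL, which is only used when the behavior based on environment variables described below does not apply.

When deployed into Kubernetes, Traefik reads the environment variables KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT or KUBECONFIG to construct the endpoint.

The access token is looked up in /var/run/secrets/kubernetes.io/serviceaccount/token and the SSL CA certificate in /var/run/secrets/kubernetes.io/serviceaccount/ca.crt. Both are mounted automatically when Traefik is deployed inside a Kubernetes pod.

When the environment variables are not found, Traefik tries to connect to the Kubernetes API server with an external-cluster client. In this case, the endpoint is required. Specifically, it may be set to the URL used by kubectl proxy to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.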

token

Optional, Default=empty

File (TOML)

[providers.kubernetesIngress]
  token = "mytoken"
  # ...

File (YAML)

providers:
  kubernetesIngress:
    token: "mytoken"
    # ...

CLI

--providers.kubernetesingress.token=mytoken

Bearer token used for the Kubernetes client configuration.

certAuthFilePath

Optional, Default=empty

File (TOML)

[providers.kubernetesIngress]
  certAuthFilePath = "/my/ca.crt"
  # ...

File (YAML)

providers:
  kubernetesIngress:
    certAuthFilePath: "/my/ca.crt"
    # ...

CLI

--providers.kubernetesingress.certauthfilepath=/my/ca.crt

Path to the certificate authority file. Used for the Kubernetes client configuration.

disablePassHostHeaders

Optional, Default=false

File (TOML)

[providers.kubernetesIngress]
  disablePassHostHeaders = true
  # ...

File (YAML)

providers:
  kubernetesIngress:
    disablePassHostHeaders: true
    # ...

CLI

--providers.kubernetesingress.disablepasshostheaders=true

Whether to disable PassHost headers.

namespaces

Optional, Default: all namespaces (empty array)

File (TOML)

[providers.kubernetesIngress]
  namespaces = ["default", "production"]
  # ...

File (YAML)

providers:
  kubernetesIngress:
    namespaces:
      - "default"
      - "production"
    # ...

CLI

--providers.kubernetesingress.namespaces=default,production

Array of namespaces to watch.

labelSelector

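Optional, Default: empty (process all Ingresses)

File (TOML)

[providers.kubernetesIngress]
  labelSelector = "A and not B"
  # ...

File (YAML)

providers:
  kubernetesIngress:
    labelSelector: "A and not B"
    # ...

CLI

--providers.kubernetesingress.labelselector="A and not B"

By default, Traefik processes all Ingress objects in the configured namespaces. A label selector can be defined to filter on specific Ingress objects only.

See label selectors for details.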

ingressClass

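Optional, Default: empty

File (TOML)

[providers.kubernetesIngress]
  ingressClass = "traefik-internal"
  # ...

File (YAML)

providers:
  kubernetesIngress:
    ingressClass: "traefik-internal"
    # ...

CLI

--providers.kubernetesingress.ingressclass=traefik-internal

Value of the kubernetes.io/ingress.class annotation that identifies the Ingress objects to be processed.

If the parameter is non-empty, only Ingresses containing an annotation with the same value are processed. Otherwise, Ingresses that are missing the annotation, have an empty value, or have the value traefik are processed.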
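
The following Go sketch is an added example, not code from this page or from Traefik; the scope and ingress types and the sample objects are assumptions made for illustration. It applies the namespaces and ingressClass rules described above to show which Ingress objects a provider would process, and in particular that an empty ingressClass still picks up unannotated Ingresses in every watched namespace.

```go
package main

import "fmt"

const classAnnotation = "kubernetes.io/ingress.class" // annotation key named on the page

// scope and ingress are hypothetical stand-ins, not Traefik's own types.
type scope struct {
	namespaces   []string // empty: all namespaces are watched
	ingressClass string   // empty: default matching rule applies
}
type ingress struct {
	name, namespace string
	annotations     map[string]string
}

var samples = []ingress{ // constructed sample objects
	{"unannotated", "production", nil},
	{"empty-class", "default", map[string]string{classAnnotation: ""}},
	{"traefik-class", "staging", map[string]string{classAnnotation: "traefik"}},
	{"internal-admin", "production", map[string]string{classAnnotation: "traefik-internal"}},
	{"other-controller", "production", map[string]string{classAnnotation: "nginx"}},
}

// inScope applies the namespace and ingress-class rules stated on this page.
func (s scope) inScope(ing ingress) bool {
	watched := len(s.namespaces) == 0
	for _, ns := range s.namespaces {
		watched = watched || ns == ing.namespace
	}
	class, present := ing.annotations[classAnnotation]
	if s.ingressClass != "" {
		return watched && present && class == s.ingressClass
	}
	return watched && (!present || class == "" || class == "traefik")
}

// processed names the sample Ingresses a provider with scope s would handle.
func processed(s scope) []string {
	var names []string
	for _, ing := range samples {
		if s.inScope(ing) {
			names = append(names, ing.name)
		}
	}
	return names
}

func main() { fmt.Println(processed(scope{}), processed(scope{ingressClass: "traefik-internal"})) }
```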

ingressEndpoint

hostname

Optional, Default: empty

File (TOML)

[providers.kubernetesIngress.ingressEndpoint]
  hostname = "foo.com"
  # ...

File (YAML)

providers:
  kubernetesIngress:
    ingressEndpoint:
      hostname: "foo.com"
    # ...

CLI

--providers.kubernetesingress.ingressendpoint.hostname=foo.com

Hostname used for Kubernetes Ingress endpoints.

ip

Optional, Default: empty

File (TOML)

[providers.kubernetesIngress.ingressEndpoint]
  ip = "1.2.3.4"
  # ...

File (YAML)

providers:
  kubernetesIngress:
    ingressEndpoint:
      ip: "1.2.3.4"
    # ...

CLI

--providers.kubernetesingress.ingressendpoint.ip=1.2.3.4

IP used for Kubernetes Ingress endpoints.

publishedService

Optional, Default: empty

File (TOML)

[providers.kubernetesIngress.ingressEndpoint]
  publishedService = "foo-service"
  # ...

File (YAML)

providers:
  kubernetesIngress:
    ingressEndpoint:
      publishedService: "foo-service"
    # ...

CLI

--providers.kubernetesingress.ingressendpoint.publishedservice=foo-service

Published Kubernetes Service to copy status from.

throttleDuration

Optional, Default: 0 (no throttling)

File (TOML)

[providers.kubernetesIngress]
  throttleDuration = "10s"
  # ...

File (YAML)

providers:
  kubernetesIngress:
    throttleDuration: "10s"
    # ...

CLI

--providers.kubernetesingress.throttleDuration=10s

Further

To learn more about the various aspects of the Ingress spec that Traefik supports, see the many example Ingress definitions located in the test data of the Traefik repository.