7.2.4 Traefik功能示例

Annotate的配置详解

通用配置

kubernetes.io/ingress.class: traefik
Ingress声明，这里声明了ingress后端采用traefik实现，而不是nginx的controller
ingress.kubernetes.io/whitelist-source-range: "1.2.3.0/24, fe80::/16"
配置访问白名单，支持ipv4和ipv6
ingress.kubernetes.io/auth-type: basic
http认证模式，此处为basic模式
ingress.kubernetes.io/auth-secret: mysecret
basic认证的对应的username和password，这里对应的traefik所在kubernetes命名空间里的secrets

前端配置

traefik.frontend.rule.type: PathPrefixStrip
对于在前端配置多个路径转发时，必须配置改选项。例如：
traefik.frontend.priority: "3"
配置前端的权重，值越高则优先匹配
traefik.frontend.passHostHeader: "false"
关闭传入Hearder
traefik.protocol=https
使用https协议
traefik.frontend.entryPoints=http,https
同时支持http和https

后端配置

traefik.backend.loadbalancer.method=drr
后端Service的负载均衡策略，目前traefik支持的策略包括：wrr（加权轮训调度算法）和drr（动态加权循环调度算法）
traefik.backend.loadbalancer.stickiness=true
是否开启负载均衡器的session亲和性
traefik.backend.loadbalancer.stickiness.cookieName=NAME
手动配置后端session亲和性的cookie名称
traefik.backend.loadbalancer.sticky=true
弃用

健康检查

traefik.backend.healthcheck.path=/health
traefik的监控检查路径
traefik.backend.healthcheck.interval=5s
健康检查的时间间隔
traefik.backend.circuitbreaker: "NetworkErrorRatio() > 0.5"
监测某台节点上的服务错误率达到50%时，自动下线该节点。
traefik.backend.circuitbreaker: "LatencyAtQuantileMS(50.0) > 50"
监测某台节点上服务的延时大于50ms时，自动下线该节点。
traefik.backend.circuitbreaker: "ResponseCodeRatio(500, 600, 0, 600) > 0.5"
监测某台节点上服务返回状态码为[500-600]在[0-600]区间占比超过50%时，自动下线该节点。

Traffik 自定义https证书

后期配置tls证书，此证书只允许具有相同namespace ingress使用

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik-ui.minikube
    http:
      paths:
      - backend:
          serviceName: traefik-web-ui
          servicePort: 80
  tls:
    - secretName: traefik-ui-tls-cert

在ingress 创建的空间内创建secert

kubectl -n kube-system create secret tls traefik-ui-tls-cert --key=tls.key --cert=tls.crt

定义后端的分发策略

这里支持多种负载均衡方法： wrr: 加权轮询 drr: 动态轮询: 这会为表现比其他服务器好的服务器增加权重。当服务器表现有变化的时，它也会会退到正常权重。

定义在service 资源中，不能定义在ingress资源中

kind: Service
apiVersion: v1
metadata:
  name: nginx
  annotations:
traefik.ingress.kubernetes.io/load-balancer-method: drr
spec:
  selector:
app: nginx
  ports:
- protocol: TCP
  port: 80
  targetPort: 80

session 粘滞

所有的负载平衡器都支持粘滞会话(sticky sessions)。当粘滞会话被开启时，会有一个名称叫做_TRAEFIK_BACKEND的cookie在请求被初始化时被设置在请求初始化时。在随后的请求中，客户端会被直接转发到这个cookie中存储的后端（当然它要是健康可用的），如果这个后端不可用，将会指定一个新的后端。开启的方法为添加traefik.ingress.kubernetes.io/affinity: "true" 的annotations

定义在service 资源中，不能定义在ingress资源中

kind: Service
apiVersion: v1
metadata:
  name: nginx
  annotations:
traefik.ingress.kubernetes.io/affinity: "true"
traefik.ingress.kubernetes.io/load-balancer-method: drr
spec:
  selector:
app: nginx
  ports:
- protocol: TCP
  port: 80
  targetPort: 80

请求header 如下

➜  ~ curl -H "Host: ngx09.gxd88.cn" http://internal/api/ -v
GET /api/ HTTP/1.1
Host: ngx09.gxd88.cn
User-Agent: curl/7.51.0
Accept: /
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Content-Length: 612
< Content-Type: text/html
< Date: Sun, 05 Aug 2018 04:07:11 GMT
< Etag: "54999765-264"
< Last-Modified: Tue, 23 Dec 2014 16:25:09 GMT
< Server: nginx/1.7.9
< Set-Cookie: _c43d4=http://172.20.0.162:80; Path=/.   cookie 记录后端服务IP
< Vary: Accept-Encoding

http 强制跳转https

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx05
  namespace: default
  labels:
    traffic-type: internal
  annotations:
    traefik.ingress.kubernetes.io/redirect-entry-point: https
spec:
  rules:
  - host: ngx05.gxd88.cn
http:
  paths:
  - backend:
  serviceName: nginx
  servicePort: 80

或者使用rewrite

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: redirectdomain
  namespace: default
  labels:
    traffic-type: internal
  annotations:
    traefik.ingress.kubernetes.io/redirect-permanent: "true"
    traefik.ingress.kubernetes.io/redirect-regex: ^http://(.*)
    traefik.ingress.kubernetes.io/redirect-replacement: https://$1
spec:
  rules:
  - host: redirectdomain.gxd88.cn
    http:
      paths:
      - path: /image
        backend:
          serviceName: nginx
          servicePort: 80

自定义请求header

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: internal
  namespace: default
  labels:
    traffic-type: internal
  annotations:
    kubernetes.io/ingress.class: traefik
    ingress.kubernetes.io/custom-request-headers: traffic-type:internal||team:devops
spec:
  rules:
  - host: ngx-internal.gxd88.cn
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80

请求路径前添加路径

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: addpath
  namespace: default
  labels:
    traffic-type: internal
  annotations:
    traefik.ingress.kubernetes.io/request-modifier: AddPrefix:/api
spec:
  rules:
  - host: ngx09.wecsh.net
    http:
      paths:
      - path: /a
        backend:
          serviceName: nginx
          servicePort: 80

请求ngx09.wecsh.net/a 到后端服务为/api/a

请求路径删除前缀

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: deletepath01
  namespace: default
  labels:
    traffic-type: internal
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/rule-type: PathPrefixStrip
spec:
  rules:
  - host: del.gxd88.cn
    http:
      paths:
      - path: /api/v1
        backend:
          serviceName: nginx
          servicePort: 80

请求del.gxd88.cn/api/v1/1到后端为del.gxd88.cn/1

定义白名单

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx03
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik-external
    ingress.kubernetes.io/whitelist-x-forwarded-for: "false"
    traefik.ingress.kubernetes.io/whitelist-source-range: "10.40.0.227"
spec:
  rules:
  - host: ngx03.gxd88.cn
    http:
      paths: /api
      - backend:
          serviceName: nginx
          servicePort: 80

上一页7.2.3 分场景使用示例下一页7.2.5 Traefik日志收集

最后更新于5年前

这有帮助吗？

7.2.4 Traefik功能示例

Annotate的配置详解

通用配置

kubernetes.io/ingress.class: traefik
Ingress声明，这里声明了ingress后端采用traefik实现，而不是nginx的controller
ingress.kubernetes.io/whitelist-source-range: "1.2.3.0/24, fe80::/16"
配置访问白名单，支持ipv4和ipv6
ingress.kubernetes.io/auth-type: basic
http认证模式，此处为basic模式
ingress.kubernetes.io/auth-secret: mysecret
basic认证的对应的username和password，这里对应的traefik所在kubernetes命名空间里的secrets

前端配置

traefik.frontend.rule.type: PathPrefixStrip
对于在前端配置多个路径转发时，必须配置改选项。例如：
traefik.frontend.priority: "3"
配置前端的权重，值越高则优先匹配
traefik.frontend.passHostHeader: "false"
关闭传入Hearder
traefik.protocol=https
使用https协议
traefik.frontend.entryPoints=http,https
同时支持http和https

后端配置

traefik.backend.loadbalancer.method=drr
后端Service的负载均衡策略，目前traefik支持的策略包括：wrr（加权轮训调度算法）和drr（动态加权循环调度算法）
traefik.backend.loadbalancer.stickiness=true
是否开启负载均衡器的session亲和性
traefik.backend.loadbalancer.stickiness.cookieName=NAME
手动配置后端session亲和性的cookie名称
traefik.backend.loadbalancer.sticky=true
弃用

健康检查

traefik.backend.healthcheck.path=/health
traefik的监控检查路径
traefik.backend.healthcheck.interval=5s
健康检查的时间间隔
traefik.backend.circuitbreaker: "NetworkErrorRatio() > 0.5"
监测某台节点上的服务错误率达到50%时，自动下线该节点。
traefik.backend.circuitbreaker: "LatencyAtQuantileMS(50.0) > 50"
监测某台节点上服务的延时大于50ms时，自动下线该节点。
traefik.backend.circuitbreaker: "ResponseCodeRatio(500, 600, 0, 600) > 0.5"
监测某台节点上服务返回状态码为[500-600]在[0-600]区间占比超过50%时，自动下线该节点。

Traffik 自定义https证书

后期配置tls证书，此证书只允许具有相同namespace ingress使用

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik-ui.minikube
    http:
      paths:
      - backend:
          serviceName: traefik-web-ui
          servicePort: 80
  tls:
    - secretName: traefik-ui-tls-cert

在ingress 创建的空间内创建secert

kubectl -n kube-system create secret tls traefik-ui-tls-cert --key=tls.key --cert=tls.crt

定义后端的分发策略

定义在service 资源中，不能定义在ingress资源中

kind: Service
apiVersion: v1
metadata:
  name: nginx
  annotations:
traefik.ingress.kubernetes.io/load-balancer-method: drr
spec:
  selector:
app: nginx
  ports:
- protocol: TCP
  port: 80
  targetPort: 80

session 粘滞

定义在service 资源中，不能定义在ingress资源中

kind: Service
apiVersion: v1
metadata:
  name: nginx
  annotations:
traefik.ingress.kubernetes.io/affinity: "true"
traefik.ingress.kubernetes.io/load-balancer-method: drr
spec:
  selector:
app: nginx
  ports:
- protocol: TCP
  port: 80
  targetPort: 80

请求header 如下

➜  ~ curl -H "Host: ngx09.gxd88.cn" http://internal/api/ -v
GET /api/ HTTP/1.1
Host: ngx09.gxd88.cn
User-Agent: curl/7.51.0
Accept: /
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Content-Length: 612
< Content-Type: text/html
< Date: Sun, 05 Aug 2018 04:07:11 GMT
< Etag: "54999765-264"
< Last-Modified: Tue, 23 Dec 2014 16:25:09 GMT
< Server: nginx/1.7.9
< Set-Cookie: _c43d4=http://172.20.0.162:80; Path=/.   cookie 记录后端服务IP
< Vary: Accept-Encoding

http 强制跳转https

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx05
  namespace: default
  labels:
    traffic-type: internal
  annotations:
    traefik.ingress.kubernetes.io/redirect-entry-point: https
spec:
  rules:
  - host: ngx05.gxd88.cn
http:
  paths:
  - backend:
  serviceName: nginx
  servicePort: 80

或者使用rewrite

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: redirectdomain
  namespace: default
  labels:
    traffic-type: internal
  annotations:
    traefik.ingress.kubernetes.io/redirect-permanent: "true"
    traefik.ingress.kubernetes.io/redirect-regex: ^http://(.*)
    traefik.ingress.kubernetes.io/redirect-replacement: https://$1
spec:
  rules:
  - host: redirectdomain.gxd88.cn
    http:
      paths:
      - path: /image
        backend:
          serviceName: nginx
          servicePort: 80

自定义请求header

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: internal
  namespace: default
  labels:
    traffic-type: internal
  annotations:
    kubernetes.io/ingress.class: traefik
    ingress.kubernetes.io/custom-request-headers: traffic-type:internal||team:devops
spec:
  rules:
  - host: ngx-internal.gxd88.cn
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80

请求路径前添加路径

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: addpath
  namespace: default
  labels:
    traffic-type: internal
  annotations:
    traefik.ingress.kubernetes.io/request-modifier: AddPrefix:/api
spec:
  rules:
  - host: ngx09.wecsh.net
    http:
      paths:
      - path: /a
        backend:
          serviceName: nginx
          servicePort: 80

请求ngx09.wecsh.net/a 到后端服务为/api/a

请求路径删除前缀

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: deletepath01
  namespace: default
  labels:
    traffic-type: internal
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/rule-type: PathPrefixStrip
spec:
  rules:
  - host: del.gxd88.cn
    http:
      paths:
      - path: /api/v1
        backend:
          serviceName: nginx
          servicePort: 80

请求del.gxd88.cn/api/v1/1到后端为del.gxd88.cn/1

定义白名单

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx03
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik-external
    ingress.kubernetes.io/whitelist-x-forwarded-for: "false"
    traefik.ingress.kubernetes.io/whitelist-source-range: "10.40.0.227"
spec:
  rules:
  - host: ngx03.gxd88.cn
    http:
      paths: /api
      - backend:
          serviceName: nginx
          servicePort: 80

上一页7.2.3 分场景使用示例下一页7.2.5 Traefik日志收集

最后更新于5年前

这有帮助吗？