7.2.4 Traefik Feature Examples

Annotation configuration explained

General configuration

  • kubernetes.io/ingress.class: traefik

    Declares the Ingress class: this Ingress is handled by the Traefik controller rather than the NGINX one.

  • ingress.kubernetes.io/whitelist-source-range: "1.2.3.0/24, fe80::/16"

    Configures an access whitelist; both IPv4 and IPv6 ranges are supported.

  • ingress.kubernetes.io/auth-type: basic

    HTTP authentication mode; here basic auth.

  • ingress.kubernetes.io/auth-secret: mysecret

    The username and password for basic auth, which correspond to a Secret in the Kubernetes namespace where Traefik is deployed.

Frontend configuration

  • traefik.frontend.rule.type: PathPrefixStrip

    This option is required when multiple path forwards are configured on the frontend. For example:

  • traefik.frontend.priority: "3"

    Sets the frontend priority; the higher the value, the earlier it is matched.

  • traefik.frontend.passHostHeader: "false"

    Stops the incoming Host header from being passed through to the backend.

  • traefik.protocol=https

    Use the HTTPS protocol.

  • traefik.frontend.entryPoints=http,https

    Support both HTTP and HTTPS.

Backend configuration

  • traefik.backend.loadbalancer.method=drr

    Load balancing strategy for the backend Service. Traefik currently supports wrr (weighted round robin) and drr (dynamic round robin).

  • traefik.backend.loadbalancer.stickiness=true

    Whether to enable session affinity on the load balancer.

  • traefik.backend.loadbalancer.stickiness.cookieName=NAME

    Manually sets the cookie name used for backend session affinity.

  • traefik.backend.loadbalancer.sticky=true

    Deprecated.

Health checks

  • traefik.backend.healthcheck.path=/health

    Path used by Traefik's health check.

  • traefik.backend.healthcheck.interval=5s

    Interval between health checks.

  • traefik.backend.circuitbreaker: "NetworkErrorRatio() > 0.5"

    When the error rate of the service on a node reaches 50%, that node is automatically taken out of rotation.

  • traefik.backend.circuitbreaker: "LatencyAtQuantileMS(50.0) > 50"

    When the latency of the service on a node exceeds 50 ms, that node is automatically taken out of rotation.

  • traefik.backend.circuitbreaker: "ResponseCodeRatio(500, 600, 0, 600) > 0.5"

    When responses with a status code in [500, 600) make up more than 50% of those in [0, 600), that node is automatically taken out of rotation.
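As an added example (not code from the page or from Traefik), the following Python re-implements the three metrics behind these circuit breaker expressions and evaluates them over a constructed request window for one backend, so you can see which rule would open the breaker. The nearest-rank quantile and the fixed window are simplifications of Traefik's own sliding-window bookkeeping.

```python
import math
from typing import Callable, Dict, List, Optional, Tuple

# One observation per request to a single backend: (network_error, status_code, latency_ms).
Observation = Tuple[bool, Optional[int], float]

# Constructed sample window for one backend (not real Traefik data); None = no HTTP response.
SAMPLE_REQUESTS: List[Observation] = [
    (False, 200, 12.0), (False, 500, 130.0), (True, None, 0.0),
    (False, 503, 95.0), (False, 200, 18.0), (False, 502, 88.0),
    (True, None, 0.0), (False, 500, 70.0), (False, 200, 22.0),
    (False, 504, 110.0),
]

def network_error_ratio(reqs: List[Observation]) -> float:
    """Share of requests that failed at the network level (no HTTP response)."""
    return sum(1 for err, _, _ in reqs if err) / len(reqs)

def latency_at_quantile_ms(reqs: List[Observation], quantile: float) -> float:
    """Nearest-rank latency quantile (0-100) over requests that got a response.
    Traefik measures this on its own sliding window; this is a simplified stand-in."""
    lat = sorted(ms for err, _, ms in reqs if not err)
    if not lat:
        return 0.0
    rank = max(1, math.ceil(quantile / 100.0 * len(lat)))
    return lat[rank - 1]

def response_code_ratio(reqs: List[Observation], lo: int, hi: int,
                        from_: int, to: int) -> float:
    """Responses with status in [lo, hi) divided by responses with status in [from_, to)."""
    codes = [code for err, code, _ in reqs if not err and code is not None]
    denom = sum(1 for c in codes if from_ <= c < to)
    return sum(1 for c in codes if lo <= c < hi) / denom if denom else 0.0

# The three circuit breaker expressions from the annotations above.
RULES: Dict[str, Callable[[List[Observation]], bool]] = {
    "NetworkErrorRatio() > 0.5": lambda r: network_error_ratio(r) > 0.5,
    "LatencyAtQuantileMS(50.0) > 50": lambda r: latency_at_quantile_ms(r, 50.0) > 50,
    "ResponseCodeRatio(500, 600, 0, 600) > 0.5":
        lambda r: response_code_ratio(r, 500, 600, 0, 600) > 0.5,
}

def evaluate_rules(reqs: List[Observation]) -> Dict[str, bool]:
    """For each expression, report whether it would open the breaker on this window."""
    return {name: check(reqs) for name, check in RULES.items()}

if __name__ == "__main__":
    for name, tripped in evaluate_rules(SAMPLE_REQUESTS).items():
        print(f"{name}: {'open (backend taken out)' if tripped else 'closed'}")
```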

Traefik custom HTTPS certificate

Configure the TLS certificate afterwards; this certificate can only be used by Ingresses in the same namespace.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik-ui.minikube
    http:
      paths:
      - backend:
          serviceName: traefik-web-ui
          servicePort: 80
  tls:
    - secretName: traefik-ui-tls-cert

Create the Secret in the namespace where the Ingress was created:

kubectl -n kube-system create secret tls traefik-ui-tls-cert --key=tls.key --cert=tls.crt

Define the backend distribution strategy

Several load balancing methods are supported here. wrr: weighted round robin. drr: dynamic round robin, which increases the weight of servers that perform better than the others; when a server's performance changes, its weight also falls back to normal.

This is defined on the Service resource, not on the Ingress resource:

kind: Service
apiVersion: v1
metadata:
  name: nginx
  annotations:
    traefik.ingress.kubernetes.io/load-balancer-method: drr
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80

Session stickiness

All load balancers support sticky sessions. When sticky sessions are enabled, a cookie named _TRAEFIK_BACKEND is set on the initial request. On subsequent requests the client is forwarded directly to the backend stored in that cookie (provided it is healthy); if that backend is unavailable, a new backend is assigned. Enable this by adding the annotation traefik.ingress.kubernetes.io/affinity: "true".

This is defined on the Service resource, not on the Ingress resource:

kind: Service
apiVersion: v1
metadata:
  name: nginx
  annotations:
    traefik.ingress.kubernetes.io/affinity: "true"
    traefik.ingress.kubernetes.io/load-balancer-method: drr
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80

The request and response headers look like this:

➜  ~ curl -H "Host: ngx09.gxd88.cn" http://internal/api/ -v
> GET /api/ HTTP/1.1
> Host: ngx09.gxd88.cn
> User-Agent: curl/7.51.0
> Accept: */*
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Content-Length: 612
< Content-Type: text/html
< Date: Sun, 05 Aug 2018 04:07:11 GMT
< Etag: "54999765-264"
< Last-Modified: Tue, 23 Dec 2014 16:25:09 GMT
< Server: nginx/1.7.9
< Set-Cookie: _c43d4=http://172.20.0.162:80; Path=/    <-- the cookie records the backend service IP
< Vary: Accept-Encoding

Force HTTP to HTTPS redirect

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx05
  namespace: default
  labels:
    traffic-type: internal
  annotations:
    traefik.ingress.kubernetes.io/redirect-entry-point: https
spec:
  rules:
  - host: ngx05.gxd88.cn
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80

Or use a rewrite:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: redirectdomain
  namespace: default
  labels:
    traffic-type: internal
  annotations:
    traefik.ingress.kubernetes.io/redirect-permanent: "true"
    traefik.ingress.kubernetes.io/redirect-regex: ^http://(.*)
    traefik.ingress.kubernetes.io/redirect-replacement: https://$1
spec:
  rules:
  - host: redirectdomain.gxd88.cn
    http:
      paths:
      - path: /image
        backend:
          serviceName: nginx
          servicePort: 80

Custom request headers

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: internal
  namespace: default
  labels:
    traffic-type: internal
  annotations:
    kubernetes.io/ingress.class: traefik
    ingress.kubernetes.io/custom-request-headers: traffic-type:internal||team:devops
spec:
  rules:
  - host: ngx-internal.gxd88.cn
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80

Add a prefix to the request path

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: addpath
  namespace: default
  labels:
    traffic-type: internal
  annotations:
    traefik.ingress.kubernetes.io/request-modifier: AddPrefix:/api
spec:
  rules:
  - host: ngx09.wecsh.net
    http:
      paths:
      - path: /a
        backend:
          serviceName: nginx
          servicePort: 80

A request for ngx09.wecsh.net/a reaches the backend service as /api/a.

Strip a prefix from the request path

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: deletepath01
  namespace: default
  labels:
    traffic-type: internal
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/rule-type: PathPrefixStrip
spec:
  rules:
  - host: del.gxd88.cn
    http:
      paths:
      - path: /api/v1
        backend:
          serviceName: nginx
          servicePort: 80

A request for del.gxd88.cn/api/v1/1 reaches the backend as del.gxd88.cn/1.

Define a whitelist

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx03
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik-external
    ingress.kubernetes.io/whitelist-x-forwarded-for: "false"
    traefik.ingress.kubernetes.io/whitelist-source-range: "10.40.0.227"
spec:
  rules:
  - host: ngx03.gxd88.cn
    http:
      paths:
      - path: /api
        backend:
          serviceName: nginx
          servicePort: 80
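As an added example (not code from the page or from Traefik), the following Python mirrors how whitelist-source-range and whitelist-x-forwarded-for work together: the ranges are parsed as in the general annotation above (IPv4 and IPv6, or a single host as in this Ingress), and the check is run once against the TCP peer address and once against X-Forwarded-For, which shows why "false" is the safe setting unless a proxy you control sits in front of Traefik and sets that header.

```python
import ipaddress
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

def parse_source_range(annotation: str) -> List[Network]:
    """Parse a whitelist-source-range value such as "1.2.3.0/24, fe80::/16".
    A bare address like "10.40.0.227" becomes a single-host network."""
    return [ipaddress.ip_network(part.strip(), strict=False)
            for part in annotation.split(",") if part.strip()]

def client_address(remote_addr: str, headers: Dict[str, str],
                   trust_x_forwarded_for: bool) -> str:
    """Address the whitelist is evaluated against. trust_x_forwarded_for mirrors
    whitelist-x-forwarded-for: when true the first X-Forwarded-For entry wins,
    otherwise the TCP peer address is used."""
    if trust_x_forwarded_for:
        xff = headers.get("X-Forwarded-For", "")
        if xff.strip():
            return xff.split(",")[0].strip()
    return remote_addr

def is_allowed(networks: List[Network], remote_addr: str,
               headers: Dict[str, str], trust_x_forwarded_for: bool) -> bool:
    """True when the chosen client address falls inside any whitelisted network."""
    try:
        ip = ipaddress.ip_address(client_address(remote_addr, headers, trust_x_forwarded_for))
    except ValueError:
        return False  # unparsable address: fail closed
    return any(ip in net for net in networks)

if __name__ == "__main__":
    nets = parse_source_range("1.2.3.0/24, fe80::/16")
    # Constructed requests: a peer inside the range, and a peer outside it whose
    # X-Forwarded-For header claims an inside address (only a proxy you control
    # should be allowed to set that header).
    inside = ("1.2.3.77", {})
    forged = ("203.0.113.9", {"X-Forwarded-For": "1.2.3.4"})
    for trust in (False, True):
        print(f'whitelist-x-forwarded-for: "{str(trust).lower()}"')
        print("  peer inside range:", "allowed" if is_allowed(nets, *inside, trust) else "denied")
        print("  outside peer, forged XFF:", "allowed" if is_allowed(nets, *forged, trust) else "denied")
```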
