在k8s-60.host.com上

[root@k8s-60 k8s-yaml]# docker pull traefik:v1.7.2-alpine
[root@k8s-60 k8s-yaml]# docker images|grep traefik
[root@k8s-60 k8s-yaml]# docker tag add5fac61ae5 harbor.od.com/public/traefik:v1.7.2
[root@k8s-60 k8s-yaml]# docker push  harbor.od.com/public/traefik:v1.7.2

2.准备资源配置清单

在k8s-60.host.com上

[root@k8s-60 k8s-yaml]# mkdir traefik
[root@k8s-60 k8s-yaml]# cd traefik/

rbac.yaml

[root@k8s-60 traefik]# vi rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system

ds.yaml

[root@k8s-60 traefik]# vi ds.yaml
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: traefik-ingress
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress
        name: traefik-ingress
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      - image: harbor.od.com/public/traefik:v1.7.2
        name: traefik-ingress
        ports:
        - name: controller
          containerPort: 80
          hostPort: 81        # 把容器内的80端口映射到宿主机的81端口
        - name: admin-web
          containerPort: 8080
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
        - --insecureskipverify=true
        - --kubernetes.endpoint=https://192.168.10.10:7443        # VIP地址
        - --accesslog
        - --accesslog.filepath=/var/log/traefik_access.log
        - --traefiklog
        - --traefiklog.filepath=/var/log/traefik.log
        - --metrics.prometheus

svc.yaml

[root@k8s-60 traefik]# vi svc.yaml
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress
  ports:
    - protocol: TCP
      port: 80
      name: controller
    - protocol: TCP
      port: 8080
      name: admin-web

ingress.yaml

[root@k8s-60 traefik]# vi ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik.od.com
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-ingress-service
          servicePort: 8080

3.应用资源配置清单

[root@k8s-40 ~]# kubectl apply -f http://k8s-yaml.od.com/traefik/rbac.yaml
[root@k8s-40 ~]# kubectl apply -f http://k8s-yaml.od.com/traefik/ds.yaml
[root@k8s-40 ~]# kubectl apply -f http://k8s-yaml.od.com/traefik/svc.yaml
[root@k8s-40 ~]# kubectl apply -f http://k8s-yaml.od.com/traefik/ingress.yaml

4.检查创建资源

[root@k8s-40 ~]# kubectl get pods -n kube-system
NAME                       READY   STATUS    RESTARTS   AGE
coredns-6b6c4f9648-8fzsf   1/1     Running   0          8m35s
traefik-ingress-96th7      1/1     Running   0          21s
traefik-ingress-b6rkv      1/1     Running   0          21s
[root@k8s-40 ~]# netstat -luntp | grep 81
tcp6       0      0 :::81                   :::*                    LISTEN      61367/docker-proxy

5.解析域名

[root@k8s-20 ~]# vi /var/named/od.com.zone
$ORIGIN od.com.
$TTL 600        ; 10 minutes
@               IN SOA  dns.od.com. dnsadmin.od.com. (
                                2020042601 ; serial
                                10800      ; refresh (3 hours)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                                NS   dns.od.com.
$TTL 60 ; 1 minute
dns                A    192.168.10.20
harbor             A    192.168.10.60
k8s-yaml           A    192.168.10.60
traefik            A    192.168.10.10
[root@k8s-20 ~]# systemctl restart named

6.配置7层反向代理

泛域名的流量调度
k8s-20和k8s-30两台都要做
[root@k8s-20 ~]# vi /etc/nginx/conf.d/od.com.conf
upstream default_backend_traefik {
    server 192.168.10.40:81    max_fails=3 fail_timeout=10s;
    server 192.168.10.50:81    max_fails=3 fail_timeout=10s;
}
server {
    server_name *.od.com;
    location / {
        proxy_pass http://default_backend_traefik;
        proxy_set_header Host       $http_host;
        proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
    }
}
[root@k8s-20 ~]# nginx -t
[root@k8s-20 ~]# nginx -s reload
# 把流量全部丢给ingress处理

7.浏览器访问

http://traefik.od.com/