k8s主流的ingress控制器之一,简洁,动态,高效,功能齐全,开源。

配置

traefik.toml

# traefik.toml
# Static configuration for the Traefik 1.7 ingress controller; it is mounted
# into the DaemonSet below as /config/traefik.toml. Key casing is mixed
# (InsecureSkipVerify vs labelselector) — presumably tolerated by Traefik's
# TOML loader, since the author reports this file running in production.
logLevel = "INFO"
## Skip TLS certificate verification of HTTPS backends, e.g. when
## kubernetes-dashboard is a backend.
## NOTE(review): this is a global switch, not per-backend — every HTTPS backend
## is reached without certificate checks. Traefik 1.x also accepts a rootCAs
## list; trusting the backend's CA that way is the narrower option where the
## CA is known.
InsecureSkipVerify = true
## Entry points used by frontends that do not name their own.
defaultEntryPoints = ["http","https"]
## Entry point definitions. With hostNetwork: true in the DaemonSet below,
## every address here is bound directly on the edge node.
[entryPoints]
  ## traefik: the API/dashboard ([api]) and the health check ([ping]) both
  ## attach to this entry point.
  [entryPoints.traefik]
  address = ":8080"
    ## Enable HTTP basic auth on the dashboard/API entry point.
    [entryPoints.traefik.auth]
      [entryPoints.traefik.auth.basic]
        ## htpasswd-style "user:hash" entries (the hash is redacted on this
        ## page). Traefik 1.x also supports usersFile, which lets the hash live
        ## in a Secret instead of in this ConfigMap-backed file.
        users = ["admin:$apr1$mrDaKviI$B5AOi0GbfF/xxxxxxxxx0/",]
  ## metrics: Prometheus scrape endpoint ([metrics.prometheus]). No auth is
  ## configured on it, so reachability should be limited at the network level.
  [entryPoints.metrics]
  address = ":9001"
  ## http
  [entryPoints.http]
  address = ":40080"
  compress = true
  ## https
  [entryPoints.https]
  address = ":40443"
  compress = true
    ## tls: default certificate, read from the Secret mounted at /ssl in the
    ## DaemonSet. Per-Ingress certificates can still be supplied via Secret
    ## (see "使用" below); the "证书刷新" issue at the end of the page applies.
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/tls.crt"
      KeyFile = "/ssl/tls.key"
## Use the Kubernetes API as the provider / discovery backend.
[kubernetes]
## Only Ingress objects carrying this label are picked up by this instance.
labelselector = "traffic-type=devops"
## Hostname written back into the status of the Ingress objects it serves.
[kubernetes.ingressEndpoint]
hostname = "traefik"
## Access log, written to the host-mounted log directory (see the hostPath
## volume in the DaemonSet) so a log shipper can pick it up.
[accessLog]
format = "json"
## NOTE(review): trafficType, department and logType are not accessLog keys I
## recognise in Traefik 1.7 — they look like tags intended for the log
## collector. Verify they actually appear in the output and are not silently
## ignored.
trafficType = "devops"
department = "k8s"
filePath = "/srv/kubernetes/log/traefik-devops-access.log"
logType = "traefik"
## Application (process) log.
[traefikLog]
  format = "common"
## Traefik API and dashboard, served on the basic-auth "traefik" entry point.
[api]
entryPoint = "traefik"
dashboard = true
## Metrics exporter.
[metrics]
  [metrics.prometheus]
  entryPoint = "metrics"
  ## Latency histogram buckets, in seconds. The array mixes integer and float
  ## literals (1, 20); writing them all as floats is safer for strict TOML
  ## parsers that require homogeneous arrays.
  buckets = [0.05,0.1,0.3,0.5,1,5.0,10.0,20]
## Health check endpoint (/ping), placed on the "traefik" entry point.
## NOTE(review): that entry point carries basic auth, so confirm whether a
## probe hitting /ping needs credentials before switching the kubelet probes
## from tcpSocket to an HTTP check on /ping.
[ping]
entryPoint = "traefik"
## Retry policy. Traefik 1.x retries on network errors to the backend, not on
## a 5xx response — see the open issue "后端5xx错误" at the end of the page.
[retry]
attempts = 5
## Server-side (client-facing) timeouts.
## NOTE(review): per the Traefik 1.7 docs a value of 0 disables the timeout,
## so readTimeout and writeTimeout are unbounded here — a slow client can hold
## a request open indefinitely; idleTimeout is the only bound on the edge.
[respondingTimeouts]
readTimeout = "0s"
writeTimeout = "0s"
idleTimeout = "180s"
## Backend-facing timeouts. responseHeaderTimeout = "0s" likewise means no
## limit on how long a backend may take to start responding.
[forwardingTimeouts]
dialTimeout = "30s"
responseHeaderTimeout = "0s"

traefik-ds

# DaemonSet running Traefik 1.7 on the edge nodes (Helm chart traefik-1.30.0,
# rendered by Tiller). The ConfigMap mounted at /config is expected to hold the
# traefik.toml shown above.
# NOTE(review): extensions/v1beta1 DaemonSet was removed in Kubernetes 1.16;
# apps/v1 is the current API for this kind.
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  labels:
    app: traefik
    chart: traefik-1.30.0
    heritage: Tiller
    release: traefik-internal-wekube-prod
    type: traefik
  name: traefik-internal-wekube-prod
spec:
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: traefik
      release: traefik-internal-wekube-prod
  template:
    metadata:
      annotations:
        # Hash of the rendered config; changing the ConfigMap changes this
        # annotation, which is what triggers a pod template change.
        checksum/config: fbb92e7620b3fe644693c5023351e9547e22c41c31cd758de7d4f7b57614f403
      creationTimestamp: null
      labels:
        app: traefik
        chart: traefik-1.30.0
        heritage: Tiller
        release: traefik-internal-wekube-prod
    spec:
      # Pin the pods to nodes labelled department=devops AND dedicated=edgenode.
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: department
                operator: In
                values:
                - devops
              - key: dedicated
                operator: In
                values:
                - edgenode
      containers:
      - args:
        # Static config file, provided by the "config" ConfigMap volume below.
        - --configfile=/config/traefik.toml
        # NOTE(review): Traefik v1 is no longer maintained upstream; check the
        # support status of this tag before relying on it for an edge node.
        image: traefik:1.7.14
        imagePullPolicy: IfNotPresent
        # NOTE(review): the ports used here and in the probes (10080/10443/
        # 18080/19001) do not match the traefik.toml above (:40080/:40443/
        # :8080/:9001); the two snippets appear to come from different
        # releases (internal vs devops). With hostNetwork the TCP probes only
        # succeed if Traefik really binds 10080 on the node.
        livenessProbe:
          failureThreshold: 3
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          tcpSocket:
            port: 10080
          timeoutSeconds: 2
        name: traefik-internal-wekube-prod
        # With hostNetwork: true the container already listens on the node's
        # interfaces; the hostPort entries are informational here.
        ports:
        - containerPort: 10080
          hostPort: 10080
          name: http
          protocol: TCP
        - containerPort: 10443
          hostPort: 10443
          name: https
          protocol: TCP
        - containerPort: 18080
          hostPort: 18080
          name: dash
          protocol: TCP
        - containerPort: 19001
          hostPort: 19001
          name: metrics
          protocol: TCP
        # A check on the /ping endpoint (see [ping] in traefik.toml) would be a
        # more robust readiness signal than a bare TCP connect, since it proves
        # Traefik is actually serving; note [ping] sits on the basic-auth entry
        # point, so confirm whether the probe would need credentials.
        readinessProbe:
          failureThreshold: 1
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          tcpSocket:
            port: 10080
          timeoutSeconds: 2
        resources:
          limits:
            cpu: "2"
            memory: 2000Mi
          requests:
            cpu: "1"
            memory: 1000Mi
        volumeMounts:
        # Access log target (filePath in [accessLog]).
        - mountPath: /srv/kubernetes/log
          name: srvkuberneteslog
        # traefik.toml from the ConfigMap.
        - mountPath: /config
          name: config
        # Default TLS certificate (CertFile/KeyFile in [entryPoints.https.tls]).
        - mountPath: /ssl
          name: ssl
      dnsPolicy: ClusterFirst
      # Host network mode: the pod shares the node's network namespace, so every
      # entry point is bound directly on the edge node's interfaces and is
      # reachable by whatever can reach the node. The SLB in front (see the
      # updateStrategy comment) is the intended path in.
      hostNetwork: true
      restartPolicy: Always
      schedulerName: default-scheduler
      # NOTE(review): an empty securityContext sets nothing — combined with
      # hostNetwork and a writable hostPath mount this pod runs with the image's
      # default user; runAsNonRoot / readOnlyRootFilesystem / dropped
      # capabilities are worth adding where the image allows (the ports used
      # are all > 1024, so NET_BIND_SERVICE is not needed).
      securityContext: {}
      serviceAccount: traefik-internal-wekube-prod
      serviceAccountName: traefik-internal-wekube-prod
      terminationGracePeriodSeconds: 60
      # Edge nodes carry a taint; tolerate it so the DaemonSet can schedule there.
      tolerations:
      - effect: NoSchedule
        key: edgenode
        operator: Exists
      volumes:
      # Mount a host directory so filebeat can collect the logs; otherwise the
      # access log and the application log end up mixed and cannot be told
      # apart. The directory must already exist on the node (type: Directory).
      - hostPath:
          path: /srv/kubernetes/log
          type: Directory
        name: srvkuberneteslog
      # defaultMode 420 is decimal for 0644.
      - configMap:
          defaultMode: 420
          name: traefik-internal-wekube-prod
        name: config
      # Default certificate Secret; Traefik does not pick up changes to it
      # without a restart (see "证书刷新的问题" at the end of the page).
      - name: ssl
        secret:
          defaultMode: 420
          secretName: traefik-internal-wekube-prod-default-cert
  # These pods sit behind an SLB as edge nodes; config changes are rolled out
  # manually by shifting SLB weights and deleting pods one at a time, hence
  # OnDelete rather than RollingUpdate.
  updateStrategy:
    type: OnDelete

使用

  1. 指定traefik的annotation
  2. ingress指定label,traefik会根据ingress的label进行过滤
  3. 编写规则
    • host
    • path
    • path改写策略通过annotation指定
    • tls证书可以指定secret资源
  4. 是否强制https
  5. 会话保持,在service资源上添加annotation开启

例子

待定

问题

1.极少量的502【未解决】

生产使用时,7天约10亿次调用,502出现3个,极个别,难以排查,需要开启traefik的debug模式看日志排查。

2.证书刷新的问题【未解决】

已经加载的证书必须重启traefik才能刷新,traefik无法感知secret证书资源的变更。

3.后端5xx错误,无法重试到其他backends【未解决】

默认的retry次数等于backends节点数,此项暂未测试。