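1 Introduction to Ingress
1. Core concepts of Ingress
- Definition: Ingress is a Kubernetes API object that defines how external requests are routed to Services inside the cluster. It operates on L7 (application-layer) protocols such as HTTP/HTTPS and supports complex routing rules based on host name, path, headers, and so on[^1^][^3^].
- Difference from Service:
  - Service: works at OSI layer 4 (transport layer), forwards traffic based on IP and port, and is used for service discovery and load balancing inside the cluster.
  - Ingress: works at OSI layer 7 (application layer), supports HTTP/HTTPS, and provides a unified entry point for external traffic, SSL termination, path rewriting, and similar features[^1^][^5^].
2. Core components of Ingress
- Ingress resource:
  - Defines the routing rules, including host name (Host), path (Path), and backend service (Backend Service).
  - Supports TLS configuration (certificates stored in a Secret) to provide HTTPS encryption.
- Ingress Controller:
  - Performs the actual traffic forwarding for the Ingress rules, acting as a reverse proxy server (such as Nginx or Traefik).
  - Watches the Kubernetes API to update its configuration dynamically and routes traffic to the corresponding Service[^2^][^5^].
  - Common implementations: ingress-nginx, Traefik, Istio, and others[^3^][^4^].
3. Ingress workflow
- Request arrives: external traffic enters the Ingress Controller through a NodePort or LoadBalancer.
- Rule matching: the Ingress Controller selects the backend service according to the rules defined in the Ingress resource (host name, path, and so on).
- Traffic forwarding: the request is forwarded to the target Service; SSL termination, path rewriting, and similar operations can be applied along the way[^1^][^5^].
4. Core functions and features
- SSL termination: TLS certificates are stored in a Secret and HTTPS traffic is decrypted at the Ingress layer, which reduces load on the backends[^1^][^3^].
- Layer-7 load balancing: traffic is distributed by host name, path, request headers, and similar dimensions[^1^][^5^].
- Dynamic configuration: after an Ingress rule is changed, the Controller updates its configuration automatically, with no restart required[^2^].
- Gradual rollout: supports advanced scenarios such as canary releases and percentage-based traffic splitting[^3^].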
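2 ingress-nginx
Ingress-Nginx is an Ingress Controller written by the Kubernetes project, whereas "nginx-Ingress" is the set of resource manifests written by NGINX itself.
When a Service is exposed through NodePort, it listens on a NodePort port, and several Services cannot share the same port.
That is why a Service can be thought of as a layer-4 proxy: put plainly, it proxies on the basis of IP:PORT.
Suppose the service for "v1.cmy.com" needs to listen on port 80, while "v2.cmy.com" and "v3.cmy.com" also need port 80; this is hard to achieve with a Service alone.
In that case Ingress can provide the feature: Ingress can be seen as a layer-7 proxy that still routes through Services underneath.
Ingress is a built-in Kubernetes resource that expresses the rules resolving a host to a Service, but the actual implementation requires installing an add-on (corresponding to an IngressClass), such as ingress-nginx or traefik.
The relationship between IngressClass and Ingress is somewhat like the relationship between nginx and nginx.conf.
Note: when deploying, compare the Kubernetes version against the Ingress-Nginx version and check their version dependencies.
GitHub repository:
https://github.com/kubernetes/ingress-nginx
Installation guide:
https://kubernetes.github.io/ingress-nginx/deploy/#installation-guide
As shown in the figure above, the project recommends three installation methods:
- Install with "helm";
- Install by creating the YAML manifests with "kubectl apply";
- Install through a third-party plugin;
2.1 Installing with Helm
Add the third-party repository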
[root@master231 helm-Chart]# helm repo add cmy-ingress https://kubernetes.github.io/ingress-nginx
"cmy-ingress" has been added to your repositories
[root@master231 helm-Chart]#
[root@master231 helm-Chart]# helm repo list
NAME URL
azure http://mirror.azure.cn/kubernetes/charts/
cmy-ingress https://kubernetes.github.io/ingress-nginx
[root@master231 helm-Chart]#
3. Search for the ingress-nginx chart
[root@master231 helm-Chart]# helm search repo ingress-nginx
NAME CHART VERSION APP VERSION DESCRIPTION
cmy-ingress/ingress-nginx 4.12.3 1.12.3 Ingress controller for Kubernetes using NGINX a...
[root@master231 helm-Chart]#
[root@master231 helm-Chart]# helm search repo ingress-nginx -l
NAME CHART VERSION APP VERSION DESCRIPTION
cmy-ingress/ingress-nginx 4.12.3 1.12.3 Ingress controller for Kubernetes using NGINX a...
cmy-ingress/ingress-nginx 4.12.2 1.12.2 Ingress controller for Kubernetes using NGINX a...
cmy-ingress/ingress-nginx 4.12.1 1.12.1 Ingress controller for Kubernetes using NGINX a...
cmy-ingress/ingress-nginx 4.12.0 1.12.0 Ingress controller for Kubernetes using NGINX a...
cmy-ingress/ingress-nginx 4.11.7 1.11.7 Ingress controller for Kubernetes using NGINX a...
cmy-ingress/ingress-nginx 4.11.6 1.11.6 Ingress controller for Kubernetes using NGINX a...
cmy-ingress/ingress-nginx 4.11.5 1.11.5 Ingress controller for Kubernetes using NGINX a...
...
[root@master231 helm]#
4. Download the specified chart
[root@master231 ingress-nginx]# helm pull cmy-ingress/ingress-nginx --version 4.2.5
[root@master231 ingress-nginx]#
[root@master231 ingress-nginx]# ll
total 52
drwxr-xr-x 2 root root 4096 Jun 10 11:40 ./
drwxr-xr-x 8 root root 4096 Jun 10 11:40 ../
-rw-r--r-- 1 root root 42132 Jun 10 11:40 ingress-nginx-4.2.5.tgz
[root@master231 ingress-nginx]#
[root@master231 ingress-nginx]#
svip:
[root@master231 helm]# wget http://192.168.15.253/Resources/Kubernetes/Add-ons/ingress-nginx/ingress-nginx-4.2.5.tgz
5. Unpack the package and modify the configuration parameters
[root@master231 helm]# tar xf ingress-nginx-4.2.5.tgz
[root@master231 helm]#
[root@master231 helm]# sed -i '/registry:/s#registry.k8s.io#registry.cn-hangzhou.aliyuncs.com#g' ingress-nginx/values.yaml
[root@master231 helm]# sed -i 's#ingress-nginx/controller#cmy-k8s/ingress-nginx#' ingress-nginx/values.yaml
[root@master231 helm]# sed -i 's#ingress-nginx/kube-webhook-certgen#cmy-k8s/ingress-nginx#' ingress-nginx/values.yaml
[root@master231 helm]# sed -i 's#v1.3.0#kube-webhook-certgen-v1.3.0#' ingress-nginx/values.yaml
[root@master231 helm]# sed -ri '/digest:/s@^@#@' ingress-nginx/values.yaml
[root@master231 helm]# sed -i '/hostNetwork:/s#false#true#' ingress-nginx/values.yaml
[root@master231 helm]# sed -i '/dnsPolicy/s#ClusterFirst#ClusterFirstWithHostNet#' ingress-nginx/values.yaml
[root@master231 helm]# sed -i '/kind/s#Deployment#DaemonSet#' ingress-nginx/values.yaml
[root@master231 helm]# sed -i '/default:/s#false#true#' ingress-nginx/values.yaml
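Tips:
- Switch the images to a domestic mirror; otherwise the overseas images cannot be downloaded unless you have a way around the network restriction;
- If you use the images I provide, the digest must be commented out, because my images were synced from overseas and rebuilt, so their digests do not match; the images are then identified by tag alone;
- Using the host network is recommended for the best efficiency, but with the host network the DNS policy uses the host's own resolver directly;
- To keep resolving Kubernetes Service names inside the cluster, change the default "ClusterFirst" DNS policy to "ClusterFirstWithHostNet";
- Changing the Deployment to a DaemonSet is recommended so that one Pod runs on every node; alternatively, set the "nodeSelector" field to schedule it onto specific nodes;
- If there is only one ingress controller, consider setting "ingressClassResource.default" to true, which makes it the default ingress controller;
6. Disable the admissionWebhooks feature
[root@master231 ingress-nginx]# vim ingress-nginx/values.yaml
...
  admissionWebhooks:
    ...
    enabled: false # Disable admissionWebhooks to avoid errors later when using Ingress!
7. Install ingress-nginx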
[root@master231 ingress-nginx]# helm upgrade --install ingress-server ingress-nginx -n ingress-nginx --create-namespace
Release "ingress-server" does not exist. Installing it now.
NAME: ingress-server
LAST DEPLOYED: Tue Jun 10 11:42:14 2025
NAMESPACE: ingress-nginx
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
The ingress-nginx controller has been installed.
It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status by running 'kubectl --namespace ingress-nginx get services -o wide -w ingress-server-ingress-nginx-controller'
An example Ingress that makes use of the controller:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example
namespace: foo
spec:
ingressClassName: nginx
rules:
- host: www.example.com
http:
paths:
- pathType: Prefix
backend:
service:
name: exampleService
port:
number: 80
path: /
# This section is only required if TLS is to be enabled for the Ingress
tls:
- hosts:
- www.example.com
secretName: example-tls
If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:
apiVersion: v1
kind: Secret
metadata:
name: example-tls
namespace: foo
data:
tls.crt: <base64 encoded cert>
tls.key: <base64 encoded key>
type: kubernetes.io/tls
[root@master231 ingress-nginx]#
8. Verify that ingress-nginx was installed successfully
[root@master231 ingress-nginx]# helm list -n ingress-nginx
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
ingress-server ingress-nginx 1 2025-06-10 11:42:14.508074807 +0800 CST deployed ingress-nginx-4.2.5 1.3.1
[root@master231 ingress-nginx]#
[root@master231 ingress-nginx]#
[root@master231 ingress-nginx]# kubectl get ingressclass,deploy,svc,po -n ingress-nginx -o wide
NAME CONTROLLER PARAMETERS AGE
ingressclass.networking.k8s.io/nginx k8s.io/ingress-nginx <none> 113s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service/ingress-server-ingress-nginx-controller LoadBalancer 10.200.253.247 10.0.0.151 80:24928/TCP,443:3153/TCP 113s app.kubernetes.io/component=controller,app.kubernetes.io/instance=ingress-server,app.kubernetes.io/name=ingress-nginx
service/ingress-server-ingress-nginx-controller-admission ClusterIP 10.200.164.218 <none> 443/TCP 113s app.kubernetes.io/component=controller,app.kubernetes.io/instance=ingress-server,app.kubernetes.io/name=ingress-nginx
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/ingress-server-ingress-nginx-controller-6r9b2 1/1 Running 0 113s 10.0.0.232 worker232 <none> <none>
pod/ingress-server-ingress-nginx-controller-jc8kg 1/1 Running 0 113s 10.0.0.233 worker233 <none> <none>
pod/ingress-server-ingress-nginx-controller-xwbz6 1/1 Running 0 113s 10.0.0.231 master231 <none> <none>
[root@master231 ingress-nginx]#
Tip:
If the image pull fails, import the image manually instead.
2.2 Ingress HTTP mapping example
Prepare the environment
[root@master231 ingresses]# cat > 01-deploy-svc-xiuxian.yaml <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-xiuxian-v1
spec:
  replicas: 3
  selector:
    matchLabels:
      apps: v1
  template:
    metadata:
      labels:
        apps: v1
    spec:
      containers:
      - name: c1
        image: registry.cn-hangzhou.aliyuncs.com/cmy-k8s/apps:v1
        ports:
        - containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-xiuxian-v2
spec:
  replicas: 3
  selector:
    matchLabels:
      apps: v2
  template:
    metadata:
      labels:
        apps: v2
    spec:
      containers:
      - name: c1
        image: registry.cn-hangzhou.aliyuncs.com/cmy-k8s/apps:v2
        ports:
        - containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-xiuxian-v3
spec:
  replicas: 3
  selector:
    matchLabels:
      apps: v3
  template:
    metadata:
      labels:
        apps: v3
    spec:
      containers:
      - name: c1
        image: registry.cn-hangzhou.aliyuncs.com/cmy-k8s/apps:v3
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: svc-xiuxian-v1
spec:
  type: ClusterIP
  selector:
    apps: v1
  ports:
  - port: 80
---
apiVersion: v1
kind: Service
metadata:
  name: svc-xiuxian-v2
spec:
  type: ClusterIP
  selector:
    apps: v2
  ports:
  - port: 80
---
apiVersion: v1
kind: Service
metadata:
  name: svc-xiuxian-v3
spec:
  type: ClusterIP
  selector:
    apps: v3
  ports:
  - port: 80
EOF
[root@master231 case-demo]# kubectl apply -f 01-deploy-svc-xiuxian.yaml
deployment.apps/deploy-xiuxian-v1 created
deployment.apps/deploy-xiuxian-v2 created
deployment.apps/deploy-xiuxian-v3 created
service/svc-xiuxian-v1 created
service/svc-xiuxian-v2 created
service/svc-xiuxian-v3 created
[root@master231 case-demo]#
[root@master231 case-demo]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
deploy-xiuxian-v1-6bc556784f-k7h4j 1/1 Running 0 3s 10.100.160.153 master231 <none> <none>
deploy-xiuxian-v1-6bc556784f-l4x82 1/1 Running 0 3s 10.100.203.175 worker232 <none> <none>
deploy-xiuxian-v1-6bc556784f-vdnfc 1/1 Running 0 3s 10.100.140.103 worker233 <none> <none>
deploy-xiuxian-v2-64bb8c9785-5hjf9 1/1 Running 0 3s 10.100.140.96 worker233 <none> <none>
deploy-xiuxian-v2-64bb8c9785-psnmn 1/1 Running 0 3s 10.100.160.151 master231 <none> <none>
deploy-xiuxian-v2-64bb8c9785-z69km 1/1 Running 0 3s 10.100.203.159 worker232 <none> <none>
deploy-xiuxian-v3-698c86cf85-ntf7m 1/1 Running 0 3s 10.100.140.111 worker233 <none> <none>
deploy-xiuxian-v3-698c86cf85-rmcmf 1/1 Running 0 3s 10.100.203.168 worker232 <none> <none>
deploy-xiuxian-v3-698c86cf85-rpqqr 1/1 Running 0 3s 10.100.160.141 master231 <none> <none>
[root@master231 case-demo]#
[root@master231 case-demo]#
[root@master231 case-demo]# kubectl get pods --show-labels
NAME READY STATUS RESTARTS AGE LABELS
deploy-xiuxian-v1-6bc556784f-k7h4j 1/1 Running 0 21s apps=v1,pod-template-hash=6bc556784f
deploy-xiuxian-v1-6bc556784f-l4x82 1/1 Running 0 21s apps=v1,pod-template-hash=6bc556784f
deploy-xiuxian-v1-6bc556784f-vdnfc 1/1 Running 0 21s apps=v1,pod-template-hash=6bc556784f
deploy-xiuxian-v2-64bb8c9785-5hjf9 1/1 Running 0 21s apps=v2,pod-template-hash=64bb8c9785
deploy-xiuxian-v2-64bb8c9785-psnmn 1/1 Running 0 21s apps=v2,pod-template-hash=64bb8c9785
deploy-xiuxian-v2-64bb8c9785-z69km 1/1 Running 0 21s apps=v2,pod-template-hash=64bb8c9785
deploy-xiuxian-v3-698c86cf85-ntf7m 1/1 Running 0 21s apps=v3,pod-template-hash=698c86cf85
deploy-xiuxian-v3-698c86cf85-rmcmf 1/1 Running 0 21s apps=v3,pod-template-hash=698c86cf85
deploy-xiuxian-v3-698c86cf85-rpqqr 1/1 Running 0 21s apps=v3,pod-template-hash=698c86cf85
[root@master231 case-demo]#
3. Write the Ingress rules
[root@master231 ingresses]# cat > 02-ingress-xiuxian.yaml <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-xiuxian
spec:
  ingressClassName: nginx
  rules:
  - host: v1.cmy.com
    http:
      paths:
      - pathType: Prefix
        backend:
          service:
            name: svc-xiuxian-v1
            port:
              number: 80
        path: /
  - host: v2.cmy.com
    http:
      paths:
      - pathType: Prefix
        backend:
          service:
            name: svc-xiuxian-v2
            port:
              number: 80
        path: /
  - host: v3.cmy.com
    http:
      paths:
      - pathType: Prefix
        backend:
          service:
            name: svc-xiuxian-v3
            port:
              number: 80
        path: /
EOF
4. Create the Ingress rules
[root@master231 case-demo]# kubectl apply -f 02-ingress-xiuxian.yaml
ingress.networking.k8s.io/ingress-xiuxian created
[root@master231 case-demo]#
[root@master231 case-demo]# kubectl describe -f 02-ingress-xiuxian.yaml
Name: ingress-xiuxian
Labels: <none>
Namespace: default
Address: 10.0.0.151
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
Host Path Backends
---- ---- --------
v1.cmy.com
/ svc-xiuxian-v1:80 (10.100.140.103:80,10.100.160.153:80,10.100.203.175:80)
v2.cmy.com
/ svc-xiuxian-v2:80 (10.100.140.96:80,10.100.160.151:80,10.100.203.159:80)
v3.cmy.com
/ svc-xiuxian-v3:80 (10.100.140.111:80,10.100.160.141:80,10.100.203.168:80)
Annotations: <none>
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Sync 7s (x2 over 15s) nginx-ingress-controller Scheduled for sync
Normal Sync 7s (x2 over 15s) nginx-ingress-controller Scheduled for sync
Normal Sync 7s (x2 over 14s) nginx-ingress-controller Scheduled for sync
[root@master231 case-demo]#
5. Add hosts records on Windows
10.0.0.231 v2.cmy.com
10.0.0.232 v1.cmy.com
10.0.0.233 v3.cmy.com
Or:
10.0.0.151 v1.cmy.com v2.cmy.com v3.cmy.com
2.3 Verifying how Ingress and IngressClass work under the hood
[root@master231 ingresses]# kubectl get pods -o wide -n ingress-nginx
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
my-ingress-class-ingress-nginx-controller-6bnkr 1/1 Running 0 53m 10.0.0.233 worker233 <none> <none>
my-ingress-class-ingress-nginx-controller-gqg7g 1/1 Running 0 53m 10.0.0.232 worker232 <none> <none>
[root@master231 ingresses]#
[root@master231 ingresses]# kubectl -it -n ingress-nginx exec my-ingress-class-ingress-nginx-controller-6bnkr -- bash
bash-5.1$ grep cmy.com /etc/nginx/nginx.conf
## start server v1.cmy.com
server_name v1.cmy.com ;
## end server v1.cmy.com
## start server v2.cmy.com
server_name v2.cmy.com ;
## end server v2.cmy.com
## start server v3.cmy.com
server_name v3.cmy.com ;
## end server v3.cmy.com
bash-5.1$
exit
[root@master231 ingresses]#
[root@master231 ingresses]# kubectl get ing
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-xiuxian nginx v1.cmy.com,v2.cmy.com,v3.cmy.com 10.0.0.151 80 5m45s
[root@master231 ingresses]#
[root@master231 ingresses]# kubectl delete -f 02-ingress-xiuxian.yaml
ingress.networking.k8s.io "ingress-xiuxian" deleted
[root@master231 ingresses]#
[root@master231 ingresses]# kubectl get ing
No resources found in default namespace.
[root@master231 ingresses]#
[root@master231 ingresses]#
[root@master231 ingresses]# kubectl -it -n ingress-nginx exec my-ingress-class-ingress-nginx-controller-6bnkr -- bash
bash-5.1$
bash-5.1$ grep cmy.com /etc/nginx/nginx.conf
bash-5.1$
2.4 Ingress HTTPS mapping example
1. Generate the certificate files
[root@master231 https]# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=www.cmy.com"
[root@master231 https]# ll
total 16
drwxr-xr-x 2 root root 4096 Jun 10 14:31 ./
drwxr-xr-x 4 root root 4096 Jun 10 14:30 ../
-rw-r--r-- 1 root root 1139 Jun 10 14:31 tls.crt
-rw------- 1 root root 1704 Jun 10 14:31 tls.key
[root@master231 https]#
2. Store the certificate files as a Secret
[root@master231 https]# kubectl create secret tls ca-secret --cert=tls.crt --key=tls.key
secret/ca-secret created
[root@master231 https]#
[root@master231 https]# kubectl get secrets ca-secret
NAME TYPE DATA AGE
ca-secret kubernetes.io/tls 2 8s
[root@master231 https]#
3. Deploy the test service
[root@master231 02-casedemo-https]# cat > deploy-apple.yaml <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-apple
spec:
  replicas: 3
  selector:
    matchLabels:
      apps: apple
  template:
    metadata:
      labels:
        apps: apple
    spec:
      containers:
      - name: apple
        image: registry.cn-hangzhou.aliyuncs.com/cmy-k8s/apps:apple
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: svc-apple
spec:
  selector:
    apps: apple
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
EOF
[root@master231 https]# kubectl apply -f deploy-apple.yaml
deployment.apps/deployment-apple created
service/svc-apple created
[root@master231 https]#
[root@master231 https]# kubectl get pods -l apps=apple -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
deployment-apple-5496cd9b6c-cfjbz 1/1 Running 0 17s 10.100.140.107 worker233 <none> <none>
deployment-apple-5496cd9b6c-gsc5r 1/1 Running 0 17s 10.100.160.139 master231 <none> <none>
deployment-apple-5496cd9b6c-lgf5r 1/1 Running 0 17s 10.100.203.169 worker232 <none> <none>
[root@master231 https]#
4. Configure the Ingress with the TLS certificate
[root@master231 02-casedemo-https]# cat > ingress-tls.yaml <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-tls-https
  # If the "ingressClassName" field is set, the class does not need to be declared again here.
  # On Kubernetes versions below 1.22, pass the class through the annotation instead.
  #annotations:
  #  kubernetes.io/ingress.class: "nginx"
spec:
  # Specify the IngressClass; requires Kubernetes 1.22+
  ingressClassName: nginx
  rules:
  - host: www.cmy.com
    http:
      paths:
      - backend:
          service:
            name: svc-apple
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
  # Configure the HTTPS certificate
  tls:
  - hosts:
    - www.cmy.com
    secretName: ca-secret
EOF
[root@master231 https]# kubectl apply -f ingress-tls.yaml
ingress.networking.k8s.io/ingress-tls-https created
[root@master231 https]#
[root@master231 https]# kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-tls-https nginx www.cmy.com 80, 443 5s
[root@master231 https]#
[root@master231 https]# kubectl describe -f ingress-tls.yaml
Name: ingress-tls-https
Labels: <none>
Namespace: default
Address:
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
ca-secret terminates www.cmy.com
Rules:
Host Path Backends
---- ---- --------
www.cmy.com
/ svc-apple:80 (10.100.140.107:80,10.100.160.139:80,10.100.203.169:80)
Annotations: <none>
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Sync 9s nginx-ingress-controller Scheduled for sync
Normal Sync 9s nginx-ingress-controller Scheduled for sync
Normal Sync 9s nginx-ingress-controller Scheduled for sync
[root@master231 https]#
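5. Add the hosts record on Windows
10.0.0.233 www.cmy.com
6. Access test
https://www.cmy.com/
Tip:
If Google Chrome does not accept the self-signed certificate, click once on a blank area of the page and type "thisisunsafe"; the page will then load automatically.
Alternatively, if you prefer not to type this code, open the site in Firefox.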
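To see which hosts from the HTTP case in 2.2 and the HTTPS case in 2.4 are served without a certificate, the following added example (not part of the original page or of ingress-nginx) audits Ingress objects for rule hosts that no `spec.tls` entry covers. The function names are hypothetical, and the embedded sample is constructed from the two Ingress manifests on this page in the shape of `kubectl get ingress -A -o json` output.

```python
import json

# Constructed sample: the two Ingress objects defined on this page, trimmed to
# the fields the audit reads (shape of `kubectl get ingress -A -o json`).
SAMPLE_INGRESS_LIST = json.loads("""
{"items": [
  {"metadata": {"name": "ingress-xiuxian", "namespace": "default"},
   "spec": {"ingressClassName": "nginx",
            "rules": [{"host": "v1.cmy.com"},
                      {"host": "v2.cmy.com"},
                      {"host": "v3.cmy.com"}]}},
  {"metadata": {"name": "ingress-tls-https", "namespace": "default"},
   "spec": {"ingressClassName": "nginx",
            "rules": [{"host": "www.cmy.com"}],
            "tls": [{"hosts": ["www.cmy.com"], "secretName": "ca-secret"}]}}
]}
""")


def tls_entry_covers(tls_host: str, host: str) -> bool:
    """True if a spec.tls host covers the rule host (exact or one-label wildcard)."""
    tls_host, host = tls_host.lower(), host.lower()
    if tls_host == host:
        return True
    if tls_host.startswith("*."):
        # "*.cmy.com" covers "v1.cmy.com" but not "cmy.com" or "a.b.cmy.com".
        suffix = tls_host[1:]
        label = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label
    return False


def audit_ingress_tls(ingress_list: dict) -> list:
    """Return (namespace/name, host, finding) for every rule host lacking TLS.

    Findings:
      no-tls              no spec.tls entry lists the host
      tls-without-secret  a tls entry lists the host but names no Secret, so the
                          certificate served depends on the controller's fallback
    """
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        spec = item.get("spec", {})
        ref = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
        tls_entries = spec.get("tls") or []
        for rule in spec.get("rules") or []:
            host = rule.get("host") or ""
            matching = [
                entry for entry in tls_entries
                if any(tls_entry_covers(h, host) for h in entry.get("hosts") or [])
            ]
            if not matching:
                findings.append((ref, host or "<any host>", "no-tls"))
            elif not any(entry.get("secretName") for entry in matching):
                findings.append((ref, host, "tls-without-secret"))
    return findings


if __name__ == "__main__":
    for ref, host, finding in audit_ingress_tls(SAMPLE_INGRESS_LIST):
        print(f"{ref}: {host}: {finding}")
```

Against a live cluster, replace the sample with the parsed output of `kubectl get ingress -A -o json`.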
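3 Traefik
Traefik is an edge router: it intercepts external requests and chooses how to act on them according to logical rules, and these rules determine how each request is handled.
Traefik provides automatic discovery: it watches services in real time and updates the routing rules automatically.
3.1 Components
entrypoint (entry point):
Requests end up at entry points; as the name suggests, they are Traefik's network entry (listening port, SSL, traffic redirection, ...).
Entrypoints are Traefik's network entry; they define the interface that accepts requests and whether it listens for TCP or UDP.
frontends:
Traffic is then directed to a matching frontend. A frontend is where the routes from entry points to backends are defined.
Routes are defined by request fields (Host, Path, Headers, ...) and can match or negate a request.
backends:
The frontend sends the request to a backend. A backend can consist of one server, or of several servers configured with a load-balancing strategy.
Finally, the server forwards the request to the corresponding microservice in the private network.
3.2 Installing with Helm
Add the repository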
[root@master231 traefik]# helm repo add traefik https://traefik.github.io/charts
"traefik" has been added to your repositories
[root@master231 traefik]#
[root@master231 traefik]# helm repo list
NAME URL
azure http://mirror.azure.cn/kubernetes/charts/
cmy-ingress https://kubernetes.github.io/ingress-nginx
traefik https://traefik.github.io/charts
[root@master231 traefik]#
2. Update the repository information
[root@master231 traefik]# helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "cmy-ingress" chart repository
...Successfully got an update from the "traefik" chart repository
...Successfully got an update from the "azure" chart repository
Update Complete. ⎈Happy Helming!⎈
[root@master231 traefik]#
3. Install Traefik
[root@master231 traefik]# helm search repo traefik
NAME CHART VERSION APP VERSION DESCRIPTION
azure/traefik 1.87.7 1.7.26 DEPRECATED - A Traefik based Kubernetes ingress...
traefik/traefik 36.0.0 v3.4.1 A Traefik based Kubernetes ingress controller
traefik/traefik-crds 1.8.1 A Traefik based Kubernetes ingress controller
traefik/traefik-hub 4.2.0 v2.11.0 Traefik Hub Ingress Controller
traefik/traefik-mesh 4.1.1 v1.4.8 Traefik Mesh - Simpler Service Mesh
traefik/traefikee 4.2.3 v2.12.4 Traefik Enterprise is a unified cloud-native ne...
traefik/maesh 2.1.2 v1.3.2 Maesh - Simpler Service Mesh
[root@master231 traefik]#
[root@master231 traefik]# helm pull traefik/traefik
[root@master231 traefik]#
[root@master231 traefik]# ll
total 260
drwxr-xr-x 2 root root 4096 Jun 10 15:05 ./
drwxr-xr-x 9 root root 4096 Jun 10 15:03 ../
-rw-r--r-- 1 root root 254727 Jun 10 15:05 traefik-36.0.0.tgz
[root@master231 traefik]#
[root@master231 traefik]# tar xf traefik-36.0.0.tgz
[root@master231 traefik]# ll
total 264
drwxr-xr-x 3 root root 4096 Jun 10 15:06 ./
drwxr-xr-x 9 root root 4096 Jun 10 15:03 ../
drwxr-xr-x 4 root root 4096 Jun 10 15:06 traefik/
-rw-r--r-- 1 root root 254727 Jun 10 15:05 traefik-36.0.0.tgz
[root@master231 traefik]#
[root@master231 traefik]# helm install traefik-server traefik
NAME: traefik-server
LAST DEPLOYED: Tue Jun 10 15:06:44 2025
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
traefik-server with docker.io/traefik:v3.4.1 has been deployed successfully on default namespace !
[root@master231 traefik]#
[root@master231 traefik]#
[root@master231 traefik]# helm list
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
traefik-server default 1 2025-06-10 15:06:44.316089074 +0800 CST deployed traefik-36.0.0 v3.4.1
[root@master231 traefik]#
4. Check the services
[root@master231 traefik]# kubectl get ingressclass,deploy,svc,po
NAME CONTROLLER PARAMETERS AGE
ingressclass.networking.k8s.io/nginx k8s.io/ingress-nginx <none> 3h19m
ingressclass.networking.k8s.io/traefik-server traefik.io/ingress-controller <none> 7m17s
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/traefik-server 1/1 1 1 7m17s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.200.0.1 <none> 443/TCP 11d
service/traefik-server LoadBalancer 10.200.154.252 10.0.0.152 80:39119/TCP,443:12239/TCP 7m17s
NAME READY STATUS RESTARTS AGE
pod/traefik-server-74654b469d-zrh77 1/1 Running 0 7m16s
[root@master231 traefik]#
Tip:
If the image cannot be downloaded, download it manually.
Enable the Dashboard
1. Enable the Dashboard parameter
[root@master231 helm]# vim traefik/values.yaml
...
ingressRoute:
  dashboard:
    # -- Create an IngressRoute for the dashboard
    # enabled: false
    enabled: true
2. Reinstall Traefik
[root@master231 traefik]# helm list
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
traefik-server default 1 2025-06-10 15:06:44.316089074 +0800 CST deployed traefik-36.0.0 v3.4.1
[root@master231 traefik]#
[root@master231 traefik]#
[root@master231 traefik]# helm uninstall traefik-server
release "traefik-server" uninstalled
[root@master231 traefik]#
[root@master231 traefik]# helm list
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
[root@master231 traefik]#
[root@master231 traefik]# helm install traefik-server traefik
NAME: traefik-server
LAST DEPLOYED: Tue Jun 10 16:05:00 2025
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
traefik-server with docker.io/traefik:v3.4.1 has been deployed successfully on default namespace !
[root@master231 traefik]#
[root@master231 traefik]# helm list
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
traefik-server default 1 2025-06-10 16:05:00.170947202 +0800 CST deployed traefik-36.0.0 v3.4.1
[root@master231 traefik]#
3. Create a Service for the Dashboard
[root@master231 traefik]# kubectl get pods -l app.kubernetes.io/name=traefik -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
traefik-server-74654b469d-zrx9c 1/1 Running 0 20s 10.100.203.156 worker232 <none> <none>
[root@master231 traefik]#
[root@master231 traefik]# cat 01-svc-traefik-dashboard.yaml
apiVersion: v1
kind: Service
metadata:
  name: jiege-traefik-dashboard
spec:
  ports:
  - name: dashboard
    port: 8080
  selector:
    app.kubernetes.io/name: traefik
  type: LoadBalancer
[root@master231 traefik]#
[root@master231 traefik]# kubectl apply -f 01-svc-traefik-dashboard.yaml
service/jiege-traefik-dashboard created
[root@master231 traefik]#
[root@master231 traefik]# kubectl get -f 01-svc-traefik-dashboard.yaml
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
jiege-traefik-dashboard LoadBalancer 10.200.158.194 10.0.0.154 8080:45754/TCP 19s
[root@master231 traefik]#
4. Access the Traefik web UI
http://10.0.0.154:8080/dashboard/#/
3.3 Routing rules supported by Traefik
Traefik provides three ways to create routing rules:
Native Ingress
A resource natively supported by Kubernetes.
1. Exposing the Traefik Dashboard through an Ingress
1.1 Write the manifest
[root@master231 ingresses]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
jiege-traefik-dashboard LoadBalancer 10.200.158.194 10.0.0.154 8080:45754/TCP 17h
...
traefik-server LoadBalancer 10.200.247.64 10.0.0.152 80:5760/TCP,443:37909/TCP 17h
[root@master231 ingresses]#
[root@master231 ingresses]# cat 01-ingress-traefik-dashboard.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-traefik
spec:
  ingressClassName: traefik-server
  rules:
  - host: traefik.cmy.com
    http:
      paths:
      - backend:
          service:
            name: jiege-traefik-dashboard
            port:
              number: 8080
        path: /
        pathType: Prefix
[root@master231 ingresses]#
1.2 Create the resource
[root@master231 ingresses]# kubectl apply -f 01-ingress-traefik-dashboard.yaml
ingress.networking.k8s.io/ingress-traefik created
[root@master231 ingresses]#
[root@master231 ingresses]# kubectl describe -f 01-ingress-traefik-dashboard.yaml
Name: ingress-traefik
Labels: <none>
Namespace: default
Address: 10.0.0.152
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
Host Path Backends
---- ---- --------
traefik.cmy.com
/ jiege-traefik-dashboard:8080 (10.100.203.152:8080)
Annotations: <none>
Events: <none>
[root@master231 ingresses]#
1.3 Access test
http://traefik.cmy.com/dashboard/#/
Remember to add a hosts record for the Traefik server on Windows:
10.0.0.152 traefik.cmy.com
CRD IngressRoute
A custom resource installed when Traefik is deployed.
Exposing the Traefik Dashboard through an IngressRoute
[root@master231 ingresses]# kubectl get ingress
No resources found in default namespace.
[root@master231 ingresses]#
2.2 Write the manifest
[root@master231 ingresses]# cat 02-ingressroutes-traefik-dashboard.yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroute-traefik
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`www.cmy.com`) && PathPrefix(`/`)
    kind: Rule
    services:
    - name: jiege-traefik-dashboard
      port: 8080
[root@master231 ingresses]#
2.3 Create the resource
[root@master231 ingresses]# kubectl apply -f 02-ingressroutes-traefik-dashboard.yaml
ingressroute.traefik.io/ingressroute-traefik created
[root@master231 ingresses]#
[root@master231 ingresses]# kubectl describe -f 02-ingressroutes-traefik-dashboard.yaml
Name: ingressroute-traefik
Namespace: default
Labels: <none>
Annotations: <none>
API Version: traefik.io/v1alpha1
Kind: IngressRoute
Metadata:
Creation Timestamp: 2025-06-11T01:37:06Z
Generation: 1
Managed Fields:
API Version: traefik.io/v1alpha1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.:
f:kubectl.kubernetes.io/last-applied-configuration:
f:spec:
.:
f:entryPoints:
f:routes:
Manager: kubectl-client-side-apply
Operation: Update
Time: 2025-06-11T01:37:06Z
Resource Version: 1553523
UID: 1b564086-9672-48ee-84c3-3a7ff458157f
Spec:
Entry Points:
web
Routes:
Kind: Rule
Match: Host(`www.cmy.com`) && PathPrefix(`/`)
Services:
Name: jiege-traefik-dashboard
Port: 8080
Events: <none>
[root@master231 ingresses]#
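2.4 Access test
http://www.cmy.com/dashboard/#/
Remember to add a hosts record for the Traefik server on Windows:
10.0.0.152 www.cmy.com
Configuring HTTPS routing rules: the whoami example
1 Notes on configuring HTTPS routing rules
To access the application over HTTPS, the route must listen on the websecure entry point, that is, it is accessed through port 443.
HTTPS access requires a certificate, which can be self-signed or issued by a certificate authority.
2 Create a certificate and wrap it in a Secret
2.1. Create a self-signed certificate with openssl
[root@master241 ingressroutes]# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=whoamissl.cmy.com"
2. View the generated certificate files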
[root@master241 ingressroutes]# ll tls.*
-rw-r--r-- 1 root root 1155 Jun 4 15:15 tls.crt
-rw------- 1 root root 1704 Jun 4 15:15 tls.key
[root@master241 ingressroutes]#
3. Wrap the certificate in a Secret
[root@master241 ingressroutes]# kubectl create secret tls whoami-tls --cert=tls.crt --key=tls.key
secret/whoami-tls created
[root@master241 ingressroutes]#
[root@master241 ingressroutes]# kubectl get secrets whoami-tls
NAME TYPE DATA AGE
whoami-tls kubernetes.io/tls 2 5s
[root@master241 ingressroutes]#
Environment preparation
1. Import the images on all Kubernetes nodes
wget http://192.168.14.253/Resources/Kubernetes/Add-ons/traefik/case-demo/cmy-traefik-whoamiudp-v0.2.tar.gz
wget http://192.168.14.253/Resources/Kubernetes/Add-ons/traefik/case-demo/cmy-traefik-whoamitcp-v0.3.tar.gz
wget http://192.168.14.253/Resources/Kubernetes/Add-ons/traefik/case-demo/cmy-traefik-whoami-v1.11.tar.gz
for i in cmy-traefik-whoami*; do docker load -i "$i"; done
2. Write the manifests
[root@master231 ingresses]# cat 03-traefik-whoami.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-whoami
spec:
  replicas: 2
  selector:
    matchLabels:
      apps: whoami
  template:
    metadata:
      labels:
        apps: whoami
    spec:
      containers:
      - name: whoami
        image: docker.io/traefik/whoami:v1.11
        ports:
        - containerPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-whoamitcp
spec:
  replicas: 2
  selector:
    matchLabels:
      apps: whoamitcp
  template:
    metadata:
      labels:
        apps: whoamitcp
    spec:
      containers:
      - name: whoamitcp
        image: docker.io/traefik/whoamitcp:v0.3
        ports:
        - containerPort: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-whoamiudp
spec:
  replicas: 2
  selector:
    matchLabels:
      apps: whoamiudp
  template:
    metadata:
      labels:
        apps: whoamiudp
    spec:
      containers:
      - name: whoamiudp
        image: docker.io/traefik/whoamiudp:v0.2
        ports:
        - containerPort: 8080
          protocol: UDP
---
apiVersion: v1
kind: Service
metadata:
  name: svc-whoami
spec:
  ports:
  - name: http
    port: 80
  selector:
    apps: whoami
---
apiVersion: v1
kind: Service
metadata:
  name: svc-whoamitcp
spec:
  ports:
  - name: tcp
    port: 8080
  selector:
    apps: whoamitcp
---
apiVersion: v1
kind: Service
metadata:
  name: svc-whoamiudp
spec:
  ports:
  - name: udp
    port: 8080
    protocol: UDP
  selector:
    apps: whoamiudp
4. Create the HTTPS routing rule and test access
[root@master231 ingresses]# cat 05-ingressroutes-whoami-https.yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroute-whoami-https
  namespace: default
spec:
  tls:
    secretName: whoami-tls
  entryPoints:
  - websecure
  routes:
  - match: Host(`whoamissl.cmy.com`)
    kind: Rule
    services:
    - name: svc-whoami
      port: 80
[root@master231 ingresses]#
[root@master231 ingresses]# kubectl apply -f 05-ingressroutes-whoami-https.yaml
ingressroute.traefik.io/ingressroute-whoami-https created
[root@master231 ingresses]#
[root@master231 ingresses]# kubectl describe -f 05-ingressroutes-whoami-https.yaml
Name: ingressroute-whoami-https
Namespace: default
Labels: <none>
Annotations: <none>
API Version: traefik.io/v1alpha1
Kind: IngressRoute
Metadata:
Creation Timestamp: 2025-06-11T02:56:32Z
Generation: 1
Managed Fields:
API Version: traefik.io/v1alpha1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.:
f:kubectl.kubernetes.io/last-applied-configuration:
f:spec:
.:
f:entryPoints:
f:routes:
f:tls:
.:
f:secretName:
Manager: kubectl-client-side-apply
Operation: Update
Time: 2025-06-11T02:56:32Z
Resource Version: 1566984
UID: 1a86ed71-b53b-4824-b078-f6b301d49513
Spec:
Entry Points:
websecure
Routes:
Kind: Rule
Match: Host(`whoamissl.cmy.com`)
Services:
Name: svc-whoami
Port: 80
Tls:
Secret Name: whoami-tls
Events: <none>
[root@master231 ingresses]#
5. Access test
https://whoamissl.cmy.com/
Tip:
Remember to add a hosts record for Traefik on Windows:
10.0.0.152 whoamissl.cmy.com
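Configuring TCP routing rules: the MySQL example
1 Notes on configuring TCP routing rules
SNI (Server Name Indication) identifies the requested server name and is an extension of the TLS protocol, so only TLS routes can use this rule to specify a domain name.
Non-TLS routes, however, must carry a rule with "*" (all domains) to declare that every non-TLS request will be handled by the route.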
2 Redeploy Traefik
2.1. Modify the values.yaml configuration file [the purpose is to add an 'entryPoints' entry]
[root@master231 ~]# cd /cmy/manifests/add-ons/traefik/
[root@master231 traefik]# vim traefik/values.yaml
...
ports:
  mysql:
    port: 3306
2.2. Uninstall the Traefik service
[root@master231 traefik]# helm uninstall traefik-server
release "traefik-server" uninstalled
[root@master231 traefik]#
2.3. Install the Traefik service
[root@master231 traefik]# helm install traefik-server traefik
NAME: traefik-server
LAST DEPLOYED: Wed Jun 11 11:03:22 2025
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
traefik-server with docker.io/traefik:v3.4.1 has been deployed successfully on default namespace !
[root@master231 traefik]#
3. Deploy MySQL
[root@master241 ingressroutes]# cat 06-deploy-mysql.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-mysql
spec:
  replicas: 1
  selector:
    matchLabels:
      apps: mysql
  template:
    metadata:
      labels:
        apps: mysql
    spec:
      containers:
      - image: harbor250.cmy.com/cmy-db/mysql:8.0.36-oracle
        name: db
        ports:
        - containerPort: 3306
        env:
        - name: MYSQL_DATABASE
          value: wordpress
        - name: MYSQL_ALLOW_EMPTY_PASSWORD
          value: "yes"
        - name: MYSQL_USER
          value: admin
        - name: MYSQL_PASSWORD
          value: cmy
        args:
        - --character-set-server=utf8
        - --collation-server=utf8_bin
        - --default-authentication-plugin=mysql_native_password
---
apiVersion: v1
kind: Service
metadata:
  name: svc-mysql
spec:
  ports:
  - port: 3306
  selector:
    apps: mysql
[root@master241 ingressroutes]#
[root@master241 ingressroutes]# kubectl apply -f 06-deploy-mysql.yaml
deployment.apps/deploy-mysql created
service/svc-mysql created
[root@master241 ingressroutes]#
4 Create the routing rule
[root@master231 ingresses]# cat 07-IngressRouteTCP-mysql.yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: ingressroutetcp-mysql
  namespace: default
spec:
  # Use the entryPoint we defined ourselves.
  entryPoints:
  - mysql
  routes:
  - match: HostSNI(`*`)
    services:
    - name: svc-mysql
      port: 3306
[root@master231 ingresses]#
[root@master231 ingresses]# kubectl apply -f 07-IngressRouteTCP-mysql.yaml
ingressroutetcp.traefik.io/ingressroutetcp-mysql created
[root@master231 ingresses]#
[root@master231 ingresses]#
[root@master231 ingresses]# kubectl describe -f 07-IngressRouteTCP-mysql.yaml
Name: ingressroutetcp-mysql
Namespace: default
Labels: <none>
Annotations: <none>
API Version: traefik.io/v1alpha1
Kind: IngressRouteTCP
Metadata:
Creation Timestamp: 2025-06-11T03:08:38Z
Generation: 1
Managed Fields:
API Version: traefik.io/v1alpha1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.:
f:kubectl.kubernetes.io/last-applied-configuration:
f:spec:
.:
f:entryPoints:
f:routes:
Manager: kubectl-client-side-apply
Operation: Update
Time: 2025-06-11T03:08:38Z
Resource Version: 1569120
UID: 0ec2ced8-d63e-44e0-a0d0-d65022b8b180
Spec:
Entry Points:
mysql
Routes:
Match: HostSNI(`*`)
Services:
Name: svc-mysql
Port: 3306
Events: <none>
[root@master231 ingresses]#
5. Verify in the Traefik Dashboard
Omitted; see the video.
6. Edit the Traefik svc to expose the port
[root@master231 ingresses]# kubectl edit svc traefik-server
...
spec:
  ...
  ports:
  - name: mysql
    port: 3306
  ...
[root@master231 ingresses]# kubectl get svc traefik-server
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
traefik-server LoadBalancer 10.200.226.4 10.0.0.152 3306:44485/TCP,80:27127/TCP,443:29687/TCP 11m
[root@master231 ingresses]#
6. Client access test
[root@harbor250 ~]# apt -y install mysql-client-core-8.0
[root@harbor250 ~]# echo 10.0.0.152 mysql.cmy.com >> /etc/hosts
[root@harbor250 ~]# tail -1 /etc/hosts
10.0.0.152 mysql.cmy.com
[root@harbor250 ~]#
[root@harbor250 ~]# mysql -h mysql.cmy.com
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 8.0.36 MySQL Community Server - GPL
Copyright (c) 2000, 2025, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> SHOW DATABASES;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
| wordpress |
+--------------------+
5 rows in set (0.01 sec)
mysql> USE wordpress
Database changed
mysql> SHOW TABLES;
Empty set (0.00 sec)
mysql>
mysql> CREATE TABLE student(id INT PRIMARY KEY AUTO_INCREMENT, name VARCHAR(255) NOT NULL, hobby VARCHAR(255) NOT NULL);
Query OK, 0 rows affected (0.01 sec)
mysql>
mysql> INSERT INTO student(name,hobby) VALUES ('YuWenZhi','Sleep');
Query OK, 1 row affected (0.01 sec)
mysql>
7. Server-side verification
[root@master231 ingresses]# kubectl exec -it deploy-mysql-869f7867d8-svcml -- mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 8.0.36 MySQL Community Server - GPL
Copyright (c) 2000, 2024, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> SHOW DATABEASES;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DATABEASES' at line 1
mysql> SHOW DATABASES;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
| wordpress |
+--------------------+
5 rows in set (0.00 sec)
mysql>
mysql> USE wordpress
Database changed
mysql>
mysql> SHOW TABLES;
+---------------------+
| Tables_in_wordpress |
+---------------------+
| student |
+---------------------+
1 row in set (0.00 sec)
mysql> SELECT * FROM student;
Empty set (0.01 sec)
mysql>
mysql> SELECT * FROM student;
+----+----------+-------+
| id | name | hobby |
+----+----------+-------+
| 1 | YuWenZhi | Sleep |
+----+----------+-------+
1 row in set (0.00 sec)
mysql>
Configuring TCP routing rules: Redis example
1 Deploy Redis
[root@master231 ingresses]# cat 08-deploy-redis.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-redis
spec:
  replicas: 1
  selector:
    matchLabels:
      apps: redis
  template:
    metadata:
      labels:
        apps: redis
    spec:
      containers:
      - image: harbor250.cmy.com/cmy-db/redis:7.2.8-alpine3.21
        name: db
        ports:
        - containerPort: 6379
---
apiVersion: v1
kind: Service
metadata:
  name: svc-redis
spec:
  ports:
  - port: 6379
  selector:
    apps: redis
[root@master231 ingresses]# kubectl apply -f 08-deploy-redis.yaml
deployment.apps/deploy-redis created
service/svc-redis created
[root@master231 ingresses]#
[root@master231 ingresses]# kubectl describe -f 08-deploy-redis.yaml
Name: deploy-redis
Namespace: default
CreationTimestamp: Wed, 11 Jun 2025 12:11:23 +0800
Labels: <none>
Annotations: deployment.kubernetes.io/revision: 1
Selector: apps=redis
Replicas: 1 desired | 1 updated | 1 total | 1 available | 0 unavailable
StrategyType: RollingUpdate
MinReadySeconds: 0
RollingUpdateStrategy: 25% max unavailable, 25% max surge
Pod Template:
Labels: apps=redis
Containers:
db:
Image: harbor250.cmy.com/cmy-db/redis:7.2.8-alpine3.21
Port: 6379/TCP
Host Port: 0/TCP
Environment: <none>
Mounts: <none>
Volumes: <none>
Conditions:
Type Status Reason
---- ------ ------
Available True MinimumReplicasAvailable
Progressing True NewReplicaSetAvailable
OldReplicaSets: <none>
NewReplicaSet: deploy-redis-67bff8cd67 (1/1 replicas created)
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal ScalingReplicaSet 3s deployment-controller Scaled up replica set deploy-redis-67bff8cd67 to 1
Name: svc-redis
Namespace: default
Labels: <none>
Annotations: <none>
Selector: apps=redis
Type: ClusterIP
IP Family Policy: SingleStack
IP Families: IPv4
IP: 10.200.63.207
IPs: 10.200.63.207
Port: <unset> 6379/TCP
TargetPort: 6379/TCP
Endpoints: 10.100.203.175:6379
Session Affinity: None
Events: <none>
[root@master231 ingresses]#
2 Redeploy Traefik
2.1. Edit the values.yaml configuration file (the purpose is to add 'entryPoints')
[root@master231 ~]# cd /cmy/manifests/add-ons/traefik/
[root@master231 traefik]# vim traefik/values.yaml
[root@master231 traefik]#
...
ports:
  redis:
    port: 6379
2.2. Uninstall the Traefik release
[root@master231 traefik]# helm uninstall traefik-server
release "traefik-server" uninstalled
[root@master231 traefik]#
2.3. Install the Traefik release
[root@master241 traefik]# helm install traefik-server traefik
3 Create the routing rule
[root@master231 ingresses]# cat 09-IngressRouteTCP-redis.yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: ingressroutetcp-redis
  namespace: default
spec:
  # Use the entryPoint we defined ourselves.
  entryPoints:
  - redis
  routes:
  - match: HostSNI(`*`)
    services:
    - name: svc-redis
      port: 6379
[root@master231 ingresses]#
[root@master231 ingresses]# kubectl apply -f 09-IngressRouteTCP-redis.yaml
ingressroutetcp.traefik.io/ingressroutetcp-redis created
[root@master231 ingresses]#
[root@master231 ingresses]# kubectl describe -f 09-IngressRouteTCP-redis.yaml
Name: ingressroutetcp-redis
Namespace: default
Labels: <none>
Annotations: <none>
API Version: traefik.io/v1alpha1
Kind: IngressRouteTCP
Metadata:
Creation Timestamp: 2025-06-11T04:14:38Z
Generation: 1
Managed Fields:
API Version: traefik.io/v1alpha1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.:
f:kubectl.kubernetes.io/last-applied-configuration:
f:spec:
.:
f:entryPoints:
f:routes:
Manager: kubectl-client-side-apply
Operation: Update
Time: 2025-06-11T04:14:38Z
Resource Version: 1580183
UID: a58e0691-2b7f-4ec3-9246-76f84bcdd305
Spec:
Entry Points:
redis
Routes:
Match: HostSNI(`*`)
Services:
Name: svc-redis
Port: 6379
Events: <none>
[root@master231 ingresses]#
4. Open the Traefik WebUI
Omitted; see the video.
5. Edit the Traefik svc entry in k8s
[root@master231 ingresses]# kubectl edit svc traefik-server
...
spec:
  ...
  ports:
  - name: redis
    port: 6379
  ...
[root@master231 ingresses]# kubectl get svc traefik-server
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
traefik-server LoadBalancer 10.200.175.68 10.0.0.152 6379:12332/TCP,80:13552/TCP,443:40307/TCP 3m30s
[root@master231 ingresses]#
6. Client test
6.1 Install the Redis client tools
[root@harbor250 ~]# apt -y install redis-server
6.2 Add the hosts entry
[root@harbor250 ~]# echo 10.0.0.152 redis.cmy.com >> /etc/hosts
[root@harbor250 ~]#
[root@harbor250 ~]# tail -1 /etc/hosts
10.0.0.152 redis.cmy.com
[root@harbor250 ~]#
6.3 Write test data
[root@harbor250 ~]# redis-cli --raw -n 5 -h redis.cmy.com
redis.cmy.com:6379[5]> KEYS *
redis.cmy.com:6379[5]> set school cmy
OK
redis.cmy.com:6379[5]> set class linux97
OK
redis.cmy.com:6379[5]>
redis.cmy.com:6379[5]> KEYS *
class
school
redis.cmy.com:6379[5]>
7. Check the data on the server side and verify
[root@master231 ingresses]# kubectl get pods -o wide -l apps=redis
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
deploy-redis-67bff8cd67-kxf6q 1/1 Running 0 8m49s 10.100.203.175 worker232 <none> <none>
[root@master231 ingresses]#
[root@master231 ingresses]# kubectl exec -it deploy-redis-67bff8cd67-kxf6q -- redis-cli -n 5
127.0.0.1:6379[5]> KEYS *
1) "class"
2) "school"
127.0.0.1:6379[5]>
127.0.0.1:6379[5]> get school
"cmy"
127.0.0.1:6379[5]>
127.0.0.1:6379[5]> get class
"linux97"
127.0.0.1:6379[5]>
127.0.0.1:6379[5]>
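A check over the MySQL and Redis manifests above, as an added example that is not part of the original page: both routes use HostSNI(`*`) with no tls section, so Traefik forwards the protocol in plaintext on the LoadBalancer address, and MYSQL_ALLOW_EMPTY_PASSWORD is why `mysql -h mysql.cmy.com` logged in without a password. The manifests are embedded as constructed dicts in the shape `kubectl get -o json` returns; the function names, finding labels and the hardened variants (mysql-credentials, mysql-ipallowlist) are hypothetical.

```python
import re

# Constructed inputs: the page's manifests reduced to the fields the checks read.
DEPLOY_MYSQL = {
    "metadata": {"name": "deploy-mysql"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "db",
        "env": [
            {"name": "MYSQL_DATABASE", "value": "wordpress"},
            {"name": "MYSQL_ALLOW_EMPTY_PASSWORD", "value": "yes"},
            {"name": "MYSQL_USER", "value": "admin"},
            {"name": "MYSQL_PASSWORD", "value": "cmy"},
        ],
    }]}}},
}
ROUTE_MYSQL = {
    "metadata": {"name": "ingressroutetcp-mysql"},
    "spec": {"entryPoints": ["mysql"],
             "routes": [{"match": "HostSNI(`*`)",
                         "services": [{"name": "svc-mysql", "port": 3306}]}]},
}
ROUTE_REDIS = {
    "metadata": {"name": "ingressroutetcp-redis"},
    "spec": {"entryPoints": ["redis"],
             "routes": [{"match": "HostSNI(`*`)",
                         "services": [{"name": "svc-redis", "port": 6379}]}]},
}

# Hypothetical hardened variants: the root password comes from a Secret, and the
# route carries a TCP middleware (for example a MiddlewareTCP ipAllowList).
DEPLOY_HARDENED = {
    "metadata": {"name": "deploy-mysql"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "db",
        "env": [
            {"name": "MYSQL_DATABASE", "value": "wordpress"},
            {"name": "MYSQL_ROOT_PASSWORD", "valueFrom": {"secretKeyRef": {
                "name": "mysql-credentials", "key": "root-password"}}},
        ],
    }]}}},
}
ROUTE_HARDENED = {
    "metadata": {"name": "ingressroutetcp-mysql"},
    "spec": {"entryPoints": ["mysql"],
             "routes": [{"match": "HostSNI(`*`)",
                         "middlewares": [{"name": "mysql-ipallowlist"}],
                         "services": [{"name": "svc-mysql", "port": 3306}]}]},
}

CREDENTIAL_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN", re.IGNORECASE)


def audit_env(deployment):
    """Flag env vars that allow an empty root password or hold a literal credential."""
    findings = []
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        for env in container.get("env", []):
            name, value = env["name"], env.get("value")
            if name.endswith("ALLOW_EMPTY_PASSWORD"):
                # The MySQL image enables this for any non-empty value.
                if value:
                    findings.append((name, "empty-root-password"))
            elif CREDENTIAL_NAME.search(name) and value is not None:
                # A literal `value:` is readable by anyone who can read the Deployment.
                findings.append((name, "literal-credential"))
    return findings


def audit_tcp_route(route):
    """Flag catch-all routes with neither TLS nor any middleware in front of them."""
    spec = route["spec"]
    findings = []
    for rule in spec.get("routes", []):
        catch_all = "HostSNI(`*`)" in rule.get("match", "")
        if catch_all and not spec.get("tls") and not rule.get("middlewares"):
            findings.append((route["metadata"]["name"],
                             tuple(spec.get("entryPoints", [])),
                             "plaintext-catch-all-unrestricted"))
    return findings


if __name__ == "__main__":
    for finding in audit_env(DEPLOY_MYSQL):
        print("deploy-mysql:", finding)
    for route in (ROUTE_MYSQL, ROUTE_REDIS, ROUTE_HARDENED):
        print(route["metadata"]["name"], audit_tcp_route(route))
```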
Configuring UDP routing rules: whoamiudp
1 Redeploy Traefik
1.1 Edit the values.yaml configuration file (the purpose is to add 'entryPoints')
[root@master231 traefik]# vim traefik/values.yaml
...
ports:
  udpcase:
    port: 8081
    protocol: UDP
...
1.2. Uninstall the Traefik release
[root@master231 traefik]# helm uninstall traefik-server
release "traefik-server" uninstalled
[root@master231 traefik]#
1.3. Install the Traefik release
[root@master231 traefik]# helm install traefik-server traefik
NAME: traefik-server
LAST DEPLOYED: Wed Jun 11 14:46:06 2025
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
traefik-server with docker.io/traefik:v3.4.1 has been deployed successfully on default namespace !
[root@master231 traefik]#
2. Create the routing rule
[root@master231 traefik]# cat 11-IngressRouteUDP-whoamiudp.yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRouteUDP
metadata:
  name: ingressroutetcp-whoamiudp
  namespace: default
spec:
  entryPoints:
  - udpcase
  routes:
  - services:
    - name: svc-whoamiudp
      port: 8080
[root@master231 traefik]#
[root@master231 traefik]#
[root@master231 traefik]# kubectl apply -f 11-IngressRouteUDP-whoamiudp.yaml
ingressrouteudp.traefik.io/ingressroutetcp-whoamiudp created
[root@master231 traefik]#
[root@master231 traefik]# kubectl describe -f 11-IngressRouteUDP-whoamiudp.yaml
Name: ingressroutetcp-whoamiudp
Namespace: default
Labels: <none>
Annotations: <none>
API Version: traefik.io/v1alpha1
Kind: IngressRouteUDP
Metadata:
Creation Timestamp: 2025-06-11T06:46:57Z
Generation: 1
Managed Fields:
API Version: traefik.io/v1alpha1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.:
f:kubectl.kubernetes.io/last-applied-configuration:
f:spec:
.:
f:entryPoints:
f:routes:
Manager: kubectl-client-side-apply
Operation: Update
Time: 2025-06-11T06:46:57Z
Resource Version: 1605615
UID: 699d904b-6695-43db-9dd4-784267065a92
Spec:
Entry Points:
udpcase
Routes:
Services:
Name: svc-whoamiudp
Port: 8080
Events: <none>
[root@master231 traefik]#
3. Test and verify
3.1. Look up the ClusterIP of the whoamiudp svc
[root@master231 traefik]# kubectl get svc svc-whoamiudp -o wide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
svc-whoamiudp ClusterIP 10.200.32.92 <none> 8080/UDP 4h5m apps=whoamiudp
[root@master231 traefik]#
[root@master231 traefik]# kubectl get pods -o wide -l apps=whoamiudp
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
deploy-whoamiudp-f7657cc98-65jw5 1/1 Running 0 4h5m 10.100.140.66 worker233 <none> <none>
deploy-whoamiudp-f7657cc98-tc4mx 1/1 Running 0 4h5m 10.100.203.166 worker232 <none> <none>
[root@master231 traefik]#
2. Install the socat test tool
[root@worker232 ~]# apt -y install socat
3. Access test
[root@worker232 whoami]# echo "WHO" | socat - udp4-datagram:10.200.32.92:8080
Hostname: deploy-whoamiudp-f7657cc98-65jw5
IP: 127.0.0.1
IP: 10.100.140.66
[root@worker232 whoami]#
[root@worker232 whoami]# echo "https://www.cnblogs.com/cmy" | socat - udp4-datagram:10.200.32.92:8080
Received: https://www.cnblogs.com/cmy
[root@worker232 whoami]#
Gateway API
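Services are exposed through the Gateway API, an official Kubernetes extension of Ingress.
Reference
Kubernetes Gateway API in practice – cmy – cnblogs (博客园)
3.4 Traefik middleware in practice
A middleware attached to a router is a way to adjust a request before it is sent to your service (or to adjust the service's answer before it is sent to the client).
Traefik provides several middlewares: some modify the request or its headers, some handle redirects, some add authentication, and so on.
Middlewares that use the same protocol can be combined into chains to fit each scenario. Two kinds of middleware are officially supported: HTTP and TCP.
ipAllowList middleware
2.1 Deploy the test service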
[root@master231 ingresses]# cat 12-deploy-xiuxian.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-xiuxian
spec:
  replicas: 1
  selector:
    matchLabels:
      apps: xiuxian
  template:
    metadata:
      labels:
        apps: xiuxian
    spec:
      containers:
      - image: registry.cn-hangzhou.aliyuncs.com/cmy-k8s/apps:v1
        name: c1
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: svc-xiuxian
spec:
  ports:
  - port: 80
  selector:
    apps: xiuxian
[root@master231 ingresses]#
2.2 Test and verify
[root@master231 ingresses]# kubectl apply -f 12-deploy-xiuxian.yaml
deployment.apps/deploy-xiuxian created
service/svc-xiuxian created
[root@master231 ingresses]#
[root@master231 ingresses]# kubectl get -f 12-deploy-xiuxian.yaml
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/deploy-xiuxian 1/1 1 1 7s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/svc-xiuxian ClusterIP 10.200.211.45 <none> 80/TCP 7s
[root@master231 ingresses]#
[root@master231 ingresses]# curl 10.200.211.45
[root@master231 ingresses]# cat 13-ipAllowList-IngressRoute.yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: xiuxian-ipallowlist
  namespace: default
spec:
  ipAllowList:
    sourceRange:
    - 127.0.0.1
    - 10.0.0.0/24
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroute-xiuxian
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`middleware.cmy.com`) && PathPrefix(`/`)
    kind: Rule
    services:
    - name: svc-xiuxian
      port: 80
    middlewares:
    - name: xiuxian-ipallowlist
      namespace: default
[root@master231 ingresses]#
[root@master231 ingresses]# kubectl apply -f 13-ipAllowList-IngressRoute.yaml
middleware.traefik.io/xiuxian-ipallowlist created
ingressroute.traefik.io/ingressroute-xiuxian created
[root@master231 ingresses]#
[root@master231 ingresses]# kubectl describe -f 13-ipAllowList-IngressRoute.yaml
Name: xiuxian-ipallowlist
Namespace: default
Labels: <none>
Annotations: <none>
API Version: traefik.io/v1alpha1
Kind: Middleware
Metadata:
Creation Timestamp: 2025-06-11T07:22:52Z
Generation: 1
Managed Fields:
API Version: traefik.io/v1alpha1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.:
f:kubectl.kubernetes.io/last-applied-configuration:
f:spec:
.:
f:ipAllowList:
.:
f:sourceRange:
Manager: kubectl-client-side-apply
Operation: Update
Time: 2025-06-11T07:22:52Z
Resource Version: 1611594
UID: 001152de-4ec9-4901-b816-bfcaa3e413ad
Spec:
Ip Allow List:
Source Range:
127.0.0.1
10.0.0.0/24
Events: <none>
Name: ingressroute-xiuxian
Namespace: default
Labels: <none>
Annotations: <none>
API Version: traefik.io/v1alpha1
Kind: IngressRoute
Metadata:
Creation Timestamp: 2025-06-11T07:22:52Z
Generation: 1
Managed Fields:
API Version: traefik.io/v1alpha1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.:
f:kubectl.kubernetes.io/last-applied-configuration:
f:spec:
.:
f:entryPoints:
f:routes:
Manager: kubectl-client-side-apply
Operation: Update
Time: 2025-06-11T07:22:52Z
Resource Version: 1611595
UID: 9c42171e-cb63-41da-be3f-90bffc867d84
Spec:
Entry Points:
web
Routes:
Kind: Rule
Match: Host(`middleware.cmy.com`) && PathPrefix(`/`)
Middlewares:
Name: xiuxian-ipallowlist
Namespace: default
Services:
Name: svc-xiuxian
Port: 80
Events: <none>
[root@master231 ingresses]#
2.4 Access test
[root@harbor250 ~]# echo 10.0.0.152 middleware.cmy.com >> /etc/hosts
[root@harbor250 ~]#
[root@harbor250 ~]# tail -1 /etc/hosts
10.0.0.152 middleware.cmy.com
[root@harbor250 ~]#
[root@harbor250 ~]# curl middleware.cmy.com
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<title>cmy apps v1</title>
<style>
div img {
width: 900px;
height: 600px;
margin: 0;
}
</style>
</head>
<body>
<h1 style="color: green">凡人修仙传 v1 </h1>
<div>
<img src="1.jpg">
<div>
</body>
</html>
[root@harbor250 ~]#
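How the allow-list decision comes out for different clients, as an added example (not Traefik's code and not from the original page). It evaluates the page's sourceRange against the address the middleware sees and models the middleware's ipStrategy.depth option, which takes the client IP from X-Forwarded-For counted from the right; the function names and all sample addresses are constructed.

```python
import ipaddress

# sourceRange from 13-ipAllowList-IngressRoute.yaml on this page
SOURCE_RANGE = ["127.0.0.1", "10.0.0.0/24"]


def client_ip(remote_addr, xff_header=None, depth=0):
    """Pick the address the allow-list is evaluated against.

    depth 0 (the default when no ipStrategy is set): the TCP peer address.
    depth N: the Nth entry from the right of X-Forwarded-For; if the header
    holds fewer than N entries the client IP is empty.
    """
    if depth <= 0:
        return remote_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    if depth > len(hops):
        return ""
    return hops[-depth]


def allowed(ip_text, source_range=SOURCE_RANGE):
    """True when ip_text falls inside any entry of source_range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False          # empty or malformed address never matches
    return any(ip in ipaddress.ip_network(entry, strict=False)
               for entry in source_range)


def decide(remote_addr, xff_header=None, depth=0):
    """HTTP status the client gets: 200 when allowed, 403 Forbidden otherwise."""
    return 200 if allowed(client_ip(remote_addr, xff_header, depth)) else 403


# Constructed cases: (description, remote_addr, X-Forwarded-For, depth)
CASES = [
    ("client inside 10.0.0.0/24",                     "10.0.0.250",   None, 0),
    ("client outside the range",                      "192.168.1.20", None, 0),
    # With SNAT in front of Traefik (for example a LoadBalancer svc whose
    # externalTrafficPolicy is Cluster) the peer address is a node address,
    # so an outside client is evaluated as 10.0.0.x and passes.
    ("outside client, SNATed to node 10.0.0.232",     "10.0.0.232",   None, 0),
    # depth 0 ignores X-Forwarded-For entirely.
    ("outside client sending its own XFF",            "192.168.1.20", "10.0.0.5", 0),
    # One trusted proxy appends the real peer (203.0.113.9) on the right.
    ("depth 1 = number of trusted proxies",           "10.0.0.232",   "10.0.0.5, 203.0.113.9", 1),
    # A depth larger than the number of trusted proxies reads a client-supplied entry.
    ("depth 2 with only one trusted proxy",           "10.0.0.232",   "10.0.0.5, 203.0.113.9", 2),
    ("depth beyond the header length",                "10.0.0.232",   "10.0.0.5, 203.0.113.9", 5),
]

if __name__ == "__main__":
    for description, remote, xff, depth in CASES:
        print(f"{decide(remote, xff, depth)}  {description}")
```

The curl from harbor250 above shows only the allowed path; a client outside the listed ranges receives 403 from Traefik without the request reaching svc-xiuxian.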
BasicAuth
3.1 Write the resource manifest
[root@master231 ingresses]# cat 14-basicAuth-secrets-IngressRoute.yaml
apiVersion: v1
kind: Secret
metadata:
  name: login-info
  namespace: default
type: kubernetes.io/basic-auth
stringData:
  username: JasonYin
  password: cmy
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: login-auth
spec:
  basicAuth:
    secret: login-info
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroute-xiuxian
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`auth.cmy.com`) && PathPrefix(`/`)
    kind: Rule
    services:
    - name: svc-xiuxian
      port: 80
    middlewares:
    - name: login-auth
      namespace: default
[root@master231 ingresses]#
3.2 Create the resources
[root@master231 ingresses]# kubectl apply -f 14-basicAuth-secrets-IngressRoute.yaml
secret/login-info created
middleware.traefik.io/login-auth created
ingressroute.traefik.io/ingressroute-xiuxian created
[root@master231 ingresses]#
[root@master231 ingresses]# kubectl describe -f 14-basicAuth-secrets-IngressRoute.yaml
Name: login-info
Namespace: default
Labels: <none>
Annotations: <none>
Type: kubernetes.io/basic-auth
Data
====
password: 11 bytes
username: 8 bytes
Name: login-auth
Namespace: default
Labels: <none>
Annotations: <none>
API Version: traefik.io/v1alpha1
Kind: Middleware
Metadata:
Creation Timestamp: 2025-06-11T07:33:00Z
Generation: 1
Managed Fields:
API Version: traefik.io/v1alpha1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.:
f:kubectl.kubernetes.io/last-applied-configuration:
f:spec:
.:
f:basicAuth:
.:
f:secret:
Manager: kubectl-client-side-apply
Operation: Update
Time: 2025-06-11T07:33:00Z
Resource Version: 1613277
UID: eecde528-832f-49d2-9877-d73e769bb372
Spec:
Basic Auth:
Secret: login-info
Events: <none>
Name: ingressroute-xiuxian
Namespace: default
Labels: <none>
Annotations: <none>
API Version: traefik.io/v1alpha1
Kind: IngressRoute
Metadata:
Creation Timestamp: 2025-06-11T07:33:00Z
Generation: 1
Managed Fields:
API Version: traefik.io/v1alpha1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.:
f:kubectl.kubernetes.io/last-applied-configuration:
f:spec:
.:
f:entryPoints:
f:routes:
Manager: kubectl-client-side-apply
Operation: Update
Time: 2025-06-11T07:33:00Z
Resource Version: 1613278
UID: 7795dc7b-2a2a-4f41-9778-c74709ba6f71
Spec:
Entry Points:
web
Routes:
Kind: Rule
Match: Host(`auth.cmy.com`) && PathPrefix(`/`)
Middlewares:
Name: login-auth
Namespace: default
Services:
Name: svc-xiuxian
Port: 80
Events: <none>
[root@master231 ingresses]#
3.3 Access test
[root@harbor250 ~]# echo 10.0.0.152 auth.cmy.com >> /etc/hosts
[root@harbor250 ~]# tail -1 /etc/hosts
10.0.0.152 auth.cmy.com
[root@harbor250 ~]#
[root@harbor250 ~]# curl auth.cmy.com
401 Unauthorized
[root@harbor250 ~]#
[root@harbor250 ~]# curl -u jasonyin:cmy auth.cmy.com
401 Unauthorized
[root@harbor250 ~]#
[root@harbor250 ~]# curl -u JasonYin:cmy auth.cmy.com
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<title>cmy apps v1</title>
<style>
div img {
width: 900px;
height: 600px;
margin: 0;
}
</style>
</head>
<body>
<h1 style="color: green">凡人修仙传 v1 </h1>
<div>
<img src="1.jpg">
<div>
</body>
</html>
[root@harbor250 ~]#
Advanced use case: load balancing
2.1 Create the resources
[root@master231 ingresses]# cat 16-IngressRoute-lb-xiuxian.yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroute-lb
  namespace: default
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`lb.cmy.com`) && PathPrefix(`/`)
    kind: Rule
    services:
    - name: svc-web01
      port: 80
      namespace: default
    - name: svc-web02
      port: 80
      namespace: default
[root@master231 ingresses]#
[root@master231 ingresses]# kubectl apply -f 16-IngressRoute-lb-xiuxian.yaml
ingressroute.traefik.io/ingressroute-lb created
[root@master231 ingresses]#
[root@master231 ingresses]# kubectl describe -f 16-IngressRoute-lb-xiuxian.yaml
Name: ingressroute-lb
Namespace: default
Labels: <none>
Annotations: <none>
API Version: traefik.io/v1alpha1
Kind: IngressRoute
Metadata:
Creation Timestamp: 2025-06-11T08:39:44Z
Generation: 1
Managed Fields:
API Version: traefik.io/v1alpha1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.:
f:kubectl.kubernetes.io/last-applied-configuration:
f:spec:
.:
f:entryPoints:
f:routes:
Manager: kubectl-client-side-apply
Operation: Update
Time: 2025-06-11T08:39:44Z
Resource Version: 1624413
UID: e9fd75ad-8964-470a-bc46-a1d34d09fdfb
Spec:
Entry Points:
web
Routes:
Kind: Rule
Match: Host(`lb.cmy.com`) && PathPrefix(`/`)
Services:
Name: svc-web01
Namespace: default
Port: 80
Name: svc-web02
Namespace: default
Port: 80
Events: <none>
[root@master231 ingresses]#
2.2 Test and verify
[root@harbor250 ~]# echo 10.0.0.152 lb.cmy.com >> /etc/hosts
[root@harbor250 ~]#
[root@harbor250 ~]# tail -1 /etc/hosts
10.0.0.152 lb.cmy.com
[root@harbor250 ~]#
[root@harbor250 ~]# for i in `seq 10`; do curl -s lb.cmy.com;done
<h1> 【web02】 NameSpace: default, PodName: deploy-web02-6cf97565db-ksphq, PodIP:10.100.203.186</h1>
<h1> 【web01】 NameSpace: default, PodName: deploy-web01-6bc58b4f9c-s9b2t, PodIP:10.100.203.141</h1>
<h1> 【web02】 NameSpace: default, PodName: deploy-web02-6cf97565db-ksphq, PodIP:10.100.203.186</h1>
<h1> 【web01】 NameSpace: default, PodName: deploy-web01-6bc58b4f9c-s9b2t, PodIP:10.100.203.141</h1>
<h1> 【web02】 NameSpace: default, PodName: deploy-web02-6cf97565db-ksphq, PodIP:10.100.203.186</h1>
<h1> 【web01】 NameSpace: default, PodName: deploy-web01-6bc58b4f9c-s9b2t, PodIP:10.100.203.141</h1>
<h1> 【web02】 NameSpace: default, PodName: deploy-web02-6cf97565db-ksphq, PodIP:10.100.203.186</h1>
<h1> 【web01】 NameSpace: default, PodName: deploy-web01-6bc58b4f9c-s9b2t, PodIP:10.100.203.141</h1>
<h1> 【web02】 NameSpace: default, PodName: deploy-web02-6cf97565db-ksphq, PodIP:10.100.203.186</h1>
<h1> 【web01】 NameSpace: default, PodName: deploy-web01-6bc58b4f9c-s9b2t, PodIP:10.100.203.141</h1>
[root@harbor250 ~]#
[root@harbor250 ~]#
[root@harbor250 ~]# for i in `seq 10`; do curl -s lb.cmy.com;done | sort | uniq -c
5 <h1> 【web01】 NameSpace: default, PodName: deploy-web01-6bc58b4f9c-s9b2t, PodIP:10.100.203.141</h1>
5 <h1> 【web02】 NameSpace: default, PodName: deploy-web02-6cf97565db-ksphq, PodIP:10.100.203.186</h1>
[root@harbor250 ~]#
Advanced use case: canary (gray) release
3.1 Create the resources
[root@master231 ingresses]# cat 17-TraefikService-weighted.yaml
apiVersion: traefik.io/v1alpha1
kind: TraefikService
metadata:
  name: traefikservices-wrr
  namespace: default
spec:
  # Weight-based scheduling
  weighted:
    services:
    - name: svc-web01
      port: 80
      # Weight of the traffic scheduled to this svc
      weight: 4
      # Valid values for the kind are: Service (default), TraefikService
      kind: Service
    - name: svc-web02
      port: 80
      weight: 1
[root@master231 ingresses]#
[root@master231 ingresses]#
[root@master231 ingresses]# cat 18-IngressRoute-TraefikService.yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroute-lb-wrr
  namespace: default
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`lb.cmy.com`) && PathPrefix(`/`)
    kind: Rule
    services:
    # Name of the TraefikService
    - name: traefikservices-wrr
      namespace: default
      # Note: the kind is no longer the k8s Service but Traefik's own TraefikService
      kind: TraefikService
[root@master231 ingresses]#
[root@master231 ingresses]# kubectl delete -f 16-IngressRoute-lb-xiuxian.yaml
ingressroute.traefik.io "ingressroute-lb" deleted
[root@master231 ingresses]#
[root@master231 ingresses]# kubectl apply -f 17-TraefikService-weighted.yaml -f 18-IngressRoute-TraefikService.yaml
traefikservice.traefik.io/traefikservices-wrr created
ingressroute.traefik.io/ingressroute-lb-wrr created
[root@master231 ingresses]#
[root@master231 ingresses]#
3.2 Test and verify
[root@harbor250 ~]# for i in `seq 10`; do curl -s lb.cmy.com; done
<h1> 【web01】 NameSpace: default, PodName: deploy-web01-6bc58b4f9c-s9b2t, PodIP:10.100.203.141</h1>
<h1> 【web01】 NameSpace: default, PodName: deploy-web01-6bc58b4f9c-s9b2t, PodIP:10.100.203.141</h1>
<h1> 【web01】 NameSpace: default, PodName: deploy-web01-6bc58b4f9c-s9b2t, PodIP:10.100.203.141</h1>
<h1> 【web02】 NameSpace: default, PodName: deploy-web02-6cf97565db-ksphq, PodIP:10.100.203.186</h1>
<h1> 【web01】 NameSpace: default, PodName: deploy-web01-6bc58b4f9c-s9b2t, PodIP:10.100.203.141</h1>
<h1> 【web01】 NameSpace: default, PodName: deploy-web01-6bc58b4f9c-s9b2t, PodIP:10.100.203.141</h1>
<h1> 【web01】 NameSpace: default, PodName: deploy-web01-6bc58b4f9c-s9b2t, PodIP:10.100.203.141</h1>
<h1> 【web01】 NameSpace: default, PodName: deploy-web01-6bc58b4f9c-s9b2t, PodIP:10.100.203.141</h1>
<h1> 【web02】 NameSpace: default, PodName: deploy-web02-6cf97565db-ksphq, PodIP:10.100.203.186</h1>
<h1> 【web01】 NameSpace: default, PodName: deploy-web01-6bc58b4f9c-s9b2t, PodIP:10.100.203.141</h1>
[root@harbor250 ~]#
[root@harbor250 ~]# for i in `seq 10`; do curl -s lb.cmy.com; done | sort | uniq -c
8 <h1> 【web01】 NameSpace: default, PodName: deploy-web01-6bc58b4f9c-s9b2t, PodIP:10.100.203.141</h1>
2 <h1> 【web02】 NameSpace: default, PodName: deploy-web02-6cf97565db-ksphq, PodIP:10.100.203.186</h1>
[root@harbor250 ~]#
3.3 Delete the test case
[root@master231 ingresses]# kubectl delete -f 17-TraefikService-weighted.yaml -f 18-IngressRoute-TraefikService.yaml
traefikservice.traefik.io "traefikservices-wrr" deleted
ingressroute.traefik.io "ingressroute-lb-wrr" deleted
[root@master231 ingresses]#
Traefik advanced use case: traffic mirroring (shadow traffic)
4.1 Write the resource manifests
[root@master231 ingresses]# cat 19-TraefikService-mirroring.yaml
apiVersion: traefik.io/v1alpha1
kind: TraefikService
metadata:
  name: traefikservices-mirroring
  namespace: default
spec:
  # Send 100% of the requests to the K8S Service named "svc-web01".
  mirroring:
    kind: Service
    name: svc-web01
    port: 80
    # Send 20% of those requests to the k8s Service named "svc-web02".
    mirrors:
    - name: svc-web02
      port: 80
      # That is, a copy of 20% of the request traffic is sent to the other service 'svc-web02', and the responses to those requests are ignored; this is useful for load testing or for reproducing a problem.
      percent: 20
[root@master231 ingresses]#
[root@master231 ingresses]#
[root@master231 ingresses]# cat 20-IngressRoute-TraefikService.yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroute-mirror
  namespace: default
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`lb.cmy.com`) && PathPrefix(`/`)
    kind: Rule
    services:
    - name: traefikservices-mirroring
      namespace: default
      kind: TraefikService
[root@master231 ingresses]#
[root@master231 ingresses]#
[root@master231 ingresses]# kubectl apply -f 19-TraefikService-mirroring.yaml -f 20-IngressRoute-TraefikService.yaml
traefikservice.traefik.io/traefikservices-mirroring created
ingressroute.traefik.io/ingressroute-mirror created
[root@master231 ingresses]#
[root@master231 ingresses]#
4.2 Test and verify
[root@harbor250 ~]# for i in `seq 10`; do curl -s lb.cmy.com; done
<h1> 【web01】 NameSpace: default, PodName: deploy-web01-6bc58b4f9c-s9b2t, PodIP:10.100.203.141</h1>
<h1> 【web01】 NameSpace: default, PodName: deploy-web01-6bc58b4f9c-s9b2t, PodIP:10.100.203.141</h1>
<h1> 【web01】 NameSpace: default, PodName: deploy-web01-6bc58b4f9c-s9b2t, PodIP:10.100.203.141</h1>
<h1> 【web01】 NameSpace: default, PodName: deploy-web01-6bc58b4f9c-s9b2t, PodIP:10.100.203.141</h1>
<h1> 【web01】 NameSpace: default, PodName: deploy-web01-6bc58b4f9c-s9b2t, PodIP:10.100.203.141</h1>
<h1> 【web01】 NameSpace: default, PodName: deploy-web01-6bc58b4f9c-s9b2t, PodIP:10.100.203.141</h1>
<h1> 【web01】 NameSpace: default, PodName: deploy-web01-6bc58b4f9c-s9b2t, PodIP:10.100.203.141</h1>
<h1> 【web01】 NameSpace: default, PodName: deploy-web01-6bc58b4f9c-s9b2t, PodIP:10.100.203.141</h1>
<h1> 【web01】 NameSpace: default, PodName: deploy-web01-6bc58b4f9c-s9b2t, PodIP:10.100.203.141</h1>
<h1> 【web01】 NameSpace: default, PodName: deploy-web01-6bc58b4f9c-s9b2t, PodIP:10.100.203.141</h1>
[root@harbor250 ~]#