== Accessing a Deployment using an Ingress ==
[https://kubernetes.io/docs/concepts/services-networking/ingress/ Ingresses] are like Services, but for HTTP only. This specialisation allows adding a number of additional features, such as having multiple applications behind one URL or hostname (e.g. micro-services), SSL termination and splitting load between different versions of the same service (canarying).
Ingress is currently in beta (v1beta1), meaning that the feature is well-tested and will continue to exist, but details may change. Consider this before using it in production.
Like LoadBalancer Services, creating an Ingress does not immediately change anything in the cluster. You need to have an Ingress Controller for anything to change in the cluster after you create an Ingress. There are many [https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/ Ingress Controller plugins] to choose from; I will try [https://github.com/containous/traefik Traefik] since it supports Let's Encrypt out of the box. (Some cloud providers may provide an Ingress Controller out of the box.)
First of all, we set up Traefik. For this, we'll need to create some resource types we haven't seen before: service accounts, cluster roles and cluster role bindings, and config maps. Bear with me for a bit while we set up Traefik:
<pre>
$ cat traefik-account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
$ kubectl apply -f traefik-account.yaml
serviceaccount/traefik-ingress-controller created
clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller created
clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller created
</pre>
Now we create a ConfigMap for Traefik's configuration:
<pre>
$ cat traefik-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-configmap
  namespace: kube-system
data:
  traefik.toml: |
    defaultEntryPoints = ["http", "https"]
    insecureSkipVerify = true
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
      [entryPoints.admin]
      address = ":8080"
    [kubernetes]
      [kubernetes.ingressEndpoint]
      publishedService = "kube-system/traefik-ingress-service-external"
    [api]
    entryPoint = "admin"
$ kubectl apply -f traefik-configmap.yaml
configmap/traefik-configmap created
</pre>
That being done, we now start the Traefik deployment:
<pre>
$ cat traefik.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: traefik-ingress
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      volumes:
        - name: traefik-configmap
          configMap:
            name: traefik-configmap
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
        - image: traefik
          name: traefik-ingress-lb
          ports:
            - name: web
              containerPort: 80
            - name: https
              containerPort: 443
            - name: admin
              containerPort: 8080
          volumeMounts:
            - mountPath: "/config"
              name: "traefik-configmap"
          args:
            - --loglevel=INFO
            - --configfile=/config/traefik.toml
$ kubectl apply -f traefik.yaml
deployment.extensions/traefik-ingress created
</pre>
What did this do?
* We created the service account and the privileges Traefik needs to find Ingresses, Services and Endpoints (read-only: get, list and watch).
* We created a ConfigMap, an object holding static data that is commonly mounted as a Volume to supply configuration inside Pods. This ConfigMap causes Traefik to listen on ports 80, 443 and 8080.
* Then, we created a Deployment that runs the Traefik image with the given ConfigMap and service account.
* Note that you won't find these deployments and pods using the normal <code>kubectl get pods</code> (etc.) commands unless you give <code>-n kube-system</code> to select the kube-system namespace.
You should see a <code>traefik-ingress-...</code> pod with status <code>Running</code> when you run <code>kubectl get pods -n kube-system</code>; if that's not the case, you should stop here and investigate what's wrong.
To use Traefik, we'll configure two things:
* External connections end up at it
* It reads the hostname and path of requests, and sends them onwards to the correct Service
The first we have already discussed: on a cloud provider it requires setting up a LoadBalancer Service; if you're not on one, like me, you can set up a ClusterIP Service with an externalIP, and the single-point-of-failure side note from before applies here as well. (Note that we expose only ports 80 and 443, not 8080, which is Traefik's administrator port.)
<pre>
$ cat traefik-service-external.yaml
apiVersion: v1
kind: Service
metadata:
  name: traefik-ingress-service-external
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 443
      name: https
  externalIPs:
    - "145.131.8.75"
</pre>
The <code>externalIPs</code> mentioned here should be the external IP of one of your Nodes. At this point you can also create a record in DNS to point to this IP address if you want; I created <code>kubetest.sjorsgielen.nl IN A 145.131.8.75</code>.
Having this set up should cause <code>http://kubetest.sjorsgielen.nl/</code> to end up within Traefik. It will give a "404 page not found" result, as Traefik doesn't know about any Ingresses yet to forward your request to.
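Before relying on this setup it is worth checking the ConfigMap and the Service against each other. The following script is an added example, not code from this article or from Traefik: it parses the small TOML subset used by the <code>traefik.toml</code> above (the <code>[kubernetes]</code> section is left out as irrelevant to the check) and reports <code>insecureSkipVerify = true</code>, which makes Traefik skip verification of backend TLS certificates, and any case where the Service publishes the port behind the <code>api</code> entrypoint. The exposed-port list mirrors the Service above (80 and 443 only).

```python
import re
# Entrypoint/api part of the traefik.toml from the ConfigMap above; the Service publishes 80 and 443 only.
TRAEFIK_TOML = """
defaultEntryPoints = ["http", "https"]
insecureSkipVerify = true
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[entryPoints.admin]
address = ":8080"
[api]
entryPoint = "admin"
"""
EXPOSED_PORTS = [80, 443]

def _value(raw):
    # Value forms used in this file: boolean, array of strings, plain string.
    if raw in ("true", "false"):
        return raw == "true"
    return re.findall(r'"([^"]*)"', raw) if raw.startswith("[") else raw.strip('"')

def parse_toml_subset(text):
    # Handles [dotted.table] headers and key = value lines only; not a full TOML parser.
    root = table = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        header = re.fullmatch(r"\[([\w.]+)\]", line)
        if header:
            table = root
            for part in header.group(1).split("."):
                table = table.setdefault(part, {})
            continue
        key, _, raw = line.partition("=")
        table[key.strip()] = _value(raw.strip())
    return root

def audit_traefik(toml_text, exposed_ports):
    # Findings: unverified backend TLS, and the api/dashboard entrypoint reachable through the Service.
    cfg = parse_toml_subset(toml_text)
    findings = []
    if cfg.get("insecureSkipVerify") is True:
        findings.append("insecureSkipVerify=true: backend TLS certificates are not verified")
    api_ep = cfg.get("api", {}).get("entryPoint")
    port = int(cfg.get("entryPoints", {}).get(api_ep, {}).get("address", ":0").rsplit(":", 1)[1])
    if api_ep and port in exposed_ports:
        findings.append(f"api entrypoint '{api_ep}' (port {port}) is published by the Service")
    return findings
```

With the Service as written, only the <code>insecureSkipVerify</code> finding is reported; adding 8080 to the Service's ports produces a second one.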
= Creating your own images =