204 lines
5.3 KiB
Markdown
204 lines
5.3 KiB
Markdown
---
|
||
title: Traefik Ingress Controller 部署与 RBAC 配置指南
|
||
description: 完整的 Kubernetes Traefik v2.10 部署教程,包含 RBAC 权限配置、ServiceAccount、ClusterRole、ClusterRoleBinding 设置,解决 ingresses.networking.k8s.io forbidden 权限问题,使用 NodePort 暴露服务
|
||
tags:
|
||
- kubernetes
|
||
- traefik
|
||
- ingress-controller
|
||
- rbac
|
||
- clusterrole
|
||
- clusterrolebinding
|
||
- serviceaccount
|
||
- deployment
|
||
- nodeport
|
||
- permissions
|
||
- networking
|
||
createdAt: 2025-11-26T04:30:00Z
|
||
---
|
||
|
||
# Traefik Ingress Controller 部署
|
||
|
||
本文档介绍如何使用 YAML 清单在 Kubernetes 集群中部署 Traefik Ingress Controller,包含完整的 RBAC 权限配置。
|
||
|
||
## 部署步骤
|
||
|
||
### 1. 创建 Traefik 命名空间
|
||
|
||
```bash
|
||
kubectl create namespace traefik
|
||
```
|
||
|
||
### 2. 应用 Traefik CRDs
|
||
|
||
```bash
|
||
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
|
||
```
|
||
|
||
### 3. 配置 RBAC 权限(重要)
|
||
|
||
创建 `traefik-rbac.yaml` 文件,配置必要的权限:
|
||
|
||
```bash
|
||
kubectl apply -f /Users/xion/kevisual/k8s-docs/k8s/xiongxiao.me/traefik/traefik-rbac.yaml
|
||
```
|
||
|
||
RBAC 配置包含:
|
||
|
||
- **ServiceAccount**:traefik 服务账户
|
||
- **ClusterRole**:定义访问 Kubernetes 资源的权限
|
||
- 读取 Services、Endpoints、Secrets
|
||
- 读取和监听 Ingresses、IngressClasses
|
||
- 更新 Ingress 状态
|
||
- 访问 Traefik CRDs
|
||
- **ClusterRoleBinding**:将 ClusterRole 绑定到 ServiceAccount
|
||
|
||
### 4. 部署 Traefik
|
||
|
||
使用 `traefik-deployment.yaml` 配置文件部署 Traefik:
|
||
|
||
```bash
|
||
kubectl apply -f /Users/xion/kevisual/k8s-docs/k8s/xiongxiao.me/traefik/traefik-deployment.yaml
|
||
```
|
||
|
||
配置文件内容说明:
|
||
|
||
**Deployment**:
|
||
- 使用 Traefik v2.10 镜像
|
||
- 引用前面创建的 ServiceAccount:`traefik`
|
||
- 配置参数:
|
||
- `--api.insecure=true`:启用管理 API(生产环境建议禁用)
|
||
- `--providers.kubernetesingress=true`:启用 Kubernetes Ingress 支持
|
||
- `--entrypoints.web.address=:80`:HTTP 入口点
|
||
- `--entrypoints.websecure.address=:443`:HTTPS 入口点
|
||
- 暴露端口:80、443、8080(管理界面)
|
||
|
||
**Service**:
|
||
- 类型:NodePort
|
||
- 端口映射:
|
||
- HTTP: 80 → NodePort 30080
|
||
- HTTPS: 443 → NodePort 30443
|
||
- Admin: 8080 → 集群内部访问
|
||
|
||
**IngressClass**:
|
||
- 名称:traefik
|
||
- Controller:traefik.io/ingress-controller
|
||
|
||
### 5. 验证部署
|
||
|
||
```bash
|
||
# 查看 RBAC 配置
|
||
kubectl get serviceaccount traefik -n traefik
|
||
kubectl get clusterrole traefik-ingress-controller
|
||
kubectl get clusterrolebinding traefik-ingress-controller
|
||
|
||
# 查看 Pod 状态
|
||
kubectl get pods -n traefik
|
||
|
||
# 查看 Service
|
||
kubectl get svc -n traefik
|
||
|
||
# 查看 IngressClass
|
||
kubectl get ingressclass
|
||
|
||
# 查看日志(确认没有权限错误)
|
||
kubectl logs -n traefik -l app=traefik
|
||
```
|
||
|
||
预期日志中不应出现类似错误:
|
||
```
|
||
Failed to watch *v1.Ingress: ingresses.networking.k8s.io is forbidden
|
||
```
|
||
|
||
## 访问方式
|
||
|
||
部署完成后,Traefik 通过 NodePort 方式暴露服务:
|
||
|
||
- **HTTP 访问**:`http://<任意Node-IP>:30080`
|
||
- **HTTPS 访问**:`https://<任意Node-IP>:30443`
|
||
- **管理界面**:通过端口转发访问
|
||
|
||
```bash
|
||
# 访问 Traefik Dashboard
|
||
kubectl port-forward -n traefik svc/traefik 8080:8080
|
||
# 浏览器打开 http://localhost:8080/dashboard/
|
||
```
|
||
|
||
## 配置 Ingress
|
||
|
||
创建 Ingress 资源时,指定 `ingressClassName: traefik`:
|
||
|
||
```yaml
|
||
apiVersion: networking.k8s.io/v1
|
||
kind: Ingress
|
||
metadata:
|
||
name: verdaccio-ingress
|
||
annotations:
|
||
traefik.ingress.kubernetes.io/router.entrypoints: web
|
||
spec:
|
||
ingressClassName: traefik
|
||
rules:
|
||
- host: npm.xiongxiao.me
|
||
http:
|
||
paths:
|
||
- path: /
|
||
pathType: Prefix
|
||
backend:
|
||
service:
|
||
name: verdaccio-service
|
||
port:
|
||
number: 82
|
||
```
|
||
|
||
访问应用时需要使用 NodePort 端口,例如:`http://npm.xiongxiao.me:30080`
|
||
|
||
## 常见问题
|
||
|
||
### 1. 权限错误:ingresses.networking.k8s.io is forbidden
|
||
|
||
**症状**:Traefik 日志中出现权限错误
|
||
|
||
**解决**:确保已正确应用 `traefik-rbac.yaml` 配置,包含 ClusterRole 和 ClusterRoleBinding
|
||
|
||
### 2. 404 Page Not Found
|
||
|
||
**排查步骤**:
|
||
```bash
|
||
# 检查 Ingress 是否被识别
|
||
kubectl describe ingress verdaccio-ingress
|
||
|
||
# 查看 Traefik 路由
|
||
kubectl port-forward -n traefik svc/traefik 8080:8080
|
||
# 访问 http://localhost:8080/dashboard/ 查看路由配置
|
||
|
||
# 确认 Service 正常
|
||
kubectl get svc verdaccio-service
|
||
kubectl get endpoints verdaccio-service
|
||
```
|
||
|
||
## 注意事项
|
||
|
||
1. **生产环境建议**:
|
||
- 关闭 `--api.insecure=true`,使用安全的方式访问 Dashboard
|
||
- 使用 LoadBalancer 类型的 Service(如果云环境支持)
|
||
- 配置 TLS 证书和 HTTPS
|
||
- 限制 ServiceAccount 权限范围(使用 Role 而非 ClusterRole)
|
||
|
||
2. **DNS 配置**:
|
||
- 将域名解析到任意一个 Node 节点的 IP
|
||
- 确保防火墙开放 30080 和 30443 端口
|
||
|
||
3. **高可用性**:
|
||
- 增加 Traefik 副本数(修改 `replicas`)
|
||
- 使用 DaemonSet 在每个节点运行 Traefik
|
||
- 配置外部负载均衡器
|
||
|
||
4. **命名空间隔离**:
|
||
- 当前配置使用 ClusterRole,可以访问所有命名空间的 Ingress
|
||
- 如需限制访问范围,改用 Role 和 RoleBinding
|
||
|
||
|
||
##
|
||
|
||
wget http://verdaccio-service.default.svc.cluster.local:4873
|
||
|
||
wget http://10.43.17.172:4873 |