traefik setup on gke not working
I am following the user guide (https://docs.traefik.io/user-guide/kubernetes/) to get traefik running in GKE.
Instead of the dashboard I get a 404. I am guessing something is wrong with the RBAC setup, but I can't figure it out.
Any help would be greatly appreciated.
The ingress controller log shows constant traffic (one entry per second):
E0714 12:19:56.665790 1 reflector.go:205] github.com/containous/traefik/vendor/k8s.io/client-go/informers/factory.go:86: Failed to list *v1.Service: services is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list services at the cluster scope: Unknown user "system:serviceaccount:kube-system:traefik-ingress-controller"
And the traefik pod itself keeps spewing:
E0714 12:17:45.108356 1 reflector.go:205] github.com/containous/traefik/vendor/k8s.io/client-go/informers/factory.go:86: Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User "system:serviceaccount:default:default" cannot list ingresses.extensions in the namespace "kube-system": Unknown user "system:serviceaccount:default:default"
E0714 12:17:45.708160 1 reflector.go:205] github.com/containous/traefik/vendor/k8s.io/client-go/informers/factory.go:86: Failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:default" cannot list services in the namespace "default": Unknown user "system:serviceaccount:default:default"
E0714 12:17:45.714057 1 reflector.go:205] github.com/containous/traefik/vendor/k8s.io/client-go/informers/factory.go:86: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:default:default" cannot list endpoints in the namespace "kube-system": Unknown user "system:serviceaccount:default:default"
E0714 12:17:45.714829 1 reflector.go:205] github.com/containous/traefik/vendor/k8s.io/client-go/informers/factory.go:86: Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User "system:serviceaccount:default:default" cannot list ingresses.extensions in the namespace "default": Unknown user "system:serviceaccount:default:default"
E0714 12:17:45.715653 1 reflector.go:205] github.com/containous/traefik/vendor/k8s.io/client-go/informers/factory.go:86: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:default:default" cannot list endpoints in the namespace "default": Unknown user "system:serviceaccount:default:default"
E0714 12:17:45.716659 1 reflector.go:205] github.com/containous/traefik/vendor/k8s.io/client-go/informers/factory.go:86: Failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:default" cannot list services in the namespace "kube-system": Unknown user "system:serviceaccount:default:default"
I created the clusterrole using:
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups: [""]
    resources: ["servies", "endpoints", "secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system
And then deployed traefik as a Deployment:
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
        - name: admin
          containerPort: 8080
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
  type: LoadBalancer
When installing traefik with helm I used the following values file:
dashboard:
  enabled: true
  domain: traefik.example.com
kubernetes:
  namespaces:
    - default
    - kube-system
Finally, for the UI I used the following yaml:
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - name: web
    port: 80
    targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  rules:
  - host: traefik.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: web
Thanks for looking!
(edit: fixed typo in title)
Since the namespace "kube-system" is handled by the master node, you will not be able to deploy anything on that particular namespace. The master node in GKE is a managed service and is currently not accessible to users.
If you want to have this feature, then the only suggestion I can offer at the moment is to create your own custom cluster from scratch. This would give you access to the master node, and you would have the option to customize the cluster to your liking.
Edit: I was able to find instructions on github on how to use Traefik as a GKE load balancer. I would suggest testing it before running it in your production cluster.
I think your problem is that you are setting up the ClusterRoleBinding with the name "traefik-ingress-controller" and the namespace "kube-system", but Traefik is running in the default namespace with the default serviceaccount.
Try changing the ClusterRoleBinding to:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
Or deploy your system with the service account "traefik-ingress-controller" in the namespace "kube-system".
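As an added example (not from the question or either answer), a small Python check that reads RBAC denial lines like the ones logged above and says, per service account, whether the problem is a ServiceAccount missing from the ClusterRoleBinding or a ClusterRole rule that does not grant the verb; it also flags resource names in the rules that are near misses for the denied resource. The role, binding and sample log lines are constructed from the values posted on this page (the `...` stands for the vendor path in the real lines).

```python
import difflib
import re

# Pattern for the RBAC denial text that client-go's reflector logs (as in the errors above).
DENIAL = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:]+):(?P<sa>[^"]+)" cannot '
    r'(?P<verb>\w+) (?P<resource>[\w.]+) '
    r'(?:at the cluster scope|in the namespace "[^"]+")'
)

# Constructed from the posted ClusterRole/ClusterRoleBinding, as dicts to avoid a YAML
# dependency; the "servies" spelling is copied exactly as posted.
CLUSTER_ROLE = {"rules": [
    {"apiGroups": [""], "resources": ["servies", "endpoints", "secrets"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions"], "resources": ["ingresses"], "verbs": ["get", "list", "watch"]},
]}
SUBJECTS = [{"kind": "ServiceAccount", "name": "traefik-ingress-controller", "namespace": "kube-system"}]

# Constructed sample: one denial line from each pod's log on this page plus one non-denial line.
SAMPLE_LOG = [
    'E0714 12:19:56.665790 1 reflector.go:205] ...: Failed to list *v1.Service: services is forbidden: '
    'User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list services at the cluster scope: '
    'Unknown user "system:serviceaccount:kube-system:traefik-ingress-controller"',
    'E0714 12:17:45.108356 1 reflector.go:205] ...: Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: '
    'User "system:serviceaccount:default:default" cannot list ingresses.extensions in the namespace "kube-system": '
    'Unknown user "system:serviceaccount:default:default"',
    'I0714 12:17:45.000000 1 server.go:100] Serving on :8080',  # constructed, not a denial
]


def diagnose(line, role=CLUSTER_ROLE, subjects=SUBJECTS):
    """Explain one denial line against the role and binding; None if the line is not a denial."""
    m = DENIAL.search(line)
    if not m:
        return None
    ns, sa, verb = m["ns"], m["sa"], m["verb"]
    plain = m["resource"].split(".")[0]  # "ingresses.extensions" -> "ingresses"
    if not any(s["kind"] == "ServiceAccount" and (s["name"], s["namespace"]) == (sa, ns) for s in subjects):
        return f"{ns}:{sa} is not a subject of the ClusterRoleBinding (pod runs as an unbound service account)"
    if any(verb in r["verbs"] and plain in r["resources"] for r in role["rules"]):
        return f"{ns}:{sa} is bound and a rule grants {verb} on {plain}; check the roleRef name"
    granted = [x for r in role["rules"] for x in r["resources"]]
    near = difflib.get_close_matches(plain, granted, n=1)
    hint = f" (rule has '{near[0]}', likely a misspelling of '{plain}')" if near else ""
    return f"no rule grants {verb} on {plain} to {ns}:{sa}{hint}"


def audit(lines):
    """Diagnoses for every denial line, in order; non-denial lines are skipped."""
    return [d for d in (diagnose(l) for l in lines) if d]


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Point it at `kubectl logs` output of the Traefik pod and the rules and subjects loaded from your own manifests; a denial that survives after both checks pass usually means the binding's roleRef names a different role.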