traefik setup on gke not working

I'm trying to get traefik running in GKE, following the user guide (https://docs.traefik.io/user-guide/kubernetes/).

Instead of seeing the dashboard, I get a 404. I guess there's a problem with the RBAC setup somewhere but I can't figure it out.

Any help would be greatly appreciated.

The ingress controller log shows a constant flow of (one each second):

E0714 12:19:56.665790 1 reflector.go:205] github.com/containous/traefik/vendor/k8s.io/client-go/informers/factory.go:86: Failed to list *v1.Service: services is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list services at the cluster scope: Unknown user "system:serviceaccount:kube-system:traefik-ingress-controller"

and the traefik pod itself constantly spews:

E0714 12:17:45.108356 1 reflector.go:205] github.com/containous/traefik/vendor/k8s.io/client-go/informers/factory.go:86: Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User "system:serviceaccount:default:default" cannot list ingresses.extensions in the namespace "kube-system": Unknown user "system:serviceaccount:default:default"

E0714 12:17:45.708160 1 reflector.go:205] github.com/containous/traefik/vendor/k8s.io/client-go/informers/factory.go:86: Failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:default" cannot list services in the namespace "default": Unknown user "system:serviceaccount:default:default"

E0714 12:17:45.714057 1 reflector.go:205] github.com/containous/traefik/vendor/k8s.io/client-go/informers/factory.go:86: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:default:default" cannot list endpoints in the namespace "kube-system": Unknown user "system:serviceaccount:default:default"

E0714 12:17:45.714829 1 reflector.go:205] github.com/containous/traefik/vendor/k8s.io/client-go/informers/factory.go:86: Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User "system:serviceaccount:default:default" cannot list ingresses.extensions in the namespace "default": Unknown user "system:serviceaccount:default:default"

E0714 12:17:45.715653 1 reflector.go:205] github.com/containous/traefik/vendor/k8s.io/client-go/informers/factory.go:86: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:default:default" cannot list endpoints in the namespace "default": Unknown user "system:serviceaccount:default:default"

E0714 12:17:45.716659 1 reflector.go:205] github.com/containous/traefik/vendor/k8s.io/client-go/informers/factory.go:86: Failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:default" cannot list services in the namespace "kube-system": Unknown user "system:serviceaccount:default:default"

I created the clusterrole using:

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups: [""]
    resources: ["servies", "endpoints", "secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system

and then deployed traefik as deployment:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
        - name: admin
          containerPort: 8080
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
  type: LoadBalancer

when using helm to install traefik I used the following values file:

dashboard:
  enabled: true
  domain: traefik.example.com
kubernetes:
  namespaces:
    - default
    - kube-system

and finally, for the UI I used the following yaml:

---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - name: web
    port: 80
    targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  rules:
  - host: traefik.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: web

thanks for looking!

(edit: corrected typo in title)

Since the namespace "kube-system" is handled by the Master node, you will not be able to deploy anything on that specific namespace. The Master node within GKE is a managed service and is not accessible to users at this time.

If you would like to have this functionality, then the only suggestion I can provide at this time is to create your own custom cluster from scratch. This will allow you to have access to the Master Node and you would have the option to customize your cluster to your liking.

Edit: I was able to find instructions from github on how to use Traefik as a GKE loadbalancer. I would suggest testing this first before running it in your production cluster.

I think your problem is that you're setting up a ClusterRoleBinding with name "traefik-ingress-controller" and namespace "kube-system" but Traefik is running in namespace default with serviceaccount default.

Try changing your ClusterRoleBinding to:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: default
  namespace: default

Or deploy your system with serviceaccount "traefik-ingress-controller" and in namespace "kube-system"
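
The mismatch described in the answer above can be checked mechanically. The following is an added example, not part of the original posts: it parses "forbidden" lines like those in the question and compares the identity and resource in each against the ClusterRoleBinding subjects and ClusterRole rules. The manifests are transcribed from the question as Python dicts, and the names `explain`, `LOGS`, `RULES` and `SUBJECTS` are hypothetical.

```python
import re

# Constructed sample: two denial lines shortened from the logs in the question.
LOGS = [
    'Failed to list *v1.Service: services is forbidden: User '
    '"system:serviceaccount:kube-system:traefik-ingress-controller" '
    'cannot list services at the cluster scope',
    'Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User '
    '"system:serviceaccount:default:default" cannot list ingresses.extensions '
    'in the namespace "kube-system"',
]

# ClusterRole rules and ClusterRoleBinding subjects as posted in the question.
RULES = [
    {"apiGroups": [""], "resources": ["servies", "endpoints", "secrets"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions"], "resources": ["ingresses"],
     "verbs": ["get", "list", "watch"]},
]
SUBJECTS = [{"kind": "ServiceAccount", "name": "traefik-ingress-controller",
             "namespace": "kube-system"}]

DENIAL = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^:"]+)" '
    r'cannot (?P<verb>\w+) (?P<res>[\w.]+)')


def explain(line, rules=RULES, subjects=SUBJECTS):
    """Return why the API server denied the request in one log line."""
    m = DENIAL.search(line)
    if not m:
        return "not a denial"
    bound = any(s["kind"] == "ServiceAccount" and s["name"] == m["sa"]
                and s["namespace"] == m["ns"] for s in subjects)
    if not bound:
        return f"{m['ns']}/{m['sa']} is not a subject of the binding"
    # "ingresses.extensions" -> resource "ingresses", API group "extensions"
    res, _, group = m["res"].partition(".")
    for rule in rules:
        if (group in rule["apiGroups"] and m["verb"] in rule["verbs"]
                and res in rule["resources"]):
            return "allowed by the role; look elsewhere"
    return f"bound, but no rule grants {m['verb']} on {res!r}"


if __name__ == "__main__":
    for line in LOGS:
        print(explain(line))
```

On a live cluster, `kubectl auth can-i list services --as=system:serviceaccount:default:default` answers the same question for a single identity and resource.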
