[英]Install two traefik ingress controller on same kubernetes Cluster
I have a situation, where I am planning to use two separate traefik ingress controller inside the Kubernetes cluster.我有一种情况,我计划在 Kubernetes 集群中使用两个单独的 traefik 入口控制器。
I have a few URLs which I want to be accessible through VPN only, and few which can be publicly accessible.我有一些 URL,我只想通过 VPN 访问,而很少可以公开访问。
In the current architecture, I have one traefik-ingress controller, and two separate ALBs, one internal and one internet-facing, both pointing to traefik.在当前的架构中,我有一个 traefik-ingress 控制器和两个独立的 ALB,一个是内部的,一个是面向互联网的,都指向 traefik。
Let's say, I have a URL public.example.com
and private.example.com
.假设,我有一个 URL
public.example.com
和private.example.com
。 public.example.com
is pointing to internet-facing ALB, and private.example.com
is pointing to internal ALB. public.example.com
指向面向 Internet 的 ALB,而private.example.com
指向内部 ALB。 But what if someone get to know the pointing of public.example.com
and points private.example.com
to same pointing in his /etc/hosts
, he will be able to access my private website.但是,如果有人知道
public.example.com
的指向并将private.example.com
指向他的/etc/hosts
相同指向,他将能够访问我的私人网站。
To avoid this, I am planning to run two separate traefik-ingress-controller, one which will be serving only private URL and one public URL.为了避免这种情况,我计划运行两个单独的 traefik-ingress-controller,一个只提供私有 URL 和一个公共 URL。 Can this be done?
这能做到吗? Or is there any other way to avoid this
或者有没有其他方法可以避免这种情况
You can achieve this with a single Ingress controller inside the cluster but by creating various Ingress
Kubernetes Objects.您可以使用集群内的单个 Ingress 控制器来实现这一点,但可以通过创建各种
Ingress
Kubernetes 对象来实现。
For Private site :- consider whitelist-source-range
annotation in the ingress resource.对于私有站点:- 考虑入口资源中的
whitelist-source-range
注释。
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: test-ingress
annotations:
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/24,172.10.0.1
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- host: foo.bar.com
http:
paths:
- path: /testpath
pathType: Prefix
backend:
serviceName: test
servicePort: 80
For Public site :-对于公共站点:-
https://kubernetes.io/docs/concepts/services-networking/ingress/#the-ingress-resource
https://kubernetes.io/docs/concepts/services-networking/ingress/#the-ingress-resource
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: test-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- host: foo.bar.com
http:
paths:
- path: /testpath
pathType: Prefix
backend:
serviceName: test
servicePort: 80
To deploy two separate traefik-ingress controller, to serve private and public traffic separately, I used kubernetes.ingressclass=traefik
args.为了部署两个单独的 traefik-ingress 控制器,分别为私有和公共流量提供服务,我使用了
kubernetes.ingressclass=traefik
args。
This is what documentation has to say for kubernetes.ingressclass
:这是文档对
kubernetes.ingressclass
:
--kubernetes.ingressclass Value of kubernetes.io/ingress.class annotation to watch for
I created two deployment, having separate value for kubernetes.ingressclass
.我创建了两个部署,分别为
kubernetes.ingressclass
值。
One with kubernetes.ingressclass=traefik
, which was behind a public ALB and kubernetes.ingressclass=traefik-internal
, which was behind a private/internal ALB一个带有
kubernetes.ingressclass=traefik
,它在公共 ALB 后面和kubernetes.ingressclass=traefik-internal
,它在私有/内部 ALB 后面
For services, which I want to serve privately, I use the following annotations in ingress objects :对于我想私下提供的服务,我在入口对象中使用以下注释:
annotations:
kubernetes.io/ingress.class: traefik-internal
and for public并为公众
annotations:
kubernetes.io/ingress.class: traefik
My deployment.yaml我的部署.yaml
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: traefik-internal-ingress-controller
namespace: kube-system
labels:
k8s-app: traefik-internal-ingress-lb
spec:
replicas: 1
selector:
matchLabels:
k8s-app: traefik-internal-ingress-lb
template:
metadata:
labels:
k8s-app: traefik-internal-ingress-lb
spec:
serviceAccountName: traefik-internal-ingress-controller
terminationGracePeriodSeconds: 60
containers:
- image: traefik:v1.7
name: traefik-internal-ingress-lb
ports:
- name: http
containerPort: 80
- name: admin
containerPort: 8080
args:
- --api
- --kubernetes
- --logLevel=INFO
- --accesslog=true
- --kubernetes.ingressclass=traefik-internal ##this makes it to watch only for ingress objects with annotaion "kubernetes.io/ingress.class: traefik-internal"
Hope this helps someone.希望这可以帮助某人。
Multiple Træfik Deployments can run concurrently in the same cluster.For instance, it is conceivable to have one Deployment deal with internal and another one with external traffic.多个 Træfik 部署可以在同一个集群中同时运行。例如,可以想象让一个部署处理内部流量,另一个部署处理外部流量。
For such cases, it is advisable to classify Ingress objects through a label and configure the labelSelector option per each Træfik Deployment accordingly.对于这种情况,建议通过标签对 Ingress 对象进行分类,并相应地为每个 Træfik 部署配置 labelSelector 选项。 To stick with the internal/external example above, all Ingress objects meant for internal traffic could receive a
traffic-type: internal
label while objects designated for external traffic receive a traffic-type: external
label.为了坚持上面的内部/外部示例,所有用于内部流量的 Ingress 对象都可以接收一个
traffic-type: internal
标签,而指定用于外部流量的对象接收一个traffic-type: external
标签。 The label selectors on the Træfik Deployments would then be traffic-type=interna
l and traffic-type=external
, respectively. Træfik 部署上的标签选择器将分别是
traffic-type=interna
internal 和traffic-type=external
。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.