Traefik Ingress Controller Configuration
Current status
K3s installs Traefik as the Ingress controller by default.
- Namespace: kube-system
- Service type: ClusterIP
- Ports: 80 (HTTP), 443 (HTTPS)
Traefik configuration details
View the Traefik deployment configuration:
kubectl get deployment traefik -n kube-system -o yaml
View the Traefik service:
kubectl get svc traefik -n kube-system
Using Ingress
Basic HTTP Ingress example
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  namespace: default
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-service
                port:
                  number: 80
HTTPS Ingress example (with TLS)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress-tls
  namespace: default
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  tls:
    - hosts:
        - example.com
      secretName: example-tls-secret
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-service
                port:
                  number: 80
Creating TLS certificates
Using Let's Encrypt (cert-manager)
- Install cert-manager:
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml
- Create a ClusterIssuer:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: your-email@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: traefik
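Using a self-signed certificate
# subjectAltName is required: current TLS clients ignore the CN when
# matching hostnames (-addext needs OpenSSL 1.1.1 or later).
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout tls.key -out tls.crt \
  -subj "/CN=example.com/O=example" \
  -addext "subjectAltName=DNS:example.com"
# Store the key pair as the Secret referenced by the HTTPS Ingress above.
kubectl create secret tls example-tls-secret \
  --key tls.key --cert tls.crt -n default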
Traefik Dashboard
Access the Traefik Dashboard:
kubectl port-forward -n kube-system $(kubectl get pods -n kube-system -l app.kubernetes.io/name=traefik -o name) 9000:9000
Then open: http://localhost:9000/dashboard/
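Common annotations
Redirect HTTP to HTTPS
annotations:
  traefik.ingress.kubernetes.io/redirect-entry-point: https
  traefik.ingress.kubernetes.io/redirect-permanent: "true"
These two annotations are Traefik 1.x syntax. Traefik 2.x, which the router.* annotations and the Middleware CRD on this page belong to, does not read them; there the redirect is configured with a redirectScheme Middleware referenced through router.middlewares.
Set a timeout
annotations:
  traefik.ingress.kubernetes.io/router.middlewares: default-timeout@kubernetescrd
Enable CORS
annotations:
  traefik.ingress.kubernetes.io/router.middlewares: default-cors@kubernetescrd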
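Middleware example
Create the timeout middleware
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: timeout
  namespace: default
spec:
  # Despite the name, this spec configures forwardAuth: each request is first
  # sent to the address below and is proxied on only if that service answers 2xx.
  forwardAuth:
    address: http://auth-service
    # Trusts X-Forwarded-* headers already present on the request; safe only
    # when every client reaches Traefik through a trusted proxy.
    trustForwardHeader: true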
Monitoring and logs
Follow the Traefik logs:
kubectl logs -n kube-system -l app.kubernetes.io/name=traefik -f
Troubleshooting
Check Ingress status
kubectl get ingress -A
kubectl describe ingress <ingress-name> -n <namespace>
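An added example, not part of the original page: a script that audits the output of `kubectl get ingress -A -o json` for two issues this page touches, rule hosts with no matching `spec.tls` entry and the Traefik 1.x redirect annotations that Traefik 2.x does not read. The `legacy-redirect` Ingress and the helper names are assumptions made for the sample.

```python
import json
import sys

PREFIX = "traefik.ingress.kubernetes.io/"
# Traefik 1.x annotation names that Traefik 2.x does not read.
LEGACY = {"redirect-entry-point", "redirect-permanent"}

def covered(host, tls_hosts):
    """True if host is listed in spec.tls, exactly or via a one-label wildcard."""
    wildcard = "*." + host.split(".", 1)[-1]
    return host in tls_hosts or wildcard in tls_hosts

def audit_ingresses(doc):
    """Return sorted (namespace/name, finding) pairs for an Ingress list."""
    findings = []
    for item in doc.get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
        for key in meta.get("annotations") or {}:
            if key.startswith(PREFIX) and key[len(PREFIX):] in LEGACY:
                findings.append((ref, f"legacy annotation: {key}"))
        tls_hosts = {h for t in spec.get("tls") or [] for h in t.get("hosts") or []}
        for rule in spec.get("rules") or []:
            host = rule.get("host")
            if host and not covered(host, tls_hosts):
                findings.append((ref, f"no tls entry for host: {host}"))
    return sorted(findings)

def ingress(name, annotations, host, tls_hosts=None):
    """Build a minimal Ingress object (constructed sample data)."""
    spec = {"rules": [{"host": host}]}
    if tls_hosts:
        spec["tls"] = [{"hosts": tls_hosts, "secretName": "example-tls-secret"}]
    return {"metadata": {"name": name, "namespace": "default",
                         "annotations": annotations}, "spec": spec}

# Constructed sample: the two Ingresses from this page plus a hypothetical
# "legacy-redirect" Ingress that carries the Traefik 1.x redirect annotations.
SAMPLE = {"items": [
    ingress("example-ingress", {PREFIX + "router.entrypoints": "web"}, "example.com"),
    ingress("example-ingress-tls", {PREFIX + "router.entrypoints": "websecure",
                                    PREFIX + "router.tls": "true"},
            "example.com", ["example.com"]),
    ingress("legacy-redirect", {PREFIX + "redirect-entry-point": "https",
                                PREFIX + "redirect-permanent": "true"},
            "app.example.com", ["*.example.com"]),
]}

if __name__ == "__main__":
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ref, finding in audit_ingresses(doc):
        print(f"{ref}: {finding}")
```

Pipe the cluster's JSON into the script to audit live objects; with no piped input it reports on the embedded sample.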
Check the Traefik configuration
kubectl get ingressroute -A
kubectl get middleware -A
External access configuration
If you need access from outside the cluster, you can:
- Use NodePort:
kubectl patch svc traefik -n kube-system -p '{"spec":{"type":"NodePort"}}'
- Use LoadBalancer (requires a cloud environment or MetalLB):
kubectl patch svc traefik -n kube-system -p '{"spec":{"type":"LoadBalancer"}}'
- Use HostPort (binds directly to ports 80/443 on the node)
References
- Traefik official documentation: https://doc.traefik.io/traefik/
- K3s Traefik configuration: https://docs.k3s.io/networking#traefik-ingress-controller