上章K8S的集群已经搭建完成,但是不同宿主机之间的容器不能相互通信,本篇继续讲解
一:在运算节点(192.168.6.94和192.168.6.95)上安装CNI网络插件-Flannel
Flannel官方下载地址:https://github.com/coreos/flannel/tags
1:下载软件,解压,做软链
在192.168.6.94部署为例:
[root@k8s-6-94 ~]# mkdir flannel-v0.11.0
[root@k8s-6-94 ~]# tar zxf flannel-v0.11.0-linux-amd64.tar.gz -C flannel-v0.11.0
[root@k8s-6-94 ~]# mv flannel-v0.11.0 /opt/
[root@k8s-6-94 ~]# ln -s /opt/flannel-v0.11.0 /opt/flannel
2:创建目录,拷贝证书到certs目录下
[root@k8s-6-94 ~]# mkdir /opt/flannel/certs
[root@k8s-6-94 ~]# cd /opt/flannel/certs/
[root@k8s-6-94 certs]# scp 192.168.6.96:/opt/certs/ca.pem .
[root@k8s-6-94 certs]# scp 192.168.6.96:/opt/certs/client.pem .
[root@k8s-6-94 certs]# scp 192.168.6.96:/opt/certs/client-key.pem .
3:创建配置
[root@k8s-6-94 certs]# cd /opt/flannel
[root@k8s-6-94 flannel]# vi subnet.env
FLANNEL_NETWORK=172.6.0.0/16
FLANNEL_SUBNET=172.6.94.1/24
FLANNEL_MTU=1500
FLANNEL_IPMASQ=false
# 集群其他服务器不同地方
// FLANNEL_NETWORK:容器集群网段
// FLANNEL_SUBNET: 本机容器的网关
4:创建启动脚本
[root@k8s-6-94 flannel]# vi /opt/flannel/flanneld.sh
#!/bin/sh
./flanneld \
--public-ip=192.168.6.94 \
--etcd-endpoints=https://192.168.6.93:2379,https://192.168.6.94:2379,https://192.168.6.95:2379 \
--etcd-keyfile=./certs/client-key.pem \
--etcd-certfile=./certs/client.pem \
--etcd-cafile=./certs/ca.pem \
--iface=ens192 \
--subnet-file=./subnet.env \
--healthz-port=2401
# 集群其他服务器不同地方
// --public-ip:本机IP地址
// --iface : 本机网卡名称
5:检查配置,权限,创建日志目录
[root@k8s-6-94 flannel]# chmod +x /opt/flannel/flanneld.sh
[root@k8s-6-94 flannel]# mkdir -p /data/logs/flanneld
6:创建supervisor配置
[root@k8s-6-94 flannel]# vi /etc/supervisord.d/flannel.ini
[program:flanneld-6-94]
command=/opt/flannel/flanneld.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/flannel ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/flanneld/flanneld.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
// 集群其他服务器不同地方
[program:flanneld-6-94]
7:操作etcd,增加host-gw
root@k8s-6-94 flannel]# cd /opt/etcd/
[root@k8s-6-94 etcd]# ./etcdctl set /coreos.com/network/config '{"Network": "172.6.0.0/16", "Backend": {"Type": "host-gw"}}'
返回结果
{"Network": "172.6.0.0/16", "Backend": {"Type": "host-gw"}}
# 验证查看
[root@k8s-6-94 etcd]# ./etcdctl get /coreos.com/network/config
返回结果
{"Network": "172.6.0.0/16", "Backend": {"Type": "host-gw"}}
8:启动服务并检查
root@k8s-6-94 etcd]# supervisorctl update
[root@k8s-6-94 etcd]# supervisorctl status
9:验证
[root@k8s-6-94 ~]# ping 172.6.95.2
PING 172.6.95.2 (172.6.95.2) 56(84) bytes of data.
64 bytes from 172.6.95.2: icmp_seq=1 ttl=63 time=0.350 ms
64 bytes from 172.6.95.2: icmp_seq=2 ttl=63 time=0.259 ms
64 bytes from 172.6.95.2: icmp_seq=3 ttl=63 time=0.286 ms
[root@k8s-6-95 ~]# ping 172.6.94.2
PING 172.6.94.2 (172.6.94.2) 56(84) bytes of data.
64 bytes from 172.6.94.2: icmp_seq=1 ttl=63 time=0.472 ms
64 bytes from 172.6.94.2: icmp_seq=2 ttl=63 time=0.293 ms
64 bytes from 172.6.94.2: icmp_seq=3 ttl=63 time=0.297 ms
二:在各运算节点上优化iptables规则
此时容器跨主机已经可以正常通信,但是各运算节点之间的容器通信需要进行SNAT转换,很不合理,需要进行优化
1:安装iptables-services并设置开机启动
[root@k8s-6-94 ~]# yum install iptables-services -y
[root@k8s-6-94 ~]# systemctl start iptables
[root@k8s-6-94 ~]# systemctl enable iptables
2:优化SNAT规则,各运算节点之间的各POD之间的网络通信不再出网
以:运算节点1(192.168.6.94)优化为例
[root@k8s-6-94 ~]# iptables -t nat -D POSTROUTING -s 172.6.94.0/24 ! -o docker0 -j MASQUERADE
[root@k8s-6-94 ~]# iptables -t nat -I POSTROUTING -s 172.6.94.0/24 ! -d 172.6.0.0/16 ! -o docker0 -j MASQUERADE
[root@k8s-6-94 ~]# iptables-save |grep -i postrouting
[root@k8s-6-94 ~]# iptables -t filter -D INPUT -j REJECT --reject-with icmp-host-prohibited
[root@k8s-6-94 ~]# iptables -t filter -D FORWARD -j REJECT --reject-with icmp-host-prohibited
3:各运算节点保存iptables规则
[root@k8s-6-94 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ 确定 ]
到此,容器之间已经网络互通,网络之间也进行了优化,现在开始安装K8S服务插件
三:K8S的服务发现插件-CoreDNS
实现k8s里的DNS功能的插件
- kube-dns-kebernetes-v1.2至v1.10
- Coredns-kubenetes-v1.11至今
注意k8s里的dns不是万能的!它应该只负责自动维护“服务名”-->“集群网络IP”之间的关系
1:在运维主机192.168.6.96上,配置一个nginx虚拟主机,用以提供k8s统一的资源访问清单入口
1.1:安装Nginx(略)
1.2:配置Nginx/vhosts
[root@k8s-6-96 ~]# vi /usr/local/nginx/conf/vhosts/k8s-yaml.auth.com.conf
server {
listen 80;
server_name k8s-yaml.auth.com;
location / {
autoindex on;
default_type text/plain;
root /data/k8s-yaml;
}
}
1.3:检查Nginx配置并启动服务
[root@k8s-6-96 ~]# /usr/local/nginx/sbin/nginx -t
[root@k8s-6-96 ~]# /usr/local/nginx/sbin/nginx -s reload
1.4:建立相应的目录
[root@k8s-6-96 ~]# mkdir /data/k8s-yaml
[root@k8s-6-96 ~]# mkdir /data/k8s-yaml/coredns
1.5:配置dns解析
在192.168.6.92服务器上解析域名:
[root@k8s-6-92 ~]# vi /var/named/auth.com.zone
# 添加一条A记录,并修改serial序列号,进行 + 1
k8s-yaml A 192.168.6.96
1.6:重启named服务,并验证
[root@k8s-6-92 ~]# systemctl restart named
[root@k8s-6-92 ~]# dig -t A k8s-yaml.auth.com @192.168.6.92 +short
192.168.6.96
1.7:浏览器访问k8s-yaml.auth.com
**可以看到所有的目录
2:部署coredns
官方github地址:
https://github.com/coredns/coredns/releases
2.1:在运维主机(192.168.6.96)上下载docker镜像并打包推到harbor仓库
[root@k8s-6-96 ~]# docker pull coredns/coredns:1.6.1
[root@k8s-6-96 ~]# docker tag c0f6e815079e harbor.auth.com/public/coredns:1.6.1
[root@k8s-6-96 ~]# docker push harbor.od.com/public/coredns:1.6.1
2.2:在运维主机(192.168.6.96)上准备资源配置清单
参考地址:https://github.com/kubernetes/kubernetes/blob/master/cluster/addons/dns/coredns/coredns.yaml.base
[root@k8s-6-96 ~]# vi /data/k8s-yaml/coredns/rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: coredns
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
kubernetes.io/bootstrapping: rbac-defaults
addonmanager.kubernetes.io/mode: Reconcile
name: system:coredns
rules:
- apiGroups:
- ""
resources:
- endpoints
- services
- pods
- namespaces
verbs:
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
addonmanager.kubernetes.io/mode: EnsureExists
name: system:coredns
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:coredns
subjects:
- kind: ServiceAccount
name: coredns
namespace: kube-system
[root@k8s-6-96 ~]# vi /data/k8s-yaml/coredns/cm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: coredns
namespace: kube-system
data:
Corefile: |
.:53 {
errors
log
health
ready
kubernetes cluster.local 10.100.0.0/16
forward . 192.168.6.92
cache 30
loop
reload
loadbalance
}
=====================
注释:
kubernetes cluster.local 10.100.0.0/16 // 集群地址
forward . 192.168.6.92 // 上层DNS
[root@k8s-6-96 ~]# vi /data/k8s-yaml/coredns/dp.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: coredns
namespace: kube-system
labels:
k8s-app: coredns
kubernetes.io/name: "CoreDNS"
spec:
replicas: 1
selector:
matchLabels:
k8s-app: coredns
template:
metadata:
labels:
k8s-app: coredns
spec:
priorityClassName: system-cluster-critical
serviceAccountName: coredns
containers:
- name: coredns
image: harbor.auth.com/public/coredns:1.6.1
args:
- -conf
- /etc/coredns/Corefile
volumeMounts:
- name: config-volume
mountPath: /etc/coredns
ports:
- containerPort: 53
name: dns
protocol: UDP
- containerPort: 53
name: dns-tcp
protocol: TCP
- containerPort: 9153
name: metrics
protocol: TCP
livenessProbe:
httpGet:
path: /health
port: 8080
scheme: HTTP
initialDelaySeconds: 60
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
dnsPolicy: Default
volumes:
- name: config-volume
configMap:
name: coredns
items:
- key: Corefile
path: Corefile
[root@k8s-6-96 ~]# vi /data/k8s-yaml/coredns/svc.yaml
apiVersion: v1
kind: Service
metadata:
name: coredns
namespace: kube-system
labels:
k8s-app: coredns
kubernetes.io/cluster-service: "true"
kubernetes.io/name: "CoreDNS"
spec:
selector:
k8s-app: coredns
clusterIP: 10.100.0.2
ports:
- name: dns
port: 53
protocol: UDP
- name: dns-tcp
port: 53
- name: metrics
port: 9153
protocol: TCP
2.3:应用资源配置清单
在任意运算节点上应用
[root@k8s-6-94 ~]# kubectl apply -f http://k8s-yaml.auth.com/coredns/rbac.yaml
serviceaccount/coredns created
clusterrole.rbac.authorization.k8s.io/system:coredns created
clusterrolebinding.rbac.authorization.k8s.io/system:coredns created
[root@k8s-6-94 ~]# kubectl apply -f http://k8s-yaml.auth.com/coredns/cm.yaml
configmap/coredns created
[root@k8s-6-94 ~]# kubectl apply -f http://k8s-yaml.auth.com/coredns/dp.yaml
deployment.apps/coredns created
[root@k8s-6-94 ~]# kubectl apply -f http://k8s-yaml.auth.com/coredns/svc.yaml
service/coredns created
2.4:查看创建的资源
[root@k8s-6-94 ~]# kubectl get all -n kube-system
NAME READY STATUS RESTARTS AGE
pod/coredns-6b6c4f9648-wrrbt 1/1 Running 0 111s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/coredns ClusterIP 10.100.0.2 <none> 53/UDP,53/TCP,9153/TCP 99s
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/coredns 1/1 1 1 111s
NAME DESIRED CURRENT READY AGE
replicaset.apps/coredns-6b6c4f9648 1 1 1 111s
详细查看
[root@k8s-6-94 ~]# kubectl get all -n kube-system -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/coredns-6b6c4f9648-wrrbt 1/1 Running 0 4m56s 172.6.95.3 k8s-6-95.host.com <none> <none>
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service/coredns ClusterIP 10.100.0.2 <none> 53/UDP,53/TCP,9153/TCP 4m44s k8s-app=coredns
NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
deployment.apps/coredns 1/1 1 1 4m56s coredns harbor.auth.com/public/coredns:1.6.1 k8s-app=coredns
NAME DESIRED CURRENT READY AGE CONTAINERS IMAGES SELECTOR
replicaset.apps/coredns-6b6c4f9648 1 1 1 4m56s coredns harbor.auth.com/public/coredns:1.6.1 k8s-app=coredns,pod-template-hash=6b6c4f9648
2.5:验证coredns
[root@k8s-6-94 ~]# dig -t A www.baidu.com @10.100.0.2 +short
www.a.shifen.com.
220.181.38.149
220.181.38.150
[root@k8s-6-94 ~]# dig -t A k8s-6-94.host.com @10.100.0.2 +short
192.168.6.94 //自建dns是coredns上级dns,所以差得到
[root@k8s-6-94 ~]# kubectl get svc -o wide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
kubernetes ClusterIP 10.100.0.1 <none> 443/TCP 7d <none>
[root@k8s-6-94 ~]# kubectl get pods -n kube-public
NAME READY STATUS RESTARTS AGE
nginx-dp-5dfc689474-ggsn2 1/1 Running 0 7h23m
nginx-dp-5dfc689474-hw6vm 1/1 Running 0 7h8m
查看:
[root@k8s-6-94 ~]# kubectl expose deployment nginx-dp --port=80 -n kube-public
[root@k8s-6-94 ~]# kubectl get svc -o wide -n kube-public
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
nginx-dp ClusterIP 10.100.95.151 <none> 80/TCP 7h21m app=nginx-dp
验证:
[root@k8s-6-94 ~]# dig -t A nginx-dp @10.100.0.2 +short
[root@k8s-6-94 ~]# dig -t A nginx-dp.kube-public.svc.cluster.local. @10.100.0.2 +short
10.100.95.151
找台宿主机验证
查看:
[root@k8s-6-94 ~]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-ds-d5kl8 1/1 Running 0 120m 172.6.94.2 k8s-6-94.host.com <none> <none>
nginx-ds-jtn62 1/1 Running 0 120m 172.6.95.2 k8s-6-95.host.com <none> <none>
进入宿主机容器:
[root@k8s-6-94 ~]# kubectl exec -ti nginx-ds-jtn62 /bin/bash
root@nginx-ds-jtn62:/#
验证:
root@nginx-ds-jtn62:/# curl 10.100.95.151
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
root@nginx-ds-jtn62:/# curl nginx-dp.kube-public
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
为什么容器里不用加FQDN?
原因:
root@nginx-ds-jtn62:/# cat /etc/resolv.conf
nameserver 10.100.0.2
search default.svc.cluster.local svc.cluster.local cluster.local host.com
options ndots:5 //dns递归查询的层级,默认5层,效率低
四:K8S的服务暴露插件-Traefik
起因:其实此时外部无法解析到,coredns只对内部解析。k8s的dns实现了服务在集群"内"被自动发现,那如何是的服务在k8s集群 "外"被使用和访问呢?
部署traefik(ingress控制器)
注意:
- Ingress只能调度并爆露7层应用,特指http和https协议
- Ingress 是k8s API的标准资源类型之一,也是一种核心资源,它其实就是一组基于域名和URL路径,把用户的请求转发至指定Service资源的规则
- 可以将集群外部的请求流量,转发至集群内部,从而实现服务爆露
- Ingress控制器是能够为Igress资源监听某套接字,然后根据Ingress规则匹配机制路由调度流量的一个组件。
1:在运维主机(192.168.6.96)上准备traefik镜像,打包,并上传到harbor仓库
官方github地址:https://github.com/containous/traefik
[root@k8s-6-96 ~]# docker pull traefik:v1.7.2-alpine
[root@k8s-6-96 ~]# docker images|grep traefik
traefik v1.7.2-alpine add5fac61ae5 13 months ago 72.4MB
[root@k8s-6-96 ~]# docker tag add5fac61ae5 harbor.auth.com/public/traefik:v1.7.2
[root@k8s-6-96 ~]# docker push harbor.auth.com/public/traefik:v1.7.2
The push refers to repository [harbor.auth.com/public/traefik]
a02beb48577f: Pushed
ca22117205f4: Pushed
3563c211d861: Pushed
df64d3292fd6: Pushed
v1.7.2: digest: sha256:6115155b261707b642341b065cd3fac2b546559ba035d0262650b3b3bbdd10ea size: 1157
2:在运维主机(192.168.6.96)上准备资源配置清单
官方yaml文件:https://github.com/containous/traefik/tree/v1.7/examples/k8s
[root@k8s-6-96 ~]# mkdir /data/k8s-yaml/traefik
[root@k8s-6-96 ~]# cd /data/k8s-yaml/traefik/
[root@k8s-6-96 ~]# vi /data/k8s-yaml/traefik/rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-ingress-controller
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: traefik-ingress-controller
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: kube-system
[root@k8s-6-96 ~]# vi /data/k8s-yaml/traefik/ds.yaml
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: traefik-ingress
namespace: kube-system
labels:
k8s-app: traefik-ingress
spec:
template:
metadata:
labels:
k8s-app: traefik-ingress
name: traefik-ingress
spec:
serviceAccountName: traefik-ingress-controller
terminationGracePeriodSeconds: 60
containers:
- image: harbor.auth.com/public/traefik:v1.7.2
name: traefik-ingress
ports:
- name: controller
containerPort: 80
hostPort: 81
- name: admin-web
containerPort: 8080
securityContext:
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
args:
- --api
- --kubernetes
- --logLevel=INFO
- --insecureskipverify=true
- --kubernetes.endpoint=https://192.168.6.89:7443
- --accesslog
- --accesslog.filepath=/var/log/traefik_access.log
- --traefiklog
- --traefiklog.filepath=/var/log/traefik.log
- --metrics.prometheus
[root@k8s-6-96 ~]# vi /data/k8s-yaml/traefik/svc.yaml
kind: Service
apiVersion: v1
metadata:
name: traefik-ingress-service
namespace: kube-system
spec:
selector:
k8s-app: traefik-ingress
ports:
- protocol: TCP
port: 80
name: controller
- protocol: TCP
port: 8080
name: admin-web
[root@k8s-6-96 ~]# vi /data/k8s-yaml/traefik/ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: traefik-web-ui
namespace: kube-system
annotations:
kubernetes.io/ingress.class: traefik
spec:
rules:
- host: traefik.auth.com
http:
paths:
- path: /
backend:
serviceName: traefik-ingress-service
servicePort: 8080
3:应用资源配置清单
任意一台运算节点上
[root@k8s-6-94 ~]# kubectl apply -f http://k8s-yaml.auth.com/traefik/rbac.yaml
serviceaccount/traefik-ingress-controller created
clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller created
clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller created
[root@k8s-6-94 ~]# kubectl apply -f http://k8s-yaml.auth.com/traefik/ds.yaml
daemonset.extensions/traefik-ingress created
[root@k8s-6-94 ~]# kubectl apply -f http://k8s-yaml.auth.com/traefik/svc.yaml
service/traefik-ingress-service created
[root@k8s-6-94 ~]# kubectl apply -f http://k8s-yaml.auth.com/traefik/ingress.yaml
ingress.extensions/traefik-web-ui created
4:检查创建的资源
[root@k8s-6-94 ~]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-6b6c4f9648-wrrbt 1/1 Running 0 108m
traefik-ingress-9z6wd 1/1 Running 0 10m
traefik-ingress-ksznv 1/1 Running 0 10m
报错:
[root@k8s-6-94 ~]# kubectl describe pods traefik-ingress-ksznv -n kube-system
Warning FailedCreatePodSandBox 6m23s kubelet, hdss7-21.host.com Failed create pod sandbox:
rpc error: code = Unknown desc = failed to start sandbox container for pod "traefik-ingress-ksznv": Error response from daemon: driver failed programming external
connectivity on endpoint k8s_POD_traefik-ingress-ksznv_kube-system_d1389546-d27b-47cd-92c1-f5a8963043fd_0 (2f032861a4eb0e5240554e388b8ae8a5efd9ead3c56e50840aacdf43570c434b)
: (iptables failed: iptables --wait -t filter -A DOCKER ! -i docker0 -o docker0 -p tcp -d 172.7.21.5 --dport 80 -j ACCEPT: iptables: No chain/target/match by that name.
解决:
systemctl restart docker.service
5:在DNS服务器(192.168.6.92)上解析域名
[root@k8s-6-92 ~]# vi /var/named/auth.com.zone
# 添加一条A记录,并修改serial序列号,进行 + 1
traefik A 192.168.6.89
重启named服务,并验证
[root@k8s-6-92 ~]# systemctl restart named
[root@k8s-6-92 ~]# dig -t A traefik.auth.com @192.168.6.92 +short
192.168.6.89
6:配置反向代理
注意:代理节点(192.168.6.92和192.168.6.93)上都需要配置
[root@k8s-6-92 ~]# vi /usr/local/nginx/conf/vhosts/auth.com.conf
upstream default_backend_traefik {
server 192.168.6.94:81 max_fails=3 fail_timeout=10s;
server 192.168.6.95:81 max_fails=3 fail_timeout=10s;
}
server {
server_name *.auth.com;
location / {
proxy_pass http://default_backend_traefik;
proxy_set_header Host $http_host;
proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
}
}
[root@k8s-6-92 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@k8s-6-92 ~]# /usr/local/nginx/sbin/nginx -s reload
7:浏览器中输入:http://traefik.auth.com/,出现如下页面
下节讲解 k8S核心插件-仪表盘