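---
# Traefik v1.7 ingress controller for kube-system:
# ConfigMap (TOML config) -> Deployment -> Service (NodePort) -> RBAC -> ServiceAccount.
apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-conf
  namespace: kube-system
data:
  # NOTE(review): the TOML below sets insecureSkipVerify = true, which turns off
  # TLS certificate verification towards HTTPS backends (the in-file comment says
  # this is for a 443 dashboard backend). That accepts any certificate a backend
  # presents; narrow it or drop it once backends have trusted certificates.
  # The forwardedHeaders/trustedIPs stanza is commented out, so X-Forwarded-*
  # headers from any client are trusted - enable it with the real proxy/LB
  # ranges if client addresses are used for access control or logging.
  traefik.toml: |
    # 设置insecureSkipVerify = true,可以配置backend为443(比如dashboard)的ingress规则
    insecureSkipVerify = true
    defaultEntryPoints = ["http", "https"]
    [entryPoints]
    [entryPoints.http]
    address = ":80"
    ### 配置http 强制跳转 https
    #[entryPoints.http.redirect]
    # entryPoint = "https"
    ### 配置只信任trustedIPs传递过来X-Forwarded-*,默认全部信任;为了防止客户端地址伪造,需开启这个
    #[entryPoints.http.forwardedHeaders]
    # trustedIPs = ["10.1.0.0/16", "172.20.0.0/16", "192.168.1.3"]
    [entryPoints.https]
    address = ":443"
    [entryPoints.https.tls]
    [[entryPoints.https.tls.certificates]]
    CertFile = "/ssl/tls.crt"
    KeyFile = "/ssl/tls.key"
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
      name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      volumes:
        # TLS cert/key consumed by [entryPoints.https.tls.certificates] above.
        - name: ssl
          secret:
            secretName: traefik-cert
        - name: config
          configMap:
            name: traefik-conf
      # nodeSelector:
      #   node-role.kubernetes.io/traefik: "true"
      containers:
        # Pinned to a tag, not a digest; the tag can be re-pushed upstream.
        - image: traefik:v1.7.12
          imagePullPolicy: IfNotPresent
          name: traefik-ingress-lb
          volumeMounts:
            # Both mounts are read-only: Traefik only reads the cert and config.
            - mountPath: "/ssl"
              name: "ssl"
              readOnly: true
            - mountPath: "/config"
              name: "config"
              readOnly: true
          resources:
            limits:
              cpu: 1000m
              memory: 800Mi
            requests:
              cpu: 500m
              memory: 600Mi
          args:
            - --configfile=/config/traefik.toml
            # --api enables the Traefik dashboard/API (served on 8080, the
            # "admin" port of the Service below) with no authentication of its own.
            - --api
            - --kubernetes
            - --logLevel=INFO
          securityContext:
            capabilities:
              drop:
                - ALL
              # Only what is needed to bind :80/:443 inside the container.
              add:
                - NET_BIND_SERVICE
          # hostPort binds 80/443 on every node that schedules this pod;
          # with replicas: 1 there is no port clash, but scaling up requires
          # nodes to spare or a DaemonSet instead.
          ports:
            - name: http
              containerPort: 80
              hostPort: 80
            - name: https
              containerPort: 443
              hostPort: 443
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      # The traefik ingress-controller's service port.
      port: 80
      # NODE_PORT_RANGE from the cluster hosts file is the allowed NodePort range;
      # pick a free port from the default 20000~40000 to expose the
      # ingress-controller externally.
      nodePort: 23456
      name: http
    - protocol: TCP
      port: 443
      nodePort: 23457
      name: https
    - protocol: TCP
      # Traefik's admin web UI (dashboard/API enabled by --api).
      # NOTE(review): as a NodePort with no explicit nodePort this gets an
      # auto-assigned port on every node, reachable by anyone who can reach the
      # nodes. Consider serving it through a separate ClusterIP service, an
      # authenticated ingress rule, or a network policy.
      port: 8080
      name: admin
  type: NodePort
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
rules:
  # Cluster-wide read of secrets is needed for TLS secrets referenced by
  # ingresses, but it also exposes every other secret to this controller.
  - apiGroups:
      - ""
    resources:
      - pods
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  # Traefik v1.7 watches Ingress under the extensions group; this group was
  # removed for Ingress in newer Kubernetes releases - verify against the target cluster.
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system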