version
kube: 1.19.2
traefik: 2.3.1
# kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-master-node1 Ready master 156m v1.19.2
k8s-master-node2 Ready master 156m v1.19.2
k8s-master-node3 Ready master 155m v1.19.2
k8s-worker-node1 Ready worker 155m v1.19.2
k8s-worker-node2 Ready worker 154m v1.19.2
install traefik
cat <<EOF | kubectl apply -f -
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: ingress-traefik-controller
rules:
- apiGroups:
- ''
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: ingress-traefik-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-traefik-controller
subjects:
- kind: ServiceAccount
name: ingress-traefik-controller
namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: ingress-traefik-controller
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: ingress-traefik-controller
labels:
app: ingress-traefik-controller
spec:
replicas: 1
selector:
matchLabels:
app: ingress-traefik-controller
template:
metadata:
labels:
app: ingress-traefik-controller
spec:
serviceAccountName: ingress-traefik-controller
containers:
- name: traefik
image: traefik:v2.3.1
args:
- --api.debug=true
- --api.insecure=true
- --log=true
- --log.level=debug
- --ping=true
- --accesslog=true
- --entrypoints.http.Address=:80
- --entrypoints.https.Address=:443
- --entrypoints.traefik.Address=:8080
- --providers.kubernetesingress
- --serverstransport.insecureskipverify=true
ports:
- name: http
containerPort: 80
protocol: TCP
- name: https
containerPort: 443
protocol: TCP
- name: admin
containerPort: 8080
protocol: TCP
livenessProbe:
failureThreshold: 2
httpGet:
path: /ping
port: admin
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
failureThreshold: 3
httpGet:
path: /ping
port: admin
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources:
limits:
cpu: 250m
memory: 128Mi
requests:
cpu: 100m
memory: 64Mi
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
restartPolicy: Always
serviceAccount: ingress-traefik-controller
serviceAccountName: ingress-traefik-controller
---
apiVersion: v1
kind: Service
metadata:
name: ingress-traefik-controller
spec:
type: NodePort
selector:
app: ingress-traefik-controller
ports:
- protocol: TCP
port: 80
name: http
targetPort: 80
- protocol: TCP
port: 443
name: https
targetPort: 443
- protocol: TCP
port: 8080
name: admin
targetPort: 8080
EOF
install kubernetes-dashboard
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=kubernetes-dashboard.cluster.local"
kubectl create ns kubernetes-dashboard
kubectl create secret tls kubernetes-dashboard-certs --key tls.key --cert tls.crt -n kubernetes-dashboard
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/aio/deploy/recommended.yaml
apply kubernetes-dashboard ingress
cat <<EOF | kubectl apply -f -
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: traefik
name: kubernetes-dashboard
namespace: kubernetes-dashboard
spec:
tls:
- hosts:
- kubernetes-dashboard.cluster.local
secretName: kubernetes-dashboard-certs
rules:
- host: kubernetes-dashboard.cluster.local
http:
paths:
- path: /
backend:
serviceName: kubernetes-dashboard
servicePort: 443
EOF
status
# kubectl describe svc ingress-traefik-controller
Name: ingress-traefik-controller
Namespace: default
Labels: <none>
Annotations: <none>
Selector: app=ingress-traefik-controller
Type: NodePort
IP: 10.96.234.16
Port: http 80/TCP
TargetPort: 80/TCP
NodePort: http 30615/TCP
Endpoints: 10.244.3.6:80
Port: https 443/TCP
TargetPort: 443/TCP
NodePort: https 31678/TCP
Endpoints: 10.244.3.6:443
Port: admin 8080/TCP
TargetPort: 8080/TCP
NodePort: admin 31648/TCP
Endpoints: 10.244.3.6:8080
Session Affinity: None
External Traffic Policy: Cluster
Events: <none>
# kubectl get all -n kubernetes-dashboard
NAME READY STATUS RESTARTS AGE
pod/dashboard-metrics-scraper-7b59f7d4df-9kfqq 1/1 Running 0 167m
pod/kubernetes-dashboard-665f4c5ff-zfzcr 1/1 Running 0 167m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/dashboard-metrics-scraper ClusterIP 10.96.8.248 <none> 8000/TCP 167m
service/kubernetes-dashboard ClusterIP 10.96.154.232 <none> 443/TCP 167m
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/dashboard-metrics-scraper 1/1 1 1 167m
deployment.apps/kubernetes-dashboard 1/1 1 1 167m
NAME DESIRED CURRENT READY AGE
replicaset.apps/dashboard-metrics-scraper-7b59f7d4df 1 1 1 167m
replicaset.apps/kubernetes-dashboard-665f4c5ff 1 1 1 167m
result
http://kubernetes-dashboard.cluster.local:31678/#/login ok
https://kubernetes-dashboard.cluster.local:31678/#/login 404 page not found
ingress-traefik-controller log
time="2020-10-09T08:25:26Z" level=debug msg="http: TLS handshake error from 10.244.0.0:1349: remote error: tls: unknown certificate"
time="2020-10-09T08:25:26Z" level=debug msg="http: TLS handshake error from 10.244.0.0:24982: remote error: tls: unknown certificate"