我的书签
添加书签
移除书签Examples
Here are some examples on how to easily deploy Traefik Mesh on your cluster.
Prerequisites
Before following those examples, make sure your cluster follows the prerequisites for deploying Traefik Mesh.
Simple Example
Deploy those two yaml files on your Kubernetes cluster in order to add a simple backend example, available through HTTP and TCP.
namespace.yaml
apiVersion: v1kind: Namespacemetadata:name: whoami---apiVersion: v1kind: ServiceAccountmetadata:name: whoami-servernamespace: whoami---apiVersion: v1kind: ServiceAccountmetadata:name: whoami-clientnamespace: whoami
deployment.yaml
---kind: DeploymentapiVersion: apps/v1metadata:name: whoaminamespace: whoamispec:replicas: 2selector:matchLabels:app: whoamitemplate:metadata:labels:app: whoamispec:serviceAccount: whoami-servercontainers:- name: whoamiimage: traefik/whoami:v1.6.0imagePullPolicy: IfNotPresent---kind: DeploymentapiVersion: apps/v1metadata:name: whoami-tcpnamespace: whoamispec:replicas: 2selector:matchLabels:app: whoami-tcptemplate:metadata:labels:app: whoami-tcpspec:serviceAccount: whoami-servercontainers:- name: whoami-tcpimage: traefik/whoamitcp:v0.1.0imagePullPolicy: IfNotPresent---apiVersion: v1kind: Servicemetadata:name: whoaminamespace: whoamilabels:app: whoamispec:type: ClusterIPports:- port: 80name: whoamiselector:app: whoami---apiVersion: v1kind: Servicemetadata:name: whoami-tcpnamespace: whoamilabels:app: whoami-tcpspec:type: ClusterIPports:- port: 8080name: whoami-tcpselector:app: whoami-tcp---apiVersion: v1kind: Podmetadata:name: whoami-clientnamespace: whoamispec:serviceAccountName: whoami-clientcontainers:- name: whoami-clientimage: giantswarm/tiny-tools:3.9command:- "sleep"- "3600"
You should now see the following when running kubectl get all -n whoami:
NAME READY STATUS RESTARTS AGEpod/whoami-client 1/1 Running 0 11spod/whoami-f4cbd7f9c-lddgq 1/1 Running 0 12spod/whoami-f4cbd7f9c-zk4rb 1/1 Running 0 12spod/whoami-tcp-7679bc465-ldlt2 1/1 Running 0 12spod/whoami-tcp-7679bc465-wf87n 1/1 Running 0 12sNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGEservice/whoami ClusterIP 100.68.109.244 <none> 80/TCP 13sservice/whoami-tcp ClusterIP 100.68.73.211 <none> 8080/TCP 13sNAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGEdeployment.apps/whoami 2 2 2 2 13sdeployment.apps/whoami-tcp 2 2 2 2 13sNAME DESIRED CURRENT READY AGEreplicaset.apps/whoami-f4cbd7f9c 2 2 2 13sreplicaset.apps/whoami-tcp-7679bc465 2 2 2 13s
You should now be able to make direct requests on your whoami service through HTTP.
Command
kubectl -n whoami exec whoami-client -- curl -s whoami.whoami.svc.cluster.local
Expected Output
Hostname: whoami-84bdf87956-gvbm8IP: 127.0.0.1IP: 5.6.7.8RemoteAddr: 1.2.3.4:12345GET / HTTP/1.1Host: whoami.whoami.svc.cluster.localUser-Agent: curl/7.64.0Accept: */*
And through TCP, by executing the following netcat command and sending some data.
Command
kubectl -n whoami exec -ti whoami-client -- nc whoami-tcp.whoami.svc.cluster.local 8080my data
Expected Output
Received: my data
You can now install Traefik Mesh by following this documentation on your cluster.
Since Traefik Mesh is not intrusive, it has to be explicitly given access to services before it can be used. You can ensure that the HTTP endpoint of your service does not pass through Traefik Mesh since no X-Forwarded-For header should be added.
Now, in order to configure Traefik Mesh for your whoami service, you just need to update the whoami service specs, in order to add the appropriate annotations.
The HTTP service needs to have mesh.traefik.io/traffic-type: "http" and the TCP service, mesh.traefik.io/traffic-type: "tcp".
---apiVersion: v1kind: Servicemetadata:name: whoaminamespace: whoamilabels:app: whoamiannotations:mesh.traefik.io/traffic-type: "http"mesh.traefik.io/retry-attempts: "2"spec:type: ClusterIPports:- port: 80name: whoamiselector:app: whoami---apiVersion: v1kind: Servicemetadata:name: whoami-tcpnamespace: whoamilabels:app: whoami-tcpannotations:mesh.traefik.io/traffic-type: "tcp"spec:type: ClusterIPports:- port: 8080name: whoami-tcpselector:app: whoami-tcp
You should now be able to access your HTTP and TCP services through the Traefik Mesh endpoint:
Command
kubectl -n whoami exec whoami-client -- curl -s whoami.whoami.traefik.mesh
Expected Output
Hostname: whoami-84bdf87956-gvbm8IP: 127.0.0.1IP: 5.6.7.8RemoteAddr: 1.2.3.4:12345GET / HTTP/1.1Host: whoami.whoami.traefik.meshUser-Agent: curl/7.64.0Accept: */*X-Forwarded-For: 3.4.5.6
ACL Example
The ACL mode can be enabled when installing Traefik Mesh. Once activated, all traffic is forbidden unless explicitly authorized using the SMI TrafficTarget resource. This example will present the configuration required to allow the client pod to send traffic to the HTTP and TCP services defined in the previous example.
Each TrafficTarget defines that a set of source ServiceAccount is capable of sending traffic to a destination ServiceAccount. To authorize the whoami-client pod to send traffic to whoami.whoami.traefik.mesh, we need to explicitly allow it to hit the pods exposed by the whoami service.
---apiVersion: specs.smi-spec.io/v1alpha3kind: HTTPRouteGroupmetadata:name: http-everythingnamespace: whoamispec:matches:- name: everythingpathRegex: ".*"methods: ["*"]---kind: TrafficTargetapiVersion: access.smi-spec.io/v1alpha2metadata:name: whatevernamespace: whoamispec:destination:kind: ServiceAccountname: whoami-servernamespace: whoamiport: 80rules:- kind: HTTPRouteGroupname: http-everythingmatches:- everythingsources:- kind: ServiceAccountname: whoami-clientnamespace: whoami
Incoming traffic on a TCP service can also be authorized using a TrafficTarget and a TCPRoute.
---kind: TrafficTargetapiVersion: access.smi-spec.io/v1alpha2metadata:name: api-service-targetnamespace: defaultspec:destination:kind: ServiceAccountname: api-servicenamespace: defaultrules:- kind: TCPRoutename: my-tcp-routesources:- kind: ServiceAccountname: my-other-servicenamespace: default---apiVersion: specs.smi-spec.io/v1alpha3kind: TCPRoutemetadata:name: my-tcp-routespec: {}
