Official announcement: Ingress NGINX will stop being maintained in March 2026; after that there will be no more bug fixes or security patches.
The main reasons given for ending maintenance of Ingress NGINX are that the project has long depended on a handful of maintainers and that it suffered a serious security incident this year; another reason is that the huge amount of custom NGINX configuration, annotations and custom templates has effectively "locked" developers into an aging architecture.
"End of maintenance" does not mean the service stops or breaks immediately: existing deployments keep running and will not go down because of the announcement. But the risk increases: if a new vulnerability or security incident appears, users will get no official patch and carry the risk themselves.
So it can still be used in the short term, but a replacement needs to be planned for later.
Most companies running K8s that expose services to the internet are very likely using Ingress NGINX, so the end-of-maintenance announcement made a lot of people nervous. Fortunately maintenance only ends in March 2026, which gives enterprises a buffer period.
Kubernetes' new direction is the Gateway API; the industry trend is no longer "Ingress + NGINX" but the standardized Gateway API.
In Kubernetes 1.34 the Gateway API has reached GA (general availability) at v1.0.0 and replaces the traditional Ingress as a more flexible traffic management solution. The following mainstream traffic components all support the Gateway API.
- Istio: https://istio.io/latest/
- Traefik: https://doc.traefik.io/traefik/
- Kong: https://developer.konghq.com/
- HAProxy: https://www.haproxy.com/blog
In this write-up I try installing Traefik on a freshly built Kubernetes 1.34 cluster; after comparing the official docs, Traefik 3.x is the best choice for Gateway API v1.
1. Deploy the Gateway API CRDs (required on K8s 1.34)
# Deploy the Gateway API v1.0.0 CRDs (official source)
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml
# Verify the CRDs were installed
kubectl get crds | grep gateway.networking.k8s.io
# The output should include gatewayclasses.gateway.networking.k8s.io, gateways.gateway.networking.k8s.io, httproutes.gateway.networking.k8s.io, etc.
2. Create the Traefik namespace
kubectl create namespace traefik
3. Deploy the Traefik RBAC permissions (for the Gateway API)
Traefik needs access to the Gateway API resources (GatewayClass/Gateway/HTTPRoute etc.). Create traefik-rbac.yaml:
---
# ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik
  namespace: traefik
---
# ClusterRole: Gateway API resource permissions + basic K8s resource permissions
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik
rules:
# Basic network resources
- apiGroups: [""]
  resources: ["services", "endpoints", "secrets", "namespaces"]
  verbs: ["get", "list", "watch"]
# Traefik 3 discovers backend pods through EndpointSlices, so the discovery.k8s.io group is needed in addition to the legacy endpoints resource
- apiGroups: ["discovery.k8s.io"]
  resources: ["endpointslices"]
  verbs: ["get", "list", "watch"]
# Gateway API v1 resources (core). Traefik only reads these objects, so read-only verbs are enough (least privilege)
- apiGroups: ["gateway.networking.k8s.io"]
  resources:
  - gatewayclasses
  - gateways
  - httproutes
  - tcproutes
  - tlsroutes
  - referencegrants
  verbs: ["get", "list", "watch"]
# Status subresources: Traefik writes the Accepted/Programmed conditions that kubectl get gateway/httproutes shows, which needs update on */status
- apiGroups: ["gateway.networking.k8s.io"]
  resources:
  - gatewayclasses/status
  - gateways/status
  - httproutes/status
  - tcproutes/status
  - tlsroutes/status
  verbs: ["update"]
# Node information (for DaemonSet mode)
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
# Pod information (for endpoint discovery)
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
# ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik
subjects:
- kind: ServiceAccount
  name: traefik
  namespace: traefik
4. Deploy Traefik 3.1 (DaemonSet mode, recommended for production). Create traefik-daemonset.yaml:
---
# ConfigMap: Traefik static configuration
apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-config
  namespace: traefik
data:
  traefik.yaml: |
    api:
      insecure: true   # enable the dashboard during testing (disable in production)
      dashboard: true
    ping: {}           # serves /ping on the traefik entry point; required by the liveness/readiness probes below
    entryPoints:
      web:
        address: ":80"     # HTTP entry point
      websecure:
        address: ":443"    # HTTPS entry point
      traefik:
        address: ":8080"   # dashboard entry point
    providers:
      kubernetesGateway:   # enable the Gateway API provider (core); a provider is enabled by its presence, there is no "enabled" key in Traefik's static configuration
        namespaces: []     # empty list = watch Gateway resources in all namespaces
      # kubernetesIngress: {}   # optional: uncomment to keep Ingress compatibility (dual mode); left out here, so Ingress stays disabled
    log:
      level: "INFO"      # can be changed to WARN in production
    accessLog:
      filePath: "/dev/stdout"   # write access logs to stdout for log collection
---
# DaemonSet: run one Traefik per node and expose the ports with HostPort
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: traefik
  namespace: traefik
  labels:
    app: traefik
spec:
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik
      hostNetwork: true   # use the host network so the HostPorts take effect
      terminationGracePeriodSeconds: 60
      containers:
      - name: traefik
        image: traefik:v3.1.0   # works with K8s 1.34 + Gateway API v1; see the official site for pulling the image
        args:
        - --configfile=/etc/traefik/traefik.yaml
        ports:
        - name: web
          containerPort: 80
          hostPort: 80     # host HTTP port
        - name: websecure
          containerPort: 443
          hostPort: 443    # host HTTPS port
        - name: traefik
          containerPort: 8080
          hostPort: 8080   # dashboard port
        volumeMounts:
        - name: config
          mountPath: /etc/traefik
        securityContext:
          capabilities:
            drop: ["ALL"]
            add: ["NET_BIND_SERVICE"]   # allow binding ports 80/443
        resources:
          limits:
            cpu: 1000m
            memory: 512Mi
          requests:
            cpu: 100m
            memory: 64Mi
        # health checks (required in production); /ping answers because ping is enabled in the static configuration above
        livenessProbe:
          httpGet:
            path: /ping
            port: 8080
          initialDelaySeconds: 10
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /ping
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 5
      volumes:
      - name: config
        configMap:
          name: traefik-config
      # allow scheduling on control-plane nodes (enable as needed)
      tolerations:
      - key: node-role.kubernetes.io/control-plane
        operator: Exists
        effect: NoSchedule
      - key: node-role.kubernetes.io/master
        operator: Exists
        effect: NoSchedule
---
# Service: expose the dashboard (for testing; delete in production)
apiVersion: v1
kind: Service
metadata:
  name: traefik-dashboard
  namespace: traefik
spec:
  selector:
    app: traefik
  ports:
  - name: traefik
    port: 8080
    targetPort: 8080
    nodePort: 30800
  type: NodePort
5. Apply the manifests
kubectl apply -f traefik-rbac.yaml
kubectl apply -f traefik-daemonset.yaml
6. Verify the Traefik deployment
# Check the Traefik Pod status (one Pod per node, all Running)
kubectl get pods -n traefik
# Check the Traefik logs to confirm the Gateway API provider loaded
kubectl logs -f <traefik-pod-name> -n traefik
# A log line containing "Provider kubernetesGateway started" means the Gateway API integration is working
# Open the dashboard to verify (testing only)
curl http://<node-IP>:30800/dashboard/
# Seeing the Traefik dashboard page means everything is fine
7. Configure the Gateway API resources (core verification)
Core Gateway API resource relationship: GatewayClass (gateway class) → Gateway (gateway instance) → HTTPRoute (routing rules). Below we create a complete example that forwards traffic to an Nginx service.
- Create the GatewayClass (binds the Traefik controller)
A GatewayClass is a cluster-scoped resource that defines the "type" of gateway and binds it to the Traefik controller:
# traefik-gatewayclass.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: traefik-gateway-class
spec:
  controllerName: traefik.io/gateway-controller   # fixed controller name for Traefik 3.x
  description: "Traefik GatewayClass for K8s 1.34"
kubectl apply -f traefik-gatewayclass.yaml
Verify the GatewayClass:
kubectl get gatewayclass
The output shows traefik-gateway-class; STATUS Accepted means it is working
- Create the Gateway (gateway instance exposing ports 80/443)
A Gateway is a namespace-scoped resource that maps to Traefik's entry points and binds to the GatewayClass above:
# traefik-gateway.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: traefik-gateway
  namespace: default   # namespace can be customized
spec:
  gatewayClassName: traefik-gateway-class   # references the GatewayClass above
  listeners:   # listener configuration (corresponds to Traefik's entryPoints)
  - name: web
    protocol: HTTP
    port: 80
    allowedRoutes:
      namespaces:
        from: All   # allow HTTPRoutes from all namespaces to attach
  - name: websecure
    protocol: HTTPS
    port: 443
    allowedRoutes:
      namespaces:
        from: All
    # default TLS certificate: the Gateway API validation rejects an HTTPS listener without a tls block, so the kubernetes.io/tls Secret must be created beforehand
    tls:
      mode: Terminate
      certificateRefs:
      - name: https-tls-secret
        kind: Secret
kubectl apply -f traefik-gateway.yaml
Verify the Gateway:
kubectl get gateway
The output shows traefik-gateway; STATUS Ready means it is working (wait for Traefik to pick it up)
- Create the test service + HTTPRoute (routing rules)
First deploy the Nginx test service, then create an HTTPRoute attached to the Gateway to forward traffic:
# nginx-test.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-test
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-test
  template:
    metadata:
      labels:
        app: nginx-test
    spec:
      containers:
      - name: nginx
        image: nginx:1.22
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-test
  namespace: default
spec:
  selector:
    app: nginx-test
  ports:
  - port: 80
    targetPort: 80
  type: ClusterIP
---
# HTTPRoute: routing rule that ties the Gateway to the test service
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: nginx-httproute
  namespace: default
spec:
  parentRefs:   # references the Gateway above
  - name: traefik-gateway
    namespace: default
    sectionName: web   # attach to the Gateway's web listener (port 80)
  hostnames:   # custom hostname (hosts entry must resolve it to a node IP)
  - "nginx.test.com"
  rules:   # routing rules
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:   # forward to the test service
    - name: nginx-test
      port: 80
kubectl apply -f nginx-test.yaml
Verify the HTTPRoute:
kubectl get httproutes
The output shows nginx-httproute; STATUS Accepted means it is working
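The Gateway above already carries a websecure listener, but the test traffic still travels over plain HTTP. The manifests below are an added example, not part of the original post: they terminate TLS on the websecure listener for nginx.test.com, redirect port-80 requests to HTTPS with the Gateway API v1 RequestRedirect filter, and narrow route attachment from All to the Gateway's own namespace. The Secret name https-tls-secret is the one the Gateway references; its PEM contents are placeholders to replace with a real certificate and key (or create the Secret with kubectl create secret tls https-tls-secret --cert=tls.crt --key=tls.key -n default). The route names nginx-https-redirect and nginx-httproute-tls are assumptions.

```yaml
---
# TLS Secret referenced by the websecure listener (placeholder PEM; replace with a real cert/key)
apiVersion: v1
kind: Secret
metadata:
  name: https-tls-secret
  namespace: default
type: kubernetes.io/tls
stringData:
  tls.crt: |
    -----BEGIN CERTIFICATE-----
    <placeholder: PEM certificate for nginx.test.com>
    -----END CERTIFICATE-----
  tls.key: |
    -----BEGIN PRIVATE KEY-----
    <placeholder: PEM private key>
    -----END PRIVATE KEY-----
---
# Gateway: same name as the post's Gateway, now with TLS termination and attachment limited to this namespace
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: traefik-gateway
  namespace: default
spec:
  gatewayClassName: traefik-gateway-class
  listeners:
  - name: web
    protocol: HTTP
    port: 80
    allowedRoutes:
      namespaces:
        from: Same          # only HTTPRoutes in the Gateway's namespace may attach
  - name: websecure
    protocol: HTTPS
    port: 443
    hostname: "nginx.test.com"   # this listener only serves this hostname (SNI)
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: https-tls-secret   # same namespace as the Gateway; a ReferenceGrant is needed for a Secret elsewhere
    allowedRoutes:
      namespaces:
        from: Same
---
# HTTPRoute on the HTTP listener: redirect everything to HTTPS (a redirect rule needs no backendRefs)
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: nginx-https-redirect
  namespace: default
spec:
  parentRefs:
  - name: traefik-gateway
    namespace: default
    sectionName: web
  hostnames:
  - "nginx.test.com"
  rules:
  - filters:
    - type: RequestRedirect
      requestRedirect:
        scheme: https      # port defaults to 443 for the https scheme
        statusCode: 301
---
# HTTPRoute on the HTTPS listener: forward to the post's nginx-test Service
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: nginx-httproute-tls
  namespace: default
spec:
  parentRefs:
  - name: traefik-gateway
    namespace: default
    sectionName: websecure
  hostnames:
  - "nginx.test.com"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: nginx-test
      port: 80
```

Delete the post's nginx-httproute before applying this, because it attaches to the same web listener with the same hostname and path, and Gateway API precedence would then pick the older route instead of the redirect. Afterwards, curl -I http://nginx.test.com/ should answer 301 with a https:// Location header, curl -k https://nginx.test.com/ should return the Nginx page, and kubectl get gateway traefik-gateway -o jsonpath='{.status.listeners}' shows a ResolvedRefs condition of False on websecure if the Secret is missing or not of type kubernetes.io/tls.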
- Verify Gateway API forwarding
1. Configure local hosts (example)
echo "<node-IP> nginx.test.com" >> /etc/hosts
2. Access test (through the Traefik gateway on port 80)
The Nginx default page is returned → routing works
3. Verify that Traefik picked up the route
kubectl logs -f <traefik-pod-name> -n traefik
A log line containing "Added HTTPRoute default/nginx-httproute" means the route was loaded
Key takeaways
- K8s 1.34 requires deploying the Gateway API v1.0.0 CRDs manually (GA release, no feature gate needed);
- Traefik 3.x is the core version for Gateway API v1; the kubernetesGateway provider must be configured;
- Core Gateway API resource flow: GatewayClass (cluster-scoped) → Gateway (namespace-scoped, exposes ports) → HTTPRoute (routing rules, references the Service);
- In production, disable the Traefik dashboard, enable TLS encryption, and configure resource limits and monitoring to ensure stability.
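The last takeaway as a concrete static configuration, added here as an example rather than taken from the original post: this ConfigMap is a drop-in replacement for traefik-config that removes the dashboard entirely (no api block, so neither /dashboard nor /api is served), keeps /ping for the kubelet probes, restricts the Gateway API provider to an explicit list of namespaces, quiets the logs, and records request headers for forensics while redacting credential-bearing ones. All keys are documented Traefik static-configuration options; the namespace list is an assumption for this cluster.

```yaml
---
# Production static configuration; same ConfigMap name, so the DaemonSet from the post uses it unchanged
apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-config
  namespace: traefik
data:
  traefik.yaml: |
    # No "api" block: the dashboard and /api are not served at all.
    # With api.insecure: true they would be reachable unauthenticated on :8080 (and on the NodePort 30800 Service).
    ping: {}                    # /ping stays on the traefik entry point for the liveness/readiness probes
    entryPoints:
      web:
        address: ":80"
      websecure:
        address: ":443"
      traefik:
        address: ":8080"        # only /ping answers here now; the traefik-dashboard NodePort Service can be deleted
    providers:
      kubernetesGateway:
        namespaces:             # assumption: only these namespaces may define Gateway/HTTPRoute objects that Traefik honours
        - default
        - traefik
    log:
      level: "WARN"
    accessLog:
      filePath: "/dev/stdout"
      fields:
        headers:
          defaultMode: keep     # keep request headers for incident analysis...
          names:
            Authorization: redact   # ...but never write tokens, passwords or session cookies to the log
            Cookie: redact
```

Apply it with kubectl apply and restart the DaemonSet (kubectl rollout restart daemonset/traefik -n traefik) so the Pods reload the file; afterwards curl http://<node-IP>:8080/dashboard/ should return 404 while curl http://<node-IP>:8080/ping still returns OK. Because the Pods run with hostNetwork, port 8080 remains bound on every node, so a host firewall rule limiting it to the kubelet is the remaining step outside Traefik's own configuration.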