如果是跨云/跨境/跨账号部署集群,在所有节点都运行 Traefik 实例,可以充分利用每个节点的外网 IP,对特定流量进行分组,避免通过 LB 转发数据而浪费带宽及流量。
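# E-mail address registered with the ACME CA for certificate issuance.
export MY_ACME_EMAIL=acme@example.org

# Namespace for the controller and the ServiceAccount the DaemonSet runs as.
kubectl apply -f - <<EOF
kind: Namespace
apiVersion: v1
metadata:
  name: traefik-system
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: traefik-ingress-controller
  namespace: traefik-system
EOF

#######################################
# Fetch an upstream Traefik v2.9 reference manifest, rewrite the `default`
# namespace it hard-codes (ServiceAccount, ClusterRoleBinding subjects) to
# traefik-system, and apply it.
# Namespaced objects without an explicit namespace are placed in
# traefik-system by `-n`; cluster-scoped objects (ClusterRole, CRDs) ignore it.
# The manifest is fetched into a variable first so a download failure is
# reported instead of feeding an empty stream to kubectl.
# Arguments: $1 - URL of the manifest
# Returns:   1 if the download fails, otherwise kubectl's exit status
#######################################
apply_upstream_manifest() {
  local url=$1
  local manifest
  manifest=$(wget -qO- "$url") || {
    printf 'failed to fetch %s\n' "$url" >&2
    return 1
  }
  printf '%s\n' "$manifest" \
    | sed 's/namespace: default/namespace: traefik-system/g' \
    | kubectl apply -n traefik-system -f -
}

# RBAC for the controller.
apply_upstream_manifest https://raw.githubusercontent.com/traefik/traefik/v2.9/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml

# Traefik custom resource definitions (IngressRoute, Middleware, ...).
apply_upstream_manifest https://raw.githubusercontent.com/traefik/traefik/v2.9/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml

# Controller DaemonSet on the host network: every node listens on its own
# 80/443 (and 8080 for the dashboard) directly, no LoadBalancer in between.
kubectl apply -f - <<EOF
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: traefik-ingress-controller
  namespace: traefik-system
  labels:
    app: traefik
spec:
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      namespace: traefik-system
      labels:
        app: traefik
    spec:
      hostNetwork: true
      serviceAccountName: traefik-ingress-controller
      containers:
        - name: traefik
          image: traefik:v2.9
          args:
            - --api=true
            # api.insecure serves the API/dashboard unauthenticated on :8080 of
            # every node's host network; restrict that port at the firewall and
            # reach the dashboard only through the authenticated Ingress.
            - --api.insecure=true
            - --api.dashboard=true
            - --entrypoints.web.address=:80
            - --entrypoints.websecure.address=:443
            - --certificatesresolvers.default.acme.tlschallenge
            - --certificatesresolvers.default.acme.storage=/data/acme.json
            - --certificatesresolvers.default.acme.email=$MY_ACME_EMAIL
            - --providers.kubernetesingress
            - --providers.kubernetescrd
            - --log.level=ERROR
          volumeMounts:
            - name: data
              mountPath: /data
      volumes:
        # acme.json holds the ACME account key and issued private keys.
        # NOTE(review): the state is per node, so each node runs its own ACME
        # client and the TLS-ALPN challenge for a hostname can only succeed on
        # the node that hostname resolves to — confirm against your DNS layout.
        - name: data
          hostPath:
            type: DirectoryOrCreate
            path: /var/lib/traefik
EOF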
执行完上述命令,已经可以通过 节点IP:8080 访问控制面板。不过,为了安全,我们还是应该使用防火墙禁用 8080 端口,并改为通过自定义域名的方式访问控制面板。
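# Hostname under which the dashboard is published.
export MY_TRAEFIK_HOST=traefik.example.org

# Dashboard credentials. The values here are placeholders; set both variables
# in the environment before running this step rather than editing them inline.
export MY_AUTH_USERNAME=${MY_AUTH_USERNAME:-admin}
export MY_AUTH_PASSWORD=${MY_AUTH_PASSWORD:-PASSW0RD}

# Build the htpasswd line "user:$apr1$..." and base64-encode it for the Secret.
# printf rather than echo so a password starting with '-' or containing
# backslashes is passed through unchanged; the password reaches openssl on
# stdin, not argv, so it is not visible in `ps`. `tr -d '\n'` removes the
# line wrapping some base64 implementations add (GNU wraps at 76 columns),
# which would otherwise corrupt the `data:` value.
MY_SECRET_CODE=$(
  printf '%s:%s\n' "$MY_AUTH_USERNAME" \
    "$(printf '%s\n' "$MY_AUTH_PASSWORD" | openssl passwd -stdin -apr1)" \
    | base64 | tr -d '\n'
)
export MY_SECRET_CODE

# Secret + Middleware for basic auth, a Service pointing at the dashboard
# port, and an Ingress that publishes it under MY_TRAEFIK_HOST.
kubectl apply -f - <<EOF
kind: Secret
apiVersion: v1
metadata:
  name: basic-auth
  namespace: traefik-system
data:
  auth: $MY_SECRET_CODE
---
kind: Middleware
apiVersion: traefik.containo.us/v1alpha1
metadata:
  name: basic-auth
  namespace: traefik-system
spec:
  basicAuth:
    secret: basic-auth
---
apiVersion: v1
kind: Service
metadata:
  name: dashboard-service
  namespace: traefik-system
spec:
  ports:
    - name: dashboard
      port: 8080
  selector:
    app: traefik
---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: dashboard-ingress
  namespace: traefik-system
  annotations:
    # Serve the dashboard only on the TLS entrypoint, using the ACME resolver
    # configured on the controller, so basic-auth credentials are never sent
    # in clear text over :80.
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/router.tls.certresolver: default
    traefik.ingress.kubernetes.io/router.middlewares: traefik-system-basic-auth@kubernetescrd
spec:
  rules:
    - host: $MY_TRAEFIK_HOST
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: dashboard-service
                port:
                  name: dashboard
EOF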