How to correctly configure access to the Kubernetes Dashboard behind an nginx ingress

I am trying to configure nginx ingress to reach multiple services, as follows:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-monit
spec:
  rules:
  - host: grafana.localhost
    http:
      paths:
      - path: /
        backend:
          serviceName: prometheus-grafana
          servicePort: 80
  - host: kubernetes-dashboard.localhost
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 80

I can reach the grafana service without any problem; my issue is with kubernetes-dashboard. I have configured kubernetes-dashboard to allow HTTP traffic:

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: monit
spec:
  ports:
    - port: 80
      targetPort: 9090
  selector:
    k8s-app: kubernetes-dashboard

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: monit
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.0.0-beta8
          imagePullPolicy: Always
          ports:
            - containerPort: 9090
              protocol: TCP
          args:
            - --namespace=monit
            - --insecure-bind-address=0.0.0.0
            - --insecure-port=9090
            - --enable-insecure-login
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 9090
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "beta.kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule

I also have a valid token that I can use to access the kubernetes dashboard when I go through the ClusterIP. But when I access it through the ingress, even with a valid token, I cannot get past the login page (see screenshot).

[screenshot of the login page]

I looked for problems/errors in the Nginx logs, but everything seems fine:

$ kubectl logs -n monit ingress-nginx-controller-bbdc786b4-6nl9h  -f
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "GET /api/v1/csrftoken/login HTTP/1.1" 200 85 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 479 0.001 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 85 0.001 200 59fc952888dfadf0223740c31e562ef8
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "POST /api/v1/login HTTP/1.1" 200 1508 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 1545 0.005 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 1508 0.005 200 241388246b11031765557475bea603ff
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "GET /api/v1/plugin/config HTTP/1.1" 200 185 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 477 0.003 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 185 0.003 200 45371469793ce4f35c45dec70530bea0
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "GET /api/v1/login/status HTTP/1.1" 200 108 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 476 0.001 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 108 0.001 200 49171f5e9316a2d6da883d1c4f0b50df
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "GET /api/v1/login/status HTTP/1.1" 200 108 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 476 0.001 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 108 0.001 200 c69b9d166f1527f00e7cd175696ec8c7
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "GET /api/v1/login/status HTTP/1.1" 200 108 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 476 0.001 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 108 0.001 200 1f9c27ca407bca57dcc0c26bca65be58

What is missing from my ingress configuration?

Update: I tried to set up an https ingress for the dashboard with this configuration:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: https-ingress-monit
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  rules:
  - host: kubernetes-dashboard.localhost
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443

But this does not seem to work, no endpoints are configured:

$ kubectl describe ingress https-ingress-monit -n monit
Name:             https-ingress-monit
Namespace:        monit
Address:          localhost
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host                            Path  Backends
  ----                            ----  --------
  kubernetes-dashboard.localhost  
                                  /   kubernetes-dashboard:443 (<error: endpoints "kubernetes-dashboard" not found>)
Annotations:                      nginx.ingress.kubernetes.io/backend-protocol: HTTPS
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  87s   nginx-ingress-controller  Ingress monit/https-ingress-monit
  Normal  UPDATE  74s   nginx-ingress-controller  Ingress monit/https-ingress-monit

Now when I try to access http://kubernetes-dashboard.localhost/ I get 503 Service Temporarily Unavailable

Answer 1

Summary

You cannot authenticate (pressing Sign In does nothing) because HTTPS is missing.

As I said in the comments:

Cannot log in

If your login view displays the error below, it means you are trying to log in over HTTP and it has been disabled for security reasons.

Logging in is only available when the URL used to access Dashboard starts with:

  • http://localhost/...
  • http://127.0.0.1/...
  • https://<domain_name>/...

Github.com: Kubernetes: Dashboard: Cannot log in

You can log in to Kubernetes Dashboard without HTTPS only with:

  • http://localhost/...
  • http://127.0.0.1/...

You need HTTPS to log in to Kubernetes Dashboard with:

  • https://IP.ADDRESS
  • https://DOMAIN.NAME

endpoints "kubernetes-dashboard" not found

But this does not seem to work, no endpoints are configured

This means that the Ingress resource cannot find the Endpoint it should send traffic to. In your case this happens because:

  • the Ingress is in the default namespace
  • the Service named kubernetes-dashboard is in the monit namespace

To make it work you can (as one of the options) create another Ingress resource specifically in the monit namespace.

You can run the following commands to get more information about the resources:

  • $ kubectl get services -n monit
  • $ kubectl get endpoints -n monit

Resources in Kubernetes are tightly tied to namespaces. You can read more about it here: Kubernetes.io: Concepts: Working with objects: Namespaces

There are multiple ways to deploy Kubernetes Dashboard. It depends on the solution you are using (minikube, bare metal kubeadm cluster, eks, gke, etc.).

General steps to deploy Kubernetes Dashboard with Nginx-ingress

  • Deploy Nginx-ingress
  • Download and modify the Dashboard definition
  • Configure Ingress to access Dashboard
  • Test it

Deploy Nginx-ingress

Please follow the official documentation on deploying Nginx-ingress: Kubernetes.github.io: Ingress-nginx: Deploy

Download and modify the Dashboard definition

Installing Kubernetes Dashboard: Kubernetes.io: Web UI Dashboard: Deploying

The link above can be used to deploy Dashboard, but some adjustments are needed.

Assuming the following:

  • every resource is in the kubernetes-dashboard namespace
  • Dashboard is run with the arguments:
      args:
        - --namespace=kubernetes-dashboard
        - --enable-insecure-login
        - --insecure-bind-address=0.0.0.0
  • Dashboard listens on port 9090
  • the Services and health checks associated with Dashboard are set to port 9090/TCP/HTTP

A tip about the arguments!

enable-skip-login | false | When enabled, the skip button on the login page will be shown.

Github.com: Kubernetes: Dashboard: Arguments

Your Dashboard definition will need a Service exposed outside the cluster. You can create your own Service definition (like the example below) or edit the YAML definition included in the installation above.

Example below:

kind: Service
apiVersion: v1
metadata:
  name: dashboard-service
  namespace: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
spec:
  selector:
    k8s-app: kubernetes-dashboard
  ports:
    - port: 80
      targetPort: 9090
      nodePort: 30001
      name: dashboard-port
  type: NodePort

Please look specifically at the following part:

  ports:
    - port: 80
      targetPort: 9090
      nodePort: 30001
      name: dashboard-port

Traffic will be sent to the Dashboard pod on port 9090, as required by Dashboard's own arguments.

Configure Ingress to access Dashboard

Assuming your Ingress is deployed correctly, you can use the example below to expose Dashboard:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: dashboard-ingress
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - secretName: tls-secret # NON-EXISTENT
  rules:
  - host:
    http:
      paths:
      - path: /
        backend:
          serviceName: dashboard-service
          servicePort: dashboard-port 

Please look specifically at the following parts:

  • - secretName: tls-secret # NON-EXISTENT - it configures the controller to use its fake certificate and allows HTTPS connections
  • namespace: kubernetes-dashboard - the same namespace as the other Dashboard resources
  • serviceName: dashboard-service - the name of the Service associated with Dashboard
  • servicePort: dashboard-port - the port name of the Service associated with Dashboard

Test it

After completing these steps you should be able to enter the IP address or domain name in your web browser and open the Dashboard panel.

Make sure you are connecting to Dashboard with https://

If you configured Dashboard to require authentication, you should provide the authentication token. You can find your token by running:

  • $ kubectl describe secret NAME_OF_THE_SECRET -n NAMESPACE
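A small consistency check for the setup discussed in this answer, added here as an example (not code from the question or the Dashboard project). It takes the Ingress, Service and Deployment as already-parsed dicts and reports the failure modes above: an Ingress whose Service lives in another namespace (the `endpoints not found` / 503 case), a servicePort the Service does not expose (the `servicePort: 443` update), and a non-TLS Ingress on a hostname where Dashboard refuses token login.

```python
"""Pre-deploy consistency checks for Kubernetes Dashboard behind ingress-nginx.
Constructed example, not code from the question or the Dashboard project;
manifests are already-parsed dicts (what yaml.safe_load returns), no PyYAML needed."""
LOCAL_HOSTS = {"localhost", "127.0.0.1"}  # Dashboard permits http:// login only here


def check_dashboard_ingress(ingress, service, deployment):
    """Return a list of findings; an empty list means the three objects agree."""
    findings = []
    ing_ns = ingress["metadata"].get("namespace", "default")
    svc_ns = service["metadata"].get("namespace", "default")
    svc_name = service["metadata"]["name"]
    # Ports the Service exposes, by number and by name (servicePort may use either).
    svc_ports = set()
    for p in service["spec"]["ports"]:
        svc_ports.add(p["port"])
        if "name" in p:
            svc_ports.add(p["name"])
    has_tls = bool(ingress["spec"].get("tls"))
    for rule in ingress["spec"]["rules"]:
        host = rule.get("host") or "<any>"
        for path in rule["http"]["paths"]:
            backend = path["backend"]
            # An Ingress routes only to Services in its own namespace; otherwise the
            # controller reports 'endpoints "<name>" not found' and answers 503.
            if ing_ns != svc_ns:
                findings.append(f"{host}: Ingress in '{ing_ns}' but Service in '{svc_ns}'")
            if backend["serviceName"] != svc_name:
                findings.append(f"{host}: serviceName {backend['serviceName']!r} != {svc_name!r}")
            if backend["servicePort"] not in svc_ports:
                findings.append(f"{host}: servicePort {backend['servicePort']!r} not in Service")
            # Token login is refused over plain HTTP unless the URL host is local,
            # so a non-TLS Ingress on a real hostname leaves Sign In doing nothing.
            if not has_tls and host not in LOCAL_HOSTS:
                findings.append(f"{host}: no tls section, login disabled over http://")
    args = deployment["spec"]["template"]["spec"]["containers"][0].get("args", [])
    if "--enable-skip-login" in args:
        findings.append("deployment: --enable-skip-login exposes Dashboard without a token")
    return findings


# Constructed manifests mirroring the question: Ingress in 'default', Service in 'monit', no TLS.
INGRESS = {"metadata": {"name": "ingress-monit"},
           "spec": {"rules": [{"host": "kubernetes-dashboard.localhost", "http": {"paths": [
               {"path": "/", "backend": {"serviceName": "kubernetes-dashboard", "servicePort": 80}}]}}]}}
SERVICE = {"metadata": {"name": "kubernetes-dashboard", "namespace": "monit"},
           "spec": {"ports": [{"port": 80, "targetPort": 9090}]}}
DEPLOYMENT = {"spec": {"template": {"spec": {"containers": [
    {"args": ["--namespace=monit", "--insecure-port=9090", "--enable-insecure-login"]}]}}}}
FINDINGS = check_dashboard_ingress(INGRESS, SERVICE, DEPLOYMENT)  # two findings for the question's setup
```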
