我正在尝试配置 nginx ingress 来访问多项服务,如下所示:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-monit
spec:
rules:
- host: grafana.localhost
http:
paths:
- path: /
backend:
serviceName: prometheus-grafana
servicePort: 80
- host: kubernetes-dashboard.localhost
http:
paths:
- path: /
backend:
serviceName: kubernetes-dashboard
servicePort: 80
我可以毫无问题地访问 grafana 服务,我的问题出在 kubernetes-dashboard 上。我已经配置了 kubernetes-dashboard 以允许 HTTP 流量
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: monit
spec:
ports:
- port: 80
targetPort: 9090
selector:
k8s-app: kubernetes-dashboard
---
kind: Deployment
apiVersion: apps/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: monit
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: kubernetes-dashboard
template:
metadata:
labels:
k8s-app: kubernetes-dashboard
spec:
containers:
- name: kubernetes-dashboard
image: kubernetesui/dashboard:v2.0.0-beta8
imagePullPolicy: Always
ports:
- containerPort: 9090
protocol: TCP
args:
- --namespace=monit
- --insecure-bind-address=0.0.0.0
- --insecure-port=9090
- --enable-insecure-login
# Uncomment the following line to manually specify Kubernetes API server Host
# If not specified, Dashboard will attempt to auto discover the API server and connect
# to it. Uncomment only if the default does not work.
# - --apiserver-host=http://my-address:port
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
# Create on-disk volume to store exec logs
- mountPath: /tmp
name: tmp-volume
livenessProbe:
httpGet:
scheme: HTTP
path: /
port: 9090
initialDelaySeconds: 30
timeoutSeconds: 30
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 2001
volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: kubernetes-dashboard-certs
- name: tmp-volume
emptyDir: {}
serviceAccountName: kubernetes-dashboard
nodeSelector:
"beta.kubernetes.io/os": linux
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
我还有一个有效的令牌,当我使用 ClusterIP 时,我可以使用它来访问 kubernetes 仪表板。但是当我通过 ngress 访问它时,即使使用有效的令牌,我也无法访问登录页面(见屏幕截图)。
我查看了 Nginx 日志中的问题/错误,但一切似乎都很好
$ kubectl logs -n monit ingress-nginx-controller-bbdc786b4-6nl9h -f
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "GET /api/v1/csrftoken/login HTTP/1.1" 200 85 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 479 0.001 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 85 0.001 200 59fc952888dfadf0223740c31e562ef8
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "POST /api/v1/login HTTP/1.1" 200 1508 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 1545 0.005 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 1508 0.005 200 241388246b11031765557475bea603ff
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "GET /api/v1/plugin/config HTTP/1.1" 200 185 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 477 0.003 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 185 0.003 200 45371469793ce4f35c45dec70530bea0
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "GET /api/v1/login/status HTTP/1.1" 200 108 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 476 0.001 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 108 0.001 200 49171f5e9316a2d6da883d1c4f0b50df
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "GET /api/v1/login/status HTTP/1.1" 200 108 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 476 0.001 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 108 0.001 200 c69b9d166f1527f00e7cd175696ec8c7
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "GET /api/v1/login/status HTTP/1.1" 200 108 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 476 0.001 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 108 0.001 200 1f9c27ca407bca57dcc0c26bca65be58
我的入口配置缺少什么?
更新:我尝试使用此配置为仪表板设置 https 入口
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: https-ingress-monit
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
rules:
- host: kubernetes-dashboard.localhost
http:
paths:
- path: /
backend:
serviceName: kubernetes-dashboard
servicePort: 443
但这似乎不起作用,没有配置端点
$ kubectl describe ingress https-ingress-monit -n monit
Name: https-ingress-monit
Namespace: monit
Address: localhost
Default backend: default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
Host Path Backends
---- ---- --------
kubernetes-dashboard.localhost
/ kubernetes-dashboard:443 (<error: endpoints "kubernetes-dashboard" not found>)
Annotations: nginx.ingress.kubernetes.io/backend-protocol: HTTPS
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 87s nginx-ingress-controller Ingress monit/https-ingress-monit
Normal UPDATE 74s nginx-ingress-controller Ingress monit/https-ingress-monit
现在当我尝试访问http://kubernetes-dashboard.localhost/我懂了503 Service Temporarily Unavailable
答案1
总结
Sign In由于缺少 ,您无法通过验证(按下不执行任何操作) HTTPS。
正如我在评论中所说:
无法登录
如果您的登录视图显示以下错误,则表示您正在尝试通过 HTTP 登录,但出于安全原因该功能已被禁用。
仅当用于访问仪表板的 URL 以以下内容开头时才可以登录:
http://localhost/...http://127.0.0.1/...https://<domain_name>/...
您可以登录Kubernetes Dashboard 没有 HTTPS只有:
http://localhost/...http://127.0.0.1/...
您需要HTTPS使用以下方式登录Kubernetes Dashboard:
https://IP.ADDRESShttps://DOMAIN.NAME
endpoints "kubernetes-dashboard" not found
但这似乎不起作用,没有配置端点
这意味着Ingress资源无法找到Endpoint要发送流量的目标。您的情况发生这种情况是因为:
Ingress在default命名空间中Service命名kubernetes-dashboard位于monit命名空间中
为了使其工作,您可以(其中一种方法)Ingress在命名空间中专门创建另一个资源monit。
您可以调用以下命令来获取有关资源的更多信息:
$ kubectl get services -n monit$ kubectl get endpoints -n monit
Kubernetes 中的资源与 紧密相关namespaces。你可以在这里阅读更多相关信息:Kubernetes.io:概念:使用对象:命名空间
您有多种部署方式Kubernetes Dashboard。这取决于您使用的解决方案(、、、minikube等)。bare metal kubeadm clustereksgke
部署Kubernetes Dashboard的一般步骤Nginx-ingress:
- 部署
Nginx-ingress - 下载并修改
Dashboard定义 Dashboard配置访问Ingress- 测试一下
部署Nginx-ingress
请遵循有关部署的官方文档Nginx-ingress:Kubernetes.github.io: Ingress-nginx: 部署
下载并修改Dashboard定义
Kubernetes 的安装Dashboard:Kubernetes.io:Web UI 仪表板:部署
上面的链接可以用来部署Dashboard,但需要做一些调整。
假设以下情况:
kubernetes-dashboard命名空间中的每个资源- 支持的论点
Dashboard:- args: - --namespace=kubernetes-dashboard - --enable-insecure-login - --insecure-bind-address=0.0.0.0 Dashboard监听端口9090Services以及与Dashboard设置为端口相关的健康检查9090/TCP/HTTP。
争论的秘诀!
启用跳过登录 false 启用后,登录页面上将显示跳过按钮。
您的仪表板定义将需要Service公开到集群之外。您可以创建自己的定义(Service如下面的示例)或编辑YAML上面安装中包含的定义。
以下为示例:
kind: Service
apiVersion: v1
metadata:
name: dashboard-service
namespace: kubernetes-dashboard
labels:
k8s-app: kubernetes-dashboard
spec:
selector:
k8s-app: kubernetes-dashboard
ports:
- port: 80
targetPort: 9090
nodePort: 30001
name: dashboard-port
type: NodePort
请具体看以下部分:
ports:
- port: 80
targetPort: 9090
nodePort: 30001
name: dashboard-port
流量将根据其自身参数的要求发送到Dashboard端口上的 pod 。 9090Dashboard
Dashboard配置访问Ingress
假设您的Ingress部署正确,您可以使用以下示例来公开Dashboard:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: dashboard-ingress
namespace: kubernetes-dashboard
annotations:
kubernetes.io/ingress.class: "nginx"
spec:
tls:
- secretName: tls-secret # NON-EXISTENT
rules:
- host:
http:
paths:
- path: /
backend:
serviceName: dashboard-service
servicePort: dashboard-port
请具体查看以下部分:
- secretName: tls-secret # NON-EXISTENT- 它将配置控制器以使用假证书并允许HTTPS连接namespace: kubernetes-dashboardDashboard- 命名空间与其他资源完全相同serviceName: dashboard-service- 关联服务的名称DashboardservicePort: dashboard-port- 关联服务的端口名称Dashboard
测试一下
完成这些步骤后,您应该能够在您的网络浏览器中输入 IP 地址或域名并打开Dashboard面板。
请确保您已使用以下方式连接到Dashboard:https://。
如果您配置Dashboard为需要身份验证,则应提供身份验证令牌。您可以通过调用以下命令找到您的令牌:
$ kubectl describe secret NAME_OF_THE_SECRET -n NAMESPACE