I am trying to configure an nginx ingress to access multiple services, as follows:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-monit
spec:
  rules:
    - host: grafana.localhost
      http:
        paths:
          - path: /
            backend:
              serviceName: prometheus-grafana
              servicePort: 80
    - host: kubernetes-dashboard.localhost
      http:
        paths:
          - path: /
            backend:
              serviceName: kubernetes-dashboard
              servicePort: 80
I can access the grafana service without any problem; my issue is with kubernetes-dashboard. I have already configured kubernetes-dashboard to allow HTTP traffic:
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: monit
spec:
  ports:
    - port: 80
      targetPort: 9090
  selector:
    k8s-app: kubernetes-dashboard
---
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: monit
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.0.0-beta8
          imagePullPolicy: Always
          ports:
            - containerPort: 9090
              protocol: TCP
          args:
            - --namespace=monit
            - --insecure-bind-address=0.0.0.0
            - --insecure-port=9090
            - --enable-insecure-login
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 9090
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "beta.kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
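I also have a valid token that I can use to access the Kubernetes dashboard when I go through the ClusterIP. But when I access it through the Ingress, I cannot get past the login page, even with a valid token (see screenshot).
I looked through the Nginx logs for problems or errors, but everything seems fine: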
$ kubectl logs -n monit ingress-nginx-controller-bbdc786b4-6nl9h -f
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "GET /api/v1/csrftoken/login HTTP/1.1" 200 85 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 479 0.001 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 85 0.001 200 59fc952888dfadf0223740c31e562ef8
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "POST /api/v1/login HTTP/1.1" 200 1508 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 1545 0.005 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 1508 0.005 200 241388246b11031765557475bea603ff
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "GET /api/v1/plugin/config HTTP/1.1" 200 185 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 477 0.003 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 185 0.003 200 45371469793ce4f35c45dec70530bea0
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "GET /api/v1/login/status HTTP/1.1" 200 108 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 476 0.001 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 108 0.001 200 49171f5e9316a2d6da883d1c4f0b50df
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "GET /api/v1/login/status HTTP/1.1" 200 108 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 476 0.001 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 108 0.001 200 c69b9d166f1527f00e7cd175696ec8c7
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "GET /api/v1/login/status HTTP/1.1" 200 108 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 476 0.001 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 108 0.001 200 1f9c27ca407bca57dcc0c26bca65be58
What is missing from my ingress configuration?
Update: I tried to set up an HTTPS ingress for the dashboard using this configuration:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: https-ingress-monit
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  rules:
    - host: kubernetes-dashboard.localhost
      http:
        paths:
          - path: /
            backend:
              serviceName: kubernetes-dashboard
              servicePort: 443
But that doesn't seem to work; no endpoints are configured:
$ kubectl describe ingress https-ingress-monit -n monit
Name:             https-ingress-monit
Namespace:        monit
Address:          localhost
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host                            Path  Backends
  ----                            ----  --------
  kubernetes-dashboard.localhost
                                  /   kubernetes-dashboard:443 (<error: endpoints "kubernetes-dashboard" not found>)
Annotations:                      nginx.ingress.kubernetes.io/backend-protocol: HTTPS
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  87s   nginx-ingress-controller  Ingress monit/https-ingress-monit
  Normal  UPDATE  74s   nginx-ingress-controller  Ingress monit/https-ingress-monit
Now when I try to access http://kubernetes-dashboard.localhost/ I get 503 Service Temporarily Unavailable.
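Answer 1
Summary
You are unable to get past the Sign In verification (pressing it does nothing) because of the lack of HTTPS.
As I said in the comment:
Unable to login
In case your login view displays the below error, this means that you are trying to log in over HTTP and it has been disabled for security reasons.
Logging in is available only if the URL used to access Dashboard starts with:
- http://localhost/...
- http://127.0.0.1/...
- https://<domain_name>/...
You can log in to Kubernetes Dashboard without HTTPS only with:
- http://localhost/...
- http://127.0.0.1/...
You will need HTTPS to log in to Kubernetes Dashboard with:
- https://IP.ADDRESS
- https://DOMAIN.NAME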
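endpoints "kubernetes-dashboard" not found
"But that doesn't seem to work; no endpoints are configured"
That means that the Ingress resource was unable to find an Endpoint to send the traffic to. This is happening in your case because:
- The Ingress is in the default namespace
- The Service named kubernetes-dashboard is in the monit namespace
To make it work you could (as one of the ways) create another Ingress resource specifically in the monit namespace.
You can invoke the following commands to get more information about the resources:
$ kubectl get services -n monit
$ kubectl get endpoints -n monit
Resources in Kubernetes are strictly connected with namespaces. You can read more about it here: Kubernetes.io: Concepts: Working with objects: Namespaces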
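You have multiple ways to deploy Kubernetes Dashboard. It depends on the solution you are using (minikube, bare metal kubeadm cluster, eks, gke, etc.).
General steps to deploy Kubernetes Dashboard with Nginx-ingress:
- Deploy Nginx-ingress
- Download and modify the Dashboard definition
- Configure access to Dashboard with Ingress
- Test it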
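Deploy Nginx-ingress
Please follow the official documentation about deploying Nginx-ingress: Kubernetes.github.io: Ingress-nginx: Deploy
Download and modify the Dashboard definition
Installation of Kubernetes Dashboard: Kubernetes.io: Web UI Dashboard: Deploying
The above link can be used to deploy Dashboard, but it will need some tweaking.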
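Assuming that:
- Every resource is in the kubernetes-dashboard namespace
- Arguments supported by Dashboard:
  args:
    - --namespace=kubernetes-dashboard
    - --enable-insecure-login
    - --insecure-bind-address=0.0.0.0
- Dashboard is listening on port 9090
- Services and health checks associated with Dashboard are set to port 9090/TCP/HTTP.
A tip for arguments!
enable-skip-login (default: false): When enabled, the skip button on the login page will be shown.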
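Your dashboard definition will need a Service to expose it outside the cluster. You can create your own definition of the Service (like the example below) or edit the YAML definition included in the installation above.
Example below: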
kind: Service
apiVersion: v1
metadata:
  name: dashboard-service
  namespace: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
spec:
  selector:
    k8s-app: kubernetes-dashboard
  ports:
    - port: 80
      targetPort: 9090
      nodePort: 30001
      name: dashboard-port
  type: NodePort
Please take a specific look at this part:
  ports:
    - port: 80
      targetPort: 9090
      nodePort: 30001
      name: dashboard-port
Traffic will be sent to the pod with Dashboard on port 9090, as required by the Dashboard's own argument.
Configure access to Dashboard with Ingress
Assuming that your Ingress is deployed correctly, you can use the following example to expose Dashboard:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: dashboard-ingress
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
    - secretName: tls-secret # NON-EXISTENT
  rules:
    - host:
      http:
        paths:
          - path: /
            backend:
              serviceName: dashboard-service
              servicePort: dashboard-port
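Please take a specific look at these parts:
- "- secretName: tls-secret # NON-EXISTENT": it will configure the controller to use the fake certificate and allow HTTPS connections
- "namespace: kubernetes-dashboard": exactly the same namespace as the other Dashboard resources
- "serviceName: dashboard-service": the name of the service associated with Dashboard
- "servicePort: dashboard-port": the name of the port of the service associated with Dashboard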
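Test it
After completing these steps you should be able to enter the IP address or domain name in your web browser and open the Dashboard panel.
Please make sure that you are connecting to Dashboard with https://.
If you configured Dashboard to require authentication, you should provide an authentication token. You can find your token by invoking the following command: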
$ kubectl describe secret NAME_OF_THE_SECRET -n NAMESPACE
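
The two checks the answer relies on, as an added example that is not part of the original answer or of the Dashboard or ingress-nginx code: the quoted login rule, and an Ingress backend lookup within the Ingress's own namespace. It goes one step beyond the namespace case by also checking that the Service exposes the requested port. The function names and the sample objects are constructed for illustration and use the extensions/v1beta1 field names shown on this page.

```python
from urllib.parse import urlsplit

def login_allowed(url):
    """Model of the rule quoted in the answer (not Dashboard's own code):
    plain HTTP only for localhost / 127.0.0.1, HTTPS for everything else."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return True
    return parts.scheme == "http" and parts.hostname in ("localhost", "127.0.0.1")

def broken_backends(ingresses, services):
    """List (ingress, host, reason) for every backend that has no Service of
    that name in the Ingress's own namespace, or names a port it lacks."""
    exposed = {}
    for svc in services:
        key = (svc["metadata"].get("namespace", "default"), svc["metadata"]["name"])
        exposed[key] = {v for p in svc["spec"]["ports"]
                        for v in (p["port"], p.get("name")) if v is not None}
    findings = []
    for ing in ingresses:
        ns = ing["metadata"].get("namespace", "default")
        for rule in ing["spec"].get("rules", []):
            for path in rule.get("http", {}).get("paths", []):
                backend = path["backend"]  # extensions/v1beta1 field names
                name, port = backend["serviceName"], backend["servicePort"]
                if (ns, name) not in exposed:
                    reason = f"no Service {name} in namespace {ns}"
                elif port not in exposed[(ns, name)]:
                    reason = f"Service {name} exposes no port {port}"
                else:
                    continue
                findings.append((ing["metadata"]["name"], rule.get("host"), reason))
    return findings

def _ingress(name, namespace, port):
    # Builds a constructed single-rule Ingress for the samples below.
    meta = {"name": name, **({"namespace": namespace} if namespace else {})}
    path = {"path": "/", "backend": {"serviceName": "kubernetes-dashboard", "servicePort": port}}
    return {"metadata": meta, "spec": {"rules": [
        {"host": "kubernetes-dashboard.localhost", "http": {"paths": [path]}}]}}

# Constructed samples shaped like `kubectl get ... -o json` items.
SERVICES = [{"metadata": {"name": "kubernetes-dashboard", "namespace": "monit"},
             "spec": {"ports": [{"port": 80, "targetPort": 9090}]}}]
INGRESSES = [_ingress("no-namespace", None, 80),   # no namespace set: "default"
             _ingress("wrong-port", "monit", 443),
             _ingress("matching", "monit", 80)]

if __name__ == "__main__":
    for finding in broken_backends(INGRESSES, SERVICES):
        print(finding)
    print(login_allowed("http://kubernetes-dashboard.localhost/"))
```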