How to make the Kubernetes dashboard accessible over plain HTTP?
I have been struggling with this for basically WEEKS now... There is literally not one single example of how to do this on the whole internet. It's actually quite hilarious.
My dashboard deployment:
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - args:
        - --namespace=kube-system
        - --enable-insecure-login
        - --insecure-bind-address=0.0.0.0
        image: kubernetesui/dashboard:v2.3.0
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /
            port: 9090
            scheme: HTTP
          initialDelaySeconds: 30
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 30
        name: kubernetes-dashboard
        ports:
        - containerPort: 9090
          name: http
          protocol: TCP
        resources: {}
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsGroup: 2001
          runAsUser: 1001
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /certs
          name: kubernetes-dashboard-certs
        - mountPath: /tmp
NOTE THE FOLLOWING:
As of the official Dashboard arguments documentation, I added the arguments to the dashboard deployment: --enable-insecure-login, which ENABLES INSECURE LOGIN: meaning a default port 9090 will be available on the dashboard (the container, I guess).
As you can see, I further made that very container accessible on the Kubernetes pod itself:
ports:
- containerPort: 9090
  name: http
  protocol: TCP
After that, of course, I also routed that very port in the service for the dashboard itself.
Here is my service.yaml:
apiVersion: v1
kind: Service
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"k8s-app":"kubernetes-dashboard"},"name":"kubernetes-dashboard","namespace":"kube-system"},"spec":{"ports":[{"port":443,"targetPort":8443}],"selector":{"k8s-app":"kubernetes-dashboard"}}}
  creationTimestamp: "2022-04-05T13:11:22Z"
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
  resourceVersion: "12795"
  selfLink: /api/v1/namespaces/kube-system/services/kubernetes-dashboard
  uid: 01bb1897-e18f-418e-949d-465069b561de
spec:
  clusterIP: 10.152.183.208
  clusterIPs:
  - 10.152.183.208
  externalTrafficPolicy: Cluster
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - nodePort: 30838
    port: 9090
    protocol: TCP
    targetPort: 9090
  selector:
    k8s-app: kubernetes-dashboard
  sessionAffinity: None
  type: NodePort
status:
  loadBalancer: {}
Here we can see beautifully that the ports are all correctly assigned:
- nodePort: 30838
  port: 443
  protocol: TCP
  targetPort: 9090
The nodePort is optional. It will be the port on which the service exposes all of this to the outside world (aka a browser etc.).
The port is the port on which the service will be exposed internally inside the cluster. I have chosen to leave it at its default value.
Finally, the targetPort must match the initially exposed port on the pod. And it does.
Of course I have set --insecure-bind-address=0.0.0.0 inside the dashboard arguments to allow the insecure port to be served on any address.
When I try to access it with a browser, it's just dead. No response, no nothing.
So where did I go wrong?
Is there really no example? If I manage to get this to work, I as a matter of fact plan to officially propose the SOLUTION to Kubernetes itself or some major tutorial services. I see literally hundreds of people struggling with this, giving up eventually etc. :D
Comments (1)
Looking at the kubernetes-dashboard source code, it either serves HTTPS or HTTP (but not both). Having --insecure-bind-address=0.0.0.0, insecure-port=9090 and no arguments regarding cert/TLS (i.e. removing the default --auto-generate-certificates) did the trick for me. There's still the matter of authentication - with HTTP, the dashboard doesn't offer a login mechanism - it will use the service account for k8s authentication. See this SO thread and this post for some more details.
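
An added example, not part of the answer above and not code from the dashboard project: a small lint that checks a dashboard container spec and its Service for the three conditions this thread turns on (TLS flags mixed with insecure flags, a Service targetPort with no matching containerPort, and a plain-HTTP dashboard exposed outside the cluster). The manifests are constructed dicts built from the values quoted in the thread, and the `--tls-` prefix check is an assumption about how cert/TLS flags are named.

```python
# Added example (not from the thread): lint a dashboard container spec and its Service.
# Manifests are plain dicts so the script needs no YAML library.

def is_tls_flag(name):
    # Assumption: cert/TLS flags are --auto-generate-certificates or start with --tls-.
    return name == "--auto-generate-certificates" or name.startswith("--tls-")

def audit(container, service):
    """Return findings for one container spec and the Service in front of it."""
    names = {arg.split("=", 1)[0] for arg in container.get("args", [])}
    tls = any(is_tls_flag(n) for n in names)
    insecure = bool(names & {"--insecure-port", "--insecure-bind-address"})
    findings = []
    if tls and insecure:
        findings.append("conflict: TLS and insecure flags are both set")
    ports = container.get("ports", [])
    # A Service targetPort may reference a containerPort by number or by name.
    exposed = {p["containerPort"] for p in ports} | {p["name"] for p in ports if "name" in p}
    spec = service["spec"]
    for sp in spec.get("ports", []):
        target = sp.get("targetPort", sp["port"])
        if target not in exposed:
            findings.append(f"mismatch: targetPort {target} is not a containerPort")
    external = spec.get("type", "ClusterIP") in ("NodePort", "LoadBalancer")
    if insecure and not tls and external:
        findings.append("exposure: plain-HTTP dashboard is reachable from outside the cluster")
    return findings

# Constructed samples built from the values quoted in the thread.
PORTS = [{"containerPort": 9090, "name": "http", "protocol": "TCP"}]
HTTP_ONLY = {"args": ["--namespace=kube-system", "--insecure-bind-address=0.0.0.0",
                      "--insecure-port=9090"], "ports": PORTS}
MIXED = {"args": HTTP_ONLY["args"] + ["--auto-generate-certificates"], "ports": PORTS}
NODEPORT_SVC = {"spec": {"type": "NodePort", "ports": [
    {"nodePort": 30838, "port": 9090, "protocol": "TCP", "targetPort": 9090}]}}
ORIGINAL_SVC = {"spec": {"ports": [{"port": 443, "targetPort": 8443}]}}  # last-applied annotation

if __name__ == "__main__":
    for label, c, s in [("mixed flags", MIXED, NODEPORT_SVC),
                        ("http only", HTTP_ONLY, NODEPORT_SVC),
                        ("http only, original service", HTTP_ONLY, ORIGINAL_SVC)]:
        print(label, "->", audit(c, s))
```

The exposure finding carries the weight here: as the answer notes, over HTTP the dashboard offers no login and acts with its service account, so whoever can reach the NodePort gets whatever that account is allowed to do.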