I am trying to configure an nginx ingress to access multiple services, like this:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-monit
spec:
  rules:
  - host: grafana.localhost
    http:
      paths:
      - path: /
        backend:
          serviceName: prometheus-grafana
          servicePort: 80
  - host: kubernetes-dashboard.localhost
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 80
I can access the grafana service without any problem; my problem is with kubernetes-dashboard. I have already configured kubernetes-dashboard to allow HTTP traffic using this configuration:
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: monit
spec:
  ports:
    - port: 80
      targetPort: 9090
  selector:
    k8s-app: kubernetes-dashboard
---
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: monit
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.0.0-beta8
          imagePullPolicy: Always
          ports:
            - containerPort: 9090
              protocol: TCP
          args:
            - --namespace=monit
            - --insecure-bind-address=0.0.0.0
            - --insecure-port=9090
            - --enable-insecure-login
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 9090
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "beta.kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
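I also have a valid token that I can use to access the kubernetes dashboard when I use ClusterIP. However, when I access it through the ingress, I cannot get past the login page, even with a valid token (see screenshot).
I looked for problems/errors in the Nginx logs, but everything seems fine: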
$ kubectl logs -n monit ingress-nginx-controller-bbdc786b4-6nl9h -f
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "GET /api/v1/csrftoken/login HTTP/1.1" 200 85 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 479 0.001 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 85 0.001 200 59fc952888dfadf0223740c31e562ef8
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "POST /api/v1/login HTTP/1.1" 200 1508 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 1545 0.005 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 1508 0.005 200 241388246b11031765557475bea603ff
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "GET /api/v1/plugin/config HTTP/1.1" 200 185 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 477 0.003 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 185 0.003 200 45371469793ce4f35c45dec70530bea0
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "GET /api/v1/login/status HTTP/1.1" 200 108 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 476 0.001 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 108 0.001 200 49171f5e9316a2d6da883d1c4f0b50df
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "GET /api/v1/login/status HTTP/1.1" 200 108 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 476 0.001 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 108 0.001 200 c69b9d166f1527f00e7cd175696ec8c7
192.168.65.3 - - [03/Jun/2020:02:03:13 +0000] "GET /api/v1/login/status HTTP/1.1" 200 108 "http://kubernetes-dashboard.localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 476 0.001 [monit-kubernetes-dashboard-80] [] 10.1.0.123:9090 108 0.001 200 1f9c27ca407bca57dcc0c26bca65be58
What am I missing in my ingress configuration?

Update: I tried to set up an https ingress for the dashboard using this configuration:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: https-ingress-monit
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  rules:
  - host: kubernetes-dashboard.localhost
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
But this does not seem to work; no endpoints are configured:
$ kubectl describe ingress https-ingress-monit -n monit
Name:             https-ingress-monit
Namespace:        monit
Address:          localhost
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host                            Path  Backends
  ----                            ----  --------
  kubernetes-dashboard.localhost
                                  /     kubernetes-dashboard:443 (<error: endpoints "kubernetes-dashboard" not found>)
Annotations:      nginx.ingress.kubernetes.io/backend-protocol: HTTPS
Events:
  Type    Reason  Age  From                      Message
  ----    ------  ---  ----                      -------
  Normal  CREATE  87s  nginx-ingress-controller  Ingress monit/https-ingress-monit
  Normal  UPDATE  74s  nginx-ingress-controller  Ingress monit/https-ingress-monit
Now, when I try to access http://kubernetes-dashboard.localhost/ I see 503 Service Temporarily Unavailable.

TL;DR

You cannot Sign In because of the lack of HTTPS.

As I said in the comment:

You can log in to Kubernetes Dashboard without HTTPS only through:
http://localhost/...
http://127.0.0.1/...

You need HTTPS to log in to your Kubernetes Dashboard at:
https://IP.ADDRESS
https://DOMAIN.NAME

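endpoints "kubernetes-dashboard" not found

This means that the Ingress resource cannot find the Endpoint resource to send the traffic to. This happens in your case because:
- the Ingress is in the default namespace
- the Service named kubernetes-dashboard is in the monit namespace

To make it work you can (as one of the ways) create another Ingress resource specifically in the monit namespace.

You can invoke the following commands to get more information about your resources: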
$ kubectl get services -n monit
$ kubectl get endpoints -n monit
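
Resources in Kubernetes are strictly connected to namespaces. You can read more about them here: Kubernetes.io: Concepts: Working with objects: Namespaces

You have multiple ways to deploy Kubernetes Dashboard. It depends on the solution you are using (minikube, bare metal kubeadm cluster, eks, gke, etc.).

The general steps to deploy Kubernetes Dashboard with Nginx-ingress:
- Deploy Nginx-ingress
- Download and modify the Dashboard definition
- Configure access to Dashboard with Ingress

Deploy Nginx-ingress

Please follow the official documentation on deploying Nginx-ingress: Kubernetes.github.io: Ingress-nginx: Deploy

Download and modify the Dashboard definition

Installation of Kubernetes Dashboard: Kubernetes.io: Web ui dashboard: Deploying

The link above can be used to deploy Dashboard, but it needs a few adjustments. The assumptions are as follows: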
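- every Dashboard resource is in the kubernetes-dashboard namespace
- Dashboard is listening on port 9090
- Services and health checks associated with Dashboard are set to port 9090/TCP/HTTP

Your Dashboard definition needs a Service to be exposed outside of the cluster. You can create your own Service definition similar to the example below, or edit the one included in the YAML definition from the installation above. Example below: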
Please take a specific look at:

Traffic will be sent to the Dashboard pod on port 9090, as required by Dashboard's own parameters.

Configure access to Dashboard with Ingress

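Assuming that your Ingress is deployed correctly, you can use the example below to expose Dashboard:

Please take a specific look at the parts:
- secretName: tls-secret # NON-EXISTENT - it will configure the controller to use a fake certificate and allow HTTPS connections
- namespace: kubernetes-dashboard - exactly the same namespace as the other Dashboard resources
- serviceName: dashboard-service - the name of the Service associated with Dashboard
- servicePort: dashboard-port - the name of the port of the Service associated with Dashboard
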
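Test

After this step you should be able to enter the IP address or the domain name in your web browser and open the Dashboard panel.

Please make sure that you connect to Dashboard with: https://

If you configured your Dashboard to require authentication, you should provide an authentication token. You can find your token by invoking the following command:

$ kubectl describe secret NAME_OF_THE_SECRET -n NAMESPACE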
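
An added example, not part of the original question or answer: a small Python check that reports Ingress backends which cannot resolve to a Service, covering both the namespace mismatch described in the answer and a servicePort the Service does not expose (the question's Service only has port 80). The manifests are constructed to mirror the ones posted above, and treating a missing metadata.namespace as "default" is an assumption about how the object was applied.

```python
# Constructed manifests mirroring the question: the Service lives in "monit"
# and exposes only port 80; the Ingress YAML carries no metadata.namespace.
SERVICES = [
    {"metadata": {"name": "kubernetes-dashboard", "namespace": "monit"},
     "spec": {"ports": [{"port": 80, "targetPort": 9090}]}},
]
INGRESSES = [
    {"metadata": {"name": "https-ingress-monit"},
     "spec": {"rules": [{"host": "kubernetes-dashboard.localhost", "http": {"paths": [
         {"path": "/", "backend": {"serviceName": "kubernetes-dashboard",
                                   "servicePort": 443}}]}}]}},
]

def namespace_of(obj):
    """Assumption: an object without metadata.namespace was applied without
    -n and therefore landed in 'default'."""
    return obj["metadata"].get("namespace", "default")

def unresolved_backends(ingresses, services):
    """Return (ingress, namespace, service, port, reason) for every backend that
    does not resolve to a Service port inside the Ingress's own namespace."""
    index = {}
    for svc in services:
        ports = set()
        for p in svc["spec"].get("ports", []):
            ports.add(p["port"])
            if "name" in p:  # servicePort may also reference a port by name
                ports.add(p["name"])
        index[(namespace_of(svc), svc["metadata"]["name"])] = ports
    findings = []
    for ing in ingresses:
        ns = namespace_of(ing)
        for rule in ing["spec"].get("rules", []):
            for path in rule.get("http", {}).get("paths", []):
                name = path["backend"]["serviceName"]
                port = path["backend"]["servicePort"]
                ports = index.get((ns, name))
                if ports is None:
                    others = sorted(n for (n, s) in index if s == name)
                    reason = f"no such Service in namespace; exists in {others}"
                elif port not in ports:
                    reason = f"port not exposed; Service has {sorted(map(str, ports))}"
                else:
                    continue
                findings.append((ing["metadata"]["name"], ns, name, port, reason))
    return findings

if __name__ == "__main__":
    for finding in unresolved_backends(INGRESSES, SERVICES):
        print(finding)
```

Either finding corresponds to the `endpoints "kubernetes-dashboard" not found` message in the `kubectl describe ingress` output above.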