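Installing the dashboard and ingress on Kubernetes v1.19.3
1. Installing the Kubernetes dashboard
1.1. Prepare the required images and configuration file
Download the configuration file recommended.yaml
The required images are: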
- kubernetesui/dashboard:v2.0.4
- kubernetesui/metrics-scraper:v1.0.4
Load the downloaded images:
docker load < kubernetesui+dashboard:v2.0.4.tar
docker tag 46d0a29c3f61 kubernetesui/dashboard:v2.0.4
docker load < kubernetesui+metrics-scraper:v1.0.4.tar
docker tag 86262685d9ab kubernetesui/metrics-scraper:v1.0.4
1.2. Deploy the dashboard
Deploy the application:
[root@kubernetes-master ~]# kubectl apply -f recommended.yaml
[root@kubernetes-master ~]# kubectl get po -n kubernetes-dashboard
NAME READY STATUS RESTARTS AGE
dashboard-metrics-scraper-7b59f7d4df-62w9d 1/1 Running 0 42s
kubernetes-dashboard-665f4c5ff-qgk8k 1/1 Running 0 42s
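Check the Service created for the dashboard. Its type is ClusterIP, so no port is mapped and it cannot be reached from outside the cluster; it can be accessed through kubectl proxy: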
[root@kubernetes-master ~]# kubectl get svc -n kubernetes-dashboard
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
dashboard-metrics-scraper ClusterIP 10.105.230.71 <none> 8000/TCP 89s
kubernetes-dashboard ClusterIP 10.110.131.182 <none> 443/TCP 90s
[root@kubernetes-master ~]#
Start kubectl proxy:
[root@kubernetes-master ~]# kubectl proxy --address='0.0.0.0' --accept-hosts='^*$'
Starting to serve on [::]:8001
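Keep this process running. With these flags the proxy listens on every interface and accepts any Host header, so any client that can reach port 8001 uses the API server with the credentials of the kubeconfig that started it.
Access the dashboard: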
http://192.168.2.10:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/#/login
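The page opens, but the dashboard reports that sign-in is only possible over HTTPS or from localhost. Here 192.168.80.10 is the master node running on CentOS, which cannot be reached as localhost, so for now the port is mapped with NodePort instead.
1.3. Change the configuration to expose the port with NodePort
Edit recommended.yaml so that port 30008 maps to the internal port: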
---
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort # added
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30008 # added
  selector:
    k8s-app: kubernetes-dashboard
---
Re-apply the configuration and open the dashboard at
https://192.168.2.10:30008/#/login
Choose the Token sign-in method here. The token can be obtained as follows:
kubectl -n kube-system describe $(kubectl -n kube-system get secret -n kube-system -o name | grep namespace) | grep token
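1.4. Use a self-signed certificate to resolve the invalid-certificate warning
Issue a certificate. The domain is assumed to be www.freeeook.com; note that a hosts entry must map this domain to the node.
Create a v3.ext file with the following content: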
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.freeeook.com
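Generate the certificate with the following commands, then install freeeook.crt into "Trusted Root Certification Authorities":
openssl genrsa -des3 -out temp.key 2048 # prompts for a passphrase (e.g. 123456)
openssl rsa -in temp.key -out freeeook.key # prompts for the passphrase (e.g. 123456)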
openssl req -new -key freeeook.key -out freeeook.csr -subj "/C=CN/ST=BJ/L=BJ/O=freeeook/OU=freeeook/CN=freeeook.com/emailAddress=help@freeeook.com"
openssl x509 -req -days 365 -extfile v3.ext -in freeeook.csr -signkey freeeook.key -out freeeook.crt
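Before the key pair is loaded into the kubernetes-dashboard-certs secret, it helps to confirm that the certificate belongs to the private key and that its subjectAltName covers the hostname used in the browser. The script below is an added example, not part of the original post; it repeats the page's openssl steps in a temporary directory (skipping the passphrase-protected temp.key), and the function names make_cert and check_dashboard_cert are hypothetical.

```bash
# Added example (not from the original post): rebuild the page's self-signed
# certificate in a scratch directory and verify it before it goes into the
# kubernetes-dashboard-certs secret. Function names are hypothetical.

make_cert() {  # $1 = output directory
  cat > "$1/v3.ext" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.freeeook.com
EOF
  # Same steps as the page, minus the passphrase-protected temp.key.
  openssl genrsa -out "$1/freeeook.key" 2048 2>/dev/null &&
  openssl req -new -key "$1/freeeook.key" -out "$1/freeeook.csr" -subj \
    "/C=CN/ST=BJ/L=BJ/O=freeeook/OU=freeeook/CN=freeeook.com/emailAddress=help@freeeook.com" &&
  openssl x509 -req -days 365 -extfile "$1/v3.ext" -in "$1/freeeook.csr" \
    -signkey "$1/freeeook.key" -out "$1/freeeook.crt" 2>/dev/null
}

# Succeeds only if the private key belongs to the certificate and the
# certificate's subjectAltName covers the hostname typed into the browser.
check_dashboard_cert() {  # $1 = certificate, $2 = private key, $3 = hostname
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout) || return 2
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $2 is not the key for $1"; return 1
  fi
  if ! openssl x509 -in "$1" -noout -checkhost "$3" | grep -q "does match"; then
    echo "FAIL: certificate does not cover $3"; return 1
  fi
  echo "OK: key matches and certificate covers $3"
}

# Demo run in a temporary directory.
tmp=$(mktemp -d) && make_cert "$tmp" &&
  check_dashboard_cert "$tmp/freeeook.crt" "$tmp/freeeook.key" www.freeeook.com
[ -n "$tmp" ] && rm -rf "$tmp"
```

The wildcard entry `*.freeeook.com` covers www.freeeook.com but not the bare freeeook.com, so the same check fails for the bare domain even though it is the certificate's CN.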
Re-create the secret:
kubectl get secret -n kubernetes-dashboard # lists the currently configured secrets
[root@kubernetes-master dashboard]# kubectl delete secret kubernetes-dashboard-certs -n kubernetes-dashboard
secret "kubernetes-dashboard-certs" deleted
[root@kubernetes-master dashboard]# kubectl create secret generic kubernetes-dashboard-certs --from-file=tls.key=/root/dashboard/freeeook.key --from-file=tls.crt=/root/dashboard/freeeook.crt -n kubernetes-dashboard
secret/kubernetes-dashboard-certs created
[root@kubernetes-master dashboard]#
[root@kubernetes-master dashboard]# k describe secret kubernetes-dashboard-certs -n kubernetes-dashboard
Name: kubernetes-dashboard-certs
Namespace: kubernetes-dashboard
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
tls.key: 1675 bytes
tls.crt: 1598 bytes
Edit the recommended.yaml configuration file.
Comment out the following:
#apiVersion: v1
#kind: Secret
#metadata:
#  labels:
#    k8s-app: kubernetes-dashboard
#  name: kubernetes-dashboard-certs
#  namespace: kubernetes-dashboard
#type: Opaque
Adjust the kubernetes-dashboard Deployment as follows:
#- --auto-generate-certificates # commented out
- --tls-cert-file=tls.crt # added
- --tls-key-file=tls.key # added
After making the changes, re-apply the configuration file:
kubectl apply -f recommended.yaml
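Visit https://www.freeeook.com:30008. The page now loads normally, which shows the certificate is no longer a problem. This approach exposes the port with NodePort; the next step is to reach the dashboard through ingress forwarding.
2. Installing and deploying Ingress
2.1. Prepare the required images and configuration file
Download the configuration file deploy.yaml
The required images are: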
- k8s.gcr.io/ingress-nginx/controller:v0.41.0
- jettech/kube-webhook-certgen:v1.5.0
Load the images:
docker load < docker.io+jettech+kube-webhook-certgen:v1.5.0.tar
docker tag 344297e197b6 docker.io/jettech/kube-webhook-certgen:v1.5.0
docker load < k8s.gcr.io+ingress-nginx+controller:v0.41.0.tar
docker tag 28baf567207f k8s.gcr.io/ingress-nginx/controller:v0.41.0
2.2. Deploy ingress
[root@kubernetes-master ~]# kubectl apply -f deploy.yaml
[root@kubernetes-master ~]# kubectl get po -n ingress-nginx
NAME READY STATUS RESTARTS AGE
ingress-nginx-admission-create-9674v 0/1 Completed 0 4m4s
ingress-nginx-admission-patch-rkxt2 0/1 Completed 1 4m4s
ingress-nginx-controller-75d88c68db-xfzjj 1/1 Running 0 4m4s
[root@kubernetes-master ~]#
2.3. Access the dashboard through ingress
Create dashboard-ingress.yaml:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
    - www.freeeook.com
    secretName: kubernetes-dashboard-certs
  rules:
  - host: www.freeeook.com
    http:
      paths:
      - path:
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
Apply the ingress configuration:
kubectl apply -f dashboard-ingress.yaml
Check the ports of the ingress Service (by default Ingress is exposed via NodePort; a fixed port can be configured):
[root@kubernetes-master ingress]# kubectl get service -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller LoadBalancer 10.100.27.132 <pending> 80:31230/TCP,443:31543/TCP 5h1m
ingress-nginx-controller-admission ClusterIP 10.110.93.201 <none> 443/TCP 5h1m
[root@kubernetes-master ingress]#
Access the application at https://www.freeeook.com:31543/. Note that a hosts entry must map this domain to the node.
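After both parts of this walkthrough, several Services open ports on every node. The script below is an added example, not part of the original post: it reads `kubectl get svc` output and lists each port reachable from outside the cluster. The function names are hypothetical, and the sample listing is constructed from the two listings above plus the dashboard Service as it looks after the NodePort change in 1.3.

```bash
# Added example (not from the original post): report every node port that
# `kubectl get svc` output shows as reachable from outside the cluster.
# exposed_ports and sample_listing are hypothetical helper names.

exposed_ports() {  # reads `kubectl get svc -n <namespace>` output on stdin
  awk '
    $1 == "NAME" { next }                        # skip header rows
    $2 == "NodePort" || $2 == "LoadBalancer" {
      n = split($5, ports, ",")                  # e.g. 80:31230/TCP,443:31543/TCP
      for (i = 1; i <= n; i++) {
        split(ports[i], p, "[:/]")               # port, nodePort, protocol
        if (p[3] != "")                          # "443/TCP" alone has no nodePort
          printf "%s %s %s->%s/%s\n", $1, $2, p[1], p[2], p[3]
      }
    }'
}

# Constructed sample: the page's listings, with the dashboard Service shown
# as NodePort 30008 (its state after section 1.3).
sample_listing() {
  cat <<'EOF'
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
dashboard-metrics-scraper ClusterIP 10.105.230.71 <none> 8000/TCP 89s
kubernetes-dashboard NodePort 10.110.131.182 <none> 443:30008/TCP 90s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller LoadBalancer 10.100.27.132 <pending> 80:31230/TCP,443:31543/TCP 5h1m
ingress-nginx-controller-admission ClusterIP 10.110.93.201 <none> 443/TCP 5h1m
EOF
}

sample_listing | exposed_ports
```

On the constructed sample it reports the dashboard's NodePort 30008 next to the ingress controller's 31230 and 31543, which shows that the dashboard stays directly reachable on 30008 unless its Service is switched back to ClusterIP.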