How to access the Kubernetes dashboard from an external network


I am trying to access the Kubernetes dashboard using the token method from outside the network.

I ran these two commands to get the token:

kubectl -n kube-system get secret

kubectl -n kube-system describe secret replicaset-controller-token-2p4fk

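I copied and pasted the output token into the K8s login page.

When I click the sign-in button (the page does not load), I get this error in the browser console.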

I am running K8s on the internal server with the following command:

kubectl proxy --address 0.0.0.0 --accept-hosts '.*'

and trying to access the K8s UI console from the external network.

Failed to load resource: the server responded with a status of 401 (Unauthorized)
vendor.bd425c26.js:6 Error during global settings reload:  Object
:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/api/v1/rbac/status:1 Failed to load resource: the server responded with a status of 401 (Unauthorized)
vendor.bd425c26.js:6 Possibly unhandled rejection: "data":"MSG_LOGIN_UNAUTHORIZED_ERROR\n","status":401,"config":"method":"GET","transformRequest":[null],"transformResponse":[null],"jsonpCallbackParam":"callback","url":"api/v1/rbac/status","headers":"Accept":"application/json, text/plain, */*","statusText":"Unauthorized","xhrStatus":"complete","resource":

I even tried these steps, but no luck; the page does not load when I click the sign-in button.

$ kubectl -n kube-system get secret
# All secrets with type 'kubernetes.io/service-account-token' will allow to log in.
# Note that they have different privileges.
NAME                                     TYPE                                  DATA      AGE
deployment-controller-token-frsqj        kubernetes.io/service-account-token   3         22h

$ kubectl -n kube-system describe secret deployment-controller-token-frsqj
Name:         deployment-controller-token-frsqj
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=deployment-controller
              kubernetes.io/service-account.uid=64735958-ae9f-11e7-90d5-02420ac00002

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkZXBsb3ltZW50LWN

Here is my Kube/config file:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRV..
    server: https://192.168.15.97:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: 
users:
- name: kubernetes-admin
  user:
    client-certificate-data: LS0tLS1CRUdJTiBD..
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJ..

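Why am I not seeing the Skip auth button next to the Sign in button?

I also tried these steps:

Run the following commands:

  1. This command will create a service account for the dashboard in the default namespace:
     $ kubectl create serviceaccount dashboard -n default
  2. This command will add the cluster binding rules to the dashboard account:
     $ kubectl create clusterrolebinding dashboard-admin -n default \
         --clusterrole=cluster-admin \
         --serviceaccount=default:dashboard
  3. This command will give you the token required for the dashboard login:
     $ kubectl get secret $(kubectl get serviceaccount dashboard -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode

Can someone help me figure out what I am missing?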

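Some findings (Link): the kubectl proxy command only allows HTTP connections. For domains other than localhost and 127.0.0.1 it will not be possible to sign in. Nothing will happen after clicking the Sign in button on the login page.

kubectl proxy does not support HTTPS calls.

Is there a way to run the kubectl proxy command with the Kubernetes server IP address from an external/local Windows network?

Note: The local system is Windows 10 and K8s is on a Linux server. Docker version: 18.09 & K8s version: v1.13.1

Thanks,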

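Answer

I think you used the wrong secret for the Bearer Token. Usually, you have to create a ServiceAccount and then grant it authorization via a ClusterRoleBinding, assigning it the appropriate service role, in order to log in to the dashboard with a Bearer Token. Learn more about Kubernetes Dashboard Bearer Token authorization here.

Another answer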

https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above

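I found this note:

The dashboard should not be exposed publicly using the kubectl proxy command, as it only allows HTTP connections. For domains other than localhost and 127.0.0.1 it will not be possible to sign in. Nothing will happen after clicking the Sign in button on the login page.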
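An added example, not part of the original answer: a shell check for the exposure the note describes. `audit_kubectl_proxy` (a hypothetical helper) takes the arguments of a `kubectl proxy` invocation, fills in kubectl's defaults (`--address=127.0.0.1` and a loopback-only `--accept-hosts`), and reports whether the proxy listens beyond loopback or accepts an arbitrary hostname. The probe hostname is constructed, and `grep -E` only approximates the Go regular expressions kubectl uses.

```shell
#!/bin/sh
# Added example: audit the arguments of a `kubectl proxy` invocation.
# PROBE_HOST is a constructed external hostname used only for the regex test.
PROBE_HOST="dashboard.example.test"

audit_kubectl_proxy() {
    # kubectl's defaults when the flags are absent
    address='127.0.0.1'
    accept='^localhost$,^127\.0\.0\.1$,^\[::1\]$'
    while [ $# -gt 0 ]; do
        case "$1" in
            --address=*)      address=${1#*=} ;;
            --address)        address=${2-}; [ $# -gt 1 ] && shift ;;
            --accept-hosts=*) accept=${1#*=} ;;
            --accept-hosts)   accept=${2-}; [ $# -gt 1 ] && shift ;;
        esac
        shift
    done

    findings=''
    # Anything other than a loopback bind is reachable from the network.
    case "$address" in
        127.*|localhost|::1) ;;
        *) findings="$findings non-loopback-address" ;;
    esac
    # --accept-hosts is a comma-separated regex list; join it into one ERE
    # (an approximation of the Go regexes kubectl compiles).
    re=$(printf '%s' "$accept" | tr ',' '|')
    if printf '%s\n' "$PROBE_HOST" | grep -Eq -- "$re"; then
        findings="$findings accept-hosts-matches-external"
    fi
    findings=${findings# }
    echo "${findings:-ok}"
}

# The invocation from the question, then a loopback-only one.
audit_kubectl_proxy --address 0.0.0.0 --accept-hosts '.*'
audit_kubectl_proxy --port=8001
```

A proxy that reports both findings serves the API with the proxy owner's kubeconfig credentials to anyone who can reach the port, over plain HTTP.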

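Another answer

To get into the dashboard in a VM cluster, the virtual machines need a network handler that provides an external IP for the container. I have this from the post linked below.

The answer is to use MetalLB.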

https://piensoluegoinstalo.com/kubernetes-cluster-dashboard-on-premise/
vi metallb.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    address-pools:
    - name: default
      protocol: layer2
      addresses:
      - 192.168.1.240-192.168.1.250

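Create the certificates for the dashboard outside the container, and add an entry that resolves the IP to your hosts file; I use "dashboard" as the domain name.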

kubectl create -f metallb.yaml
mkdir $HOME/certs
cd $HOME/certs
openssl genrsa -out dashboard.key 2048
openssl rsa -in dashboard.key -out dashboard.key
openssl req -sha256 -new -key dashboard.key -out dashboard.csr -subj '/CN=dashboard'
openssl x509 -req -sha256 -days 365 -in dashboard.csr -signkey dashboard.key -out dashboard.crt
kubectl -n kube-system create secret generic kubernetes-dashboard-certs --from-file=$HOME/certs
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/aio/deploy/recommended/kubernetes-dashboard.yaml

Change the type to LoadBalancer:

kubectl -n kube-system edit service kubernetes-dashboard
apiVersion: v1
kind: Service
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"k8s-app":"kubernetes-dashboard"},"name":"kubernetes-dashboard","namespace":"kube-system"},"spec":{"ports":[{"port":443,"targetPort":8443}],"selector":{"k8s-app":"kubernetes-dashboard"}}}
  creationTimestamp: "2019-04-24T22:21:15Z"
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
  resourceVersion: "1753"
  selfLink: /api/v1/namespaces/kube-system/services/kubernetes-dashboard
  uid: 4612785f-66df-11e9-8180-000c29e7b067
spec:
  clusterIP: 10.110.50.44
  externalTrafficPolicy: Cluster
  ports:
  - nodePort: 31394
    port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  sessionAffinity: None
  type: LoadBalancer
status:

kubectl -n kube-system get service kubernetes-dashboard
nano admin-user.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system

kubectl create -f admin-user.yaml
nano cluster-role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system

kubectl create -f cluster-role.yaml

kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')

Another answer

That looks like a Base64-encoded token. Did you try decoding it before pasting it into the token field? See: https://youtu.be/nZ-CDc7PjSg
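An added example, not part of the original answers: a shell helper that inspects a pasted token offline, relevant to both the wrong-secret and the Base64 suggestions above. `kubectl describe secret` prints the token already decoded (a three-part JWT), while `-o jsonpath="{.data.token}"` returns it with one extra layer of Base64; the `sub` claim names the service account the token belongs to. The function names and the sample token are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect a dashboard login token offline (helper names are hypothetical).

# Encode/decode one base64url JWT segment ('-' and '_' alphabet, padding stripped).
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="$seg==" ;;
        3) seg="$seg=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# Classify a pasted value: raw JWT, JWT wrapped in one layer of Base64, or neither.
token_form() {
    case "$1" in eyJ*.*.*) echo raw-jwt; return 0 ;; esac
    inner=$(printf '%s' "$1" | base64 -d 2>/dev/null) || inner=''
    case "$inner" in
        eyJ*.*.*) echo base64-wrapped ;;
        *)        echo unknown ;;
    esac
}

# Print the "sub" claim, i.e. system:serviceaccount:<namespace>:<name>.
token_subject() {
    tok=$1
    if [ "$(token_form "$tok")" = base64-wrapped ]; then
        tok=$(printf '%s' "$tok" | base64 -d)
    fi
    payload=${tok#*.}; payload=${payload%%.*}
    b64url_decode "$payload" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# Constructed sample token: real header and claim layout, placeholder signature.
sample_token() {
    hdr='{"alg":"RS256","typ":"JWT"}'
    claims='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","sub":"system:serviceaccount:kube-system:deployment-controller"}'
    printf '%s.%s.%s' "$(b64url_encode "$hdr")" "$(b64url_encode "$claims")" "constructed-signature"
}

tok=$(sample_token)
echo "form: $(token_form "$tok")  subject: $(token_subject "$tok")"
```

Run the check on a workstation you trust; a service account token is a bearer credential and should not be pasted into online JWT decoders.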
