How to access/expose kubernetes-dashboard service outside of a cluster?

Problem description

I have the following services:

ubuntu@master:~$ kubectl get services --all-namespaces
NAMESPACE     NAME                   CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
default       kubernetes             100.64.0.1      <none>        443/TCP         48m
kube-system   kube-dns               100.64.0.10     <none>        53/UDP,53/TCP   47m
kube-system   kubernetes-dashboard   100.70.83.136   <nodes>       80/TCP          47m

I am attempting to access the Kubernetes dashboard. The following response seems reasonable, taking into account that curl is not a browser.

ubuntu@master:~$ curl 100.70.83.136
 <!doctype html> <html ng-app="kubernetesDashboard"> <head> <meta charset="utf-8"> <title>Kubernetes Dashboard</title> <link rel="icon" type="image/png" href="assets/images/kubernetes-logo.png"> <meta name="viewport" content="width=device-width"> <link rel="stylesheet" href="static/vendor.36bb79bb.css"> <link rel="stylesheet" href="static/app.d2318302.css"> </head> <body> <!--[if lt IE 10]>
      <p class="browsehappy">You are using an <strong>outdated</strong> browser.
      Please <a href="http://browsehappy.com/">upgrade your browser</a> to improve your
      experience.</p>
    <![endif]--> <kd-chrome layout="column" layout-fill> </kd-chrome> <script src="static/vendor.633c6c7a.js"></script> <script src="api/appConfig.json"></script> <script src="static/app.9ed974b1.js"></script> </body> </html> 

According to the documentation, the right access point is https://localhost/ui. So I am trying it and receive a slightly worrying result. Is this the expected response?

ubuntu@master:~$ curl https://localhost/ui
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Trying the same without certificate validation. For curl it might be OK, but I have got the same in a browser, which is connecting through port forwarding via the vagrant forwarded_port option.

ubuntu@master:~$ curl -k https://localhost/ui
Unauthorized

What am I doing wrong? And how can I make sure I can access the UI? Currently it responds with Unauthorized.

The docs for the dashboard say the password is in the configuration:

ubuntu@master:~$ kubectl config view
apiVersion: v1
clusters: []
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []

but it seems I have got nothing... Is this the expected behavior? How can I authorize with the UI?

Recommended answer

The official wiki is a little bit confusing, so I reordered it here:

If you use the recommended yaml to deploy the dashboard, you should only access your dashboard by https, and you should generate your certs (refer to the guide). Then you can run kubectl proxy --address='0.0.0.0' --accept-hosts='^*$' to visit the dashboard on "http://localhost:8001/ui". This page needs a token to log in. To generate it, refer to this page. You can also add NodePort to your yaml and access it using <nodeip>:<port>.

If you deploy using the http alternative method, you can only access your dashboard by nodeip:port. Remember to add it to the yaml first!! After deployment, you should also generate your token and add the header Authorization: Bearer <token> to every request.

I think this can help you and others who want to use kube-dashboard.
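
What the --accept-hosts value in the answer's command does to the proxy's Host-header check, compared with kubectl proxy's documented default list, shown as an added Go example that is not part of the original answer and not kubectl's own code. The function hostAccepted and the sample Host values are constructed for illustration and model only the host check.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

const (
	// Documented default of `kubectl proxy --accept-hosts`.
	defaultAcceptHosts = `^localhost$,^127\.0\.0\.1$,^\[::1\]$`
	// Value used in the answer's command.
	answerAcceptHosts = `^*$`
)

// hostAccepted is a simplified model (an assumption, not kubectl source):
// the Host header, with any port removed, must match at least one of the
// comma-separated regular expressions.
func hostAccepted(acceptHosts, hostHeader string) (bool, error) {
	host := hostHeader
	if h, _, err := net.SplitHostPort(hostHeader); err == nil {
		host = h
	}
	for _, pattern := range strings.Split(acceptHosts, ",") {
		re, err := regexp.Compile(pattern)
		if err != nil {
			return false, fmt.Errorf("bad pattern %q: %w", pattern, err)
		}
		if re.MatchString(host) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed Host header values, as a browser or curl would send them.
	hosts := []string{"localhost:8001", "127.0.0.1:8001",
		"192.168.33.10:8001", "dashboard.example.test:8001"}
	for _, h := range hosts {
		def, _ := hostAccepted(defaultAcceptHosts, h)
		ans, _ := hostAccepted(answerAcceptHosts, h)
		fmt.Printf("%-28s default=%-5v answer=%v\n", h, def, ans)
	}
}
```

The pattern `^*$` matches every Host value, so the host filter no longer restricts anything; with --address left at its default of 127.0.0.1 and the default host list, the proxy answers only local clients.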
