Reverse proxy for the Kubernetes dashboard
1. Get the dashboard YAML file
wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0/aio/deploy/recommended.yaml
2. Comment out the following two sections of the YAML file; the namespace and the secret are created manually in step 4
#apiVersion: v1
#kind: Namespace
#metadata:
#  name: kubernetes-dashboard

#apiVersion: v1
#kind: Secret
#metadata:
#  labels:
#    k8s-app: kubernetes-dashboard
#  name: kubernetes-dashboard-certs
#  namespace: kubernetes-dashboard
#type: Opaque
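3. Generate a self-signed SSL certificate and private key
# Generate the private key
openssl genrsa -out dashboard.pass.key 2048
# Write the private key out as dashboard.key (no passphrase)
openssl rsa -in dashboard.pass.key -out dashboard.key
# Generate the certificate signing request
sudo openssl req -new -key dashboard.key -out dashboard.csr
# Generate the self-signed SSL certificate
openssl x509 -req -days 3650 -in dashboard.csr -signkey dashboard.key -out dashboard.crt
4. Manually create the kubernetes-dashboard namespace and secret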
kubectl create ns kubernetes-dashboard
kubectl -n kubernetes-dashboard create secret tls kubernetes-dashboard-certs --key dashboard.key --cert dashboard.crt
5. Deploy the dashboard
kubectl apply -f recommended.yaml
6. Define a custom domain name in /etc/hosts
10.192.30.4 dashboard.k8s.com
7. Deploy nginx-ingress-controller
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.22.0/deploy/mandatory.yaml
8. Deploy dashboard-ingress.yaml so that the ingress forwards to the dashboard service
kubectl apply -f dashboard-ingress.yaml
Remember to replace the hosts in the file.
The dashboard-ingress.yaml file:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: k8s-dashboard
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/secure-backends: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
    - dashboard.k8s.com
    - "*.k8s.com"
    secretName: kubernetes-dashboard-certs
  rules:
  - host: dashboard.k8s.com
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
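9. Configure nginx to forward requests to the ingress
Remember to replace the certificate (ssl_certificate), the key (ssl_certificate_key) and the domain name (proxy_pass https) with your own.
The nginx.conf file: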
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name 10.192.30.4;
    root /usr/share/nginx/html;
    ssl_certificate /home/ccs/workspace/k8s/dashboard/secretkey/dashboard.crt;
    ssl_certificate_key /home/ccs/workspace/k8s/dashboard/secretkey/dashboard.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;
    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;
    location / {
        proxy_pass https://dashboard.k8s.com:443;
        proxy_ssl_certificate /home/ccs/workspace/k8s/dashboard/secretkey/dashboard.crt;
        proxy_ssl_certificate_key /home/ccs/workspace/k8s/dashboard/secretkey/dashboard.key;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    error_page 404 /404.html;
    location = /40x.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
10. Create dashboard-rbac
The dashboard-rbac.yaml file:
# Create the admin-user ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
# Create a ClusterRoleBinding that grants admin-user the cluster-admin ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
11. Get the token
kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}"
12. Enable access
kubectl proxy
13. Visit https://dashboard.k8s.com
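
Step 10 binds the admin-user ServiceAccount to cluster-admin, so the token read in step 11 carries full cluster rights. The following is an added example, not part of the original page: it lists every ServiceAccount bound cluster-wide to cluster-admin from the JSON printed by `kubectl get clusterrolebindings -o json`. The function name risky_bindings and the embedded sample data are constructed for illustration.

```python
import json
import sys

# Constructed sample, shaped like `kubectl get clusterrolebindings -o json`.
SAMPLE = {"items": [
    {"metadata": {"name": "admin-user"},  # the binding from step 10
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "admin-user",
                   "namespace": "kubernetes-dashboard"}]},
    {"metadata": {"name": "cluster-admin"},  # subject is a Group, not an SA
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "kubernetes-dashboard"},  # a different ClusterRole
     "roleRef": {"kind": "ClusterRole", "name": "kubernetes-dashboard"},
     "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                   "namespace": "kubernetes-dashboard"}]},
    {"metadata": {"name": "empty-binding"},  # subjects is null
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": None},
]}

HIGH_PRIV_ROLES = {"cluster-admin"}


def risky_bindings(doc, roles=HIGH_PRIV_ROLES):
    """Return sorted (binding, role, "namespace/name") tuples for every
    ServiceAccount bound cluster-wide to one of the given ClusterRoles."""
    findings = []
    for item in doc.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in roles:
            continue
        for subj in item.get("subjects") or []:  # subjects may be missing or null
            if subj.get("kind") == "ServiceAccount":
                sa = f"{subj.get('namespace', '')}/{subj['name']}"
                findings.append((item["metadata"]["name"], ref["name"], sa))
    return sorted(findings)


if __name__ == "__main__":
    # Pass a file saved from kubectl as the first argument; otherwise use SAMPLE.
    doc = SAMPLE
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            doc = json.load(fh)
    for binding, role, sa in risky_bindings(doc):
        print(f"{binding}: ServiceAccount {sa} -> {role}")
```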