So I installed the Kubernetes dashboard with the following manifest:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
Then I created this Ingress resource pointing to my dashboard service:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kubernetes-dashboard-nginx-ingress
  namespace: kubernetes-dashboard
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.org/upstream-zone-size: "0"
spec:
  ingressClassName: nginx
  rules:
    - host: k8s-dashboard.<myDomain>
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kubernetes-dashboard
                port:
                  number: 443
  tls:
    - hosts:
        - k8s-dashboard.<myDomain>
      # secretName omitted to use default wildcard certificate
Then, if I curl the URL from my Raspberry (or any other device), I get an error:
guille@raspberrypi:~/K8S/kubernetes-dashboard $ curl https://k8s-dashboard.<myDomain>/
Client sent an HTTP request to an HTTPS server.
But if I curl from inside the cluster (using a curl pod):
guille@raspberrypi:~/K8S/kubernetes-dashboard $ kubectl get svc -n kubernetes-dashboard
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
dashboard-metrics-scraper ClusterIP 10.96.68.254 <none> 8000/TCP 78m
kubernetes-dashboard ClusterIP 10.96.169.120 <none> 443/TCP 78m
guille@raspberrypi:~/K8S/kubernetes-dashboard $ kubectl exec mycurlpod -n default -i --tty -- curl -k https://10.96.169.120
<!--
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
--><!DOCTYPE html><html lang="en" dir="ltr"><head>
<meta charset="utf-8">
<title>Kubernetes Dashboard</title>
<link rel="icon" type="image/png" href="assets/images/kubernetes-logo.png">
<meta name="viewport" content="width=device-width">
<style>html,body{height:100%;margin:0}*::-webkit-scrollbar{background:transparent;height:8px;width:8px}</style><link rel="stylesheet" href="styles.243e6d874431c8e8.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.243e6d874431c8e8.css"></noscript></head>
<body>
<kd-root></kd-root>
<script src="runtime.134ad7745384bed8.js" type="module"></script><script src="polyfills.5c84b93f78682d4f.js" type="module"></script><script src="scripts.2c4f58d7c579cacb.js" defer></script><script src="en.main.3550e3edca7d0ed8.js" type="module"></script>
</body></html>
As you can see, the dashboard is deployed correctly, but I can't reach it through the ingress.
Any ideas about this?
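For SSL passthrough to work, you need to enable the flag --enable-ssl-passthrough for the ingress-nginx pod. This could explain the problem here. So, in the args: section of the container in the manifest you deployed, add --enable-ssl-passthrough to the list and try again.
Also, check the ingress-nginx pod logs; they may already tell you what the problem is. As a side note: you can also test in-cluster connectivity through ingress-nginx by curling ingress-nginx and setting the Host header to the service you want to reach.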
See also: https://kubernetes.github.io/ingress-nginx/user-guide/tls/#ssl-passthrough
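The mismatch described in the answer above (an Ingress annotated for ssl-passthrough while the controller is not started with --enable-ssl-passthrough) can be checked mechanically. This is an added example, not part of the original answers; the sample objects and function names are constructed for illustration, and the input is assumed to have the shape of the items from `kubectl get deploy,ingress -A -o json`.

```python
import json

ANNOTATION = "nginx.ingress.kubernetes.io/ssl-passthrough"
FLAG = "--enable-ssl-passthrough"

# Constructed sample, shaped like the items of
# `kubectl get deploy,ingress -A -o json` (not output from the asker's cluster).
SAMPLE = json.loads("""
[
 {"kind": "Deployment",
  "metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "controller",
     "args": ["/nginx-ingress-controller", "--ingress-class=nginx"]}]}}}},
 {"kind": "Ingress",
  "metadata": {"namespace": "kubernetes-dashboard",
               "name": "kubernetes-dashboard-nginx-ingress",
               "annotations": {
                 "nginx.ingress.kubernetes.io/ssl-passthrough": "true"}}}
]
""")


def controller_enables_passthrough(deployment):
    """True if a container is started with the flag (bare or '=true')."""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    return any(arg in (FLAG, FLAG + "=true")
               for c in containers for arg in c.get("args") or [])


def passthrough_findings(objects):
    """List namespace/name of Ingresses whose passthrough annotation has no
    controller flag behind it, the mismatch the answer points at."""
    enabled = any(controller_enables_passthrough(o)
                  for o in objects if o["kind"] == "Deployment")
    findings = []
    for o in objects:
        meta = o["metadata"]
        wants = (meta.get("annotations") or {}).get(ANNOTATION) == "true"
        if o["kind"] == "Ingress" and wants and not enabled:
            findings.append(f'{meta["namespace"]}/{meta["name"]}')
    return findings


if __name__ == "__main__":
    for name in passthrough_findings(SAMPLE):
        print(f"{name}: {ANNOTATION} is set, but no controller has {FLAG}")
```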
Here is an example ingress configuration that works for me:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dashboard-local
  namespace: kube-system
  annotations:
    # restrict to private network scopes
    "nginx.ingress.kubernetes.io/whitelist-source-range": "10.1.1.0/24"
    "nginx.ingress.kubernetes.io/force-ssl-redirect": "true"
    "nginx.ingress.kubernetes.io/ssl-passthrough": "true"
    "nginx.ingress.kubernetes.io/backend-protocol": "HTTPS"
spec:
  # ingressClassName: public - optional if you need to specify ingress class
  rules:
    - host: dashboard.local
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kubernetes-dashboard
                port:
                  number: 443
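Make sure that a valid subnet is specified in the whitelist-source-range parameter, and that the namespace of the kubernetes-dashboard service is correctly specified on line #5.
Also double-check, using the command kubectl get ingress -A, that no other ingress has been created for the Kubernetes dashboard, to avoid conflicts.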