ingress configuration for dashboard
I did the nginx ingress controller tutorial from github and
exposed the kubernetes dashboard
kubernetes-dashboard NodePort 10.233.53.77 <none> 443:31925/TCP 20d
created an ingress
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.org/ssl-backends: "kubernetes-dashboard"
    kubernetes.io/ingress.allow-http: "false"
  name: dashboard-ingress
  namespace: kube-system
spec:
  tls:
  - hosts:
    - serverdnsname
    secretName: kubernetes-dashboard-certs
  rules:
  - host: serverdnsname
    http:
      paths:
      - path: /dashboard
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
ingress-nginx ingress-nginx NodePort 10.233.21.200 <none> 80:30827/TCP,443:32536/TCP 5h
https://serverdnsname:32536/dashboard
but the dashboard throws an error
2018/01/18 14:42:51 http: TLS handshake error from ipWhichEndsWith.77:52686: tls: first record does not look like a TLS handshake
and the ingress controller logs
2018/01/18 14:42:51 [error] 864#864: *37 upstream sent no valid HTTP/1.0 header while reading response header from upstream, client: 10.233.82.1, server: serverdnsname, request: "GET /dashboard HTTP/2.0", upstream: "http://ipWhichEndsWith.249:8443/dashboard", host: "serverdnsname:32536"
10.233.82.1 - [10.233.82.1] - - [18/Jan/2018:14:42:51 +0000] "GET /dashboard HTTP/2.0" 009 7 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 OPR/49.0.2725.64" 25 0.001 [kube-system-kubernetes-dashboard-443] ipWhichEndsWith.249:8443 7 0.001 200
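In my opinion, it is related to nginx redirecting to the upstream: "http://ipWhichEndsWith.249:8443/dashboard".
I tried updating the controller image version to 0.9.0-beta.19 - it didn't help.
Thank you for any help.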
As you pointed out, it looks like nginx is proxying your https request to ipWhichEndsWith.249:8443, which is an HTTPS endpoint, using http as the protocol.
You should add the following annotation to your PodSpec:
LATEST
This annotation was added to replace the deprecated annotation since 0.18.0
#2871 Add support for AJP protocol
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
DEPRECATED
This annotation was deprecated in 0.18.0 and removed after the release of 0.20.0
#3203 Remove annotations grpc-backend and secure-backend already deprecated
nginx.ingress.kubernetes.io/secure-backends: "true"
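This should make nginx forward your requests to the pods using https.
You can also use the helm chart provided here:
helm-chart/kubernetes-dashboard
Then set your values.yaml file to override the ingress section, e.g. enable it, and you can add hosts.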
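Just for code reference. There are 2 gotchas: set the right annotation, since the dashboard uses https, and use the correct namespace for the ingress. The tls config is optional.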
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: dashboard-google
  namespace: kube-system
  annotations:
    nginx.ingress.kubernetes.io/secure-backends: "true"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  tls:
  - hosts:
    - kube.mydomain.com
    secretName: tls-secret
  rules:
  - host: kube.mydomain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
To keep this ticket updated (if the user uses nginx ingress): to access the Kubernetes dashboard, you need to apply the following annotations:
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
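Do not use secure-backends on versions after image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.26.1. It was replaced by backend-protocol.
If the user is using the ingress on a non-https port, e.g. 80, it can be done by following the instructions here: TLS termination (nginx ingress documentation).
Complete code example with a subdomain: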
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kubernetes-dashboard-ingress
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
    - "dashboard.my.example.com"
    secretName: kubernetes-dashboard-secret
  rules:
  - host: "dashboard.my.example.com"
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: kubernetes-dashboard
            port:
              number: 443
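Hope this helps beginners like me not to spend so much time figuring out how to do it. The user should also take into account the external load balancer configuration for the ingress controller. Remember to set it to SSL Pass-Through for the port that you want to forward.
Update: If the user wants to use another ingress provider, e.g. Kubernetes Ingress Controller Documentation/HAProxy Kubernetes Ingress/Controller 1.4
Code sample with annotations: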
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kubernetes-dashboard-ingress
  namespace: kubernetes-dashboard
  annotations:
    haproxy.org/server-ssl: "true"
spec:
  tls:
  - hosts:
    - "dashboard.my.example.com"
    secretName: kubernetes-dashboard-secret
  rules:
  - host: "dashboard.my.example.com"
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: kubernetes-dashboard
            port:
              number: 443
The user should not forget that secrets are unique per namespace.
This is the dashboard ingress that works for me.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/configuration-snippet: |
      rewrite ^(/dashboard)$ / redirect;
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - yourdomain.com
    secretName: kubernetes-dashboard-tls
  rules:
  - host: yourdomain.com
    http:
      paths:
      - path: /dashboard(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: kubernetes-dashboard
            port:
              number: 443
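Added example, not code from the question or any of the answers above: a small pre-apply check that flags the problems this thread works through (annotations under a prefix the controller does not read, the deprecated secure-backends annotation, and an HTTPS backend port without backend-protocol "HTTPS"). It assumes ingress-nginx running with its default annotation prefix and that ports 443 and 8443 carry TLS; the function names, finding codes and trimmed sample manifests are constructed for illustration.

```python
# Added example: lint Ingress manifests for the backend-protocol problem in this thread.
# Assumes ingress-nginx with its default annotation prefix; manifests are plain dicts
# with the same shape as the YAML (extensions/v1beta1 or networking.k8s.io/v1).
PREFIX = "nginx.ingress.kubernetes.io/"
OTHER_PREFIXES = ("ingress.kubernetes.io/", "nginx.org/")  # not read under the default prefix
TLS_PORTS = {443, 8443}  # assumption: ports on which the dashboard serves HTTPS


def backend_ports(ingress):
    """Yield backend service ports from either API version's path layout."""
    for rule in ingress.get("spec", {}).get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            backend = path.get("backend", {})
            if "servicePort" in backend:  # extensions/v1beta1
                yield backend["servicePort"]
            else:  # networking.k8s.io/v1
                yield backend.get("service", {}).get("port", {}).get("number")


def lint_ingress(ingress):
    """Return sorted finding codes for one Ingress manifest."""
    ann = ingress.get("metadata", {}).get("annotations") or {}
    findings = set()
    if any(key.startswith(OTHER_PREFIXES) for key in ann):
        findings.add("annotation-prefix-not-read")
    if PREFIX + "secure-backends" in ann:
        findings.add("deprecated-secure-backends")  # replaced by backend-protocol
    proto = str(ann.get(PREFIX + "backend-protocol", "HTTP")).upper()
    if proto != "HTTPS" and any(p in TLS_PORTS for p in backend_ports(ingress)):
        findings.add("plain-http-to-tls-backend")  # the handshake error in the question
    return sorted(findings)


# Constructed samples: the question's manifest and the later v1 manifest, trimmed.
QUESTION = {"metadata": {"annotations": {
                "ingress.kubernetes.io/ssl-passthrough": "true",
                "nginx.org/ssl-backends": "kubernetes-dashboard"}},
            "spec": {"rules": [{"http": {"paths": [{"path": "/dashboard",
                "backend": {"serviceName": "kubernetes-dashboard", "servicePort": 443}}]}}]}}
FIXED = {"metadata": {"annotations": {
             "kubernetes.io/ingress.class": "nginx",
             PREFIX + "ssl-passthrough": "true",
             PREFIX + "backend-protocol": "HTTPS"}},
         "spec": {"rules": [{"http": {"paths": [{"path": "/", "pathType": "Prefix",
             "backend": {"service": {"name": "kubernetes-dashboard",
                                     "port": {"number": 443}}}}]}}]}}

if __name__ == "__main__":
    for name, manifest in (("question", QUESTION), ("fixed", FIXED)):
        print(name, lint_ingress(manifest))
```
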