Configuring the ingress-controller
Project page: https://github.com/kubernetes/ingress-nginx
Download the ingress-controller manifest: wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.44.0/deploy/static/provider/cloud/deploy.yaml
Edit the configuration:
apiVersion: apps/v1
kind: Deployment
...
spec:
  ...
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
    spec:
      dnsPolicy: ClusterFirst
      # Schedule only onto nodes carrying this label
      nodeSelector:
        isIngress: "true"
      # Expose the service through hostNetwork
      hostNetwork: true
Note: the images used are hosted on registries outside China; you can pull them through a proxy first and then push them to a private registry inside China for use.
Deploy the ingress-controller: kubectl apply -f deploy.yaml
Configuring k8s-dashboard
This uses an existing HTTPS certificate: dashboard.crt and dashboard.key
Manually create the kubernetes-dashboard-certs secret:
kubectl create namespace kubernetes-dashboard
kubectl create secret generic kubernetes-dashboard-certs --from-file=certs/ -n kubernetes-dashboard
Download the dashboard YAML file: wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.2.0/aio/deploy/recommended.yaml
Edit recommended.yaml:
# Comment out the Secret
#---
#apiVersion: v1
#kind: Secret
#metadata:
#  labels:
#    k8s-app: kubernetes-dashboard
#  name: kubernetes-dashboard-certs
#  namespace: kubernetes-dashboard
#type: Opaque
# Add the TLS certificate paths, disable automatic certificate generation, and set how long a token lasts before logout
args:
  # - --auto-generate-certificates
  - --namespace=kubernetes-dashboard
  - --tls-key-file=dashboard.key
  - --tls-cert-file=dashboard.crt
  - --token-ttl=3600
Deploy the dashboard: kubectl apply -f recommended.yaml
Create the admin-user administrator account:
# vim dashboard-admin.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: dashboard-admin
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-admin-bind-cluster-role
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # cluster-admin gives the holder of this account's token full control of the cluster
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: dashboard-admin
  namespace: kubernetes-dashboard
Create the dashboard administrator: kubectl apply -f dashboard-admin.yaml
Configuring Ingress Nginx as the access entry point
Create the ingress-nginx HTTPS certificate secret for the dashboard-test.test.com domain:
kubectl create secret tls k8s-dashboard --key dashboard/certs/dashboard.key --cert dashboard/certs/dashboard.crt -n kubernetes-dashboard
# vim dashboard-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # Turn on use-regex to enable regular-expression matching of paths
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /
    # Defaults to true; with TLS enabled, HTTP requests get a 308 redirect to HTTPS
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Defaults to HTTP; makes nginx reach the backend service with proxy_pass https://
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
spec:
  rules:
  - host: dashboard-test.test.com
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
  tls:
  - hosts:
    - dashboard-test.test.com
    secretName: k8s-dashboard
## ingress-v1.1.0 version:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # Turn on use-regex to enable regular-expression matching of paths
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /
    # Defaults to true; with TLS enabled, HTTP requests get a 308 redirect to HTTPS
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Defaults to HTTP; makes nginx reach the backend service with proxy_pass https://
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
spec:
  rules:
  - host: dashboard-test.datagrand.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: kubernetes-dashboard
            port:
              number: 443
  tls:
  - hosts:
    - dashboard-test.datagrand.com
    secretName: k8s-dashboard
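Deploy: kubectl apply -f dashboard-ingress.yaml
Point DNS at the corresponding public IP; alternatively, configure a public-cloud load balancer with TCP forwarding to ports 443 and 80 on the node.
View the dashboard token: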
kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep dashboard-admin | awk '{print $1}')
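A pre-flight check for the dashboard.crt / dashboard.key pair that goes into both the kubernetes-dashboard-certs and k8s-dashboard secrets, as an added example that is not part of the original guide. The function names, return codes and 7-day expiry threshold are assumptions of this example, and the demo runs on a constructed self-signed pair rather than the real certificate.

```shell
#!/bin/sh
# Added example: check dashboard.crt / dashboard.key before creating secrets.
# Return codes (chosen for this example): 0 ok, 2 unreadable or unparsable
# file, 3 key mismatch, 4 expires within 7 days, 5 hostname not covered.
check_dashboard_cert() (
  crt=$1 key=$2 host=$3
  [ -r "$crt" ] && [ -r "$key" ] || { echo "cannot read $crt or $key" >&2; return 2; }

  # The certificate must carry the public half of the private key.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey) || return 2
  key_pub=$(openssl pkey -in "$key" -pubout) || return 2
  [ "$crt_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 3; }

  # Reject certificates that are expired or expire within 7 days (604800 s).
  openssl x509 -in "$crt" -noout -checkend 604800 >/dev/null ||
    { echo "certificate expires within 7 days" >&2; return 4; }

  # The Ingress host must be covered by the certificate's names.
  openssl x509 -in "$crt" -noout -checkhost "$host" | grep -q "does match" ||
    { echo "certificate does not cover $host" >&2; return 5; }
)

# Constructed sample input: throw-away self-signed pair for host $2 in dir $1.
make_constructed_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1/dashboard.key" -out "$1/dashboard.crt" 2>/dev/null
}

# Demo on the constructed pair (not the real certificate from the guide).
demo_dir=$(mktemp -d)
make_constructed_pair "$demo_dir" dashboard-test.test.com
check_dashboard_cert "$demo_dir/dashboard.crt" "$demo_dir/dashboard.key" \
  dashboard-test.test.com && echo "pair is usable for dashboard-test.test.com"
```

On a real cluster, run check_dashboard_cert against the files in the certs directory with the Ingress host before the two kubectl create secret steps.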
