Ingress configuration for the dashboard

17

I followed the Nginx Ingress controller tutorial on GitHub and exposed the Kubernetes dashboard.

kubernetes-dashboard   NodePort    10.233.53.77    <none>        443:31925/TCP   20d
Created the Ingress:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.org/ssl-backends: "kubernetes-dashboard"
    kubernetes.io/ingress.allow-http: "false"
  name: dashboard-ingress
  namespace: kube-system
spec:
  tls:
  - hosts:
    - serverdnsname
    secretName: kubernetes-dashboard-certs
  rules:
  - host: serverdnsname
    http:
      paths:
      - path: /dashboard
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443

ingress-nginx   ingress-nginx          NodePort    10.233.21.200   <none>        80:30827/TCP,443:32536/TCP   5h

https://serverdnsname:32536/dashboard but the dashboard throws an error

2018/01/18 14:42:51 http: TLS handshake error from ipWhichEndsWith.77:52686: tls: first record does not look like a TLS handshake

and the ingress controller logs

2018/01/18 14:42:51 [error] 864#864: *37 upstream sent no valid HTTP/1.0 header while reading response header from upstream, client: 10.233.82.1, server: serverdnsname, request: "GET /dashboard HTTP/2.0", upstream: "http://ipWhichEndsWith.249:8443/dashboard", host: "serverdnsname:32536"
10.233.82.1 - [10.233.82.1] - - [18/Jan/2018:14:42:51 +0000] "GET /dashboard HTTP/2.0" 009 7 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 OPR/49.0.2725.64" 25 0.001 [kube-system-kubernetes-dashboard-443] ipWhichEndsWith.249:8443 7 0.001 200

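I think it is related to nginx redirecting to the upstream: "http://ipWhichEndsWith.249:8443/dashboard". Tried updating the controller image version to 0.9.0-beta.19 - didn't help.

Thanks for any help.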

6 Answers

38
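As you pointed out, it looks like nginx is proxying your https request to ipWhichEndsWith.249:8443, which is an HTTPS endpoint, using http as the protocol.
You should add the following annotation to your PodSpec:

LATEST

This annotation was added to replace the deprecated annotation since 0.18.0

#2871 Add support for AJP protocol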

nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

DEPRECATED

This annotation was deprecated in 0.18.0 and removed after the release of 0.20.0.

#3203 Remove annotations grpc-backend and secure-backend already deprecated

nginx.ingress.kubernetes.io/secure-backends: "true"

This should make nginx forward your request to the pods using https.
Source: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md#backend-protocol
Docs: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#backend-protocol

3
You, sir, are a true hero. - kainlite
3
For those who arrive late, this was changed to: nginx.ingress.kubernetes.io/backend-protocol: "HTTPS". I think k8s really needs to provide a changelog. - cyl19910101
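
An added example, not part of the thread or of ingress-nginx: a small lint for the annotation problems the question and the answer above describe (annotations under a prefix the controller does not read, the deprecated secure-backends, plain HTTP proxied to a TLS backend, and ssl-passthrough set next to layer-7 annotations). It assumes the controller's default --annotations-prefix and that a backend service port of 443 means a TLS backend; the function names and finding codes are hypothetical.

```python
import re

ANNOTATION = re.compile(r'^\s+([\w.-]+/[\w.-]+):\s*"?([^"#\n]*?)"?\s*$')
TLS_PORT = re.compile(r'^\s+(?:servicePort|number):\s*443\s*$', re.M)
PREFIX = "nginx.ingress.kubernetes.io/"
# Assumption: default --annotations-prefix, so ingress-nginx ignores these.
UNREAD = ("ingress.kubernetes.io/", "nginx.org/")

# Constructed sample: annotations and backend port as in the question.
SAMPLE = """\
metadata:
  annotations:
    ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.org/ssl-backends: "kubernetes-dashboard"
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
"""


def annotations(manifest):
    """Collect `prefix/name: value` pairs, line by line (no YAML library)."""
    pairs = (ANNOTATION.match(line) for line in manifest.splitlines())
    return {m.group(1): m.group(2).strip() for m in pairs if m}


def lint(manifest):
    """Return finding codes for one Ingress manifest given as text."""
    ann, out = annotations(manifest), []
    out += ["unread-prefix:" + k for k in ann if k.startswith(UNREAD)]
    legacy = ann.get(PREFIX + "secure-backends")
    if legacy is not None:
        out.append("deprecated:secure-backends")
    proto = ann.get(PREFIX + "backend-protocol", "HTTP").upper()
    # Assumption: backend service port 443 means the pod itself speaks TLS.
    if TLS_PORT.search(manifest) and proto != "HTTPS" and legacy != "true":
        out.append("plaintext-to-tls-backend")
    # With passthrough active, nginx forwards raw TLS and skips L7 annotations.
    l7 = [k for k in ann if k.startswith(PREFIX) and not k.endswith("/ssl-passthrough")]
    if ann.get(PREFIX + "ssl-passthrough") == "true" and l7:
        out.append("passthrough-ignores:" + ",".join(sorted(l7)))
    return out


if __name__ == "__main__":
    print(lint(SAMPLE))
```

The passthrough finding only applies when the controller was started with --enable-ssl-passthrough; without that flag the annotation has no effect and the layer-7 annotations are used.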

5
To keep this ticket up to date (if the user is using Nginx Ingress): in order to access the Kubernetes dashboard you need to apply the following annotations:
annotations:
  kubernetes.io/ingress.class: "nginx"
  nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

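Do not use secure-backends in environments with a version higher than image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.26.1; use backend-protocol instead.

If the user is using the ingress on a non-https port (e.g. 80), TLS termination can be done as described here (nginx ingress documentation).

Full code example with a subdomain: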

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kubernetes-dashboard-ingress
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
      - "dashboard.my.example.com"
    secretName: kubernetes-dashboard-secret
  rules:
  - host: "dashboard.my.example.com"
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: kubernetes-dashboard
            port:
              number: 443

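Hope this helps beginners like me avoid spending too much time figuring out how to do it. Also, users should consider the case of an external load balancer configured in front of the ingress controller. Remember to set it to SSL Pass-Through so the port is forwarded.

Update: If the user wants to use another ingress provider, e.g. Kubernetes Ingress Controller Documentation/HAProxy Kubernetes Ingress/Controller 1.4

Code example with annotations: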

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kubernetes-dashboard-ingress
  namespace: kubernetes-dashboard
  annotations:
    haproxy.org/server-ssl: "true"
spec:
  tls:
  - hosts:
      - "dashboard.my.example.com"
    secretName: kubernetes-dashboard-secret
  rules:
    - host: "dashboard.my.example.com"
      http:
        paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: kubernetes-dashboard
              port:
                number: 443

Users should not forget that secrets are unique to each namespace.


haproxy.org/server-ssl: "true" saved my day today. - BartBiczBoży
This helped a lot! - Anis

5

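Just for code reference. There are two main points to take care of. Set the correct annotations, because the dashboard uses https, and use the correct namespace for the ingress. The tls configuration is optional.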

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: dashboard-google
  namespace: kube-system
  annotations:
    nginx.ingress.kubernetes.io/secure-backends: "true"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  tls:
    - hosts:
      - kube.mydomain.com
      secretName: tls-secret
  rules:
    - host: kube.mydomain.com
      http:
        paths:
        - path: /
          backend:
            serviceName: kubernetes-dashboard
            servicePort: 443

2
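You can also use the Helm chart available here, helm-chart/kubernetes-dashboard, and then set up your values.yaml file to override the ingress section, for example enabling it and adding the available hosts.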

1

Here is an ingress that works for my dashboard.

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: kubernetes-dashboard
      namespace: kube-system
      annotations:
        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
        nginx.ingress.kubernetes.io/rewrite-target: /$2
        nginx.ingress.kubernetes.io/configuration-snippet: |
          rewrite ^(/dashboard)$ $1/ redirect;
    spec:
      ingressClassName: nginx
      tls:
      - hosts:
        - yourdomain.com
        secretName: kubernetes-dashboard-tls
      rules:
      - host: yourdomain.com
        http:
            paths:
              - path: /dashboard(/|$)(.*)
                pathType: Prefix
                backend:
                  service:
                    name: kubernetes-dashboard
                    port:
                      number: 443


0
This issue is solved by setting SERVER_BASEPATH and SERVER_REWRITEBASEPATH in the deployment; redirection at the ingress layer will then work smoothly.
Deployment file:
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: osd-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: osd
  template:
    metadata:
      labels:
        app: osd
    spec:
      containers:
        - name: osd
          imagePullPolicy: Never
          image: 
          env:
            - name: server.ssl.enabled
              value: "false"
            - name: OPENSEARCH_HOSTS
              value: http://opensearch-service:9200
            - name: SERVER_BASEPATH
              value: /dashboard
            - name: SERVER_REWRITEBASEPATH
              value: "true"              
          ports:
            - containerPort: 5601
              name: http

Service file:

---
apiVersion: v1
kind: Service
metadata:
  name: osd-service
spec:
  selector:
    app: osd
  type: ClusterIP
  ports:
    - name: port5601
      protocol: TCP
      port: 5601
      targetPort: 5601

Ingress file:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: osd-ingress
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTP
    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"  
spec:
  ingressClassName: nginx
  rules:
  - http:
      paths:
      - path: /dashboard
        pathType: Prefix
        backend:
          service:
            name: osd-service
            port:
              number: 5601  
