安装kubeadm-dind-cluster后无法访问K8s仪表板

Question

我正在为Kubernetes的开发人员和扩展Kubernetes的项目使用kubeadm-dind-cluster Kubernetes多节点集群。基于kubeadm和DIND（Docker中的Docker）。

我有一个全新的Centos 7安装程序，我刚刚在其上运行./dind-cluster-v1.13.sh up。我没有设置其他任何值，而是使用所有默认值进行联网。

一切都很好：

[root@node01 dind-cluster]# kubectl get nodes
NAME          STATUS   ROLES    AGE   VERSION
kube-master   Ready    master   23h   v1.13.0
kube-node-1   Ready    <none>   23h   v1.13.0
kube-node-2   Ready    <none>   23h   v1.13.0

[root@node01 dind-cluster]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: http://127.0.0.1:32769
  name: dind
contexts:
- context:
    cluster: dind
    user: ""
  name: dind
current-context: dind
kind: Config
preferences: {}
users: []
[root@node01 dind-cluster]# kubectl cluster-info
Kubernetes master is running at http://127.0.0.1:32769
KubeDNS is running at http://127.0.0.1:32769/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
[root@node01 dind-cluster]#

它看起来很健康：

[root@node01 dind-cluster]# curl -w  '\n' http://127.0.0.1:32769/healthz
ok

我知道仪表板服务在那里

[root@node01 dind-cluster]# kubectl get services kubernetes-dashboard -n kube-system
NAME                   TYPE       CLUSTER-IP    EXTERNAL-IP   PORT(S)        AGE
kubernetes-dashboard   NodePort   10.102.82.8   <none>        80:31990/TCP   23h

但是任何尝试访问它的请求都会被拒绝：

[root@node01 dind-cluster]# curl http://127.0.0.1:8080/api/v1/namespaces/kube-system/services/kubernetes-dashboard
curl: (7) Failed connect to 127.0.0.1:8080; Connection refused

[root@node01 dind-cluster]# curl http://127.0.0.1:8080/ui
curl: (7) Failed connect to 127.0.0.1:8080; Connection refused

我还在防火墙日志中看到以下内容：

2019-02-05 19:45:19 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 127.0.0.1 --dport 32769 -j DNAT --to-destination 10.192.0.2:8080 ! -i br-669b654fc9cd' failed: iptables: No chain/target/match by that name.

2019-02-05 19:45:19 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER ! -i br-669b654fc9cd -o br-669b654fc9cd -p tcp -d 10.192.0.2 --dport 8080 -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2019-02-05 19:45:19 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 10.192.0.2 -d 10.192.0.2 --dport 8080 -j MASQUERADE' failed: iptables: No chain/target/match by that name.

关于我实际上如何从开发计算机外部访问仪表板的任何建议？我不想使用代理来执行此操作。

Answer 1

您应该可以使用以下地址访问kubernetes-dashboard：

ClusterIP（适用于群集中的其他Pod）：

http://10.102.82.8:80/

NodePort（适用于每个可以使用其IP访问群集节点的主机）

http://clusterNodeIP:31990/

通常，Kubernetes仪表板使用https协议，因此您可能需要使用不同的端口来请求kubernetes-dashboard服务。

您还可以使用kube-apiserver作为代理访问仪表板：

直接到仪表板Pod：

https://<master-ip>:<apiserver-port>/api/v1/namespaces/kube-system/pods/https:kubernetes-dashboard-pod-name:/proxy/#!/login

到仪表板ClusterIP服务：

https://<master-ip>:<apiserver-port>/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login

我猜想<master-ip>:<apiserver-port>在您的情况下将意味着127.0.0.1:32769。

Answer 2

在这种情况下，您确实希望所有功能都可以立即使用。但是，似乎该设置缺少通过仪表板访问和管理集群的合适的服务帐户。

请注意，我在这里可能完全被误导，也许kubeadm-dind-cluster实际上提供了这样一个帐户。另请注意，该项目已在一段时间前终止。

无论如何，这是我解决该问题的方法。希望对其他人（仍然）尝试一下有帮助。

• 定义缺少的帐户和角色绑定：创建Yaml文件

  # ------------------- Dashboard Secret ------------------- #
  # ...already available
  # ------------------- Dashboard Service Account ------------------- #
  # ...already available
  # ------------------- Dashboard Cluster Admin Account ------------------- #
  #
  # added by Ichthyo 2019-2
  #  - ServiceAccount and ClusterRoleBinding
  #  - allows administrative Access intoto Namespace kube-system
  #  - necessary to log-in via Kubernetes-Dashboard
  #
  apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: dash-admin
    namespace: kube-system
  ---
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: dash-admin
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: cluster-admin
  subjects:
  - kind: ServiceAccount
    name: dash-admin
    namespace: kube-system
  
  ---
  # ------------------- Dashboard Role & Role Binding ------------------- #
  
  kind: Role
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: kubernetes-dashboard-minimal
    namespace: kube-system
  rules:
    # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
    # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create"]
    # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
    verbs: ["get", "update", "delete"]
    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
    # Allow Dashboard to get metrics from heapster.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
    verbs: ["get"]
  
  ---
  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: kubernetes-dashboard-minimal
    namespace: kube-system
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: kubernetes-dashboard-minimal
  subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system
  

• 将其应用于已经运行的集群

  kubectl apply -f k8s-dashboard-RBAC.yaml
  

• 然后找出与dash-admin对应的安全令牌

  kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep dash-admin | awk '{print $1}')|egrep '^token:\s+'|awk '{print $2}
  

• 将提取的令牌最终粘贴到登录屏幕