【Question title】: Cannot access K8s dashboard after installation of kubeadm-dind-cluster
【Posted】: 2019-07-10 19:05:41
【Question】:

I am using kubeadm-dind-cluster, a Kubernetes multi-node cluster for developers of Kubernetes and for projects that extend Kubernetes, based on kubeadm and DIND (Docker in Docker).

I have a fresh Centos 7 install on which I have just run ./dind-cluster-v1.13.sh up. I did not set any other values and am using all the defaults for networking.

Everything appears to work:

[root@node01 dind-cluster]# kubectl get nodes
NAME          STATUS   ROLES    AGE   VERSION
kube-master   Ready    master   23h   v1.13.0
kube-node-1   Ready    <none>   23h   v1.13.0
kube-node-2   Ready    <none>   23h   v1.13.0

[root@node01 dind-cluster]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: http://127.0.0.1:32769
  name: dind
contexts:
- context:
    cluster: dind
    user: ""
  name: dind
current-context: dind
kind: Config
preferences: {}
users: []
[root@node01 dind-cluster]# kubectl cluster-info
Kubernetes master is running at http://127.0.0.1:32769
KubeDNS is running at http://127.0.0.1:32769/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
[root@node01 dind-cluster]#

And it looks healthy:

[root@node01 dind-cluster]# curl -w  '\n' http://127.0.0.1:32769/healthz
ok

I know the dashboard service is there:

[root@node01 dind-cluster]# kubectl get services kubernetes-dashboard -n kube-system
NAME                   TYPE       CLUSTER-IP    EXTERNAL-IP   PORT(S)        AGE
kubernetes-dashboard   NodePort   10.102.82.8   <none>        80:31990/TCP   23h

But any attempt to access it is refused:

[root@node01 dind-cluster]# curl http://127.0.0.1:8080/api/v1/namespaces/kube-system/services/kubernetes-dashboard
curl: (7) Failed connect to 127.0.0.1:8080; Connection refused

[root@node01 dind-cluster]# curl http://127.0.0.1:8080/ui
curl: (7) Failed connect to 127.0.0.1:8080; Connection refused

I also see the following in the firewall log:

2019-02-05 19:45:19 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 127.0.0.1 --dport 32769 -j DNAT --to-destination 10.192.0.2:8080 ! -i br-669b654fc9cd' failed: iptables: No chain/target/match by that name.

2019-02-05 19:45:19 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER ! -i br-669b654fc9cd -o br-669b654fc9cd -p tcp -d 10.192.0.2 --dport 8080 -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2019-02-05 19:45:19 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 10.192.0.2 -d 10.192.0.2 --dport 8080 -j MASQUERADE' failed: iptables: No chain/target/match by that name.

Any suggestions on how I can access the dashboard from outside my dev machine? I don't want to use a proxy to do this.

【Question discussion】:

    Tags: docker kubernetes kubeadm docker-in-docker


    【Solution 1】:

    You should be able to access kubernetes-dashboard using the following addresses:

    ClusterIP (works for other pods in the cluster):

    http://10.102.82.8:80/
    

    NodePort (works for all hosts that can reach the cluster nodes by their IP):

    http://clusterNodeIP:31990/
    

    Usually the Kubernetes dashboard uses the https protocol, so you may need to use a different port when requesting the kubernetes-dashboard service.

    You can also access the dashboard using kube-apiserver as a proxy:

    Directly to the dashboard Pod:

    https://<master-ip>:<apiserver-port>/api/v1/namespaces/kube-system/pods/https:kubernetes-dashboard-pod-name:/proxy/#!/login
    

    To the dashboard ClusterIP service:

    https://<master-ip>:<apiserver-port>/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login
    

    I can guess that <master-ip>:<apiserver-port> in your case means 127.0.0.1:32769

    【Discussion】:

    • I eventually want to access it from another host, so let me see if I can route to 10.102.82.8 through the firewall.
    【Solution 2】:

    In this case, you really expect everything to work out of the box. However, it seems the setup is lacking a suitable service account to access and manage the cluster via the dashboard.

    Note that I might be completely misguided here; maybe kubeadm-dind-cluster actually provides such an account. Also note that this project was discontinued some time ago.

    Anyway, this is how I resolved the problem. Hope it helps someone else (still trying)...

    • Define the missing account and role binding: create a yaml file

      # ------------------- Dashboard Secret ------------------- #
      # ...already available
      # ------------------- Dashboard Service Account ------------------- #
      # ...already available
      # ------------------- Dashboard Cluster Admin Account ------------------- #
      #
      # added by Ichthyo 2019-2
      #  - ServiceAccount and ClusterRoleBinding
      #  - allows administrative access into namespace kube-system
      #  - necessary to log-in via Kubernetes-Dashboard
      #
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: dash-admin
        namespace: kube-system
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: dash-admin
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: cluster-admin
      subjects:
      - kind: ServiceAccount
        name: dash-admin
        namespace: kube-system
      
      ---
      # ------------------- Dashboard Role & Role Binding ------------------- #
      
      kind: Role
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        name: kubernetes-dashboard-minimal
        namespace: kube-system
      rules:
        # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
      - apiGroups: [""]
        resources: ["secrets"]
        verbs: ["create"]
        # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
      - apiGroups: [""]
        resources: ["configmaps"]
        verbs: ["create"]
        # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
      - apiGroups: [""]
        resources: ["secrets"]
        resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
        verbs: ["get", "update", "delete"]
        # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
      - apiGroups: [""]
        resources: ["configmaps"]
        resourceNames: ["kubernetes-dashboard-settings"]
        verbs: ["get", "update"]
        # Allow Dashboard to get metrics from heapster.
      - apiGroups: [""]
        resources: ["services"]
        resourceNames: ["heapster"]
        verbs: ["proxy"]
      - apiGroups: [""]
        resources: ["services/proxy"]
        resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
        verbs: ["get"]
      
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: kubernetes-dashboard-minimal
        namespace: kube-system
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: Role
        name: kubernetes-dashboard-minimal
      subjects:
      - kind: ServiceAccount
        name: kubernetes-dashboard
        namespace: kube-system
      
    • Apply it to the already running cluster

      kubectl apply -f k8s-dashboard-RBAC.yaml
      
    • Then find the security token belonging to dash-admin

      kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep dash-admin | awk '{print $1}')|egrep '^token:\s+'|awk '{print $2}'
      
    • Finally, paste the extracted token into the login screen

    【Discussion】:
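Before pasting the token into the login screen it is worth confirming whose token it is and what the binding above grants. The following is an added example, not part of the answer or of the kubeadm-dind-cluster project: it reads the token from the secret's JSON form instead of `describe` output, decodes the (unverified) JWT claims to show the service account the token identifies, and flags the ClusterRoleBinding to cluster-admin that the manifest creates, which makes the pasted token a cluster-wide admin credential. The sample token, secret and binding dict are constructed inside the block.

```python
import base64
import json

# Constructed claims of a legacy service-account token, the kind the answer's
# `describe secret` pipeline prints. A real one is RS256-signed by the apiserver;
# the signature below is a placeholder, so this token is decodable but invalid.
SAMPLE_PAYLOAD = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/service-account.name": "dash-admin",
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token() -> str:
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(SAMPLE_PAYLOAD).encode())}.placeholder-sig"

# Shape of `kubectl -n kube-system get secret <name> -o json`, reduced to the one
# field that matters: data.token holds the token, base64-encoded once more.
SAMPLE_SECRET_JSON = json.dumps(
    {"data": {"token": base64.b64encode(make_sample_token().encode()).decode()}})

def token_from_secret(secret_json: str) -> str:
    """Same result as the answer's egrep/awk pipeline, from structured output."""
    return base64.b64decode(json.loads(secret_json)["data"]["token"]).decode()

def service_account_claims(token: str) -> tuple:
    """(namespace, name) from the JWT payload; the signature is NOT verified here."""
    part = token.split(".")[1]
    payload = json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
    return (payload["kubernetes.io/serviceaccount/namespace"],
            payload["kubernetes.io/serviceaccount/service-account.name"])

# The ClusterRoleBinding from the answer, as a dict (PyYAML is not assumed).
DASH_ADMIN_BINDING = {
    "kind": "ClusterRoleBinding",
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [{"kind": "ServiceAccount", "name": "dash-admin",
                  "namespace": "kube-system"}],
}

def cluster_admin_subjects(docs: list) -> list:
    """namespace/name of every ServiceAccount bound cluster-wide to cluster-admin."""
    return [f"{s['namespace']}/{s['name']}"
            for d in docs if d.get("kind") == "ClusterRoleBinding"
            and d.get("roleRef", {}).get("name") == "cluster-admin"
            for s in d.get("subjects", []) if s.get("kind") == "ServiceAccount"]
```

A non-empty result from `cluster_admin_subjects` on your own manifests is the cue to scope the dashboard account to a narrower ClusterRole or Role instead.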
