How to access Kubernetes Dashboard from outside network
I am trying to access the kubernetes Dashboard using the Token method outside the network.
I ran these 2 commands to get the token:
kubectl -n kube-system get secret
kubectl -n kube-system describe secret replicaset-controller-token-2p4fk
Copy paste output token into K8 Login page.
I'm getting this error in the browser console when I click on the Sign in button (page is not loading).
I'm running k8 on the internal server using the command:
kubectl proxy --address 0.0.0.0 --accept-hosts '.*'
And trying to access the k8 UI console from outside network.
Failed to load resource: the server responded with a status of 401 (Unauthorized)
vendor.bd425c26.js:6 Error during global settings reload: Object
:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/api/v1/rbac/status:1 Failed to load resource: the server responded with a status of 401 (Unauthorized)
vendor.bd425c26.js:6 Possibly unhandled rejection: {"data":"MSG_LOGIN_UNAUTHORIZED_ERROR\n","status":401,"config":{"method":"GET","transformRequest":[null],"transformResponse":[null],"jsonpCallbackParam":"callback","url":"api/v1/rbac/status","headers":{"Accept":"application/json, text/plain, */*"}},"statusText":"Unauthorized","xhrStatus":"complete","resource":{}}
I even tried these steps but no luck; the page is not loading on clicking the Sign in button.
$ kubectl -n kube-system get secret
# All secrets with type 'kubernetes.io/service-account-token' will allow to log in.
# Note that they have different privileges.
NAME TYPE DATA AGE
deployment-controller-token-frsqj kubernetes.io/service-account-token 3 22h
$ kubectl -n kube-system describe secret deployment-controller-token-frsqj
Name: deployment-controller-token-frsqj
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name=deployment-controller
kubernetes.io/service-account.uid=64735958-ae9f-11e7-90d5-02420ac00002
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkZXBsb3ltZW50LWN
Here is my Kube/config file:
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRV..
    server: https://192.168.15.97:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: LS0tLS1CRUdJTiBD..
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJ..
And why is it that I'm not seeing the Skip auth button next to the Sign button?
I tried these steps as well:
Run the following commands:
This command will create a service account for the dashboard in the default namespace
$kubectl create serviceaccount dashboard -n default
This command will add the cluster binding rules to your dashboard account
kubectl create clusterrolebinding dashboard-admin -n default \
  --clusterrole=cluster-admin \
  --serviceaccount=default:dashboard
This command will give you the token required for your dashboard login
$kubectl get secret $(kubectl get serviceaccount dashboard -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode
Can someone help me here? What am I missing?
Some Findings (Link): kubectl proxy command only allows HTTP connection. For domains other than localhost and 127.0.0.1 it will not be possible to sign in. Nothing will happen after clicking Sign in button on login page.
kubectl proxy doesn't support https calls.
Is there a way to run kubectl proxy command along with Kubernetes Server IP Address from an outside/Local windows network?
Note: The local system is Windows 10 and K8 is a Linux server. Docker Version: 18.09 & k8 Version: v1.13.1
Thanks,
I have this issue when I try to get access to the dashboard via kubectl proxy using plain http and public ip.
Error details: kubectl proxy produces errors http: proxy error: context canceled in console, in browser after you click "sign in" one of the requests which ends with /plugin/config returns json with MSG_LOGIN_UNAUTHORIZED_ERROR but the browser doesn't display any error.
The solution (source):
kubectl port-forward -n kubernetes-dashboard service/kubernetes-dashboard 8443:443 --address 0.0.0.0
Of course you can use your interface ip instead of 0.0.0.0 if you want to bind it to one interface only. Then go to https://your.external.ip:8443/, it'll redirect you to https://your.external.ip:8443/#/login and you'll be asked for the token. Next, as described here:
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret \
| awk '/^deployment-controller-token-/{print $1}') | awk '$1=="token:"{print $2}'
https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above
I have a note:
The Dashboard should not be exposed publicly using kubectl proxy command as it only allows HTTP connection. For domains other than localhost and 127.0.0.1 it will not be possible to sign in. Nothing will happen after clicking Sign in button on login page.
In case you have ssh access to the Kubernetes, you can execute on the machine running the cluster:
kubectl proxy --address 0.0.0.0 --accept-hosts '.*'
And then create a local port forwarding:
ssh -L:8001:XXX.XXX.XXX.XXX:8001 username@XXX.XXX.XXX.XXX
where username is the username you use to connect to the machine and XXX.XXX.XXX.XXX is the IP address of the master node. Then you would be able to pass the token and access the dashboard.
Of course, this is a very dirty trick and I would hardly advise against using it in a production environment.
With this you are able to see the dashboard from the net:
microk8s kubectl port-forward -n kube-system service/kubernetes-dashboard 443:443 --address 0.0.0.0
You can then access the Dashboard at https://<server-host/ip>
I suppose that you are using the wrong secret for the Bearer Token. Generally, you have to create a ServiceAccount and then assign it an appropriate service role via ClusterRoleBinding to entitle it to log in to the Dashboard using a Bearer Token. Find more information about Kubernetes Dashboard Bearer Token authorization here.
To enter the dashboard in a vcluster with virtual machines you need a network handler for external IP containers. I have a post about this: https://piensoluegoinstalo.com/kubernetes-cluster-dashboard-on-premise/
The answer is to use metallb.
vi metallb.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    address-pools:
    - name: default
      protocol: layer2
      addresses:
      - 192.168.1.240-192.168.1.250
kubectl create -f metallb.yaml
Create a certificate for your external IP of the dashboard container and add this resolver in the hosts file to resolve the IP; I used "dashboard" for the domain name.
mkdir $HOME/certs
cd $HOME/certs
openssl genrsa -out dashboard.key 2048
openssl rsa -in dashboard.key -out dashboard.key
openssl req -sha256 -new -key dashboard.key -out dashboard.csr -subj '/CN=dashboard'
openssl x509 -req -sha256 -days 365 -in dashboard.csr -signkey dashboard.key -out dashboard.crt
kubectl -n kube-system create secret generic kubernetes-dashboard-certs --from-file=$HOME/certs
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/aio/deploy/recommended/kubernetes-dashboard.yaml
kubectl -n kube-system edit service kubernetes-dashboard
CHANGE TYPE TO LOAD BALANCER
apiVersion: v1
kind: Service
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"k8s-app":"kubernetes-dashboard"},"name":"kubernetes-dashboard","namespace":"kube-system"},"spec":{"ports":[{"port":443,"targetPort":8443}],"selector":{"k8s-app":"kubernetes-dashboard"}}}
  creationTimestamp: "2019-04-24T22:21:15Z"
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
  resourceVersion: "1753"
  selfLink: /api/v1/namespaces/kube-system/services/kubernetes-dashboard
  uid: 4612785f-66df-11e9-8180-000c29e7b067
spec:
  clusterIP: 10.110.50.44
  externalTrafficPolicy: Cluster
  ports:
  - nodePort: 31394
    port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  sessionAffinity: None
  type: LoadBalancer
status:
  {}
kubectl -n kube-system get service kubernetes-dashboard
nano admin-user.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
kubectl create -f admin-user.yaml
nano cluster-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
kubectl create -f cluster-role.yaml
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')
Looks like the token is Base64 encoded. Did you try to decode it before pasting it into the token field? See: https://kubernetes.io/docs/concepts/configuration/secret/#decoding-a-secret
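An added example, not part of any answer above, covering the two token questions the answers raise: whether the value being pasted is still Base64-wrapped, and which service account it actually authenticates as. The function names are illustrative and the sample token is constructed and unsigned, shaped like a legacy service-account token.

```shell
#!/bin/sh
# Added example: inspect a service-account token before pasting it into the
# Dashboard login form. All sample values below are constructed.

# Decode one base64url JWT segment (URL-safe alphabet, padding stripped).
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="$seg==" ;;
        3) seg="$seg=" ;;
    esac
    printf '%s' "$seg" | base64 -d 2>/dev/null
}

# True when the argument looks like a raw JWT: header.payload.signature.
is_jwt() {
    printf '%s' "$1" | grep -Eq '^eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

# Report which form was supplied:
#   jwt            - ready to paste (what `kubectl describe secret` prints)
#   base64-wrapped - the .data.token field from `kubectl get secret -o jsonpath`,
#                    which still needs `base64 --decode`
token_form() {
    if is_jwt "$1"; then echo jwt; return 0; fi
    inner=$(printf '%s' "$1" | base64 -d 2>/dev/null) || inner=
    if is_jwt "$inner"; then echo base64-wrapped; else echo unknown; fi
}

# Print the "sub" claim, i.e. the service account the token authenticates as.
token_subject() {
    jwt=$1
    if [ "$(token_form "$1")" = base64-wrapped ]; then
        jwt=$(printf '%s' "$1" | base64 -d)
    fi
    is_jwt "$jwt" || return 1
    b64url_decode "$(printf '%s' "$jwt" | cut -d. -f2)" |
        sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# Constructed sample: unsigned look-alike of a legacy service-account token.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
SAMPLE_JWT="$(b64url_encode '{"alg":"RS256","typ":"JWT"}').$(b64url_encode \
'{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:default:dashboard"}').c2ln"
SAMPLE_WRAPPED=$(printf '%s' "$SAMPLE_JWT" | base64 | tr -d '\n')

token_form "$SAMPLE_WRAPPED"      # form of the still-encoded value
token_subject "$SAMPLE_JWT"       # account the token belongs to
```

The subject shows whether the token belongs to the account that was bound with a ClusterRoleBinding or to a controller account from kube-system; the check reads claims only and does not verify the signature.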