![](/img/trans.png)
[英]Unable to access the Kubernetes Dashboard on Google Cloud Platform
[英]Unable to access Kubernetes dashboard from outside the cluster
我已经设置了包含一个主节点和三个节点的 Kubernetes 集群。 我使用以下设置:
1. kubeadm (1.7.1)
2. kubectl (1.7.1)
3.kubelet (1.7.1)
4.编织(weave-kube-1.6)
5. docker (17.06.0~ce-0~debian)
所有四个实例都已在 Google Cloud 中设置,操作系统为 Debian GNU/Linux 9 (stretch)
$ kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system etcd-master 1/1 Running 0 19m
kube-system kube-apiserver-master 1/1 Running 0 19m
kube-system kube-controller-manager-master 1/1 Running 0 19m
kube-system kube-dns-2425271678-cq9wh 3/3 Running 0 24m
kube-system kube-proxy-q399p 1/1 Running 0 24m
kube-system kube-scheduler-master 1/1 Running 0 19m
kube-system weave-net-m4bgj 2/2 Running 0 4m
$ kubectl get nodes
NAME STATUS AGE VERSION
master Ready 1h v1.7.1
node1 Ready 6m v1.7.1
node2 Ready 5m v1.7.1
node3 Ready 7m v1.7.1
apiserver进程使用以下参数运行:
root 1148 1101 1 04:38 ? 00:03:38 kube-apiserver
--experimental-bootstrap-token-auth=true --allow-privileged=true
--secure-port=6443
--insecure-port=0 --service-cluster-ip-range=10.96.0.0/12
--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
--requestheader-username-headers=X-Remote-User
--authorization-mode=Node,RBAC --advertise-address=10.128.0.2
--etcd-servers=http://127.0.0.1:2379
我运行了以下命令来访问仪表板:
$ kubectl create -f https://rawgit.com/kubernetes/dashboard/master/src/deploy/kubernetes-dashboard.yaml
serviceaccount "kubernetes-dashboard" created
clusterrolebinding "kubernetes-dashboard" created
deployment "kubernetes-dashboard" created
但是由于仪表板无法访问,我也尝试了以下命令,尽管它看起来不太相关。 在某处看到过。
kubectl create clusterrolebinding add-on-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default
最后,我发现了一个看起来与我的问题相关的链接。 我试过了,但出现以下错误:
d:\Work>kubectl --kubeconfig=d:\Work\admin.conf proxy -p 80
Starting to serve on 127.0.0.1:80I0719 13:37:13.971200 5680 logs.go:41] http: proxy error: context canceled
I0719 13:37:15.893200 5680 logs.go:41] http: proxy error: dial tcp 124.179.54.120:6443: connectex: No connection could be made
because the target machine actively refused it.
如果我做telnet
从我的笔记本电脑上的端口22,主IP(124.179.54.120),它的工作原理,但它不工作的端口6443.端口6443是主开,因为我能够nc
从给定的主端口上我的节点机器如下图:
tom@node1:~$ nc -zv 10.128.0.2 6443
master.c.kubernetes-174104.internal [10.128.0.2] 6443 (?) open
在我的笔记本电脑上,防火墙已经被禁用,我也在主服务器上禁用了防火墙。
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
KUBE-SERVICES all -- anywhere anywhere /* kubernetes service portals */
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
KUBE-SERVICES all -- anywhere anywhere /* kubernetes service portals */
Chain KUBE-SERVICES (2 references)
target prot opt source destination
在 Google Cloud 控制台中,我将 TCP 和 UDP 端口 6443 添加到 Google Cloud 防火墙规则中的入口请求,但我仍然无法使用http://localhost/ui
访问仪表板
防火墙配置详情:
更新: d:\\Work\\admin.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: <CA_cert>
server: https://124.179.54.120:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: <client-cert>
client-key-data: <client-key>
UPDATE1:从三个节点之一,我运行了以下命令:
tom@node1:~$ curl -v http://127.0.0.1:8001
* Rebuilt URL to: http://127.0.0.1:8001/
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8001 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:8001
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 502 Bad Gateway
< Date: Thu, 20 Jul 2017 06:57:48 GMT
< Content-Length: 0
< Content-Type: text/plain; charset=utf-8
<
* Curl_http_done: called premature == 0
* Connection #0 to host 127.0.0.1 left intact
默认情况下,kubectl 代理仅接受来自localhost
以及 ipv4 和 ipv6 环回地址的传入连接。
尝试在运行代理时设置--accept-hosts='.*'
,以便它开始接受来自任何地址的连接。
您可能还需要将--address
标志设置为公共 IP,因为默认值为127.0.0.1
。
kubectl 代理文档中的更多详细信息。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.