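After installing Kubernetes with kubeadm, I deployed the dashboard, but it could not be accessed through master_ip on port 6443. The error was as follows:
Solutions:
Option 1: Modify the kubernetes-dashboard deployment file and access the dashboard through a NodePort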
wget https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/kubernetes-dashboard.yaml
Change the Service to type NodePort:
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort
  ports:
  - port: 80
    targetPort: 9090
    nodePort: 30001
  selector:
    k8s-app: kubernetes-dashboard
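This option was verified and works.
Option 2: Modify the apiserver YAML file: add username/password authentication, disable anonymous requests to the secure port, add HTTP access to the apiserver, and change the probe to use HTTP
Open the file /etc/kubernetes/manifests/kube-apiserver.yaml: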
  - command:
    - kube-apiserver
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    - --secure-port=6443
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --insecure-bind-address=127.0.0.1
    - --insecure-port=8080
    - --allow-privileged=true
    - --requestheader-allowed-names=front-proxy-client
    - --admission-control=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota
    - --requestheader-username-headers=X-Remote-User
    - --service-cluster-ip-range=10.96.0.0/12
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --experimental-bootstrap-token-auth=true
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --authorization-mode=Node,RBAC
    - --advertise-address=162.3.160.61
    - --etcd-servers=http://127.0.0.1:2379
    - --basic-auth-file=/etc/kubernetes/basic_auth.csv
    - --anonymous-auth=false
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.7.6
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 8080
        scheme: HTTP
      initialDelaySeconds: 15
      timeoutSeconds: 15
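The parts marked in red are the changes; they add username and password authentication. The format of basic_auth.csv is as follows:
123456,admin,qinghua # password, username, user ID
With this option the API list can now be listed.
However, the redirect to the Kubernetes dashboard still does not work and the page is completely blank; the specific cause is still being investigated.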
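A check for the apiserver flags that Option 2 changes, added here as an example and not part of the original post: it parses the command list of a kube-apiserver manifest and reports the settings that weaken access control. The names parse_flags, audit_apiserver and PAGE_MANIFEST are hypothetical, and a missing --insecure-port is assumed to mean the port is disabled.

```python
import ipaddress
import re

# Abridged copy of the flags from the manifest on this page, used as sample input.
PAGE_MANIFEST = """\
  - command:
    - kube-apiserver
    - --secure-port=6443
    - --insecure-bind-address=127.0.0.1
    - --insecure-port=8080
    - --authorization-mode=Node,RBAC
    - --etcd-servers=http://127.0.0.1:2379
    - --basic-auth-file=/etc/kubernetes/basic_auth.csv
    - --anonymous-auth=false
"""

def parse_flags(manifest_text):
    """Collect '- --name=value' command entries into a dict (bare flags map to 'true')."""
    flags = {}
    for line in manifest_text.splitlines():
        m = re.match(r"\s*-\s+--([A-Za-z0-9-]+)(?:=(.*))?$", line)
        if m:
            flags[m.group(1)] = (m.group(2) or "true").strip()
    return flags

def audit_apiserver(manifest_text):
    """Return (flag, reason) findings for settings that weaken API access control."""
    f = parse_flags(manifest_text)
    findings = []
    port = f.get("insecure-port")  # assumption: an absent flag means the port is off
    if port is not None and port != "0":
        findings.append(("insecure-port", "plain HTTP port that skips authentication and authorization"))
        bind = f.get("insecure-bind-address", "127.0.0.1")
        if not ipaddress.ip_address(bind).is_loopback:
            findings.append(("insecure-bind-address", "insecure port reachable from other hosts"))
    if "basic-auth-file" in f:
        findings.append(("basic-auth-file", "static passwords stored in clear text on disk"))
    if f.get("anonymous-auth", "true") != "false":
        findings.append(("anonymous-auth", "anonymous requests accepted on the secure port"))
    if "AlwaysAllow" in f.get("authorization-mode", "AlwaysAllow").split(","):
        findings.append(("authorization-mode", "every authenticated request is authorized"))
    if any(u.startswith("http://") for u in f.get("etcd-servers", "").split(",")):
        findings.append(("etcd-servers", "etcd traffic is not protected by TLS"))
    return findings

if __name__ == "__main__":
    for flag, reason in audit_apiserver(PAGE_MANIFEST):
        print(f"--{flag}: {reason}")
```

Run against the manifest above, it reports the insecure port, the basic-auth file and the plain-HTTP etcd endpoint; --anonymous-auth=false and --authorization-mode=Node,RBAC pass.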