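Installing the dashboard
Follow https://docs.k3s.io/installation/kube-dashboard. If fetching the k8s dashboard YAML fails, that version may not exist yet; check which version of the dashboard YAML the official Kubernetes site uses.
```bash
k3s kubectl -n kubernetes-dashboard create token admin-user
```
The generated token is needed when logging in.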
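Preparing the certificates
- Once the deployment is finished, generate the certificates. A wildcard certificate is generated here for convenience.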
```bash
# Self-signed root CA (key + certificate)
openssl req -newkey rsa:2048 -nodes -keyout root.key -x509 -days 365 -out root.crt -subj "/CN=Root CA"
# Key and CSR for home.site, requesting SANs for the apex and the wildcard
openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr -subj "/CN=home.site" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:home.site,DNS:*.home.site"))
# Sign the CSR with the root CA, writing the same SANs into the certificate
openssl x509 -req -in domain.csr -CA root.crt -CAkey root.key -CAcreateserial -out domain.crt -days 365 -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:home.site,DNS:*.home.site"))
```
- Add the public and private keys to a k8s secret
```bash
k3s kubectl create secret tls dashboard-ingress-certs --key domain.key --cert domain.crt -n kubernetes-dashboard
```
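A pre-flight check for the pair before it is stored in the Secret, added here as an example and not part of the original post. It confirms that domain.crt chains to root.crt, that domain.key belongs to it, and that a SAN covers the host used in the route. It assumes the openssl CLI is installed; the function names and the throwaway demo chain are this example's own.

```sh
#!/bin/sh
# Added example, not from the original post. File roles follow the post:
# root.crt is the CA, domain.crt/domain.key the pair stored in the Secret.
# Function names are this example's own.

# chain_ok CA CERT: CERT verifies with CA as the only trust anchor.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# key_matches CERT KEY: KEY is the private key belonging to CERT.
key_matches() (
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
)

# host_covered CERT HOST: a SAN in CERT matches HOST. The printed verdict is
# parsed rather than relying on the exit status of -checkhost.
host_covered() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q "does match certificate"
}

# preflight CA CERT KEY HOST: run all three checks, report the first failure.
preflight() {
  chain_ok "$1" "$2"     || { echo "FAIL: $2 does not chain to $1"; return 1; }
  key_matches "$2" "$3"  || { echo "FAIL: $3 is not the key for $2"; return 1; }
  host_covered "$2" "$4" || { echo "FAIL: no SAN in $2 covers $4"; return 1; }
  echo "OK: $2 and $3 can serve $4"
}

# make_chain DIR: constructed throwaway chain (1-day validity) for the demo.
make_chain() (
  cd "$1" || exit 1
  printf 'subjectAltName=DNS:home.site,DNS:*.home.site\n' > san.ext
  openssl req -newkey rsa:2048 -nodes -keyout root.key -x509 -days 1 \
    -out root.crt -subj "/CN=Root CA" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr \
    -subj "/CN=home.site" 2>/dev/null &&
  openssl x509 -req -in domain.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -out domain.crt -days 1 -extfile san.ext 2>/dev/null
)

if [ "$#" -eq 4 ]; then
  preflight "$@"      # e.g. root.crt domain.crt domain.key dashboard.home.site
else
  demo=$(mktemp -d) && make_chain "$demo" && preflight "$demo/root.crt" \
    "$demo/domain.crt" "$demo/domain.key" dashboard.home.site
  rm -rf "$demo"
fi
```

The wildcard entry matches a single label, so the check passes for dashboard.home.site but fails for a name such as a.b.home.site.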
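Exposing the k8s dashboard service with Traefik
Ingress objects are native Kubernetes objects, while IngressRoutes are a resource type defined by Traefik itself, and some features are simpler to use with them. So here I use IngressRoutes directly:
```bash
k3s kubectl apply -f ingressroute.yaml
```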
```yaml
# Transport settings Traefik uses when connecting to the dashboard backend
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: traefik-servers-transport
  namespace: kubernetes-dashboard
spec:
  serverName: "test"
  # Traefik does not verify the certificate presented by the backend
  insecureSkipVerify: true
---
# Route dashboard.home.site on the websecure entry point to the dashboard service
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: kubernetes-dashboard-route
  namespace: kubernetes-dashboard
spec:
  entryPoints:
    - websecure
  tls:
    # TLS secret created from domain.key / domain.crt
    secretName: dashboard-ingress-certs
  routes:
    - match: Host(`dashboard.home.site`)
      kind: Rule
      services:
        - name: kubernetes-dashboard
          namespace: kubernetes-dashboard
          port: 443
          serversTransport: traefik-servers-transport
```
Once name resolution is configured on the DNS server or in the hosts file, the dashboard is reachable.