Exposing the Kubernetes Dashboard Service over HTTPS through an Ingress

I. Lab environment versions

1. Operating system version

CentOS Linux release 7.6.1810 (Core)

2. Component versions

kubernetes cluster v1.17.0; kubeadm v1.17.0 is recommended for this lab

etcd v3.4.3
kube-apiserver v1.17.0
kube-controller-manager v1.17.0
kube-scheduler v1.17.0
kubectl v1.17.0

docker 18.09.9
kubelet v1.17.0
calico v3.11.1

kubernetes dashboard, deployed as containers

kubernetes dashboard v2.0.0-rc5

II. Configuring HTTP access to the Kubernetes Dashboard

  1. Key parameters that determine whether the Kubernetes Dashboard serves over HTTP

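    ## When serving over HTTP, the Kubernetes Dashboard disables login mode by default

    ## Note: when this parameter is enabled, the Kubernetes Dashboard listens on port 8443 for HTTPS and does not listen on port 9090 for HTTP
    --auto-generate-certificates

    ## Sets the HTTP listen port, default 9090. In testing, this parameter has no effect when --auto-generate-certificates is enabled
    --insecure-port

    ## Sets the HTTP listen address, default 127.0.0.1
    --insecure-bind-address

    ## Sets whether the Kubernetes Dashboard enables login mode when serving over HTTP, default false
    --enable-insecure-login
  2. Key parameter that determines whether the Kubernetes Dashboard starts successfully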

    ## Namespace that holds the certificate-related secret objects; usually the same namespace as the Kubernetes Dashboard pod. Default: kube-system
    --namespace
  3. Modify the Kubernetes YAML deployment file to turn off the HTTPS service and turn on the HTTP service

    # git clone https://github.com/kubernetes/dashboard.git
    # cd dashboard/
    # git checkout -b v2.0.0-rc5.tag v2.0.0-rc5
    # git diff aio/deploy/recommended.yaml
    diff --git a/aio/deploy/recommended.yaml b/aio/deploy/recommended.yaml
    index 742f616..b8c48bd 100644
    --- a/aio/deploy/recommended.yaml
    +++ b/aio/deploy/recommended.yaml
    @@ -38,8 +38,12 @@ metadata:
    namespace: kubernetes-dashboard
    spec:
    ports:
    - - port: 443
    + - name: https
    + port: 443
    targetPort: 8443
    + - name: http
    + port: 80
    + targetPort: 9090
    selector:
    k8s-app: kubernetes-dashboard
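Review bot: The Service keeps the `https` port (443 to targetPort 8443) beside the new `http` port, but the args hunk of this same diff comments out `--auto-generate-certificates`, so the HTTPS listener on 8443 that the flag turns on is gone. Drop the `https` entry, or keep the TLS listener and point the Ingress at it, so the Service does not advertise a port with nothing behind it.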

    @@ -188,13 +192,21 @@ spec:
    containers:
    - name: kubernetes-dashboard
    image: kubernetesui/dashboard:v2.0.0-rc5
    - imagePullPolicy: Always
    + imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 8443
    protocol: TCP
    + name: https
    + - containerPort: 9090
    + protocol: TCP
    + name: http
    args:
    - - --auto-generate-certificates
    + # - --auto-generate-certificates
    - --namespace=kubernetes-dashboard
    + # - --insecure-port=9090
    + # - --port=8443
    + # - --insecure-bind-address=0.0.0.0
    + - --enable-insecure-login
    # Uncomment the following line to manually specify Kubernetes API server Host
    # If not specified, Dashboard will attempt to auto discover the API server and connect
    # to it. Uncomment only if the default does not work.
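Review bot: `--enable-insecure-login` in args turns on token login over the plain-HTTP port, so the bearer token typed into the login page travels unencrypted between the ingress controller and this pod. Prefer keeping `--auto-generate-certificates` and letting the Ingress talk HTTPS to 8443; if HTTP stays, restrict which pods can reach 9090 with a NetworkPolicy. Also, `--insecure-bind-address=0.0.0.0` is left commented out although the parameter notes give its default as 127.0.0.1: either enable it explicitly or say why the Service can still reach 9090, and delete the commented-out flags that are not needed.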
    @@ -207,9 +219,12 @@ spec:
    name: tmp-volume
    livenessProbe:
    httpGet:
    - scheme: HTTPS
    + # scheme: HTTPS
    + # path: /
    + # port: 8443
    + scheme: HTTP
    path: /
    - port: 8443
    + port: 9090
    initialDelaySeconds: 30
    timeoutSeconds: 30
    securityContext:
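Review bot: The livenessProbe edit leaves the old `scheme: HTTPS`, `path: /` and `port: 8443` lines behind as comments directly above the new values. Delete them instead of commenting them out; the diff already records the old probe, and the leftovers make it easy to misread which scheme is active.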
    @@ -272,6 +287,7 @@ spec:
    containers:
    - name: dashboard-metrics-scraper
    image: kubernetesui/metrics-scraper:v1.0.3
    + imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 8000
    protocol: TCP
    ## Apply the changes shown in the git diff above

    # kubectl create -f aio/deploy/recommended.yaml
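
One way to check the edited manifest before running `kubectl create`, as an added example that is not part of the original article or the Dashboard project. It covers only the flags described in this section; the function names and both sample manifests are constructed for illustration.

```shell
# Added example: audit Dashboard container args before applying a manifest.
# Function names and both sample manifests are constructed for illustration.

# args as edited in this article (HTTPS listener off, HTTP login on)
http_manifest() {
cat <<'EOF'
        args:
          # - --auto-generate-certificates
          - --namespace=kubernetes-dashboard
          # - --insecure-bind-address=0.0.0.0
          - --enable-insecure-login
EOF
}

# args as in the unmodified recommended.yaml
default_manifest() {
cat <<'EOF'
        args:
          - --auto-generate-certificates
          - --namespace=kubernetes-dashboard
EOF
}

# Strip YAML comments from stdin, then print each remaining flag on its own line.
active_flags() {
  sed -e 's/#.*$//' | grep -oE -e '--[a-z][a-z-]*(=[^[:space:]]+)?' || true
}

# flag_on FLAG FLAGLIST: true if the boolean FLAG is present bare or as FLAG=true.
flag_on() {
  printf '%s\n' "$2" | grep -qE -e "^$1(=true)?\$"
}

# Print one finding and count it.
report() { echo "$1"; findings=$((findings + 1)); }

# Reads a manifest on stdin; prints one "CODE: reason" line per finding, or OK.
audit_dashboard_args() {
  flags=$(active_flags)
  findings=0
  flag_on --auto-generate-certificates "$flags" ||
    report "NO_TLS_LISTENER: no HTTPS on 8443, the pod serves plain HTTP only"
  flag_on --enable-insecure-login "$flags" &&
    report "INSECURE_LOGIN: login tokens are accepted over plain HTTP"
  printf '%s\n' "$flags" | grep -qxF -e '--insecure-bind-address=0.0.0.0' &&
    report "HTTP_ALL_INTERFACES: HTTP port is bound to every pod interface"
  [ "$findings" -gt 0 ] || echo "OK"
}
```

Against the real file, run `audit_dashboard_args < aio/deploy/recommended.yaml` and review every finding before creating the resources.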

III. Installing the Nginx Ingress Controller

1. Install the Helm 3 package manager

# curl -o helm-v3.1.0-linux-amd64.tar.gz https://get.helm.sh/helm-v3.1.0-linux-amd64.tar.gz
# tar -zxvf helm-v3.1.0-linux-amd64.tar.gz
# cd linux-amd64/
# cp helm /usr/local/bin/

# helm version
version.BuildInfo{Version:"v3.1.0", GitCommit:"b29d20baf09943e134c2fa5e1e1cab3bf93315fa", GitTreeState:"clean", GoVersion:"go1.13.7"}

2. Install the Nginx Ingress Controller with Helm 3

## Pull the images on the kubernetes nodes
# docker pull quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.29.0
# docker pull mirrorgooglecontainers/defaultbackend-amd64:1.5

# git clone https://github.com/helm/charts.git
# cd charts/
# git checkout -b 43edde894f4b141319e46e4311ddfa576a6973f6.tag 43edde894f4b141319e46e4311ddfa576a6973f6
# git diff stable/nginx-ingress/values.yaml
diff --git a/stable/nginx-ingress/values.yaml b/stable/nginx-ingress/values.yaml
index 270a1d3..107d259 100644
--- a/stable/nginx-ingress/values.yaml
+++ b/stable/nginx-ingress/values.yaml
@@ -28,7 +28,7 @@ controller:
# Required for use with CNI based kubernetes installations (such as ones set up by kubeadm),
# since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920
# is merged
- hostNetwork: false
+ hostNetwork: true

# Optionally customize the pod dnsConfig.
dnsConfig: {}
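Review bot: `hostNetwork: true` places the controller pod in the node's network namespace, so it binds 80/443 on the node itself and can reach whatever listens on the node's loopback and host interfaces. State in the values file why this is needed for this cluster and, if it stays, limit which nodes run the controller and firewall 80/443 on those nodes accordingly.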
@@ -119,7 +119,7 @@ controller:

## DaemonSet or Deployment
##
- kind: Deployment
+ kind: DaemonSet

## Annotations to be added to the controller deployment
##
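Review bot: With `kind: DaemonSet` on top of the `hostNetwork: true` change, every schedulable node opens 80/443. If only some nodes should take ingress traffic, set `controller.nodeSelector` to labelled edge nodes in the same values file so the listening surface is explicit.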
@@ -428,7 +428,7 @@ defaultBackend:

name: default-backend
image:
- repository: k8s.gcr.io/defaultbackend-amd64
+ repository: mirrorgooglecontainers/defaultbackend-amd64
tag: "1.5"
pullPolicy: IfNotPresent
# nobody user -> uid 65534
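Review bot: The `repository` switch to `mirrorgooglecontainers/defaultbackend-amd64` swaps the upstream registry for a mirror repository while `pullPolicy: IfNotPresent` trusts whatever is already cached under tag "1.5". Record the reason for the mirror and pin the image by digest after comparing it with the k8s.gcr.io original, so a retagged mirror image cannot slip in unnoticed.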
## Apply the changes shown in the git diff above

# helm install nginx-ingress stable/nginx-ingress --set rbac.create=true --namespace kube-system
# helm list -n kube-system
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
nginx-ingress kube-system 1 2020-02-16 12:20:48.748124293 +0800 CST deployed nginx-ingress-1.30.3 0.28.0

# kubectl get pod --all-namespaces -o wide
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
...
kube-system nginx-ingress-controller-69878bd7c7-wjjmp 1/1 Running 0 20h 192.168.112.129 node01 <none> <none>
kube-system nginx-ingress-default-backend-7cbf68bcd8-6csw4 1/1 Running 0 20h 10.211.140.76 node02 <none> <none>
...

IV. Exposing the Kubernetes Dashboard service through an Ingress over HTTPS

  1. Prepare the HTTPS certificate and submit it to the Kubernetes cluster as a secret

    mkdir ingress/
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=dashboard.kubernetes.singhwang.com"

    ## Method 1: use kubectl to create the certificate directly in the kubernetes-dashboard-secret secret object
    kubectl create secret tls kubernetes-dashboard-secret --key tls.key --cert tls.crt -n kubernetes-dashboard

    ## Method 2: base64-encode the certificate and key, and write them into tls.crt and tls.key under data in the kubernetes-dashboard-secret secret object
    cat <<EOF > ingress/01-secret.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: kubernetes-dashboard-secret
      namespace: kubernetes-dashboard
    type: kubernetes.io/tls
    data:
      tls.crt: $(base64 -w0 tls.crt)
      tls.key: $(base64 -w0 tls.key)
    EOF
  2. Create the ingress resource object in the Kubernetes cluster

    cat <<EOF > ingress/02-ingress.yaml
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      name: kubernetes-dashboard
      namespace: kubernetes-dashboard
      annotations:
        # TLS is terminated at the ingress controller with the secret in spec.tls;
        # the backend is the Dashboard's plain-HTTP service port 80, so the
        # ssl-passthrough and secure-backends annotations are not set.
        kubernetes.io/ingress.class: nginx
    spec:
      tls:
      - hosts:
        - dashboard.kubernetes.singhwang.com
        secretName: kubernetes-dashboard-secret
      rules:
      - host: dashboard.kubernetes.singhwang.com
        http:
          paths:
          - path: /
            backend:
              serviceName: kubernetes-dashboard
              servicePort: 80
    EOF

    kubectl create -f ingress/
  3. Read HOSTS and ADDRESS from the ingress resource object and add a hosts mapping on the client; if conditions allow, a DNS record on the network works as well

    # kubectl get ingress -n kubernetes-dashboard -o wide
    NAME HOSTS ADDRESS PORTS AGE
    kubernetes-dashboard dashboard.kubernetes.singhwang.com 192.168.112.129,192.168.112.130 80, 443 27s

    ## On the client, or in the client's DNS, resolve dashboard.kubernetes.singhwang.com to 192.168.112.129 or 192.168.112.130
  4. Continuing from the previous step, open the Kubernetes Dashboard service at https://dashboard.kubernetes.singhwang.com
    [Screenshot: login_01]

V. Usage

  1. Create an access user and grant it permissions

    mkdir -p access/
    cat <<EOF > access/01-serviceaccount.yaml
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: admin-user
      namespace: kubernetes-dashboard
    EOF

    cat <<EOF > access/02-clusterrolebinding.yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: admin-user
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: admin-user
      namespace: kubernetes-dashboard
    EOF

    kubectl create -f access/
  2. Get the user's token, enter it on the login page, then log in to the Kubernetes Dashboard

    ## Get the token of the user authorized in the previous step; it is used to log in to the Kubernetes Dashboard
    # kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')
    Name: admin-user-token-5k9vs
    Namespace: kubernetes-dashboard
    Labels: <none>
    Annotations: kubernetes.io/service-account.name: admin-user
    kubernetes.io/service-account.uid: 4a2e4bbf-2bb6-4e65-ab49-94913da8d04c

    Type: kubernetes.io/service-account-token

    Data
    ====
    ca.crt: 1025 bytes
    namespace: 20 bytes
    token: <token value omitted>

    ## Enter the token on the login page, then click the corresponding button to log in

[Screenshot: login_02]
[Screenshot: login_03]
