The backend of the Kubernetes Dashboard must be accessed over HTTPS and it uses a self-signed SSL certificate. When it is exposed through an Ingress, certificate verification fails, so the Ingress has to be configured to skip SSL verification of the backend.

Ingress Nginx

Ingress Nginx is the Ingress controller developed by the official k8s community and is based on Nginx. If you are familiar with Nginx, it is fairly simple to configure.

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/server-snippet: |
      proxy_ssl_verify off;
spec:
  tls:
  - hosts:
    - dashboard.domain.com
    secretName: tls-domain-com
  rules:
  - host: dashboard.domain.com
    http:
      paths:
      - backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
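The manifest above turns backend verification off. As an added example that is not part of the original post, the same ingress-nginx Ingress can instead keep verification on by trusting the CA that issued the Dashboard's certificate through the `proxy-ssl-secret` and `proxy-ssl-verify` annotations. It assumes the Dashboard is started with a certificate issued by a CA you control (its default self-signed certificate is regenerated on each start and cannot be pinned this way), the Secret name `dashboard-backend-ca`, the `networking.k8s.io/v1` Ingress API, and the same host and TLS secret names as the post.

```yaml
# Added example, not from the original post. Trusted-CA verification of the
# Dashboard backend with ingress-nginx instead of `proxy_ssl_verify off`.
apiVersion: v1
kind: Secret
metadata:
  name: dashboard-backend-ca            # assumed name, referenced below
  namespace: kubernetes-dashboard
type: Opaque
stringData:
  # ca.crt is the key ingress-nginx reads for the trusted CA bundle (PEM).
  # Placeholder: paste the PEM of the CA that signed the Dashboard's cert.
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    <PLACEHOLDER_CA_PEM>
    -----END CERTIFICATE-----
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # Secret is given as namespace/name; ingress-nginx uses its ca.crt
    # to verify the upstream certificate when proxy-ssl-verify is "on".
    nginx.ingress.kubernetes.io/proxy-ssl-secret: "kubernetes-dashboard/dashboard-backend-ca"
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
    # Name checked against the backend certificate's SAN (assumed: the
    # Dashboard cert was issued for its in-cluster service DNS name).
    nginx.ingress.kubernetes.io/proxy-ssl-name: "kubernetes-dashboard.kubernetes-dashboard.svc"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - dashboard.domain.com
    secretName: tls-domain-com
  rules:
  - host: dashboard.domain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: kubernetes-dashboard
            port:
              number: 443
```

With this in place a backend presenting a certificate not signed by that CA is rejected by the proxy (HTTP 502) rather than silently accepted.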

Traefik

After switching to k3s, the default Ingress controller is Traefik. Traefik looks lighter and more capable than Nginx. It is fairly smart: it works out from the port, service name and similar information whether the backend speaks HTTPS, so the backend protocol does not need to be specified separately. However, verification of self-signed SSL certificates can only be configured globally in Traefik, not per Ingress.

apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: traefik
  namespace: kube-system
spec:
  chart: https://%{KUBERNETES_API}%/static/charts/traefik-1.81.0.tgz
  set:
    rbac.enabled: "true"
    ssl.enabled: "true"
    ssl.insecureSkipVerify: "true"
    metrics.prometheus.enabled: "false"
    kubernetes.ingressEndpoint.useDefaultPublishedService: "true"

---

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  annotations:
    traefik.ingress.kubernetes.io/redirect-entry-point: https
spec:
  tls:
  - hosts:
    - dashboard.fat4.cn
    secretName: tls-fat4-cn
  rules:
  - host: dashboard.fat4.cn
    http:
      paths:
      - backend:
          serviceName: kubernetes-dashboard
          servicePort: 443

Please note that by enabling TLS communication between traefik and your pods, you will have to have trusted certificates that have the proper trust chain and IP subject name. If this is not an option, you may need to skip TLS certificate verification. See the insecureSkipVerify setting for more details.

One could say that all the answers are hidden in the official documentation; it is just that on first contact one rarely reads the documentation through to the end.

References