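The Kubernetes Dashboard backend must be accessed over HTTPS, and it uses a self-signed SSL certificate. When it is exposed through an Ingress, certificate verification fails, so the Ingress has to be configured to skip SSL verification.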
Ingress Nginx
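Ingress Nginx is the Ingress controller developed by the official Kubernetes community and is based on Nginx. If you are familiar with Nginx, it is fairly simple to configure.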
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/ingress.class: nginx
    # The Dashboard pod only speaks HTTPS
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    # Do not verify the Dashboard's self-signed backend certificate
    nginx.ingress.kubernetes.io/server-snippet: |
      proxy_ssl_verify off;
spec:
  tls:
  - hosts:
    - dashboard.domain.com
    secretName: tls-domain-com
  rules:
  - host: dashboard.domain.com
    http:
      paths:
      - backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
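
For comparison, an added example (not part of the original post) of the opposite approach on Ingress Nginx: backend verification stays on and the controller is given the certificate to trust. The Secret name `dashboard-backend-ca` is hypothetical, and the example assumes the Dashboard serves a certificate whose subject alternative name is its service DNS name.

```yaml
# Added example: verify the Dashboard's certificate instead of skipping the check.
# The Secret holds the CA (or the self-signed certificate itself) that signed the
# Dashboard's serving certificate; the controller reads it from the ca.crt key.
# The name "dashboard-backend-ca" is hypothetical.
apiVersion: v1
kind: Secret
metadata:
  name: dashboard-backend-ca
  namespace: kubernetes-dashboard
type: Opaque
stringData:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    <PEM of the certificate that signed the Dashboard's serving certificate>
    -----END CERTIFICATE-----
---
apiVersion: networking.k8s.io/v1beta1   # same API version as the manifest above
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    # Trust anchor for the upstream connection, given as "namespace/secretName"
    nginx.ingress.kubernetes.io/proxy-ssl-secret: kubernetes-dashboard/dashboard-backend-ca
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
    # Name checked against the backend certificate (assumption: the Dashboard's
    # certificate lists this service DNS name as a subject alternative name)
    nginx.ingress.kubernetes.io/proxy-ssl-name: kubernetes-dashboard.kubernetes-dashboard.svc
spec:
  tls:
  - hosts:
    - dashboard.domain.com
    secretName: tls-domain-com
  rules:
  - host: dashboard.domain.com
    http:
      paths:
      - backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
```
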
Traefik
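After switching to k3s, the default Ingress controller is Traefik. Traefik appears lighter and more powerful than Nginx. It is fairly smart: it automatically determines whether a backend speaks HTTPS from information such as the port and the service name, so the backend protocol does not need to be specified separately. However, verification of self-signed SSL certificates can only be configured globally in Traefik, so the setting below applies to every HTTPS backend Traefik proxies, not only the Dashboard.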
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: traefik
  namespace: kube-system
spec:
  chart: https://%{KUBERNETES_API}%/static/charts/traefik-1.81.0.tgz
  set:
    rbac.enabled: "true"
    ssl.enabled: "true"
    # Global: Traefik skips certificate verification for all HTTPS backends
    ssl.insecureSkipVerify: "true"
    metrics.prometheus.enabled: "false"
    kubernetes.ingressEndpoint.useDefaultPublishedService: "true"
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  annotations:
    # Redirect plain HTTP requests to the https entry point
    traefik.ingress.kubernetes.io/redirect-entry-point: https
spec:
  tls:
  - hosts:
    - dashboard.fat4.cn
    secretName: tls-fat4-cn
  rules:
  - host: dashboard.fat4.cn
    http:
      paths:
      - backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
Please note that by enabling TLS communication between traefik and your pods, you will have to have trusted certificates that have the proper trust chain and IP subject name. If this is not an option, you may need to skip TLS certificate verification. See the insecureSkipVerify setting for more details.
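You could say that every answer is hidden in the official documentation; it is just that on first contact one rarely reads the documentation all the way through.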