Dashboard on bare-metal

by 여행을 떠나자! 2021. 9. 15.

2021.11.15, 2020.06.16

 

1. K8s Dashboard install

a. install Dashboard

- https://github.com/kubernetes/dashboard#kubernetes-dashboard

   # Latest - Release

   # v2.0.0 (K8s 1.18 compatible), v2.0.0-rc3 (K8s 1.16 compatible), v2.0.0-beta3 (K8s 1.15 compatible)

$ k version --short
Client Version: v1.20.4
Server Version: v1.16.15
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-rc3/aio/deploy/recommended.yaml
$ kubectl patch service kubernetes-dashboard -n kubernetes-dashboard -p '{"spec": {"type": "NodePort"}}'

   # Skip option on login page to access Dashboard (optional)

   # Container args of a running Pod cannot be changed, so edit the Deployment instead (the Pod is recreated);
   # with skip-login enabled, anyone who can reach the NodePort uses the Dashboard's own service account.

$ kubectl edit deployment.apps/kubernetes-dashboard -n kubernetes-dashboard
  - args:
    - --auto-generate-certificates
    - --enable-skip-login                 # <-- add this line (when configuring no-login)

 

b. Creating user & Binding role

- https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md

   # Binds admin-user to the built-in cluster-admin ClusterRole, so its token grants full control of the cluster

$ vi kubernetes-dashboard-admin.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
$ kubectl apply -f kubernetes-dashboard-admin.yaml
…
$

 

c. Applying a self-signed certificate

- Deploying the dashboard generates and applies a self-signed certificate automatically (default)

   Chrome v80 and later: the root certificate (CA) is not trusted, so the connection fails with "NET::ERR_CERT_INVALID"

       Workaround: click an empty area of the error page and type 'thisisunsafe'; the page then loads (tested on Chrome v95)

   Firefox: the warning can be ignored - 'Advanced...' ⇢ 'Accept the Risk and Continue'

- Explicit creation and application (optional)

   Generate a self-signed certificate with the openssl command or with cert-manager and apply it.

   https://github.com/kubernetes/dashboard/blob/master/docs/user/installation.md#recommended-setup

i. Generating a self-signed certificate with the openssl command

$ mkdir certs
$ openssl req -nodes -newkey rsa:2048 -keyout certs/tls.key -out certs/tls.csr -subj "/C=/ST=/L=/O=/OU=/CN=kubernetes-dashboard"
$ openssl x509 -req -sha256 -days 365 -in certs/tls.csr -signkey certs/tls.key -out certs/tls.crt
$ kubectl create secret generic kubernetes-dashboard-certs --from-file=certs -n kubernetes-dashboard

 

ii. Generating a self-signed certificate with cert-manager

$ cat k8s-dashboard-cert.yaml
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: kubeflow-dashboard-cert
  namespace: kubernetes-dashboard
spec:
  commonName: kubernetes-dashboard
  # Use ipAddresses if your LoadBalancer issues an IP
  ipAddresses:
  - 14.52.244.134
  # Use dnsNames if your LoadBalancer issues a hostname (eg on AWS)
  dnsNames:
  - api.acp.kt.co.kr
  isCA: true
  issuerRef:
    kind: ClusterIssuer
    name: kubeflow-self-signing-issuer
  secretName: kubernetes-dashboard-certs
$ k apply -f k8s-dashboard-cert.yaml
certificate.cert-manager.io/kubeflow-dashboard-cert created
[acp@iap01 self-singed-cert]$ k describe secrets kubernetes-dashboard-certs -n kubernetes-dashboard
Name:         kubernetes-dashboard-certs
Namespace:    kubernetes-dashboard
...

Type:  kubernetes.io/tls

Data
====
ca.crt:   1184 bytes
tls.crt:  1184 bytes
tls.key:  1675 bytes
$

 

iii. Applying the self-signed certificate

$ k edit deployment.apps/kubernetes-dashboard -n kubernetes-dashboard
containers:
      - args:
        - --tls-cert-file=/tls.crt        # added
        - --tls-key-file=/tls.key         # added
        - --auto-generate-certificates
$

 

d. Applying a custom TLS certificate

--auto-generate-certificates can be left in place, and will be used as a fallback.

$ kubectl delete secrets kubernetes-dashboard-certs -n kubernetes-dashboard
$ kubectl create secret generic kubernetes-dashboard-certs  -n kubernetes-dashboard \
  --from-file=tls.crt=gsd_kt_co_kr_cert.pem \
  --from-file=tls.key=gsd_kt_co_kr_key-no_pass_phrase.pem
$ k edit deployment.apps/kubernetes-dashboard -n kubernetes-dashboard
containers:
      - args:
        - --tls-cert-file=/tls.crt        # added
        - --tls-key-file=/tls.key         # added
        - --auto-generate-certificates
$
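The secrets created in c.i and d above end up mounted into the Dashboard Pod as the files tls.crt and tls.key. The following Python is an added example, not code from this post or from the Dashboard project: it runs the checks a practitioner wants before `kubectl create secret` (PEM framing, DER bodies, no swapped files, and a private key that is not passphrase-protected, which is why the file name above says no_pass_phrase) and emits the equivalent `kubernetes.io/tls` Secret manifest, the same shape `kubectl create secret tls` produces. The PEM fixtures are constructed placeholders wrapping a minimal ASN.1 SEQUENCE, not real certificates or keys; the function and secret names are this example's own.

```python
"""Sanity-check a PEM cert/key pair and build the Kubernetes TLS Secret manifest.
Added example for this post (not Dashboard project code); standard library only."""
import base64
import json
import re

# One PEM block: label on the BEGIN/END lines, wrapped base64 body in between.
PEM_BLOCK = re.compile(
    rb"-----BEGIN (?P<label>[A-Z ]+)-----\s*"
    rb"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    rb"-----END (?P=label)-----"
)


def pem_blocks(pem):
    """Return [(label, der_bytes)] for every PEM block, checking base64 and DER framing."""
    blocks = []
    for m in PEM_BLOCK.finditer(pem):
        label = m.group("label").decode()
        der = base64.b64decode(m.group("body"))  # whitespace is discarded by default
        if not der or der[0] != 0x30:  # every X.509 cert / key starts with an ASN.1 SEQUENCE
            raise ValueError(f"{label} block does not decode to DER")
        blocks.append((label, der))
    return blocks


def key_is_encrypted(key_pem):
    """True for a passphrase-protected key (legacy PEM header or PKCS#8 ENCRYPTED label)."""
    return b"Proc-Type: 4,ENCRYPTED" in key_pem or b"BEGIN ENCRYPTED PRIVATE KEY" in key_pem


def validate_pair(cert_pem, key_pem):
    """Reject the mistakes that make the Dashboard fail to start with a custom certificate."""
    if key_is_encrypted(key_pem):
        raise ValueError("tls.key is passphrase-protected; export it without a passphrase")
    cert_labels = [label for label, _ in pem_blocks(cert_pem)]
    key_labels = [label for label, _ in pem_blocks(key_pem)]
    if any(label.endswith("PRIVATE KEY") for label in cert_labels):
        raise ValueError("tls.crt contains a private key (files swapped?)")
    certs = [label for label in cert_labels if label == "CERTIFICATE"]
    keys = [label for label in key_labels if label.endswith("PRIVATE KEY")]
    if not certs:
        raise ValueError("tls.crt contains no CERTIFICATE block")
    if len(keys) != 1:
        raise ValueError("tls.key must contain exactly one PRIVATE KEY block")
    return {"certificates": len(certs), "key_type": keys[0]}


def build_tls_secret(name, namespace, cert_pem, key_pem):
    """Manifest equivalent to `kubectl create secret tls NAME --cert=... --key=...`."""
    validate_pair(cert_pem, key_pem)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/tls",  # the API server requires both tls.crt and tls.key for this type
        "data": {
            "tls.crt": base64.b64encode(cert_pem).decode(),
            "tls.key": base64.b64encode(key_pem).decode(),
        },
    }


def _pem(label, der):
    return (f"-----BEGIN {label}-----\n".encode() + base64.encodebytes(der)
            + f"-----END {label}-----\n".encode())


# Constructed placeholders: a minimal ASN.1 SEQUENCE, not a real certificate or key.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_CERT = _pem("CERTIFICATE", SAMPLE_DER)
SAMPLE_KEY = _pem("RSA PRIVATE KEY", SAMPLE_DER)
SAMPLE_ENCRYPTED_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        b"DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
                        + base64.encodebytes(SAMPLE_DER) + b"-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    manifest = build_tls_secret("kubernetes-dashboard-certs", "kubernetes-dashboard",
                                SAMPLE_CERT, SAMPLE_KEY)
    print(json.dumps(manifest, indent=2))
```

Pipe the JSON into `kubectl apply -f -`, or keep the `kubectl create secret` command from the post; the Dashboard reads the mounted files by name, so `generic` and `kubernetes.io/tls` secrets both work, and the typed form only adds the API-side check that both keys are present.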

 

 

2. Accessing Dashboard

- https://stackoverflow.com/questions/46664104/how-to-sign-in-kubernetes-dashboard

- URL: https://34.73.206.141:30544/

   $IP: a Kubernetes control-plane or worker node (kubectl get nodes -o wide)

   $Port: the NodePort (30544) of the kubernetes-dashboard Service

$ kubectl get service kubernetes-dashboard -n kubernetes-dashboard
NAME                   TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE
kubernetes-dashboard   NodePort   10.102.251.216   <none>        443:30544/TCP   8h
$

   Retrieve the token:

$ kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')
…
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2………
$
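The value printed under `token:` above is a JSON Web Token; its first segment, eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9, decodes to {"alg":"RS256","kid":""}. The following Python is an added example, not part of kubectl or the Dashboard: it decodes the header and claims without verifying the signature (the API server does that on login) so you can confirm that the token you are about to paste belongs to admin-user in the kubernetes-dashboard namespace, and whether it carries an exp claim. Secret-based tokens like the one on this page have no expiry and stay valid until the secret is deleted. The sample token is constructed here with the legacy claim layout and a bogus signature; the function names are this example's own.

```python
"""Decode (without verifying) a Kubernetes service-account JWT and report its claims.
Added example for this post, not kubectl or Dashboard code; standard library only."""
import base64
import json
import time

SA_PREFIX = "kubernetes.io/serviceaccount/"  # claim prefix used by secret-based SA tokens


def _b64url_decode(segment):
    # JWT segments drop the '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def inspect_sa_token(token, now=None):
    """Return who the token identifies and whether it can expire. Signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    exp = claims.get("exp")
    now = time.time() if now is None else now
    return {
        "alg": header.get("alg"),
        "issuer": claims.get("iss"),
        "subject": claims.get("sub"),
        "namespace": claims.get(SA_PREFIX + "namespace"),
        "service_account": claims.get(SA_PREFIX + "service-account.name"),
        "secret": claims.get(SA_PREFIX + "secret.name"),
        "expires": exp is not None,          # legacy secret-based tokens carry no exp claim
        "expired": exp is not None and exp <= now,
    }


def make_sample_token(namespace="kubernetes-dashboard", name="admin-user"):
    """Constructed token with the legacy SA claim layout and a fake signature (for offline use)."""
    header = {"alg": "RS256", "kid": ""}
    claims = {
        "iss": "kubernetes/serviceaccount",
        SA_PREFIX + "namespace": namespace,
        SA_PREFIX + "secret.name": f"{name}-token-xxxxx",   # placeholder suffix
        SA_PREFIX + "service-account.name": name,
        SA_PREFIX + "service-account.uid": "00000000-0000-0000-0000-000000000000",  # placeholder
        "sub": f"system:serviceaccount:{namespace}:{name}",
    }
    segments = [_b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
                for obj in (header, claims)]
    segments.append(_b64url_encode(b"not-a-real-signature"))
    return ".".join(segments)


if __name__ == "__main__":
    # Paste the real token from `kubectl describe secret` in place of the sample.
    print(json.dumps(inspect_sa_token(make_sample_token()), indent=2))
```

If `service_account` or `namespace` is not what you expect, the `grep admin-user` in the command above picked up a different secret; if `expires` is false, treat the token as a long-lived credential and delete the secret when it is no longer needed.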

 

 

3. Registering an ingress

- Create the ingress resource

   ✓ The domain name for reaching the kubernetes-dashboard service is 'dashboard.svc.acp.kt.co.kr'.

   ✓ Set the backend-protocol annotation so that the kubernetes-dashboard service is reached over HTTPS.

   ✓ When the dashboard is reached through the ingress, the ingress certificate is used and Chrome does not raise ERR_CERT_INVALID.

$ vi k8s-dashboard-ingress.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: kubernetes-dashboard-ingress
  namespace: kubernetes-dashboard
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
spec:
  rules:
  - host: "dashboard.svc.acp.kt.co.kr"
    http:
      paths:
      - path: "/"
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
$ k apply -f k8s-dashboard-ingress.yaml
ingress.networking.k8s.io/kubernetes-dashboard-ingress created
$
$ k get ing kubernetes-dashboard-ingress -n kubernetes-dashboard
NAME                           HOSTS                        ADDRESS         PORTS     AGE
kubernetes-dashboard-ingress   dashboard.svc.acp.kt.co.kr   14.52.244.216   80, 443   8m12s
$

 

- Accessing the kubernetes dashboard

   URL: https://dashboard.svc.acp.kt.co.kr/
