2021.11.15, 2020.06.16
1. K8s Dashboard install
a. install Dashboard
- https://github.com/kubernetes/dashboard#kubernetes-dashboard
# Latest - Release
# v2.0.0 (compatible with K8s 1.18), v2.0.0-rc3 (compatible with K8s 1.16), v2.0.0-beta3 (compatible with K8s 1.15)
$ k version --short
Client Version: v1.20.4
Server Version: v1.16.15
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-rc3/aio/deploy/recommended.yaml
$ kubectl patch service kubernetes-dashboard -n kubernetes-dashboard -p '{"spec": {"type": "NodePort"}}'
# Skip option on the login page to access the Dashboard (optional; with skip enabled, anyone who can reach the page acts with the permissions of the Dashboard's own ServiceAccount)
$ kubectl edit deployment kubernetes-dashboard -n kubernetes-dashboard   # edit the Deployment: a running Pod's container args are immutable, and the Deployment rolls out the new Pod
      containers:
      - args:
        - --auto-generate-certificates
        - --enable-skip-login   # <-- add this line (when configuring no-login access)
b. Creating user & Binding role
- https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md
$ vi kubernetes-dashboard-admin.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
$ kubectl apply -f kubernetes-dashboard-admin.yaml
…
$
c. Applying a self-signed certificate
- Deploying the Dashboard automatically generates and applies a self-signed certificate (default).
Chrome v80 and later: the root certificate (CA) is not trusted, so the connection fails with a "NET::ERR_CERT_INVALID" error.
Workaround: click an empty area of the error page and type 'thisisunsafe' to get through (tested on Chrome v95).
Firefox: the warning can be dismissed and the connection proceeds - 'Advanced...' ⇢ 'Accept the Risk and Continue'
- Explicit generation and application (optional)
Generate a self-signed certificate with the openssl command or with cert-manager and apply it.
https://github.com/kubernetes/dashboard/blob/master/docs/user/installation.md#recommended-setup
i. Generating a self-signed certificate with the openssl command
$ mkdir certs
$ openssl req -nodes -newkey rsa:2048 -keyout certs/tls.key -out certs/tls.csr -subj "/C=/ST=/L=/O=/OU=/CN=kubernetes-dashboard"
$ openssl x509 -req -sha256 -days 365 -in certs/tls.csr -signkey certs/tls.key -out certs/tls.crt
$ kubectl create secret generic kubernetes-dashboard-certs --from-file=certs -n kubernetes-dashboard
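The two openssl commands above produce a certificate whose only identity is the CN; since Chrome 58 the browser matches the host against the Subject Alternative Name only, so such a certificate is rejected even after its CA is trusted. The script below is an added example (not from the page or the Dashboard project) that generates the pair with a SAN and checks it before it goes into the Secret: the certificate parses and is unexpired, the key really belongs to it, and a SAN is present. The function names, the DASHBOARD_CERT_DIR variable and the SAN host names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: self-signed Dashboard certificate with a SAN, plus pre-flight checks.
# Function names, the DASHBOARD_CERT_DIR variable and the SAN host names are
# constructed for this example; they do not come from the page.

# Generate tls.key / tls.crt in $1. The extensions go through a config file so the
# command also works on OpenSSL builds that lack 'req -addext'.
make_dashboard_cert() {
  dir=$1
  cn=${2:-kubernetes-dashboard}
  sans=${3:-DNS:kubernetes-dashboard,DNS:kubernetes-dashboard.kubernetes-dashboard.svc}
  mkdir -p "$dir" || return 1
  cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $cn
[ v3 ]
subjectAltName = $sans
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
    -config "$dir/openssl.cnf" -extensions v3 \
    -keyout "$dir/tls.key" -out "$dir/tls.crt" >/dev/null 2>&1
}

# Print the SAN line of the certificate in $1 (empty if it has none).
san_of_cert() {
  openssl x509 -in "$1/tls.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Return 0 only if the pair in $1 is fit to serve: the certificate parses and is
# unexpired, the private key belongs to it (public keys compared), and a SAN is
# present (browsers match the host against SANs, not the CN).
verify_dashboard_cert() {
  dir=$1
  openssl x509 -in "$dir/tls.crt" -noout -checkend 0 >/dev/null 2>&1 || return 1
  crt_pub=$(openssl x509 -in "$dir/tls.crt" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$dir/tls.key" -pubout 2>/dev/null)
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] || return 1
  san_of_cert "$dir" | grep -q 'DNS:' || return 1
}

# Stand-alone run: writes ./certs (or $DASHBOARD_CERT_DIR), mirroring the 'mkdir certs' step.
out=${DASHBOARD_CERT_DIR:-certs}
if make_dashboard_cert "$out" && verify_dashboard_cert "$out"; then
  echo "OK: $out/tls.crt and $out/tls.key are consistent; $(san_of_cert "$out")"
else
  echo "FAILED: certificate generation or verification in $out" >&2
fi
```

Only tls.key and tls.crt are needed by the Dashboard, so after this script the page's `kubectl create secret generic ... --from-file=certs` picks up exactly those two files (no tls.csr is written). Replace the default SAN list with the host name or IP the browser will actually use, as the cert-manager example in ii. does with `dnsNames` and `ipAddresses`.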
ii. Generating a self-signed certificate with cert-manager
$ cat k8s-dashboard-cert.yaml
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: kubeflow-dashboard-cert
  namespace: kubernetes-dashboard
spec:
  commonName: kubernetes-dashboard
  # Use ipAddresses if your LoadBalancer issues an IP
  ipAddresses:
  - 14.52.244.134
  # Use dnsNames if your LoadBalancer issues a hostname (eg on AWS)
  dnsNames:
  - api.acp.kt.co.kr
  isCA: true
  issuerRef:
    kind: ClusterIssuer
    name: kubeflow-self-signing-issuer
  secretName: kubernetes-dashboard-certs
$ k apply -f k8s-dashboard-cert.yaml
certificate.cert-manager.io/kubeflow-dashboard-cert created
[acp@iap01 self-singed-cert]$ k describe secrets kubernetes-dashboard-certs -n kubernetes-dashboard
Name: kubernetes-dashboard-certs
Namespace: kubernetes-dashboard
...
Type: kubernetes.io/tls
Data
====
ca.crt: 1184 bytes
tls.crt: 1184 bytes
tls.key: 1675 bytes
$
iii. Applying the self-signed certificate
$ k edit deployment.apps/kubernetes-dashboard -n kubernetes-dashboard
      containers:
      - args:
        - --tls-cert-file=/tls.crt   # added
        - --tls-key-file=/tls.key    # added
        - --auto-generate-certificates
$
d. Applying a custom TLS certificate
--auto-generate-certificates can be left in place, and will be used as a fallback.
$ kubectl delete secrets kubernetes-dashboard-certs -n kubernetes-dashboard
$ kubectl create secret generic kubernetes-dashboard-certs -n kubernetes-dashboard \
--from-file=tls.crt=gsd_kt_co_kr_cert.pem \
--from-file=tls.key=gsd_kt_co_kr_key-no_pass_phrase.pem
$ k edit deployment.apps/kubernetes-dashboard -n kubernetes-dashboard
      containers:
      - args:
        - --tls-cert-file=/tls.crt   # added
        - --tls-key-file=/tls.key    # added
        - --auto-generate-certificates
$
2. Accessing Dashboard
- https://stackoverflow.com/questions/46664104/how-to-sign-in-kubernetes-dashboard
- URL: https://34.73.206.141:30544/
$IP: a Kubernetes control-plane or worker node (kubectl get nodes -o wide)
$Port: the NodePort of the kubernetes-dashboard Service (30544)
$ kubectl get service kubernetes-dashboard -n kubernetes-dashboard
NAME                   TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE
kubernetes-dashboard   NodePort   10.102.251.216   <none>        443:30544/TCP   8h
$
Retrieving the token:
$ kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')
…
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2………
$
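The token printed by `describe secret` is a JWT: it is a cluster-admin credential here, because the admin-user ServiceAccount was bound to cluster-admin in 1.b, and a Secret-based ServiceAccount token of this kind carries no expiry claim, so a leaked copy stays valid until the Secret is deleted. (On Kubernetes 1.24 and later such Secrets are no longer created automatically; `kubectl -n kubernetes-dashboard create token admin-user` issues a short-lived token instead.) The script below is an added example, not from the page, that decodes a token to show which identity it asserts and whether it is time-bounded. Decoding is not verification: only the API server, which holds the signing key, can validate the signature. The token it decodes is constructed in the script with a dummy signature; the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: inspect (not verify) a ServiceAccount token before using it.
# Function names and the sample token are constructed for this example.

# base64url-encode stdin without padding (the RFC 7515 encoding JWTs use).
b64url() {
  base64 | tr -d '=\n' | tr '+/' '-_'
}

# Decode the base64url string in $1, restoring the padding JWTs strip.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Print the decoded JSON payload (second dot-separated part) of the JWT in $1.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Print the string claim $2 of the JWT in $1 (empty if absent). Kubernetes claim
# names contain '/', so '|' delimits the sed expression.
jwt_claim() {
  jwt_payload "$1" | sed -n "s|.*[{,]\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# One-line summary: the asserted subject and whether the token ever expires.
# Legacy Secret-based ServiceAccount tokens carry no "exp" claim.
jwt_describe() {
  sub=$(jwt_claim "$1" sub)
  if jwt_payload "$1" | grep -q '"exp":'; then
    printf '%s expires\n' "$sub"
  else
    printf '%s never-expires\n' "$sub"
  fi
}

# Constructed sample in the shape of a legacy ServiceAccount token for the admin-user
# created in 1.b; the signature part is a dummy and would fail verification.
sample_token() {
  hdr=$(printf '%s' '{"alg":"RS256","kid":""}' | b64url)
  pl=$(printf '%s' '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kubernetes-dashboard","kubernetes.io/serviceaccount/service-account.name":"admin-user","sub":"system:serviceaccount:kubernetes-dashboard:admin-user"}' | b64url)
  sig=$(printf '%s' 'dummy-signature' | b64url)
  printf '%s.%s.%s' "$hdr" "$pl" "$sig"
}

# Stand-alone run. With a real token: TOKEN=$(kubectl ...); jwt_describe "$TOKEN"
jwt_describe "$(sample_token)"
```

Run against the real token, `jwt_describe` should report `system:serviceaccount:kubernetes-dashboard:admin-user`; any other subject means the wrong Secret was picked up by the grep in the command above.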
3. Registering an ingress
- Creating the ingress resource
✓ The domain name used to reach the kubernetes-dashboard service is 'dashboard.svc.acp.kt.co.kr'.
✓ The backend-protocol annotation is set so that the kubernetes-dashboard service is reached over HTTPS.
✓ When the dashboard is reached through the ingress, the ingress's certificate is used and Chrome does not raise the ERR_CERT_INVALID error.
$ vi k8s-dashboard-ingress.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: kubernetes-dashboard-ingress
  namespace: kubernetes-dashboard
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
spec:
  rules:
  - host: "dashboard.svc.acp.kt.co.kr"
    http:
      paths:
      - path: "/"
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
$ k apply -f k8s-dashboard-ingress.yaml
ingress.networking.k8s.io/kubernetes-dashboard-ingress created
$
$ k get ing kubernetes-dashboard-ingress -n kubernetes-dashboard
NAME                           HOSTS                        ADDRESS         PORTS     AGE
kubernetes-dashboard-ingress   dashboard.svc.acp.kt.co.kr   14.52.244.216   80, 443   8m12s
$
- Accessing the kubernetes dashboard
URL: https://dashboard.svc.acp.kt.co.kr/