How to access Kubernetes Dashboard from outside ne

2020-06-17 17:04发布

问题:

I am trying to access the kubernetes Dashboard using the Token method outside the network.

I ran these 2 commands to get the token

kubectl -n kube-system get secret

kubectl -n kube-system describe secret replicaset-controller-token-2p4fk

Copy paste output token into K8 Login page.

I'm getting this error browser console when I click on Sign in button (Page is not loading).

I'm running k8 on the internal server using the command:

kubectl proxy --address 0.0.0.0 --accept-hosts '.*'

And trying to access the k8 UI console from outside network.

Failed to load resource: the server responded with a status of 401 (Unauthorized)
vendor.bd425c26.js:6 Error during global settings reload:  Object
:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/api/v1/rbac/status:1 Failed to load resource: the server responded with a status of 401 (Unauthorized)
vendor.bd425c26.js:6 Possibly unhandled rejection: {"data":"MSG_LOGIN_UNAUTHORIZED_ERROR\n","status":401,"config":{"method":"GET","transformRequest":[null],"transformResponse":[null],"jsonpCallbackParam":"callback","url":"api/v1/rbac/status","headers":{"Accept":"application/json, text/plain, */*"}},"statusText":"Unauthorized","xhrStatus":"complete","resource":{}}

I even tried these steps but no luck the page is not loading on clicking Sign in button.

$ kubectl -n kube-system get secret
# All secrets with type 'kubernetes.io/service-account-token' will allow to log in.
# Note that they have different privileges.
NAME                                     TYPE                                  DATA      AGE
deployment-controller-token-frsqj        kubernetes.io/service-account-token   3         22h

$ kubectl -n kube-system describe secret deployment-controller-token-frsqj
Name:         deployment-controller-token-frsqj
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=deployment-controller
              kubernetes.io/service-account.uid=64735958-ae9f-11e7-90d5-02420ac00002

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkZXBsb3ltZW50LWN

Here is my Kube/config file

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRV..
    server: https://192.168.15.97:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: LS0tLS1CRUdJTiBD..
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJ..

And why is that I'm not seeing Skip auth button next to Sign button?

I tried these steps as well:

Run the following commands:

  1. This command will create a service account for the dashboard in the default namespace

    $kubectl create serviceaccount dashboard -n default

  2. This command will add the cluster binding rules to your dashboard account

    kubectl create clusterrolebinding dashboard-admin -n default \ --clusterrole=cluster-admin \ --serviceaccount=default:dashboard

  3. This command will give you the token required for your dashboard login

    $kubectl get secret $(kubectl get serviceaccount dashboard -o jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64 --decode Can some help me here what am i missing out.

Some Findings: Link kubectl proxy command only allows HTTP connection. For domains other than localhost and 127.0.0.1 it will not be possible to sign in. Nothing will happen after clicking Sign in button on login page.

kubectl proxy

Doesn't support https calls.

Is there a way to run kubectl proxy command along with Kubernetes Server IP Address from an outside/Local windows network ?

Note: The local system is a Windows 10 & K8 is a Linux server. Docker Version: 18.09 & k8 Version: v1.13.1

Thanks,

回答1:

https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above

I have a note:

The Dashboard should not be exposed publicly using kubectl proxy command as it only allows HTTP connection. For domains other than localhost and 127.0.0.1 it will not be possible to sign in. Nothing will happen after clicking Sign in button on login page.



回答2:

I have this issue when I try to get access to the dashboard via kubectl proxy using plain http and public ip.

Error details: kubectl proxy produces errors http: proxy error: context canceled in console, in browser after you click "sign in" one of the requests which ends with /plugin/config returns json with MSG_LOGIN_UNAUTHORIZED_ERROR but the browser doesn't display any error.

The solution (source)

kubectl port-forward -n kubernetes-dashboard service/kubernetes-dashboard 8443:443 --address 0.0.0.0

Of course you can use your interface ip instead of 0.0.0.0 if you want to bind it to one interface only. Then go to https://your.external.ip:8443/, it'll redirect you to https://your.external.ip:8443/#/login and you'll be asked for the token. Next, as described here:

kubectl -n kube-system describe secret $(kubectl -n kube-system get secret \
| awk '/^deployment-controller-token-/{print $1}') | awk '$1=="token:"{print $2}'


回答3:

I suppose that you are using wrong secret for Bearer Token. Generally, you have to create ServiceAccount and then assign it appropriate service role via ClusterRoleBinding entitle log in to Dashboard using Bearer Token. Find more information about Kubernetes Dashboard Bearer Token authorization here.



回答4:

for enter in dashboard in a vcluster with virtual machines need a handler netwroks for external ip containers i have a post from this https://piensoluegoinstalo.com/kubernetes-cluster-dashboard-on-premise/

the answers is use metallb

https://piensoluegoinstalo.com/kubernetes-cluster-dashboard-on-premise/
vi metallb.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    address-pools:
    - name: default
      protocol: layer2
      addresses:
      - 192.168.1.240-192.168.1.250
kubectl create -f metallb.yaml

Create certificate for you ip external of a container dashboard and add this resolver in hosts file resolve ip, i used "dashboard" for name domain

mkdir $HOME/certs
cd $HOME/certs
openssl genrsa -out dashboard.key 2048
openssl rsa -in dashboard.key -out dashboard.key
openssl req -sha256 -new -key dashboard.key -out dashboard.csr -subj '/CN=dashboard'
openssl x509 -req -sha256 -days 365 -in dashboard.csr -signkey dashboard.key -out dashboard.crt
kubectl -n kube-system create secret generic kubernetes-dashboard-certs --from-file=$HOME/certs
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/aio/deploy/recommended/kubernetes-dashboard.yaml
kubectl -n kube-system edit service kubernetes-dashboard

CHANGE TYPE TO LOAD BALANCER

apiVersion: v1
kind: Service
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"k8s-app":"kubernetes-dashboard"},"name":"kubernetes-dashboard","namespace":"kube-system"},"spec":{"ports":[{"port":443,"targetPort":8443}],"selector":{"k8s-app":"kubernetes-dashboard"}}}
  creationTimestamp: "2019-04-24T22:21:15Z"
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
  resourceVersion: "1753"
  selfLink: /api/v1/namespaces/kube-system/services/kubernetes-dashboard
  uid: 4612785f-66df-11e9-8180-000c29e7b067
spec:
  clusterIP: 10.110.50.44
  externalTrafficPolicy: Cluster
  ports:
  - nodePort: 31394
    port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  sessionAffinity: None
  type: LoadBalancer
status:
{}
kubectl -n kube-system get service kubernetes-dashboard
nano admin-user.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
kubectl create -f admin-user.yaml
nano cluster-role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
kubectl create -f cluster-role.yaml
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')

https://youtu.be/nZ-CDc7PjSg



回答5:

looks like the token is Base64 encoded. Did you tried to decode it before pasting it into the token field? see: https://kubernetes.io/docs/concepts/configuration/secret/#decoding-a-secret