Adrian Goins recently ran a Kubernetes Master Class on securing and controlling the edge with K3s and Traefik, in which he demonstrated how to reach the Traefik Proxy dashboard on K3s. You can register to watch the replay here: https://more.suse.com/MC_Secure_Edge_K3s_Traefik.html

Rancher Desktop creates a single-node K3s cluster, so I was curious whether the Traefik Proxy dashboard could also be reached when using Rancher Desktop. I asked Adrian during the class, he said it should be possible, and so I set out to try it.

Note: this post was written on Linux. On Mac or Windows some parameters will need to be adjusted.

This post follows the lessons Adrian published on GitHub: https://github.com/traefik-workshops/k3s-and-traefik-proxy

First, clone Adrian's repo:

> git clone https://github.com/traefik-workshops/k3s-and-traefik-proxy.git
> cd k3s-and-traefik-proxy/

Lesson 1: Expose the Traefik Dashboard

Note: none of the files in 01-Expose-the-Dashboard are currently used in Adrian's lessons.

Save the cluster IP in a variable

Adrian suggests checking the cluster IP address in the kubeconfig file; Rancher Desktop creates a ~/.kube/config file on the host:

> grep server ~/.kube/config
    server: https://127.0.0.1:6443
> export CLUSTERIP=127.0.0.1

At this point Adrian continues with his lesson, but Rancher Desktop on Linux currently has a limitation: privileged ports (ports below 1024) cannot be reached. See https://github.com/rancher-sandbox/rancher-desktop/issues/576

Instead, Rancher Desktop users on Linux need to know which Ingress ports HTTP (80) and HTTPS (443) have been forwarded to:

> kubectl get service -n kube-system traefik
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
traefik LoadBalancer 10.43.146.37 192.168.5.15 80:30876/TCP,443:30614/TCP 26

We save the Ingress ports in variables so they can be used throughout the lessons:

> export CLUSTERHTTP=`kubectl get service -n kube-system traefik -o json | jq '.spec.ports[0].nodePort'`
> export CLUSTERHTTPS=`kubectl get service -n kube-system traefik -o json | jq '.spec.ports[1].nodePort'`
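The jq commands above pick the NodePorts by position (.spec.ports[0] and .spec.ports[1]), which only works while port 80 happens to be listed before port 443. The following helper is an added example and is not part of the original post or the workshop repo; it derives the same values from the PORT(S) column of `kubectl get service` by matching the service port explicitly, and validates that the result is in the default NodePort range. The service line embedded in the script is a constructed sample modelled on the output shown above.

```shell
#!/bin/sh
# Added example (not from the original post or the workshop repo).
# Derive the NodePorts that Traefik's LoadBalancer service maps HTTP (80)
# and HTTPS (443) to, by parsing the PORT(S) column instead of assuming
# the order of .spec.ports. Input is one line of
# `kubectl get service -n kube-system traefik --no-headers`.

# Constructed sample line, matching the output shown in the post.
SAMPLE_SVC='traefik   LoadBalancer   10.43.146.37   192.168.5.15   80:30876/TCP,443:30614/TCP   26m'

# node_port_for <service-port> <kubectl-get-service-line>
# Prints the NodePort mapped to the given service port; returns 1 if absent.
node_port_for() {
    port="$1"
    line="$2"
    # Column 5 is PORT(S): entries look like "<port>:<nodeport>/<proto>", comma separated.
    result=$(printf '%s\n' "$line" | awk '{print $5}' | tr ',' '\n' \
        | awk -F'[:/]' -v p="$port" '$1 == p {print $2; exit}')
    [ -n "$result" ] || return 1
    printf '%s\n' "$result"
}

# is_node_port <value>: true when the value is an integer in the
# default Kubernetes NodePort range 30000-32767.
is_node_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 30000 ] && [ "$1" -le 32767 ]
}

# Typical use against a live cluster (commented out so the script runs offline):
# SVC_LINE=$(kubectl get service -n kube-system traefik --no-headers)
# export CLUSTERHTTP=$(node_port_for 80 "$SVC_LINE")
# export CLUSTERHTTPS=$(node_port_for 443 "$SVC_LINE")
# is_node_port "$CLUSTERHTTP" && is_node_port "$CLUSTERHTTPS" || echo "unexpected port mapping"
```

Matching on the service port rather than on the list index means the variables stay correct even if the chart reorders or adds ports.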

Switch the current namespace to kube-system

> kubectl config set-context --current --namespace kube-system
Context "rancher-desktop" modified.

Create the Service

> kubectl expose deploy/traefik -n kube-system --port=9000 --target-port=9000 --name=traefik-dashboard
service/traefik-dashboard exposed

Create the Ingress

> kubectl create ingress traefik-dashboard --rule="dashboard.traefik.$CLUSTERIP.sslip.io/*=traefik-dashboard:9000"
ingress.networking.k8s.io/traefik-dashboard created

Access the dashboard

Unlike Adrian's steps, we need to include the HTTP Ingress port in the URL:

> curl -si http://dashboard.traefik.$CLUSTERIP.sslip.io:$CLUSTERHTTP/dashboard/ | head -n 1
HTTP/1.1 200 OK
> echo http://dashboard.traefik.$CLUSTERIP.sslip.io:$CLUSTERHTTP/dashboard/
http://dashboard.traefik.127.0.0.1.sslip.io:30876/dashboard/

Add the annotation

> kubectl annotate ingress traefik-dashboard traefik.ingress.kubernetes.io/router.entrypoints=web
ingress.networking.k8s.io/traefik-dashboard annotated

Lesson 2: Secure the Dashboard with Middleware

> cd 02-Secure-the-Dashboard-With-Middleware

Create the users file

Note that Adrian already provides a users file set up for the workshop:

> cat users
user@example.com:$apr1$nWlieTS.$pbESld2QB5uYuUTAfFICr.
admin@example.com:$apr1$XMtXkoUy$IwIKiM./ujfaYf6/MsCaf1

Create the dashboard-users Secret from the users file

> kubectl create secret generic dashboard-users --from-file=users
secret/dashboard-users created

Create the Middleware from middleware-auth.yaml

> cat middleware-auth.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth
spec:
  basicAuth:
    secret: dashboard-users
> kubectl apply -f middleware-auth.yaml
middleware.traefik.containo.us/dashboard-auth created

Apply the Middleware to the Ingress

> kubectl annotate ingress traefik-dashboard \
traefik.ingress.kubernetes.io/router.middlewares=kube-system-dashboard-auth@kubernetescrd
ingress.networking.k8s.io/traefik-dashboard annotated

Note that if you have been visiting the dashboard in your browser, you should now be prompted for a username and password.

Test the Middleware

> curl -si http://dashboard.traefik.$CLUSTERIP.sslip.io:$CLUSTERHTTP/dashboard/ | head -n 1
HTTP/1.1 401 Unauthorized
> curl -si -u 'admin@example.com:admin1234' http://dashboard.traefik.$CLUSTERIP.sslip.io:$CLUSTERHTTP/dashboard/ | head -n 1
HTTP/1.1 200 OK

Create a Middleware that adds the /dashboard prefix

> cat middleware-rewrite.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-rewrite
spec:
  addPrefix:
    prefix: /dashboard
> kubectl apply -f middleware-rewrite.yaml
middleware.traefik.containo.us/dashboard-rewrite created

Apply the second Middleware to the Ingress

> kubectl annotate ingress traefik-dashboard \
traefik.ingress.kubernetes.io/router.middlewares=kube-system-dashboard-rewrite@kubernetescrd,kube-system-dashboard-auth@kubernetescrd \
--overwrite=true
ingress.networking.k8s.io/traefik-dashboard annotated

Access the dashboard without /dashboard/

> curl -si http://dashboard.traefik.$CLUSTERIP.sslip.io:$CLUSTERHTTP/ | head -n 1
HTTP/1.1 401 Unauthorized

Fix the dashboard

> kubectl create ingress traefik-dashboard-api --rule="dashboard.traefik.$CLUSTERIP.sslip.io/api/*=traefik-dashboard:9000"
ingress.networking.k8s.io/traefik-dashboard-api created
> kubectl annotate ingress traefik-dashboard-api \
traefik.ingress.kubernetes.io/router.middlewares=kube-system-dashboard-auth@kubernetescrd
ingress.networking.k8s.io/traefik-dashboard-api annotated

Lesson 3: Use the IngressRoute Custom Resource

> cd ../03-Use-the-IngressRoute-Custom-Resource/

Change the Ingresses into IngressRoutes

Remove the Ingresses created earlier:

> kubectl delete ingress/traefik-dashboard ingress/traefik-dashboard-api
ingress.networking.k8s.io "traefik-dashboard" deleted
ingress.networking.k8s.io "traefik-dashboard-api" deleted

Create the new IngressRoute; we need to change the IP address:

> cat ingressroute.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-secure
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: Host("dashboard.traefik.10.68.0.70.sslip.io")
      services:
        - name: traefik-dashboard
          port: 9000
      middlewares:
        - name: dashboard-auth
        - name: dashboard-rewrite
    - kind: Rule
      match: Host("dashboard.traefik.10.68.0.70.sslip.io") && PathPrefix("/api")
      services:
        - name: traefik-dashboard
          port: 9000
      middlewares:
        - name: dashboard-auth
> sed -i "s/10\.68\.0\.70/${CLUSTERIP}/" ingressroute.yaml
> cat ingressroute.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-secure
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: Host("dashboard.traefik.127.0.0.1.sslip.io")
      services:
        - name: traefik-dashboard
          port: 9000
      middlewares:
        - name: dashboard-auth
        - name: dashboard-rewrite
    - kind: Rule
      match: Host("dashboard.traefik.127.0.0.1.sslip.io") && PathPrefix("/api")
      services:
        - name: traefik-dashboard
          port: 9000
      middlewares:
        - name: dashboard-auth
> kubectl apply -f ingressroute.yaml
ingressroute.traefik.containo.us/traefik-dashboard-secure created
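The sed substitution above (and the same one applied later to certificate.yaml and the HTTP IngressRoute) has a quiet failure mode: if CLUSTERIP is unset or empty, `s/10\.68\.0\.70/${CLUSTERIP}/` deletes the address and leaves a Host("dashboard.traefik..sslip.io") rule that never matches, so the dashboard silently stops routing. The helper below is an added example, not part of the original post or the workshop repo; it validates the cluster IP before rewriting and reports how many placeholder addresses remain. The YAML lines it works on are a constructed sample with the two match rules from the file above.

```shell
#!/bin/sh
# Added example (not from the original post or the workshop repo).
# Replace the workshop placeholder address 10.68.0.70 with the real cluster IP,
# refusing to run when the cluster IP is not a valid dotted quad.

WORKSHOP_IP='10.68.0.70'        # literal form, for grep -F
WORKSHOP_IP_RE='10\.68\.0\.70'  # regex form, for sed

# Constructed input modelled on the post's ingressroute.yaml (the two match rules).
SAMPLE_YAML='match: Host("dashboard.traefik.10.68.0.70.sslip.io")
match: Host("dashboard.traefik.10.68.0.70.sslip.io") && PathPrefix("/api")'

# is_ipv4 <string>: true for a dotted quad whose four octets are each 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 {exit 1}
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# render_for_cluster <yaml-text> <cluster-ip>: prints the text with the workshop
# address replaced; prints nothing and returns 1 when cluster-ip is invalid,
# so an empty or unset CLUSTERIP can never blank the Host rule.
render_for_cluster() {
    is_ipv4 "$2" || return 1
    printf '%s\n' "$1" | sed "s/${WORKSHOP_IP_RE}/$2/g"
}

# count_placeholders <yaml-text>: number of lines still carrying the workshop address.
count_placeholders() {
    printf '%s\n' "$1" | grep -cF "$WORKSHOP_IP" || true
}

# Typical use in the lesson directory (commented out so the script runs offline):
# render_for_cluster "$(cat ingressroute.yaml)" "$CLUSTERIP" > ingressroute.rendered.yaml \
#     || { echo "CLUSTERIP is not a valid IPv4 address: '$CLUSTERIP'" >&2; exit 1; }
# [ "$(count_placeholders "$(cat ingressroute.rendered.yaml)")" = "0" ] || echo "placeholders left" >&2
```

Rendering to a new file instead of editing in place also sidesteps the `sed -i` argument differences between GNU sed and the BSD sed shipped on macOS, which the note at the top of the post alludes to.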

Look at the IngressRoute

> kubectl get ingressroute traefik-dashboard -o yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  annotations:
    helm.sh/hook: post-install,post-upgrade
  creationTimestamp: "2022-02-11T16:01:09Z"
  generation: 1
  labels:
    app.kubernetes.io/instance: traefik
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: traefik
    helm.sh/chart: traefik-10.9.100
  name: traefik-dashboard
  namespace: kube-system
  resourceVersion: "657"
  uid: 7993457e-7cde-478b-82c9-76acc5eebbd9
spec:
  entryPoints:
    - traefik
  routes:
    - kind: Rule
      match: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
      services:
        - kind: TraefikService
          name: api@internal

What is a TraefikService?

> kubectl patch ingressroute/traefik-dashboard-secure --type=json --patch-file patch-dashboard-service.yaml
ingressroute.traefik.containo.us/traefik-dashboard-secure patched
> kubectl delete service traefik-dashboard
service "traefik-dashboard" deleted
> curl -si -u 'admin@example.com:admin1234' http://dashboard.traefik.$CLUSTERIP.sslip.io:$CLUSTERHTTP/ | head -n 1
HTTP/1.1 200 OK

Lesson 4: Secure the Dashboard with TLS

> cd ../04-Secure-the-Dashboard-With-TLS/

Set up cert-manager

I used the latest version of cert-manager, which is currently 1.7.1:

> kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.7.1/cert-manager.yaml
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io created
...
...
...
mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
> kubectl get pods -n cert-manager
NAME READY STATUS RESTARTS AGE
cert-manager-cainjector-d6cbc4d9-j8q8x 1/1 Running 0 70s
cert-manager-6d8d6b5dbb-ts2mq 1/1 Running 0 70s
cert-manager-webhook-85fb68c79b-ql658 1/1 Running 0 70s

Create the ClusterIssuer

> cat clusterissuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned
spec:
  selfSigned: {}
> kubectl apply -f clusterissuer.yaml
clusterissuer.cert-manager.io/selfsigned created

Generate a certificate for the dashboard

We need to change the IP address:

> cat certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: dashboard
spec:
  subject:
    organizations:
      - Traefik Academy
  commonName: dashboard.traefik.10.68.0.70.sslip.io
  issuerRef:
    kind: ClusterIssuer
    name: selfsigned
  secretName: dashboard-crt
> sed -i "s/10\.68\.0\.70/${CLUSTERIP}/" certificate.yaml
> cat certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: dashboard
spec:
  subject:
    organizations:
      - Traefik Academy
  commonName: dashboard.traefik.127.0.0.1.sslip.io
  issuerRef:
    kind: ClusterIssuer
    name: selfsigned
  secretName: dashboard-crt
> kubectl apply -f certificate.yaml
certificate.cert-manager.io/dashboard created
> kubectl get secret | grep tls
k3s-serving kubernetes.io/tls 2 87m
dashboard-crt

Add the certificate to the IngressRoute

> cat patch-dashboard-tls.yaml
- op: replace
  path: /spec/entryPoints
  value:
    - websecure
- op: add
  path: /spec/tls
  value:
    secretName: dashboard-crt
> kubectl patch ingressroute/traefik-dashboard-secure \
    --type=json \
    --patch-file patch-dashboard-tls.yaml
ingressroute.traefik.containo.us/traefik-dashboard-secure patched
> echo https://dashboard.traefik.$CLUSTERIP.sslip.io:$CLUSTERHTTPS/
https://dashboard.traefik.127.0.0.1.sslip.io:30614/

Add the HTTP redirect

> cat middleware-scheme.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-permanent
spec:
  redirectScheme:
    permanent: true
    scheme: https

We need to add the HTTPS port to middleware-scheme.yaml and change the IP address in ingressroute.yaml:

> echo "    port: \"${CLUSTERHTTPS}\"" >> middleware-scheme.yaml

> cat middleware-scheme.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-permanent
spec:
  redirectScheme:
    permanent: true
    scheme: https
    port: "30614"
> kubectl apply -f middleware-scheme.yaml
middleware.traefik.containo.us/redirect-permanent created
> cat ingressroute.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-http
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: Host("dashboard.traefik.10.68.0.70.sslip.io")
      services:
        - name: api@internal
          kind: TraefikService
      middlewares:
        - name: redirect-permanent
> sed -i "s/10\.68\.0\.70/${CLUSTERIP}/" ingressroute.yaml
> cat ingressroute.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-http
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: Host("dashboard.traefik.127.0.0.1.sslip.io")
      services:
        - name: api@internal
          kind: TraefikService
      middlewares:
        - name: redirect-permanent
> kubectl apply -f ingressroute.yaml
ingressroute.traefik.containo.us/traefik-dashboard-http created
> curl -si http://dashboard.traefik.$CLUSTERIP.sslip.io:$CLUSTERHTTP/ | head -n 1
HTTP/1.1 301 Moved Permanently

If we drop the head command, we can see where the request was moved to:

> curl -si http://dashboard.traefik.$CLUSTERIP.sslip.io:$CLUSTERHTTP/
HTTP/1.1 301 Moved Permanently
Location: https://dashboard.traefik.127.0.0.1.sslip.io:30614/
Date: Fri, 11 Feb 2022 17:40:15 GMT
Content-Length: 17
Content-Type: text/plain; charset=utf-8

The Location header should include the HTTPS Ingress port. The HTTP URL to try in a browser is:

> echo http://dashboard.traefik.$CLUSTERIP.sslip.io:$CLUSTERHTTP/
http://dashboard.traefik.127.0.0.1.sslip.io:30876/

If we open that URL in a web browser, it should redirect to the HTTPS site. If it does not, you may need to clear your browser's cache.
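Lessons 2 and 4 each end with a curl check done by eye. The script below is an added example, not part of the original post or the workshop repo, that turns those checks into functions a practitioner can run after every change: the dashboard must answer anonymous requests with 401 and advertise Basic auth (the dashboard-auth middleware from lesson 2), and plain HTTP must answer with a 301 whose Location uses https and the HTTPS NodePort (the redirect-permanent middleware from lesson 4). The functions take raw response headers as produced by `curl -si`, so they run offline against the constructed responses embedded here; the Www-Authenticate line in the 401 sample is assumed, since the post only shows the status line.

```shell
#!/bin/sh
# Added example (not from the original post or the workshop repo): post-deploy
# checks for the dashboard's exposure. Each function takes the text of an HTTP
# response (headers first, as printed by `curl -si`) and returns 0 on pass.

# Constructed sample responses modelled on the post's curl output.
RESP_UNAUTH='HTTP/1.1 401 Unauthorized
Www-Authenticate: Basic realm="traefik"
Date: Fri, 11 Feb 2022 17:40:15 GMT
Content-Length: 17'

RESP_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: https://dashboard.traefik.127.0.0.1.sslip.io:30614/
Date: Fri, 11 Feb 2022 17:40:15 GMT
Content-Length: 17
Content-Type: text/plain; charset=utf-8'

RESP_OK='HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8'

# status_of <response>: prints the HTTP status code from the status line.
status_of() {
    printf '%s\n' "$1" | awk 'NR == 1 {print $2; exit}'
}

# header_of <name> <response>: prints a header value, matching the name
# case-insensitively and stripping a trailing CR.
header_of() {
    printf '%s\n' "$2" | awk -v n="$(printf '%s' "$1" | tr 'A-Z' 'a-z'):" '
        tolower($1) == n { sub(/^[^:]*:[ \t]*/, ""); sub(/\r$/, ""); print; exit }'
}

# requires_auth <response>: true when an anonymous request is rejected with
# 401 and the server asks for Basic credentials (lesson 2's dashboard-auth).
requires_auth() {
    [ "$(status_of "$1")" = "401" ] || return 1
    case "$(header_of WWW-Authenticate "$1")" in
        Basic*) return 0 ;;
        *) return 1 ;;
    esac
}

# redirects_to_https <response> <https-nodeport>: true when plain HTTP gets a
# 301 whose Location is https and carries the HTTPS NodePort (lesson 4's
# redirect-permanent middleware with the port added to middleware-scheme.yaml).
redirects_to_https() {
    [ "$(status_of "$1")" = "301" ] || return 1
    loc=$(header_of Location "$1")
    case "$loc" in
        https://*:"$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live use with the variables from the post (commented out so the script runs
# offline). --insecure is needed only because lesson 4 uses a self-signed issuer.
# host="dashboard.traefik.$CLUSTERIP.sslip.io"
# requires_auth "$(curl -si --insecure "https://$host:$CLUSTERHTTPS/")" \
#     || echo "FAIL: dashboard reachable without credentials" >&2
# redirects_to_https "$(curl -si "http://$host:$CLUSTERHTTP/")" "$CLUSTERHTTPS" \
#     || echo "FAIL: HTTP is not redirected to the HTTPS NodePort" >&2
```

Checking the port in the Location header is the part that matters on Rancher Desktop: without the `port:` line in middleware-scheme.yaml the redirect would point at https on port 443, which this setup cannot reach.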
