Deploying the AWS EKS Dashboard (k8s version)
Cloud/AWS 2024. 11. 8. 08:40
Amazon Web Services (AWS) is a scalable and reliable cloud computing platform
that lets you obtain IT infrastructure such as servers, storage and databases easily over the internet.
This post reviews what I did while working through the Certified Practitioner for Platform Operations (CPPO).
▶ Overview
Kubernetes Dashboard is a web-based UI for viewing the state of cluster resources
at a glance and managing them.
It shows the status of the applications deployed in the cluster, resource usage, network settings and more in one place.
It can be deployed easily with a Helm chart or YAML files,
and access can be controlled in a fine-grained way by configuring a ServiceAccount and a ClusterRoleBinding.
▶ Setup
> Downloading the Kubernetes Dashboard YAML
Fetch the YAML from the GitHub repository referenced by the official site, saving it to a file with the OutFile option.
(Note that curl reads -OutFile as the bundled short options -O -u tFile, so it prompts for a password for user 'tFile' and sends a Basic authorization header; -O on its own saves the file under its remote name, recommended.yaml. Also, -k disables TLS certificate verification; for a manifest you are about to apply to a cluster, fix the CA bundle instead of skipping verification.)
Command: curl -vk https://raw.githubusercontent.com/kubernetes/dashboard/v2.6.1/aio/deploy/recommended.yaml -OutFile
> Pulling the related images
Because the YAML will be applied from a private subnet, the images that would otherwise be pulled from the public registry are pushed to the private registry in advance.
Command: cat recommended-edit.yaml | grep kubernetesui
image: kubernetesui/dashboard:v2.6.1
image: kubernetesui/metrics-scraper:v1.0.8
[ PULL ]
Command: docker pull kubernetesui/metrics-scraper:v1.0.8 & docker pull kubernetesui/dashboard:v2.6.1
[ CHECK & PUSH ]
Command: docker images kubernetesui/dashboard
REPOSITORY               TAG      IMAGE ID       CREATED       SIZE
kubernetesui/dashboard   v2.6.1   adad549a4764   2 years ago   244MB
Command: docker images kubernetesui/metrics-scraper
REPOSITORY                     TAG      IMAGE ID       CREATED       SIZE
kubernetesui/metrics-scraper   v1.0.8   a422e0e98235   2 years ago   42.3MB
Command: docker tag kubernetesui/dashboard:v2.6.1 890742581270.dkr.ecr.ap-northeast-2.amazonaws.com/testkior/repo-kior:dashboard
Command: docker tag kubernetesui/metrics-scraper:v1.0.8 890742581270.dkr.ecr.ap-northeast-2.amazonaws.com/testkior/repo-kior:metrics
Command: docker push 890742581270.dkr.ecr.ap-northeast-2.amazonaws.com/testkior/repo-kior:dashboard
The push refers to repository [890742581270.dkr.ecr.ap-northeast-2.amazonaws.com/testkior/repo-kior]
4b6bbe523aa9: Pushed
063a6b6ed959: Pushed
dashboard: digest: sha256:24794ca4ce01d765499d5b63a2d63eb31a8bd0469ccceee983f62ae2deb0e095 size: 736
Command: docker push 890742581270.dkr.ecr.ap-northeast-2.amazonaws.com/testkior/repo-kior:metrics
The push refers to repository [890742581270.dkr.ecr.ap-northeast-2.amazonaws.com/testkior/repo-kior]
7debf107fa8e: Pushed
a10378d68413: Pushed
metrics: digest: sha256:853c43f3cced687cb211708aa0024304a5adb33ec45ebf5915d318358822e09a size: 736
> Editing the Kubernetes Dashboard YAML
In the previous step the two required images were moved to ECR.
Now edit the manifest so that the deployment uses the changed image references when it is applied.
Since using the 'KEY CODE' at login is inconvenient, I added a skip button.
This is clearly a security weakness, but AWS has security groups and this post is about a development environment setup, so I went ahead and applied it.
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: kubernetes-dashboard
      image: kubernetesui/dashboard:v2.6.1
      imagePullPolicy: Always
      ports:
        - containerPort: 8443
          protocol: TCP
      args:
        - --enable-skip-login
        - --disable-settings-authorizer
        - --auto-generate-certificates
        - --namespace=kubernetes-dashboard
        # Uncomment the following line to manually specify Kubernetes API server Host
        # If not specified, Dashboard will attempt to auto discover the API server and connect
        # to it. Uncomment only if the default does not work.
        # - --apiserver-host=http://my-address:port
      volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
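As an added example (not code from the original post), the POSIX shell script below carries out the manifest edit described above on a constructed excerpt of recommended.yaml: it rewrites the two public kubernetesui images to a placeholder ECR repository, checks that no public image reference is left, flags --enable-skip-login, and writes a hardened copy with the two authentication-bypass flags removed so that a ServiceAccount token or kubeconfig is required at login. The ECR_REPO value and the sample excerpt are constructed placeholders, not the post's account or files.

```shell
#!/bin/sh
# Added example, not part of the original post: rewrite the two public kubernetesui
# image references in recommended.yaml to the private ECR repository, then verify
# the edited file before applying it. ECR_REPO is a placeholder account/repo.
ECR_REPO="${ECR_REPO:-123456789012.dkr.ecr.ap-northeast-2.amazonaws.com/example/repo}"

# rewrite_images IN OUT : point both dashboard images at the private registry
rewrite_images() {
  sed -e "s#image: kubernetesui/dashboard:v2.6.1#image: ${ECR_REPO}:dashboard#" \
      -e "s#image: kubernetesui/metrics-scraper:v1.0.8#image: ${ECR_REPO}:metrics#" \
      "$1" > "$2"
}
# no_public_images FILE : succeeds only if no docker.io kubernetesui/ image remains
no_public_images() { ! grep -q 'image: kubernetesui/' "$1"; }
# count_private_images FILE : prints how many images point at ECR_REPO (expect 2)
count_private_images() { grep -c "image: ${ECR_REPO}:" "$1" || true; }
# skip_login_enabled FILE : succeeds if the dashboard would allow login without a token
skip_login_enabled() { grep -q -- '--enable-skip-login' "$1"; }
# harden_args IN OUT : drop the two flags that bypass the token login and the
# settings authorizer, so a ServiceAccount token or kubeconfig is required to log in
harden_args() {
  sed -e '/- --enable-skip-login/d' -e '/- --disable-settings-authorizer/d' "$1" > "$2"
}
# make_sample FILE : constructed excerpt of the edited manifest (relevant lines only)
make_sample() {
  cat > "$1" <<'EOF'
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.6.1
          args:
            - --enable-skip-login
            - --disable-settings-authorizer
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.8
EOF
}

if [ "${1:-}" = "demo" ]; then   # run as: sh edit.sh demo
  in=$(mktemp); out=$(mktemp); hard=$(mktemp); make_sample "$in"
  rewrite_images "$in" "$out"
  no_public_images "$out" && echo "private images: $(count_private_images "$out")"
  skip_login_enabled "$out" && echo "warning: --enable-skip-login is set"
  harden_args "$out" "$hard" && echo "hardened manifest written to $hard"
  rm -f "$in" "$out"
fi
```

Run the hardened copy through kubectl apply instead of the skip-login version when the cluster is reachable by anyone other than yourself.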
> Deploying and accessing the Kubernetes Dashboard
Command: kubectl apply -f recommended-edit.yaml
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created
Running kubectl proxy on the bastion server is useful when the cluster's internal resources need to be reached from outside.
Command: kubectl proxy --address='0.0.0.0' --accept-hosts='.*' --port=8080
Because --address='0.0.0.0' and --accept-hosts='.*' expose the proxy on every interface of the bastion, and the proxy forwards every request with the bastion's own kubeconfig credentials, restrict the bastion's security group so that port 8080 is reachable only from your own address and stop the proxy when you are finished.
Browser request address
http://<bastion server IP>:8080/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/#/login
▶ Conclusion
Having a UI or not makes a real difference in convenience.
I think there is a reason commercial products put so much effort into providing one :)