玩K8S?----Dashboard-Web页面

本文详细介绍如何在K8s环境中部署和配置Dashboard界面,包括角色控制、证书生成及资源暴露等步骤。


K8S----Dashboard

环境: K8s群集搭建完成

[root@master ~]# mkdir dashboard2
[root@master ~]# cd dashboard2

//上传dashboard的模块文件
[root@master dashboard]# rz -E
rz waiting to receive.
[root@master dashboard]# ls 
dashboard-configmap.yaml   dashboard-rbac.yaml    k8s-admin.yaml
dashboard-controller.yaml  dashboard-secret.yaml  dashboard-service.yaml

//查看RBAC角色控制
[root@master dashboard2]# cat dashboard-rbac.yaml 
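# Namespaced Role for the Dashboard's own service account. Every rule is pinned
# with resourceNames, so the account can only touch the listed objects in
# kube-system rather than all secrets/configmaps/services there.
kind: Role  # resource type: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard  # resource label
    addonmanager.kubernetes.io/mode: Reconcile
  name: kubernetes-dashboard-minimal  # resource name
  namespace: kube-system  # namespace the Role lives in
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]
---
# Binds the Role above to the kubernetes-dashboard ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding  # resource type: binds a Role to subjects
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
    addonmanager.kubernetes.io/mode: Reconcile
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system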

[root@master dashboard2]# cat dashboard-secret.yaml
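# Two empty Opaque secrets that the Dashboard expects to exist. They carry no
# data here; kubernetes-dashboard-certs is later mounted at /certs by the
# Deployment and is the secret the Role allows the Dashboard to update.
apiVersion: v1
kind: Secret  # resource type: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    # Allows editing resource and makes sure it is created first.
    addonmanager.kubernetes.io/mode: EnsureExists
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    # Allows editing resource and makes sure it is created first.
    addonmanager.kubernetes.io/mode: EnsureExists
  name: kubernetes-dashboard-key-holder
  namespace: kube-system
type: Opaque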

[root@master dashboard2]# cat dashboard-controller.yaml
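# ServiceAccount the Dashboard pod runs as; its permissions come from the
# kubernetes-dashboard-minimal RoleBinding.
apiVersion: v1
kind: ServiceAccount  # service account
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    addonmanager.kubernetes.io/mode: Reconcile
  name: kubernetes-dashboard
  namespace: kube-system
---
# Deployment that runs the Dashboard container and serves HTTPS on 8443.
apiVersion: apps/v1
kind: Deployment  # stateless workload
metadata:
  name: kubernetes-dashboard  # name of the Dashboard deployment
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:  # deployment spec
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:  # pod template
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
    spec:  # pod spec
      priorityClassName: system-cluster-critical
      containers:
      - name: kubernetes-dashboard
        # NOTE(review): the image is referenced by a mutable tag from a
        # third-party repository. Verify its provenance and pin it by digest;
        # prefer a currently maintained Dashboard release where possible.
        image: siriuszg/kubernetes-dashboard-amd64:v1.8.3
        resources:  # resource allocation
          limits:
            cpu: 100m  # at most 0.1 CPU core
            memory: 300Mi  # at most 300 MiB of memory
          requests:
            cpu: 50m  # requested resources
            memory: 100Mi
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          # PLATFORM-SPECIFIC ARGS HERE
          # Without supplied certificate files the Dashboard generates its
          # own certificate, which browsers will not trust.
          - --auto-generate-certificates
        volumeMounts:  # volumes mounted into the container
        - name: kubernetes-dashboard-certs
          mountPath: /certs  # mount point for the certificate secret
        - name: tmp-volume
          mountPath: /tmp  # mount point for scratch space
        livenessProbe:  # liveness probe
          httpGet:  # probe type: HTTP GET
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30  # delay before the first probe
          timeoutSeconds: 30
      volumes:  # volumes made available to the pod
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}  # empty scratch directory
      serviceAccountName: kubernetes-dashboard
      tolerations:
      - key: "CriticalAddonsOnly"
        operator: "Exists"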

[root@master dashboard2]# cat dashboard-service.yaml 
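# Service that publishes the Dashboard outside the cluster.
# NOTE(review): type NodePort opens port 30001 on every node's address, so
# anyone who can reach a node IP can reach the Dashboard login page. Restrict
# that port with host/network firewall rules, or keep the Service as ClusterIP
# and reach it through `kubectl port-forward` / `kubectl proxy` instead.
apiVersion: v1
kind: Service  # resource type: Service
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:  # resource labels
    k8s-app: kubernetes-dashboard
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:  # service spec
  type: NodePort  # how the port is exposed
  selector:
    k8s-app: kubernetes-dashboard
  ports:
  - port: 443
    targetPort: 8443  # container port, serves HTTPS
    nodePort: 30001  # port opened on the nodes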

//创建角色
[root@master dashboard]# kubectl create -f dashboard-rbac.yaml
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
//创建证书
[root@master dashboard]# kubectl create -f dashboard-secret.yaml
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-key-holder created
//创建配置文件
[root@master dashboard]# kubectl create -f dashboard-configmap.yaml 
configmap/kubernetes-dashboard-settings created
//创建核心资源
[root@master dashboard]# kubectl create -f dashboard-controller.yaml
serviceaccount/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
//创建dashboard服务
[root@master dashboard]# kubectl create -f dashboard-service.yaml
service/kubernetes-dashboard created

[root@master dashboard]# kubectl get pods -n kube-system
NAME                                    READY   STATUS              RESTARTS   AGE
kubernetes-dashboard-65f974f565-826hj   0/1     ContainerCreating   0          111s
kuboard-78bcb484bc-6lxzm                1/1     Running             0          8d                     "主要看上面一个,上面一个是刚创建的, kuboard-78bcb484bc-6lxzm这个是之前创建的kuboard资源,也是K8S的Web界面,具体可以看上面一篇博客"

[root@master dashboard]# kubectl get pods,svc -n kube-system -o wide
"pods信息"
NAME                                        READY   STATUS              RESTARTS   AGE     IP            NODE              NOMINATED NODE
pod/kubernetes-dashboard-65f974f565-826hj   0/1     ContainerCreating   0          3m43s   <none>        192.168.100.180   <none>
pod/kuboard-78bcb484bc-6lxzm                1/1     Running             0          8d      172.17.71.4   192.168.100.190   <none>

"svc信息"

NAME                           TYPE       CLUSTER-IP   EXTERNAL-IP   PORT(S)         AGE    SELECTOR
service/kubernetes-dashboard   NodePort   10.0.0.233   <none>        443:30001/TCP   2m5s   k8s-app=kubernetes-dashboard
service/kuboard                NodePort   10.0.0.185   <none>        80:32567/TCP    8d     k8s.kuboard.cn/layer=monitor,k8s.kuboard.cn/name=kuboard

[root@master dashboard]# ls
dashboard-configmap.yaml   dashboard-rbac.yaml    dashboard-service.yaml
dashboard-controller.yaml  dashboard-secret.yaml  k8s-admin.yaml
[root@master dashboard]# kubectl get pods -n kube-system
NAME                                    READY   STATUS    RESTARTS   AGE
kubernetes-dashboard-65f974f565-826hj   1/1     Running   0          5m23s
kuboard-78bcb484bc-6lxzm                1/1     Running   0          8d

创建token令牌登陆

#Service Account为Pod中的进程和外部用户提供身份信息。所有的kubernetes集群中账户分为两类,Kubernetes管理的serviceaccount(服务账户): pod --> 访问--> apiserver 和useraccount(用户账户): 客户端--> 访问-->apiserver
#RoleBinding可以将角色中定义的权限授予用户或用户组,RoleBinding包含一组权限列表(subjects),权限列表中包含有不同形式的待授予权限资源类型(users、groups、service accounts),RoleBinding适用于某个命名空间内授权,而 ClusterRoleBinding适用于集群范围内的授权。注意:下面的k8s-admin.yaml把dashboard-admin绑定到cluster-admin,这个账户的token等同于整个集群的管理员凭据,生产环境应改为绑定权限更小的角色。
[root@master dashboard2]# cat k8s-admin.yaml
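# Login account for the Dashboard UI plus its cluster-wide binding.
apiVersion: v1
kind: ServiceAccount  # resource type: service account
metadata:
  name: dashboard-admin  # resource name
  namespace: kube-system  # namespace
---
# NOTE(review): this binds dashboard-admin to cluster-admin, so the account's
# token grants full control of the whole cluster to whoever holds it. For
# anything beyond a lab, bind a narrower ClusterRole (for example the built-in
# `view`) or use a namespaced RoleBinding, and treat the token as a secret.
kind: ClusterRoleBinding  # resource type: cluster-wide role binding
# rbac.authorization.k8s.io/v1 is the stable RBAC API (v1beta1 is deprecated).
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dashboard-admin  # resource name
subjects:  # who receives the role
  - kind: ServiceAccount  # subject is a service account
    name: dashboard-admin  # account name
    namespace: kube-system  # namespace the account belongs to
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io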

//创建认证令牌
[root@master dashboard]# kubectl create -f k8s-admin.yaml
serviceaccount/dashboard-admin created
clusterrolebinding.rbac.authorization.k8s.io/dashboard-admin created
[root@master dashboard]# kubectl get secret -n kube-system
NAME                               TYPE                                  DATA   AGE
dashboard-admin-token-p6mbj        kubernetes.io/service-account-token   3      11s
default-token-5rbf4                kubernetes.io/service-account-token   3      9d
kubernetes-dashboard-certs         Opaque                                0      6m14s
kubernetes-dashboard-key-holder    Opaque                                2      6m14s
kubernetes-dashboard-token-xm2lm   kubernetes.io/service-account-token   3      5m46s
kuboard-user-token-99c7z           kubernetes.io/service-account-token   3      8d
kuboard-viewer-token-nnhwq         kubernetes.io/service-account-token   3      8d

//查看token(该token拥有cluster-admin权限,等同于集群管理员密码,不要贴到博客、截图或日志里;一旦泄露,应删除对应的secret或ServiceAccount使其失效)
[root@master dashboard]# kubectl describe secret dashboard-admin-token-p6mbj -n kube-system

token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.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.T05TDtcbo9iG5H4A47L6iutla8BJDtkQE18RXflsJKHJicmWZJHMoGsCGde9A1hEwjT8rMEEwaDvHf4ncwoan4Njg4bqU49JvbUp5J8zZHjLjsuP7tq1xoRquUDcJJV4QFdKTEokHiDs6MOCamnBgfehMA1M-O0ttsDN4x8mEVJw5X4IIF-3OAjD5F1qmI6xoElpbL4ezKmnpL80tDAVGeZLh82KzQzHgbNK6wdTDybnd9hBASNM7IbbHO4o0okdMdNkreHrhvm6G1L52Sq8y_FlflGBuCF9plvQj8vhUb3dVbzAobYIM798dOYZhz8FyxqAyv4AiPqG0HaafIgbHg

//查看kube-system所有资源,注意这里看到的资源名字会多一个 <资源类型/>
[root@master ~]# kubectl get all -n kube-system
NAME                                        READY   STATUS    RESTARTS   AGE
pod/kubernetes-dashboard-65f974f565-826hj   1/1     Running   0          128m	"web2"
pod/kuboard-78bcb484bc-6lxzm                1/1     Running   0          8d     "web1"

NAME                           TYPE       CLUSTER-IP   EXTERNAL-IP   PORT(S)         AGE
service/kubernetes-dashboard   NodePort   10.0.0.233   <none>        443:30001/TCP   127m
service/kuboard                NodePort   10.0.0.185   <none>        80:32567/TCP    8d

NAME                                   DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/kubernetes-dashboard   1         1         1            1           128m
deployment.apps/kuboard                1         1         1            1           8d

NAME                                              DESIRED   CURRENT   READY   AGE
replicaset.apps/kubernetes-dashboard-65f974f565   1         1         1       128m
replicaset.apps/kuboard-78bcb484bc                1         1         1       8d

//查看service服务
[root@master dashboard2]# kubectl get svc -n kube-system -o wide
NAME                   TYPE       CLUSTER-IP   EXTERNAL-IP   PORT(S)         AGE     SELECTOR
kubernetes-dashboard   NodePort   10.0.0.233   <none>        443:30001/TCP   6h26m   k8s-app=kubernetes-dashboard
kuboard                NodePort   10.0.0.185   <none>        80:32567/TCP    8d      k8s.kuboard.cn/layer=monitor,k8s.kuboard.cn/name=kuboard

//查看证书资源
[root@master dashboard2]# kubectl get secret -n kube-system -o wide
NAME                               TYPE                                  DATA   AGE
dashboard-admin-token-p6mbj        kubernetes.io/service-account-token   3      6h23m
default-token-5rbf4                kubernetes.io/service-account-token   3      9d
kubernetes-dashboard-certs         Opaque                                11     26m
kubernetes-dashboard-key-holder    Opaque                                2      6h29m
kubernetes-dashboard-token-mpft7   kubernetes.io/service-account-token   3      25m
kuboard-user-token-99c7z           kubernetes.io/service-account-token   3      8d
kuboard-viewer-token-nnhwq         kubernetes.io/service-account-token   3      8d

//查看pod资源
[root@master dashboard2]# kubectl get pod -n kube-system -o wide
NAME                                    READY   STATUS    RESTARTS   AGE   IP            NODE              NOMINATED NODE
kubernetes-dashboard-7dffbccd68-k62p8   1/1     Running   0          25m   172.17.96.7   192.168.100.180   <none>
kuboard-78bcb484bc-6lxzm                1/1     Running   0          8d    172.17.71.4   192.168.100.190   <none>
//以上可以看出 pod资源会被分配到下面各个节点,而secret和service资源不会分配到节点

//节点查看
[root@node1 ~]# docker ps -a
CONTAINER ID        IMAGE                                                                 COMMAND                  CREATED             STATUS                  PORTS               NAMES
32151b0d6e02        784cf2722f44                                                          "/dashboard --insecu…"   28 minutes ago      Up 28 minutes                               k8s_kubernetes-dashboard_kubernetes-dashboard-7dffbccd68-k62p8_kube-system_df252093-0973-11eb-b240-000c299fee79_0
5846bae9d0cf        registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0   "/pause"                 28 minutes ago      Up 28 minutes                               k8s_POD_kubernetes-dashboard-7dffbccd68-k62p8_kube-system_df252093-0973-11eb-b240-000c299fee79_0
44370f163cf9        tomcat                                                                "catalina.sh run"        8 days ago          Up 8 days                                   k8s_tomcat_tomcat-5496486897-hfsmt_default_37d97252-02cb-11eb-b567-000c29a0cac9_0
4127b9764900        registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0   "/pause"                 8 days ago          Up 8 days                                   k8s_POD_tomcat-5496486897-hfsmt_default_37d

[root@node2 ~]# docker ps -a
CONTAINER ID        IMAGE                                                                 COMMAND                  CREATED             STATUS              PORTS               NAMES
7d8e03cc3eb1        httpd                                                                 "httpd-foreground"       8 days ago          Up 8 days                               k8s_apache_apache-7f7d9c5d59-7cxc9_default_dc1177ef-02cb-11eb-b567-000c29a0cac9_0
f74805406e74        registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0   "/pause"                 8 days ago          Up 8 days                               k8s_POD_apache-7f7d9c5d59-7cxc9_default_dc1177e

//节点里也没有service、secret的信息,节点里只有两个dashboard的容器


  • Edg浏览器和谷歌浏览器访问dashboard问题:


  • 解决: 创建自签证书
//修改dashboard核心配置文件
[root@master dashboard2]# vim dashboard-controller.yaml 
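# ServiceAccount the Dashboard pod runs as.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    addonmanager.kubernetes.io/mode: Reconcile
  name: kubernetes-dashboard
  namespace: kube-system
---
# Dashboard Deployment, now pointed at a CA-issued certificate and key that
# are delivered through the kubernetes-dashboard-certs secret.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
    spec:
      priorityClassName: system-cluster-critical
      containers:
      - name: kubernetes-dashboard
        # NOTE(review): mutable tag from a third-party repository; verify
        # provenance and pin by digest.
        image: siriuszg/kubernetes-dashboard-amd64:v1.8.3
        resources:
          limits:
            cpu: 100m
            memory: 300Mi
          requests:
            cpu: 50m
            memory: 100Mi
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          # PLATFORM-SPECIFIC ARGS HERE
          # NOTE(review): auto-generation is left enabled next to explicit
          # certificate files; confirm for this Dashboard version which one
          # wins, and drop the flag if the supplied files should always be used.
          - --auto-generate-certificates
          # Private key and certificate file names. They are relative paths,
          # presumably resolved against the certificate directory mounted at
          # /certs below; the names must match the keys stored in the secret.
          - --tls-key-file=dashboard-key.pem
          - --tls-cert-file=dashboard.pem
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
        - name: tmp-volume
          mountPath: /tmp
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      tolerations:
      - key: "CriticalAddonsOnly"
        operator: "Exists"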
        
[root@master dashboard2]# cat dashboard-cert.sh 
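#!/usr/bin/env bash
# dashboard-cert.sh - issue a TLS certificate for the Dashboard from the
# cluster CA and store it in the kubernetes-dashboard-certs secret.
#
# Usage: bash dashboard-cert.sh <ca-dir>
#   <ca-dir> must contain ca.pem, ca-key.pem and ca-config.json
#   (the author's cluster keeps them in /root/k8s/k8s-cert/).
set -euo pipefail

# Directory holding the cluster CA material; abort early if it was not given,
# otherwise cfssl would be pointed at /ca.pem, /ca-key.pem, ...
K8S_CA=${1:?usage: dashboard-cert.sh <ca-dir>}

# Keep the generated private key unreadable for other local users.
umask 077

# NOTE(review): "hosts" is empty, so the certificate carries no subject
# alternative names and cfssl warns that it is unsuitable for websites.
# List the node IPs / DNS names used to reach the Dashboard here if browsers
# are expected to validate the certificate.
cat > dashboard-csr.json <<EOF
{
   "CN": "Dashboard",
   "hosts": [],
   "key": {
       "algo": "rsa",
       "size": 2048
   },
   "names": [
       {
           "C": "CN",
           "L": "BeiJing",
           "ST": "BeiJing"
       }
   ]
}
EOF

# Sign the CSR with the cluster CA; cfssljson writes dashboard.pem,
# dashboard-key.pem and dashboard.csr into the current directory.
cfssl gencert \
  -ca="${K8S_CA}/ca.pem" \
  -ca-key="${K8S_CA}/ca-key.pem" \
  -config="${K8S_CA}/ca-config.json" \
  -profile=kubernetes \
  dashboard-csr.json | cfssljson -bare dashboard

# Replace the secret mounted at /certs. Only the certificate and its key are
# uploaded: --from-file=./ would copy every file in this directory (manifests,
# the CSR, this script) into the secret and therefore into the pod.
kubectl delete secret kubernetes-dashboard-certs -n kube-system --ignore-not-found
kubectl create secret generic kubernetes-dashboard-certs \
  --from-file=dashboard.pem \
  --from-file=dashboard-key.pem \
  -n kube-system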

[root@master dashboard2]# bash dashboard-cert.sh /root/k8s/k8s-cert/
2020/10/08 20:12:00 [INFO] generate received request
2020/10/08 20:12:00 [INFO] received CSR
2020/10/08 20:12:00 [INFO] generating key: rsa-2048
2020/10/08 20:12:01 [INFO] encoded CSR
2020/10/08 20:12:01 [INFO] signed certificate with serial number 309539057863070921682777361742531447433771414641
2020/10/08 20:12:01 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
secret "kubernetes-dashboard-certs" deleted
secret/kubernetes-dashboard-certs created

//会生成这四个文件:dashboard.csr(证书签名请求)、dashboard-csr.json(CSR配置)、dashboard-key.pem(私钥)、dashboard.pem(证书)

[root@master dashboard2]# ls
dashboard-cert.sh          dashboard.csr       dashboard.pem          dashboard-service.yaml
dashboard-configmap.yaml   dashboard-csr.json  dashboard-rbac.yaml    k8s-admin.yaml
dashboard-controller.yaml  dashboard-key.pem   dashboard-secret.yaml

//重新加载资源配置
[root@master dashboard2]# kubectl apply -f dashboard-controller.yaml
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
serviceaccount/kubernetes-dashboard configured
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
deployment.apps/kubernetes-dashboard configured

//查看证书
[root@master dashboard2]# kubectl get secret -n kube-system
NAME                               TYPE                                  DATA   AGE
dashboard-admin-token-p6mbj        kubernetes.io/service-account-token   3      6h2m
default-token-5rbf4                kubernetes.io/service-account-token   3      9d
...
//查看token,复制令牌
[root@master dashboard2]# kubectl describe secret dashboard-admin-token-p6mbj -n kube-system
