K8S----Dashboard
环境: K8s群集搭建完成
[root@master ~]# mkdir dashboard2
[root@master ~]# cd dashboard2
//上传dashboard的模块文件
[root@master dashboard]# rz -E
rz waiting to receive.
[root@master dashboard]# ls
dashboard-configmap.yaml dashboard-rbac.yaml k8s-admin.yaml
dashboard-controller.yaml dashboard-secret.yaml dashboard-service.yaml
//查看 rbac(基于角色的访问控制)配置:这是 dashboard 自身 ServiceAccount 所用的最小权限 Role,与后面登录用的 dashboard-admin 账户无关
[root@master dashboard2]# cat dashboard-rbac.yaml
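# dashboard-rbac.yaml — least-privilege Role for the Dashboard's own
# ServiceAccount. It is namespaced to kube-system and only touches the
# Dashboard's own Secrets/ConfigMap plus the heapster proxy endpoints.
# This is NOT the identity you log in with; login uses a separate
# ServiceAccount token (see k8s-admin.yaml).
kind: Role                                   # resource type: Role (namespaced)
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard            # resource label
    addonmanager.kubernetes.io/mode: Reconcile
  name: kubernetes-dashboard-minimal         # resource name
  namespace: kube-system                     # namespace
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
    verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding                            # binds the Role above to the SA
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
    addonmanager.kubernetes.io/mode: Reconcile
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system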
[root@master dashboard2]# cat dashboard-secret.yaml
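# dashboard-secret.yaml — the two Opaque Secrets the Dashboard expects to
# exist in kube-system. Both are created empty here.
apiVersion: v1
kind: Secret                                  # resource type: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    # Allows editing resource and makes sure it is created first.
    addonmanager.kubernetes.io/mode: EnsureExists
  # Mounted at /certs by the Deployment. Stays empty until filled with the
  # TLS cert/key (see dashboard-cert.sh); the Role grants the Dashboard
  # get/update/delete on it.
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    # Allows editing resource and makes sure it is created first.
    addonmanager.kubernetes.io/mode: EnsureExists
  # Appears to be populated by the Dashboard itself at runtime — treat as
  # Dashboard-internal key material and do not edit by hand.
  name: kubernetes-dashboard-key-holder
  namespace: kube-system
type: Opaque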
[root@master dashboard2]# cat dashboard-controller.yaml
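# dashboard-controller.yaml — the Dashboard's ServiceAccount and Deployment.
apiVersion: v1
kind: ServiceAccount                          # identity the Dashboard pod runs as
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    addonmanager.kubernetes.io/mode: Reconcile
  name: kubernetes-dashboard
  namespace: kube-system
---
apiVersion: apps/v1
kind: Deployment                              # stateless workload
metadata:
  name: kubernetes-dashboard                  # name of the Dashboard's core pod(s)
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:                                         # resource spec
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:                                   # pod template
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
        # Alpha-era seccomp annotation; newer clusters expect
        # securityContext.seccompProfile instead — revisit on upgrade.
        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
    spec:                                     # pod spec
      priorityClassName: system-cluster-critical
      containers:
        - name: kubernetes-dashboard
          # NOTE(review): this looks like a personal Docker Hub mirror of the
          # Dashboard image, not the upstream registry, and v1.8.3 is an old
          # release (it predates the fix for CVE-2018-18264, an authentication
          # bypass reported fixed in 1.10.1). Prefer the official image, a
          # maintained version, and pin by digest (image@sha256:...) so the tag
          # cannot be silently re-pushed.
          image: siriuszg/kubernetes-dashboard-amd64:v1.8.3
          resources:                          # resource allocation
            limits:
              cpu: 100m                       # max 0.1 CPU core
              memory: 300Mi                   # max 300 MiB memory
            requests:
              cpu: 50m                        # requested resources
              memory: 100Mi
          ports:
            - containerPort: 8443             # HTTPS; targeted by the Service
              protocol: TCP
          args:
            # PLATFORM-SPECIFIC ARGS HERE
            # With nothing else in /certs the Dashboard serves a self-signed
            # certificate that browsers will not trust.
            - --auto-generate-certificates
          volumeMounts:                       # mounted volumes
            - name: kubernetes-dashboard-certs
              mountPath: /certs               # mount point for the TLS Secret
            - name: tmp-volume
              mountPath: /tmp                 # scratch space
          livenessProbe:                      # liveness probe
            httpGet:                          # probe type: HTTP GET
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30           # initial delay
            timeoutSeconds: 30
      volumes:                                # volumes provided to the pod
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}                        # empty directory on the node
      serviceAccountName: kubernetes-dashboard
      tolerations:
        - key: "CriticalAddonsOnly"
          operator: "Exists"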
[root@master dashboard2]# cat dashboard-service.yaml
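# dashboard-service.yaml — exposes the Dashboard on a NodePort.
apiVersion: v1
kind: Service                                 # resource type: Service
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:                                     # resource labels
    k8s-app: kubernetes-dashboard
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:                                         # resource spec
  # NodePort opens 30001 on every node's IP, so the login page is reachable
  # from anywhere that can reach a node. Firewall the port to trusted
  # networks, or switch to type: ClusterIP and reach it via `kubectl proxy`.
  type: NodePort                              # exposure type
  selector:
    k8s-app: kubernetes-dashboard
  ports:
    - port: 443
      targetPort: 8443                        # container's HTTPS port
      nodePort: 30001                         # externally exposed port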
//创建角色
[root@master dashboard]# kubectl create -f dashboard-rbac.yaml
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
//创建两个空的 secret(此时 kubernetes-dashboard-certs 的 DATA 为 0,并不包含证书;证书由 dashboard 自动生成,或在后面用 dashboard-cert.sh 写入)
[root@master dashboard]# kubectl create -f dashboard-secret.yaml
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-key-holder created
//创建配置文件
[root@master dashboard]# kubectl create -f dashboard-configmap.yaml
configmap/kubernetes-dashboard-settings created
//创建核心资源
[root@master dashboard]# kubectl create -f dashboard-controller.yaml
serviceaccount/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
//创建dashboard服务
[root@master dashboard]# kubectl create -f dashboard-service.yaml
service/kubernetes-dashboard created
[root@master dashboard]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
kubernetes-dashboard-65f974f565-826hj 0/1 ContainerCreating 0 111s
kuboard-78bcb484bc-6lxzm 1/1 Running 0 8d "主要看上面一个,上面一个是刚创建的, kuboard-78bcb484bc-6lxzm这个是之前创建的kuboard资源,也是K8S的Web界面,具体可以看上面一篇博客"
[root@master dashboard]# kubectl get pods,svc -n kube-system -o wide
"pods信息"
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE
pod/kubernetes-dashboard-65f974f565-826hj 0/1 ContainerCreating 0 3m43s <none> 192.168.100.180 <none>
pod/kuboard-78bcb484bc-6lxzm 1/1 Running 0 8d 172.17.71.4 192.168.100.190 <none>
"svc信息"
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service/kubernetes-dashboard NodePort 10.0.0.233 <none> 443:30001/TCP 2m5s k8s-app=kubernetes-dashboard
service/kuboard NodePort 10.0.0.185 <none> 80:32567/TCP 8d k8s.kuboard.cn/layer=monitor,k8s.kuboard.cn/name=kuboard
[root@master dashboard]# ls
dashboard-configmap.yaml dashboard-rbac.yaml dashboard-service.yaml
dashboard-controller.yaml dashboard-secret.yaml k8s-admin.yaml
[root@master dashboard]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
kubernetes-dashboard-65f974f565-826hj 1/1 Running 0 5m23s
kuboard-78bcb484bc-6lxzm 1/1 Running 0 8d
创建token令牌登录
#Service Account为Pod中的进程和外部用户提供身份信息。所有的kubernetes集群中账户分为两类,Kubernetes管理的serviceaccount(服务账户): pod --> 访问--> apiserver 和useraccount(用户账户): 客户端--> 访问-->apiserver
#RoleBinding 可以将角色中定义的权限授予用户或用户组。RoleBinding 包含一组主体列表(subjects),主体可以是 users、groups 或 service accounts;权限本身来自 roleRef 所引用的 Role/ClusterRole。RoleBinding 适用于某个命名空间内授权,而 ClusterRoleBinding 适用于集群范围内的授权。
[root@master dashboard2]# cat k8s-admin.yaml
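# k8s-admin.yaml — a ServiceAccount whose token is used to log in to the
# Dashboard, bound to the built-in cluster-admin ClusterRole.
apiVersion: v1
kind: ServiceAccount                          # resource type: ServiceAccount
metadata:
  name: dashboard-admin                       # resource name
  namespace: kube-system                      # namespace
---
kind: ClusterRoleBinding                      # cluster-wide binding
# rbac.authorization.k8s.io/v1 is what the other manifests in this set use
# (and what the cluster already accepted); v1beta1 is deprecated and was
# removed in Kubernetes 1.22.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dashboard-admin                       # resource name
subjects:                                     # who receives the role
  - kind: ServiceAccount                      # subject type
    name: dashboard-admin                     # account name
    namespace: kube-system                    # account namespace
roleRef:
  kind: ClusterRole
  # SECURITY: cluster-admin is unrestricted. Whoever holds this SA's token,
  # or reaches the NodePort Dashboard with it, controls the whole cluster.
  # For routine use bind a narrower ClusterRole (e.g. view) or a namespaced
  # Role, treat the token like a root credential, and never publish it.
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io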
//创建 dashboard-admin 服务账户并绑定 cluster-admin(apiserver 会为该账户自动生成 token 类型的 secret,见下面的 dashboard-admin-token-*)
[root@master dashboard]# kubectl create -f k8s-admin.yaml
serviceaccount/dashboard-admin created
clusterrolebinding.rbac.authorization.k8s.io/dashboard-admin created
[root@master dashboard]# kubectl get secret -n kube-system
NAME TYPE DATA AGE
dashboard-admin-token-p6mbj kubernetes.io/service-account-token 3 11s
default-token-5rbf4 kubernetes.io/service-account-token 3 9d
kubernetes-dashboard-certs Opaque 0 6m14s
kubernetes-dashboard-key-holder Opaque 2 6m14s
kubernetes-dashboard-token-xm2lm kubernetes.io/service-account-token 3 5m46s
kuboard-user-token-99c7z kubernetes.io/service-account-token 3 8d
kuboard-viewer-token-nnhwq kubernetes.io/service-account-token 3 8d
//查看token(注意:该令牌等同于 cluster-admin 凭据,不要贴到博客或公开文档中;已公开的令牌应视为泄露,删除对应的 dashboard-admin-token-* secret 后控制器会重新生成新令牌)
[root@master dashboard]# kubectl describe secret dashboard-admin-token-p6mbj -n kube-system
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.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.T05TDtcbo9iG5H4A47L6iutla8BJDtkQE18RXflsJKHJicmWZJHMoGsCGde9A1hEwjT8rMEEwaDvHf4ncwoan4Njg4bqU49JvbUp5J8zZHjLjsuP7tq1xoRquUDcJJV4QFdKTEokHiDs6MOCamnBgfehMA1M-O0ttsDN4x8mEVJw5X4IIF-3OAjD5F1qmI6xoElpbL4ezKmnpL80tDAVGeZLh82KzQzHgbNK6wdTDybnd9hBASNM7IbbHO4o0okdMdNkreHrhvm6G1L52Sq8y_FlflGBuCF9plvQj8vhUb3dVbzAobYIM798dOYZhz8FyxqAyv4AiPqG0HaafIgbHg
//查看kube-system所有资源,注意这里看到的资源名字会多一个 <资源类型/>
[root@master ~]# kubectl get all -n kube-system
NAME READY STATUS RESTARTS AGE
pod/kubernetes-dashboard-65f974f565-826hj 1/1 Running 0 128m "web2"
pod/kuboard-78bcb484bc-6lxzm 1/1 Running 0 8d "web1"
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes-dashboard NodePort 10.0.0.233 <none> 443:30001/TCP 127m
service/kuboard NodePort 10.0.0.185 <none> 80:32567/TCP 8d
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
deployment.apps/kubernetes-dashboard 1 1 1 1 128m
deployment.apps/kuboard 1 1 1 1 8d
NAME DESIRED CURRENT READY AGE
replicaset.apps/kubernetes-dashboard-65f974f565 1 1 1 128m
replicaset.apps/kuboard-78bcb484bc 1 1 1 8d
//查看service服务
[root@master dashboard2]# kubectl get svc -n kube-system -o wide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
kubernetes-dashboard NodePort 10.0.0.233 <none> 443:30001/TCP 6h26m k8s-app=kubernetes-dashboard
kuboard NodePort 10.0.0.185 <none> 80:32567/TCP 8d k8s.kuboard.cn/layer=monitor,k8s.kuboard.cn/name=kuboard
//查看 secret 资源(注意 kubernetes-dashboard-certs 的 DATA 从 0 变成了 11:dashboard-cert.sh 里的 --from-file=./ 把当前目录下的所有文件都打进了 secret,而不只是证书和私钥)
[root@master dashboard2]# kubectl get secret -n kube-system -o wide
NAME TYPE DATA AGE
dashboard-admin-token-p6mbj kubernetes.io/service-account-token 3 6h23m
default-token-5rbf4 kubernetes.io/service-account-token 3 9d
kubernetes-dashboard-certs Opaque 11 26m
kubernetes-dashboard-key-holder Opaque 2 6h29m
kubernetes-dashboard-token-mpft7 kubernetes.io/service-account-token 3 25m
kuboard-user-token-99c7z kubernetes.io/service-account-token 3 8d
kuboard-viewer-token-nnhwq kubernetes.io/service-account-token 3 8d
//查看pod资源
[root@master dashboard2]# kubectl get pod -n kube-system -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE
kubernetes-dashboard-7dffbccd68-k62p8 1/1 Running 0 25m 172.17.96.7 192.168.100.180 <none>
kuboard-78bcb484bc-6lxzm 1/1 Running 0 8d 172.17.71.4 192.168.100.190 <none>
//以上可以看出 pod资源会被分配到下面各个节点,而secret和service资源不会分配到节点
//节点查看
[root@node1 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
32151b0d6e02 784cf2722f44 "/dashboard --insecu…" 28 minutes ago Up 28 minutes k8s_kubernetes-dashboard_kubernetes-dashboard-7dffbccd68-k62p8_kube-system_df252093-0973-11eb-b240-000c299fee79_0
5846bae9d0cf registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0 "/pause" 28 minutes ago Up 28 minutes k8s_POD_kubernetes-dashboard-7dffbccd68-k62p8_kube-system_df252093-0973-11eb-b240-000c299fee79_0
44370f163cf9 tomcat "catalina.sh run" 8 days ago Up 8 days k8s_tomcat_tomcat-5496486897-hfsmt_default_37d97252-02cb-11eb-b567-000c29a0cac9_0
4127b9764900 registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0 "/pause" 8 days ago Up 8 days k8s_POD_tomcat-5496486897-hfsmt_default_37d
[root@node2 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7d8e03cc3eb1 httpd "httpd-foreground" 8 days ago Up 8 days k8s_apache_apache-7f7d9c5d59-7cxc9_default_dc1177ef-02cb-11eb-b567-000c29a0cac9_0
f74805406e74 registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0 "/pause" 8 days ago Up 8 days k8s_POD_apache-7f7d9c5d59-7cxc9_default_dc1177e
//节点里也没有 service 和 secret 的信息,节点里只有两个 dashboard 的容器(一个 pause 容器 + 一个 dashboard 容器)。另外容器命令显示为 "/dashboard --insecu…" 被截断了,建议用 docker inspect 查看完整参数,确认镜像是否还额外监听了明文 HTTP 端口
- Edge 浏览器和谷歌浏览器访问 dashboard 时被证书错误拦截的问题:
- 解决: 用群集 CA 为 dashboard 签发专用证书并挂载(注意下面脚本生成的证书 hosts 为空,cfssl 会警告该证书不适合网站使用;若浏览器仍不信任,需在 hosts 里填入访问 dashboard 所用的节点 IP/域名,并把群集 CA 导入浏览器)
//修改dashboard核心配置文件
[root@master dashboard2]# vim dashboard-controller.yaml
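# dashboard-controller.yaml — the Dashboard's ServiceAccount and Deployment,
# now pointing the Dashboard at the CA-signed cert/key in the certs Secret.
apiVersion: v1
kind: ServiceAccount                          # identity the Dashboard pod runs as
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    addonmanager.kubernetes.io/mode: Reconcile
  name: kubernetes-dashboard
  namespace: kube-system
---
apiVersion: apps/v1
kind: Deployment                              # stateless workload
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:                                   # pod template
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
        # Alpha-era seccomp annotation; newer clusters expect
        # securityContext.seccompProfile instead — revisit on upgrade.
        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
    spec:                                     # pod spec
      priorityClassName: system-cluster-critical
      containers:
        - name: kubernetes-dashboard
          # NOTE(review): this looks like a personal Docker Hub mirror of the
          # Dashboard image, not the upstream registry, and v1.8.3 is an old
          # release (it predates the fix for CVE-2018-18264, an authentication
          # bypass reported fixed in 1.10.1). Prefer the official image, a
          # maintained version, and pin by digest (image@sha256:...).
          image: siriuszg/kubernetes-dashboard-amd64:v1.8.3
          resources:
            limits:
              cpu: 100m
              memory: 300Mi
            requests:
              cpu: 50m
              memory: 100Mi
          ports:
            - containerPort: 8443             # HTTPS; targeted by the Service
              protocol: TCP
          args:
            # PLATFORM-SPECIFIC ARGS HERE
            - --auto-generate-certificates
            # Relative paths: the Dashboard resolves them against its default
            # cert dir (/certs), i.e. the kubernetes-dashboard-certs Secret
            # mounted below, so the Secret must hold keys named exactly
            # dashboard-key.pem and dashboard.pem. When both files are present
            # they should take precedence over the auto-generated cert.
            - --tls-key-file=dashboard-key.pem
            - --tls-cert-file=dashboard.pem
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs               # mount point for the TLS Secret
            - name: tmp-volume
              mountPath: /tmp                 # scratch space
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      tolerations:
        - key: "CriticalAddonsOnly"
          operator: "Exists"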
[root@master dashboard2]# cat dashboard-cert.sh
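#!/usr/bin/env bash
#
# dashboard-cert.sh — issue a TLS certificate for kubernetes-dashboard, signed
# by the cluster CA, and load it into the kubernetes-dashboard-certs Secret
# that the Deployment mounts at /certs.
#
# Usage: bash dashboard-cert.sh <ca-dir> [host ...]
#   <ca-dir>   directory holding ca.pem, ca-key.pem and ca-config.json
#              (for this cluster: /root/k8s/k8s-cert/)
#   host ...   optional DNS names / IPs placed in the certificate's SANs.
#              With none given the "hosts" list is empty, exactly as before,
#              and cfssl warns the cert is unsuitable for websites; pass the
#              node IP / hostname you use to reach NodePort 30001 so browsers
#              can match the certificate to the address.
#
# Needs cfssl, cfssljson and kubectl on PATH and a kubeconfig allowed to
# replace Secrets in kube-system. Output files land in the current directory:
# dashboard.csr, dashboard.pem (cert) and dashboard-key.pem (private key).
set -euo pipefail

die() { printf 'dashboard-cert.sh: %s\n' "$*" >&2; exit 1; }

# Render the body of the JSON "hosts" array from the extra arguments. Each
# entry is restricted to hostname/IP characters so nothing can break out of
# the JSON that is written below.
csr_hosts() {
  local host out=""
  for host in "$@"; do
    [[ "$host" =~ ^[A-Za-z0-9.*:-]+$ ]] || die "invalid host: '$host'"
    out="${out:+$out, }\"$host\""
  done
  printf '%s' "$out"
}

main() {
  local ca_dir=${1:-}
  [[ -n "$ca_dir" ]] || die "usage: $0 <ca-dir> [host ...]"
  shift

  # Fail early with a clear message instead of a cfssl stack trace.
  local name
  for name in ca.pem ca-key.pem ca-config.json; do
    [[ -r "$ca_dir/$name" ]] || die "cannot read $ca_dir/$name"
  done
  for name in cfssl cfssljson kubectl; do
    command -v "$name" >/dev/null || die "$name not found on PATH"
  done

  local hosts
  hosts=$(csr_hosts "$@") || exit 1

  cat > dashboard-csr.json <<EOF
{
  "CN": "Dashboard",
  "hosts": [${hosts}],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
EOF

  # Sign with the cluster CA using the "kubernetes" profile from ca-config.json.
  cfssl gencert \
    -ca="$ca_dir/ca.pem" \
    -ca-key="$ca_dir/ca-key.pem" \
    -config="$ca_dir/ca-config.json" \
    -profile=kubernetes \
    dashboard-csr.json | cfssljson -bare dashboard
  # cfssljson normally writes the key 0600 already; enforce it regardless.
  chmod 600 dashboard-key.pem

  # Replace the Secret. Only the cert and key go in: the previous
  # `--from-file=./` swept every file in the directory (all the manifests,
  # this script, the CSR) into the Secret, which is why it showed 11 entries.
  kubectl delete secret kubernetes-dashboard-certs -n kube-system --ignore-not-found
  kubectl create secret generic kubernetes-dashboard-certs -n kube-system \
    --from-file=dashboard.pem \
    --from-file=dashboard-key.pem
}

main "$@"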
[root@master dashboard2]# bash dashboard-cert.sh /root/k8s/k8s-cert/
2020/10/08 20:12:00 [INFO] generate received request
2020/10/08 20:12:00 [INFO] received CSR
2020/10/08 20:12:00 [INFO] generating key: rsa-2048
2020/10/08 20:12:01 [INFO] encoded CSR
2020/10/08 20:12:01 [INFO] signed certificate with serial number 309539057863070921682777361742531447433771414641
2020/10/08 20:12:01 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
secret "kubernetes-dashboard-certs" deleted
secret/kubernetes-dashboard-certs created
//会生成这四个文件: dashboard-csr.json(签发请求配置)、dashboard.csr(证书签名请求)、dashboard.pem(证书)、dashboard-key.pem(私钥,需妥善保管,不要随目录一起打包进 secret 或提交到仓库)
[root@master dashboard2]# ls
dashboard-cert.sh dashboard.csr dashboard.pem dashboard-service.yaml
dashboard-configmap.yaml dashboard-csr.json dashboard-rbac.yaml k8s-admin.yaml
dashboard-controller.yaml dashboard-key.pem dashboard-secret.yaml
//重新加载资源配置
[root@master dashboard2]# kubectl apply -f dashboard-controller.yaml
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
serviceaccount/kubernetes-dashboard configured
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
deployment.apps/kubernetes-dashboard configured
//查看证书
[root@master dashboard2]# kubectl get secret -n kube-system
NAME TYPE DATA AGE
dashboard-admin-token-p6mbj kubernetes.io/service-account-token 3 6h2m
default-token-5rbf4 kubernetes.io/service-account-token 3 9d
...
//查看token,复制令牌用于登录页的 Token 方式(该令牌具备 cluster-admin 权限,请勿外泄)
[root@master dashboard2]# kubectl describe secret dashboard-admin-token-p6mbj -n kube-system