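Dashboard is the web UI for Kubernetes. With Kubernetes Dashboard, users can deploy containerized applications, monitor them, manage the cluster itself, and view the running state of the applications in the cluster.
1. Download the YAML configuration file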
wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
2. Create a dedicated secret for the dashboard
When the dashboard is accessed from a browser, the secret in the default file causes problems, so we need to create our own certificate for authentication.
a) Create the certificate signing request file
[root@k8s-master01 ~]# vim /opt/k8s/certs/dashboard-csr.json
{
    "CN": "k8s-dashboard",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "ShangHai",
            "L": "ShangHai",
            "O": "k8s-dashboard",
            "OU": "System"
        }
    ]
}
b) Generate the certificate
[root@k8s-master01 certs]# cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem \
    -ca-key=/etc/kubernetes/ssl/ca-key.pem \
    -config=/opt/k8s/certs/ca-config.json \
    -profile=kubernetes dashboard-csr.json | cfssljson -bare k8s-dashboard
2019/05/07 16:45:48 [INFO] generate received request
2019/05/07 16:45:48 [INFO] received CSR
2019/05/07 16:45:48 [INFO] generating key: rsa-2048
2019/05/07 16:45:48 [INFO] encoded CSR
2019/05/07 16:45:48 [INFO] signed certificate with serial number 443069371958574919693024095101339074526175227131
2019/05/07 16:45:48 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
c) Create the secret
[root@k8s-master01 certs]# kubectl create secret generic kubernetes-dashboard-certs --from-file=dashboard.key=./k8s-dashboard-key.pem --from-file=dashboard.crt=./k8s-dashboard.pem -n kube-system
3. Modify the YAML file
In the downloaded manifest, the image address is not reachable, and the default secret also needs to be commented out.
[root@k8s-master01 ~]# vim /opt/dashboard/kubernetes-dashboard.yaml
## Three changes
### Comment out the default secret configuration
# ------------------- Dashboard Secret ------------------- #

#apiVersion: v1
#kind: Secret
#metadata:
#  labels:
#    k8s-app: kubernetes-dashboard
#  name: kubernetes-dashboard-certs
#  namespace: kube-system
#type: Opaque

### Change k8s.gcr.io to registry.cn-hangzhou.aliyuncs.com/google_containers
...
        image: registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
...
#---
### Add NodePort mode to the service
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
4. Create the resources from the manifest
[root@k8s-master01 dashboard]# kubectl apply -f kubernetes-dashboard.yaml
### Check the pods; kubernetes-dashboard-5d9599dc98-qbpkb is already running
[root@k8s-master01 ~]# kubectl get pod -n kube-system
NAME                                       READY   STATUS    RESTARTS   AGE
calico-kube-controllers-75569d87d7-tpjq5   1/1     Running   5          7d3h
calico-node-bmpbd                          1/1     Running   5          7d3h
calico-node-dms6w                          1/1     Running   6          7d3h
calico-node-f2xcp                          1/1     Running   3          7d
calico-node-mxc5h                          1/1     Running   3          7d
calico-node-zzbqn                          1/1     Running   3          7d
coredns-55f46dd959-9v98d                   1/1     Running   5          7d3h
coredns-55f46dd959-krcsq                   1/1     Running   6          7d3h
kubernetes-dashboard-5d9599dc98-qbpkb      1/1     Running   0          77s
tiller-deploy-6d54f974dc-fmgk5             1/1     Running   6          7d3h
### Check the svc; external port: 30721
[root@k8s-master01 ~]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                  AGE
kube-dns               ClusterIP   10.254.0.2       <none>        53/UDP,53/TCP,9153/TCP   7d3h
kubernetes-dashboard   NodePort    10.254.188.109   <none>        443:30721/TCP            5m54s
tiller-deploy          ClusterIP   10.254.20.131    <none>        44134/TCP                7d3h
5. Create a cluster administrator account
Once the dashboard is deployed, we need to create an account before we can log in.
a) Create the serviceaccount used to log in to the dashboard
[root@k8s-master01 ~]# kubectl create serviceaccount dashboard-admin -n kube-system
b) Create a clusterrolebinding that binds the clusterrole named cluster-admin to the serviceaccount we just created; the namespace and the sa are separated by a colon (:)
[root@k8s-master01 ~]# kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
c) View the secret
After the clusterrolebinding has been created, the system automatically creates a secret whose name starts with the serviceaccount name.
[root@k8s-master01 ~]# kubectl get secret -n kube-system|grep dashboard-admin
dashboard-admin-token-8rkds   kubernetes.io/service-account-token   3   111s
d) Get the token
[root@k8s-master01 ~]# kubectl describe secret dashboard-admin-token-8rkds -n kube-system
Name:         dashboard-admin-token-8rkds
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: dashboard-admin
              kubernetes.io/service-account.uid: 797f6a81-70a6-11e9-be01-000c29d932a4

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1363 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9...qoVBiN0SPcvTTOXNwCo7moLVeR8FlQ2fJpAts_eAeFacqj_E8CzmgSgk15QLl5JDuSIvKMrZYgvq4Ei9AlmvJr80z_4HfMD2rwCMq3BoaIzlG-Pq44mnnPWO36p2885roPf11bW--VKzlugFpXCYRCSKwpPORb4kH-FiqvE65v3AA_9fo4WtgG1HO5w94cBmE_DqWcrtuNaKcwDpEXkJJtcmDVqQ978Jpuaw-YkS0aMOLbkVJ-tRjgQxYINtBhT29TxT0aS-4kOm9hXbSFAy84ss8pOEIPNmFmWxqwxNHyFT6gXiDaI-4KydSSb88JXi18PJfVJyV0GM3Pm8JkbwLw
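6. Log in to the dashboard
HTTPS must be used. There are two login methods; here we use the token method, with the token obtained in the previous step.
Access URL:
https://10.10.0.17:30721 (any node IP works as the address; the port is the host port that the dashboard service is mapped to)
Choose token login, enter the token value obtained in the previous step, and log in.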

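At this point the Dashboard is deployed and a cluster administrator account has been created for login, so the cluster can be managed through it.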