dashboard是k8s的可視化管理平台,是三種管理k8s集群方法之一
首先下載鏡像上傳到我們的私有倉庫中:hdss7-200
# docker pull k8scn/kubernetes-dashboard-amd64:v1.8.3
# docker tag fcac9aa03fd6 harbor.od.com/public/dashboard:v1.8.3
# docker push harbor.od.com/public/dashboard:v1.8.3
編輯dashboard資源配置清單:
1、rbac.yaml
# vi rbac.yaml
# mkdir -p /data/k8s-yaml/dashboard # cd /data/k8s-yaml/dashboard
apiVersion: v1 kind: ServiceAccount metadata: labels: k8s-app: kubernetes-dashboard addonmanager.kubernetes.io/mode: Reconcile name: kubernetes-dashboard-admin namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kubernetes-dashboard-admin namespace: kube-system labels: k8s-app: kubernetes-dashboard addonmanager.kubernetes.io/mode: Reconcile roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: kubernetes-dashboard-admin namespace: kube-system
2、dp.yaml
# vi dp.yaml
apiVersion: apps/v1 kind: Deployment metadata: name: kubernetes-dashboard namespace: kube-system labels: k8s-app: kubernetes-dashboard kubernetes.io/cluster-service: "true" addonmanager.kubernetes.io/mode: Reconcile spec: selector: matchLabels: k8s-app: kubernetes-dashboard template: metadata: labels: k8s-app: kubernetes-dashboard annotations: scheduler.alpha.kubernetes.io/critical-pod: '' spec: priorityClassName: system-cluster-critical containers: - name: kubernetes-dashboard image: harbor.od.com/public/dashboard:v1.8.3 resources: limits: cpu: 100m memory: 300Mi requests: cpu: 50m memory: 100Mi ports: - containerPort: 8443 protocol: TCP args: # PLATFORM-SPECIFIC ARGS HERE - --auto-generate-certificates volumeMounts: - name: tmp-volume mountPath: /tmp livenessProbe: httpGet: scheme: HTTPS path: / port: 8443 initialDelaySeconds: 30 timeoutSeconds: 30 volumes: - name: tmp-volume emptyDir: {} serviceAccountName: kubernetes-dashboard-admin tolerations: - key: "CriticalAddonsOnly" operator: "Exists"
3、svc.yaml
# vi svc.yaml
apiVersion: v1 kind: Service metadata: name: kubernetes-dashboard namespace: kube-system labels: k8s-app: kubernetes-dashboard kubernetes.io/cluster-service: "true" addonmanager.kubernetes.io/mode: Reconcile spec: selector: k8s-app: kubernetes-dashboard ports: - port: 443 targetPort: 8443
4、ingress.yaml
# vi ingress.yaml
apiVersion: extensions/v1beta1 kind: Ingress metadata: name: kubernetes-dashboard namespace: kube-system annotations: kubernetes.io/ingress.class: traefik spec: rules: - host: dashboard.od.com http: paths: - backend: serviceName: kubernetes-dashboard servicePort: 443
創建資源:任意node
# kubectl create -f http://k8s-yaml.od.com/dashboard/rbac.yaml # kubectl create -f http://k8s-yaml.od.com/dashboard/dp.yaml # kubectl create -f http://k8s-yaml.od.com/dashboard/svc.yaml # kubectl create -f http://k8s-yaml.od.com/dashboard/ingress.yaml
添加域名解析:
# vi /var/named/od.com.zone
dashboard A 10.4.7.10
# systemctl restart named
通過瀏覽器訪問:
美好的點點點運維開始了~
但是,我們可以看到我們安裝1.8版本的dashboard,默認是可以跳過驗證的:
很顯然,跳過登錄,是不科學的,因為我們在配置dashboard的rbac權限時,綁定的角色是system:admin,這個是集群管理員的角色,權限很大,所以這里我們把版本換成1.10以上版本
下載1.10.1版本:
# docker pull loveone/kubernetes-dashboard-amd64:v1.10.1
# docker tag f9aed6605b81 harbor.od.com/public/dashboard:v1.10.1
# docker push harbor.od.com/public/dashboard:v1.10.1
修改dp.yaml重新應用,我直接用edit修改了,沒有使用apply
# kubectl edit deploy kubernetes-dashboard -n kube-system
等待滾動發布完成后,在刷新dashboard頁面:
可以看到這里原來的skip跳過已經沒有了,我們如果想登陸,必須輸入token,那我們如何獲取token呢:
# kubectl get secret -n kube-system
# kubectl describe secret kubernetes-dashboard-admin-token-pg77n -n kube-system
這樣我們就拿到了token,接下來我們試試能不能登錄:
我們發現我們還是無法登錄,原因是必須使用https登錄,接下來我們需要申請證書:
接下來我們申請證書:
依然使用cfssl來申請證書:hdss7-200
# cd /opt/certs/
# vi dashboard-csr.json
{ "CN": "*.od.com", "hosts": [ ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "beijing", "L": "beijing", "O": "od", "OU": "ops" } ] }
# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server dashboard-csr.json |cfssl-json -bare dashboard
然后拷貝到我們nginx的服務器上:7-11 7-12 都需要
# cd /etc/nginx/ # mkdir certs # cd certs # scp hdss7-200:/opt/cert/dash* ./
# cd /etc/nginx/conf.d/
# vi dashboard.od.com.conf
server { listen 80; server_name dashboard.od.com; rewrite ^(.*)$ https://${server_name}$1 permanent; } server { listen 443 ssl; server_name dashboard.od.com; ssl_certificate "certs/dashboard.pem"; ssl_certificate_key "certs/dashboard-key.pem"; ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; location / { proxy_pass http://default_backend_traefik; proxy_set_header Host $http_host; proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for; } }
# nginx -t
# nginx -s reload
然后刷新頁面:雖然證書無效(因為是自簽證書),但是已經是https了,試下我們剛才的token能不能登錄了
可以登錄了~
登錄是登錄了,但是我們要思考一個問題,我們使用rbac授權來訪問dashboard,如何做到權限精細化呢?比如開發,只能看,不能摸,不同的項目組,看到的資源應該是不一樣的,測試看到的應該是測試相關的資源。
我們在下一章詳解sa授權和ua授權。