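The Kubernetes web UI
Official documentation: https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/
Installation again only requires applying a YAML file. If you install with the official default file, you then have to run the kubectl proxy command on the client machine before the UI can be accessed.
Here the NodePort approach is used instead; Kubernetes version v1.17.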
- Download the configuration file

    # wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta8/aio/deploy/recommended.yaml
- Modify the configuration

    kind: Service
    apiVersion: v1
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard
      namespace: kubernetes-dashboard
    spec:
      type: NodePort          # added: Service type
      ports:
        - port: 443
          targetPort: 8443
          nodePort: 32567     # added: node port
      selector:
        k8s-app: kubernetes-dashboard
- Create the Service

    kubectl apply -f recommended.yaml
    # after a successful install, check the Service status
    kubectl get svc --all-namespaces

- Because of a certificate expiry problem, the Dashboard can only be opened in Firefox at this point. To fix this, regenerate the certificate; reference: https://www.cnblogs.com/panwenbin-logs/p/10052554.html

    # cd /etc/kubernetes/pki/
    # (umask 077; openssl genrsa -out dashboard.key 2048)   # generate the private key for the certificate
    Generating RSA private key, 2048 bit long modulus
    ............................................................................................+++
    .............+++
    e is 65537 (0x10001)
    # openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=qiangungun/CN=kubernetes-dashboard"   # create the certificate signing request
    # openssl x509 -req -in dashboard.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dashboard.crt -days 3650   # sign the certificate with the cluster CA
    Signature ok
    subject=/O=qiangungun/CN=kubernetes-dashboard
    Getting CA Private Key
    # kubectl create secret generic kubernetes-dashboard-certs --from-file=dashboard.crt=./dashboard.crt --from-file=dashboard.key=./dashboard.key -n kubernetes-dashboard   # store the certificate we created as a Secret for Kubernetes to use; note the changed namespace
    secret "kubernetes-dashboard-certs" created
- Create an admin user (to protect cluster data, Dashboard is deployed with a minimal RBAC configuration by default; currently, Dashboard only supports logging in with a Bearer token), https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md

    # vim user.yaml   # edit the YAML file

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: admin-user
      namespace: kubernetes-dashboard
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: admin-user
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
      - kind: ServiceAccount
        name: admin-user
        namespace: kubernetes-dashboard
- kubectl apply -f user.yaml
- kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')   # run this command to display the login token

    Name:         admin-user-token-pzcfj
    Namespace:    kubernetes-dashboard
    Labels:       <none>
    Annotations:  kubernetes.io/service-account.name: admin-user
                  kubernetes.io/service-account.uid: 266dab12-3ab6-4fec-b068-c01d3ffcbb02

    Type:  kubernetes.io/service-account-token

    Data
    ====
    token:      <JWT bearer token omitted>
    ca.crt:     1025 bytes
    namespace:  20 bytes

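- Open https://<IP of any node>:32567 in the browser
- Enter the token to log in
- At this point the initial setup is complete, but the admin-user account created above has very high privileges. If you need tiered permissions, see https://www.cnblogs.com/panwenbin-logs/p/10052554.html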
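
A least-privilege counterpart to the cluster-admin binding in user.yaml, added here as an example (it is not from the original post or from the Dashboard project). The account name dashboard-viewer and the target namespace default are assumptions; view is the built-in read-only ClusterRole.

```yaml
# Added example: a read-only Dashboard login limited to one namespace.
# "dashboard-viewer" and the target namespace "default" are assumed names.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-viewer
  namespace: kubernetes-dashboard
---
# A RoleBinding (unlike the ClusterRoleBinding used for admin-user) grants
# the role only inside its own namespace, even when it references a
# ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dashboard-viewer
  namespace: default          # the only namespace this login can read
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view                  # built-in read-only role; does not cover Secrets
subjects:
  - kind: ServiceAccount
    name: dashboard-viewer
    namespace: kubernetes-dashboard
```

To check the scope, `kubectl auth can-i list pods -n default --as=system:serviceaccount:kubernetes-dashboard:dashboard-viewer` should answer yes, and the same query with `-n kube-system` should answer no.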