參考資料:
官方部署方法如下:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta4/aio/deploy/recommended.yaml
該方法是通過指定官方的yaml文件, 用kubectl來進行部署,然而這個方法存在很多問題,首先是該yaml文件的地址有時候並不能訪問,需要掛梯子;其次,該文件指定的dashboard的鏡像也需要梯子才能訪問;再者,部署的dashboard的證書過期時間有問題,導致chrome、safari等都不能訪問,僅firefox可以訪問。所以需要對部署流程做調整,先創建自簽證書,再用證書來部署(最好是用第三方的證書,目前chrome無法訪問使用自簽證書的網站,需要添加信任)。
用openssl生成自簽證書(有第三方證書可跳過)
- 生成證書請求的key
openssl genrsa -out dashboard.key 2048
- 生成證書請求
openssl req -new -out dashboard.csr -key dashboard.key -subj '/CN=<your_ip>'
<your_ip>換成自己的ip或域名??
- 生成自簽證書
openssl x509 -days 3650 -req -in dashboard.csr -signkey dashboard.key -out dashboard.crt
這里指定了過期時間3650天,默認365天
部署kubernetes-dashboard
- 創建部署kubernetes-dashboard的yaml文件
kubernetes-dashboard.yaml
# Copyright 2017 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: Namespace
metadata:
name: kubernetes-dashboard
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
---
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
spec:
type: NodePort #NodePort方式,改用其它方式把這行去掉
ports:
- port: 443
targetPort: 8443
nodePort: 32100 #NodePort方式端口,改用其它方式把這行去掉
selector:
k8s-app: kubernetes-dashboard
---
\#不要用自帶的證書,自帶證書時間出錯
\#apiVersion: v1
\#kind: Secret
\#metadata:
\# labels:
\# k8s-app: kubernetes-dashboard
\# name: kubernetes-dashboard-certs
\# namespace: kubernetes-dashboard
\#type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-csrf
namespace: kubernetes-dashboard
type: Opaque
data:
csrf: ""
---
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-key-holder
namespace: kubernetes-dashboard
type: Opaque
---
kind: ConfigMap
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-settings
namespace: kubernetes-dashboard
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
rules:
\# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
verbs: ["get", "update", "delete"]
\# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"]
\# Allow Dashboard to get metrics.
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster", "dashboard-metrics-scraper"]
verbs: ["proxy"]
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
verbs: ["get"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
rules:
# Allow Metrics Scraper to get metrics from the Metrics server
- apiGroups: ["metrics.k8s.io"]
resources: ["pods", "nodes"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubernetes-dashboard
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubernetes-dashboard
namespace: kubernetes-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubernetes-dashboard
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kubernetes-dashboard
---
kind: Deployment
apiVersion: apps/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: kubernetes-dashboard
template:
metadata:
labels:
k8s-app: kubernetes-dashboard
spec:
containers:
- name: kubernetes-dashboard
#image: registry.cn-hangzhou.aliyuncs.com/kubernetesui/dashboard:v2.0.0-beta5
image: kubernetesui/dashboard:v2.0.0-beta5
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8443
protocol: TCP
args:
- --auto-generate-certificates
- --namespace=kubernetes-dashboard
# 把token過期時間設置為43200分鍾,默認是15分鍾
- --token-ttl=43200
# Uncomment the following line to manually specify Kubernetes API server Host
# If not specified, Dashboard will attempt to auto discover the API server and connect
# to it. Uncomment only if the default does not work.
# - --apiserver-host=http://my-address:port
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
# Create on-disk volume to store exec logs
- mountPath: /tmp
name: tmp-volume
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 30
timeoutSeconds: 30
volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: kubernetes-dashboard-certs
- name: tmp-volume
emptyDir: {}
serviceAccountName: kubernetes-dashboard
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
---
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: dashboard-metrics-scraper
name: dashboard-metrics-scraper
namespace: kubernetes-dashboard
spec:
ports:
- port: 8000
targetPort: 8000
selector:
k8s-app: dashboard-metrics-scraper
---
kind: Deployment
apiVersion: apps/v1
metadata:
labels:
k8s-app: dashboard-metrics-scraper
name: dashboard-metrics-scraper
namespace: kubernetes-dashboard
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: dashboard-metrics-scraper
template:
metadata:
labels:
k8s-app: dashboard-metrics-scraper
spec:
containers:
- name: dashboard-metrics-scraper
image: kubernetesui/metrics-scraper:v1.0.1
ports:
- containerPort: 8000
protocol: TCP
livenessProbe:
httpGet:
scheme: HTTP
path: /
port: 8000
initialDelaySeconds: 30
timeoutSeconds: 30
volumeMounts:
- mountPath: /tmp
name: tmp-volume
serviceAccountName: kubernetes-dashboard
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
volumes:
- name: tmp-volume
emptyDir: {}
這個Markdown解析器下的details標簽可能導致格式錯誤,這里給下文件—— 傳送門
根據官方文件做了微調:
1)把cert注釋掉,使用待會自己創建的cert,因為默認的證書有問題;
2)把token過期時間設置為43200分鍾,默認為15分鍾;
3)把dashboard訪問方式改為NodePort,端口是32100,訪問時用pod所在主機的ip加端口號即可訪問;
4)imagePullPolicy改為IfNotPresent,當本地找不到鏡像時才從網上拉取;
注意查看鏡像路徑是否有效,如果無效,自行百度查找鏡像源,或者到別的地方把鏡像下載到本地,然后把tag改成和yaml文件中的image一致
- 部署kubernetes-dashboard
kubectl create -f <yaml_path>
<yaml_path>換成自己yaml的路徑
- 部署完成后還是不能訪問,因為yaml文件中注釋掉了kubernetes-dashboard-certs,相關的pod沒跑起來,所以此時應創建certs
kubectl create secret generic kubernetes-dashboard-certs --from-file=dashboard.key --from-file=dashboard.crt -n kubernetes-dashboard
"dashboard.key"、"dashboard.crt"是之前生成的自簽證書的相關文件的路徑,這里用相對路徑,所以直接給個名字; 創建的secret名為"kubernetes-dashboard-certs"; 用"-n kubernetes-dashboard"指明命名空間"kubernetes-dashboard",可自行更改,不過建議用這個,因為后面的操作是接着這里的
- 一般經過以上步驟就可以訪問dashboard,可以跳過這一步了,但如果此時仍不能訪問,pod不是處於"running"狀態,可以刪除kubenetes-dashboard相關的pod,讓kubelet自動生成一個新的可運行的pod
查看kubernetes-dashboard的pod名:
kubectl get pods -n kubernetes-dashboard
刪除該pod:
kubectl delete pod -n kubernetes-dashboard <pod名>
- 如果chrome仍然無法訪問,需要到設置里把證書設置為"受信任證書"
之前chrome雖然提示”不是私密連接“,但是是可以繼續訪問的,不知是更新了還是怎樣,現在不能訪問了,只能到設置添加信任,2020.4.7更
”設置“->”隱私設置和安全性“->”更多“->”管理證書“,找到你的證書,然后點擊”信任旁邊的三角“,選擇”始終信任“
創建訪問用戶
創建用於訪問dashboard的Service Account
admin-user.yaml:
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kubernetes-dashboard
命令:
kubectl create -f admin-user.yaml
為用戶綁定角色,創建ClusterRoleBinding
rolebinding.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kubernetes-dashboard
命令:
kubectl create -f rolebinding.yaml
也可以把兩個yaml文件合成一個,中間用"---"隔開,用一個"kubectl create"語句即可,如下:
##創建名為admin-user的用戶
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kubernetes-dashboard
---
## 把集群角色cluster-admin綁定到admin-user
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kubernetes-dashboard
操作命令:
kubectl create -f dashboard-adminuser.yaml
以上創建Service Account和ClusterRoleBinding的操作,不用配置文件,直接命令行也是可以的:
在"kubernetes-dashboard"命名空間下創建一個名為"admin-user"的用戶:
kubectl create serviceaccount admin-user -n kubernetes-dashboard
創建一個叫"admin-user"的“角色綁定”,給"admin-user"用戶授予"cluster-admin"角色:
kubectl create clusterrolebinding admin-user --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:admin-user
多送了兩個步驟,是不是很驚喜? (#^.^#)
獲取登錄密鑰
在上面創建用戶的時候,kubectl會自動生成一個對應該用戶的"secret",”secret“的名字是以用戶名為前綴加上"-token-五位隨機序列",例如創建的是"admin-user",在我電腦上的"secret"為"admin-user-token-5fkcr",
此時通過"kubectl describe"命令即可看到該用戶的token,但由於kubernetes中的密鑰太多,所以需要用以下命令篩選出需要的密鑰:
kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')
得到類似如下的信息,把”token“后面那一串復制到dashboard登錄,然后就可以愉快的玩耍啦
補充
在給dashboard分配角色時給了admin權限,可能對安全性有所影響。以上對官方的yaml做了修改,把dashboard部署方式改為NodePort,以使得可以通過節點ip+端口訪問,當然這是不太安全的,最好是改為ingress或apiserver方式;如果使用官方默認部署方式,只能本機訪問,而且需要先開啟代理
kubectl proxy
使用官方部署方式,並開啟代理后的訪問地址是:
http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/.
Tips
歡迎指正錯誤,如果有問題可以評論區留言謝謝Thanks♪(・ω・)ノ