安裝 dashboard
1.1 下載 yaml 文件
[root@uk8s-a ~]# mkdir web-ui
[root@uk8s-a ~]# cd web-ui/
[root@uk8s-a web-ui]# wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.3/aio/deploy/recommended.yaml
1.2 制作證書
因為要使用 ingress 通過域名的方式對外暴露訪問,所以需要自己制作證書
准備證書生成腳本
[root@uk8s-a web-ui]# mkdir certs
[root@uk8s-a web-ui]# cd certs
[root@uk8s-a certs]# vim create_cert.sh
#!/bin/bash
# author: liyongjian5179@163.com
# bash create_cert.sh kubernetes-dashboard-certs dashboard dashboard.5179.top kubernetes-dashboard
if [ $# -ne 4 ];then
echo "please user in: `basename $0` SECRET_NAME CERT_NAME DOMAIN NAMESPACE"
exit 1
fi
SECRET_NAME=$1
CERT_NAME=$2
DOMAIN=$3
NAMESPACE=$4
# TLS Secrets
# Anytime we reference a TLS secret, we mean a PEM-encoded X.509, RSA (2048) secret.
# You can generate a self-signed certificate and private key with:
# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout ${CERT_NAME}.key -out ${CERT_NAME}.crt -subj "/CN=${DOMAIN}/O=${DOMAIN}"
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout ${CERT_NAME}.key -out ${CERT_NAME}.crt -subj "/CN=${DOMAIN}/O=${DOMAIN}"
# 創建 NAMESPACE
kubectl get namespace |grep ${NAMESPACE}
if [ $? -eq 0 ]; then
echo "[INFO] ${NAMESPACE} is already exists"
else
kubectl create namespace ${NAMESPACE}
echo "[INFO] create ${NAMESPACE} success!"
fi
# Then create the secret in the cluster via:
# kubectl create secret tls ${SECRET_NAME} --key ${CERT_NAME}.key --cert ${CERT_NAME}.crt
# 如果你使用--key --cert方式則創建的secret中data的默認2個文件名就是tls.key和tls.crt
kubectl create secret generic ${SECRET_NAME} --from-file=${CERT_NAME}.crt --from-file=${CERT_NAME}.key -n ${NAMESPACE}
# The resulting secret will be of type kubernetes.io/tls.
執行一下
[root@uk8s-a certs]# bash create_cert.sh kubernetes-dashboard-certs dashboard dashboard.5179.top kubernetes-dashboard
Generating a 2048 bit RSA private key
........+++
....................................................+++
writing new private key to 'dashboard.key'
-----
kubernetes-dashboard Active 2m48s
[INFO] kubernetes-dashboard is already exists
secret/kubernetes-dashboard-certs created
1.3 修改配置文件
修改文件,使用自己制作的證書
[root@uk8s-a web-ui]# vim ./recommended.yaml
#將以下內容注釋,因為要用我們自己生成的證書
# ---
#apiVersion: v1
#kind: Secret
#metadata:
# labels:
# k8s-app: kubernetes-dashboard
# name: kubernetes-dashboard-certs
# namespace: kubernetes-dashboard
#type: Opaque
...
# 修改啟動參數,添加證書路徑
...
kind: Deployment
apiVersion: apps/v1
metadata:
spec:
...
spec:
containers:
- name: kubernetes-dashboard
image: kubernetesui/dashboard:v2.0.3
imagePullPolicy: Always
ports:
- containerPort: 8443
protocol: TCP
command: # 新增
- /dashboard # 新增
args:
- --auto-generate-certificates
- --namespace=kubernetes-dashboard
- --token-ttl=3600 # 新增
- --bind-address=0.0.0.0 # 新增
- --tls-cert-file=dashboard.crt # 新增
- --tls-key-file=dashboard.key # 新增
其中auto-generate-certificates不能注釋,因為我看到過有帖子說要注釋掉(這個參數不僅僅是自動證書的開關,還是總的HTTPS的開關,當我們手工配置了證書后,容器不會自動生成)。
另外兩個 tls 參數指定的是被掛載到容器中的證書的名字
執行一下該文件
[root@uk8s-a web-ui]# kubectl apply -f recommended.yaml
namespace/kubernetes-dashboard unchanged
serviceaccount/kubernetes-dashboard unchanged
service/kubernetes-dashboard unchanged
secret/kubernetes-dashboard-csrf configured
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
secret/kubernetes-dashboard-key-holder configured
configmap/kubernetes-dashboard-settings unchanged
role.rbac.authorization.k8s.io/kubernetes-dashboard unchanged
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard unchanged
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard unchanged
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard unchanged
deployment.apps/kubernetes-dashboard unchanged
service/dashboard-metrics-scraper unchanged
deployment.apps/dashboard-metrics-scraper unchanged
創建 ingress 文件
[root@uk8s-a ingress]# vim ingress-dashboard.yaml
[root@uk8s-a ingress]# cat ingress-dashboard.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-dashboard
namespace: kubernetes-dashboard
annotations:
kubernetes.io/ingress.class: "nginx"
# 開啟use-regex,啟用path的正則匹配
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
tls:
- hosts:
- dashboard.5179.top
secretName: kubernetes-dashboard-certs
rules:
- host: dashboard.5179.top
http:
paths:
- path: /
backend:
serviceName: kubernetes-dashboard
servicePort: 443
創建用戶
[root@uk8s-a web-ui]# cat create-user.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kubernetes-dashboard
[root@uk8s-a web-ui]# kubectl apply -f create-user.yaml
serviceaccount/admin-user unchanged
clusterrolebinding.rbac.authorization.k8s.io/admin-user unchanged
獲取登陸token
[root@uk8s-a web-ui]# cat get-user-token.sh
#!/bin/bash
USER=${1:-admin-user}
kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep $USER | awk '{print $1}')
# 執行一下腳本
[root@uk8s-a web-ui]# bash get-user-token.sh
Name: admin-user-token-dhx6r
Namespace: kubernetes-dashboard
Labels: <none>
Annotations: kubernetes.io/service-account.name: admin-user
kubernetes.io/service-account.uid: 84583c60-2c95-4118-9158-6341962d917f
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1363 bytes
namespace: 20 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImZlaXFTZERBdjhGLWwyZ0xLTzljaHdhSlJ1OWdfeTNDWU4wRzhuS3MyYTAifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLWRoeDZyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4NDU4M2M2MC0yYzk1LTQxMTgtOTE1OC02MzQxOTYyZDkxN2YiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6YWRtaW4tdXNlciJ9.tPgicyWaMDfN5GkLY8XX2S-jhS-pvNC6eNvZ1FCIgZi3quWQND_JASqUr4Y9nyzdFtt-Jog1QbBCRGOE1YMrc3CX27TZttsbJNgq_PqlSjJ8NpmQfUzL5EAaYEUk7bcTRsePrGpECLqih7OOMN1lXO3WYiMJLfeDvkSaUweuUQzSTGtdkzbjVmVY-DksejyXSO_DI_-DMa4lq8zTnegwywdNUkFu06J_DXTTZZIpyKBKvpKz0pny2JIS4x9rI6v4g4Ljw47U7GM30CkQeletagQ8tjXf8g2QTp7Puc9NIpK39u8H1SIqbEZCBtRTJEfLTibDXXnlNplZF5FQ5bms1g
用這個 token 去訪問界面
