1. Deploy the dashboard
Docs: https://www.jianshu.com/p/40c0405811ee
GitHub: https://github.com/kubernetes/dashboard/blob/master/aio/deploy/recommended.yaml
1.1 Download the deployment file recommended.yaml and change the image addresses in it to the local registry addresses
wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.3/aio/deploy/recommended.yaml
1.2 Pull the images and push them to the local registry
docker pull kubernetesui/dashboard:v2.0.3
docker tag kubernetesui/dashboard:v2.0.3 harbor.od.com/k8s/dashboard:v2.0.3
docker push harbor.od.com/k8s/dashboard:v2.0.3
docker pull kubernetesui/metrics-scraper:v1.0.4
docker tag kubernetesui/metrics-scraper:v1.0.4 harbor.od.com/k8s/metrics-scraper:v1.0.4
docker push harbor.od.com/k8s/metrics-scraper:v1.0.4
1.3 Modify the yaml file
- Comment out the Dashboard Secret; otherwise the browser later reports the page as insecure with an expired certificate. We generate our own certificate instead.
- Change the image references to the image registry address.
- Add the ingress configuration:
---
# extensions/v1beta1 Ingress is removed in Kubernetes 1.22+; there it has to be
# rewritten as networking.k8s.io/v1 (pathType plus backend.service.name/port).
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: kubernetes-dashboard-ingress
  namespace: kubernetes-dashboard
  annotations:
    # The dashboard from recommended.yaml serves HTTPS on 8443, so the
    # controller must proxy to the backend over TLS rather than plain HTTP.
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
spec:
  rules:
  - host: k8s-dashboard.paic.com.cn
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
- Generate a new secret
The secret must be created in the kubernetes-dashboard namespace, otherwise the dashboard will not start: the dashboard runs in the kubernetes-dashboard namespace, so the secret has to live in that same namespace. Its name must also stay kubernetes-dashboard-certs, the name the deployment in recommended.yaml mounts.
mkdir key && cd key
openssl genrsa -out dashboard.key 2048
openssl req -new -out dashboard.csr -key dashboard.key -subj '/CN=192.168.31.10'
openssl x509 -req -in dashboard.csr -signkey dashboard.key -out dashboard.crt
kubectl create secret generic kubernetes-dashboard-certs --from-file=dashboard.key --from-file=dashboard.crt -n kubernetes-dashboard
- Deploy the dashboard
kubectl apply -f recommended.yaml
1.4 Set up the permission files
- admin-user.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
- admin-user-role-binding.yaml
# rbac.authorization.k8s.io/v1 has been available since Kubernetes 1.8; the
# v1beta1 version is removed in 1.22+, so v1 is used here.
# This binds admin-user to the built-in cluster-admin role, i.e. unrestricted
# access to the whole cluster; section 2 shows the namespace-scoped alternative.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
- Apply the permission files
kubectl create -f admin-user.yaml
kubectl create -f admin-user-role-binding.yaml
1.5 Access the dashboard
- Set up local DNS resolution
Because the dashboard is served through the ingress, the domain name has to resolve to the IP of the node on which the ingress-controller runs. Find that node with:
kubectl get all -n ingress-nginx -owide
- Configure local DNS (C:\Windows\System32\drivers\etc\hosts)
192.168.31.40 k8s-dashboard.paic.com.cn
- Open
k8s-dashboard.paic.com.cn
- View the token on the master
kubectl describe secret `kubectl get secret -n kube-system |grep admin |awk '{print $1}'` -n kube-system |grep ^token|awk '{print $2}'

2. Dashboard privilege separation
Access resources per namespace. The example below is the RBAC deployment file for ingress-nginx and kubernetes-dashboard:
the ingress-nginx token secret can only access the ingress-nginx namespace, and
the kubernetes-dashboard token secret can only access the kubernetes-dashboard namespace.
mkdir dashboard-access-sa
cd dashboard-access-sa
2.1 Write the deployment file
access-sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress-nginx-sa
  namespace: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubernetes-dashboard-sa
  namespace: kubernetes-dashboard
---
# Cluster-scoped read access to the list of namespaces only, so the dashboard
# can populate its namespace selector; this grants nothing inside a namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-readonly
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: namespace-readonly
subjects:
- kind: ServiceAccount
  name: ingress-nginx-sa
  namespace: ingress-nginx
- kind: ServiceAccount
  name: kubernetes-dashboard-sa
  namespace: kubernetes-dashboard
roleRef:
  kind: ClusterRole
  name: namespace-readonly
  apiGroup: rbac.authorization.k8s.io
---
# The per-namespace permission set. It is defined as a ClusterRole only so that
# one definition can be reused; the RoleBindings below decide where it applies.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: non-admin-user
rules:
- apiGroups: ["", "extensions", "apps", "batch"]
  resources: ["replicasets", "pods", "configmaps", "pods/log", "daemonsets", "jobs", "cronjobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "services", "replicationcontrollers", "secrets", "serviceaccounts", "statefulsets", "ingresses", "persistentvolumeclaims", "events"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
---
# A RoleBinding (not a ClusterRoleBinding) that references a ClusterRole grants
# the role's rules only inside the binding's own namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-nginx-sa-rolebinding
  namespace: ingress-nginx
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
subjects:
- kind: ServiceAccount
  name: ingress-nginx-sa
  namespace: ingress-nginx
roleRef:
  kind: ClusterRole
  name: non-admin-user
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-sa-rolebinding
  namespace: kubernetes-dashboard
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard-sa
  namespace: kubernetes-dashboard
roleRef:
  kind: ClusterRole
  name: non-admin-user
  apiGroup: rbac.authorization.k8s.io
2.2 Apply the deployment file
kubectl apply -f access-sa.yaml
2.3 Check the generated secrets
kubectl get secret -A |grep sa

Log in to the dashboard with each token in turn to verify:
the ingress-nginx token can only access the ingress-nginx namespace and has no permissions in any other namespace;
the kubernetes-dashboard token can only access the kubernetes-dashboard namespace and has no permissions in any other namespace.
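The difference between the cluster-admin binding in section 1.4 and the namespace-scoped bindings in section 2 can be checked without a cluster. The script below is an added example, not part of the original post: it transcribes the ClusterRoles and bindings from admin-user-role-binding.yaml and access-sa.yaml into Python dicts (constructed by hand, so neither kubectl nor PyYAML is needed), adds the built-in cluster-admin rule, and applies the RBAC authorizer's binding logic: a ClusterRoleBinding grants the role's rules in every namespace and for cluster-scoped requests, a RoleBinding grants them only inside its own namespace. The namespace list used for the report is an assumption taken from the three namespaces the post works with.

```python
"""Effective-permission check for the RBAC objects in this post (added example).

The manifests are transcribed into dicts so the script runs offline; the
cluster-admin rule is the built-in one ("*" on everything).
"""

# Constructed: the three namespaces the post works with.
NAMESPACES = ["kube-system", "ingress-nginx", "kubernetes-dashboard"]

# Rules of every ClusterRole referenced by a binding below.
CLUSTER_ROLES = {
    "cluster-admin": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ],
    "namespace-readonly": [
        {"apiGroups": [""], "resources": ["namespaces"],
         "verbs": ["get", "list", "watch"]},
    ],
    "non-admin-user": [
        {"apiGroups": ["", "extensions", "apps", "batch"],
         "resources": ["replicasets", "pods", "configmaps", "pods/log",
                       "daemonsets", "jobs", "cronjobs"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
        {"apiGroups": ["", "extensions", "apps"],
         "resources": ["deployments", "services", "replicationcontrollers",
                       "secrets", "serviceaccounts", "statefulsets", "ingresses",
                       "persistentvolumeclaims", "events"],
         "verbs": ["get", "list", "watch", "create", "update", "patch"]},
    ],
}

# Subjects are (namespace, name) of a ServiceAccount, as in the YAML subjects.
BINDINGS = [
    {"kind": "ClusterRoleBinding", "role": "cluster-admin",
     "subjects": [("kube-system", "admin-user")]},
    {"kind": "ClusterRoleBinding", "role": "namespace-readonly",
     "subjects": [("ingress-nginx", "ingress-nginx-sa"),
                  ("kubernetes-dashboard", "kubernetes-dashboard-sa")]},
    {"kind": "RoleBinding", "namespace": "ingress-nginx", "role": "non-admin-user",
     "subjects": [("ingress-nginx", "ingress-nginx-sa")]},
    {"kind": "RoleBinding", "namespace": "kubernetes-dashboard", "role": "non-admin-user",
     "subjects": [("kubernetes-dashboard", "kubernetes-dashboard-sa")]},
]


def _rule_matches(rule, api_group, resource, verb):
    """A rule matches when each dimension lists the value or the '*' wildcard."""
    def covers(allowed, value):
        return "*" in allowed or value in allowed
    return (covers(rule["apiGroups"], api_group)
            and covers(rule["resources"], resource)
            and covers(rule["verbs"], verb))


def allowed(subject, namespace, verb, resource, api_group=""):
    """Return True if `subject` may perform `verb` on `resource` in `namespace`.

    `namespace` is None for cluster-scoped requests (listing namespaces, or
    listing pods across all namespaces); a RoleBinding never satisfies those.
    """
    for binding in BINDINGS:
        if subject not in binding["subjects"]:
            continue
        if binding["kind"] == "RoleBinding":
            # Scoped to its own namespace; useless for cluster-wide requests.
            if namespace is None or binding["namespace"] != namespace:
                continue
        for rule in CLUSTER_ROLES[binding["role"]]:
            if _rule_matches(rule, api_group, resource, verb):
                return True
    return False


def secret_access_report():
    """Map each ServiceAccount name to the namespaces where it can read secrets."""
    subjects = sorted({s for b in BINDINGS for s in b["subjects"]})
    return {
        name: [ns for ns in NAMESPACES if allowed((sa_ns, name), ns, "get", "secrets")]
        for sa_ns, name in subjects
    }


if __name__ == "__main__":
    for name, namespaces in secret_access_report().items():
        print(f"{name:<25} can read secrets in: {namespaces or 'nowhere'}")
```

Running it shows admin-user reading secrets in every namespace, while each of the two section-2 accounts reads secrets only in its own namespace and cannot list pods cluster-wide at all, which is exactly the "no permissions in any other namespace" behaviour seen in the dashboard. The same evaluator can be pointed at any extra rule or binding you add to access-sa.yaml before applying it.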
