碼上歡樂
相關內容    簡體    繁體

kubernetes-dashboard-2.0.3

本文轉載自   查看原文   2020-08-02 16:02   984    k8s

1. 部署dashboard

文檔:https://www.jianshu.com/p/40c0405811ee

github地址: https://github.com/kubernetes/dashboard/blob/master/aio/deploy/recommended.yaml


1.1 下載部署文件recommended.yaml 並將鏡像的地址改為本地鏡像的地址

wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.3/aio/deploy/recommended.yaml

1.2 下載鏡像

docker pull kubernetesui/dashboard:v2.0.3
docker tag kubernetesui/dashboard:v2.0.3 harbor.od.com/k8s/dashboard:v2.0.3
docker push harbor.od.com/k8s/dashboard:v2.0.3

docker pull kubernetesui/metrics-scraper:v1.0.4
docker tag kubernetesui/metrics-scraper:v1.0.4 harbor.od.com/k8s/metrics-scraper:v1.0.4
docker push harbor.od.com/k8s/metrics-scraper:v1.0.4

1.3 修改yaml文件

  • 注釋掉Dashboard Secret ,不然后面訪問顯示網頁不安全,證書過期,我們自己生成證書


  • 將鏡像修改為鏡像倉庫地址


  • 添加ingress配置
---
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: kubernetes-dashboard-ingress
  namespace: kubernetes-dashboard
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
spec:
  rules:
    - host: k8s-dashboard.paic.com.cn
      http:
        paths: 
          - path: /
            backend:
              serviceName: kubernetes-dashboard
              servicePort: 443

  • 生成新的secret

    這里的secret必須在kubernetes-dashboard 名稱空間生成, 否則dashboard會起不來, dashboard是啟動在kubernetes-dashboard 這個名稱空間, 所以secret 也必須在這個空間生成

mkdir key && cd key
openssl genrsa -out dashboard.key 2048
openssl req -new -out dashboard.csr -key dashboard.key -subj '/CN=192.168.31.10'
openssl x509 -req -in dashboard.csr -signkey dashboard.key -out dashboard.crt
kubectl create secret generic kubernetes-dashboard-certs --from-file=dashboard.key --from-file=dashboard.crt -n kubernetes-dashboard

  • 部署dashboard
kubectl apply -f recommended.yaml

1.4 設置權限文件

  • admin-user.yaml
CopyapiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
  • admin-user-role-binding.yaml
CopyapiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system

  • 部署權限文件
kubectl create -f admin-user.yaml 
kubectl create -f admin-user-role-binding.yaml

1.5 訪問dashboard

  • 設置本地dns解析

    因為dashboard是跑在ingress上, 域名所對應的ip設置成ingress-controller 所在的ip地址

kubectl get all -n ingress-nginx -owide


  • 本地配置dns (C:\Windows\System32\drivers\etc\hosts)
192.168.31.40 k8s-dashboard.paic.com.cn

  • 訪問 k8s-dashboard.paic.com.cn


  • master 上查看token
kubectl describe secret `kubectl get secret -n kube-system |grep admin |awk '{print $1}'` -n kube-system |grep ^token|awk '{print $2}'


2. dashboard 分權

根據名稱空間訪問相關資源, 下面的例子是ingress-nginx 和 kubernetes-dashboard的rbac部署文件,

ingress-nginx這里的secret只能在ingress-nginx 這個名稱空間訪問

kubernetes-dashboard 這里的secret只能在 kubernetes-dashboard 這個名稱空間訪問

mkdir dashboard-access-sa
cd dashboard-access-sa

2.1 編寫部署文件

access-sa.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress-nginx-sa
  namespace: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubernetes-dashboard-sa
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-readonly
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: namespace-readonly
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-sa
    namespace: ingress-nginx
    apiGroup: ""
  - kind: ServiceAccount
    name: kubernetes-dashboard-sa
    namespace: kubernetes-dashboard
    apiGroup: ""
roleRef:
  kind: ClusterRole
  name: namespace-readonly
  apiGroup: ""
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: non-admin-user
rules:
  - apiGroups: ["", "extensions", "apps", "batch"]
    resources: ["replicasets", "pods", "configmaps", "pods/log", 'daemonsets', "jobs", "cronjobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["", "extensions", "apps"]
    resources: ["deployments","services", "replicationcontrollers", "secrets", "serviceaccounts", "statefulsets", "ingresses", "persistentvolumeclaims", "events"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-nginx-sa-rolebinding
  namespace: ingress-nginx
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-sa
    namespace: ingress-nginx
roleRef:
  kind: ClusterRole
  name: non-admin-user
  apiGroup: ""
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-sa-rolebinding
  namespace: kubernetes-dashboard
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard-sa
    namespace: kubernetes-dashboard
roleRef:
  kind: ClusterRole
  name: non-admin-user
  apiGroup: ""

2.2 應用部署文件

kubectl apply -f access-sa.yaml

2.3 查看生成的secret

kubectl get secret -A |grep sa

使用各自的密鑰登陸dashboard查看

ingress-nginx這里的secret只能在ingress-nginx 這個名稱空間訪問, 其他的名稱空間無權限

kubernetes-dashboard 這里的secret只能在 kubernetes-dashboard 這個名稱空間訪問, 其他的名稱空間無權限


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 Kubernetes之dashboard kubernetes 之dashboard Kubernetes系列:Kubernetes Dashboard 利用kubernetes 安裝 Kubernetes Dashboard Kubernetes 部署Dashboard UI kubernetes dashboard 2.0 學習kubernetes——部署dashboard kubernetes之部署dashboard 和heapster kubernetes-dashboard安裝 安裝Kubernetes Dashboard
 
粵ICP備18138465號   © 2018-2026 CODEPRJ.COM