摘要:
仪表板是K8S的web界面。用户可以使用KubernetesDashboard部署容器化应用程序、监视应用程序和管理集群本身。在KubernetesDashboard中,用户可以查看集群中应用程序的运行状态。1.下载yaml配置文件wgethttps://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recom
Dashboard是k8s的web界面,用户可以用 Kubernetes Dashboard 部署容器化的应用、监控应用、并对集群本身进行管理,在 Kubernetes Dashboard 中可以查看集群中应用的运行状态。
1、下载yaml配置文件
wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
2、创建dashboard专有secret
浏览器访问时,默认文件中secret文件有问题,我们需要自定义一个证书进行认证
a) 创建证书请求文件
[root@k8s-master01 ~]# vim /opt/k8s/certs/dashboard-csr.json { "CN": "k8s-dashboard", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "ShangHai", "L": "ShangHai", "O": "k8s-dashboard", "OU": "System" } ] }
b) 生成证书
[root@k8s-master01 certs]# cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem -ca-key=/etc/kubernetes/ssl/ca-key.pem -config=/opt/k8s/certs/ca-config.json -profile=kubernetes dashboard-csr.json | cfssljson -bare k8s-dashboard 2019/05/07 16:45:48 [INFO] generate received request 2019/05/07 16:45:48 [INFO] received CSR 2019/05/07 16:45:48 [INFO] generating key: rsa-2048 2019/05/07 16:45:48 [INFO] encoded CSR 2019/05/07 16:45:48 [INFO] signed certificate with serial number 443069371958574919693024095101339074526175227131 2019/05/07 16:45:48 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
c)创建secret
[root@k8s-master01 certs]# kubectl create secret generic kubernetes-dashboard-certs --from-file=dashboard.key=./k8s-dashboard-key.pem --from-file=dashboard.crt=./k8s-dashboard.pem -n kube-system
3、修改yaml文件
默认下载的资源清单文件,镜像地址不可用,以及secret也需要注释
[root@k8s-master01 ~]# vim /opt/dashboard/kubernetes-dashboard.yaml ## 修改三处 ### 注释默认secret配置 # ------------------- Dashboard Secret ------------------- # #apiVersion: v1 #kind: Secret #metadata: # labels: # k8s-app: kubernetes-dashboard # name: kubernetes-dashboard-certs # namespace: kube-system #type: Opaque ### k8s.gcr.io 修改为 registry.cn-hangzhou.aliyuncs.com/google_containers ... image: registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1 ... #--- ### 为service添加NotePort模式 kind: Service apiVersion: v1 metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard namespace: kube-system spec: type: NodePort ports: - port: 443 targetPort: 8443 selector: k8s-app: kubernetes-dashboard
4、跟据资源清单文件,创建
[root@k8s-master01 dashboard]# kubectl apply -f kubernetes-dashboard.yaml ### 查看pod,可以看到kubernetes-dashboard-5d9599dc98-qbpkb已经running [root@k8s-master01 ~]# kubectl get pod -n kube-system NAME READY STATUS RESTARTS AGE calico-kube-controllers-75569d87d7-tpjq5 1/1 Running 5 7d3h calico-node-bmpbd 1/1 Running 5 7d3h calico-node-dms6w 1/1 Running 6 7d3h
calico-node-f2xcp 1/1 Running 3 7d
calico-node-mxc5h 1/1 Running 3 7d
calico-node-zzbqn 1/1 Running 3 7d coredns-55f46dd959-9v98d 1/1 Running 5 7d3h coredns-55f46dd959-krcsq 1/1 Running 6 7d3h kubernetes-dashboard-5d9599dc98-qbpkb 1/1 Running 0 77s tiller-deploy-6d54f974dc-fmgk5 1/1 Running 6 7d3h ### 查看svc,对外端口:30721 [root@k8s-master01 ~]# kubectl get svc -n kube-system NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kube-dns ClusterIP 10.254.0.2 <none> 53/UDP,53/TCP,9153/TCP 7d3h kubernetes-dashboard NodePort 10.254.188.109 <none> 443:30721/TCP 5m54s tiller-deploy ClusterIP 10.254.20.131 <none> 44134/TCP 7d3h
5、创建集群管理员账号
dashboard部署好后,我们需要创建对应账号才可以登陆
a)创建用于登录dashborad的serviceaccount账号
[root@k8s-master01 ~]# kubectl create serviceaccount dashboard-admin -n kube-system
b)创建一个clusterrolebingding,将名称为cluster-admin的clusterrole绑定到我们刚刚创建的serviceaccount上,名称空间和sa使用:作为间隔
[root@k8s-master01 ~]# kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
c)查看secret
clusterrolebingding创建完成后系统会自动创建一个secret,名称以serviceaccount名称开头
[root@k8s-master01 ~]# kubectl get secret -n kube-system|grep dashboard-admin dashboard-admin-token-8rkds kubernetes.io/service-account-token 3 111s
d)获取tocken
[root@k8s-master01 ~]# kubectl describe secret dashboard-admin-token-8rkds -n kube-system Name: dashboard-admin-token-8rkds Namespace: kube-system Labels: <none> Annotations: kubernetes.io/service-account.name: dashboard-admin kubernetes.io/service-account.uid: 797f6a81-70a6-11e9-be01-000c29d932a4 Type: kubernetes.io/service-account-token Data ==== ca.crt: 1363 bytes namespace: 11 bytes token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tOHJrZHMiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiNzk3ZjZhODEtNzBhNi0xMWU5LWJlMDEtMDAwYzI5ZDkzMmE0Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.qoVBiN0SPcvTTOXNwCo7moLVeR8FlQ2fJpAts_eAeFacqj_E8CzmgSgk15QLl5JDuSIvKMrZYgvq4Ei9AlmvJr80z_4HfMD2rwCMq3BoaIzlG-Pq44mnnPWO36p2885roPf11bW--VKzlugFpXCYRCSKwpPORb4kH-FiqvE65v3AA_9fo4WtgG1HO5w94cBmE_DqWcrtuNaKcwDpEXkJJtcmDVqQ978Jpuaw-YkS0aMOLbkVJ-tRjgQxYINtBhT29TxT0aS-4kOm9hXbSFAy84ss8pOEIPNmFmWxqwxNHyFT6gXiDaI-4KydSSb88JXi18PJfVJyV0GM3Pm8JkbwLw
6、登陆dashboard
需要使用https协议,可以看到有两种登陆方式,这里我们采用令牌的方式,就是上一步获取到的tocken
访问地址:https://10.10.0.17:30721 (这里访问地址任已节点IP即可,端口是dashboard service映射到主机的端口)
选择令牌登陆,输入上一步获取的tocken值输入登陆即可。
至此,Dashboard已经部署完毕,并创建集群管理员账号可以登陆,可以对集群进行管理。