1、部署前说明:

容器运行在 kube-system 命名空间。先给运行容器的节点打上 label:
kubectl label node k8s-node-01 dashboard=kubernetes-dashboard
kubectl label node k8s-node-02 dashboard=kubernetes-dashboard
kubectl get node --show-labels

2、kubernetes-dashboard 准备

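# Unpack the Kubernetes source tarball and enter the dashboard addon directory.
# Chained with && so a failed cd or extraction does not leave the remaining
# commands running in the wrong directory.
cd /apps/work/k8s/kubernetes \
  && tar -xvf kubernetes-src.tar.gz \
  && cd cluster/addons/dashboard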

3、修改kubernetes-dashboard 配置

### 1、修改dashboard-secret.yaml
删除以下内容(kubernetes-dashboard-certs 这个 Secret 改为在第 4 步用自己签发的证书手动创建):
-------------------------------------------------------------------------------------
apiVersion: v1
kind: Secret
metadata:
 labels:
   k8s-app: kubernetes-dashboard
   # Allows editing resource and makes sure it is created first.
   addonmanager.kubernetes.io/mode: EnsureExists
 name: kubernetes-dashboard-certs
 namespace: kube-system
type: Opaque
------------------------------------------------------------------------------------
修改后 vi dashboard-secret.yaml
apiVersion: v1
kind: Secret
metadata:
 labels:
   k8s-app: kubernetes-dashboard
   # Allows editing resource and makes sure it is created first.
   addonmanager.kubernetes.io/mode: EnsureExists
 name: kubernetes-dashboard-key-holder
 namespace: kube-system
type: Opaque
------------------------------------------------------------------------------------------------------------------------------------------------------
### 2、dashboard-controller.yaml
添加 - --token-ttl=43200(登录会话有效期,单位为秒,43200 秒即 12 小时;dashboard 默认是 15 分钟,会话越长,token 泄露后可被利用的时间也越长)
args:
         # PLATFORM-SPECIFIC ARGS HERE
         - --auto-generate-certificates
   	  - --token-ttl=43200
镜像替换:image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1 改为 image: juestnow/kubernetes-dashboard-amd64:v1.10.1(后者是 Docker Hub 上的第三方仓库,仅凭 tag 无法确认内容与官方镜像一致,建议核对镜像 digest,或先同步到自己信任的私有仓库再使用)
-----------------------------------------------------------------------------------------------------------------------------------------------------
修改后
vim dashboard-controller.yaml
-----------------------------------------------------------------------------------------------------------------------------------------------------
# ServiceAccount the dashboard pod runs as (see serviceAccountName below).
# NOTE(review): the RBAC bound to this account is not shown on this page —
# presumably it lives in the addon files that are left unchanged; verify.
apiVersion: v1
kind: ServiceAccount
metadata:
 labels:
   k8s-app: kubernetes-dashboard
   addonmanager.kubernetes.io/mode: Reconcile
 name: kubernetes-dashboard
 namespace: kube-system
---
# Deployment running the dashboard container in kube-system, serving HTTPS on
# container port 8443 with the key pair mounted from a Secret at /certs.
apiVersion: apps/v1
kind: Deployment
metadata:
 name: kubernetes-dashboard
 namespace: kube-system
 labels:
   k8s-app: kubernetes-dashboard
   kubernetes.io/cluster-service: "true"
   addonmanager.kubernetes.io/mode: Reconcile
spec:
 selector:
   matchLabels:
     k8s-app: kubernetes-dashboard
 template:
   metadata:
     labels:
       k8s-app: kubernetes-dashboard
     annotations:
       scheduler.alpha.kubernetes.io/critical-pod: ''
       # Requests the container runtime's default seccomp profile for the pod
       # (alpha annotation form).
       seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
   spec:
     priorityClassName: system-cluster-critical
     containers:
     - name: kubernetes-dashboard
       # NOTE(review): third-party Docker Hub repository referenced by tag only.
       # A tag can be re-pointed later, so pin the image by digest or mirror it
       # into a registry you control.
       # NOTE(review): no securityContext is set on this container (nothing
       # here enforces non-root, a read-only root filesystem or dropped
       # capabilities).
       image: juestnow/kubernetes-dashboard-amd64:v1.10.1
       resources:
         limits:
           cpu: 100m
           memory: 300Mi
         requests:
           cpu: 50m
           memory: 100Mi
       ports:
       - containerPort: 8443
         protocol: TCP
       args:
         # PLATFORM-SPECIFIC ARGS HERE
         # NOTE(review): presumably the dashboard serves dashboard.crt /
         # dashboard.key from /certs when they exist and only self-generates a
         # certificate otherwise — confirm against the dashboard documentation.
         - --auto-generate-certificates
         # Session token lifetime in seconds (43200 s = 12 h). A longer session
         # widens the window in which a leaked session can be reused.
         - --token-ttl=43200
       volumeMounts:
       # TLS certificate and private key, from the Secret volume defined below.
       - name: kubernetes-dashboard-certs
         mountPath: /certs
       - name: tmp-volume
         mountPath: /tmp
       livenessProbe:
         httpGet:
           scheme: HTTPS
           path: /
           port: 8443
         initialDelaySeconds: 30
         timeoutSeconds: 30
     volumes:
     # The Secret must exist before the pod can start; this page creates it by
     # hand with `kubectl create secret generic kubernetes-dashboard-certs`.
     - name: kubernetes-dashboard-certs
       secret:
         secretName: kubernetes-dashboard-certs
     - name: tmp-volume
       emptyDir: {}
     serviceAccountName: kubernetes-dashboard
     tolerations:
     - key: "CriticalAddonsOnly"
       operator: "Exists"
--------------------------------------------------------------------------------------------------------------------------------------------------------
###3、修改dashboard-service.yaml
vim dashboard-service.yaml
# Service in front of the dashboard pods: port 443 forwards to the container's
# HTTPS port 8443.
apiVersion: v1
kind: Service
metadata:
 name: kubernetes-dashboard
 namespace: kube-system
 labels:
   k8s-app: kubernetes-dashboard
   kubernetes.io/cluster-service: "true"
   addonmanager.kubernetes.io/mode: Reconcile
spec:
 # Added line. NodePort opens the same port on every node, so the dashboard
 # login page is reachable from any network that can reach a node IP; restrict
 # the source addresses with a firewall or security group.
 # No nodePort is set under ports, so the port number is assigned by the cluster.
 type: NodePort # added line
 selector:
   k8s-app: kubernetes-dashboard
 ports:
 - port: 443
   targetPort: 8443
指定端口类型为 NodePort,这样外界可以通过地址 nodeIP:nodePort 访问 dashboard。注意这会在每个节点的 nodePort 上暴露 dashboard 登录页,应通过防火墙或安全组限制可访问的来源地址。
--------------------------------------------------------------------------------------------------------------------------------------------------------
其它文件保持不变。一定要给节点打标签,不然容器不会部署运行(上文给出的 Deployment 中未见 nodeSelector,如需按标签调度,请确认 Pod 模板里有对应的 nodeSelector)。

4、创建kubernetes-dashboard 证书

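 # Create and enter a certs/ working directory under the dashboard addon
 # directory. The directory will hold the dashboard's private key, so it is
 # created owner-only (-m 700); -p keeps a re-run from failing when it already
 # exists. Chained with && so a failed step stops the sequence.
 cd /apps/work/k8s/kubernetes/cluster/addons/dashboard \
   && mkdir -p -m 700 certs \
   && cd certs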
   创建dashboard证书
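# Write the cfssl certificate request for the dashboard's TLS certificate
# (RSA 2048, CN=dashboard) and echo it to the terminal.
# NOTE(review): "hosts" holds only an empty string, so none of the names or IPs
# the dashboard is reached by are listed for the certificate. Hostname
# verification is therefore expected to fail even with the CA imported; list
# the real DNS names / IPs used to reach the dashboard here.
# The heredoc delimiter is quoted so the shell expands nothing inside the JSON.
tee /apps/work/k8s/cfssl/k8s/dashboard.json << 'EOF'
{
 "CN": "dashboard",
 "hosts": [""], 
 "key": {
   "algo": "rsa",
   "size": 2048
 },
 "names": [
   {
     "C": "CN",
     "ST": "GuangDong",
     "L": "GuangZhou",
     "O": "niuke",
     "OU": "niuke"
   }
 ]
}
EOF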
##### 生成kubernetes-dashboard 证书,当然如果有外部签发的证书也可以使用
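# Sign the dashboard request with the cluster CA, then rename the outputs to
# dashboard.crt / dashboard.key, the file names later stored in the
# kubernetes-dashboard-certs Secret.
# NOTE(review): this signs with the cluster CA under the "kubernetes" profile.
# ca-config.json is not shown here, so confirm that profile does not also
# allow "client auth": if it does, this key pair could also be accepted as an
# API-server client credential (CN=dashboard). A server-auth-only profile or a
# separate CA is the safer choice.
# dashboard-key.pem / dashboard.key is a private key: keep this directory
# owner-only and delete the local copy once the Secret has been created.
# The steps are chained with && so the renames run only if signing succeeded.
cfssl gencert \
  -ca=/apps/work/k8s/cfssl/pki/k8s/k8s-ca.pem \
  -ca-key=/apps/work/k8s/cfssl/pki/k8s/k8s-ca-key.pem \
  -config=/apps/work/k8s/cfssl/ca-config.json \
  -profile=kubernetes \
  /apps/work/k8s/cfssl/k8s/dashboard.json \
  | cfssljson -bare ./dashboard \
  && mv dashboard.pem dashboard.crt \
  && mv dashboard-key.pem dashboard.key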
   	创建证书secret
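   	# Store the key pair as the Secret that the Deployment mounts at /certs.
   	kubectl create secret generic kubernetes-dashboard-certs --from-file=dashboard.key --from-file=dashboard.crt -n kube-system
   	kubectl get secret -n kube-system | grep dashboard
   	# Verify with `describe`, which lists the data keys and their sizes only.
   	# `-o yaml` would print the base64-encoded private key into the terminal
   	# and any session log.
   	kubectl describe secret kubernetes-dashboard-certs -n kube-system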

5、创建kubernetes-dashboard 服务

kubectl create -f  .
或者
kubectl apply -f  .

6、检查kubernetes-dashboard 服务 是否 创建成功

建议使用火狐浏览器访问:火狐浏览器的 CA 导入是独立的,请自行导入 k8s CA 证书,不然访问不了。注意导入后浏览器会信任该 CA 签发的所有证书,建议只在专用的浏览器配置文件中导入。
kubectl get deployment kubernetes-dashboard  -n kube-system
NAME                   READY   UP-TO-DATE   AVAILABLE   AGE
kubernetes-dashboard   1/1     1            1           49d
kubectl --namespace kube-system get pods -o wide| grep kubernetes-dashboard
[root@jenkins certs]# kubectl --namespace kube-system get pods -o wide| grep kubernetes-dashboard
kubernetes-dashboard-8b6ff74d4-tq4rt       1/1     Running   1          47d   10.65.0.36    node01    <none>           <none>
kubectl get services kubernetes-dashboard -n kube-system
[root@jenkins certs]# kubectl get services kubernetes-dashboard -n kube-system
NAME                   TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)         AGE
kubernetes-dashboard   NodePort   10.64.153.65   <none>        443:51874/TCP   49d
外部访问
https://10.64.153.65
或者
kubectl cluster-info 
[root@jenkins certs]# kubectl cluster-info 
Kubernetes master is running at https://api.k8s.niuke.local:6443
CoreDNS is running at https://api.k8s.niuke.local:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
kubernetes-dashboard is running at https://api.k8s.niuke.local:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
在远程浏览器中打开。注意路由必须可达:k8s-master 要能访问容器网络及 k8s 网络,否则这种方案打不开网站。
https://api.k8s.niuke.local:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy 
又或者
https://10.65.0.36:8443 
还可以所有的node 节点ip 加端口51874访问
我这边几个网络都跟办公网络打通可以直接访问的

7、创建kubernetes-dashboard token 登录

7.1、 生成token

创建 token
kubectl create sa dashboard-admin -n kube-system
授权 token 访问权限(注意:这里绑定的是 cluster-admin,持有该 token 即拥有整个集群的全部权限;日常使用建议改为绑定权限更小的角色)
kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
获取token 
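# Name of the token Secret attached to the dashboard-admin ServiceAccount.
# It is read from the ServiceAccount object itself; grepping the Secret list
# would also match any other Secret whose name contains "dashboard-admin" and
# could yield several names at once.
ADMIN_SECRET=$(kubectl get sa dashboard-admin -n kube-system -o jsonpath='{.secrets[0].name}')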
获取dashboard.kubeconfig 使用token   值
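# Read the bearer token straight from the Secret's data field and decode it,
# instead of scraping the human-readable `kubectl describe` output.
# ADMIN_SECRET must already hold the Secret name from the previous command.
DASHBOARD_LOGIN_TOKEN=$(kubectl get secret "${ADMIN_SECRET}" -n kube-system -o jsonpath='{.data.token}' | base64 -d)
# This prints a cluster-admin bearer token: avoid running it in a shared,
# recorded or screen-shared terminal session.
printf '%s\n' "${DASHBOARD_LOGIN_TOKEN}"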

7.2、创建使用 token 的 Kubeconfig 文件

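# Build dashboard.kubeconfig in the current directory: cluster entry with the
# CA certificate embedded, a user entry carrying the dashboard-admin token,
# and a default context tying the two together.
# The resulting file embeds a cluster-admin bearer token in clear text, so
# treat it as a credential: keep it owner-readable only and delete copies that
# are no longer needed.
KUBE_APISERVER="https://api.k8s.niuke.local:6443"

# Stop here if the token from step 7.1 is missing; otherwise a kubeconfig with
# an empty token would be written and only fail later at login.
: "${DASHBOARD_LOGIN_TOKEN:?DASHBOARD_LOGIN_TOKEN is empty; run step 7.1 first}"

# Cluster parameters: API server URL plus the embedded CA certificate.
kubectl config set-cluster kubernetes \
  --certificate-authority=/apps/work/k8s/cfssl/pki/k8s/k8s-ca.pem \
  --embed-certs=true \
  --server="${KUBE_APISERVER}" \
  --kubeconfig=dashboard.kubeconfig

# Client credentials: the token created above. The value is passed on
# kubectl's command line, so it is briefly visible in this host's process list.
kubectl config set-credentials dashboard_user \
  --token="${DASHBOARD_LOGIN_TOKEN}" \
  --kubeconfig=dashboard.kubeconfig

# Context binding the cluster entry to the user entry.
kubectl config set-context default \
  --cluster=kubernetes \
  --user=dashboard_user \
  --kubeconfig=dashboard.kubeconfig

# Make that context the default one in this kubeconfig.
kubectl config use-context default --kubeconfig=dashboard.kubeconfig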

7.3 验证kubernetes-dashboard token 登录

sz dashboard.kubeconfig
https://10.65.0.36:8443/#!/login

选择 Kubeconfig,单击下面的 choose Kubeconfig file,选择 dashboard.kubeconfig,点击登录。dashboard.kubeconfig 中内嵌了 cluster-admin 权限的 token,下载到本地后请按凭据妥善保管。登录成功后界面
