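K8S Dashboard is the official web-based user interface for managing a K8S cluster and displaying the cluster's state. A freshly installed K8S cluster does not include the Dashboard by default; it has to be created separately, as follows:

1. Download the Dashboard project manifest file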

[root@k8s-master-dev dashboard]# wget https://raw.githubusercontent.com/kubernetes/dashboard/be4f2813b7cc13f682f2af5025d42813c8e7fbd3/aio/deploy/recommended/kubernetes-dashboard.yaml
[root@k8s-master-dev dashboard]# ls
kubernetes-dashboard-amd64.tar  kubernetes-dashboard.yaml
[root@k8s-master-dev dashboard]# docker load < kubernetes-dashboard-amd64.tar
5f222ffea122: Loading layer [==================================================>]    123MB/123MB
Loaded image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
[root@k8s-master-dev dashboard]# kubectl apply -f kubernetes-dashboard.yaml
secret/kubernetes-dashboard-certs created
serviceaccount/kubernetes-dashboard created
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
deployment.apps/kubernetes-dashboard created
service/kubernetes-dashboard created
[root@k8s-master-dev dashboard]#
[root@k8s-master-dev ~]# kubectl get pods -n kube-system
NAME                                     READY     STATUS    RESTARTS   AGE
coredns-78fcdf6894-9t2x5                 1/1       Running   7          10d
coredns-78fcdf6894-tvbtd                 1/1       Running   6          10d
etcd-k8s-master-dev                      1/1       Running   6          10d
kube-apiserver-k8s-master-dev            1/1       Running   4          10d
kube-controller-manager-k8s-master-dev   1/1       Running   7          10d
kube-flannel-ds-amd64-9tmns              1/1       Running   1          10d
kube-flannel-ds-amd64-cn8v5              1/1       Running   7          10d
kube-flannel-ds-amd64-gwf76              1/1       Running   1          10d
kube-flannel-ds-amd64-v4g6w              1/1       Running   1          10d
kube-proxy-4ks89                         1/1       Running   1          10d
kube-proxy-b47qm                         1/1       Running   2          10d
kube-proxy-dz778                         1/1       Running   5          10d
kube-proxy-mg5rr                         1/1       Running   2          10d
kube-scheduler-k8s-master-dev            1/1       Running   7          10d
kubernetes-dashboard-5dd89b9875-9v7bm    1/1       Running   0          15h
[root@k8s-master-dev ~]#

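2. The Service created by the Dashboard project is of type ClusterIP, so it cannot be reached from outside. To let users outside the cluster access the Dashboard, change the Service type to NodePort, as shown below: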

[root@k8s-master-dev ~]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE
kube-dns               ClusterIP   10.96.0.10       <none>        53/UDP,53/TCP   10d
kubernetes-dashboard   ClusterIP   10.103.192.236   <none>        443/TCP         15h
[root@k8s-master-dev ~]#
[root@k8s-master-dev ~]# kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system
service/kubernetes-dashboard patched
[root@k8s-master-dev ~]#
[root@k8s-master-dev ~]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE
kube-dns               ClusterIP   10.96.0.10       <none>        53/UDP,53/TCP   10d
kubernetes-dashboard   NodePort    10.103.192.236   <none>        443:6774/TCP    15h
[root@k8s-master-dev ~]#

The Dashboard can then be reached from outside the cluster on port 6774 of any node's IP (over HTTPS), as shown in the figure below:

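3. The Dashboard runs as a Pod and performs no authentication of its own. When a client accesses the Dashboard Pod over HTTPS, it must present a ServiceAccount, and the Dashboard Pod then sends that ServiceAccount's information to the K8S cluster for authentication. This example therefore creates a ServiceAccount and binds it to the cluster-admin role, as shown below: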

[root@k8s-master-dev ~]# kubectl create serviceaccount dashboard-admin -n kube-system
serviceaccount/dashboard-admin created
[root@k8s-master-dev ~]# kubectl describe sa dashboard-admin -n kube-system
Name:                dashboard-admin
Namespace:           kube-system
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   dashboard-admin-token-7dx6b
Tokens:              dashboard-admin-token-7dx6b
Events:              <none>
[root@k8s-master-dev ~]# kubectl create clusterrolebinding dashboard-cluster-admin-binding --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
clusterrolebinding.rbac.authorization.k8s.io/dashboard-cluster-admin-binding created
[root@k8s-master-dev ~]# kubectl get secret -n kube-system | grep dashboard-admin
dashboard-admin-token-7dx6b                      kubernetes.io/service-account-token   3         2m
[root@k8s-master-dev ~]#
[root@k8s-master-dev ~]# kubectl describe secret dashboard-admin-token-7dx6b -n kube-system
Name:         dashboard-admin-token-7dx6b
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=dashboard-admin
              kubernetes.io/service-account.uid=02237028-49e9-11e9-a017-000c295011ce

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      <ServiceAccount token (JWT) elided>
[root@k8s-master-dev ~]#

The token of this ServiceAccount can now be used to access the Dashboard, as shown below:

4. Because the token is long and inconvenient to use, configure a kubeconfig to make access easier for users, as shown below:

[root@k8s-master-dev ~]# kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --server="http://192.168.20.79:6443" --embed-certs=true --kubeconfig=/root/cluster-admin.conf
Cluster "kubernetes" set.
[root@k8s-master-dev ~]# kubectl config view --kubeconfig=/root/cluster-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: http://192.168.20.79:6443
  name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
[root@k8s-master-dev ~]#

[root@k8s-master-dev ~]# DASHBOARD_ADMIN_TOKEN=$(kubectl describe secret dashboard-admin-token-7dx6b -n kube-system | tail -1|awk '{print $2}')
[root@k8s-master-dev ~]# kubectl config set-credentials dashboard-cluster-admin --token=$DASHBOARD_ADMIN_TOKEN --kubeconfig=/root/cluster-admin.conf
User "dashboard-cluster-admin" set.
[root@k8s-master-dev ~]# kubectl config view --kubeconfig=/root/cluster-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: http://192.168.20.79:6443
  name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users:
- name: dashboard-cluster-admin
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9ahmQtYWRtaW4tdG9rZW4tN2R4NmIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY29bnQudWlkIjoiMDIyMzcwMjgtNDllOS0xMWU5LWEwMTctMDAwYzI5NTAxMWNlIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.KH3V6eLmBo1VvvrpO7qtCOObNadjWya-yA1ALoYgjQLWszg8ifOedzjUcqKJ13Gxh4AMcQyYQRrEffb8PlMsaTZhXcISja7PY3QounNmcj35aTgLwarDX6zJj4FN6wZrUAQ2K0SZz591tVNl2JO1SumKJk7tAqgn9KX9ZYERzHBLO8HXQp5hRQvpuj73Djcp1UW--N_Meih8kmcV2x3lA0w28FZGJdqC7iniv2btCVOvk5brBd0z_qUc58E7DKII4QnJwD9zu1yfZ1vRRyv2Vz-K_5fkKs87TEo_sy7CsCnc5TtF8Cj9BjVUQ_wMb22i4CPY4VakXA05DNbCuOf9
[root@k8s-master-dev ~]#

Note: either of the following two methods retrieves the ServiceAccount token.

[root@k8s-master-dev ~]# kubectl get secret dashboard-admin-token-7dx6b -o jsonpath={.data.token} -n kube-system | base64 -d
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tN2R4NmIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2Nvd50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3aViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMDIyMzcwMjgtNDllOS0xMWU5LWEwMTctMDAwYzI5NTAxMWNlIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.KH3V6eLmBo1VvvrpO7qtCOObNadjWya-yA1ALoYgjQLWszg8ifOedzjUcqKJ13Gxh4AMcQyYQRrEffb8PlMsaTZhXcISja7PY3QounNmcj35aTgLwarDX6zJj4FN6wrUAQ2K0SZz591tVNl2JO1SumKJk7tAqgn9KX9ZYERzHBLO8HXQp5hRQvpyuj73Djcp1UW--N_Meih8kmcV2x3lA0w28FZGJdqC7iniv2btCVOvk5brBd0z_qUc58E7DKII4QnJwD9zu1yfZ1vRRyv2Vz-K_5fkKs87TEso_sy7CsCnc5TtF8Cj9BjVUQ_wMb22i4CPY4VakXA05DNbCuOf9
[root@k8s-master-dev ~]#
[root@k8s-master-dev ~]# kubectl describe secret dashboard-admin-token-7dx6b -n kube-system | tail -1|awk '{print $2}'
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tN2R4NmIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zsXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMDIyMzcwMjgtNDllOS0xMWU5LWEwMTctMDAwYzI5NTAxMWNlIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.KH3V6eLmBo1VvvrpO7qtCOObNadjWya-yA1ALoYgjQLWszg8ifOedzjUcqKJ13Gxh4AMcQyYQRrEffb8PlMsaTZhXcISja7PY3QounNmcj35aTgLwarDX6zJj4FN6wZrUAQ2K0SZz591tVNl2JO1SumKJk7tAqgn9KX9ZYERzHBLO8HXQp5hRvpyuj73Djcp1UW--N_Meih8kmcV2x3lA0w28FZGJdqC7iniv2btCVOvk5brBd0z_qUc58E7DKII4QnJwD9zu1yfZ1vbRyv2Vz-K_5fkKs87TEo_sy7CsCnc5TtF8Cj9BjVUQ_wMb22i4CPY4VakXA05DNbCuOf9
[root@k8s-master-dev ~]#

Create a context and switch the current context to it, as shown below:


[root@k8s-master-dev ~]# kubectl config set-context dashboard-cluster-admin@kubernetes --cluster=kubernetes --user=dashboard-cluster-admin --kubeconfig=/root/cluster-admin.conf
Context "dashboard-cluster-admin@kubernetes" created.
[root@k8s-master-dev ~]# kubectl config view --kubeconfig=/root/cluster-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: http://192.168.20.79:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: dashboard-cluster-admin
  name: dashboard-cluster-admin@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: dashboard-cluster-admin
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tN2R4NmIiLCJrdWJlcm5ldGVzLmlvL3NcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMDIyMzcwMjtNDllOS0xMWU5LWEwMTctMDAwYzI5NTAxMWNlIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.KH3V6eLmBo1VvvrpO7qtCOObNadjWya-yA1ALoYgjQLWszg8ifOedzjUcqKJ13Gxh4AMcQyYQRrEffb8PlMsaTZhXcISja7PY3QounNmcj35aTgLwarDX6zJj4FN6wZrUAQ2K0SZz591tVNl2JO1SumKJk7tAqgn9KX9ZYERzHBLO8XQp5hRQvpyuj73Djcp1UW--N_Meih8kmcV2x3lA0w28FZGJdqC7iniv2btCVOvk5brBd0z_qUc58E7DKII4QnJwD9zu1yfZ1vRRyv2Vz-K_5fkKs87TEo_sy7CsCnc5TtF8Cj9BjVUQ_wMb22i4CPY4VakXA05DNbCuOf9
[root@k8s-master-dev ~]#
[root@k8s-master-dev ~]# kubectl config use-context dashboard-cluster-admin@kubernetes --kubeconfig=/root/cluster-admin.conf
Switched to context "dashboard-cluster-admin@kubernetes".
[root@k8s-master-dev ~]# kubectl config view --kubeconfig=/root/cluster-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: http://192.168.20.79:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: dashboard-cluster-admin
  name: dashboard-cluster-admin@kubernetes
current-context: dashboard-cluster-admin@kubernetes
kind: Config
preferences: {}
users:
- name: dashboard-cluster-admin
  user:
    token: <ServiceAccount token (JWT) elided>
[root@k8s-master-dev ~]#

5. The kubeconfig is now complete. Copy the finished file to the user's computer and it is ready to use, as shown below:

yuandeMacBook-Pro:~ yuanjicai$ scp root@192.168.20.79:/root/cluster-admin.conf Desktop/
cluster-admin.conf                                                                                              100% 2640   867.5KB/s   00:00
yuandeMacBook-Pro:~ yuanjicai$
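
The file copied in step 5 carries the dashboard-admin token that step 3 bound to cluster-admin, so it is worth checking offline what it contains before handing it out. The script below is an added example, not part of the original post: it flags a server URL that is not https (the embedded CA is then never used to verify the API server), reports the embedded token's subject, and notes a missing `exp` claim. The function names, finding labels and the sample file with its fake token are constructed for illustration.

```bash
# Decode one base64url JWT segment (JWTs strip the '=' padding; restore it).
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | base64 -d 2>/dev/null
}

# Print one finding per line for the kubeconfig file given as $1.
# Assumes the flat layout that "kubectl config view" prints (one cluster, one user).
audit_kubeconfig() {
  local file=$1 server token claims sub
  server=$(awk '$1 == "server:" {print $2; exit}' "$file")
  token=$(awk '$1 == "token:" {print $2; exit}' "$file")
  case $server in
    https://*) ;;
    *) echo "PLAINTEXT_SERVER $server" ;;
  esac
  [ -n "$token" ] || return 0
  echo "STATIC_TOKEN_EMBEDDED"
  claims=$(b64url_decode "$(printf '%s' "$token" | cut -d. -f2)") || claims=""
  [ -n "$claims" ] || { echo "TOKEN_NOT_JWT"; return 0; }
  sub=$(printf '%s' "$claims" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p')
  [ -n "$sub" ] && echo "SUBJECT $sub"
  case $claims in
    *'"exp":'*) ;;
    *) echo "NO_EXPIRY" ;;   # token stays valid until its Secret is deleted
  esac
  return 0
}

# Constructed sample: same shape as the file built in step 4, with a fake token.
make_sample() {
  local payload
  payload=$(printf '%s' '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:kube-system:dashboard-admin"}' \
    | base64 | tr -d '=\n' | tr '/+' '_-')
  cat > "$1" <<EOF
clusters:
- cluster:
    server: http://192.168.20.79:6443
  name: kubernetes
users:
- name: dashboard-cluster-admin
  user:
    token: eyJhbGciOiJSUzI1NiJ9.${payload}.c2lnbmF0dXJl
EOF
}

tmp=$(mktemp); make_sample "$tmp"
audit_kubeconfig "$tmp"
rm -f "$tmp"
```

The SUBJECT line names the ServiceAccount whose role bindings decide what anyone holding the file can do.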

6. To create an administrator for the default namespace only, rather than for the whole cluster, use the following commands as a reference:

kubectl create serviceaccount def-ns-admin -n default
kubectl create rolebinding def-ns-bingding-admin --clusterrole=admin --serviceaccount=default:def-ns-admin
kubectl get secret
kubectl describe secret def-ns-admin-token-nlq7c
cd /etc/kubernetes/pki/
kubectl config set-cluster kubernetes --certificate-authority=ca.crt --server="http://192.168.20.79:6443" --embed-certs=true  --kubeconfig=/root/default-ns-admin.conf
DEF_NS_ADMIN_TOKEN=$(kubectl get secret def-ns-admin-token-nlq7c -o jsonpath={.data.token} | base64 -d)
kubectl config set-credentials def-ns-admin --token=$DEF_NS_ADMIN_TOKEN --kubeconfig=/root/default-ns-admin.conf
kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin --kubeconfig=/root/default-ns-admin.conf
kubectl config use-context def-ns-admin@kubernetes --kubeconfig=/root/default-ns-admin.conf

Supplement: proxying the Dashboard through an Ingress

# cat ingress-rule-dashboard-svc.yaml
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-rule-k8sdashd
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
    - k8sdashd-devel.domain.cn
    secretName: domain.cn-kubesystem-crt
  rules:
  - host: k8sdashd-devel.domain.cn
    http:
      paths:
      - path:
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
# kubectl  apply  -f  ingress-rule-dashboard-svc.yaml

Note: the secret domain.cn-kubesystem-crt must be created in the kube-system namespace beforehand.