0%

部署kubernetes-dashboard_apiserver方式

部署kubernetes-dashboard的方式,也可以理解为归纳为访问kubernetes服务的方式,目前有下面4种方式:

  1. kubectl proxy (官方推荐,最简单,但必须在master节点上有图形界面)
  2. 通过集群APISERVER访问(适用于集群多节点,推荐)
  3. NodePort端口映射(暴露master节点端口号,安全性不好,只适用于开发环境或单节点环境,不推荐)
  4. ingress (通过反向代理集成,还没实践过)

这里介绍第二种,通过API访问方式来部署

前提:kubernetes基本组件已正确安装
# kubectl get cs

1
2
3
4
5
NAME                 STATUS    MESSAGE              ERROR
NAME STATUS MESSAGE ERROR
controller-manager Healthy ok
scheduler Healthy ok
etcd-0 Healthy {"health":"true"}

$ kubectl get nodes -o wide

1
2
3
master1   Ready    master   7h15m   v1.15.10   192.168.0.6    <none>        CentOS Linux 7 (Core)   3.10.0-862.el7.x86_64   docker://18.6.3
worker1 Ready <none> 5h35m v1.15.10 192.168.0.7 <none> CentOS Linux 7 (Core) 3.10.0-862.el7.x86_64 docker://18.6.3
worker2 Ready <none> 3h42m v1.15.10 192.168.10.8 <none> CentOS Linux 7 (Core) 3.10.0-862.el7.x86_64 docker://18.6.3

kubernetes-dashboard.yaml(官方链接已失效,
https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml)文件进行了如下修改:

  1. 本地找不到镜像时才从网上拉取(imagePullPolicy: IfNotPresent )
  2. 登录token过期时间改为28800分钟 (- –token-ttl=28800 )

拉取dashboard镜像

以下操作必须在所有节点上执行
拉取镜像
# docker pull mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1
链接镜像
# docker tag mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1 k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1

部署dashboard插件

以下操作只需在master节点上执行

# kubectl apply -f kubernetes-dashboard.yaml

创建管理用户

创建服务账号

admin-user.yaml

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
# 创建服务账号
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kube-system

---

# 为账号绑定角色
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kube-system

# kubectl create -f admin-user.yaml

证书操作

生成crt证书文件
# grep 'client-certificate-data' /etc/kubernetes/admin.conf | head -n 1 | awk '{print $2}' | base64 -d >> kubecfg.crt
生成key公钥文件
# grep 'client-key-data' /etc/kubernetes/admin.conf | head -n 1 | awk '{print $2}' | base64 -d >> kubecfg.key
生成p12证书文件,用于稍后导入到客户端chrome浏览器(密码为空)
openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12 -name "kubernetes-client"

获取登录秘钥

上面创建完用户后,会自动生成秘钥
$ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')

1
2
3
4
5
6
7
8
9
10
11
12
13
Name:         admin-user-token-77fw4
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: admin-user
kubernetes.io/service-account.uid: ae6bbbc1-e805-48c4-a3ea-c83c3fcc67fe

Type: kubernetes.io/service-account-token

Data
====
ca.crt: 1025 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLTc3Znc0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJhZTZiYmJjMS1lODA1LTQ4YzQtYTNlYS1jODNjM2ZjYzY3ZmUiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06YWRtaW4tdXNlciJ9.IKm_IB-B94ng_EOVHCMFMIEBSfnpFrIu5IoA07A5MWptIJO-fvLW-Y6mg4igJlJGAOym_uGYpwTo4xN0upsZYgDfFeNxjo84KW_qQPfDOy04mlcDK3lVSka0FtyA5FOJtWYWmTUrhqarFutXRsGfujeP0ERB2ilBdZAg-6TM7G15aKQ24ZmWtQfhiugS4UvU9O7Ho5Z4FF9uu_0CbNKR9NmWN6MmcGzD47_qATR-wk8kIOXKIaBW5a32UMYxTAhkxxMf_o2djwVr3Sg47Q2JRi87FprJoYu-QlUXPIVaZ8tfurmyNFAgVrL8kAiC1qJGujrTICyCMt8YKaY8DSoWmw

token就是上面 token字段的值

登录kubernetes-dashboard

查看集群的API端口号
$ kubectl cluster-info

1
2
3
4
Kubernetes master is running at https://192.168.0.6:6443
KubeDNS is running at https://192.168.0.6:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

导入kubecfg.p12文件到浏览器, 打开浏览器,输入地址(
https://192.168.0.6:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy),选择“令牌”复制token到文本框,点击“登录”即可


复制token到文本框

kubernetes-dashboard.yaml

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Configuration to deploy release version of the Dashboard UI compatible with
# Kubernetes 1.8.
#
# Example usage: kubectl create -f <this_file>

# ------------------- Dashboard Secret ------------------- #

apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-certs
namespace: kube-system
type: Opaque

---
# ------------------- Dashboard Service Account ------------------- #

apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system

---
# ------------------- Dashboard Role & Role Binding ------------------- #

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
rules:
# Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
# Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
verbs: ["get", "update", "delete"]
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"]
# Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster"]
verbs: ["proxy"]
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kube-system

---
# ------------------- Dashboard Deployment ------------------- #

kind: Deployment
apiVersion: apps/v1beta2
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: kubernetes-dashboard
template:
metadata:
labels:
k8s-app: kubernetes-dashboard
spec:
containers:
- name: kubernetes-dashboard
image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
imagePullPolicy: IfNotPresent # 本地找不到镜像时才从网上拉取
ports:
- containerPort: 8443
protocol: TCP
args:
- --auto-generate-certificates
- --token-ttl=28800 # 登录token过期时间改为28800分钟
# Uncomment the following line to manually specify Kubernetes API server Host
# If not specified, Dashboard will attempt to auto discover the API server and connect
# to it. Uncomment only if the default does not work.
# - --apiserver-host=http://my-address:port
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
# Create on-disk volume to store exec logs
- mountPath: /tmp
name: tmp-volume
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 30
timeoutSeconds: 30
volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: kubernetes-dashboard-certs
- name: tmp-volume
emptyDir: {}
serviceAccountName: kubernetes-dashboard
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule

---
# ------------------- Dashboard Service ------------------- #

kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
ports:
- port: 443
targetPort: 8443
selector:
k8s-app: kubernetes-dashboard

参考资料:

https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/
https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/
https://www.jianshu.com/p/3fdcfbeb65d1