0%

部署kubernetes-dashboard_NodePort方式

部署kubernetes-dashboard的方式,也可以理解为归纳为访问kubernetes服务的方式,目前有下面4种方式:

  1. kubectl proxy (官方推荐,最简单,但必须在master节点上有图形界面)
  2. 通过集群APISERVER访问(适用于集群多节点,推荐)
  3. NodePort端口映射(暴露master节点端口号,安全性不好,只适用于开发环境或单节点环境,不推荐)
  4. ingress (通过反向代理集成,还没实践过)

这里介绍第三种,通过NodePort端口映射方式来部署

前提:kubernetes基本组件已正确安装
# kubectl get cs

1
2
3
4
NAME                 STATUS    MESSAGE              ERROR
controller-manager Healthy ok
scheduler Healthy ok
etcd-0 Healthy {"health": "true"}

# kubectl get nodes -o wide

1
2
NAME         STATUS   ROLES    AGE     VERSION    INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                KERNEL-VERSION          CONTAINER-RUNTIME
centos75-2 Ready master 4h48m v1.13.12 192.168.0.7 <none> CentOS Linux 7 (Core) 3.10.0-862.el7.x86_64 docker://18.6.3

kubernetes-dashboard.yaml(官方链接已失效,
https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml)文件进行了如下修改:

  1. 不用官方默认证书(只能在Firefox浏览器上能打开),改用自签名证书
  2. 本地找不到镜像时才从网上拉取(imagePullPolicy: IfNotPresent )
  3. 登录token过期时间改为28800分钟 (- –token-ttl=28800 )
  4. NodePort端口设置(type: NodePort nodePort: 32532 )

拉取dashboard镜像

拉取镜像
# docker pull mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1
链接镜像
# docker tag mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1 k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1

生成自签名证书

生成证书请求的key
# openssl genrsa -out dashboard.key 2048

生成证书请求
# openssl req -new -out dashboard.csr -key dashboard.key -subj '/CN=192.168.0.7'

生成自签名证书,过期时间为3650天
# openssl x509 -days 3650 -req -in dashboard.csr -signkey dashboard.key -out dashboard.crt

部署dashboard插件

# kubectl apply -f kubernetes-dashboard.yaml

确认NodePort端口已经开放
# kubectl --namespace=kube-system get service kubernetes-dashboard

1
2
NAME                   TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
kubernetes-dashboard NodePort 10.109.196.25 <none> 443:32532/TCP 5h5m

如果没开放,可以重新编辑(# kubectl --namespace=kube-system edit service kubernetes-dashboard

创建证书

# kubectl create secret generic kubernetes-dashboard-certs --from-file=dashboard.key --from-file=dashboard.crt -n kube-system

查看dashaboard的pod是否处于running状态
# kubectl get pods --all-namespaces

1
kube-system   kubernetes-dashboard-5b765cfb57-ts9d8   1/1     Running   0          4h18m

如果不是running状态,可以删掉pod (kubectl delete pod -n kubernetes-dashboard <pod名> )重新部署dashboard插件

排错命令
# kubectl describe pod kubernetes-dashboard-5b765cfb57-vmlw6 --namespace=kube-system

创建管理用户

创建服务账号

admin-user.yaml

1
2
3
4
5
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kube-system

kubectl create -f admin-user.yaml

为用户绑定角色

admin-user-role-binding.yaml

1
2
3
4
5
6
7
8
9
10
11
12
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kube-system

# kubectl create -f admin-user.yaml

也可以把两个yaml文件合成一个,中间用”—“隔开,用一个”kubectl create”语句即可

获取登录秘钥

上面创建完用户后,会自动生成秘钥
`# kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk ‘{print $1}’)

1
2
3
4
5
6
7
8
9
10
11
12
13
Name:         admin-user-token-44dt9
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: admin-user
kubernetes.io/service-account.uid: eb2bb262-5498-11ea-8b9d-080027720348

Type: kubernetes.io/service-account-token

Data
====
ca.crt: 1025 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLTQ0ZHQ5Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJlYjJiYjI2Mi01NDk4LTExZWEtOGI5ZC0wODAwMjc3MjAzNDgiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06YWRtaW4tdXNlciJ9.A8CTyYWgBbWTkbOLBzpdw0ConJ6mjBOn-OSGeVL0GlUWWEnfHq8HvII4m8s7sILDKVIx3YLwLpIw8xgpIl1OhrHcTJ-Z28dnxEL-5AWNMhZUErp47gYf5Ij4oq7Up0eiNE9UwXgnPEjWsiKuCdcW8k_537Ns7MKgToXOVB_uA8t89h5ozznF8EWIavOC_ZH238OpOmyPbeI7zoitZhB0jhY1Dzo05QqGL3teklv-GEcZdo-_5Z90jIwqFGEH8b3n4Q-XI5ZZEljC0mVSd4rdse8WeLV7DR0WTUfGS7noBETmeiO31MBBCbRAf-5JG01jkiaZ8HCkzo4Ik1_fcGgX9g

token就是上面 token字段的值

登录kubernetes-dashboard

打开浏览器,输入地址(https://192.168.0.7:32532/),选择“令牌”复制token到文本框,点击“登录”即可

复制token到文本框

kubernetes-dashboard.yaml

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Configuration to deploy release version of the Dashboard UI compatible with
# Kubernetes 1.8.
#
# Example usage: kubectl create -f <this_file>

# ------------------- Dashboard Secret ------------------- #

#apiVersion: v1 # 不使用官方默认证书(只能在Firefox浏览器上打开)
#kind: Secret
#metadata:
# labels:
# k8s-app: kubernetes-dashboard
# name: kubernetes-dashboard-certs
# namespace: kube-system
#type: Opaque
#
---
# ------------------- Dashboard Service Account ------------------- #

apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system

---
# ------------------- Dashboard Role & Role Binding ------------------- #

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
rules:
# Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
# Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
verbs: ["get", "update", "delete"]
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"]
# Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster"]
verbs: ["proxy"]
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kube-system

---
# ------------------- Dashboard Deployment ------------------- #

kind: Deployment
apiVersion: apps/v1beta2
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: kubernetes-dashboard
template:
metadata:
labels:
k8s-app: kubernetes-dashboard
spec:
containers:
- name: kubernetes-dashboard
image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
imagePullPolicy: IfNotPresent # 本地找不到镜像时才从网上拉取
ports:
- containerPort: 8443
protocol: TCP
args:
- --auto-generate-certificates
- --token-ttl=28800 # 登录token过期时间改为28800分钟
# Uncomment the following line to manually specify Kubernetes API server Host
# If not specified, Dashboard will attempt to auto discover the API server and connect
# to it. Uncomment only if the default does not work.
# - --apiserver-host=http://my-address:port
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
# Create on-disk volume to store exec logs
- mountPath: /tmp
name: tmp-volume
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 30
timeoutSeconds: 30
volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: kubernetes-dashboard-certs
- name: tmp-volume
emptyDir: {}
serviceAccountName: kubernetes-dashboard
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule

---
# ------------------- Dashboard Service ------------------- #

kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
type: NodePort # NodePort, 不用注释
ports:
- port: 443
targetPort: 8443
nodePort: 32532 # NodePort端口号
selector:
k8s-app: kubernetes-dashboard

参考资料:

https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/
https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md
https://www.cnblogs.com/life-of-coding/p/11794993.html