Kubernetes 1.13: installing the dashboard

7. Installing the dashboard

1. Download kubernetes-dashboard.yaml (this walkthrough uses dashboard v1.10.1; the master-branch URL below moves over time, so pin the manifest to the release you actually intend to run)

wget https://raw.githubusercontent.com/kubernetes/dashboard/master/aio/deploy/recommended/kubernetes-dashboard.yaml

2. If k8s.gcr.io is unreachable, point the Deployment's image at a mirror (mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1), then install. A third-party mirror is an extra party in your supply chain: compare the mirrored image's digest with the official one before running it.

[root@master] ~$ kubectl create -f kubernetes-dashboard.yaml 
secret/kubernetes-dashboard-certs created
serviceaccount/kubernetes-dashboard created
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
deployment.apps/kubernetes-dashboard created
service/kubernetes-dashboard created

3. Wait a moment; once the pod is running, check the service:

[root@master] ~$ kubectl get service --all-namespaces
NAMESPACE     NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE
default       example-service        NodePort    10.107.118.34    <none>        80:30952/TCP    23m
default       kubernetes             ClusterIP   10.96.0.1        <none>        443/TCP         123m
kube-system   kube-dns               ClusterIP   10.96.0.10       <none>        53/UDP,53/TCP   123m
kube-system   kubernetes-dashboard   ClusterIP   10.107.116.183   <none>        443/TCP         6m5s

Describe the service

[root@master] ~$ kubectl describe  service kubernetes-dashboard -n kube-system
Name:              kubernetes-dashboard
Namespace:         kube-system
Labels:            k8s-app=kubernetes-dashboard
Annotations:       <none>
Selector:          k8s-app=kubernetes-dashboard
Type:              ClusterIP
IP:                10.107.116.183
Port:              <unset>  443/TCP
TargetPort:        8443/TCP
Endpoints:         10.244.2.2:8443
Session Affinity:  None
Events:            <none>

Describe the pod

[root@master] ~$ kubectl describe pod  kubernetes-dashboard-57df4db6b-wlwl4 --namespace=kube-system
Name:               kubernetes-dashboard-57df4db6b-wlwl4
Namespace:          kube-system
Priority:           0
PriorityClassName:  <none>
Node:               slave2.hanli.com/192.168.255.122

3) Grant the dashboard account cluster-admin rights

This step is critical: without it the dashboard reports a string of forbidden errors once you are in, for example:

configmaps is forbidden: User "system:serviceaccount:kube-system:service-controller" cannot list resource "configmaps" in API group "" in the namespace "default"

persistentvolumeclaims is forbidden: User "system:serviceaccount:kube-system:service-controller" cannot list resource "persistentvolumeclaims" in API group "" in the namespace "default"

.....

To get cluster-admin rights, first create a file kubernetes-dashboard-admin.rbac.yaml with the content below. Be aware of what it grants: cluster-admin is the built-in ClusterRole with unrestricted access to every API in the cluster. For day-to-day browsing, binding the built-in view ClusterRole (read-only, and it excludes Secrets) to the same service account is usually enough, and the token produced below should be guarded in proportion to whatever you bind.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
---
# Create ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system

Apply it:

[root@master] ~$ kubectl create -f kubernetes-dashboard-admin.rbac.yaml

Find the token of the admin-user service account and note it down; you will use it to log in. By default this token never expires (it is a legacy secret-based service account token with no expiry claim), so treat it like a root password: anyone holding it has cluster-admin until the backing secret is deleted.

[root@master] ~$ kubectl -n kube-system get secret | grep admin-user
admin-user-token-2zc6r                           kubernetes.io/service-account-token   3      27s

[root@master] ~$ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')
Name:         admin-user-token-2zc6r
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: admin-user
              kubernetes.io/service-account.uid: 0a358e70-18d2-11e9-a9d0-000c29245f60

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLTJ6YzZyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIwYTM1OGU3MC0xOGQyLTExZTktYTlkMC0wMDBjMjkyNDVmNjAiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06YWRtaW4tdXNlciJ9.nXbQv2KEkuEEJgkxQYfuMtiXOsWaMm1E_34dybyPoeSuChxlzA7HlQ13mtcTSIjmA7rVMv22XN0A2dTf6bbb-31XLLAcmWwzy1cajJCXcO5zjhUYdNHZwGb2sLE4WyDcMlXIjPLGFYflnLJQ_fkU6RfnjHU0Th3tJ_YRJvcPt7eieeG2lEF6iRl48kdF0IduOWh749AzMXqxdDbW56YlazD7dzBkyHDlrpYZvC93-a-BPYXR5MpFEYSUNQWg-PILkFgwWBP0dnpbBcS80BzmuaslEhE8bSq_JZ5h_aQjM0fhN2ogPQM-6cuKXPTmLnsQQ9NN4Vjrg0YSmsfHp9OwFw
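As an added example, not part of the original post: decoding the token printed above. A service account token is a JWT; its middle segment is a base64url-encoded JSON payload. The script takes the token exactly as it appears in the describe output, decodes the payload with standard tools, pulls individual claims out and checks for an exp claim. The function names are this example's own; fetch_sa_token shows the jsonpath way to read the live token and is the only part that needs a cluster, so it is defined but not called.

```shell
# Added example, not from the original post: inspect the service-account
# token printed above. A JWT is header.payload.signature, each segment
# base64url without padding; only the payload is decoded here, the
# signature is left to the API server.

# base64url -> base64: swap the alphabet, restore the stripped '=' padding.
b64url_decode() {
  local s pad
  s=$(printf '%s' "$1" | tr '_-' '/+')
  pad=$(( (4 - ${#s} % 4) % 4 ))
  while [ "$pad" -gt 0 ]; do s="${s}="; pad=$((pad - 1)); done
  printf '%s' "$s" | base64 -d
}

# The JSON claims of a JWT (second dot-separated segment).
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Value of one string claim ($2) without needing jq. '|' is the sed
# delimiter because claim names here contain '/'.
jwt_claim() {
  jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# "yes" if the claims carry exp (the token expires), "no" otherwise.
jwt_expires() {
  if jwt_payload "$1" | grep -q '"exp"'; then echo yes; else echo no; fi
}

# Pull the live token by jsonpath instead of grepping `describe` output.
# Needs kubectl access to the cluster, so it is defined but not called here.
fetch_sa_token() {
  local ns="$1" sa="$2" secret
  secret=$(kubectl -n "$ns" get sa "$sa" -o jsonpath='{.secrets[0].name}')
  kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.token}' | base64 -d
}

# The token exactly as printed by `describe secret` above.
ADMIN_TOKEN='eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLTJ6YzZyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIwYTM1OGU3MC0xOGQyLTExZTktYTlkMC0wMDBjMjkyNDVmNjAiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06YWRtaW4tdXNlciJ9.nXbQv2KEkuEEJgkxQYfuMtiXOsWaMm1E_34dybyPoeSuChxlzA7HlQ13mtcTSIjmA7rVMv22XN0A2dTf6bbb-31XLLAcmWwzy1cajJCXcO5zjhUYdNHZwGb2sLE4WyDcMlXIjPLGFYflnLJQ_fkU6RfnjHU0Th3tJ_YRJvcPt7eieeG2lEF6iRl48kdF0IduOWh749AzMXqxdDbW56YlazD7dzBkyHDlrpYZvC93-a-BPYXR5MpFEYSUNQWg-PILkFgwWBP0dnpbBcS80BzmuaslEhE8bSq_JZ5h_aQjM0fhN2ogPQM-6cuKXPTmLnsQQ9NN4Vjrg0YSmsfHp9OwFw'

jwt_payload "$ADMIN_TOKEN"; echo
echo "subject: $(jwt_claim "$ADMIN_TOKEN" sub)"
echo "secret:  $(jwt_claim "$ADMIN_TOKEN" kubernetes.io/serviceaccount/secret.name)"
echo "expires: $(jwt_expires "$ADMIN_TOKEN")"
```

The decoded claims are iss, the namespace, the backing secret's name, the service account's name and uid, and sub; there is no exp, which is what "permanent" means here. Revoking it means deleting the secret (the API server looks the secret up when it validates the token), so the cleanest fix after a leak is to delete and recreate the service account. On a live cluster, fetch_sa_token kube-system admin-user replaces the grep/awk chain used on this page.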

4. Accessing the dashboard

Official docs: https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above

https://github.com/kubernetes/dashboard/wiki/Creating-sample-user

Reference: http://www.voidcn.com/article/p-ybwenzlk-bsd.html

There are three ways to reach it.

1) kubectl proxy (development and testing only, not recommended)

[root@master] ~$ kubectl proxy
Starting to serve on 127.0.0.1:8001

From a browser on the VM itself, open http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

A dashboard reached through kubectl proxy must not be exposed publicly, because the proxy only speaks plain HTTP. Sign-in only works from localhost or 127.0.0.1: from any other host the dashboard refuses to send credentials over an insecure connection, so clicking Sign in on the login page does nothing, and choosing Skip leaves you with the dashboard service account's own permissions, which are almost none.

This method is for development and testing only. To make testing easier, the following config raises the dashboard's default permissions to super-user. Understand what it does: it binds the dashboard's own service account (kubernetes-dashboard, already created by the manifest in step 2) to cluster-admin, so anyone who can reach the dashboard UI and clicks Skip gets cluster-admin without presenting any credential. Never do this on a cluster anyone else can reach. Because the ServiceAccount already exists, load this file with kubectl apply -f rather than kubectl create -f.

vim kubernetes-dashboard-test.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
---
# Create ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

2) NodePort (not recommended)

The Service is currently of type ClusterIP; for convenience, change it to NodePort with the command below. A NodePort is bound on every node's interfaces, so this exposes the dashboard's TLS port to whatever network the nodes sit on, protected only by the token prompt.

[root@master] ~$ kubectl -n kube-system edit service kubernetes-dashboard

Change type: ClusterIP to type: NodePort and save; kubectl confirms:

service/kubernetes-dashboard edited

The same change as a one-liner:

kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system

Check the service again; it is now of type NodePort:

[root@master] ~$ kubectl -n kube-system get service kubernetes-dashboard
NAME                   TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE
kubernetes-dashboard   NodePort   10.107.116.183   <none>        443:31677/TCP   48m

You can now open https://192.168.255.130:31677/ in the VM's browser (192.168.255.130 is the master's IP). kube-proxy answers on that port on every node, but on a multi-node cluster you can also find the node the dashboard pod is actually scheduled on with

kubectl describe pod `kubectl get pods --all-namespaces -o wide |grep dashboard |awk '{print $2}'` -n kube-system |grep Node

and open https://<node-ip>:<nodePort>. Expect a certificate warning: unless you put your own certificate into the kubernetes-dashboard-certs secret, the dashboard serves an auto-generated self-signed one.

3) API server proxy (recommended)

This method lets you use the dashboard from Chrome on your own workstation, which is convenient, but it takes a little more configuration.

This section draws on:
http://www.voidcn.com/article/p-ybwenzlk-bsd.html
http://www.525.life/article?id=1510739742372

1. Check the cluster info

[root@master] ~$ kubectl cluster-info
Kubernetes master is running at https://192.168.255.130:6443
KubeDNS is running at https://192.168.255.130:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

Then open https://192.168.255.130:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ in a browser. The response is:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "services \"kube-dns:dns\" is forbidden: User \"system:anonymous\" cannot get services/proxy in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "kube-dns:dns",
    "kind": "services"
  },
  "code": 403
}

The 403 means the request got past authentication but was rejected by authorization (the resource named in this Status is kube-dns:dns, the KubeDNS proxy path from cluster-info; the dashboard proxy path is refused the same way). Recent Kubernetes enables RBAC by default and gives every unauthenticated request the identity system:anonymous, which has no right to services/proxy.

The API server authenticates clients by certificate, and the browser holds none, so we export a client certificate for it.

3. Create the certificate

First locate kubectl's config file. With kubeadm it is /etc/kubernetes/admin.conf, which is normally already copied to $HOME/.kube/config; if it is not there, copy it manually.

cat $HOME/.kube/config

If the cluster config is present, run the following to produce a PKCS#12 bundle the browser can import (note the single > rather than >>: appending would leave two concatenated PEM blocks in the file on a second run):

# extract client-certificate-data
grep 'client-certificate-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.crt

# extract client-key-data
grep 'client-key-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.key

# bundle key and certificate into a PKCS#12 file
openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12 -name "kubernetes-client"

Set an export password when prompted and remember it; the browser asks for it at import time.
When the command finishes, kubecfg.p12 is in the current directory. Delete kubecfg.key once the bundle exists and keep the .p12 safe: the certificate in admin.conf is CN=kubernetes-admin in group system:masters, which the API server treats as superuser regardless of RBAC, and Kubernetes has no certificate revocation, so a leaked bundle is cluster root until the cluster CA is rotated.
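As an added example, not from the original post: the same extraction done into a scratch directory, followed by a check of who the certificate says you are before it goes into a browser. The function names (kubecfg_extract, cert_subject, cert_is_system_masters, make_p12, make_demo_kubeconfig) are this example's own. It does not touch a real cluster: make_demo_kubeconfig builds a throwaway key and self-signed certificate with the subject kubeadm gives admin.conf (CN=kubernetes-admin, O=system:masters) and wraps it in a minimal kubeconfig; that is constructed input, not data from any cluster.

```shell
# Added example, not from the original post. Same extraction as the steps
# above, but into a scratch directory, writing with '>' (a second run of
# '>>' would append a second PEM), and with a look at the identity in the
# certificate before it is handed to a browser.

# Pull the client cert and key out of a kubeconfig ($1) into a directory ($2).
kubecfg_extract() {
  local cfg="$1" out="$2"
  grep 'client-certificate-data' "$cfg" | head -n 1 | awk '{print $2}' | base64 -d > "$out/kubecfg.crt"
  grep 'client-key-data' "$cfg" | head -n 1 | awk '{print $2}' | base64 -d > "$out/kubecfg.key"
  chmod 600 "$out/kubecfg.key"
}

# Subject of a PEM certificate in RFC 2253 form, e.g. CN=kubernetes-admin,O=system:masters
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# "yes" if the certificate's O is system:masters: the API server treats that
# group as superuser before RBAC is consulted, and Kubernetes cannot revoke a
# client certificate, so this is worth knowing before exporting it.
cert_is_system_masters() {
  case "$(cert_subject "$1")" in
    *O=system:masters*) echo yes ;;
    *) echo no ;;
  esac
}

# Bundle into PKCS#12 with a real export password, then drop the bare key.
make_p12() {
  local dir="$1" password="$2"
  openssl pkcs12 -export -clcerts -inkey "$dir/kubecfg.key" -in "$dir/kubecfg.crt" \
    -out "$dir/kubecfg.p12" -name "kubernetes-client" -passout "pass:$password"
  rm -f "$dir/kubecfg.key"
}

# Constructed input: a throwaway key and self-signed cert with the subject
# kubeadm puts in admin.conf, wrapped in a minimal kubeconfig. Not a real cluster.
make_demo_kubeconfig() {
  local dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=system:masters/CN=kubernetes-admin" \
    -keyout "$dir/demo.key" -out "$dir/demo.crt" 2>/dev/null
  cat > "$dir/config" <<EOF
apiVersion: v1
kind: Config
users:
- name: kubernetes-admin
  user:
    client-certificate-data: $(base64 "$dir/demo.crt" | tr -d '\n')
    client-key-data: $(base64 "$dir/demo.key" | tr -d '\n')
EOF
  printf '%s\n' "$dir/config"
}

WORK=$(mktemp -d)
CFG=$(make_demo_kubeconfig "$WORK")
kubecfg_extract "$CFG" "$WORK"
echo "identity in the bundle: $(cert_subject "$WORK/kubecfg.crt")"
echo "system:masters: $(cert_is_system_masters "$WORK/kubecfg.crt")"
make_p12 "$WORK" "changeit"
ls -l "$WORK/kubecfg.p12"
```

To run it against the real file, replace the constructed kubeconfig with kubecfg_extract ~/.kube/config "$WORK". If cert_is_system_masters answers yes, the bundle you are about to import bypasses every RBAC binding on the page; for a browser it is safer to issue a separate client certificate for a named user through a CertificateSigningRequest and bind that user to a narrower ClusterRole, so that the identity in the browser is one you can take rights away from.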

4. Import the certificate into Chrome manually

The .p12 is a client certificate, your identity towards the API server, so it goes into the personal certificate store, not among trusted root CAs. The "Your connection is not private" warning is a separate matter: the API server's serving certificate is signed by the cluster CA, which the browser does not trust. For a lab you can click through it; otherwise import the cluster CA (the certificate-authority-data in the same kubeconfig, decoded the same way) as a trusted root.

Browser menu - Settings - Advanced - Manage certificates

Select the Personal tab (Chrome 71 labels it Personal; on other versions it is Your certificates), click Import, select kubecfg.p12, enter the export password and follow the wizard to the end.

5. After importing the p12, restart the browser (chrome://restart) and open https://192.168.255.130:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/. Chrome asks which client certificate to present; confirm the one you imported.

Then choose token login and display the token again:

kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')

Working through the web UI is convenient from here on.
