【Kubernetes詳解】（三）搭建Kubernetes Dashboard

一、前言

上一篇文章介紹了從零開始搭建Kubernetes集羣，本文將介紹一下如何搭建K8S的Dashboard。

簡單的說，K8S Dashboard是官方的一個基於WEB的用戶界面，專門用來管理K8S集羣，並展示集羣的狀態。K8S集羣安裝好後默認沒有包含Dashboard，我們需要額外創建它。

Dashboard設計的還不錯，界面友好，功能也比較強大。如果你厭倦了命令行的操作，全程使用Dashboard也是可行的。

因爲我們使用kubeadm搭建的集羣會默認開啓RABC（角色訪問控制機制），所以我們必須要進行額外的設置。關於RABC的概念，網上資料很多，大家務必提前瞭解。

二、RBAC簡介

RBAC（Role-Based Access Control ）基於角色的訪問控制，不懂的可以百度看下
K8S 1.6引進，是讓用戶能夠訪問 k8S API 資源的授權方式【不授權就沒有資格訪問K8S的資源】

2.1、用戶

K8S有兩種用戶：User和Service Account。其中，User給人用，Service Account給進程用，讓進程有相關權限。如Dashboard就是一個進程，我們就可以創建一個Service Account給它

2.2、角色

Role是一系列權限的集合，例如一個Role可包含讀取和列出 Pod的權限【 ClusterRole 和 Role 類似，其權限範圍是整個集羣】

2.3、角色綁定

RoleBinding把角色映射到用戶，從而讓這些用戶擁有該角色的權限【ClusterRoleBinding 和RoleBinding 類似，可讓用戶擁有 ClusterRole 的權限】

2.4、Secret

Secret是一個包含少量敏感信息如密碼，令牌，或祕鑰的對象。把這些信息保存在 Secret對象中，可以在這些信息被使用時加以控制，並可以降低信息泄露的風險
如下圖，灰色是“角色”，藍色是“用戶”，綠色是“角色綁定”，黃色是該角色擁有的權限。簡言之 ，角色綁定將角色和用戶進行掛鉤：

三、安裝Kubernetes-Dashboard

官方文檔：Web UI (K8S Dashboard)

3.1、部署

參考官方文檔，在部署好了 k8s 集羣環境的前提下，要安裝 Kubernetes-Dashboard 只需要一條命令就可以搞定，如下：

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0/aio/deploy/recommended.yaml

確實如此，但是要通過頁面訪問還需要進行其他操作

3.2、訪問

要想通過頁面訪問，我們可以先大致看下 recommended.yaml，理解下其中的內容

3.2.1、recommended.yaml 內容

# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard

---

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
type: Opaque

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
type: Opaque
data:
  csrf: ""

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
type: Opaque

---

kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
    # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.0.0
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
      annotations:
        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
    spec:
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.4
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
          - mountPath: /tmp
            name: tmp-volume
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}

3.2.1.1、recommended中包括了下面幾個組件

• Dashboard Service
• Dashboard Deployment
• Dashboard Role
• RoleBinding
• Dashboard Service Account
• Dashboard Secret

Dashboard Service

kind: Service
...
k8s-app: kubernetes-dashboard
...
spec:
  type: NodePort
  ports:
    - port: 443 
      targetPort: 8443
      nodePort: 30000

Dashboard 對外提供服務設置，也指定了nodePort，這樣我們可以通過物理機上的30000端口進行訪問

Dashboard Deployment

kind: Deployment
...
k8s-app: kubernetes-dashboard
....

Dashboard的Deployment指定了其使用的ServiceAccount是kubernetes-dashboard。並且還將Secret kubernetes-dashboard-certs通過volumes掛在到pod內部的/certs路徑。爲何要掛載Secret ？原因是創建Secret 時會自動生成token。請注意參數–auto-generate-certificates，其表示Dashboard會自動生成證書。

Dashboard Role

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
...

如上定義了Dashboard 的角色，其角色名稱爲 kubernetes-dashboard，rules中清晰的列出了其擁有的多個權限。

RoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

Dashboard的角色綁定，其名稱爲 kubernetes-dashboard，roleRef 中爲被綁定的角色，subjects中爲綁定的用戶：kubernetes-dashboard

Dashboard Service Account

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard

如上定義了Dashboard的用戶，其類型爲ServiceAccount，名稱爲kubernetes-dashboard

Dashboard Secret

apiVersion: v1
kind: Secret
...

3.3.2、web 頁面

通過暴露的NodePort: 30000 訪問 dashboard，頁面如圖(我這裏通過 firefox 才能訪問，chrome 都不行)：https://localhost:30000/

這裏有兩種登錄方式：

• Token
• Kubeconfig

我們使用 Token 的方式登錄，獲取 Token 方式如下：

kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep kubernetes-dashboard | awk '{print $1}')

複製token，點擊登錄即可

3.3、到這裏還沒有完

通過3.2的步驟會出現下面問題：

出現上述問題的原因是因爲，kubernetes-dashboard 這個賬戶的角色權限不夠

解決：

3.3.3、創建dashboard-adminuser.yaml

cat > dashboard-adminuser.yaml << EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard  
EOF

3.3.2、創建登錄用戶

kubectl apply -f dashboard-adminuser.yaml

說明：上面創建了一個叫 admin-user 的服務賬號，並放在kubernetes-dashboard 命名空間下，並將 cluster-admin 角色綁定到admin-user賬戶，這樣admin-user賬戶就有了管理員的權限。默認情況下，kubeadm創建集羣時已經創建了cluster-admin角色，我們直接綁定即可。

3.3.3、查看admin-user賬戶的token

kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')

重新登錄即可

四、一些命令

# 查看dashboard的角色(Role)
kubectl get role -n kubernetes-dashboard
# 查看dashboard的賬戶
kubectl get ServiceAccount -n kubernetes-dashboard
# 查看secret
kubectl get secret -n kuberntes-dashboard
# 查看集羣的角色(ClusterRole)
kubectl get ClusterRole -n kubernetes-dashboard