Environment preparation

Installation notes (to avoid confusion)

The walkthrough below assumes the k8s apiserver only accepts client-certificate authentication. If the dashboard can reach the apiserver through its service account instead, applying the stock dashboard.yml is enough and most of the steps below are unnecessary.

Installation plan

Node IP        Role    Installed components
192.168.0.111  Master  etcd, kube-apiserver, kube-controller-manager, kube-scheduler, cfssl, kubectl
192.168.0.112  Node1   docker, kubelet, kube-proxy, flanneld, cfssl, kubectl
192.168.0.113  Node2   docker, kubelet, kube-proxy, flanneld, cfssl, kubectl
Prepare the client certificate (on each worker node)

```sh
# The dashboard certificate lives here
$ mkdir -p /etc/kubernetes/ca/dashboard
# If dashboard-csr.json does not exist yet, create it with the content below
$ cat dashboard-csr.json
{
  "CN": "system:dashboard",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "XS",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
$ cp dashboard-csr.json /etc/kubernetes/ca/dashboard/
$ cd /etc/kubernetes/ca/dashboard/
# Sign the dashboard certificate with the cluster root CA (ca.pem).
# The CSR file name must match the one created above.
$ cfssl gencert \
  -ca=/etc/kubernetes/ca/ca.pem \
  -ca-key=/etc/kubernetes/ca/ca-key.pem \
  -config=/etc/kubernetes/ca/ca-config.json \
  -profile=kubernetes dashboard-csr.json | cfssljson -bare dashboard
# What we ultimately need are dashboard-key.pem and dashboard.pem
$ ls
dashboard.csr  dashboard-csr.json  dashboard-key.pem  dashboard.pem
```

Note that the apiserver will authenticate requests made with this certificate as user `system:dashboard` in group `k8s` (CN and O of the subject). That identity gets no permissions by itself; bind it to only the RBAC it needs rather than to cluster-admin.
Prepare the kube-dashboard.kubeconfig (on each worker node)

```sh
# --server is the kube-apiserver address
$ kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/ca/ca.pem \
  --embed-certs=true \
  --server=https://192.168.0.111:6443 \
  --kubeconfig=kube-dashboard.kubeconfig
# The credentials name must match the --user given to set-context below
$ kubectl config set-credentials kube-dashboard \
  --client-certificate=/etc/kubernetes/ca/dashboard/dashboard.pem \
  --client-key=/etc/kubernetes/ca/dashboard/dashboard-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-dashboard.kubeconfig
$ kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-dashboard \
  --kubeconfig=kube-dashboard.kubeconfig
$ kubectl config use-context default --kubeconfig=kube-dashboard.kubeconfig
$ mv kube-dashboard.kubeconfig /etc/kubernetes/kube-dashboard.kubeconfig
```

`kubectl config set-context` does not check that the user it names exists, so saving the credentials under one name (for example `kube-proxy`) and pointing the context at `kube-dashboard` silently yields a kubeconfig with no client credentials. Verify before moving on:

```sh
$ kubectl --kubeconfig=/etc/kubernetes/kube-dashboard.kubeconfig config view --minify
```

The `users:` section of the output must contain the embedded certificate and key, and the file should be readable only by root (`chmod 600`), since it is a credential.
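The checks just described, as an added example that is not code from the original post or from the dashboard project. It consumes the kubeconfig in the JSON shape produced by `kubectl config view --raw -o json --kubeconfig <file>` and reports a context that points at an undefined cluster or user, a non-https server, a missing embedded CA, or client data that is not base64-encoded PEM. The sample kubeconfig inside the script is constructed with placeholder PEM bodies and reproduces the credentials/context name mismatch; it is an assumption for the example, not the author's file.

```python
"""Consistency check for a kubeconfig before the dashboard uses it (added example)."""
import base64
import json
import sys


def check_kubeconfig(cfg: dict) -> list:
    """Return the problems found; an empty list means the config is consistent."""
    problems = []
    clusters = {c["name"]: c["cluster"] for c in cfg.get("clusters", [])}
    users = {u["name"]: u["user"] for u in cfg.get("users", [])}
    contexts = {c["name"]: c["context"] for c in cfg.get("contexts", [])}

    current = cfg.get("current-context")
    if current not in contexts:
        return [f"current-context {current!r} is not a defined context"]
    ctx = contexts[current]

    cluster = clusters.get(ctx.get("cluster"))
    if cluster is None:
        problems.append(f"context {current!r} references undefined cluster {ctx.get('cluster')!r}")
    else:
        if not str(cluster.get("server", "")).startswith("https://"):
            problems.append("cluster server is not https")
        if "certificate-authority-data" not in cluster:
            problems.append("cluster has no embedded certificate-authority-data")

    user = users.get(ctx.get("user"))
    if user is None:
        # set-context does not validate the user name, so a mismatch between the
        # set-credentials name and --user leaves the config without any credentials.
        problems.append(f"context {current!r} references undefined user {ctx.get('user')!r}")
    else:
        for field in ("client-certificate-data", "client-key-data"):
            if field not in user:
                problems.append(f"user {ctx.get('user')!r} lacks embedded {field}")
                continue
            try:
                pem = base64.b64decode(user[field], validate=True)
            except (ValueError, TypeError):
                problems.append(f"{field} is not valid base64")
                continue
            if not pem.startswith(b"-----BEGIN "):
                problems.append(f"{field} does not decode to a PEM block")
    return problems


def _placeholder_pem(label: str) -> str:
    # Constructed placeholder, not a real certificate or key.
    body = f"-----BEGIN {label}-----\nUExBQ0VIT0xERVI=\n-----END {label}-----\n"
    return base64.b64encode(body.encode()).decode()


# Constructed sample mirroring the kubectl config commands in the text, including the
# mismatch between the credentials name (kube-proxy) and the context's user (kube-dashboard).
SAMPLE_BROKEN = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [{"name": "kubernetes", "cluster": {
        "server": "https://192.168.0.111:6443",
        "certificate-authority-data": _placeholder_pem("CERTIFICATE")}}],
    "users": [{"name": "kube-proxy", "user": {
        "client-certificate-data": _placeholder_pem("CERTIFICATE"),
        "client-key-data": _placeholder_pem("RSA PRIVATE KEY")}}],
    "contexts": [{"name": "default", "context": {"cluster": "kubernetes", "user": "kube-dashboard"}}],
    "current-context": "default",
}


def with_user_renamed(cfg: dict, name: str) -> dict:
    """Deep copy of cfg whose single user entry is renamed, i.e. the corrected set-credentials."""
    fixed = json.loads(json.dumps(cfg))
    fixed["users"][0]["name"] = name
    return fixed


if __name__ == "__main__":
    # Usage: python check_kubeconfig.py <kubeconfig-as-json>; without an argument the sample is checked.
    target = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_BROKEN
    for line in check_kubeconfig(target) or ["ok"]:
        print(line)
```

Run it against the real file with `kubectl config view --raw -o json --kubeconfig /etc/kubernetes/kube-dashboard.kubeconfig > kc.json && python3 check_kubeconfig.py kc.json`, and delete kc.json afterwards, as it contains the private key.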
Prepare the TLS certificate (for the dashboard's own HTTPS listener)

```sh
# Run from / so that the relative certs/ paths below resolve to /certs
$ mkdir /certs
$ openssl req -nodes -newkey rsa:2048 -keyout certs/dashboard.key -out certs/dashboard.csr -subj "/C=/ST=/L=/O=/OU=/CN=kubernetes-dashboard"
Generating a 2048 bit RSA private key
................+++
..............................................+++
writing new private key to 'certs/dashboard.key'
-----
No value provided for Subject Attribute C, skipped
No value provided for Subject Attribute ST, skipped
No value provided for Subject Attribute L, skipped
No value provided for Subject Attribute O, skipped
No value provided for Subject Attribute OU, skipped
$ ls /certs
dashboard.csr  dashboard.key
$ openssl x509 -req -sha256 -days 365 -in certs/dashboard.csr -signkey certs/dashboard.key -out certs/dashboard.crt
Signature ok
subject=/CN=kubernetes-dashboard
Getting Private key
$ ls certs/
dashboard.crt  dashboard.csr  dashboard.key
$ kubectl create secret generic kubernetes-dashboard-certs --from-file=certs -n kubernetes-dashboard
secret/kubernetes-dashboard-certs created
```

Two things to keep in mind. The namespace must already exist when the secret is created (`kubectl create namespace kubernetes-dashboard` if you have not applied the dashboard manifest yet); the manifest itself also declares an empty Secret of the same name, so after applying it confirm the data is still there with `kubectl -n kubernetes-dashboard get secret kubernetes-dashboard-certs -o jsonpath='{.data}'`. And this is a self-signed certificate with only a CN and no Subject Alternative Name, so browsers will warn about it; it protects the connection from passive eavesdropping but does not let the browser authenticate the dashboard. Issue the certificate from a CA you control (with the node IPs or DNS name as SANs) if the dashboard is reachable beyond a lab network.
Installation preparation

Official Web UI (Dashboard) installation page:
https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/

The one-line deployment shown there looks effortless, but it rarely works unchanged against a cluster set up like this one, so download the manifest first and edit it.

Download the deployment file locally

```sh
$ wget -O recommended.yaml https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
```

The rest of this page refers to the downloaded file as recommended.yaml, hence the `-O`. Check the release of the dashboard you are deploying for the current location of the recommended manifest, since the path has moved between versions.

Modify the kubernetes-dashboard deployment (three places in total)

```sh
$ vim recommended.yaml
```
First change (essential)

The tls arguments let the dashboard serve its own HTTPS endpoint; the kubeconfig argument tells it how to reach kube-apiserver on the master using the client certificate prepared above.

```yaml
          args:
            #- --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            - --tls-key-file=dashboard.key    # key file, relative to the /certs mount
            - --tls-cert-file=dashboard.crt   # certificate file, relative to the /certs mount
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=https://192.168.0.111:6443
            - --kubeconfig=/etc/kubernetes/kube-dashboard.kubeconfig
```

The file names must match the keys of the kubernetes-dashboard-certs secret, which are the file names in the certs/ directory passed to `--from-file`. Leave `--apiserver-host` commented out: with only a host and no CA the dashboard cannot verify the apiserver (see the pitfalls at the end), whereas the kubeconfig carries both the CA and the client certificate.
Second change (essential)

Mount the required file into the container, otherwise the dashboard reports that it cannot find it.

```yaml
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
            ################### change begins #######################
            - mountPath: /etc/kubernetes/kube-dashboard.kubeconfig
              name: config
              readOnly: true
            ################### change ends #########################
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
        ################### change begins #######################
        - name: config
          hostPath:
            path: /etc/kubernetes/kube-dashboard.kubeconfig
            type: File
        ################### change ends #########################
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "beta.kubernetes.io/os": linux
```

`type: File` makes the pod fail to start with a clear error if the file is absent on the node it lands on, instead of the kubelet creating an empty directory at that path; `readOnly: true` keeps the container from modifying the credential. Because this is a hostPath volume, the kubeconfig has to exist on every node the pod can be scheduled to, which is why it was prepared on each worker node. An alternative that does not depend on node-local files is to store it in a Secret (`kubectl -n kubernetes-dashboard create secret generic kube-dashboard-kubeconfig --from-file=/etc/kubernetes/kube-dashboard.kubeconfig`) and mount that Secret instead of the hostPath.
Third change (essential)

Change the dashboard Service type to NodePort for easy access.

```yaml
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
  type: NodePort
  selector:
    k8s-app: kubernetes-dashboard
```

A NodePort opens the dashboard on that port of every node's IP, so restrict who can reach it (host firewall or network policy at the edge). For occasional use, `kubectl port-forward` or `kubectl proxy` from an administrator's machine avoids exposing it at all.
Configure role permissions

```sh
kubectl create clusterrolebinding system:anonymous --clusterrole=cluster-admin --user=system:anonymous
```

Warning: this binding grants every unauthenticated request to the apiserver full cluster-admin rights, to anyone who can reach port 6443, not just to the dashboard. It is not required for the token login described further down, where the dashboard forwards the service account's token and the apiserver authorises that account. Do not create it outside a throwaway lab, and if it already exists remove it with `kubectl delete clusterrolebinding system:anonymous`. You can confirm what anonymous callers are allowed with `kubectl auth can-i --list --as=system:anonymous`.
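An audit for exactly this class of misconfiguration, as an added example that is not code from the original post. It reads the JSON `List` returned by `kubectl get clusterrolebindings -o json` and flags any binding that gives a powerful ClusterRole to a principal every caller can claim: the `system:anonymous` user or the `system:unauthenticated` and `system:authenticated` groups. The three bindings embedded in the script are constructed inline: the first reproduces the command above, the second the admin-user binding created later on this page, the third the `system:public-info-viewer` binding present by default, which is deliberately not flagged because the role it grants is harmless. Which roles count as powerful is this script's own assumption.

```python
"""Flag ClusterRoleBindings that hand powerful roles to catch-all principals (added example)."""
import json
import sys

# Principals a request can carry without credentials (User/system:anonymous,
# Group/system:unauthenticated) or with any credentials at all (Group/system:authenticated).
CATCH_ALL_SUBJECTS = {
    ("User", "system:anonymous"),
    ("Group", "system:unauthenticated"),
    ("Group", "system:authenticated"),
}
# Roles those principals must never hold (assumption; extend for custom admin-like roles).
POWERFUL_ROLES = {"cluster-admin", "admin", "edit"}


def risky_bindings(binding_list: dict) -> list:
    """Return one finding per (binding, subject) pair granting a powerful role to a catch-all principal."""
    findings = []
    for item in binding_list.get("items", []):
        name = item["metadata"]["name"]
        role_ref = item.get("roleRef", {})
        if role_ref.get("kind") != "ClusterRole" or role_ref.get("name") not in POWERFUL_ROLES:
            continue
        for subj in item.get("subjects") or []:
            key = (subj.get("kind"), subj.get("name"))
            if key in CATCH_ALL_SUBJECTS:
                findings.append({
                    "binding": name,
                    "role": role_ref["name"],
                    "subject": f"{key[0]}/{key[1]}",
                    "fix": f"kubectl delete clusterrolebinding {name}",
                })
    return findings


def _crb(name: str, role: str, subjects: list) -> dict:
    """Build a ClusterRoleBinding object in the shape kubectl returns (constructed sample data)."""
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
            "metadata": {"name": name},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": role},
            "subjects": subjects}


SAMPLE = {"apiVersion": "v1", "kind": "List", "items": [
    # Result of: kubectl create clusterrolebinding system:anonymous --clusterrole=cluster-admin --user=system:anonymous
    _crb("system:anonymous", "cluster-admin",
         [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "system:anonymous"}]),
    # The dashboard login account: powerful, but tied to one real service account, so not flagged here.
    _crb("admin-user", "cluster-admin",
         [{"kind": "ServiceAccount", "name": "admin-user", "namespace": "kubernetes-dashboard"}]),
    # Default binding: catch-all groups, but only the read-only public-info role, so not flagged.
    _crb("system:public-info-viewer", "system:public-info-viewer",
         [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:authenticated"},
          {"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:unauthenticated"}]),
]}


if __name__ == "__main__":
    # Usage: kubectl get clusterrolebindings -o json > crb.json && python3 audit_crb.py crb.json
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in risky_bindings(data):
        print(f"{f['binding']}: {f['subject']} -> {f['role']}  (fix: {f['fix']})")
```

Run against the sample it prints a single line for the `system:anonymous` binding together with the kubectl command that removes it. The same loop can be pointed at `kubectl get rolebindings -A -o json` to catch namespaced variants, since the object shape is identical.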
Start the installation

Apply the deployment file

```sh
$ kubectl apply -f recommended.yaml
```
Check the service port

```sh
$ kubectl get svc -n kubernetes-dashboard
NAME                        TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
dashboard-metrics-scraper   ClusterIP   192.168.0.44    <none>        8000/TCP        30h
kubernetes-dashboard        NodePort    192.168.0.167   <none>        443:25773/TCP   30h
```

Here the dashboard is reachable at https://<any node IP>:25773.
Install the client certificate in the browser

```sh
# Extract the client certificate
grep 'client-certificate-data' /etc/kubernetes/admin.conf | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.crt
# Extract the private key
grep 'client-key-data' /etc/kubernetes/admin.conf | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.key
# Bundle them into a PKCS#12 file (openssl prompts for an export password; the browser asks for it again on import)
openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12 -name "kubernetes-client"
# Import kubecfg.p12 into Chrome's certificate store (search the web for the steps on your OS)
```

admin.conf holds cluster-admin credentials, so kubecfg.p12 is a cluster-admin credential too: move it to the client machine over a secure channel and delete the extracted .crt, .key and .p12 files once imported.
Access the dashboard

Obtain a token for authentication
```sh
# Create the service account
$ cat <<EOF | kubectl create -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
EOF
# Bind it to a role
$ cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
EOF
# Read the token from the service account's secret
$ kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')
```

Example output; copy the token value:

```sh
Name:         admin-user-token-rtpnj
Namespace:    kubernetes-dashboard
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: admin-user
              kubernetes.io/service-account.uid: 5ea34466-b4ae-4764-8888-ce21193dd913

Type:  kubernetes.io/service-account-token

Data
====
namespace:  20 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IkZIQ3RSNGR4aFJXMV9sRzFMRnhrdEdNbUFlYlRya1F6alg5Nmg2S0x0NWsifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLXJ0cG5qIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI1ZWEzNDQ2Ni1iNGFlLTQ3NjQtODg4OC1jZTIxMTkzZGQ5MTMiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6YWRtaW4tdXNlciJ9.enf2-uLp_Kg6wUYrWQRNyh11TeZLQ1xuxj_Ykll5Gvix9zxZ7e4oppPVzkaq4AukEXvWbraR8LCKmapRu10wu8l2Nt8n5qxAUM6ECgBT8sDki1IFDpZMw9XE8F4nJqjLYGRRMiQ-4twoXcrjRmvq7mDLmzA-sEv0Iq7dO-tLeEh6iB-IWLyh5VlmNgIecPVFyjzgg3arJj414SF31PGSUT2D68jYu1zgjjLHL-tl54r0lWuG91pPnvwaiOBD8ec0aej0ULnXA376Ap1ZtAHsNd3iwtQvBYQjGUtwJH8hzF_DkKW_TTdX91Q1-TVJcgv8opXr5y0TEDA-i9kgEQ4owQ
ca.crt:     1346 bytes
```

Two caveats. The `describe secret` step relies on the apiserver auto-creating a long-lived token Secret for every service account, which stopped in Kubernetes 1.24; on newer clusters issue a short-lived token with `kubectl -n kubernetes-dashboard create token admin-user` instead. And the token is a bearer credential for a cluster-admin account: treat it like a root password, and consider binding admin-user to a narrower role (`view`, or `edit` in selected namespaces) for day-to-day dashboard use.
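A small inspector for the token you are about to paste into the login form, as an added example that is not code from the original post. It splits the JWT into its three segments, base64url-decodes header and payload, and checks that the claims name the service account you intended and, for the time-bound tokens that `kubectl create token` issues, that the token has not expired. No signature is verified: only the apiserver holds the signing key, so this tells you which identity a token claims, not that it is genuine. The token it inspects is constructed in the script with a fake signature; it is not the token shown above.

```python
"""Decode a Kubernetes service-account JWT and check which identity it claims (added example)."""
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_sa_token(token: str) -> dict:
    """Return {'header': ..., 'claims': ...}; the signature is split off but never verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return {"header": json.loads(_b64url_decode(parts[0])),
            "claims": json.loads(_b64url_decode(parts[1]))}


def _service_account(claims: dict) -> tuple:
    """(namespace, name) from either claim layout.

    Legacy secret-based tokens use flat 'kubernetes.io/serviceaccount/...' keys; bound tokens
    from `kubectl create token` nest them under a 'kubernetes.io' object.
    """
    ns = claims.get("kubernetes.io/serviceaccount/namespace")
    name = claims.get("kubernetes.io/serviceaccount/service-account.name")
    nested = claims.get("kubernetes.io")
    if ns is None and isinstance(nested, dict):
        ns = nested.get("namespace")
        name = (nested.get("serviceaccount") or {}).get("name")
    return ns, name


def token_identity_ok(token: str, namespace: str, name: str) -> bool:
    """True when the token's claims identify service account <namespace>/<name>."""
    claims = decode_sa_token(token)["claims"]
    return (claims.get("sub") == f"system:serviceaccount:{namespace}:{name}"
            and _service_account(claims) == (namespace, name))


def token_expired(token: str, now: float = None) -> bool:
    """True when an 'exp' claim exists and lies in the past; legacy tokens carry no exp."""
    claims = decode_sa_token(token)["claims"]
    if "exp" not in claims:
        return False
    return (time.time() if now is None else now) >= claims["exp"]


def make_sample_token(namespace: str, name: str, exp: int = None) -> str:
    """Constructed token with the legacy claim layout and a fake signature (demo data, not a real token)."""
    header = {"alg": "RS256", "kid": "example-kid"}
    claims = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/secret.name": f"{name}-token-xxxxx",
        "kubernetes.io/serviceaccount/service-account.name": name,
        "kubernetes.io/serviceaccount/service-account.uid": "00000000-0000-0000-0000-000000000000",
        "sub": f"system:serviceaccount:{namespace}:{name}",
    }
    if exp is not None:
        claims["exp"] = exp

    def compact(obj: dict) -> bytes:
        return json.dumps(obj, separators=(",", ":")).encode()

    return ".".join([_b64url_encode(compact(header)), _b64url_encode(compact(claims)),
                     _b64url_encode(b"not-a-real-signature")])


if __name__ == "__main__":
    tok = make_sample_token("kubernetes-dashboard", "admin-user")
    print(json.dumps(decode_sa_token(tok)["claims"], indent=2))
    print("identity ok:", token_identity_ok(tok, "kubernetes-dashboard", "admin-user"))
    print("expired:", token_expired(tok))
```

To inspect a real token, paste it into `decode_sa_token` (or pipe it through the script) and confirm `sub` reads `system:serviceaccount:kubernetes-dashboard:admin-user`; a token for a different account will still be accepted by the login form, it will just give you that account's permissions.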
Enter the token in the login form.
Major pitfalls

kubeconfig not found

Error: no file or directory
Fix: mount the file into the container (the second change above); the path given to --kubeconfig must exist inside the pod, not just on the node.

Cannot connect to the apiserver

```sh
[root@elasticsearch01 yaml]# kubectl logs kubernetes-dashboard-7649fbd576-r4wn2 --namespace=kube-system
2018/12/29 05:52:10 Starting overwatch
2018/12/29 05:52:10 Using apiserver-host location: https://10.2.8.44:6443
2018/12/29 05:52:10 Skipping in-cluster config
2018/12/29 05:52:10 Using random key for csrf signing
2018/12/29 05:52:10 Error while initializing connection to Kubernetes apiserver. This most likely means that the cluster is misconfigured (e.g., it has invalid apiserver certificates or service account's configuration) or the --apiserver-host param points to a server that does not exist. Reason: Get https://192.168.0.111:6443/version: x509: failed to load system roots and no roots provided
Refer to our FAQ and wiki pages for more information: https://github.com/kubernetes/dashboard/wiki/FAQ
```

Fix: authenticate with the kubeconfig (the first change above). With only --apiserver-host the dashboard has no CA to verify the apiserver's certificate and no client certificate to present, which is exactly what "failed to load system roots and no roots provided" says; the kubeconfig embeds both.

HTTP (port 9090) works but HTTPS (port 8443) does not

The logs show connections to port 8443 being refused.
Fix: configure the TLS key and certificate (the --tls-key-file and --tls-cert-file arguments together with the kubernetes-dashboard-certs secret mounted at /certs). Without them the dashboard has nothing to serve HTTPS with and only the plaintext listener comes up.