k8s trilogy (2): installing the kubernetes dashboard on a non-master node (TLS)

Environment preparation

  1. Installation notes (to avoid confusion)

    The following walkthrough is for a k8s cluster whose apiserver can only be accessed with a client certificate.
    If the apiserver can be accessed through a service account, running the corresponding dashboard yaml file is all that is needed.

  2. Installation plan

    Node IP        Role    Installed components
    192.168.0.111  Master  etcd, kube-apiserver, kube-controller-manager, kube-scheduler, cfssl, kubectl
    192.168.0.112  Node1   docker, kubelet, kube-proxy, flanneld, cfssl, kubectl
    192.168.0.113  Node2   docker, kubelet, kube-proxy, flanneld, cfssl, kubectl

  3. Prepare the certificate (on each worker node)

    # the dashboard certificate lives here
    $ mkdir -p /etc/kubernetes/ca/dashboard
    
    # if dashboard-csr.json does not exist yet, create it with the content below
    $ cat dashboard-csr.json
    {
      "CN": "system:dashboard",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "Beijing",
          "L": "XS",
          "O": "k8s",
          "OU": "System"
        }
      ]
    }
    $ cp dashboard-csr.json /etc/kubernetes/ca/dashboard/
    $ cd /etc/kubernetes/ca/dashboard/
    
    # sign the dashboard certificate with the root CA (ca.pem); the CSR file is the one created above
    $ cfssl gencert \
            -ca=/etc/kubernetes/ca/ca.pem \
            -ca-key=/etc/kubernetes/ca/ca-key.pem \
            -config=/etc/kubernetes/ca/ca-config.json \
            -profile=kubernetes dashboard-csr.json | cfssljson -bare dashboard
    # what we ultimately need are dashboard-key.pem and dashboard.pem
    $ ls
    dashboard.csr  dashboard-csr.json  dashboard-key.pem  dashboard.pem
    
  4. Prepare the kube-dashboard.kubeconfig file (on each worker node)

    # --server is the kube-apiserver address
    $ kubectl config set-cluster kubernetes \
            --certificate-authority=/etc/kubernetes/ca/ca.pem \
            --embed-certs=true \
            --server=https://192.168.0.111:6443 \
            --kubeconfig=kube-dashboard.kubeconfig
    
    # the credential name must match the --user given to set-context below
    $ kubectl config set-credentials kube-dashboard \
            --client-certificate=/etc/kubernetes/ca/dashboard/dashboard.pem \
            --client-key=/etc/kubernetes/ca/dashboard/dashboard-key.pem \
            --embed-certs=true \
            --kubeconfig=kube-dashboard.kubeconfig
    
    $ kubectl config set-context default \
            --cluster=kubernetes \
            --user=kube-dashboard \
            --kubeconfig=kube-dashboard.kubeconfig
    
    $ kubectl config use-context default --kubeconfig=kube-dashboard.kubeconfig
    
    $ mv kube-dashboard.kubeconfig /etc/kubernetes/kube-dashboard.kubeconfig
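
    Before this file is mounted into the pod it is worth checking it for the two slips this step invites: a context that names a user or cluster entry that was never written (credentials stored under one name, a context pointing at another), and certificates referenced by file path rather than embedded, which will not exist inside the container. The script below is an added example and not part of the original post; the function name kubeconfig_check and the sample kubeconfig are assumptions, and it needs only sh and awk.

```shell
# kubeconfig_check <file> <apiserver-url>: prints "ok" and returns 0 only when the
# current context names a defined cluster (that server URL, embedded CA) and a
# defined user with embedded client cert and key; otherwise prints why, returns 1.
kubeconfig_check() {
  awk -v want="$2" '
    function flush() {                        # store the list item just closed
      if (name != "" && sec == "clusters:") { srv[name] = server; ca[name] = cadata }
      if (name != "" && sec == "contexts:") { cctx[name] = cl; cusr[name] = us }
      if (name != "" && sec == "users:")    creds[name] = (cert != "" && key != "")
      name = server = cadata = cl = us = cert = key = ""
    }
    /^- /        { flush(); sub(/^- /, "  ") }  # new list item: normalise its indent
    /^[A-Za-z]/  { flush(); sec = $1 }          # a top-level key opens a section
    $1 == "current-context:" { cur = $2 };   $1 == "name:"    { name = $2 }
    $1 == "server:"          { server = $2 }; $1 == "cluster:" { cl = $2 }
    $1 == "user:"            { us = $2 };    $1 == "certificate-authority-data:" { cadata = $2 }
    $1 == "client-certificate-data:" { cert = $2 }; $1 == "client-key-data:" { key = $2 }
    END { flush()
      if (!(cur in cctx))  { print "context " cur " is not defined"; exit 1 }
      c = cctx[cur]; u = cusr[cur]
      if (!(c in srv))     { print "cluster " c " is not defined"; exit 1 }
      if (srv[c] != want)  { print "server is " srv[c] ", expected " want; exit 1 }
      if (ca[c] == "")     { print "cluster " c " has no embedded CA"; exit 1 }
      if (!(u in creds))   { print "user " u " is not defined"; exit 1 }
      if (!creds[u])       { print "user " u " has no embedded cert/key"; exit 1 }
      print "ok"
    }' "$1"
}
# Constructed sample of what the set-cluster/set-credentials/set-context steps emit,
# with the slip of saving credentials as kube-proxy while the context says kube-dashboard.
SAMPLE_KUBECONFIG='apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: Q0EtUExBQ0VIT0xERVI=
    server: https://192.168.0.111:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kube-dashboard
  name: default
current-context: default
users:
- name: kube-proxy
  user:
    client-certificate-data: Q0VSVC1QTEFDRUhPTERFUg==
    client-key-data: S0VZLVBMQUNFSE9MREVS
'
tmp=$(mktemp); printf '%s' "$SAMPLE_KUBECONFIG" > "$tmp"
kubeconfig_check "$tmp" https://192.168.0.111:6443 || true; rm -f "$tmp"   # user kube-dashboard is not defined
```

Run it as kubeconfig_check /etc/kubernetes/kube-dashboard.kubeconfig https://192.168.0.111:6443 on each worker node before the file is mounted into the pod.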
    
  5. Prepare the TLS certificate

    $ mkdir /certs
    # run from / so that the relative certs/ paths below resolve to /certs
    $ cd /
    $ openssl req -nodes -newkey rsa:2048 -keyout certs/dashboard.key -out certs/dashboard.csr -subj "/C=/ST=/L=/O=/OU=/CN=kubernetes-dashboard"
    Generating a 2048 bit RSA private key
    ................+++
    ..............................................+++
    writing new private key to 'certs/dashboard.key'
    -----
    No value provided for Subject Attribute C, skipped
    No value provided for Subject Attribute ST, skipped
    No value provided for Subject Attribute L, skipped
    No value provided for Subject Attribute O, skipped
    No value provided for Subject Attribute OU, skipped
    $ ls /certs
    dashboard.csr  dashboard.key
    
    $ openssl x509 -req -sha256 -days 365 -in certs/dashboard.csr -signkey certs/dashboard.key -out certs/dashboard.crt
    Signature ok
    subject=/CN=kubernetes-dashboard
    Getting Private key
    $ ls certs/
    dashboard.crt  dashboard.csr  dashboard.key
    
    # the namespace must exist before a secret can be created in it
    $ kubectl create namespace kubernetes-dashboard
    $ kubectl create secret generic kubernetes-dashboard-certs --from-file=certs -n kubernetes-dashboard
    secret/kubernetes-dashboard-certs created
    

Installation preparation

  1. Install the Web UI from the official site

    The entry point for the Dashboard is https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/
    Although the one-click deployment on the official site looks very slick, it is rarely that simple when we deploy it ourselves, so we first download the file and make a few changes.

  2. Download the deployment file locally

    # save it under the name used in the following steps
    $ wget -O recommended.yaml https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
    
  3. Modify the kubernetes-dashboard deployment (three places in total)

    $ vim recommended.yaml
    
  4. First place (key)

    TLS is configured so that the dashboard's https service can be accessed.
    The kubeconfig is configured so that the kube-apiserver on the master node can be reached.

    args:
      #- --auto-generate-certificates
      - --namespace=kubernetes-dashboard
      - --tls-key-file=dashboard.key    # key file, relative to the /certs mount
      - --tls-cert-file=dashboard.crt   # certificate file
      # Uncomment the following line to manually specify Kubernetes API server Host
      # If not specified, Dashboard will attempt to auto discover the API server and connect
      # to it. Uncomment only if the default does not work.
      # - --apiserver-host=https://192.168.0.111:6443
      - --kubeconfig=/etc/kubernetes/kube-dashboard.kubeconfig
    
  5. Second place (key)

    Mount the required file into the container, otherwise the dashboard will complain that the file cannot be found.

              volumeMounts:
                - name: kubernetes-dashboard-certs
                  mountPath: /certs
                  # Create on-disk volume to store exec logs
                - mountPath: /tmp
                  name: tmp-volume
                  ################### change start #######################
                - mountPath: /etc/kubernetes/kube-dashboard.kubeconfig
                  name: config
                  readOnly: true
                  ################### change end #########################
          volumes:
            - name: kubernetes-dashboard-certs
              secret:
                secretName: kubernetes-dashboard-certs
            - name: tmp-volume
              emptyDir: {}
              ################### change start #######################
            - hostPath:
                path: /etc/kubernetes/kube-dashboard.kubeconfig
                type: File   # fail the pod if the file is missing on the node instead of creating an empty directory
              name: config
              ################### change end #########################
          serviceAccountName: kubernetes-dashboard
          nodeSelector:
            "beta.kubernetes.io/os": linux
    
  6. Third place (key)

    Change the dashboard Service type to NodePort for easier access.

    kind: Service
    apiVersion: v1
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard
      namespace: kubernetes-dashboard
    spec:
      ports:
        - port: 443
          targetPort: 8443
      type: NodePort
      selector:
        k8s-app: kubernetes-dashboard
    
    
  7. Configure the role binding

    # note: this binds the anonymous identity to cluster-admin, so any unauthenticated request to the apiserver gets full cluster rights
    $ kubectl create clusterrolebinding system:anonymous --clusterrole=cluster-admin --user=system:anonymous
    

Start the installation

  1. Apply the deployment file

    $ kubectl apply -f recommended.yaml
    
  2. Check the service port

    $ kubectl get svc -n kubernetes-dashboard
    NAME                        TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
    dashboard-metrics-scraper   ClusterIP   192.168.0.44    <none>        8000/TCP        30h
    kubernetes-dashboard        NodePort    192.168.0.167   <none>        443:25773/TCP   30h
    
  3. Install the certificate in the browser

    # generate the crt file
    $ grep 'client-certificate-data' /etc/kubernetes/admin.conf | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.crt
    # generate the key file
    $ grep 'client-key-data' /etc/kubernetes/admin.conf | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.key
    # generate the p12 certificate bundle (both creating and importing it prompt for a password)
    $ openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12 -name "kubernetes-client"
    # import this certificate file into the Chrome browser (look up the steps for your browser)
    
  4. Access the dashboard

  5. Obtain a token for authentication

    # create the service account
    $ cat <<EOF | kubectl create -f -
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: admin-user
      namespace: kubernetes-dashboard
    EOF
    # bind it to the cluster-admin role
    $ cat <<EOF | kubectl create -f -
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: admin-user
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: admin-user
      namespace: kubernetes-dashboard
    EOF
    
    # fetch the token; example output follows, copy the token value
    # (on Kubernetes 1.24 and later no token secret is created automatically;
    #  request one with: kubectl -n kubernetes-dashboard create token admin-user)
    $ kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')
    Name:         admin-user-token-rtpnj
    Namespace:    kubernetes-dashboard
    Labels:       <none>
    Annotations:  kubernetes.io/service-account.name: admin-user
                  kubernetes.io/service-account.uid: 5ea34466-b4ae-4764-8888-ce21193dd913
    
    Type:  kubernetes.io/service-account-token
    
    Data
    ====
    namespace:  20 bytes
    token:      <JWT value omitted>
    ca.crt:     1346 bytes
    
  6. Enter the token

Major pitfalls

  1. The kubeconfig cannot be found

     no file or directory
    

    Fix: mount the file from the host into the pod

  2. Cannot connect to the api-server

    [root@elasticsearch01 yaml]# kubectl logs kubernetes-dashboard-7649fbd576-r4wn2 --namespace=kube-system
    2018/12/29 05:52:10 Starting overwatch
    2018/12/29 05:52:10 Using apiserver-host location: https://10.2.8.44:6443
    2018/12/29 05:52:10 Skipping in-cluster config
    2018/12/29 05:52:10 Using random key for csrf signing
    2018/12/29 05:52:10 Error while initializing connection to Kubernetes apiserver. This most likely means that the cluster is misconfigured (e.g., it has invalid apiserver certificates or service account's configuration) or the --apiserver-host param points to a server that does not exist. Reason: Get https://192.168.0.111:6443/version: x509: failed to load system roots and no roots provided
    Refer to our FAQ and wiki pages for more information: https://github.com/kubernetes/dashboard/wiki/FAQ
    

    Fix: use the kubeconfig for secure authentication

  3. The dashboard http service (port 9090) works but the https service (port 8443) does not

    The logs show that connections to port 8443 are refused.

    Fix: configure the TLS key and certificate
