Download the Dashboard YAML file
The latest configuration file can be downloaded from the Dashboard repository on GitHub; the official Dashboard UI deployment documentation is another reference.

```shell
wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0/aio/deploy/recommended.yaml
```
Change the kubernetes-dashboard Service type to NodePort
Change the type of the kubernetes-dashboard Service to NodePort so that the Dashboard can be reached through a NodePort (node IP + port). The relevant part of recommended.yaml after the edit:

```yaml
...
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30443
  selector:
    k8s-app: kubernetes-dashboard
```
Install the Dashboard
Deploy the Dashboard UI with kubectl, using the adjusted official configuration file:

```shell
[root@node-0 yaml]# kubectl create -f recommended.yaml
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created
```
Check the status of the Dashboard pods and Services

```shell
[root@node-0 yaml]# kubectl get pod,svc -n kubernetes-dashboard
NAME                                            READY   STATUS    RESTARTS   AGE
pod/dashboard-metrics-scraper-c79c65bb7-8rwd4   1/1     Running   0          41m
pod/kubernetes-dashboard-56484d4c5-fd6hj        1/1     Running   0          41m

NAME                                TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)         AGE
service/dashboard-metrics-scraper   ClusterIP   10.64.62.122   <none>        8000/TCP        41m
service/kubernetes-dashboard        NodePort    10.65.53.250   <none>        443:30443/TCP   41m
```

At this point the Dashboard UI is deployed. Open https://<server IP>:32058 in a browser, as shown in the figure below:
Token authentication
By default the Dashboard runs with minimal RBAC permissions. If you log in to the Dashboard UI as the kubernetes-dashboard user created by the default configuration file, you will find that pods and other information the user lacks permission for cannot be loaded. So create a cluster administrator in order to manage cluster resources from the Dashboard:
Create the serviceaccount resource:

```shell
[root@node-0 yaml]# kubectl create serviceaccount dashboard-admin -n kube-system
serviceaccount/dashboard-admin created
```
Here sa is short for serviceaccount; check that the serviceaccount was created successfully:

```shell
[root@node-0 yaml]# kubectl get sa/dashboard-admin -n kube-system
NAME              SECRETS   AGE
dashboard-admin   1         15s
```
Create a clusterrolebinding that binds the cluster-admin role to the serviceaccount resource (dashboard-admin); put simply, this grants the newly created user cluster-administrator privileges:

```shell
[root@node-0 yaml]# kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
clusterrolebinding.rbac.authorization.k8s.io/dashboard-admin created
```
Inspect the binding; the newly created user now holds cluster-administrator privileges:

```shell
[root@node-0 yaml]# kubectl describe clusterrolebinding/dashboard-admin
Name:         dashboard-admin
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind            Name             Namespace
  ----            ----             ---------
  ServiceAccount  dashboard-admin  kube-system
```
Read the token value and verify the login
Get the token used to log in to the Dashboard UI:

```shell
[root@node-0 yaml]# ADMIN_SECRET=$(kubectl -n kube-system get secret | awk '/^dashboard-admin/ {print $1}')
[root@node-0 yaml]# kubectl describe secrets $ADMIN_SECRET -n kube-system | grep ^token
token:      <token value omitted>
```
Log in to the Dashboard UI
Enter the token obtained above to log in:
Kubeconfig authentication
The token login used above has a drawback: you have to log in again and again, and a token that long is awkward to keep around. So log in to the Dashboard with a kubeconfig file instead.
View the generated secret:

```shell
[root@node-0 yaml]# kubectl -n kube-system get secret | grep dashboard-admin
dashboard-admin-token-zspzh   kubernetes.io/service-account-token   3      20h
```
View the details of the secret resource:

```shell
[root@node-0 yaml]# kubectl describe secret dashboard-admin-token-zspzh -n kube-system
Name:         dashboard-admin-token-zspzh
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: dashboard-admin
              kubernetes.io/service-account.uid: 45043d81-bc50-4eb7-82ba-ffbfea4df3a8

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      <token value omitted>
```
Initialize the cluster information: the API Server URL and the CA certificate used to verify the API Server's certificate.

```shell
[root@node-0 yaml]# kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --server="https://192.168.235.20:6443" --embed-certs=true --kubeconfig=/tmp/dashboard-admin.conf
Cluster "kubernetes" set.
```
View the generated configuration file:

```shell
[root@node-0 yaml]# kubectl config view --kubeconfig=/tmp/dashboard-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.235.20:6443
  name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
```
Get the dashboard-admin token and use it as the credential. The token read directly from the secret is base64-encoded, so decode it with the "base64 -d" command. Get the token and decode it:

```shell
[root@node-0 yaml]# kubectl -n kube-system get secret/dashboard-admin-token-zspzh -o jsonpath={.data.token} | base64 -d
<token value omitted>
```
Save the token obtained above in a variable for convenience, then register it as the credential of the dashboard-admin user:

```shell
[root@node-0 yaml]# DEFNS_ADMIN_TOKEN=$(kubectl -n kube-system get secret/dashboard-admin-token-zspzh -o jsonpath={.data.token} | base64 -d)
[root@node-0 yaml]# kubectl config set-credentials dashboard-admin --token=$DEFNS_ADMIN_TOKEN --kubeconfig=/tmp/dashboard-admin.conf
User "dashboard-admin" set.
```
Set up the context list by defining a context named dashboard-admin:

```shell
[root@node-0 yaml]# kubectl config set-context dashboard-admin@kubernetes --cluster=kubernetes --user=dashboard-admin --kubeconfig=/tmp/dashboard-admin.conf
Context "dashboard-admin@kubernetes" created.
```
Finally, select the context defined above, dashboard-admin, as the one to use:

```shell
[root@node-0 tmp]# kubectl config use-context dashboard-admin@kubernetes --kubeconfig=/tmp/dashboard-admin.conf
Switched to context "dashboard-admin@kubernetes".
```
View the final configuration file:

```shell
[root@node-0 tmp]# kubectl config view --kubeconfig=/tmp/dashboard-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.235.20:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: dashboard-admin
  name: dashboard-admin@kubernetes
current-context: dashboard-admin@kubernetes
kind: Config
preferences: {}
users:
- name: dashboard-admin
  user:
    token: <token value omitted>
```
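The kubeconfig built by the four kubectl config steps above has a fixed shape, and the token it embeds is a service-account JWT whose payload names the namespace and account it belongs to. The following added example (not from this post) checks those claims before embedding the token and assembles the same structure directly; the CA certificate and token are constructed placeholders, and the payload is read without verifying the signature.

```python
import base64
import json

# Constructed inputs (not the page's real values): a fake CA certificate and a
# service-account JWT with the legacy claims kube-system tokens carry; signature is a dummy.
SAMPLE_CA_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": "constructed-kid"}).encode()),
    _b64url(json.dumps({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "kube-system",
        "kubernetes.io/serviceaccount/service-account.name": "dashboard-admin",
        "sub": "system:serviceaccount:kube-system:dashboard-admin",
    }).encode()),
    _b64url(b"constructed-signature"),
])

def token_claims(token: str) -> dict:
    """Decode the payload segment of a service-account JWT (no signature check)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_token(token: str, namespace: str, sa_name: str) -> list:
    """Findings to review before embedding the token in a kubeconfig."""
    claims = token_claims(token)
    findings = []
    if (claims.get("kubernetes.io/serviceaccount/namespace") != namespace
            or claims.get("kubernetes.io/serviceaccount/service-account.name") != sa_name):
        findings.append("token does not belong to %s:%s" % (namespace, sa_name))
    if "exp" not in claims:
        findings.append("legacy token without exp: valid until the secret is deleted")
    return findings

def build_kubeconfig(server: str, ca_pem: bytes, token: str,
                     cluster: str = "kubernetes", user: str = "dashboard-admin") -> dict:
    """Structure that set-cluster, set-credentials, set-context and use-context produced."""
    context = "%s@%s" % (user, cluster)
    return {
        "apiVersion": "v1", "kind": "Config", "preferences": {},
        "clusters": [{"name": cluster, "cluster": {"server": server,
                      "certificate-authority-data": base64.b64encode(ca_pem).decode()}}],
        "users": [{"name": user, "user": {"token": token}}],
        "contexts": [{"name": context, "context": {"cluster": cluster, "user": user}}],
        "current-context": context,
    }
```

Writing `json.dumps(build_kubeconfig(...))` to a file yields a kubeconfig kubectl accepts, since JSON is valid YAML.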
Save this configuration file on the client and log in by loading it:
Testing shows that after logging in as this dashboard-admin user you can see the contents of every namespace and manage the resources in every namespace.