Kubernetes Learning Summary (10): Dashboard

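The Kubernetes Dashboard is the official web-based user interface for managing a Kubernetes cluster and displaying its state. A freshly installed cluster does not include the Dashboard by default; it has to be created separately, as follows:
1. Download the Dashboard manifest file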

[root@k8s-master-dev dashboard]# wget  https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
[root@k8s-master-dev dashboard]# ls
kubernetes-dashboard-amd64.tar  kubernetes-dashboard.yaml
[root@k8s-master-dev dashboard]# docker load < kubernetes-dashboard-amd64.tar
5f222ffea122: Loading layer [==================================================>]    123MB/123MB
Loaded image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
[root@k8s-master-dev dashboard]# kubectl apply -f kubernetes-dashboard.yaml
secret/kubernetes-dashboard-certs created
serviceaccount/kubernetes-dashboard created
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
deployment.apps/kubernetes-dashboard created
service/kubernetes-dashboard created
[root@k8s-master-dev dashboard]#
[root@k8s-master-dev ~]# kubectl get pods -n kube-system
NAME                                     READY     STATUS    RESTARTS   AGE
coredns-78fcdf6894-9t2x5                 1/1       Running   7          10d
coredns-78fcdf6894-tvbtd                 1/1       Running   6          10d
etcd-k8s-master-dev                      1/1       Running   6          10d
kube-apiserver-k8s-master-dev            1/1       Running   4          10d
kube-controller-manager-k8s-master-dev   1/1       Running   7          10d
kube-flannel-ds-amd64-9tmns              1/1       Running   1          10d
kube-flannel-ds-amd64-cn8v5              1/1       Running   7          10d
kube-flannel-ds-amd64-gwf76              1/1       Running   1          10d
kube-flannel-ds-amd64-v4g6w              1/1       Running   1          10d
kube-proxy-4ks89                         1/1       Running   1          10d
kube-proxy-b47qm                         1/1       Running   2          10d
kube-proxy-dz778                         1/1       Running   5          10d
kube-proxy-mg5rr                         1/1       Running   2          10d
kube-scheduler-k8s-master-dev            1/1       Running   7          10d
kubernetes-dashboard-5dd89b9875-9v7bm    1/1       Running   0          15h
[root@k8s-master-dev ~]#

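2. The Service created by the Dashboard manifest is of type ClusterIP, so it cannot be reached from outside the cluster. To let users outside the cluster access the Dashboard, change the Service type to NodePort, as shown below: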

[root@k8s-master-dev ~]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE
kube-dns               ClusterIP   10.96.0.10       <none>        53/UDP,53/TCP   10d
kubernetes-dashboard   ClusterIP   10.103.192.236   <none>        443/TCP         15h
[root@k8s-master-dev ~]#
[root@k8s-master-dev ~]# kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system
service/kubernetes-dashboard patched
[root@k8s-master-dev ~]#
[root@k8s-master-dev ~]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE
kube-dns               ClusterIP   10.96.0.10       <none>        53/UDP,53/TCP   10d
kubernetes-dashboard   NodePort    10.103.192.236   <none>        443:6774/TCP    15h
[root@k8s-master-dev ~]#

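After that, the Dashboard can be reached from outside the cluster on port 6774 of any node's IP (over HTTPS), as shown in the figure below:
[Figure: Kubernetes Learning Summary (10): Dashboard]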

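3. The Dashboard runs as a Pod and does not perform authentication itself. When a client accesses the Dashboard Pod over HTTPS, it must supply a ServiceAccount; the Dashboard Pod then sends that ServiceAccount's information to the k8s cluster for authentication.
So this example creates a ServiceAccount and binds it to the cluster-admin role, as shown below: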

[root@k8s-master-dev ~]# kubectl create serviceaccount dashboard-admin -n kube-system
serviceaccount/dashboard-admin created
[root@k8s-master-dev ~]# kubectl describe sa dashboard-admin -n kube-system
Name:                dashboard-admin
Namespace:           kube-system
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   dashboard-admin-token-7dx6b
Tokens:              dashboard-admin-token-7dx6b
Events:              <none>
[root@k8s-master-dev ~]# kubectl create clusterrolebinding dashboard-cluster-admin-binding --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
clusterrolebinding.rbac.authorization.k8s.io/dashboard-cluster-admin-binding created
[root@k8s-master-dev ~]# kubectl get secret -n kube-system | grep dashboard-admin
dashboard-admin-token-7dx6b                      kubernetes.io/service-account-token   3         2m
[root@k8s-master-dev ~]#
[root@k8s-master-dev ~]# kubectl describe secret dashboard-admin-token-7dx6b -n kube-system
Name:         dashboard-admin-token-7dx6b
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=dashboard-admin
              kubernetes.io/service-account.uid=02237028-49e9-11e9-a017-000c295011ce

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.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.KH3V6eLmBo1VvvrpO7qtCOObNadjWya-yA1ALoYgjQLWszg8ifOedzjUcqKJ13Gxh4AMcQyYQRrEffb8PlMsaTZhXcISja7PY3QounNmcj35aTgLwarDX6zJj4FN6wZrUAQ2K0SZz591tVNl2JO1SumKJk7tAqgn9KX9ZYERzHBLO8HXQp5hRQvpyuj73Djcp1UW--N_Meih8kmcV2x3lA0w28FZGJdqC7iniv2btCVOvk5brBd0z_qUc58E7DKII4QnJwD9zu1yfZ1vRRyv2Vz-K_5fkKs87TEo_sy7CsCnc5TtF8Cj9BjVUQ_wMb22i4CPY4VakXA05DNbCuOf9w
[root@k8s-master-dev ~]#

The Dashboard can now be accessed with this ServiceAccount's token, as shown below:
[Figure: Kubernetes Learning Summary (10): Dashboard]

4. Because the token is long and inconvenient to use, configure a kubeconfig file to make access easier for users, as shown below:

[root@k8s-master-dev ~]# kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --server="http://192.168.20.79:6443" --embed-certs=true --kubeconfig=/root/cluster-admin.conf
Cluster "kubernetes" set.
[root@k8s-master-dev ~]# kubectl config view --kubeconfig=/root/cluster-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: http://192.168.20.79:6443
  name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
[root@k8s-master-dev ~]#

[root@k8s-master-dev ~]# DASHBOARD_ADMIN_TOKEN=$(kubectl describe secret dashboard-admin-token-7dx6b -n kube-system | tail -1|awk '{print $2}')
[root@k8s-master-dev ~]# kubectl config set-credentials dashboard-cluster-admin --token=$DASHBOARD_ADMIN_TOKEN --kubeconfig=/root/cluster-admin.conf
User "dashboard-cluster-admin" set.
[root@k8s-master-dev ~]# kubectl config view --kubeconfig=/root/cluster-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: http://192.168.20.79:6443
  name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users:
- name: dashboard-cluster-admin
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.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.KH3V6eLmBo1VvvrpO7qtCOObNadjWya-yA1ALoYgjQLWszg8ifOedzjUcqKJ13Gxh4AMcQyYQRrEffb8PlMsaTZhXcISja7PY3QounNmcj35aTgLwarDX6zJj4FN6wZrUAQ2K0SZz591tVNl2JO1SumKJk7tAqgn9KX9ZYERzHBLO8HXQp5hRQvpyuj73Djcp1UW--N_Meih8kmcV2x3lA0w28FZGJdqC7iniv2btCVOvk5brBd0z_qUc58E7DKII4QnJwD9zu1yfZ1vRRyv2Vz-K_5fkKs87TEo_sy7CsCnc5TtF8Cj9BjVUQ_wMb22i4CPY4VakXA05DNbCuOf9w
[root@k8s-master-dev ~]#

Note: either of the following two methods can be used to obtain the ServiceAccount's token:

[root@k8s-master-dev ~]# kubectl get secret dashboard-admin-token-7dx6b -o jsonpath={.data.token} -n kube-system | base64 -d
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.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.KH3V6eLmBo1VvvrpO7qtCOObNadjWya-yA1ALoYgjQLWszg8ifOedzjUcqKJ13Gxh4AMcQyYQRrEffb8PlMsaTZhXcISja7PY3QounNmcj35aTgLwarDX6zJj4FN6wZrUAQ2K0SZz591tVNl2JO1SumKJk7tAqgn9KX9ZYERzHBLO8HXQp5hRQvpyuj73Djcp1UW--N_Meih8kmcV2x3lA0w28FZGJdqC7iniv2btCVOvk5brBd0z_qUc58E7DKII4QnJwD9zu1yfZ1vRRyv2Vz-K_5fkKs87TEo_sy7CsCnc5TtF8Cj9BjVUQ_wMb22i4CPY4VakXA05DNbCuOf9w[root@k8s-master-dev ~]#
[root@k8s-master-dev ~]# kubectl describe secret dashboard-admin-token-7dx6b -n kube-system | tail -1|awk '{print $2}'
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.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.KH3V6eLmBo1VvvrpO7qtCOObNadjWya-yA1ALoYgjQLWszg8ifOedzjUcqKJ13Gxh4AMcQyYQRrEffb8PlMsaTZhXcISja7PY3QounNmcj35aTgLwarDX6zJj4FN6wZrUAQ2K0SZz591tVNl2JO1SumKJk7tAqgn9KX9ZYERzHBLO8HXQp5hRQvpyuj73Djcp1UW--N_Meih8kmcV2x3lA0w28FZGJdqC7iniv2btCVOvk5brBd0z_qUc58E7DKII4QnJwD9zu1yfZ1vRRyv2Vz-K_5fkKs87TEo_sy7CsCnc5TtF8Cj9BjVUQ_wMb22i4CPY4VakXA05DNbCuOf9w
[root@k8s-master-dev ~]#

Create a context and switch the current context to it, as shown below:


[root@k8s-master-dev ~]# kubectl config set-context dashboard-cluster-admin@kubernetes --cluster=kubernetes --user=dashboard-cluster-admin --kubeconfig=/root/cluster-admin.conf
Context "dashboard-cluster-admin@kubernetes" created.
[root@k8s-master-dev ~]# kubectl config view --kubeconfig=/root/cluster-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: http://192.168.20.79:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: dashboard-cluster-admin
  name: dashboard-cluster-admin@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: dashboard-cluster-admin
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.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.KH3V6eLmBo1VvvrpO7qtCOObNadjWya-yA1ALoYgjQLWszg8ifOedzjUcqKJ13Gxh4AMcQyYQRrEffb8PlMsaTZhXcISja7PY3QounNmcj35aTgLwarDX6zJj4FN6wZrUAQ2K0SZz591tVNl2JO1SumKJk7tAqgn9KX9ZYERzHBLO8HXQp5hRQvpyuj73Djcp1UW--N_Meih8kmcV2x3lA0w28FZGJdqC7iniv2btCVOvk5brBd0z_qUc58E7DKII4QnJwD9zu1yfZ1vRRyv2Vz-K_5fkKs87TEo_sy7CsCnc5TtF8Cj9BjVUQ_wMb22i4CPY4VakXA05DNbCuOf9w
[root@k8s-master-dev ~]#
[root@k8s-master-dev ~]# kubectl config use-context dashboard-cluster-admin@kubernetes --kubeconfig=/root/cluster-admin.conf
Switched to context "dashboard-cluster-admin@kubernetes".
[root@k8s-master-dev ~]# kubectl config view --kubeconfig=/root/cluster-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: http://192.168.20.79:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: dashboard-cluster-admin
  name: dashboard-cluster-admin@kubernetes
current-context: dashboard-cluster-admin@kubernetes
kind: Config
preferences: {}
users:
- name: dashboard-cluster-admin
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.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.KH3V6eLmBo1VvvrpO7qtCOObNadjWya-yA1ALoYgjQLWszg8ifOedzjUcqKJ13Gxh4AMcQyYQRrEffb8PlMsaTZhXcISja7PY3QounNmcj35aTgLwarDX6zJj4FN6wZrUAQ2K0SZz591tVNl2JO1SumKJk7tAqgn9KX9ZYERzHBLO8HXQp5hRQvpyuj73Djcp1UW--N_Meih8kmcV2x3lA0w28FZGJdqC7iniv2btCVOvk5brBd0z_qUc58E7DKII4QnJwD9zu1yfZ1vRRyv2Vz-K_5fkKs87TEo_sy7CsCnc5TtF8Cj9BjVUQ_wMb22i4CPY4VakXA05DNbCuOf9w
[root@k8s-master-dev ~]#

5. The kubeconfig is now fully configured; copy the finished file to the user's computer and it is ready to use, as shown below:

yuandeMacBook-Pro:~ yuanjicai$ scp [email protected]:/root/cluster-admin.conf Desktop/
cluster-admin.conf                                                                                              100% 2640   867.5KB/s   00:00
yuandeMacBook-Pro:~ yuanjicai$
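
The kubeconfig copied in step 5 carries the ServiceAccount token verbatim, so it helps to see what that token asserts. The following is an added example, not code from the original post: it decodes the claims of a secret-based ServiceAccount JWT without verifying the signature. The sample token is constructed (only its header segment is the one shown on this page), and the function names are illustrative.

```python
import base64
import json

def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def describe_sa_token(token):
    """Return identity and lifetime facts from a ServiceAccount JWT.
    The signature is NOT verified: this is inspection, not authentication."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    prefix = "kubernetes.io/serviceaccount/"
    return {
        "alg": header.get("alg"),
        "subject": claims.get("sub"),
        "namespace": claims.get(prefix + "namespace"),
        "secret": claims.get(prefix + "secret.name"),
        "expires": claims.get("exp"),  # None: the token stays valid until its Secret is deleted
    }

# Constructed claims in the layout of a secret-based ServiceAccount token,
# using the account and secret names from step 3.
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/secret.name": "dashboard-admin-token-7dx6b",
    "kubernetes.io/serviceaccount/service-account.name": "dashboard-admin",
    "sub": "system:serviceaccount:kube-system:dashboard-admin",
}
SAMPLE_TOKEN = ".".join([
    "eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9",               # header segment as shown on this page
    b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),  # constructed payload
    b64url_encode(b"constructed-signature"),            # placeholder, not a real signature
])

if __name__ == "__main__":
    for key, value in describe_sa_token(SAMPLE_TOKEN).items():
        print("%-10s %s" % (key, value))
```

A token with no `exp` claim does not age out, so every copy of `cluster-admin.conf` remains a usable credential until the backing Secret or the ServiceAccount is deleted.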

[Figures: Kubernetes Learning Summary (10): Dashboard]

6. To create an administrator for the default namespace only, rather than for the whole cluster, use the following commands as a reference:

# Create the ServiceAccount and bind it to the built-in "admin" ClusterRole through a RoleBinding,
# which limits the grant to the default namespace
kubectl create serviceaccount def-ns-admin -n default
kubectl create rolebinding def-ns-bingding-admin --clusterrole=admin --serviceaccount=default:def-ns-admin
# Find the token Secret generated for the ServiceAccount (def-ns-admin-token-nlq7c in this example)
kubectl get secret
kubectl describe secret def-ns-admin-token-nlq7c
# Build the kubeconfig; port 6443 is the API server's TLS port, so the server URL uses https://
cd /etc/kubernetes/pki/
kubectl config set-cluster kubernetes --certificate-authority=ca.crt --server="https://192.168.20.79:6443" --embed-certs=true  --kubeconfig=/root/default-ns-admin.conf
DEF_NS_ADMIN_TOKEN=$(kubectl get secret def-ns-admin-token-nlq7c -o jsonpath={.data.token} | base64 -d)
kubectl config set-credentials def-ns-admin --token=$DEF_NS_ADMIN_TOKEN --kubeconfig=/root/default-ns-admin.conf
kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin --kubeconfig=/root/default-ns-admin.conf
kubectl config use-context def-ns-admin@kubernetes --kubeconfig=/root/default-ns-admin.conf
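
Steps 3 and 6 differ only in the kind of binding: a ClusterRoleBinding grants the role everywhere, while a RoleBinding grants it in a single namespace. The following is an added example, not code from the original post: it lists what each ServiceAccount is granted and flags accounts holding cluster-admin cluster-wide. The JSON is a constructed sample shaped like `kubectl get clusterrolebindings,rolebindings --all-namespaces -o json`, and the function names are illustrative.

```python
import json

# Constructed sample mirroring the bindings from steps 3 and 6,
# plus the built-in cluster-admin binding for the system:masters group.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:masters"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "dashboard-cluster-admin-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "dashboard-admin",
                "namespace": "kube-system"}]},
 {"kind": "RoleBinding", "metadata": {"name": "def-ns-bingding-admin", "namespace": "default"},
  "roleRef": {"kind": "ClusterRole", "name": "admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "def-ns-admin",
                "namespace": "default"}]}
]}
""")

def service_account_grants(rbac_list):
    """Return sorted (service_account, role, scope) tuples for every binding."""
    grants = []
    for item in rbac_list.get("items", []):
        # A ClusterRoleBinding applies everywhere; a RoleBinding applies only in
        # its own namespace, even when it references a ClusterRole such as admin.
        if item["kind"] == "ClusterRoleBinding":
            scope = "cluster-wide"
        elif item["kind"] == "RoleBinding":
            scope = "namespace:" + item["metadata"]["namespace"]
        else:
            continue
        for subject in item.get("subjects") or []:  # subjects may be missing or null
            if subject.get("kind") == "ServiceAccount":
                account = subject.get("namespace", "") + ":" + subject["name"]
                grants.append((account, item["roleRef"]["name"], scope))
    return sorted(grants)

def cluster_admin_service_accounts(rbac_list):
    """ServiceAccounts whose token grants cluster-admin across the whole cluster."""
    return [account for account, role, scope in service_account_grants(rbac_list)
            if role == "cluster-admin" and scope == "cluster-wide"]

if __name__ == "__main__":
    for grant in service_account_grants(SAMPLE):
        print("%-28s %-14s %s" % grant)
    print("cluster-admin tokens:", cluster_admin_service_accounts(SAMPLE))
```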