0%

部署Kubernetes Dashboard

在K8S v1.15.6环境下部署Kubernetes Dashboard。

查看官网

先查看Dashboard的版本,进入官网:https://github.com/kubernetes/dashboard

1
2
3
To deploy Dashboard, execute following command:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml

我们在Releases页面,v1.10.1版本是不支持K8S v1.15的。就算安装上以后页面也是打不开的。

Compatibility

Kubernetes version 1.11 1.12 1.13 1.14 1.15
Compatibility ? ? ? ?

所以我们选择v2.0.0-beta4

下载yml文件

1
wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta4/aio/deploy/recommended.yaml -O kubernetes-dashboard.yaml

编辑/root/k8s/dashboard/kubernetes-dashboard.yaml文件,在名为kubernetes-dashboard的Service这块,加两行。

增加type: NodePortnodePort: 30001,最终内容如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
spec:
type: NodePort
ports:
- port: 443
targetPort: 8443
noePort: 30001
selector:
k8s-app: kubernetes-dashboard

安装kubernetes dashboard

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
kubectl apply -f kubernetes-dashboard.yaml
namespace/kubernetes-dashboard unchanged
serviceaccount/kubernetes-dashboard unchanged
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created

查看pod状态

1
2
3
4
kubectl get po -n kubernetes-dashboard
NAME READY STATUS RESTARTS AGE
dashboard-metrics-scraper-fb986f88d-n2fkv 1/1 Running 0 115s
kubernetes-dashboard-6bb65fcc49-bm676 1/1 Running 0 115s

验证

这时,使用Firefox浏览器,通过https://<NodeIP>:30001就可以访问到页面了。

如果使用的是IE或Chrome浏览器,还是打不开的。解决方案请参考:解决Google Chrome浏览器无法打开Kubernetes(K8S) Dashboard页面

创建Dashboard管理员

创建一个ServiceAccount

1
kubectl create serviceaccount dashboard-admin -n kubernetes-dashboard

查看一下详情

1
2
3
4
5
6
7
8
9
kubectl describe sa dashboard-admin -n kubernetes-dashboard
Name: dashboard-admin
Namespace: kubernetes-dashboard
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: dashboard-admin-token-trt79
Tokens: dashboard-admin-token-trt79
Events: <none>

dashboard-admin-token-trt79将成为Secret的名字。

创建Clusterrolebinding

我们可以先看看有哪些clusterrole

1
2
3
4
5
6
7
8
9
10
11
12
13
14
kubectl get clusterrole
NAME AGE
admin 18h
cluster-admin 18h
edit 18h
flannel 17h
kubernetes-dashboard 15h
system:aggregate-to-admin 18h
system:aggregate-to-edit 18h
system:aggregate-to-view 18h
system:auth-delegator 18h
system:basic-user 18h
system:certificates.k8s.io:certificatesigningrequests:nodeclient 18h
...

绑定

1
kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:dashboard-admin

查看一下绑定关系

1
2
3
4
5
6
7
8
9
10
11
kubectl describe  clusterrolebinding dashboard-admin
Name: dashboard-admin
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: cluster-admin
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount dashboard-admin kubernetes-dashboard

获取登录Token

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
kubectl describe secret -n kubernetes-dashboard $(kubectl get secrets -n kubernetes-dashboard | awk '/dashboard-admin/{print $1}' )
Name: dashboard-admin-token-trt79
Namespace: kubernetes-dashboard
Labels: <none>
Annotations: kubernetes.io/service-account.name: dashboard-admin
kubernetes.io/service-account.uid: 084970f9-48cd-44db-8106-887ee76db771

Type: kubernetes.io/service-account-token

Data
====
ca.crt: 1025 bytes
namespace: 20 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZ
XJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8
vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tdHJ0NzkiLCJrdWJlcm5ldGVzLmlvL
3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ
2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMDg0OTcwZjktNDhjZC00NGRiLTgxMDYtODg3ZWU3NmRiNzcxIiwic
3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmVybmV0ZXMtZGFzaGJvYXJkOmRhc2hib2FyZC1hZG1pbiJ9.m1twrtEAUC
zup9vc0xVJwL3lOKwa4Pizyj4iMNoUctHKBfHD6vKO-NlxJo-jyCwvpDg-Pe8E82haUYQDu5L_HgA_Qa7xyTXSOXAwKVfcifdZ
yhAjkXJSmZCpklqnAfp91rp7iaCPow8LKTNBkvreSVGEtQO6Fta-fWeQtqdn-4FGCoXX2ICbGTp-j3MTCeE2b2PfkhKcZcaEYu
3fho2P6rFvjxH-Xp8pHl6fDDdw01IJHqSGcUmmvE-qkuEMSRkJ9x1P6mAR12w6LbEJH9C5qyq4d-P55zDHYTACsMls0elaHrHY
wAURVT2OJjLmkcW38p73uADAIYBLtuTv67phPQ

把这个token复制后,拷贝到登录Dashboard的token输入框中,就能以cluster-admin的角色成功登录了。如图: