文章目录
Kubernetes1.13集群安装dashboard 1.10.1
搭建的环境是Kubernetes版本1.13,搭建的集群的教程可以参考我的上一篇博文:
Ubuntu环境搭建Kubernetes1.13.1集群
然后dashboard 的版本选择的是1.10.1
dashboard 有三种访问方式
1)kubectl proxy方式(开发测试使用,不推荐)
2)NodePort方式(不推荐)
3)APIServer方式(推荐)
这种方式可以在本地电脑chrome上访问,比较方便,但是配置稍微麻烦一点。
本文也是主要介绍APIServer这种方式
安装dashboard
下载kubernetes-dashboard.yaml
wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
下载镜像
master@master:~$ docker pull mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1
v1.10.1: Pulling from mirrorgooglecontainers/kubernetes-dashboard-amd64
63926ce158a6: Pull complete
Digest: sha256:d6b4e5d77c1cdcb54cd5697a9fe164bc08581a7020d6463986fe1366d36060e8
Status: Downloaded newer image for mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1
master@master:~$ docker tag mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1 k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
master@master:~$
注意需要把node1和node2节点的docker 镜像也下载下来!!
创建pod
master@master:~$ kubectl create -f kubernetes-dashboard.yaml
secret/kubernetes-dashboard-certs created
serviceaccount/kubernetes-dashboard created
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
deployment.apps/kubernetes-dashboard created
service/kubernetes-dashboard created
master@master:~$
稍等一会,pod创建好后,查看服务状态
master@master:~$ kubectl get service --all-namespaces
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 27h
kube-system kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP 27h
kube-system kubernetes-dashboard ClusterIP 10.96.79.215 <none> 443/TCP 28s
master@master:~$
查看service描述
master@master:~$ kubectl describe service kubernetes-dashboard -n kube-system
Name: kubernetes-dashboard
Namespace: kube-system
Labels: k8s-app=kubernetes-dashboard
Annotations: <none>
Selector: k8s-app=kubernetes-dashboard
Type: ClusterIP
IP: 10.96.79.215
Port: <unset> 443/TCP
TargetPort: 8443/TCP
Endpoints:
Session Affinity: None
Events: <none>
master@master:~$
查看pod
master@master:~$ kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system coredns-59b69b999c-d9rjr 1/1 Running 11 25h
kube-system coredns-59b69b999c-wr724 1/1 Running 11 25h
kube-system etcd-master 1/1 Running 0 27h
kube-system kube-apiserver-master 1/1 Running 0 27h
kube-system kube-controller-manager-master 1/1 Running 0 27h
kube-system kube-flannel-ds-amd64-4jb2p 1/1 Running 0 25h
kube-system kube-flannel-ds-amd64-8psq9 1/1 Running 0 25h
kube-system kube-flannel-ds-amd64-wlhmx 1/1 Running 0 25h
kube-system kube-proxy-bzccc 1/1 Running 0 27h
kube-system kube-proxy-jq968 1/1 Running 0 25h
kube-system kube-proxy-pqshb 1/1 Running 1 25h
kube-system kube-scheduler-master 1/1 Running 0 27h
kube-system kubernetes-dashboard-57df4db6b-5s6pp 1/1 Running 0 4m1s
master@master:~$
查看pod描述
kubectl describe pod kubernetes-dashboard-57df4db6b-5s6pp --namespace=kube-system
授予Dashboard账户集群管理权限
这一步很关键,如果你缺少这一步的话,你打开dashboard后会报很多forbidden
configmaps is forbidden: User "system:serviceaccount:kube-system:service-controller" cannot list resource "configmaps" in API group "" in the namespace "default"
close
warning
persistentvolumeclaims is forbidden: User "system:serviceaccount:kube-system:service-controller" cannot list resource "persistentvolumeclaims" in API group "" in the namespace "default"
close
warning
要获得管理集群admin的权限,先新建kubernetes-dashboard-admin.rbac.yaml文件,内容如下
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kube-system
---
# Create ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kube-system
执行
master@master:~$ kubectl create -f kubernetes-dashboard-admin.rbac.yaml
serviceaccount/admin-user created
clusterrolebinding.rbac.authorization.k8s.io/admin-user created
找到kubernete-dashboard-admin的token,记下这串token,等下登录的时候会使用,这个token默认是永久的。
master@master:~$ kubectl -n kube-system get secret | grep admin-user
admin-user-token-trv94 kubernetes.io/service-account-token 3 46s
master@master:~$ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')
Name: admin-user-token-trv94
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: admin-user
kubernetes.io/service-account.uid: 859e1e45-bac2-11e9-943d-000c29d9f9d7
Type: kubernetes.io/service-account-token
Data
====
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLXRydjk0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4NTllMWU0NS1iYWMyLTExZTktOTQzZC0wMDBjMjlkOWY5ZDciLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06YWRtaW4tdXNlciJ9.Z8TbniS8FY0_8dY0W3qzGv_fAClLJ8_Fa1T_anoKGbq7F0uA2KZiSLEgZqufCsnMV8SMs9G5WkAs3mw7S0_k5KcNLG8RBpccTOJGeS-i9UzT-yf7sK9DFe6Ch0MT6wF0oWgHRsTEaS4yuxHxq8xQqCVZfKWFVvuthIdIbJHpuyFP8fqFDR_bpqPtVoSfoay7VcmgzsQwdWtF4SML1Imp3xpQdWPtombYQ9svZ60iEjZjmxvI1vExXKS7yyPFLLVvXLzk_XGUtXfKWLVk-_JgtJXI_KVaHD3m8OQdo59c7UkiIoWLjkxKjy4sjPw-WMExDQ0xaXI-DHOdTMpTyFTdXA
ca.crt: 1025 bytes
master@master:~$
APIServer方式
查看集群信息
master@master:~$ kubectl cluster-info
Kubernetes master is running at https://192.168.174.133:6443
KubeDNS is running at https://192.168.174.133:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
master@master:~$
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:anonymous\" cannot get resource \"services/proxy\" in API group \"\" in the namespace \"kube-system\"",
"reason": "Forbidden",
"details": {
"name": "https:kubernetes-dashboard:",
"kind": "services"
},
"code": 403
}
报错403,说明有权限问题,这是因为最新版的k8s默认启用了RBAC,并为未认证用户赋予了一个默认的身份:anonymous。
对于API Server来说,它是使用证书进行认证的,而我们浏览器上没有这个证书,所以我们要为浏览器配置https证书。
创建证书
首先需要确认kubectl命令的配置文件,默认情况下为/etc/kubernetes/admin.conf,而且已经自动创建在$HOME/.kube/config中,如果没有创建则需要手动赋值。
cat $HOME/.kube/config
如果确认有集群的配置,则运行以下命令来生成一个p12格式的浏览器证书
# 生成client-certificate-data
grep 'client-certificate-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d >> kubecfg.crt
# 生成client-key-data
grep 'client-key-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d >> kubecfg.key
# 生成p12
openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12 -name "kubernetes-client"
按要求输入密码直接回车即可,密码不要胡乱输,后面给浏览器导入的时候要用。
运行完后在当前目录会有个kubecfg.p12证书文件。
证书导入chrome
然后我们通过secureCRT 的SFTP工具来下载我们的kubecfg.p12文件
然后我们找到下载路径:C:\Users\c\Documents\kubecfg.p12,然后打开chrome浏览器
点击浏览器 菜单-设置-高级-管理证书
所以我这里选择个人,然后导入我们的kubecfg.p12
然后直接默认一直下一步就完成了。
导入上面生成的p12文件后,重启浏览器chrome://restart
然后浏览器访问:https://192.168.174.133:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
弹出证书信息,点击确定即可。
如果发现出现如下问题:
Error: 'dial tcp 10.244.2.3:8443: connect: connection refused'
Trying to reach: 'https://10.244.2.3:8443/'
可以把整个浏览器关掉重开,不行的话可以尝试把每个节点都重启docker试试,然后在重开浏览器,反正我通过上面的尝试就能正常打开UI的界面了。
master@master:~$ systemctl restart docker
然后选择token登录方式,查看token
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')
参考
感谢下面的文章的帮助,本文也是通过下面文章参考摸索安装出来的,十分感谢~~
Kubernetes的三种外部访问方式:NodePort、LoadBalancer 和 Ingress(介绍了三种外部访问方式)
kubernetes1.13安装dashboard(可以稍微参考一下,格式不太好看)
k8s集群配置dashboard(最先版1.13.3 1.10.1)(介绍token和config的认证)
Kubernetes安装Dashboard的方法和思路(和本文的搭建方式相同,主要介绍了API Server的方式)
kubernetes-1.12.2安装web-ui附件dashboard v1.10.1(里面包含了Dashboard多种方式访问的搭建)
K8S关于Dashboard浏览器访问填坑
Kubernetes web界面kubernetes-dashboard安装(里面包含了Dashboard多种方式访问的搭建)
kubernetes1.13安装dashboard(本文主要参考了这篇文章)
https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml (本文dashboard 1.10.1的配置)