Kubernetes集群中部署dashboard

部署 dashboard 插件

下载k8s后的解压缩目录结构：kubernetes/cluster/addons/dashboard

使用的文件：

$ ls *.yamldashboard-controller.yaml  dashboard-rbac.yaml  dashboard-service.yaml

• 新加了 dashboard-rbac.yaml 文件，定义 dashboard 使用的 RoleBinding。

由于 kube-apiserver 启用了 RBAC 授权，而官方源码目录的 dashboard-controller.yaml 没有定义授权的 ServiceAccount，所以后续访问 kube-apiserver 的 API 时会被拒绝.

解决办法是：定义一个名为 dashboard 的 ServiceAccount，然后将它和 Cluster Role view 绑定。参考下面修改的文件。

dashboard-controller.yaml

apiVersion: extensions/v1beta1kind: Deploymentmetadata:  name: kubernetes-dashboard  namespace: kube-system  labels:    k8s-app: kubernetes-dashboard    kubernetes.io/cluster-service: "true"    addonmanager.kubernetes.io/mode: Reconcilespec:  selector:    matchLabels:      k8s-app: kubernetes-dashboard  template:    metadata:      labels:        k8s-app: kubernetes-dashboard      annotations:        scheduler.alpha.kubernetes.io/critical-pod: ''    spec:      serviceAccountName: dashboard      containers:      - name: kubernetes-dashboard        image: cokabug/kubernetes-dashboard-amd64:v1.6.0        resources:          limits:            cpu: 100m            memory: 50Mi          requests:            cpu: 100m            memory: 50Mi        ports:        - containerPort: 9090        livenessProbe:          httpGet:            path: /            port: 9090          initialDelaySeconds: 30          timeoutSeconds: 30      tolerations:      - key: "CriticalAddonsOnly"        operator: "Exists"

dashboard-service.yaml

apiVersion: v1kind: Servicemetadata:  name: kubernetes-dashboard  namespace: kube-system  labels:    k8s-app: kubernetes-dashboard    kubernetes.io/cluster-service: "true"    addonmanager.kubernetes.io/mode: Reconcilespec:  type: NodePort   selector:    k8s-app: kubernetes-dashboard  ports:  - port: 80    targetPort: 9090

dashboard-rbac.yaml

apiVersion: v1kind: ServiceAccountmetadata:  name: dashboard  namespace: kube-system---kind: ClusterRoleBindingapiVersion: rbac.authorization.k8s.io/v1alpha1metadata:  name: dashboardsubjects:  - kind: ServiceAccount    name: dashboard    namespace: kube-systemroleRef:  kind: ClusterRole  name: cluster-admin  apiGroup: rbac.authorization.k8s.io

配置dashboard-service

$ diff dashboard-service.yaml.orig dashboard-service.yaml10a11>   type: NodePort

• 指定端口类型为 NodePort，这样外界可以通过地址 nodeIP:nodePort 访问 dashboard；

配置dashboard-controller

20a21>       serviceAccountName: dashboard23c24<         image: gcr.io/google_containers/kubernetes-dashboard-amd64:v1.6.0--->         image: cokabug/kubernetes-dashboard-amd64:v1.6.0

• 使用名为 dashboard 的自定义 ServiceAccount；

执行所有定义文件

$ pwd/home/app/kubernetes/cluster/addons/dashboard$ ls *.yamldashboard-controller.yaml  dashboard-rbac.yaml  dashboard-service.yaml$ kubectl create -f  .$

检查执行结果

查看分配的 NodePort

$ kubectl get services kubernetes-dashboard -n kube-systemNAME                   CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGEkubernetes-dashboard   10.254.224.130   <nodes>       80:30312/TCP   25s

• NodePort 30312映射到 dashboard pod 80端口；

检查 controller

$ kubectl get deployment kubernetes-dashboard  -n kube-systemNAME                   DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGEkubernetes-dashboard   1         1         1            1           3m$ kubectl get pods  -n kube-system | grep dashboardkubernetes-dashboard-1339745653-pmn6z   1/1       Running   0          4m

访问dashboard

1. kubernetes-dashboard 服务暴露了 NodePort，可以使用 http://NodeIP:nodePort 地址访问 dashboard；
2. 通过 kube-apiserver 访问 dashboard；
3. 通过 kubectl proxy 访问 dashboard：

通过 kubectl proxy访问dashboard

启动代理

$ kubectl proxy --address='10.501.101.41' --port=8086 --accept-hosts='^*$'Starting to serve on 10.501.101.41:8086

• 需要指定 --accept-hosts 选项，否则浏览器访问 dashboard 页面时提示 “Unauthorized”；

浏览器访问 URL：http://10.501.101.41:8086/ui
自动跳转到：http://10.501.101.41:8086/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard/#/workload?namespace=default

通过 kube-apiserver 访问dashboard

获取集群服务地址列表

$ kubectl cluster-infoKubernetes master is running at https://10.501.101.41:6443KubeDNS is running at https://10.501.101.41:6443/api/v1/proxy/namespaces/kube-system/services/kube-dnskubernetes-dashboard is running at https://10.501.101.41:6443/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard

由于 kube-apiserver 开启了 RBAC 授权，而浏览器访问 kube-apiserver 的时候使用的是匿名证书，所以访问安全端口会导致授权失败。这里需要使用非安全端口访问 kube-apiserver：

浏览器访问 URL：http://10.501.101.41:8080/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard

由于缺少 Heapster 插件，当前 dashboard 不能展示 Pod、Nodes 的 CPU、内存等 metric 图形；

欢迎订阅微信公众号