kubernetes addons dashboard

一、准备

• 官方文档

• kubernetes 1.8.3

• dashboard 1.8.0

二、安装

下载官方yaml文件

wget https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

在service添加

kubernetes.io/cluster-service: "true"

# ------------------- Dashboard Service ------------------- #apiVersion: v1kind: Servicemetadata:  labels:    k8s-app: kubernetes-dashboard    kubernetes.io/cluster-service: "true"  name: kubernetes-dashboard  namespace: kube-systemspec:  ports:    - port: 443      targetPort: 8443  selector:    k8s-app: kubernetes-dashboard

安装

kubectl apply -f /etc/kubernetes/addons/dashboard/kubernetes-dashboard.yaml

三、验证

安装成功后的状态

[root@node1 ~]# kubectl cluster-info Kubernetes master is running at https://192.168.1.121:6443dnsmasq is running at https://192.168.1.121:6443/api/v1/namespaces/kube-system/services/dnsmasq/proxyKubeDNS is running at https://192.168.1.121:6443/api/v1/namespaces/kube-system/services/kube-dns/proxykubernetes-dashboard is running at https://192.168.1.121:6443/api/v1/namespaces/kube-system/services/kubernetes-dashboard/proxyTo further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

[root@node1 ~]# kubectl get po -o wide -n kube-systemNAME                                    READY     STATUS    RESTARTS   AGE       IP              NODEcalico-node-7mvzn                       1/1       Running   1          23h       192.168.1.123   node3calico-node-hgqm2                       1/1       Running   1          23h       192.168.1.124   node4calico-node-jpd8g                       1/1       Running   1          23h       192.168.1.121   node1calico-node-x7krm                       1/1       Running   1          23h       192.168.1.122   node2dnsmasq-775767cfd7-mqcpf                1/1       Running   1          23h       10.233.74.68    node4dnsmasq-775767cfd7-qwgd6                1/1       Running   1          23h       10.233.71.50    node3dnsmasq-autoscaler-856b5c899b-cr8xg     1/1       Running   1          23h       10.233.71.48    node3kube-apiserver-node1                    1/1       Running   2          23h       192.168.1.121   node1kube-controller-manager-node1           1/1       Running   2          23h       192.168.1.121   node1kube-dns-cf9d8c47-krxnb                 3/3       Running   3          23h       10.233.75.2     node2kube-dns-cf9d8c47-ww4lk                 3/3       Running   3          23h       10.233.74.67    node4kube-proxy-node1                        1/1       Running   1          23h       192.168.1.121   node1kube-proxy-node2                        1/1       Running   1          23h       192.168.1.122   node2kube-proxy-node3                        1/1       Running   1          23h       192.168.1.123   node3kube-proxy-node4                        1/1       Running   1          23h       192.168.1.124   node4kube-scheduler-node1                    1/1       Running   2          23h       192.168.1.121   node1kubedns-autoscaler-86c47697df-dh4lr     1/1       Running   1          23h       10.233.71.51    node3kubernetes-dashboard-7486b894c6-rshss   1/1       Running   0          51m       10.233.71.58    node3nginx-proxy-node2                       1/1       Running   1          23h       192.168.1.122   node2nginx-proxy-node3                       1/1       Running   1          23h       192.168.1.123   node3nginx-proxy-node4                       1/1       Running   1          23h       192.168.1.124   node4

[root@node1 ~]# kubectl get svc -n kube-system  NAME                   TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)         AGEdnsmasq                ClusterIP   10.233.0.2    <none>        53/TCP,53/UDP   23hkube-dns               ClusterIP   10.233.0.3    <none>        53/UDP,53/TCP   23hkubernetes-dashboard   NodePort    10.233.0.93   <none>        443:31805/TCP   52m

四、访问

Dashboard大多数问题就出现在访问上

1.7及以上访问

我们这里直接使用API Server访问

地址是：

https://<master-ip>:<apiserver-port>/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

我这里的地址就是：

https://192.168.1.121:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

结果是：Unauthorized未授权

{  "kind": "Status",  "apiVersion": "v1",  "metadata": {      },  "status": "Failure",  "message": "Unauthorized",  "reason": "Unauthorized",  "code": 401}

这时我们只需要把admin证书导入浏览器就可以，上传之前转换一下

openssl pkcs12 -export -in admin-node1.pem -out admin.p12 -inkey admin-node1-key.pem

五、授权

dashboard1.7及以上版本支持使用token或kubeconfig文件做登录认证

token

创建一个 admin 用户并授予 admin 角色绑定，使用下面的 yaml 文件创建 admin 用户并赋予他管理员权限，然后可以通过 token 登陆 dashbaord

kind: ClusterRoleBindingapiVersion: rbac.authorization.k8s.io/v1beta1metadata:  name: admin  annotations:    rbac.authorization.kubernetes.io/autoupdate: "true"roleRef:  kind: ClusterRole  name: cluster-admin  apiGroup: rbac.authorization.k8s.iosubjects:- kind: ServiceAccount  name: admin  namespace: kube-system---apiVersion: v1kind: ServiceAccountmetadata:  name: admin  namespace: kube-system  labels:    kubernetes.io/cluster-service: "true"    addonmanager.kubernetes.io/mode: Reconcile

对于其他命名空间的其他用户只要修改上述 yaml 中的 name 和 namespace 字段即可

[root@node1 ~]# kubectl -n kube-system get secret|grep admin-tokenadmin-token-m7m8b                             kubernetes.io/service-account-token   3         41s[root@node1 ~]# kubectl -n kube-system describe secret admin-token-m7m8bName:         admin-token-m7m8bNamespace:    kube-systemLabels:       <none>Annotations:  kubernetes.io/service-account.name=admin              kubernetes.io/service-account.uid=6ceade3d-dcdc-11e7-b30c-080027926e0aType:  kubernetes.io/service-account-tokenData====ca.crt:     1090 bytesnamespace:  11 bytestoken:      eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi1tN204YiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjZjZWFkZTNkLWRjZGMtMTFlNy1iMzBjLTA4MDAyNzkyNmUwYSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.Nlcmuv6e8A78y8XKr-Qv2Bj1jddPvC6rYiHYqwfkf0IwzTIqM1mTyY34XEuuOTzE0pxAoI_uBlFyT7uadw9_cQhGEHNXRvtbr4J_K1bUAV-o1cQ_s9tiTeT4CJY_X2q72uVV5xfcrNKEgcbX1B2g5FzwaQ3N57Q5UiNyh4mI4hj5nmmZksHgnh9UAJaQF7wX83JKPHIy_ectuPJbdfRunARymWkl4hd7uvPBDJi5XV9VnC4HzUMV-k4SWU815OhkPhk5M0bkisDe-WOTvZIxTwCAwvWzJZB4tyzb9UHu0fpHv-XYG0M1eumj6vRCpHDd_gsEw66m1N3Nzxys6P_tCg

使用获取的token登录即可。