Kubernetes dashboard 1.8.0 WebUI installation and configuration

Source: Internet   Editor: 程序博客网   Time: 2024/06/05 17:48

kubernetes-dashboard.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    addonmanager.kubernetes.io/mode: Reconcile
  name: kubernetes-dashboard
  namespace: kube-system
---
apiVersion: apps/v1beta2
kind: Deployment
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      containers:
      - name: kubernetes-dashboard
        # dashboard image from the author's private registry; replace with your own image path
        image: 10.0.11.222:5000/bigdata/kubernetes-dashboard-amd64:v1.8.0
        resources:
          limits:
            cpu: 100m
            memory: 300Mi
          requests:
            cpu: 100m
            memory: 100Mi
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          # let the dashboard generate its own TLS certificate; no apiserver address needed
          - --auto-generate-certificates
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
        - name: tmp-volume
          mountPath: /tmp
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      tolerations:
      - key: "CriticalAddonsOnly"
        operator: "Exists"
---
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  type: NodePort
  selector:
    k8s-app: kubernetes-dashboard
  ports:
  - port: 443
    targetPort: 8443

spec.containers.image: the path of the dashboard image. Here I use the dashboard image from my local private registry. You can find the 1.8.0 dashboard image with docker search.

spec.containers.args: the startup parameters. Because my Kubernetes 1.8.0 was installed with HTTPS authentication and is accessed at https://masterip:6443, I put - --auto-generate-certificates here so that the dashboard generates its own certificate; the apiserver address does not need to be given here.

kubernetes-rbac.yaml

Because Kubernetes 1.8.0 has RBAC enabled, an RBAC binding has to be created for the dashboard.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

Installing and starting the dashboard

Creating kubernetes-dashboard-certs

Create an empty directory named certs, then run the following command:

kubectl create secret generic kubernetes-dashboard-certs --from-file=certs -n kube-system

Put the two files above, kubernetes-dashboard.yaml and kubernetes-rbac.yaml, in the same directory (that directory should contain only these two files), then run the following command:

Install and start

# apply the config files in the current directory to install and start the dashboard
kubectl apply -f .

Check the pods

List the pods in the kube-system namespace:

kubectl get pods --namespace="kube-system"
NAME                                   READY     STATUS    RESTARTS   AGE
kubernetes-dashboard-77bd6c79b-sc5wb   1/1       Running   1          56m

Check the details of a specific pod

pods/ is followed by the name of the pod:

kubectl describe pods/kubernetes-dashboard-77bd6c79b-sc5wb --namespace="kube-system"

The output is long, so the screenshot shows only part of it:

[screenshot: partial output of kubectl describe]

View the dashboard UI

Open the following link (in 1.8.0, https://masterip:6443/ui is no longer reachable):

https://MasterIP:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

MasterIP is the IP of the Kubernetes cluster master node.

The kubernetes-dashboard UI:

[screenshot: kubernetes-dashboard UI]

Problems encountered

On a first install, if the apiserver parameters have not been configured, several problems may come up. Below are the fixes for the common ones.

The system:anonymous problem

When opening the dashboard page, you may get the following error:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:anonymous\" cannot get services/proxy in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "https:kubernetes-dashboard:",
    "kind": "services"
  },
  "code": 403
}

The Kubernetes API server added the --anonymous-auth option, which allows anonymous requests to the secure port. Requests that are not rejected by any other authentication method are treated as anonymous requests; their username is system:anonymous and they belong to the group system:unauthenticated. This option is enabled by default. As a result, when accessing the dashboard UI with Chrome, the username/password dialog very likely does not appear, and the subsequent authorization fails. To make sure the dialog appears, set --anonymous-auth to false.

Fix:

Add --anonymous-auth=false to the api-server configuration file:

vi /etc/systemd/system/kube-apiserver.service

[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
User=root
# --anonymous-auth=false: reject anonymous access (the default, true, accepts it);
# set to false here so that the dashboard login prompt appears
ExecStart=/usr/local/bin/kube-apiserver \
  --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,NodeRestriction \
  --advertise-address=10.0.11.222 \
  --allow-privileged=true \
  --apiserver-count=3 \
  --audit-policy-file=/etc/kubernetes/audit-policy.yaml \
  --audit-log-maxage=30 \
  --audit-log-maxbackup=3 \
  --audit-log-maxsize=100 \
  --audit-log-path=/var/log/kubernetes/audit.log \
  --authorization-mode=Node,RBAC \
  --anonymous-auth=false \
  --bind-address=0.0.0.0 \
  --secure-port=6443 \
  --client-ca-file=/etc/kubernetes/ssl/ca.pem \
  --enable-swagger-ui=true \
  --etcd-cafile=/etc/kubernetes/ssl/ca.pem \
  --etcd-certfile=/etc/kubernetes/ssl/etcd.pem \
  --etcd-keyfile=/etc/kubernetes/ssl/etcd-key.pem \
  --etcd-servers=https://10.0.11.222:2379 \
  --event-ttl=1h \
  --kubelet-https=true \
  --insecure-bind-address=127.0.0.1 \
  --insecure-port=8080 \
  --service-account-key-file=/etc/kubernetes/ssl/ca-key.pem \
  --service-cluster-ip-range=10.254.0.0/16 \
  --service-node-port-range=30000-32000 \
  --tls-cert-file=/etc/kubernetes/ssl/kubernetes.pem \
  --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-key.pem \
  --enable-bootstrap-token-auth \
  --token-auth-file=/etc/kubernetes/token.csv \
  --v=2
Restart=on-failure
RestartSec=5
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

The Unauthorized problem

After fixing the problem above and opening the dashboard page again, there is still an error, this time the following:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "Unauthorized",
  "reason": "Unauthorized",
  "code": 401
}

Fix:
Create the file /etc/kubernetes/basic_auth_file and add the following line to it:

admin,admin,1002

File format: password,username,uid

Then add --basic-auth-file=/etc/kubernetes/basic_auth_file \ to the api-server configuration file (the one shown above).

Save the file and restart kube-apiserver:

systemctl daemon-reload
systemctl enable kube-apiserver
systemctl start kube-apiserver
systemctl status kube-apiserver
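The two apiserver changes above (--anonymous-auth=false and --basic-auth-file) are easy to get wrong in a long ExecStart= line, so here is an added example, not from the original post, that parses a kube-apiserver unit file and reports whether both settings are present, and validates the password,username,uid format of the basic_auth_file. The unit text and auth file below are constructed, shortened copies of the post's configuration; note that static basic-auth was later removed from kube-apiserver, so this check only applies to clusters of this vintage.

```python
"""Audit kube-apiserver ExecStart flags and a basic_auth_file (added example)."""
import re

# Constructed sample: shortened version of the unit file shown in the post.
UNIT = """[Unit]
Description=Kubernetes API Server
[Service]
User=root
ExecStart=/usr/local/bin/kube-apiserver \\
  --authorization-mode=Node,RBAC \\
  --anonymous-auth=false \\
  --secure-port=6443 \\
  --enable-bootstrap-token-auth \\
  --basic-auth-file=/etc/kubernetes/basic_auth_file \\
  --v=2
Restart=on-failure
"""

# Constructed sample basic_auth_file, same layout as the post: password,username,uid
AUTH_FILE = "admin,admin,1002\n"


def exec_start_flags(unit_text):
    """Join backslash-continued ExecStart= lines and return {flag: value}."""
    joined = unit_text.replace("\\\n", " ")
    m = re.search(r"^ExecStart=(.*)$", joined, re.M)
    if not m:
        raise ValueError("no ExecStart= directive in unit")
    flags = {}
    for tok in m.group(1).split()[1:]:          # [0] is the binary path
        key, sep, val = tok.partition("=")
        flags[key] = val if sep else "true"      # bare flag means enabled
    return flags


def audit_apiserver(unit_text):
    """Report the two settings the post relies on, plus whether RBAC is on."""
    f = exec_start_flags(unit_text)
    return {
        # the apiserver default is true, so a missing flag counts as enabled
        "anonymous_auth_disabled": f.get("--anonymous-auth", "true") == "false",
        "rbac_enabled": "RBAC" in f.get("--authorization-mode", "").split(","),
        "basic_auth_file": f.get("--basic-auth-file"),
    }


def parse_basic_auth_file(text):
    """Return [(username, uid)], rejecting lines that are not password,username,uid."""
    users = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 3 or not parts[2].isdigit():
            raise ValueError(f"line {n}: expected password,username,uid")
        users.append((parts[1], parts[2]))
    return users
```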

The getsockopt: connection timed out problem

If the installed docker version is 1.13 or later, the network is fine, and flannel and etcd are both working, but the error getsockopt: connection timed out still appears, the cause may be the iptables configuration. The exact error:

Error: 'dial tcp 10.233.50.3:8443: getsockopt: connection timed out

Starting with docker 1.13, docker may set the default policy of the iptables FORWARD chain to DROP, which makes pings to Pod IPs on other Nodes fail. When this happens, set the policy to ACCEPT manually:

sudo iptables -P FORWARD ACCEPT

Checking with iptables -nL shows that the FORWARD policy is still DROP, even though we clearly ran iptables -P FORWARD ACCEPT. It turns out docker was started after that command, so it has to be re-run every time docker starts. That is too much hassle, so we modify docker's startup unit instead:

vi /usr/lib/systemd/system/docker.service

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS $DOCKER_DNS_OPTIONS
# added line: runs right after dockerd starts, so the FORWARD chain accepts traffic after every docker restart
ExecStartPost=/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT
ExecReload=/bin/kill -s HUP $MAINPID

Add the single line shown above (the ExecStartPost= entry) under [Service] in the unit file.

Then restart docker and open the dashboard page again.
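The three errors in this section (403 for system:anonymous, 401 Unauthorized, and the dial tcp timeout) each point at a different layer, so here is an added example, not from the original post, that reads the raw body the browser or curl returned and maps it to the cause and the fix the post applies. The sample bodies are constructed, shortened copies of the responses shown above.

```python
"""Classify dashboard access errors from this post (added example)."""
import json
import re

FIXES = {
    "anonymous-auth": "apiserver: add --anonymous-auth=false and restart kube-apiserver",
    "basic-auth": "apiserver: add --basic-auth-file=... and restart kube-apiserver",
    "iptables-forward": "node: FORWARD policy is DROP; add the iptables ACCEPT rule "
                        "(ExecStartPost in docker.service) and restart docker",
}

# matches: dial tcp <pod ip>:<port>: getsockopt: connection timed out
_DIAL = re.compile(r"dial tcp (\d{1,3}(?:\.\d{1,3}){3}):(\d+): getsockopt: connection timed out")


def diagnose(body):
    """Return {"cause", "fix", ...details} for a known signature, else None."""
    m = _DIAL.search(body)
    if m:  # proxy could not reach the dashboard pod: node-level forwarding problem
        return {"cause": "iptables-forward", "fix": FIXES["iptables-forward"],
                "pod_ip": m.group(1), "port": int(m.group(2))}
    try:
        status = json.loads(body)
    except ValueError:
        return None
    if not isinstance(status, dict) or status.get("kind") != "Status":
        return None
    code, msg = status.get("code"), status.get("message", "")
    if code == 403 and 'User "system:anonymous"' in msg:
        # authenticated as nobody: anonymous auth is still on at the apiserver
        return {"cause": "anonymous-auth", "fix": FIXES["anonymous-auth"], "user": "system:anonymous"}
    if code == 401 and status.get("reason") == "Unauthorized":
        # anonymous auth is off but no credential source is configured
        return {"cause": "basic-auth", "fix": FIXES["basic-auth"]}
    return None


# Constructed samples, shortened from the responses quoted in the post.
SAMPLE_403 = json.dumps({"kind": "Status", "apiVersion": "v1", "status": "Failure",
    "message": 'services "https:kubernetes-dashboard:" is forbidden: User "system:anonymous" '
               'cannot get services/proxy in the namespace "kube-system"',
    "reason": "Forbidden", "code": 403})
SAMPLE_401 = json.dumps({"kind": "Status", "status": "Failure", "message": "Unauthorized",
                         "reason": "Unauthorized", "code": 401})
SAMPLE_DIAL = "Error: 'dial tcp 10.233.50.3:8443: getsockopt: connection timed out'"

if __name__ == "__main__":
    for sample in (SAMPLE_403, SAMPLE_401, SAMPLE_DIAL):
        print(diagnose(sample))
```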
