k8s Dashboard Deployment
Environment: Rocky 9.1, k8s 1.26.0
```bash
# Delete the existing dashboard service
kubectl delete service kubernetes-dashboard --namespace=kubernetes-dashboard
```
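1. Download the deployment manifest following the official tutorial
Official guide for deploying the Dashboard: https://kubernetes.io/zh-cn/docs/tasks/access-application-cluster/web-ui-dashboard/
Official guide for generating certificates manually: https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/certificates/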
2. Create a self-signed certificate
1. Generate a 2048-bit dashboard.key file
```bash
mkdir dashboardcrt && cd dashboardcrt
openssl genrsa -out dashboard.key 2048
```
2. From dashboard.key, generate the certificate signing request file dashboard.csr
```bash
openssl req -new -out dashboard.csr -key dashboard.key
```
3. From the CSR file, produce the crt certificate (-days is the number of days the certificate is valid)
```bash
openssl x509 -req -in dashboard.csr -signkey dashboard.key -out dashboard.crt -days 10000
```
4. Check the certificate validity period
```bash
openssl x509 -in <certificate-file.pem> -noout -dates
# <certificate-file.crt> can be queried the same way
```
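The same procedure without the interactive prompts, as an added example that is not part of the original post: it collapses the CSR and signing steps into one `openssl req -x509` call, sets a subjectAltName, confirms that the certificate and key belong together, and checks the remaining validity. The host name, IP address and 90-day lifetime are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post. SAN values are constructed samples.

# make_dashboard_cert DIR CN SAN DAYS: key + self-signed cert, no prompts
make_dashboard_cert() {
    dir=$1 cn=$2 san=$3 days=$4
    mkdir -p "$dir" || return 1
    # umask keeps the private key readable by its owner only
    ( umask 077 && openssl genrsa -out "$dir/dashboard.key" 2048 2>/dev/null ) || return 1
    # -subj replaces the interactive questions; -addext adds the names that
    # clients will verify (needs OpenSSL 1.1.1 or later)
    openssl req -new -x509 -key "$dir/dashboard.key" -out "$dir/dashboard.crt" \
        -days "$days" -subj "/CN=$cn" -addext "subjectAltName=$san" 2>/dev/null
}

# cert_matches_key CRT KEY: succeeds when both hold the same public key
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$crt_pub" = "$key_pub" ]
}

# cert_valid_for CRT DAYS: succeeds when CRT is still valid DAYS days from now
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

demo_dir=$(mktemp -d)
make_dashboard_cert "$demo_dir" kubernetes-dashboard \
    "DNS:dashboard.example.internal,IP:192.0.2.10" 90
cert_matches_key "$demo_dir/dashboard.crt" "$demo_dir/dashboard.key" && echo "key matches certificate"
cert_valid_for "$demo_dir/dashboard.crt" 30 && echo "valid for at least 30 more days"
openssl x509 -in "$demo_dir/dashboard.crt" -noout -dates
rm -rf "$demo_dir"
```

Running `cert_matches_key` before loading the files into a secret catches a certificate paired with the wrong key file.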
3. Configure the Dashboard certificate
1. Delete the built-in default secret and create the secret from the self-signed certificate
```bash
kubectl delete secret kubernetes-dashboard-certs -n kube-system
kubectl create secret generic kubernetes-dashboard-certs --from-file=xxx/dashboardcrt/dashboard.key --from-file=xxx/dashboardcrt/dashboard.crt -n kube-system
```
If the dashboard has already been deployed, first delete its containers in the kube-system namespace
```bash
# List the containers related to the dashboard
kubectl -n kube-system get pod -o name | grep dashboard
# Delete the dashboard-related resources
kubectl delete deployment kubernetes-dashboard --namespace=kube-system
kubectl delete service kubernetes-dashboard --namespace=kube-system
kubectl delete role kubernetes-dashboard-minimal --namespace=kube-system
kubectl delete rolebinding kubernetes-dashboard-minimal --namespace=kube-system
kubectl delete sa kubernetes-dashboard --namespace=kube-system
kubectl delete secret kubernetes-dashboard-certs --namespace=kube-system
kubectl delete secret kubernetes-dashboard-csrf --namespace=kube-system
kubectl delete secret kubernetes-dashboard-key-holder --namespace=kube-system
```
2. Download the recommended manifest and add the certificate paths to it
```bash
wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
```
```bash
vim recommended.yaml
```
```yaml
# Default configuration
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard

# Add type and the nodePort port number
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30443
```
```yaml
# Default configuration
containers:
  - name: kubernetes-dashboard
    ......
    args:
      - --auto-generate-certificates
      - --namespace=kubernetes-dashboard

# Append the certificate arguments at the end of args
    args:
      - --auto-generate-certificates
      - --namespace=kubernetes-dashboard
      - --tls-key-file=xxx/dashboardcrt/dashboard.key # key
      - --tls-cert-file=xxx/dashboardcrt/dashboard.crt # pem
```
Apply the manifest to create the dashboard containers
```bash
kubectl apply -f recommended.yaml
# or
kubectl create -f recommended.yaml --namespace=kubernetes-dashboard
```
When the pod status is Running, the dashboard has been deployed successfully
```bash
kubectl get svc,pods -n kubernetes-dashboard
```
4. Access the Dashboard
If NodePort was already added in the manifest, the service TYPE does not need to be changed
1. Check the TYPE
Query the service TYPE
```bash
kubectl -n kubernetes-dashboard get service kubernetes-dashboard
```
Output
```
NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
kubernetes-dashboard   ClusterIP   10.100.60.104   <none>        443/TCP   9h
```
2. Change the TYPE
Edit the service
Change type: ClusterIP to type: NodePort
```bash
kubectl -n kubernetes-dashboard edit service kubernetes-dashboard
```
Original configuration
```yaml
spec:
  clusterIP: 10.100.124.90
  externalTrafficPolicy: Cluster
  ports:
  - port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  sessionAffinity: None
  type: ClusterIP
```
Once the edit is saved, the TYPE changes automatically. Compare before and after:
```bash
kubectl -n kubernetes-dashboard get service kubernetes-dashboard
```
Before
```
NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
kubernetes-dashboard   ClusterIP   10.100.60.104   <none>        443/TCP   9h
```
After
```
NAME                   TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
kubernetes-dashboard   NodePort   10.100.60.104   <none>        443:31378/TCP   13h
```
3. Access the dashboard
As shown above, port 31378 was assigned.
It can be accessed directly at: https://master_ip:31378
Use this command to see which node the dashboard is deployed on:
```bash
kubectl get pods -A -o wide | grep kubernetes-dashboard
```
Output
```
kubernetes-dashboard   dashboard-metrics-scraper-7bc864c59-jllwd   1/1   Running   0   12h    10.244.185.199   k8snode2   <none>   <none>
kubernetes-dashboard   kubernetes-dashboard-686cbbfd5b-sbdls       1/1   Running   0   3h6m   10.244.249.7     k8snode1   <none>   <none>
```
The dashboard was deployed on the node1 node
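Question:
The reference site
https://skyao.io/learning-kubernetes/docs/installation/kubeadm/dashboard.html#nodeport
says the following
```
Next is the node's IP address. For a single-node cluster, the node IP is always the master node's IP, which can be obtained with kubectl cluster-info.
For a multi-node cluster, you need to find out which node the kubernetes-dashboard service was deployed to
The kubernetes-dashboard service was deployed to the skyserver2 node, and skyserver2's IP is 192.168.0.50, so the assembled address is https://192.168.0.50:32212
```
However, in this environment setup I found that there is no need to specifically access the IP of the node where the dashboard runs; using the master's IP plus the port works directly. (Unconfirmed)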
5. Log in to the Dashboard
There are two ways to log in to the Dashboard
1. Log in with a token
Official reference for creating the user: https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md
1. Create dashboard-adminuser.yaml
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
```
```bash
# Apply the dashboard-adminuser.yaml manifest
kubectl apply -f dashboard-adminuser.yaml
```
Once the user and its permissions are created, the following is printed
```
serviceaccount/admin-user created
clusterrolebinding.rbac.authorization.k8s.io/admin-user created
```
2. Generate a token
Create a token for the admin user
```bash
kubectl -n kubernetes-dashboard create token admin-user
```
Paste the printed token into the token field on the web page to enter the dashboard.
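A static check for the two settings this page changes, as an added example that is not part of the original post: a Service of type NodePort is opened on every node of the cluster, and the admin-user binding grants cluster-admin, so a token issued for it has full control of the cluster. The sample manifest is constructed from the snippets above, and the awk matching is line-oriented and assumes that layout.

```shell
# Added example: line-oriented check for manifests laid out like this page's; not a YAML parser.
audit_manifest() {
    awk '
    function report() {
        if (kind == "Service" && type == "NodePort")
            print "NodePort: Service " name " listens on every node, port " (np == "" ? "auto-assigned" : np)
        if (kind == "ClusterRoleBinding" && role == "cluster-admin" && sa != "")
            print "cluster-admin: ServiceAccount " sa " bound by " name
        kind = type = name = np = role = sa = skind = sect = ""
    }
    /^---/                                   { report(); next }   # next YAML document
    /^[A-Za-z]/                              { sect = $1 }        # top-level key
    /^kind:/                                 { kind = $2 }
    sect == "metadata:" && $1 == "name:"     { name = $2 }
    sect == "spec:"     && $1 == "type:"     { type = $2 }
    sect == "spec:"     && $1 == "nodePort:" { np = $2 }
    sect == "roleRef:"  && $1 == "name:"     { role = $2 }
    sect == "subjects:" && $2 == "kind:"     { skind = $3 }       # "- kind: X"
    sect == "subjects:" && $1 == "name:" && skind == "ServiceAccount" { sa = $2 }
    END { report() }
    ' "$@"
}

# Constructed sample: the edited Service and the admin-user binding from this page.
sample_manifest() {
    cat <<'EOF'
kind: Service
metadata:
  name: kubernetes-dashboard
spec:
  type: NodePort
  ports:
    - port: 443
      nodePort: 30443
---
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
EOF
}

sample_manifest | audit_manifest
```

A manifest that keeps the Service as ClusterIP and binds the ServiceAccount to a narrower role produces no findings.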
2. Log in with a kubeconfig file
Official documentation: https://kubernetes.io/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig/
Add the token information to the kubeconfig file (path: ~/.kube/config)
This deployment does not use kubeconfig for now.