使用Helm为Kubernetes 1.31.0安装Dashboard面板
安装Dashboard
# 添加Dashboard仓库
[root@masterA ~]# helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
"kubernetes-dashboard" has been added to your repositories
# 下载Dashboard的Chart包。如果服务器因为网络原因无法直接拉取,可以先在能访问的机器上下载,再传到服务器;传输后建议用sha256sum核对两端文件一致
[root@masterA ~]# wget https://github.com/kubernetes/dashboard/releases/download/kubernetes-dashboard-7.5.0/kubernetes-dashboard-7.5.0.tgz
# 安装Dashboard
[root@masterA ~]# helm upgrade --install kubernetes-dashboard ./kubernetes-dashboard-7.5.0.tgz --namespace kube-system
Release "kubernetes-dashboard" does not exist. Installing it now.
NAME: kubernetes-dashboard
LAST DEPLOYED: Thu Sep 5 15:38:53 2024
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
*************************************************************************************************
*** PLEASE BE PATIENT: Kubernetes Dashboard may need a few minutes to get up and become ready ***
*************************************************************************************************
Congratulations! You have just installed Kubernetes Dashboard in your cluster.
To access Dashboard run:
kubectl -n kubernetes-dashboard port-forward svc/kubernetes-dashboard-kong-proxy 8443:443
NOTE: In case port-forward command does not work, make sure that kong service name is correct.
Check the services in Kubernetes Dashboard namespace using:
kubectl -n kube-system get svc
Dashboard will be available at:
https://localhost:8443
验证安装状态
# 看见全部running就表示安装好了,当然需要一点时间
[root@masterA user]# kubectl get pod -n kube-system | grep dashboard
kubernetes-dashboard-api-6b6467ddc9-lpxnd 1/1 Running 0 90m
kubernetes-dashboard-auth-bb54cd56b-t62s4 1/1 Running 0 90m
kubernetes-dashboard-kong-57d45c4f69-hvt2j 1/1 Running 0 90m
kubernetes-dashboard-metrics-scraper-57cf4c69b6-p8dl2 1/1 Running 0 90m
kubernetes-dashboard-web-6897cbbdb9-pnwmn 1/1 Running 0 90m
暴露端口(用于外部访问)
# 查看集群Service
[root@masterA ~]# kubectl get svc -n kube-system | grep dashboard
kubernetes-dashboard-api ClusterIP 10.92.135.16 <none> 8000/TCP 21h
kubernetes-dashboard-auth ClusterIP 10.92.138.37 <none> 8000/TCP 21h
kubernetes-dashboard-kong-manager NodePort 10.92.154.18 <none> 8002:30349/TCP,8445:30987/TCP 21h
kubernetes-dashboard-kong-proxy ClusterIP 10.92.193.133 <none> 443/TCP 21h # 把这个Service的类型改为NodePort以提供对外访问
kubernetes-dashboard-metrics-scraper ClusterIP 10.92.250.0 <none> 8000/TCP 21h
kubernetes-dashboard-web ClusterIP 10.92.171.30 <none> 8000/TCP 21h
# 修改Service类型
[root@masterA ~]# kubectl edit -n kube-system svc kubernetes-dashboard-kong-proxy
...
type: NodePort # 修改类型为NodePort其他不变
...
这时候大家就可以愉快的访问Dashboard啦(但是还没完)。注意:NodePort会在集群每个节点的IP上开放该端口,建议用防火墙或安全组限制只有受信任的网段可以访问。
现在还有两个问题待解决
1、这个Token如何获得/创建
2、访问IP是masterA,怎么使用负载均衡的统一IP访问?
创建管理员角色和Token
# 编写角色和赋予权限
[root@masterA user]# cat admin-user.yaml
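# ClusterRole granting every verb on every resource in every API group.
# With all three fields set to "*", this role carries effectively the same
# resource permissions as the built-in cluster-admin ClusterRole: whoever
# holds a token bound to it controls the whole cluster. For read-only
# Dashboard use, bind the service account to the built-in "view" ClusterRole
# instead of this one.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-admin-role
rules:
  - apiGroups: ["*"]   # all API groups
    resources: ["*"]   # all resource types
    verbs: ["*"]       # all verbs: get, list, create, update, delete, patch, watch, etc.
---
# ClusterRoleBinding: attaches cluster-admin-role to the admin-user service
# account. It is cluster-scoped, so the grant applies in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-role-binding
subjects:
  - kind: ServiceAccount
    name: admin-user
    namespace: kube-system   # namespace the bound service account lives in
roleRef:
  kind: ClusterRole
  name: cluster-admin-role
  apiGroup: rbac.authorization.k8s.io
---
# Service account that the Dashboard login token is issued for.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system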
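# 编写token文件(当然也可以写一起)。注意:这种Secret生成的是长期有效、不会过期的Token;如果只是临时登录,可以改用 kubectl -n kube-system create token admin-user 生成短期Token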
[root@masterA user]# cat admin-user-token.yaml
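# Secret of type kubernetes.io/service-account-token: the control plane fills
# in a token for the service account named in the annotation below.
# A token issued this way has no expiry; it stays valid until this Secret or
# the service account is deleted. Because admin-user is bound to an
# all-wildcard ClusterRole in admin-user.yaml, handle the token as a
# full-privilege cluster credential.
apiVersion: v1
kind: Secret
metadata:
  name: admin-user-token
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: admin-user   # account the token belongs to
type: kubernetes.io/service-account-token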
# 创建角色和token
[root@masterA user]# kubectl apply -f admin-user.yaml
[root@masterA user]# kubectl apply -f admin-user-token.yaml
获取Token并访问Dashboard
# 获取token
[root@masterA user]# kubectl describe secrets -n kube-system admin-user-token
Name: admin-user-token
Namespace: kube-system
Labels: kubernetes.io/legacy-token-last-used=2024-09-06
Annotations: kubernetes.io/service-account.name: admin-user
kubernetes.io/service-account.uid: 8acf5764-75c5-41e6-896f-b55c4f2ae7a9
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1107 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IjB6UVl4QmRPTTM4LWZCb3lTWGljVHJRa2VPWWhGcG9Md0J3N2VucHhNOTQifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4YWNmNTc2NC03NWM1LTQxZTYtODk2Zi1iNTVjNGYyYWU3YTkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06YWRtaW4tdXNlciJ9.JXKlpeG6368fcnHcv5zcJqtoKQ1cwHJX4lPAvAw2C7iCyxD9fWT96htiTLXZ2mWyMhhmrX9N1o5A7i39ZnB2NbMKxWbf4xQB45VnyV_El61ZfqDRFdMgpy5PNjN7Tdl8g8GiSHxWDd64dzikjiRmU43AB7gP9Rq_r2l6Q0vqNcToWrbTt1gpFVOsSI2wjgp_4XZ0Q8fIUxSb3IXzjfHv4MML-Ul9DCNWk8pXU5dE5FaD9cCY7yzNLEHzYihSVDLrLCV9rhGZcsIXXV_yrScxiGOE0GmVoaJURGKiDqk8xTAOIETT4aFqcQsqCWIxHkEKERfDxxxxxxxxx
复制Token访问Dashboard。这个Token不会过期,并且拥有上面绑定的全部集群权限,不要贴到文档、截图或代码仓库里;一旦泄露,删除admin-user-token这个Secret即可让它失效。
配置统一IP访问(高可用)
配置http代理,访问虚拟IP时自动转发到master节点,这样即使其中一个master挂掉,也依旧可以访问到正常的master节点
创建ssl证书和密钥(在任意一个master节点上操作皆可)
# 创建证书和秘钥
[root@masterA user]# openssl req -new -newkey rsa:2048 -nodes -keyout dashboard.key -out dashboard.csr
# 使用k8s的ca对证书签名(注意:ca.key是整个集群的信任根,kubeadm默认部署中同一个CA也用于验证客户端证书,应尽量少动用并严格限制读取权限;条件允许时建议用独立的内部CA给Dashboard签发证书)
[root@masterA user]# openssl x509 -req -in dashboard.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out dashboard.crt -days 365
# 把证书和私钥拷贝到两台nginx服务器(私钥dashboard.key未加密,拷贝后建议在目标服务器上设为仅root可读,例如chmod 600)
[root@masterA user]# scp -r dashboard.crt LbA:/etc/nginx/ssl #没有这个目录自己去对应服务器创建
[root@masterA user]# scp -r dashboard.key LbA:/etc/nginx/ssl #没有这个目录自己去对应服务器创建
[root@masterA user]# scp -r dashboard.crt LbB:/etc/nginx/ssl #没有这个目录自己去对应服务器创建
[root@masterA user]# scp -r dashboard.key LbB:/etc/nginx/ssl #没有这个目录自己去对应服务器创建
编写http代理
# 编写http代理
[root@LbA ~]# cat /etc/nginx/conf.d/k8s-web.conf
# Pool of the three master nodes; requests are spread across them, so the
# Dashboard stays reachable when one master is down.
# NOTE(review): 30397 has to be the NodePort actually assigned to
# kubernetes-dashboard-kong-proxy. That port is not shown earlier on this
# page - confirm it with `kubectl get svc -n kube-system`.
upstream k8s_dashboard {
server masterA.k8s.local:30397;
server masterB.k8s.local:30397;
server masterC.k8s.local:30397;
}
# TLS listener on the load balancer; every request is forwarded to the pool.
server {
listen 30397 ssl; # externally reachable Dashboard port
ssl_certificate /etc/nginx/ssl/dashboard.crt; # server certificate
ssl_certificate_key /etc/nginx/ssl/dashboard.key; # private key for the certificate
location / {
# Traffic is re-encrypted to the upstream over HTTPS. nginx does not verify
# the upstream certificate unless proxy_ssl_verify is turned on.
proxy_pass https://k8s_dashboard;
# Hand the original host, client address and scheme on to the backend.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
# 复制这个文件到另外一台nginx服务器LbB中
[root@LbA ~]# scp -r /etc/nginx/conf.d/k8s-web.conf LbB:/etc/nginx/conf.d/
# 重启nginx(建议先执行 nginx -t 检查配置是否正确;LbB上同样需要重启)
[root@LbA ~]# systemctl restart nginx