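Installing the K8S dashboard
The K8S we installed is Kubernetes v1.20.2. Before installing the dashboard, we need to confirm that the dashboard version is compatible with this K8S version:
Check the dashboard's compatibility with Kubernetes versions
Download the dashboard yaml file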
cd /etc/ansible/manifests/ && mkdir dashboard && cd dashboard
wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.4.0/aio/deploy/recommended.yaml
mv recommended.yaml dashboard_v2.4.0.yml
Modify the dashboard yaml file
# The default yaml file does not map a port on the host, so we need to add the host port mapping manually
cd /etc/ansible/manifests/dashboard
vim +42 dashboard_v2.4.0.yml
...
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: LoadBalancer
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30004
  selector:
    k8s-app: kubernetes-dashboard
...
Write the file that creates the user
cd /etc/ansible/manifests/dashboard
vim admin-user.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: admin-user
    namespace: kubernetes-dashboard
Pull the images locally, tag them, and upload them to the Harbor image registry
cd /etc/ansible/manifests/dashboard
cat dashboard_v2.4.0.yml | grep image
# image: kubernetesui/dashboard:v2.4.0
# imagePullPolicy: Always
# image: kubernetesui/metrics-scraper:v1.0.7
# Pull the images
docker pull kubernetesui/dashboard:v2.4.0
docker pull kubernetesui/metrics-scraper:v1.0.7
# Tag the images; watch out for this pitfall. Tag format: domain/directory/new image name. Otherwise the image upload fails
docker tag kubernetesui/dashboard:v2.4.0 harbor.nana.com/library/dashboard:v2.4.0
docker tag kubernetesui/metrics-scraper:v1.0.7 harbor.nana.com/library/metrics-scraper:v1.0.7
# Change the config file to use the local images
cat dashboard_v2.4.0.yml | grep image
# image: harbor.nana.com/library/dashboard:v2.4.0
# imagePullPolicy: Always
# image: harbor.nana.com/library/metrics-scraper:v1.0.7
# Push the images to the Harbor registry
docker push harbor.nana.com/library/dashboard:v2.4.0
docker push harbor.nana.com/library/metrics-scraper:v1.0.7
# With the yaml file pointing at the local image registry, update the pods
kubectl apply -f dashboard_v2.4.0.yml
Access the K8S cluster's dashboard
# Use the IP of any node in the K8S cluster (the dashboard can be reached through both master and node nodes)
kubectl get nodes
# NAME STATUS ROLES AGE VERSION
# 192.168.15.101 Ready,SchedulingDisabled master 3d1h v1.20.2
# 192.168.15.102 Ready,SchedulingDisabled master 3d1h v1.20.2
# 192.168.15.109 Ready node 3d1h v1.20.2
# 192.168.15.110 Ready node 3d1h v1.20.2
Example URL: https://192.168.15.101:30004/
Look up the token value
Secrets solve the problem of configuring sensitive data such as passwords, tokens and keys
kubectl get secret -A
# ...
# kubernetes-dashboard admin-user-token-fvxvv kubernetes.io/service-account-token 3 92m
# ...
kubectl describe secret admin-user-token-fvxvv -n kubernetes-dashboard
# Name: admin-user-token-fvxvv
# Namespace: kubernetes-dashboard
# Labels: <none>
# Annotations: kubernetes.io/service-account.name: admin-user
# kubernetes.io/service-account.uid: 29dba3d0-7947-4883-b34f-5e036c25b05f
# Type: kubernetes.io/service-account-token
# Data
# ====
# ca.crt: 1350 bytes
# namespace: 20 bytes
# token: <token value omitted>
Create the kubeconfig file
# The /root/.kube directory contains a config file by default, which records the authentication information for the K8S cluster
cp /root/.kube/config /opt/k8s-config
...
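# The default is the local machine's address; we can change it to the VIP address (so that our K8S cluster accesses our etcd nodes and node nodes through the VIP address, consistent with the architecture in the previous article)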
...
server: https://192.168.15.188:6443
...
# Add the token value at the end of the file; make sure the indentation is aligned
    token: <token value obtained in the previous step>
Once the kubeconfig file is finished, we can pull it to our own local computer and try logging in with it
Set the token session keep-alive time
cd /etc/ansible/manifests/dashboard
vim dashboard_v2.4.0.yml
...
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            - --token-ttl=36000 # After the token is entered, if there is no activity on the web page, the connection is dropped after 10 hours
...
kubectl apply -f dashboard_v2.4.0.yml