1、镜像
# Step 1: pull the upstream dashboard image; v2.4.0 is the version used everywhere else on this page.
docker pull kubernetesui/dashboard:v2.4.0
2、tag
# Step 2: find the local image id of the image just pulled (the next line is example output).
docker images | grep dashboard
kubernetesui/dashboard v2.4.0 72f07539ffb5 3 months ago 221M
# Re-tag that image id for the private registry; dp.yaml pulls exactly this name:tag.
docker tag 72f07539ffb5 registry.cn-shenzhen.aliyuncs.com/hqyinfra/dashboard:v2.4.0
3、推送
# Step 3: push the re-tagged image. From here on the cluster runs this registry copy,
# so push rights to that repository deserve the same protection as the cluster itself.
docker push registry.cn-shenzhen.aliyuncs.com/hqyinfra/dashboard:v2.4.0
4、ns.yaml
# Step 4: create the namespace first; every later manifest targets kubernetes-dashboard.
kubectl apply -f ns.yaml
---
# Namespace holding every dashboard object on this page (secrets, RBAC,
# deployment, service, ingress); all of them set namespace: kubernetes-dashboard.
apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard
5、secret.yaml
# Step 5: create the three (initially empty) secrets the dashboard expects to find.
kubectl apply -f secret.yaml
---
# kubernetes-dashboard-certs: created with no data. dp.yaml mounts it at /certs
# and starts the dashboard with --auto-generate-certificates, so no key
# material is committed here.
apiVersion: v1
kind: Secret
metadata:
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
type: Opaque
---
# kubernetes-dashboard-csrf: the csrf entry is deliberately empty ("" is a
# valid base64 value). Presumably the dashboard fills it at runtime, which is
# why it needs write access to this secret.
apiVersion: v1
kind: Secret
metadata:
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
type: Opaque
data:
  csrf: ""
---
# kubernetes-dashboard-key-holder: also created empty. The `kubectl get secret`
# output in step 12 shows it holding 2 entries once the dashboard has been
# running, i.e. the dashboard writes into it.
apiVersion: v1
kind: Secret
metadata:
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
type: Opaque
6、rbac.yaml
# Step 6: creates the ServiceAccount AND binds it to cluster-admin — read rbac.yaml before applying.
kubectl apply -f rbac.yaml
---
# Identity the dashboard pod runs as (dp.yaml sets serviceAccountName to it).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
---
# Binds that ServiceAccount to the built-in cluster-admin ClusterRole.
# Consequence: the dashboard process, and anyone who logs in with this
# account's token (step 12), can do anything in the cluster. Convenient for a
# lab; for anything else bind a narrowly scoped Role/ClusterRole (the upstream
# recommended manifest ships one) and give users their own, limited tokens.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard
7、dp.yaml
# Step 7: deploy the dashboard itself from the private-registry image.
kubectl apply -f dp.yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      # Runs as the account bound to cluster-admin in rbac.yaml.
      serviceAccountName: kubernetes-dashboard
      containers:
        - name: kubernetes-dashboard
          # Private-registry copy of kubernetesui/dashboard:v2.4.0 (steps 1-3).
          # Referenced by tag, and IfNotPresent means a node keeps whatever
          # local image already carries this tag; pin a digest if that matters.
          image: registry.cn-shenzhen.aliyuncs.com/hqyinfra/dashboard:v2.4.0
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # (If you do, prefer an https:// URL; the example below is plaintext.)
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
            # Create on-disk volume to store exec logs
            - name: tmp-volume
              mountPath: /tmp
          # The container terminates TLS on 8443 itself (probe scheme HTTPS);
          # svc.yaml and ingress.yaml forward to this port.
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          # Non-root, no privilege escalation, read-only root filesystem; the
          # emptyDir at /tmp is the scratch space.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      # (clusters whose control-plane taint uses a different key are not matched by it).
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
8、svc.yaml
# Step 8: expose the pod inside the cluster (ClusterIP) for the ingress to reach.
kubectl apply -f svc.yaml
---
# No spec.type, so this is a ClusterIP Service: reachable inside the cluster
# (and via the Ingress in ingress.yaml), not on a node port.
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
spec:
  selector:
    k8s-app: kubernetes-dashboard
  ports:
    # 8443 is the container's own TLS listener (see dp.yaml).
    - port: 443
      targetPort: 8443
9、ingress.yaml
# Step 9: publish the service through Traefik under the host name the certificate is issued for.
kubectl apply -f ingress.yaml
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  annotations:
    # Legacy class annotation; networking.k8s.io/v1 also accepts
    # spec.ingressClassName, which newer controllers prefer.
    kubernetes.io/ingress.class: traefik
spec:
  # No tls: section — Traefik serves this host over plain HTTP; TLS is
  # terminated in front of it by the nginx from step 11.
  rules:
    - host: dashboard.candy.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kubernetes-dashboard
                port:
                  # The backend speaks TLS on this port (dp.yaml probes it
                  # with scheme: HTTPS), so the ingress controller has to be
                  # configured to proxy to it over HTTPS — check the Traefik
                  # side if the dashboard page does not load.
                  number: 443
10、生成dashboard证书
ca-csr.json
{
"CN": "CandyHome",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BJ",
"L": "Beijing",
"O": "CandyHome",
"OU": "ops"
}
],
"ca": {
"expiry": "175200h"
}
}
ca-config.json
{
"signing": {
"default": {
"expiry": "175200h"
},
"profiles": {
"server": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
dashboard-csr.json
{
"CN": "dashboard.candy.com",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BJ",
"L": "Beijing",
"O": "candyHome",
"OU": "ops"
}
]
}
# Create the CA from ca-csr.json (writes ca.pem / ca-key.pem), then issue the
# dashboard server certificate with the "server" profile of ca-config.json
# (writes dashboard.pem / dashboard-key.pem, the files copied into nginx in step 11).
# ca-key.pem can sign further certificates: keep it off the nginx host and out of version control.
# Note that dashboard-csr.json has an empty "hosts" list, so the certificate gets no SAN;
# clients that require a SAN matching the host name will reject it — add "dashboard.candy.com"
# to "hosts" and reissue if that happens.
cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server dashboard-csr.json | cfssl-json -bare dashboard
11、配置 nginx 做 TLS 卸载（终止 HTTPS）
# Copy only the server certificate and its key into the running nginx container
# (not ca-key.pem), then open a shell in it to write the vhost file shown below.
# docker cp writes into the container's writable layer: a recreated container
# starts without these files, so a bind mount is the durable option.
docker cp dashboard.pem nginx:/dashboard.pem
docker cp dashboard-key.pem nginx:/dashboard-key.pem
docker exec -it nginx sh
vi /etc/nginx/conf.d/dashboard.candy.com.conf
dashboard.candy.com.conf
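# Fronts the Traefik ingress for dashboard.candy.com and terminates TLS with
# the cfssl-issued certificate from step 10 (copied to / in the container).
server {
    listen 80;
    server_name dashboard.candy.com;
    # Plain HTTP is only ever redirected to HTTPS.
    rewrite ^(.*)$ https://${server_name}$1 permanent;
}
server {
    listen 443 ssl;
    server_name dashboard.candy.com;
    # Issued from dashboard-csr.json, whose "hosts" list is empty, so the
    # certificate carries no SAN; clients that require a SAN matching the host
    # name reject it even though CN matches. Reissue with the host in "hosts"
    # if that happens.
    ssl_certificate "/dashboard.pem";
    ssl_certificate_key "/dashboard-key.pem";
    # Pin the protocol list instead of inheriting the build's default, which
    # may still include TLS 1.0/1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        # default_backend_traefik is an upstream{} defined elsewhere in the
        # nginx config, not on this page. TLS ends here: this hop — and the
        # dashboard login token carried in it — reaches Traefik in the clear,
        # so it should stay on a trusted network.
        proxy_pass http://default_backend_traefik;
        proxy_set_header Host $http_host;
        proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
        # Tells the backend the client arrived over HTTPS; without it the
        # upstream only ever sees plain-HTTP requests.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}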
# Still inside the container: reload nginx so the new vhost is picked up, then leave the shell.
nginx -s reload
exit
12、获取Token
# Step 12: list the namespace's secrets (the following lines are example output).
# The kubernetes-dashboard-token-* entry is the auto-created token of the
# ServiceAccount that rbac.yaml binds to cluster-admin.
kubectl get secret -n kubernetes-dashboard
default-token-mw474 kubernetes.io/service-account-token 3 11d
kubernetes-dashboard-certs Opaque 0 11d
kubernetes-dashboard-csrf Opaque 1 11d
kubernetes-dashboard-key-holder Opaque 2 11d
kubernetes-dashboard-token-95lrt kubernetes.io/service-account-token 3 11d
# Prints the bearer token used to log in to the dashboard. Because of the
# cluster-admin binding this is a full-cluster credential: do not paste it into
# shared logs or chat. On clusters from Kubernetes 1.24 on the token secret is
# no longer created automatically; use
# `kubectl create token kubernetes-dashboard -n kubernetes-dashboard` to get a short-lived one.
kubectl describe secret kubernetes-dashboard-token-95lrt -n kubernetes-dashboard
13、配置hosts
# Step 13: map the host name to this machine's nginx (the entry on the next line
# uses 127.0.0.1, so browser and nginx are assumed to be on the same host); the
# name must match the certificate issued in step 10.
vi /etc/hosts
127.0.0.1 dashboard.candy.com
14、浏览器访问 https://dashboard.candy.com