I. Download the dashboard deployment YAML file
The dashboard is hosted on GitHub. Project address: https://github.com/kubernetes/dashboard
Download command
wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.4/aio/deploy/recommended.yaml -O dashboard.yaml
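If the raw.githubusercontent.com domain is blocked, do a DNS lookup and manually bind the domain to a Hong Kong IP.
II. Configure external access to the dashboard
Set up a NodePort: edit dashboard.yaml and modify the dashboard's Service.
Because this image is very slow to pull, you can also change the image pull policy so that it is not downloaded again on a second deployment.
Deploy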
[root@node-1 dashboard]# kubectl create -f dashboard.yaml
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
serviceaccount/dashboard-admin created
clusterrolebinding.rbac.authorization.k8s.io/dashboard-cluster-admin created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created
View the service; you can see the port exposed to the outside
[root@node-1 dashboard]# kubectl get svc -n kubernetes-dashboard
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
dashboard-metrics-scraper ClusterIP 10.99.83.68 <none> 8000/TCP 3m13s
kubernetes-dashboard NodePort 10.111.217.204 <none> 443:32567/TCP 3m13s
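The dashboard must be accessed over https. Accessing port 32567 on any node works; here we visit https://192.168.1.81:32567/
III. Fixing the browser being unable to open the https dashboard
If you see the following prompt
Solution:
Type thisisunsafe directly and press Enter. The input is not displayed, but it has in fact been entered.
At this point we can open the kubernetes dashboard in Google Chrome.
IV. Dashboard authentication
Because the APIServer is accessed through the dashboard pod, authentication must use a ServiceAccount rather than a UserAccount.
1.1 Token authentication (via YAML file)
Add the following content anywhere in dashboard.yaml and then run kubectl apply -f. When done, go to step 1.3.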
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: dashboard-admin
  name: dashboard-admin
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: dashboard-admin
  namespace: kubernetes-dashboard
1.2 Token authentication (via commands)
When done, go to step 1.3.
# Create the sa
[root@node-1 ~]# kubectl create serviceaccount dashboard-admin -n kubernetes-dashboard
serviceaccount/dashboard-admin created
# Bind dashboard-admin to cluster-admin (a clusterrole)
[root@node-1 ~]# kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:dashboard-admin
clusterrolebinding.rbac.authorization.k8s.io/dashboard-cluster-admin created
1.3 View the token
# Find the secret for dashboard-admin
[root@node-1 ~]# kubectl get secret -n kubernetes-dashboard | grep dashboard-admin
dashboard-admin-token-9kdff kubernetes.io/service-account-token 3 71s
# View the token in this secret
[root@node-1 ~]# kubectl describe secret dashboard-admin-token-9kdff -n kubernetes-dashboard
Name: dashboard-admin-token-9kdff
Namespace: kubernetes-dashboard
Labels: <none>
Annotations: kubernetes.io/service-account.name: dashboard-admin
kubernetes.io/service-account.uid: c9656909-407c-44d4-9122-a8f5636439dd
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1029 bytes
namespace: 20 bytes
token: <token value omitted>
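On the web page, select token, then paste in the token shown by the command above to log in.
Note: kubectl get clusterrole lists the clusterroles that exist in the system; you can choose one of them to bind.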
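The steps above leave two settings worth reviewing on any cluster: a ServiceAccount bound to cluster-admin, and the dashboard Service exposed as a NodePort. The following check is an added example, not part of the original post; it flags both in JSON shaped like the output of kubectl get clusterrolebindings,svc -A -o json. The sample input is constructed from the object names in this post, and the audit function name is hypothetical.

```python
import json

# Constructed sample shaped like `kubectl get clusterrolebindings,svc -A -o json`
# output (a v1 List); names mirror the objects created in this post.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "dashboard-cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "dashboard-admin",
                   "namespace": "kubernetes-dashboard"}]},
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "kubernetes-dashboard"},
     "roleRef": {"kind": "ClusterRole", "name": "kubernetes-dashboard"},
     "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                   "namespace": "kubernetes-dashboard"}]},
    {"kind": "Service",
     "metadata": {"name": "kubernetes-dashboard",
                  "namespace": "kubernetes-dashboard"},
     "spec": {"type": "NodePort", "ports": [{"port": 443, "nodePort": 32567}]}},
    {"kind": "Service",
     "metadata": {"name": "dashboard-metrics-scraper",
                  "namespace": "kubernetes-dashboard"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 8000}]}},
]})


def audit(doc):
    """Return (kind, name, reason) findings for a kubectl JSON List."""
    findings = []
    for item in json.loads(doc).get("items", []):
        name = item["metadata"]["name"]
        if item["kind"] == "ClusterRoleBinding":
            # "subjects" can be absent or null on a binding with no subjects
            sas = [f'{s.get("namespace")}:{s["name"]}'
                   for s in item.get("subjects") or []
                   if s["kind"] == "ServiceAccount"]
            if item["roleRef"]["name"] == "cluster-admin" and sas:
                findings.append(("ClusterRoleBinding", name,
                                 "cluster-admin bound to " + ", ".join(sas)))
        elif item["kind"] == "Service" and item["spec"].get("type") == "NodePort":
            ports = [str(p["nodePort"]) for p in item["spec"]["ports"]
                     if "nodePort" in p]
            findings.append(("Service", name,
                             "NodePort " + ", ".join(ports) + " open on every node"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

On a live cluster, pass the real kubectl JSON output to audit() in place of SAMPLE.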