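The previous chapter covered installing k8s. The Dashboard can be counted as part of k8s, but it sits some distance from the core components and not everyone needs it, so it gets a chapter of its own.
The K8S Dashboard is the official web-based user interface for managing a K8S cluster; it can show the state of the cluster.
Installing the Dashboard
Installation is simple: the dashboard is installed from a yaml file. The dashboard is itself a k8s service, and this yaml file creates its deployment, service and so on. Run this command on the master node: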
kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/master/aio/deploy/recommended/kubernetes-dashboard.yaml
Unless something unexpected happens, it should run smoothly:
[root@master-node ~]# kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/master/aio/deploy/recommended/kubernetes-dashboard.yaml
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
serviceaccount/kubernetes-dashboard created
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
deployment.apps/kubernetes-dashboard created
service/kubernetes-dashboard created
The output above does not mean the install succeeded, though. Run the command that lists pods and check the pod status:
[root@master-node ~]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-fb8b8dccf-ggw6c 1/1 Running 1 9h
coredns-fb8b8dccf-xwgl5 1/1 Running 1 9h
etcd-master-node 1/1 Running 1 9h
kube-apiserver-master-node 1/1 Running 1 9h
kube-controller-manager-master-node 1/1 Running 1 9h
kube-flannel-ds-amd64-6x9db 1/1 Running 0 9h
kube-flannel-ds-amd64-dc92s 1/1 Running 1 9h
kube-flannel-ds-amd64-hx96r 1/1 Running 0 9h
kube-proxy-5bxj8 1/1 Running 0 9h
kube-proxy-rdpv9 1/1 Running 1 9h
kube-proxy-s7bjt 1/1 Running 0 9h
kube-scheduler-master-node 1/1 Running 1 9h
kubernetes-dashboard-5f7b999d65-6cm2x 0/1 ImagePullBackOff 0 48s
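Sure enough, the dashboard pod failed to start. The cause is a failed image pull, because the image is hosted outside the firewall.
If you remember how we installed the k8s docker images in the previous chapter, you should already know the approach.
First, open the URL used in the command above:
Search that yaml for the keyword image to get the image name.
On the master node and on both worker nodes, manually pull the image from the Aliyun mirror, then retag it with the image name used in the yaml file.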
[root@master-node ~]# docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
v1.10.1: Pulling from google_containers/kubernetes-dashboard-amd64
9518d8afb433: Pull complete
Digest: sha256:0ae6b69432e78069c5ce2bcde0fe409c5c4d6f0f4d9cd50a17974fea38898747
Status: Downloaded newer image for registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
[root@master-node ~]# docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1 k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
[root@master-node ~]#
Check the pod status on the master node again:
[root@master-node ~]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-fb8b8dccf-ggw6c 1/1 Running 1 9h
coredns-fb8b8dccf-xwgl5 1/1 Running 1 9h
etcd-master-node 1/1 Running 1 9h
kube-apiserver-master-node 1/1 Running 1 9h
kube-controller-manager-master-node 1/1 Running 1 9h
kube-flannel-ds-amd64-6x9db 1/1 Running 0 9h
kube-flannel-ds-amd64-dc92s 1/1 Running 1 9h
kube-flannel-ds-amd64-hx96r 1/1 Running 0 9h
kube-proxy-5bxj8 1/1 Running 0 9h
kube-proxy-rdpv9 1/1 Running 1 9h
kube-proxy-s7bjt 1/1 Running 0 9h
kube-scheduler-master-node 1/1 Running 1 9h
kubernetes-dashboard-5f7b999d65-6cm2x 1/1 Running 0 19m
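The dashboard has now started normally, but we still cannot reach it.
Accessing the Dashboard
After the steps above, the Dashboard can be opened in a browser on the master-node virtual machine, but what we want is to reach the Dashboard from the host machine as well.
To do that, we need to make some changes to the kubernetes-dashboard.yaml file.
First download the file
Put it on the virtual machine's shared disk.
Fixing the expired-certificate problem
Open the yaml file and comment out the following section. Note that lines are commented out with the "#" character.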
# ------------------- Dashboard Secrets ------------------- #
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque
---
After commenting out:
# ------------------- Dashboard Secrets ------------------- #
#
#apiVersion: v1
#kind: Secret
#metadata:
#  labels:
#    k8s-app: kubernetes-dashboard
#  name: kubernetes-dashboard-certs
#  namespace: kube-system
#type: Opaque
#
#---
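Fixing access from outside the cluster
Modify the following section. While editing, make sure that the whitespace in every line consists of spaces, not tabs, that line endings are "\n" rather than "\r\n", and that the ":" of every key-value pair in the yaml file is followed directly by a space.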
# ------------------- Dashboard Service ------------------- #
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
After the change:
# ------------------- Dashboard Service ------------------- #
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort
  ports:
    - port: 443
      nodePort: 30001
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
Re-applying the yaml file
For the certificate-expiry and external-access changes above to take effect, the yaml file has to be applied again.
[root@master-node ~]# kubectl apply -f /mnt/share/kubernetes-dashboard.yaml
secret/kubernetes-dashboard-csrf unchanged
serviceaccount/kubernetes-dashboard unchanged
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal unchanged
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal unchanged
deployment.apps/kubernetes-dashboard unchanged
service/kubernetes-dashboard configured
Now check the service status:
[root@master-node ~]# kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 5d20h
kubernetes-dashboard NodePort 10.105.49.186 <none> 443:30001/TCP 5d10h
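The dashboard service is now of type NodePort and has an externally reachable port, 30001. Open this address in a browser: https://192.168.56.109:30001, replacing the IP with the IP of your own master node. Be sure to use https. If the browser says it cannot connect or warns that the connection is not private, simply install Firefox. The page looks like this:
Different browsers show different results because they handle an expired certificate differently. The figure shows how to view the certificate in Firefox:
Sure enough, the certificate's start date is the year 0001. Leave the certificate date problem aside for now and first deal with how to log in.
Getting a token
First create a yaml file: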
[root@elasticsearch01 ~]# cat /k8s/yaml/admin-token.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: admin
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: admin
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
Then create it:
[root@master-node /]# kubectl create -f /mnt/share/admin-token.yaml
clusterrolebinding.rbac.authorization.k8s.io/admin created
Display the token
[root@master-node /]# kubectl describe secret/$(kubectl get secret -nkube-system |grep admin|awk '{print $1}') -nkube-system
Name: admin-token-6kdch
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: admin
kubernetes.io/service-account.uid: aad5d9b0-77ef-11e9-8974-0800275044ee
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 11 bytes
token:      <token value omitted>
The token above is valid only on my machine; generate a token on your own machine.
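The token printed by kubectl describe is a JWT, and its payload shows which identity it carries and whether it ever expires. The following is an added example, not part of the original article: it reads the claims of a constructed token laid out like a secret-based service-account token (the secret name admin-token-xxxxx and the signature are placeholders), without verifying the signature.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    """Decode one unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def describe_sa_token(token: str) -> dict:
    """Read identity and expiry claims; the signature is NOT verified."""
    token = "".join(token.split())  # kubectl/terminal output may wrap the token
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    prefix = "kubernetes.io/serviceaccount/"
    return {
        "alg": header.get("alg"),
        "subject": claims.get("sub"),
        "namespace": claims.get(prefix + "namespace"),
        "secret": claims.get(prefix + "secret.name"),
        "expires": claims.get("exp"),  # None means the token has no expiry claim
    }

def build_sample_token() -> str:
    """Constructed token for the demo; names and signature are placeholders."""
    header = {"alg": "RS256", "kid": ""}
    claims = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "kube-system",
        "kubernetes.io/serviceaccount/secret.name": "admin-token-xxxxx",
        "kubernetes.io/serviceaccount/service-account.name": "admin",
        "sub": "system:serviceaccount:kube-system:admin",
    }
    enc = lambda obj: b64url_encode(json.dumps(obj).encode())
    return ".".join([enc(header), enc(claims), b64url_encode(b"dummy-signature")])

if __name__ == "__main__":
    info = describe_sa_token(build_sample_token())
    print(info)
    if info["expires"] is None:
        print("no exp claim: valid until its Secret or ServiceAccount is deleted")
```

A token with no exp claim that is bound to cluster-admin works as a permanent cluster-wide credential, so it should be handled like a root password.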
After pasting the token into the login page, you are taken into the dashboard:
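The two changes made in this chapter, a NodePort Service for the Dashboard and a ClusterRoleBinding that gives a ServiceAccount cluster-admin, are both settings worth being able to find in a cluster later. The following is an added example, not part of the original article: it scans data shaped like kubectl JSON output for both, using constructed samples trimmed to the fields it reads.

```python
def risky_admin_bindings(crbs: dict) -> list:
    """ClusterRoleBindings that grant cluster-admin to a ServiceAccount."""
    found = []
    for item in crbs.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        for subj in item.get("subjects") or []:  # subjects may be absent or null
            if subj.get("kind") == "ServiceAccount":
                found.append((item["metadata"]["name"],
                              f"{subj.get('namespace')}/{subj.get('name')}"))
    return found

def exposed_nodeports(svcs: dict) -> list:
    """(namespace/name, nodePort) for each port of every NodePort Service."""
    found = []
    for item in svcs.get("items", []):
        spec = item.get("spec", {})
        if spec.get("type") != "NodePort":
            continue
        meta = item["metadata"]
        for port in spec.get("ports", []):
            found.append((f"{meta['namespace']}/{meta['name']}", port.get("nodePort")))
    return found

# Constructed samples, trimmed to the fields read above
SAMPLE_CRBS = {"items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "admin",
                   "namespace": "kube-system"}]},
]}
SAMPLE_SVCS = {"items": [
    {"metadata": {"name": "kube-dns", "namespace": "kube-system"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 53}]}},
    {"metadata": {"name": "kubernetes-dashboard", "namespace": "kube-system"},
     "spec": {"type": "NodePort",
              "ports": [{"port": 443, "nodePort": 30001, "targetPort": 8443}]}},
]}

if __name__ == "__main__":
    for name, sa in risky_admin_bindings(SAMPLE_CRBS):
        print(f"cluster-admin -> ServiceAccount {sa} (binding {name})")
    for svc, port in exposed_nodeports(SAMPLE_SVCS):
        print(f"NodePort {port} exposes {svc} on every node")
```

On a real cluster, load the input with json.load from the output of kubectl get clusterrolebindings -o json and kubectl get svc --all-namespaces -o json.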
End of article.