一 修改配置文件 1.1 下載解壓 1 [root@k8smaster01 ~]# cd /opt/k8s/work/kubernetes/ 2 [root@k8smaster01 kubernetes]# tar -xzvf kubernetes-src.tar.gz 提示:k8smaster01 ...
一 修改配置文件
1.1 下載解壓
1 [root@k8smaster01 ~]# cd /opt/k8s/work/kubernetes/ 2 [root@k8smaster01 kubernetes]# tar -xzvf kubernetes-src.tar.gz提示:k8smaster01節點已解壓完畢,可直接修改配置。
1.2 修改配置
1 [root@k8smaster01 ~]# cd /opt/k8s/work/kubernetes/cluster/addons/dashboard 2 [root@k8smaster01 dashboard]# vi dashboard-service.yaml 3 …… 4 type: NodePort #增加此行,使用node形式訪問 5 …… 6 #使用node方式訪問dashboard
1.3 修改為國內源
1 [root@k8smaster01 dashboard]# vi dashboard-controller.yaml 2 …… 3 image: mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1 4 ……提示:將yaml文件中的image欄位修改為mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1。
二 創建 dashboard
2.1 創建dashboard並檢查
1 [root@k8smaster01 ~]# cd /opt/k8s/work/kubernetes/cluster/addons/dashboard 2 [root@k8smaster01 dashboard]# kubectl apply -f .
2.2 查看分配的NodePort
1 [root@k8smaster01 ~]# kubectl get deployment kubernetes-dashboard -n kube-system 2 NAME READY UP-TO-DATE AVAILABLE AGE 3 kubernetes-dashboard 1/1 1 1 84s 4 [root@k8smaster01 ~]# kubectl --namespace kube-system get pods -o wide 5 [root@k8smaster01 ~]# kubectl get services kubernetes-dashboard -n kube-system
提示:k8smaster02 NodePort 31181 映射到 dashboard pod 443 埠。
2.3 查看dashboard參數
1 [root@k8smaster01 ~]# kubectl exec --namespace kube-system -it kubernetes-dashboard-7848d45466-bgz94 -- /dashboard --help
提示:dashboard 的 --authentication-mode 支持 token、basic,預設為 token。如果使用 basic,則 kube-apiserver 必須配置 --authorization-mode=ABAC 和 --basic-auth-file 參數。
三 dashboard驗證方式
由於Kubernetes預設證書可能過期導致無法訪問dashboard,本實驗在已成功部署Kubernetes後手動重新創建證書。3.1 創建證書
1 [root@k8smaster01 ~]# cd /opt/k8s/work/ 2 [root@k8smaster01 work]# openssl genrsa -out dashboard.key 2048 3 [root@k8smaster01 work]# openssl rsa -passin pass:x -in dashboard.key -out dashboard.key 4 [root@k8smaster01 work]# openssl req -new -key dashboard.key -out dashboard.csr 5 ----- 6 Country Name (2 letter code) [XX]:CN 7 State or Province Name (full name) []:Shanghai 8 Locality Name (eg, city) [Default City]:Shanghai 9 Organization Name (eg, company) [Default Company Ltd]:k8s 10 Organizational Unit Name (eg, section) []:System 11 [root@k8smaster01 work]# openssl x509 -req -sha256 -days 365 -in dashboard.csr -signkey dashboard.key -out dashboard.crt 12 [root@k8smaster01 work]# openssl x509 -noout -text -in ./dashboard.crt #查看證書
3.2 分發證書
1 [root@k8smaster01 ~]# cd /opt/k8s/work 2 [root@k8smaster01 work]# source /opt/k8s/bin/environment.sh 3 [root@k8smaster01 work]# for all_ip in ${ALL_IPS[@]} 4 do 5 echo ">>> ${all_ip}" 6 scp dashboard.* root@${all_ip}:/etc/kubernetes/cert 7 done
3.3 修改預設證書配置
1 [root@k8smaster01 work]# cd /opt/k8s/work/kubernetes/cluster/addons/dashboard 2 [root@k8smaster01 dashboard]# kubectl delete -f . #刪除使用預設證書所創建的dashboard 3 [root@k8smaster01 dashboard]# ll /etc/kubernetes/cert/dashboard.* 4 -rw-r--r-- 1 root root 1.2K Jun 28 18:06 /etc/kubernetes/cert/dashboard.crt 5 -rw-r--r-- 1 root root 976 Jun 28 18:06 /etc/kubernetes/cert/dashboard.csr 6 -rw-r--r-- 1 root root 1.7K Jun 28 18:06 /etc/kubernetes/cert/dashboard.key 7 8 [root@master dashboard]# kubectl create secret generic kubernetes-dashboard-certs --from-file="/etc/kubernetes/cert/dashboard.crt,/etc/kubernetes/cert/dashboard.key" -n kube-system #掛載新證書到dashboard 9 [root@master dashboard]# kubectl get secret kubernetes-dashboard-certs -n kube-system -o yaml #查看新證書
3.4 重新部署dashboard
1 [root@k8smaster01 work]# cd /opt/k8s/work/kubernetes/cluster/addons/dashboard 2 [root@master dashboard]# kubectl apply -f . 3 [root@master dashboard]# kubectl get pods --namespace=kube-system | grep dashboard #確認驗證
3.5 確認驗證
1 [root@k8smaster01 ~]# kubectl get deployment kubernetes-dashboard -n kube-system 2 [root@k8smaster01 ~]# kubectl --namespace kube-system get pods -o wide 3 [root@k8smaster01 ~]# kubectl get services kubernetes-dashboard -n kube-system
提示:k8smaster03 NodePort 30938 映射到 dashboard pod 443 埠。
四 訪問dashboard
3.1 導入證書
將dashboard.crt導入IE瀏覽器,並設置為信任,導入操作略。3.2 訪問方式
本實驗採用nodeip:nodepord方式訪問。 瀏覽器訪問:https://172.24.8.73:30938
提示:
更多dashboard訪問方式及認證可參考《附004.Kubernetes Dashboard簡介及使用》。
dashboard登錄整個流程可參考:https://www.cnadn.net/post/2613.htm
apiserver方式見3.4,Kubeconfig驗證方式見《附006.Kubernetes身份認證》中的3.5。
五 驗證方式
5.1 創建token
1 [root@k8smaster01 ~]# kubectl create sa dashboard-admin -n kube-system 2 [root@k8smaster01 ~]# kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin 3 [root@k8smaster01 ~]# ADMIN_SECRET=$(kubectl get secrets -n kube-system | grep dashboard-admin | awk '{print $1}') 4 [root@k8smaster01 ~]# DASHBOARD_LOGIN_TOKEN=$(kubectl describe secret -n kube-system ${ADMIN_SECRET} | grep -E '^token' | awk '{print $2}') 5 [root@k8smaster01 ~]# echo ${DASHBOARD_LOGIN_TOKEN} #輸入登錄的token 6 eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tdmc5bWgiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZTlkNGRjNGUtOTk3OC0xMWU5LTkzNTItMDAwYzI5ZmE3YTc5Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.X1NJsPNaAgV2TzJo0NlqOWFofDYOsSdkeiYHFGQFk5nNy0nbbnfnnoH0yumj_Ld0nGPakIjEpsUq9dqgCazeCpgk5EsygD6UlSg5sYA2sTLswbDoZdS3QzrOjY5MXWD3VDc_OQofD94MZqHMMw7IABVlfVsZ0vMEvHe-Qtyt6EQlFlHq5QjwDX8dCQDKRbwuiCr-Iy_dCWHHIhaT25BREf2viei8sZ497D8h4TXgO_u2CGf3qXRGNXj26VSdD8bT-BFGiDdyuXPbDHPU5LalvxF4WThChRfjO4zHLI2fOXq8BBF6DjbjhtG4X8fLuvJaxF4YWAmVS_78eJHhA3nvRg
3.4 創建kubeconfig文件
使用token相對複雜,可將token添加至kubeconfig文件中,使用KubeConfig 文件訪問dashboard。1 [root@k8smaster01 ~]# cd /opt/k8s/work/ 2 [root@k8smaster01 work]# source /opt/k8s/bin/environment.sh 3 [root@k8smaster01 work]# kubectl config set-cluster kubernetes \ 4 --certificate-authority=/etc/kubernetes/cert/ca.pem \ 5 --embed-certs=true \ 6 --server=${KUBE_APISERVER} \ 7 --kubeconfig=dashboard.kubeconfig # 設置集群參數 8 [root@k8smaster01 work]# kubectl config set-credentials dashboard_user \ 9 --token=${DASHBOARD_LOGIN_TOKEN} \ 10 --kubeconfig=dashboard.kubeconfig # 設置客戶端認證參數,使用上面創建的 Token 11 [root@k8smaster01 work]# kubectl config set-context default \ 12 --cluster=kubernetes \ 13 --user=dashboard_user \ 14 --kubeconfig=dashboard.kubeconfig # 設置上下文參數 15 [root@k8smaster01 work]# kubectl config use-context default --kubeconfig=dashboard.kubeconfig # 設置預設上下文,將dashboard.kubeconfig文件導入,以便於瀏覽器使用該文件登錄。
六 正式登錄
6.1 kubeconfig訪問
瀏覽器訪問:https://172.24.8.73:30938
提示:由於缺少 Heapster 插件,當前 dashboard 不能展示 Pod、Nodes 的 CPU、記憶體等統計數據和圖表。
