Installing kubernetes-dashboard 2.0.0 on Kubernetes 1.18.5

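Kubernetes dashboard is a general-purpose, web-based UI for Kubernetes clusters. It lets users manage and troubleshoot the applications running in the cluster, as well as manage the cluster itself.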

I. Check the system pods

[root@master69 kubernetes]# kubectl get pods -n kube-system -o wide
NAME                               READY   STATUS    RESTARTS   AGE     IP             NODE             NOMINATED NODE   READINESS GATES
coredns-66bff467f8-7kbhf           1/1     Running   0          42h     10.244.8.164   redis-02.hlqxt   <none>           <none>
coredns-66bff467f8-v6bw2           1/1     Running   0          42h     10.244.7.201   redis-01.hlqxt   <none>           <none>
etcd-master69                      1/1     Running   0          3d17h   172.28.18.69   master69         <none>           <none>
kube-apiserver-master69            1/1     Running   0          3d16h   172.28.18.69   master69         <none>           <none>
kube-controller-manager-master69   1/1     Running   1          3d17h   172.28.18.69   master69         <none>           <none>
kube-flannel-ds-5tthk              1/1     Running   0          41h     172.28.5.124   redis-02.hlqxt   <none>           <none>
kube-flannel-ds-7mr6j              1/1     Running   0          41h     172.28.18.69   master69         <none>           <none>
kube-flannel-ds-9ml9m              1/1     Running   0          41h     172.28.5.120   redis-01.hlqxt   <none>           <none>
kube-flannel-ds-ws8sc              1/1     Running   0          41h     172.28.5.125   redis-03.hlqxt   <none>           <none>
kube-proxy-6pzzk                   1/1     Running   0          41h     172.28.5.125   redis-03.hlqxt   <none>           <none>
kube-proxy-99jjj                   1/1     Running   1          41h     172.28.18.69   master69         <none>           <none>
kube-proxy-h7nl7                   1/1     Running   0          41h     172.28.5.124   redis-02.hlqxt   <none>           <none>
kube-proxy-lktgm                   1/1     Running   0          41h     172.28.5.120   redis-01.hlqxt   <none>           <none>
kube-scheduler-master69            1/1     Running   1          3d17h   172.28.18.69   master69         <none>           <none>

II. Download the recommended.yaml file

[root@master69 kubernetes]# wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0/aio/deploy/recommended.yaml

III. Edit the recommended.yaml file

Change the Service to the NodePort type

[root@master69 kubernetes]# vim recommended.yaml 
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort # added
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 31000 # added
  selector:
    k8s-app: kubernetes-dashboard

Many browsers cannot use the automatically generated certificate, so we create our own. Comment out the kubernetes-dashboard-certs object declaration:

#apiVersion: v1
#kind: Secret
#metadata:
#  labels:
#    k8s-app: kubernetes-dashboard
#  name: kubernetes-dashboard-certs
#  namespace: kubernetes-dashboard
#type: Opaque

IV. Create the certificate

[root@master69 kubernetes]# mkdir /etc/kubernetes/dashboard-certs
[root@master69 kubernetes]# cd dashboard-certs/

1. Create the namespace

[root@master69 dashboard-certs]# kubectl create namespace kubernetes-dashboard

2. Create the private key file

[root@master69 dashboard-certs]# openssl genrsa -out dashboard.key 2048
Generating RSA private key, 2048 bit long modulus
.......+++
...............................+++
e is 65537 (0x10001)
[root@master69 dashboard-certs]# ll
总用量 4
-rw-r--r-- 1 root root 1675 1月  13 13:48 dashboard.key

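3. Generate the certificate request file with openssl req

Generating a certificate request file involves the applicant's private key and public key, but in practice only the private key has to be supplied: openssl extracts the public key from it automatically. The submitted data is also digitally signed (using a one-way hash) to guarantee the integrity and consistency of the request file and to keep anyone who obtains it from tampering with it. For example, an attacker might change the company name in a certificate request made for www.baidu.com to their own company name; if the tampering succeeded, the certificate issued when the request is signed would carry someone else's information.

Generate a certificate request file from the private key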

[root@master69 dashboard-certs]# openssl req -days 36000 -new -out dashboard.csr -key dashboard.key -subj '/CN=dashboard-cert' 

View the certificate request file

[root@master69 dashboard-certs]# openssl req -in dashboard.csr -text

Verify the certificate request file

[root@master69 dashboard-certs]# openssl req -verify -in dashboard.csr 
verify OK

4. Self-sign the certificate

[root@master69 dashboard-certs]# openssl x509 -req -in dashboard.csr -signkey dashboard.key  -out dashboard.crt -days 3650
Signature ok
subject=/CN=dashboard-cert
Getting Private key
[root@master69 dashboard-certs]# 

Check the certificate's validity period

[root@master69 dashboard-certs]# openssl x509 -in dashboard.crt -noout -dates
notBefore=Jan 13 06:47:32 2021 GMT
notAfter=Jan 11 06:47:32 2031 GMT
[root@master69 dashboard-certs]#
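
Added example (not part of the original article): a pre-flight check to run before the files are loaded into the Secret. It confirms that dashboard.key is not accessible to group or other users (the listing above shows it as -rw-r--r--), that dashboard.key and dashboard.crt hold the same public key, and that the certificate has not expired. The function names are hypothetical, and openssl is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: pre-flight checks on the files that go into the
# kubernetes-dashboard-certs Secret. Function names are hypothetical.

# Print the SHA-256 of the public key held in a private key or certificate.
pub_digest() {   # $1 = key|crt, $2 = file
    case "$1" in
        key) pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        crt) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 1 ;;
    esac
    # An unparsable file yields no output; fail instead of hashing nothing.
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 and print "ok" only if every check passes.
check_dashboard_certs() {   # $1 = directory holding dashboard.key/.crt
    key="$1/dashboard.key"
    crt="$1/dashboard.crt"
    if [ ! -f "$key" ] || [ ! -f "$crt" ]; then
        echo "missing dashboard.key or dashboard.crt" >&2; return 2
    fi
    # Characters 5-10 of the ls mode string are the group/other bits.
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "dashboard.key is accessible to group/other; chmod 600 it" >&2
        return 3
    fi
    key_fp=$(pub_digest key "$key") || { echo "cannot parse key" >&2; return 4; }
    crt_fp=$(pub_digest crt "$crt") || { echo "cannot parse cert" >&2; return 4; }
    if [ "$key_fp" != "$crt_fp" ]; then
        echo "dashboard.crt was not issued for dashboard.key" >&2; return 5
    fi
    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null; then
        echo "dashboard.crt has expired" >&2; return 6
    fi
    echo ok
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_dashboard_certs "$1"
fi
```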

VI. Create the kubernetes-dashboard-certs object

[root@master69 dashboard-certs]# kubectl create secret generic kubernetes-dashboard-certs --from-file=dashboard.key --from-file=dashboard.crt -n kubernetes-dashboard
secret/kubernetes-dashboard-certs created
[root@master69 dashboard-certs]# kubectl get secrets -n kubernetes-dashboard
NAME                         TYPE                                  DATA   AGE
default-token-nnxdk          kubernetes.io/service-account-token   3      65m
kubernetes-dashboard-certs   Opaque                                2      22s

VII. Create the dashboard

[root@master69 kubernetes]# kubectl create -f recommended.yaml            
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created
Error from server (AlreadyExists): error when creating "recommended.yaml": clusterroles.rbac.authorization.k8s.io "kubernetes-dashboard" already exists
Error from server (AlreadyExists): error when creating "recommended.yaml": clusterrolebindings.rbac.authorization.k8s.io "kubernetes-dashboard" already exists

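The errors at the end occur because the namespace was already created manually earlier, when the certificate was created.

View the resources in the kubernetes-dashboard namespace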

[root@master69 kubernetes]# kubectl get all -n kubernetes-dashboard
NAME                                             READY   STATUS              RESTARTS   AGE
pod/dashboard-metrics-scraper-6b4884c9d5-dzhdh   1/1     Running             0          5m29s
pod/kubernetes-dashboard-7b544877d5-f9kg8        0/1     ContainerCreating   0          5m29s

NAME                                TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)         AGE
service/dashboard-metrics-scraper   ClusterIP   10.105.4.217   <none>        8000/TCP        5m29s
service/kubernetes-dashboard        NodePort    10.98.91.216   <none>        443:31000/TCP   5m29s

NAME                                        READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/dashboard-metrics-scraper   1/1     1            1           5m29s
deployment.apps/kubernetes-dashboard        0/1     1            0           5m29s

NAME                                                   DESIRED   CURRENT   READY   AGE
replicaset.apps/dashboard-metrics-scraper-6b4884c9d5   1         1         1       5m29s
replicaset.apps/kubernetes-dashboard-7b544877d5        1         1         0       5m29s
[root@master69 kubernetes]# 

VIII. Create a dashboard administrator

1. Create the dashboard-admin.yaml file

[root@master69 kubernetes]# vim dashboard-admin.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: dashboard-admin
  namespace: kubernetes-dashboard

Save and exit, then create the user

[root@master69 kubernetes]# kubectl create -f dashboard-admin.yaml 
serviceaccount/dashboard-admin created
[root@master69 kubernetes]# 
[root@master69 kubernetes]# kubectl get ServiceAccount -n kubernetes-dashboard   
NAME                   SECRETS   AGE
dashboard-admin        1         40s
default                1         15m
kubernetes-dashboard   1         15m

2. Grant permissions to the user

Create the dashboard-admin-bind-cluster-role.yaml file

[root@master69 kubernetes]# vim dashboard-admin-bind-cluster-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-admin-bind-cluster-role
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin   # bind to the cluster-admin role
subjects:
- kind: ServiceAccount
  name: dashboard-admin
  namespace: kubernetes-dashboard

Apply the permission binding

[root@master69 kubernetes]# kubectl create -f dashboard-admin-bind-cluster-role.yaml 
clusterrolebinding.rbac.authorization.k8s.io/dashboard-admin-bind-cluster-role created
[root@master69 kubernetes]# 

3. View the user's token

First, look up the secret of the kubernetes-admin user

[root@master69 kubernetes]# kubectl get secret -n kubernetes-dashboard -o wide|grep dashboard-admin
dashboard-admin-token-znrr4        kubernetes.io/service-account-token   3      23m
[root@master69 kubernetes]# 

View the details

[root@master69 kubernetes]# kubectl describe secret dashboard-admin-token-znrr4 -n kubernetes-dashboard     
Name:         dashboard-admin-token-znrr4
Namespace:    kubernetes-dashboard
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: dashboard-admin
              kubernetes.io/service-account.uid: 24dd4aab-75fa-40dc-9d9b-851c4efa0c2d

Type:  kubernetes.io/service-account-token

Data
====
token:      <service-account token (JWT), omitted>
ca.crt:     1025 bytes
namespace:  20 bytes
[root@master69 kubernetes]# 

Copy the token value

IX. Open https://masterip:31000 in a browser

Enter the token and log in

We look at Workloads - Pods

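CPU and memory usage are not displayed because we have not yet installed the Metrics-Server service; see: "Installing the metrics-server service on Kubernetes 1.18"

After installation, it is displayed as follows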
