I. Kubernetes Dashboard installation steps
1. Run the following command on the cluster master node:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.2.0/aio/deploy/recommended.yaml
2. Check that the pods are running; a STATUS of Running means they are working normally
kubectl get pod -n kubernetes-dashboard
NAME READY STATUS RESTARTS AGE
dashboard-metrics-scraper-78f5d9f487-l8xfs 1/1 Running 0 2m19s
kubernetes-dashboard-577bd97bc-69fq5 1/1 Running 0 2m19s
3. Check the dashboard Service; its type defaults to ClusterIP, so it can only be reached from inside the cluster
kubectl get svc -n kubernetes-dashboard
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
dashboard-metrics-scraper ClusterIP 10.96.105.243 <none> 8000/TCP 3m43s
kubernetes-dashboard ClusterIP 10.100.158.78 <none> 443/TCP 3m43s
4. Change the dashboard Service type to NodePort
kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kubernetes-dashboard
This patches the Service in place, changing its type to NodePort.
kubectl get svc -n kubernetes-dashboard
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
dashboard-metrics-scraper ClusterIP 10.96.105.243 <none> 8000/TCP 7m28s
kubernetes-dashboard NodePort 10.100.158.78 <none> 443:30377/TCP 7m28s
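Listing the Services again shows that the type is now NodePort and the port is 30377; the port is randomly assigned and is used for logging in later.
5. List the service account names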
kubectl get serviceaccount -n kubernetes-dashboard
NAME SECRETS AGE
default 1 3m2s
kubernetes-dashboard 1 3m2s
This account is used to log in to the dashboard and manage cluster information.
6. View the details of the kubernetes-dashboard account
kubectl describe serviceaccounts kubernetes-dashboard -n kubernetes-dashboard
Name: kubernetes-dashboard
Namespace: kubernetes-dashboard
Labels: k8s-app=kubernetes-dashboard
Annotations:
Image pull secrets: <none>
Mountable secrets: kubernetes-dashboard-token-kq9mm
Tokens: kubernetes-dashboard-token-kq9mm
Events: <none>
7. Get the token of the kubernetes-dashboard account; it is used to authenticate the login over SSL
kubectl describe secrets kubernetes-dashboard-token-kq9mm -n kubernetes-dashboard
Name: kubernetes-dashboard-token-kq9mm
Namespace: kubernetes-dashboard
Labels: <none>
Annotations: kubernetes.io/service-account.name: kubernetes-dashboard
kubernetes.io/service-account.uid: 7162662b-327f-450f-9043-2f37776da296
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 20 bytes
token: <token value omitted>
8. Open port 30377 on the master node; note that the protocol is https.
https://10.0.0.21:30377
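Click through to continue, or type thisisnotsafe directly on the keyboard and press Enter.
Select Token, paste the token obtained in step 7, and click Sign in.
After logging in you will see many error messages, because the role bound to the account that the dashboard creates by default does not have enough permissions.
9. Check which cluster role the kubernetes-dashboard account is bound to: it is the kubernetes-dashboard role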
kubectl describe clusterrolebinding kubernetes-dashboard -n kubernetes-dashboard
Name: kubernetes-dashboard
Labels: <none>
Annotations:
Role:
Kind: ClusterRole
Name: kubernetes-dashboard
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount kubernetes-dashboard kubernetes-dashboard
10. View the permissions of the kubernetes-dashboard role; it has only get, list and watch on node and pod metrics
kubectl describe clusterrole kubernetes-dashboard
Name: kubernetes-dashboard
Labels: k8s-app=kubernetes-dashboard
Annotations:
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
nodes.metrics.k8s.io [] [] [get list watch]
pods.metrics.k8s.io [] [] [get list watch]
11. Create a new account, dashboard-admin
kubectl create serviceaccount dashboard-admin -n kubernetes-dashboard
12. Bind the cluster-admin role to this account; this role carries administrator privileges over the whole cluster
kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:dashboard-admin
13. Get the token of the new administrator account
kubectl describe sa dashboard-admin -n kubernetes-dashboard
Name: dashboard-admin
Namespace: kubernetes-dashboard
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: dashboard-admin-token-jq8t4
Tokens: dashboard-admin-token-jq8t4
Events: <none>
kubectl describe secrets dashboard-admin-token-jq8t4 -n kubernetes-dashboard
Name: dashboard-admin-token-jq8t4
Namespace: kubernetes-dashboard
Labels: <none>
Annotations: kubernetes.io/service-account.name: dashboard-admin
kubernetes.io/service-account.uid: 507a6b02-7747-43f9-a7bb-38c52f2eb85f
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 20 bytes
token: <token value omitted>
14. Log in with the new administrator account's token
Everything now displays normally.
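
Steps 4 and 12 leave the dashboard published on a node port and logged in through a service account bound to cluster-admin. The following is an added example, not part of the original article: a Python check that flags both conditions in `kubectl ... -o json` output. The JSON samples are constructed to mirror this walkthrough, and the function names are assumptions of this example.

```python
import json

# Constructed sample shaped like `kubectl get clusterrolebindings -o json` (trimmed).
SAMPLE_BINDINGS = json.loads("""
{"items": [
  {"metadata": {"name": "kubernetes-dashboard"},
   "roleRef": {"kind": "ClusterRole", "name": "kubernetes-dashboard"},
   "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard", "namespace": "kubernetes-dashboard"}]},
  {"metadata": {"name": "dashboard-cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount", "name": "dashboard-admin", "namespace": "kubernetes-dashboard"}]},
  {"metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]},
  {"metadata": {"name": "orphaned"}, "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}
]}
""")
# Constructed sample shaped like `kubectl get svc -n kubernetes-dashboard -o json`.
SAMPLE_SERVICES = json.loads("""
{"items": [
  {"metadata": {"name": "dashboard-metrics-scraper", "namespace": "kubernetes-dashboard"},
   "spec": {"type": "ClusterIP", "ports": [{"port": 8000}]}},
  {"metadata": {"name": "kubernetes-dashboard", "namespace": "kubernetes-dashboard"},
   "spec": {"type": "NodePort", "ports": [{"port": 443, "nodePort": 30377}]}}
]}
""")

def admin_service_accounts(bindings, role="cluster-admin"):
    """Return (binding, namespace, serviceaccount) for every SA bound to `role`."""
    found = []
    for b in bindings.get("items", []):
        ref = b.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        for s in b.get("subjects") or []:  # subjects may be missing or null
            if s.get("kind") == "ServiceAccount":
                found.append((b["metadata"]["name"], s.get("namespace"), s["name"]))
    return found

def node_port_services(services):
    """Return (namespace, name, nodePort) for every port published on the nodes."""
    return [(s["metadata"]["namespace"], s["metadata"]["name"], p["nodePort"])
            for s in services.get("items", [])
            if s["spec"].get("type") in ("NodePort", "LoadBalancer")
            for p in s["spec"].get("ports", []) if "nodePort" in p]

if __name__ == "__main__":
    print("cluster-admin service accounts:", admin_service_accounts(SAMPLE_BINDINGS))
    print("published node ports:", node_port_services(SAMPLE_SERVICES))
```

On a live cluster, replace the samples with the parsed output of `kubectl get clusterrolebindings -o json` and `kubectl get svc -A -o json`.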