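I. Dashboard Overview
The Kubernetes community has a popular Dashboard project that gives users a visual web interface for viewing information about the current cluster. With Kubernetes Dashboard, users can deploy containerized applications, monitor application status, troubleshoot, and manage the various Kubernetes resources.
II. Deploying the Dashboard
Official documentation: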
https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/
GitHub project:
https://github.com/kubernetes/dashboard
Dashboard version deployed here: v2.1.0. Check that the Dashboard version is compatible with your Kubernetes version:
https://github.com/kubernetes/dashboard/releases
Deploy the dashboard
[root@master ~]# kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.1.0/aio/deploy/recommended.yaml
Error:
The connection to the server raw.githubusercontent.com was refused - did you specify the right host or port?
DNS resolves the name correctly, but the host still cannot be reached
[root@master ~]# dig https://raw.githubusercontent.com
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> https://raw.githubusercontent.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20023
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;https://raw.githubusercontent.com. IN A
;; ANSWER SECTION:
https://raw.githubusercontent.com. 3600 IN CNAME github.map.fastly.net.
github.map.fastly.net. 17 IN A 151.101.108.133
;; Query time: 292 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: 日 1月 31 12:43:21 CST 2021
;; MSG SIZE rcvd: 102
[root@master ~]# ping raw.githubusercontent.com
PING github.map.fastly.net (151.101.228.133) 56(84) bytes of data.
64 bytes from 151.101.228.133 (151.101.228.133): icmp_seq=1 ttl=52 time=169 ms
64 bytes from 151.101.228.133 (151.101.228.133): icmp_seq=2 ttl=52 time=179 ms
64 bytes from 151.101.228.133 (151.101.228.133): icmp_seq=3 ttl=52 time=176 ms
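Cause: the external network is not reachable
Workaround:
1. Find the IP address for the domain
Open https://www.ipaddress.com/, enter raw.githubusercontent.com, and note the IP address it returns for the domain.
2. Add the host-to-IP mapping to /etc/hosts
Redeploy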
[root@master ~]# kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.1.0/aio/deploy/recommended.yaml
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created
Check the dashboard's running state. It runs in the kubernetes-dashboard namespace (as the deployment output above shows, this namespace is created during deployment), is deployed as Deployments, and runs 2 pods and 2 services:
[root@master dashboard]# kubectl get deployment -n kubernetes-dashboard | grep dashboard
dashboard-metrics-scraper 1/1 1 1 4h50m
kubernetes-dashboard 1/1 1 1 4h50m
[root@master ~]# kubectl -n kubernetes-dashboard get pods
NAME READY STATUS RESTARTS AGE
dashboard-metrics-scraper-78f5d9f487-ncbwm 1/1 Running 0 27m
kubernetes-dashboard-59ddbcfdcb-jvnkj 1/1 Running 0 27m
[root@master ~]# kubectl -n kubernetes-dashboard get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
dashboard-metrics-scraper ClusterIP 10.105.45.196 <none> 8000/TCP 48m
kubernetes-dashboard ClusterIP 10.111.9.50 <none> 443/TCP 48m
III. Accessing the Dashboard
Because the default Service is of type ClusterIP, change it to NodePort here so that it can be reached from outside the cluster.
[root@master ~]# kubectl -n kubernetes-dashboard edit service kubernetes-dashboard
Under ports add nodePort: 32576 and change the type from ClusterIP to NodePort (the listing and the patch command below use 30808)
spec:
  clusterIP: 10.111.9.50
  ports:
  - port: 443
    protocol: TCP
    targetPort: 8443
    nodePort: 30808
  selector:
    k8s-app: kubernetes-dashboard
  sessionAffinity: None
  type: NodePort
The same change can also be made with a patch
[root@master ~]# kubectl patch svc kubernetes-dashboard -n kubernetes-dashboard -p '{"spec":{"type":"NodePort","ports":[{"port":443,"targetPort":8443,"nodePort":30808}]}}'
service/kubernetes-dashboard patched
Check the exposed Service; it is now of type NodePort:
[root@master ~]# kubectl -n kubernetes-dashboard get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
dashboard-metrics-scraper ClusterIP 10.105.45.196 <none> 8000/TCP 78m
kubernetes-dashboard NodePort 10.111.9.50 <none> 443:30808/TCP 78m
Alternatively, download the YAML file and edit the Service section by hand
[root@master ~]# wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.1.0/aio/deploy/recommended.yaml
--2021-01-31 14:24:02-- https://raw.githubusercontent.com/kubernetes/dashboard/v2.1.0/aio/deploy/recommended.yaml
正在解析主机 raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.108.133, 151.101.228.133, 199.232.96.133
正在连接 raw.githubusercontent.com (raw.githubusercontent.com)|151.101.108.133|:443... 失败:拒绝连接。
正在连接 raw.githubusercontent.com (raw.githubusercontent.com)|151.101.228.133|:443... 失败:拒绝连接。
正在连接 raw.githubusercontent.com (raw.githubusercontent.com)|199.232.96.133|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:7552 (7.4K) [text/plain]
正在保存至: “recommended.yaml”
100%[=================================================================================================>] 7,552 --.-K/s 用时 0s
2021-01-31 14:24:05 (63.7 MB/s) - 已保存 “recommended.yaml” [7552/7552])
Edit the Service section
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30808
  selector:
    k8s-app: kubernetes-dashboard
Apply the updated configuration
kubectl apply -f recommended.yaml
Logging in to the Dashboard
In Kubernetes, the dashboard can be accessed in two ways: kubeconfig (HTTPS) and token (http)
See the official documentation:
https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md
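1. Token authentication
Create dashboard-adminuser.yaml, which uses a ClusterRoleBinding to associate a ServiceAccount with a ClusterRole in the cluster.
Note: the account used for authentication must be a ServiceAccount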
[root@master dashboard]# vim dashboard-adminuser.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
[root@master dashboard]# kubectl apply -f dashboard-adminuser.yaml
serviceaccount/admin-user created
clusterrolebinding.rbac.authorization.k8s.io/admin-user created
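Explanation: the manifest above creates a ServiceAccount named admin-user in the kubernetes-dashboard namespace and uses a ClusterRoleBinding to bind the cluster-admin role to it, which gives the admin-user account administrator privileges. By default, kubeadm already creates the cluster-admin role when it sets up the cluster, so we only need to bind to it.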
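One way to check which ServiceAccounts hold cluster-admin after creating a binding like the one above, as an added example that is not part of the original post. The function names and the sample rows are constructed for illustration; the script runs on the sample rows unless it is started with --live.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): find ClusterRoleBindings that
# grant cluster-admin to a ServiceAccount, such as admin-user above.

# One row per binding: name, role, subject kinds, subject namespaces, subject names.
# kubectl joins the values with commas when a binding has several subjects.
CRB_COLUMNS='NAME:.metadata.name,ROLE:.roleRef.name,KIND:.subjects[*].kind,NS:.subjects[*].namespace,SUBJECT:.subjects[*].name'

# Query the live cluster (needs kubectl and permission to list clusterrolebindings).
list_bindings() {
  kubectl get clusterrolebindings --no-headers -o custom-columns="$CRB_COLUMNS"
}

# Read rows in the format above on stdin and print every binding whose role is
# cluster-admin and whose subjects include a ServiceAccount.
find_admin_service_accounts() {
  awk '$2 == "cluster-admin" && $3 ~ /(^|,)ServiceAccount(,|$)/ {
         printf "%s: %s/%s\n", $1, $4, $5
       }'
}

# Constructed sample rows standing in for list_bindings output.
SAMPLE_BINDINGS='cluster-admin          cluster-admin          Group            <none>                 system:masters
admin-user             cluster-admin          ServiceAccount   kubernetes-dashboard   admin-user
kubernetes-dashboard   kubernetes-dashboard   ServiceAccount   kubernetes-dashboard   kubernetes-dashboard'

# Pass --live to audit the current cluster; otherwise run on the sample rows.
if [ "${1:-}" = "--live" ]; then
  list_bindings | find_admin_service_accounts
else
  printf '%s\n' "$SAMPLE_BINDINGS" | find_admin_service_accounts
fi
```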
View the token of the admin-user ServiceAccount
[root@master dashboard]# kubectl -n kubernetes-dashboard get secret | grep admin-user
admin-user-token-xtfgl kubernetes.io/service-account-token 3 5m47s
[root@master dashboard]# kubectl -n kubernetes-dashboard describe secret admin-user-token-xtfgl
Name: admin-user-token-xtfgl
Namespace: kubernetes-dashboard
Labels: <none>
Annotations: kubernetes.io/service-account.name: admin-user
kubernetes.io/service-account.uid: cafcd92b-5c9e-431f-a85d-29ff4a660c7d
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 20 bytes
token: <token value omitted>
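Copy the token into the Token field on the login page to log in to the dashboard:
The account created above has administrative rights over all namespaces. Next, using token authentication again, create an account that has administrative rights over the default namespace only; this time it is created imperatively with commands.
## Create a serviceaccount in the default namespace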
[root@master dashboard]# kubectl create serviceaccount def-admin -n default
serviceaccount/def-admin created
## Create a rolebinding that binds the service account to the cluster role admin
[root@master dashboard]# kubectl create rolebinding def-admin --clusterrole=admin --serviceaccount=default:def-admin
rolebinding.rbac.authorization.k8s.io/def-admin created
# View the token of the def-admin serviceaccount
[root@master dashboard]# kubectl get secret | grep def-admin
def-admin-token-mjhwn kubernetes.io/service-account-token 3 6m42s
[root@master dashboard]# kubectl describe secret def-admin-token-mjhwn
Name: def-admin-token-mjhwn
Namespace: default
Labels: <none>
Annotations: kubernetes.io/service-account.name: def-admin
kubernetes.io/service-account.uid: 0d68d8c9-9e70-49b6-a836-7d497e255b06
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 7 bytes
token: <token value omitted>
Copy the token into the Token field on the login page
Tip: to make the next login easier, save the token to a file
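Before a token is saved to a file, it helps to see whom it identifies and whether it ever expires. The following added example (not code from the original post) decodes a token's payload and checks for an expiry claim; the function names and the sample token are constructed, and the claim names follow the secret-based ServiceAccount token format used in this post.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): read the claims of a
# ServiceAccount token before storing it in a file or a kubeconfig.

# Encode stdin as unpadded base64url, the encoding of JWT segments.
b64url_encode() { base64 | tr -d '=\n' | tr '/+' '_-'; }

# Decode one unpadded base64url segment given as $1.
b64url_decode() {
  local seg pad
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  pad=$(( (4 - ${#seg} % 4) % 4 ))
  while [ "$pad" -gt 0 ]; do seg="$seg="; pad=$((pad - 1)); done
  printf '%s' "$seg" | base64 -d
}

# Print the JSON payload (second dot-separated segment) of the token in $1.
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# Print the string claim $2 of token $1 (handles flat JSON only, no jq needed).
jwt_claim() {
  jwt_payload "$1" | tr ',{}' '\n\n\n' | grep -F "\"$2\":" | head -n 1 | cut -d'"' -f4
}

# Succeed when the token has an "exp" claim, fail when it never expires.
token_has_expiry() { jwt_payload "$1" | grep -q '"exp"[[:space:]]*:'; }

# Constructed token with the claim layout of a secret-based ServiceAccount
# token; the signature segment is a dummy.
SAMPLE_PAYLOAD='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kubernetes-dashboard","kubernetes.io/serviceaccount/service-account.name":"admin-user","sub":"system:serviceaccount:kubernetes-dashboard:admin-user"}'
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256"}' | b64url_encode).$(printf '%s' "$SAMPLE_PAYLOAD" | b64url_encode).dummy-signature"

echo "subject: $(jwt_claim "$SAMPLE_TOKEN" sub)"
if token_has_expiry "$SAMPLE_TOKEN"; then
  echo "expiry: present"
else
  echo "expiry: none, the token stays valid until its secret is deleted"
fi
```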
2. kubeconfig authentication
1. Configure the cluster information
[root@master dashboard]# kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --server="https://10.10.20.207:6443" --embed-certs=true --kubeconfig=/root/dashboard-admin.conf
Cluster "kubernetes" set.
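2. Write the token from the token authentication section above (here the one with administrative rights over all namespaces) into the kubeconfig as the credentials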
[root@master dashboard]# kubectl -n kubernetes-dashboard get secret | grep admin-user
admin-user-token-xtfgl kubernetes.io/service-account-token 3 19h
[root@master dashboard]# kubectl -n kubernetes-dashboard describe secret admin-user-token-xtfgl
Name: admin-user-token-xtfgl
Namespace: kubernetes-dashboard
Labels: <none>
Annotations: kubernetes.io/service-account.name: admin-user
kubernetes.io/service-account.uid: cafcd92b-5c9e-431f-a85d-29ff4a660c7d
Type: kubernetes.io/service-account-token
Data
====
namespace: 20 bytes
token: <token value omitted>
ca.crt: 1025 bytes
## The token stored in the secret is base64-encoded and has to be decoded
[root@master dashboard]# kubectl get secret admin-user-token-xtfgl -n kubernetes-dashboard -o jsonpath={.data.token} | base64 -d
<decoded token omitted>
## Store the token in a variable so it can be referenced later
[root@master dashboard]# DASHBOARD_ADMIN_TOKEN=$(kubectl get secret admin-user-token-xtfgl -n kubernetes-dashboard -o jsonpath={.data.token} | base64 -d)
## Configure the token credentials
[root@master dashboard]# kubectl config set-credentials dashboard-admin --token=$DASHBOARD_ADMIN_TOKEN --kubeconfig=/root/dashboard-admin.conf
User "dashboard-admin" set.
3. Configure the context
[root@master dashboard]# kubectl config set-context dashboard-admin@kubernetes --cluster=kubernetes --user=dashboard-admin --kubeconfig=/root/dashboard-admin.conf
Context "dashboard-admin@kubernetes" created.
## Select the context
[root@master dashboard]# kubectl config use-context dashboard-admin@kubernetes --kubeconfig=/root/dashboard-admin.conf
Switched to context "dashboard-admin@kubernetes".
[root@master dashboard]# kubectl config view --kubeconfig=/root/dashboard-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://10.10.20.207:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: dashboard-admin
  name: dashboard-admin@kubernetes
current-context: dashboard-admin@kubernetes
kind: Config
preferences: {}
users:
- name: dashboard-admin
  user:
    token: <token value omitted>
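4. Copy the /root/dashboard-admin.conf file to the host; when accessing the dashboard in the browser, select Kubeconfig authentication, load this configuration file and click Sign in to gain access.
IV. Summary
1. Deploy the dashboard from GitHub. (Note: if the images cannot be pulled, use a mirror registry inside China and download them locally.)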
[root@master ~]# kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.1.0/aio/deploy/recommended.yaml
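2. Change the Service to NodePort for access:
3. Authentication:
The account used for authentication must be a ServiceAccount: it is what the dashboard pod uses to be authenticated by Kubernetes. There are two authentication methods:
token:
(1) Create a ServiceAccount and, depending on what it is meant to manage, bind it to a suitable Role or ClusterRole with a RoleBinding or ClusterRoleBinding;
(2) Get the secret of this ServiceAccount and view its details, which include the token;
(3) Copy the token into the login page to log in.
kubeconfig: wrap the ServiceAccount's token in a kubeconfig file
(1) Create a ServiceAccount and, depending on what it is meant to manage, bind it to a suitable Role or ClusterRole with a RoleBinding or ClusterRoleBinding;
(2) kubectl get secret | awk '/^ServiceAccount/{print $1}'
KUBE_TOKEN=$(kubectl get secret SERVICEACCOUNT_SECRET_NAME -o jsonpath={.data.token} | base64 -d)
(3) Generate the kubeconfig file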
kubectl config set-cluster
kubectl config set-credentials NAME --token=$KUBE_TOKEN
kubectl config set-context
kubectl config use-context