环境: K8s群集搭建完成
[root@master ~]# mkdir dashboard2 [root@master ~]# cd dashboard2 //上传dashboard的模块文件 [root@master dashboard]# rz -E rz waiting to receive. [root@master dashboard]# ls dashboard-configmap.yaml dashboard-rbac.yaml k8s-admin.yaml dashboard-controller.yaml dashboard-secret.yaml dashboard-service.yaml //查看rbac 角色控制 [root@master dashboard2]# cat dashboard-rbac.yaml kind: Role "资源类型:角色" apiVersion: rbac.authorization.k8s.io/v1 metadata: labels: k8s-app: kubernetes-dashboard "资源标签" addonmanager.kubernetes.io/mode: Reconcile name: kubernetes-dashboard-minimal "资源名称" namespace: kube-system "资源空间" rules: # Allow Dashboard to get, update and delete Dashboard exclusive secrets. - apiGroups: [""] resources: ["secrets"] resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"] verbs: ["get", "update", "delete"] # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. - apiGroups: [""] resources: ["configmaps"] resourceNames: ["kubernetes-dashboard-settings"] verbs: ["get", "update"] # Allow Dashboard to get metrics from heapster. - apiGroups: [""] resources: ["services"] resourceNames: ["heapster"] verbs: ["proxy"] - apiGroups: [""] resources: ["services/proxy"] resourceNames: ["heapster", "http:heapster:", "https:heapster:"] verbs: ["get"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding "资源类型,绑定角色" metadata: name: kubernetes-dashboard-minimal namespace: kube-system labels: k8s-app: kubernetes-dashboard addonmanager.kubernetes.io/mode: Reconcile roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: kubernetes-dashboard-minimal subjects: - kind: ServiceAccount name: kubernetes-dashboard namespace: kube-system [root@master dashboard2]# cat dashboard-secret.yaml apiVersion: v1 kind: Secret "资源类型为secret" metadata: labels: k8s-app: kubernetes-dashboard # Allows editing resource and makes sure it is created first. 
addonmanager.kubernetes.io/mode: EnsureExists name: kubernetes-dashboard-certs namespace: kube-system type: Opaque --- apiVersion: v1 kind: Secret metadata: labels: k8s-app: kubernetes-dashboard # Allows editing resource and makes sure it is created first. addonmanager.kubernetes.io/mode: EnsureExists name: kubernetes-dashboard-key-holder namespace: kube-system type: Opaque [root@master dashboard2]# cat dashboard-controller.yaml apiVersion: v1 kind: ServiceAccount "服务账户" metadata: labels: k8s-app: kubernetes-dashboard addonmanager.kubernetes.io/mode: Reconcile name: kubernetes-dashboard namespace: kube-system --- apiVersion: apps/v1 kind: Deployment "无状态资源" metadata: name: kubernetes-dashboard "dashboard核心pod的名称" namespace: kube-system labels: k8s-app: kubernetes-dashboard kubernetes.io/cluster-service: "true" addonmanager.kubernetes.io/mode: Reconcile spec: "资源规格" selector: matchLabels: k8s-app: kubernetes-dashboard template: "pod模板" metadata: labels: k8s-app: kubernetes-dashboard annotations: scheduler.alpha.kubernetes.io/critical-pod: '' seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: "pod规格" priorityClassName: system-cluster-critical containers: - name: kubernetes-dashboard image: siriuszg/kubernetes-dashboard-amd64:v1.8.3 resources: "资源分配" limits: cpu: 100m "最大cpu0.1核" memory: 300Mi "最大内存300M" requests: cpu: 50m "请求资源信息" memory: 100Mi ports: - containerPort: 8443 "" protocol: TCP args: # PLATFORM-SPECIFIC ARGS HERE - --auto-generate-certificates volumeMounts: "挂载数据卷" - name: kubernetes-dashboard-certs mountPath: /certs "挂载点" - name: tmp-volume mountPath: /tmp "挂载点" livenessProbe: "生命探针" httpGet: "类型为httpget" scheme: HTTPS path: / port: 8443 initialDelaySeconds: 30 "初始化延时" timeoutSeconds: 30 volumes: "宿主机提供数据卷的信息" - name: kubernetes-dashboard-certs secret: secretName: kubernetes-dashboard-certs - name: tmp-volume emptyDir: {} "挂载宿主机空目录" serviceAccountName: kubernetes-dashboard tolerations: - key: "CriticalAddonsOnly" operator: "Exists" 
[root@master dashboard2]# cat dashboard-service.yaml apiVersion: v1 kind: Service "资源类型service" metadata: name: kubernetes-dashboard namespace: kube-system labels: "资源标签" k8s-app: kubernetes-dashboard kubernetes.io/cluster-service: "true" addonmanager.kubernetes.io/mode: Reconcile spec: "资源规格" type: NodePort "暴露端口类型" selector: k8s-app: kubernetes-dashboard ports: - port: 443 targetPort: 8443 "对外协议https" nodePort: 30001 "对外暴露的端口" //创建角色 [root@master dashboard]# kubectl create -f dashboard-rbac.yaml role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created //创建证书 [root@master dashboard]# kubectl create -f dashboard-secret.yaml secret/kubernetes-dashboard-certs created secret/kubernetes-dashboard-key-holder created //创建配置文件 [root@master dashboard]# kubectl create -f dashboard-configmap.yaml configmap/kubernetes-dashboard-settings created //创建核心资源 [root@master dashboard]# kubectl create -f dashboard-controller.yaml serviceaccount/kubernetes-dashboard created deployment.apps/kubernetes-dashboard created //创建dashboard服务 [root@master dashboard]# kubectl create -f dashboard-service.yaml service/kubernetes-dashboard created [root@master dashboard]# kubectl get pods -n kube-system NAME READY STATUS RESTARTS AGE kubernetes-dashboard-65f974f565-826hj 0/1 ContainerCreating 0 111s kuboard-78bcb484bc-6lxzm 1/1 Running 0 8d "主要看上面一个,上面一个是刚创建的, kuboard-78bcb484bc-6lxzm这个是之前创建的kuboard资源,也是K8S的Web界面,具体可以看上面一篇博客" [root@master dashboard]# kubectl get pods,svc -n kube-system -o wide "pods信息" NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE pod/kubernetes-dashboard-65f974f565-826hj 0/1 ContainerCreating 0 3m43s <none> 192.168.100.180 <none> pod/kuboard-78bcb484bc-6lxzm 1/1 Running 0 8d 172.17.71.4 192.168.100.190 <none> "svc信息" NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR service/kubernetes-dashboard NodePort 10.0.0.233 <none> 443:30001/TCP 2m5s k8s-app=kubernetes-dashboard service/kuboard 
NodePort 10.0.0.185 <none> 80:32567/TCP 8d k8s.kuboard.cn/layer=monitor,k8s.kuboard.cn/name=kuboard [root@master dashboard]# ls dashboard-configmap.yaml dashboard-rbac.yaml dashboard-service.yaml dashboard-controller.yaml dashboard-secret.yaml k8s-admin.yaml [root@master dashboard]# kubectl get pods -n kube-system NAME READY STATUS RESTARTS AGE kubernetes-dashboard-65f974f565-826hj 1/1 Running 0 5m23s kuboard-78bcb484bc-6lxzm 1/1 Running 0 8d 创建token令牌登录
#Service Account为Pod中的进程和外部用户提供身份信息。所有的kubernetes集群中账户分为两类,Kubernetes管理的serviceaccount(服务账户): pod --> 访问--> apiserver 和useraccount(用户账户): 客户端--> 访问-->apiserver #RoleBinding可以将角色中定义的权限授予用户或用户组,RoleBinding包含一组权限列表(subjects),权限列表中包含有不同形式的待授予权限资源类型(users、groups、service accounts),RoleBinding适用于某个命名空间内授权,而 ClusterRoleBinding适用于集群范围内的授权。下面的 k8s-admin.yaml 通过 ClusterRoleBinding 把 dashboard-admin 这个服务账户绑定到内置的 cluster-admin ClusterRole,因此持有该账户 token 的人在整个集群范围内拥有完全控制权限。 [root@master dashboard2]# cat k8s-admin.yaml apiVersion: v1 kind: ServiceAccount "资源为服务账户类型" metadata: name: dashboard-admin "资源名称" namespace: kube-system "定义命名空间" --- kind: ClusterRoleBinding "资源类型为绑定集群角色类型" apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: dashboard-admin "资源名称" subjects: "权限列表" - kind: ServiceAccount "服务账号信息" name: dashboard-admin "用户名" namespace: kube-system "归属空间" roleRef: kind: ClusterRole name: cluster-admin apiGroup: rbac.authorization.k8s.io //创建认证令牌 [root@master dashboard]# kubectl create -f k8s-admin.yaml serviceaccount/dashboard-admin created clusterrolebinding.rbac.authorization.k8s.io/dashboard-admin created [root@master dashboard]# kubectl get secret -n kube-system NAME TYPE DATA AGE dashboard-admin-token-p6mbj kubernetes.io/service-account-token 3 11s default-token-5rbf4 kubernetes.io/service-account-token 3 9d kubernetes-dashboard-certs Opaque 0 6m14s kubernetes-dashboard-key-holder Opaque 2 6m14s kubernetes-dashboard-token-xm2lm kubernetes.io/service-account-token 3 5m46s kuboard-user-token-99c7z kubernetes.io/service-account-token 3 8d kuboard-viewer-token-nnhwq kubernetes.io/service-account-token 3 8d //查看token [root@master dashboard]# kubectl describe secret dashboard-admin-token-p6mbj -n kube-system token: 
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.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.T05TDtcbo9iG5H4A47L6iutla8BJDtkQE18RXflsJKHJicmWZJHMoGsCGde9A1hEwjT8rMEEwaDvHf4ncwoan4Njg4bqU49JvbUp5J8zZHjLjsuP7tq1xoRquUDcJJV4QFdKTEokHiDs6MOCamnBgfehMA1M-O0ttsDN4x8mEVJw5X4IIF-3OAjD5F1qmI6xoElpbL4ezKmnpL80tDAVGeZLh82KzQzHgbNK6wdTDybnd9hBASNM7IbbHO4o0okdMdNkreHrhvm6G1L52Sq8y_FlflGBuCF9plvQj8vhUb3dVbzAobYIM798dOYZhz8FyxqAyv4AiPqG0HaafIgbHg //查看kube-system所有资源,注意这里看到的资源名字会多一个 <资源类型/> [root@master ~]# kubectl get all -n kube-system NAME READY STATUS RESTARTS AGE pod/kubernetes-dashboard-65f974f565-826hj 1/1 Running 0 128m "web2" pod/kuboard-78bcb484bc-6lxzm 1/1 Running 0 8d "web1" NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/kubernetes-dashboard NodePort 10.0.0.233 <none> 443:30001/TCP 127m service/kuboard NodePort 10.0.0.185 <none> 80:32567/TCP 8d NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE deployment.apps/kubernetes-dashboard 1 1 1 1 128m deployment.apps/kuboard 1 1 1 1 8d NAME DESIRED CURRENT READY AGE replicaset.apps/kubernetes-dashboard-65f974f565 1 1 1 128m replicaset.apps/kuboard-78bcb484bc 1 1 1 8d /查看service服务 [root@master dashboard2]# kubectl get svc -n kube-system -o wide NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR kubernetes-dashboard NodePort 10.0.0.233 <none> 443:30001/TCP 6h26m k8s-app=kubernetes-dashboard kuboard NodePort 10.0.0.185 <none> 80:32567/TCP 8d k8s.kuboard.cn/layer=monitor,k8s.kuboard.cn/name=kuboard //查看证书资源 [root@master dashboard2]# kubectl get secret -n kube-system -o wide NAME TYPE DATA AGE dashboard-admin-token-p6mbj kubernetes.io/service-account-token 3 6h23m default-token-5rbf4 kubernetes.io/service-account-token 3 9d kubernetes-dashboard-certs Opaque 11 26m kubernetes-dashboard-key-holder Opaque 2 6h29m kubernetes-dashboard-token-mpft7 kubernetes.io/service-account-token 3 25m kuboard-user-token-99c7z kubernetes.io/service-account-token 3 8d kuboard-viewer-token-nnhwq kubernetes.io/service-account-token 3 8d //查看pod资源 
[root@master dashboard2]# kubectl get pod -n kube-system -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE kubernetes-dashboard-7dffbccd68-k62p8 1/1 Running 0 25m 172.17.96.7 192.168.100.180 <none> kuboard-78bcb484bc-6lxzm 1/1 Running 0 8d 172.17.71.4 192.168.100.190 <none> //以上可以看出 pod资源会被分配到下面各个节点,而secret和service资源不会分配到节点 //节点查看 [root@node1 ~]# docker ps -a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 32151b0d6e02 784cf2722f44 "/dashboard --insecu…" 28 minutes ago Up 28 minutes k8s_kubernetes-dashboard_kubernetes-dashboard-7dffbccd68-k62p8_kube-system_df252093-0973-11eb-b240-000c299fee79_0 5846bae9d0cf registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0 "/pause" 28 minutes ago Up 28 minutes k8s_POD_kubernetes-dashboard-7dffbccd68-k62p8_kube-system_df252093-0973-11eb-b240-000c299fee79_0 44370f163cf9 tomcat "catalina.sh run" 8 days ago Up 8 days k8s_tomcat_tomcat-5496486897-hfsmt_default_37d97252-02cb-11eb-b567-000c29a0cac9_0 4127b9764900 registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0 "/pause" 8 days ago Up 8 days k8s_POD_tomcat-5496486897-hfsmt_default_37d [root@node2 ~]# docker ps -a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 7d8e03cc3eb1 httpd "httpd-foreground" 8 days ago Up 8 days k8s_apache_apache-7f7d9c5d59-7cxc9_default_dc1177ef-02cb-11eb-b567-000c29a0cac9_0 f74805406e74 registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0 "/pause" 8 days ago Up 8 days k8s_POD_apache-7f7d9c5d59-7cxc9_default_dc1177e //节点里也没有service 和 secret 的信息,节点里只有两个dashboard的容器 Edge浏览器和谷歌浏览器访问dashboard问题: 解决: 创建自签证书 //修改dashboard核心配置文件 [root@master dashboard2]# vim dashboard-controller.yaml apiVersion: v1 kind: ServiceAccount metadata: labels: k8s-app: kubernetes-dashboard addonmanager.kubernetes.io/mode: Reconcile name: kubernetes-dashboard namespace: kube-system --- apiVersion: apps/v1 kind: Deployment metadata: name: kubernetes-dashboard namespace: kube-system labels: k8s-app: kubernetes-dashboard 
kubernetes.io/cluster-service: "true" addonmanager.kubernetes.io/mode: Reconcile spec: selector: matchLabels: k8s-app: kubernetes-dashboard template: metadata: labels: k8s-app: kubernetes-dashboard annotations: scheduler.alpha.kubernetes.io/critical-pod: '' seccomp.security.alpha.kubernetes.io/pod: 'docker/default' spec: priorityClassName: system-cluster-critical containers: - name: kubernetes-dashboard image: siriuszg/kubernetes-dashboard-amd64:v1.8.3 resources: limits: cpu: 100m memory: 300Mi requests: cpu: 50m memory: 100Mi ports: - containerPort: 8443 protocol: TCP args: # PLATFORM-SPECIFIC ARGS HERE - --auto-generate-certificates - --tls-key-file=dashboard-key.pem "添加秘钥,注意这里使用的是相对路径" - --tls-cert-file=dashboard.pem "添加证书注意这里使用的是相对路径" volumeMounts: - name: kubernetes-dashboard-certs mountPath: /certs - name: tmp-volume mountPath: /tmp livenessProbe: httpGet: scheme: HTTPS path: / port: 8443 initialDelaySeconds: 30 timeoutSeconds: 30 volumes: - name: kubernetes-dashboard-certs secret: secretName: kubernetes-dashboard-certs - name: tmp-volume emptyDir: {} serviceAccountName: kubernetes-dashboard tolerations: - key: "CriticalAddonsOnly" operator: "Exists" [root@master dashboard2]# cat dashboard-cert.sh cat > dashboard-csr.json <<EOF { "CN": "Dashboard", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing" } ] } EOF K8S_CA=$1 "注意这里的地址$1,传参路径,要用到的ca证书,我构建的群集证书地址为/root/k8s/k8s-cert/" cfssl gencert -ca=$K8S_CA/ca.pem -ca-key=$K8S_CA/ca-key.pem -config=$K8S_CA/ca-config.json -profile=kubernetes dashboard-csr.json | cfssljson -bare dashboard kubectl delete secret kubernetes-dashboard-certs -n kube-system kubectl create secret generic kubernetes-dashboard-certs --from-file=./ -n kube-system [root@master dashboard2]# bash dashboard-cert.sh /root/k8s/k8s-cert/ 2020/10/08 20:12:00 [INFO] generate received request 2020/10/08 20:12:00 [INFO] received CSR 2020/10/08 20:12:00 [INFO] generating key: rsa-2048 2020/10/08 
20:12:01 [INFO] encoded CSR 2020/10/08 20:12:01 [INFO] signed certificate with serial number 309539057863070921682777361742531447433771414641 2020/10/08 20:12:01 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements"). secret "kubernetes-dashboard-certs" deleted secret/kubernetes-dashboard-certs created //上面的 WARNING 是因为 dashboard-csr.json 里 hosts 为空,签出的证书不带任何主机名 //dashboard.csr; dashboard-csr.json; dashboard-key.pem; dashboard.pem 会生成这四个文件,其中 dashboard 只用到 dashboard-key.pem 和 dashboard.pem;脚本末尾的 --from-file=./ 会把当前目录下的全部文件(下面 ls 列出的 11 个)都放进 secret,这就是前面 kubectl get secret -o wide 输出里 kubernetes-dashboard-certs 的 DATA 为 11 的原因 [root@master dashboard2]# ls dashboard-cert.sh dashboard.csr dashboard.pem dashboard-service.yaml dashboard-configmap.yaml dashboard-csr.json dashboard-rbac.yaml k8s-admin.yaml dashboard-controller.yaml dashboard-key.pem dashboard-secret.yaml //重新加载资源配置 [root@master dashboard2]# kubectl apply -f dashboard-controller.yaml Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply serviceaccount/kubernetes-dashboard configured Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply deployment.apps/kubernetes-dashboard configured //查看证书 [root@master dashboard2]# kubectl get secret -n kube-system NAME TYPE DATA AGE dashboard-admin-token-p6mbj kubernetes.io/service-account-token 3 6h2m default-token-5rbf4 kubernetes.io/service-account-token 3 9d ... //查看token,复制令牌 [root@master dashboard2]# kubectl describe secret dashboard-admin-token-p6mbj -n kube-system
