Installing the Dashboard v2.0.0 Web UI on Kubernetes

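I. Dashboard overview

Dashboard is a web-based user interface for Kubernetes. You can use it to deploy containerized applications to a Kubernetes cluster, troubleshoot containerized applications, and manage cluster resources. It gives an overview of the applications running on the cluster and lets you create or modify individual Kubernetes resources. Dashboard also shows the state of the Kubernetes resources in the cluster and any errors that may have occurred.

There are usually four ways to manage cluster resources in Kubernetes: the command line, YAML, the API, and a graphical interface. Each suits different users and scenarios. They compare as follows: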

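  • Command-line kubectl: kubectl manages Kubernetes resources from the command line
    • Pros: convenient and quick for managing cluster resources
    • Cons: relatively limited functionality; some operations are not supported; there is a learning curve
  • YAML resource definitions: the form everything in Kubernetes is ultimately converted to, and the recommended approach
    • Pros: full-featured; can define every Kubernetes object and resource
    • Cons: high barrier to entry; requires specialist skills; hard to troubleshoot
  • API access: SDKs for various programming languages make it easy for applications to integrate
    • Pros: supports many languages, such as Java, Go, Python and C, which eases development against Kubernetes
    • Cons: high barrier to entry; suited to developers
  • Graphical kubernetes-dashboard: a graphical management UI that can use metrics-server to monitor nodes and pods
    • Pros: simple and convenient; suitable for general users.
    • Cons: relatively basic, bare-bones functionality; suited to demos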

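II. Installing Dashboard

1. Download and install

1. Download

Official site: https://github.com/kubernetes/dashboard

Download the YAML file. Note: be sure to choose the Dashboard release that matches your Kubernetes version. Dashboard is currently updated more slowly than Kubernetes, and many releases are no longer compatible with mainstream Kubernetes versions. Here we deploy v2.0-beta3.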

wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta3/aio/deploy/recommended.yaml
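2. Edit recommended.yaml

Edit the YAML file and add the following configuration (nodeName: server88 in the Deployment Pod specs) so that the Pods are pinned to the server88 node, which currently has plenty of free memory.

Change the Service from the default ClusterIP type to NodePort and add host port 31009. This maps a port on the host to the Dashboard container, so Dashboard is reached through port 31009 on the host.

The configuration file is as follows (vim recommended.yaml):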

# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard

---

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 31009
  selector:
    k8s-app: kubernetes-dashboard

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
type: Opaque

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
type: Opaque
data:
  csrf: ""

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
type: Opaque

---

kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
    # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      nodeName: server88
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.0.0-beta3
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
    spec:
      nodeName: server88
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.1
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
          - mountPath: /tmp
            name: tmp-volume
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}

Start Dashboard

Change into the directory that contains recommended.yaml and run kubectl create -f .

Check that it started successfully by running kubectl get pod -o wide -n kubernetes-dashboard

Open https://192.168.0.88:31009 in a browser.

Note: the page must be accessed over HTTPS.

2. Logging in with token authentication

1. Create the Dashboard ServiceAccount manifest

k8s-dashboard-token.yaml

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: admin
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
2. Deploy the ServiceAccount used for access
 kubectl apply -f k8s-dashboard-token.yaml
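3. Get the token

A brief explanation: the command in parentheses only looks up the secret associated with admin-user (the user created earlier), and the full command then shows that secret's details. You can also run the two steps separately: first run kubectl -n kube-system get secret | grep admin-user to find the secret name, then run kubectl -n kube-system describe secret xxx (where xxx is the secret name found in the first step). With the manifest above the ServiceAccount is named admin, so the command below greps for admin.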

    kubectl describe secret $(kubectl get secret -n kube-system |grep admin|awk '{print $1}') -n kube-system


III. Access test

IV. Using Dashboard

1. Log in

Address: https://192.168.0.88:31009 (note: at present the web UI can only be opened in Firefox)

Run the following command on server88 to get the token:

[docker@server88 dashboard]$ kubectl describe secret $(kubectl get secret -n kube-system |grep admin|awk '{print $1}') -n kube-system


2. Starting and stopping

Stop Dashboard: delete all deployed resources

[docker@server88 ~]$ cd k8s_yaml/dashboard
[docker@server88 dashboard]$ kubectl  delete -f .

Start Dashboard:

[docker@server88 ~]$ cd k8s_yaml/dashboard
[docker@server88 dashboard]$ kubectl create -f .
3. Usage

1. View the cluster overview, which shows resources across the whole cluster

2. Delete resources

3. Increase the replica count

4. Edit YAML online

5. View container logs

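V. Error summary:

1. The most important and most easily missed error: version incompatibility

Symptom: Dashboard deploys smoothly with no errors, but the Dashboard web UI cannot be accessed.

Be sure to choose the Dashboard release that matches your K8s version. Dashboard is currently updated more slowly than Kubernetes, and many releases are no longer compatible with mainstream Kubernetes versions.

The Dashboard releases compatible with each Kubernetes version can be found on GitHub: https://github.com/kubernetes/dashboard/releases?after=v2.0.0-beta4

The previously installed version was v1.10.1, which is only compatible with versions 1.8 1.9 1.13; switching to v2.0.0 solved the problem.

2. After entering the Dashboard web page there is no data and no resources can be viewed

The cluster information is not shown because of insufficient permissions. Put simply, the token used to log in does not carry permission to view cluster information. What we need is a token with access to the whole cluster, that is, the token of a user who is a super administrator.

Fix: use the following manifest to create an account with access to the entire cluster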

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: admin
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
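
The difference between the two accounts can be seen by evaluating their rules. The following is an added example, not part of the original article: a simplified model of RBAC rule matching over a subset of the rules in recommended.yaml and the cluster-admin wildcard rule. It assumes, for illustration, that the empty UI came from logging in as the kubernetes-dashboard ServiceAccount; the function and variable names are hypothetical.

```python
# Simplified model of RBAC rule matching (illustrative, not Kubernetes' own code).
# Rules are copied from the manifests on this page; cluster-admin is the
# built-in wildcard rule. Subresources and nonResourceURLs are ignored.
DASHBOARD_ROLE = [  # Role: applies only inside namespace kubernetes-dashboard
    {"apiGroups": [""], "resources": ["secrets"],
     "resourceNames": ["kubernetes-dashboard-key-holder",
                       "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"],
     "verbs": ["get", "update", "delete"]},
    {"apiGroups": [""], "resources": ["configmaps"],
     "resourceNames": ["kubernetes-dashboard-settings"], "verbs": ["get", "update"]},
]
DASHBOARD_CLUSTERROLE = [
    {"apiGroups": ["metrics.k8s.io"], "resources": ["pods", "nodes"],
     "verbs": ["get", "list", "watch"]},
]
CLUSTER_ADMIN = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]

# account -> list of (namespace the binding covers, rules); None = cluster-wide
GRANTS = {
    "kubernetes-dashboard:kubernetes-dashboard": [
        ("kubernetes-dashboard", DASHBOARD_ROLE), (None, DASHBOARD_CLUSTERROLE)],
    "kube-system:admin": [(None, CLUSTER_ADMIN)],
}

def matches(value, allowed):
    return "*" in allowed or value in allowed

def rule_allows(rule, verb, group, resource, name=None):
    if not (matches(verb, rule["verbs"]) and matches(group, rule["apiGroups"])
            and matches(resource, rule["resources"])):
        return False
    names = rule.get("resourceNames")
    # A rule limited by resourceNames does not match a request without a name,
    # such as a plain list.
    return not names or name in names

def can_i(account, verb, group, resource, namespace, name=None):
    for scope, rules in GRANTS.get(account, []):
        if scope is not None and scope != namespace:
            continue  # namespaced binding, different namespace
        if any(rule_allows(r, verb, group, resource, name) for r in rules):
            return True
    return False

if __name__ == "__main__":
    dash, admin = "kubernetes-dashboard:kubernetes-dashboard", "kube-system:admin"
    print(can_i(dash, "list", "", "pods", "default"))   # Dashboard's own account
    print(can_i(admin, "delete", "", "secrets", "kube-system", "any-secret"))
```
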
3. Changing the k8s dashboard token expiry time

Add --token-ttl=43200 under args, then click update to redeploy the Deployment
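
--token-ttl bounds the session that Dashboard issues after login; the ServiceAccount token pasted into the login form is a separate JWT with its own claims. The following added example (not part of the original article) decodes those claims without verifying the signature, showing which account a token identifies and whether it carries an expiry. The sample token is constructed for the example with a dummy signature, and the function names are hypothetical.

```python
import base64
import json
import time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))

def describe(token: str, now=None) -> dict:
    claims = token_claims(token)
    prefix = "kubernetes.io/serviceaccount/"
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is None:
        expires = "never (no exp claim)"
    else:
        expires = "expired" if exp <= now else f"in {int(exp - now)}s"
    return {
        "namespace": claims.get(prefix + "namespace"),
        "service_account": claims.get(prefix + "service-account.name"),
        "secret": claims.get(prefix + "secret.name"),
        "subject": claims.get("sub"),
        "expires": expires,
    }

# Constructed sample: claim layout of a secret-based ServiceAccount token,
# with a dummy signature. Not a real credential.
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/secret.name": "admin-token-example",
    "kubernetes.io/serviceaccount/service-account.name": "admin",
    "sub": "system:serviceaccount:kube-system:admin",
}
SAMPLE_TOKEN = ".".join([
    b64url(json.dumps({"alg": "RS256", "kid": ""}).encode()),
    b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    b64url(b"not-a-real-signature"),
])

if __name__ == "__main__":
    for key, value in describe(SAMPLE_TOKEN).items():
        print(f"{key}: {value}")
```

A token of this kind has no exp claim, so it stays valid until its secret or ServiceAccount is deleted, whatever value --token-ttl has.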


Reposted from blog.csdn.net/weixin_43876317/article/details/105265758