019. Kubernetes binary deployment: the dashboard add-on

One: Modify the configuration file

1.1 Download and unzip

    [root@k8smaster01 ~]# cd /opt/k8s/work/kubernetes/
    [root@k8smaster01 kubernetes]# tar -xzvf kubernetes-src.tar.gz

Tip: The archive has already been unpacked on the k8smaster01 node, so the configuration can be modified directly.

1.2 Modify configuration

    [root@k8smaster01 ~]# cd /opt/k8s/work/kubernetes/cluster/addons/dashboard
    [root@k8smaster01 dashboard]# vi dashboard-service.yaml
    ……
      type: NodePort    # Add this line, use Node access
    ……
    # Use node to access dashboard

1.3 Switch to a domestic image mirror

    [root@k8smaster01 dashboard]# vi dashboard-controller.yaml
    ……
            image: mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1
    ……
Tip: Modify the image field in the yaml file to mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1.

Two: Create the dashboard

2.1 Create dashboard and check

    [root@k8smaster01 ~]# cd /opt/k8s/work/kubernetes/cluster/addons/dashboard
    [root@k8smaster01 dashboard]# kubectl apply -f .

2.2 View the assigned NodePort

    [root@k8smaster01 ~]# kubectl get deployment kubernetes-dashboard -n kube-system
    NAME                  READY    UP-TO-DATE    AVAILABLE    AGE
    kubernetes-dashboard  1/1      1             1            84s
    [root@k8smaster01 ~]# kubectl --namespace kube-system get pods -o wide
    [root@k8smaster01 ~]# kubectl get services kubernetes-dashboard -n kube-system

Tip: k8smaster02 NodePort 31181 is mapped to port 443 of dashboard pod.

2.3 View dashboard parameters

    [root@k8smaster01 ~]# kubectl exec --namespace kube-system -it kubernetes-dashboard-7848d45466-bgz94 -- /dashboard --help

Tip: The --authentication-mode of dashboard supports token and basic, and the default is token. If basic is used, kube-apiserver must be configured with --authorization-mode=ABAC and --basic-auth-file parameters.

Three: Dashboard verification methods

Because the default Kubernetes certificate may have expired, leaving the dashboard inaccessible, this experiment manually recreates the certificate after Kubernetes has been successfully deployed.

3.1 Create a certificate

    [root@k8smaster01 ~]# cd /opt/k8s/work/
    [root@k8smaster01 work]# openssl genrsa -out dashboard.key 2048
    [root@k8smaster01 work]# openssl rsa -passin pass:x -in dashboard.key -out dashboard.key
    [root@k8smaster01 work]# openssl req -new -key dashboard.key -out dashboard.csr
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Shanghai
    Locality Name (eg, city) [Default City]:Shanghai
    Organization Name (eg, company) [Default Company Ltd]:k8s
    Organizational Unit Name (eg, section) []:System
    [root@k8smaster01 work]# openssl x509 -req -sha256 -days 365 -in dashboard.csr -signkey dashboard.key -out dashboard.crt
    [root@k8smaster01 work]# openssl x509 -noout -text -in ./dashboard.crt    # View the certificate

3.2 Distribute certificates

    [root@k8smaster01 ~]# cd /opt/k8s/work
    [root@k8smaster01 work]# source /opt/k8s/bin/environment.sh
    [root@k8smaster01 work]# for all_ip in ${ALL_IPS[@]}
      do
        echo ">>> ${all_ip}"
        scp dashboard.* root@${all_ip}:/etc/kubernetes/cert
      done

3.3 Modify the default certificate configuration

    [root@k8smaster01 work]# cd /opt/k8s/work/kubernetes/cluster/addons/dashboard
    [root@k8smaster01 dashboard]# kubectl delete -f .    # Delete the dashboard that was created with the default certificate
    [root@k8smaster01 dashboard]# ll /etc/kubernetes/cert/dashboard.*
    -rw-r--r-- 1 root root 1.2K Jun 28 18:06 /etc/kubernetes/cert/dashboard.crt
    -rw-r--r-- 1 root root  976 Jun 28 18:06 /etc/kubernetes/cert/dashboard.csr
    -rw-r--r-- 1 root root 1.7K Jun 28 18:06 /etc/kubernetes/cert/dashboard.key

    [root@master dashboard]# kubectl create secret generic kubernetes-dashboard-certs --from-file="/etc/kubernetes/cert/dashboard.crt,/etc/kubernetes/cert/dashboard.key" -n kube-system    # Mount the new certificate to dashboard
    [root@master dashboard]# kubectl get secret kubernetes-dashboard-certs -n kube-system -o yaml    # View new certificate
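
A pre-flight check for the files created in 3.1, as an added example that is not part of the original post: it verifies that dashboard.key is not readable by group or others (the listing above shows it as -rw-r--r--), that dashboard.crt and dashboard.key belong together, and that the certificate is not about to expire. The function name check_dashboard_tls and the 30-day default threshold are assumptions made here.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for the dashboard TLS material.
# Usage: check_dashboard_tls <dir> [min_days_left]
# Expects <dir>/dashboard.crt and <dir>/dashboard.key as created in 3.1.

check_dashboard_tls() {
  local dir=$1 min_days=${2:-30} rc=0
  local crt="$dir/dashboard.crt" key="$dir/dashboard.key"

  [ -r "$crt" ] && [ -r "$key" ] || { echo "FAIL missing $crt or $key"; return 2; }

  # 1. The private key must not be accessible to group or others.
  #    Characters 5-10 of the ls mode string are the group/other bits.
  local perms
  perms=$(ls -ld "$key" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "FAIL $key is accessible to group/other ($perms); chmod 600 it"
    rc=1
  fi

  # 2. Certificate and key must belong together: compare their public keys.
  local crt_pub key_pub
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
    echo "FAIL $crt does not match $key"
    rc=1
  fi

  # 3. The certificate must stay valid for at least min_days more days.
  if ! openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "FAIL $crt expires within $min_days days"
    rc=1
  fi

  [ "$rc" -eq 0 ] && echo "OK $crt"
  return "$rc"
}
```

Call it as `check_dashboard_tls /etc/kubernetes/cert` on each node before creating the kubernetes-dashboard-certs secret; a non-zero exit status means at least one check failed.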

3.4 Redeploy the dashboard

    [root@k8smaster01 work]# cd /opt/k8s/work/kubernetes/cluster/addons/dashboard
    [root@master dashboard]# kubectl apply -f .
    [root@master dashboard]# kubectl get pods --namespace=kube-system | grep dashboard    # Confirm

3.5 Confirmation verification

    [root@k8smaster01 ~]# kubectl get deployment kubernetes-dashboard -n kube-system
    [root@k8smaster01 ~]# kubectl --namespace kube-system get pods -o wide
    [root@k8smaster01 ~]# kubectl get services kubernetes-dashboard -n kube-system

Tip: k8smaster03 NodePort 30938 is mapped to port 443 of dashboard pod.

Four: Access the dashboard

4.1 Import certificate

Import dashboard.crt into the IE browser and mark it as trusted. The import steps are omitted.

4.2 Access method

This experiment uses nodeIP:nodePort access.
Browser access: https://172.24.8.73:30938
Tip:
For more dashboard access methods and authentication, please refer to "Attachment 004. Introduction and Use of Kubernetes Dashboard".
The entire process of dashboard login can be referred to: https://www.cnadn.net/post/2613.htm
Please refer to 3.4 for apiserver mode and 3.5 for Kubeconfig verification mode in "Attachment 006. Kubernetes Identity Authentication".

Five: Verification methods

5.1 Create token

    [root@k8smaster01 ~]# kubectl create sa dashboard-admin -n kube-system
    [root@k8smaster01 ~]# kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
    [root@k8smaster01 ~]# ADMIN_SECRET=$(kubectl get secrets -n kube-system | grep dashboard-admin | awk '{print $1}')
    [root@k8smaster01 ~]# DASHBOARD_LOGIN_TOKEN=$(kubectl describe secret -n kube-system ${ADMIN_SECRET} | grep -E '^token' | awk '{print $2}')
    [root@k8smaster01 ~]# echo ${DASHBOARD_LOGIN_TOKEN}    # The token to enter at login
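
The token created in 5.1 is a JWT, so what it asserts can be read from its payload. This added example (not part of the original post) decodes a constructed token shaped like the dashboard-admin one and reports its subject and whether it carries an expiry claim. The function names and the sample claims are assumptions made here.

```bash
#!/usr/bin/env bash
# Added example: inspect what a service-account token asserts before handing it out.

# Decode the payload (second dot-separated segment) of a JWT to JSON.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  # base64url drops '=' padding; restore it so base64 -d accepts the input.
  case $(( ${#seg} % 4 )) in
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print the token's subject and whether it carries an expiry ("exp") claim.
sa_token_summary() {
  local json sub
  json=$(jwt_payload "$1") || return 1
  sub=$(printf '%s' "$json" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p')
  if printf '%s' "$json" | grep -q '"exp":'; then
    echo "$sub expires=yes"
  else
    echo "$sub expires=no"
  fi
}

# Constructed sample: claims shaped like a secret-based service-account token
# for the dashboard-admin account; the signature segment is a dummy value.
sample_claims='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","kubernetes.io/serviceaccount/service-account.name":"dashboard-admin","sub":"system:serviceaccount:kube-system:dashboard-admin"}'
sample_token="eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.$(printf '%s' "$sample_claims" | base64 | tr -d '=\n' | tr '/+' '_-').c2ln"

sa_token_summary "$sample_token"
```

Run `sa_token_summary "${DASHBOARD_LOGIN_TOKEN}"` against the real token: a secret-based token reports expires=no, so together with the cluster-admin binding above it stays a full-privilege credential until the secret or the binding is deleted.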

5.2 Create kubeconfig file

Using tokens is relatively complicated. You can add tokens to the kubeconfig file and use the KubeConfig file to access the dashboard.

    [root@k8smaster01 ~]# cd /opt/k8s/work/
    [root@k8smaster01 work]# source /opt/k8s/bin/environment.sh
    [root@k8smaster01 work]# kubectl config set-cluster kubernetes \
      --certificate-authority=/etc/kubernetes/cert/ca.pem \
      --embed-certs=true \
      --server=${KUBE_APISERVER} \
      --kubeconfig=dashboard.kubeconfig    # Set cluster parameters
    [root@k8smaster01 work]# kubectl config set-credentials dashboard_user \
      --token=${DASHBOARD_LOGIN_TOKEN} \
      --kubeconfig=dashboard.kubeconfig    # Set the client authentication parameters, using the token created above
    [root@k8smaster01 work]# kubectl config set-context default \
      --cluster=kubernetes \
      --user=dashboard_user \
      --kubeconfig=dashboard.kubeconfig    # Set context parameters
    [root@k8smaster01 work]# kubectl config use-context default --kubeconfig=dashboard.kubeconfig    # Set the default context; import dashboard.kubeconfig in the browser to log in with this file

Six: Official login

6.1 kubeconfig access

Browser access: https://172.24.8.73:30938

Tip: Because the Heapster plug-in is not installed, the dashboard currently cannot display statistics and charts such as Pod and Node CPU and memory usage.


Origin blog.csdn.net/qq_45533800/article/details/112387319