dashboard installation and deployment
Because k8s.gcr.io is blocked by the Great Firewall, add a step that pulls the image from a domestic mirror and retags it under the name the manifest expects. A tag is only a name: retagging does not prove that the mirror's image is the upstream one, so compare its digest before rolling it out.
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1 k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
# copy the image to the other nodes
docker save k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1 -o dashboard.tar
scp dashboard.tar 10.0.0.51:/root/
# on each other node, import the image
docker load -i dashboard.tar
docker image ls | grep k8s.gcr.io/kubernetes-dashboard-amd64
The deployment itself is a single command:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
[root@master ~]# kubectl get svc -n kube-system   # note that the Service type is ClusterIP
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 15d
kubernetes-dashboard ClusterIP 10.111.228.197 <none> 443/TCP 20m
The dashboard Service is created as ClusterIP by default. Patch it to NodePort so it can be reached from outside the cluster (an Ingress would work as well):
kubectl patch svc -n kube-system kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}'
[root@master ~]# kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 15d
kubernetes-dashboard NodePort 10.111.228.197 <none> 443:32094/TCP 23m
Pitfall: the page cannot be opened; the browser reports NET::ERR_CERT_INVALID.
The fix adopted here is to generate a certificate by hand.
Describing the Secret shows why: it contains no certificate at all, the Data section is empty.
kubectl describe secret kubernetes-dashboard-certs -n kube-system
Name: kubernetes-dashboard-certs
Namespace: kube-system
Labels: k8s-app=kubernetes-dashboard
Annotations:
Type: Opaque
Data
====
Create the dashboard certificate. It is signed by the cluster CA, but the CA key is referenced in place rather than copied into the dashboard directory: that directory is about to be hostPath-mounted into the dashboard pod and shipped to every node, and the CA private key must not travel with it. Chrome 58 and later ignore the CN for hostname matching and require a subjectAltName, so add a SAN extension if the browser still rejects the name.
mkdir -pv /etc/kubernetes/pki/dashboard && cd /etc/kubernetes/pki/dashboard
(umask 077; openssl genrsa -out dashboard.key 2048)
openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=wangtianpei/CN=dashboard"   # if you will access the dashboard by domain name, the CN must match that name
openssl x509 -req -in dashboard.csr -CA ../ca.crt -CAkey ../ca.key -CAcreateserial -out dashboard.crt -days 3650
# copy to every node (only dashboard.key and dashboard.crt are needed there)
scp -r /etc/kubernetes/pki/dashboard/ node01:/etc/kubernetes/pki/
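The certificate step above, as an added example that is not part of the original post: a throwaway CA stands in for the cluster's ca.crt and ca.key (so it runs anywhere openssl is installed), the leaf certificate gets the subjectAltName that current browsers require in addition to the CN, and a few checks confirm the result before the directory is copied to the nodes and mounted into the pod. The names dashboard.example.com and 10.0.0.50, the stand-in CA and the check functions are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): issue a dashboard serving
# certificate with a subjectAltName, verify it against the CA, and confirm that
# the directory to be hostPath-mounted holds only the leaf key and cert.
# Assumptions: openssl 1.1.1 or newer on PATH; a throwaway CA is generated here
# as a stand-in for the cluster's /etc/kubernetes/pki/ca.crt and ca.key.

# make_ca CADIR: self-signed CA with basicConstraints CA:TRUE (constructed stand-in)
make_ca() {
  mkdir -p "$1"
  (umask 077; openssl genrsa -out "$1/ca.key" 2048 2>/dev/null)
  openssl req -new -key "$1/ca.key" -subj "/CN=kubernetes" -out "$1/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.cnf"
  openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -days 365 \
    -extfile "$1/ca.cnf" -out "$1/ca.crt" 2>/dev/null
  rm -f "$1/ca.csr" "$1/ca.cnf"
}

# make_dashboard_cert DIR CADIR CN DNSNAME IP: key, CSR and CA-signed cert.
# "openssl x509 -req" ignores extensions in the CSR, so the SAN that browsers
# require is supplied with -extfile at signing time. Only the leaf key and cert
# are left in DIR: the CA key stays in CADIR and never enters the hostPath dir.
make_dashboard_cert() {
  local dir=$1 cadir=$2 cn=$3 dnsname=$4 ip=$5
  mkdir -p "$dir"
  (umask 077; openssl genrsa -out "$dir/dashboard.key" 2048 2>/dev/null)
  openssl req -new -key "$dir/dashboard.key" -subj "/O=wangtianpei/CN=$cn" \
    -out "$dir/dashboard.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' "$dnsname" "$ip" > "$dir/san.cnf"
  openssl x509 -req -in "$dir/dashboard.csr" -CA "$cadir/ca.crt" -CAkey "$cadir/ca.key" \
    -CAcreateserial -days 3650 -extfile "$dir/san.cnf" -out "$dir/dashboard.crt" 2>/dev/null
  rm -f "$dir/dashboard.csr" "$dir/san.cnf"
}

# cert_has_san DIR TEXT: 0 if TEXT (e.g. "DNS:dashboard.example.com") is in the SAN
cert_has_san() {
  openssl x509 -in "$1/dashboard.crt" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | grep -q -- "$2"
}

# cert_chains_to DIR CADIR: 0 if the leaf verifies against the CA
cert_chains_to() {
  openssl verify -CAfile "$2/ca.crt" "$1/dashboard.crt" >/dev/null 2>&1
}

# key_matches_cert DIR: 0 if dashboard.key is the private half of dashboard.crt
key_matches_cert() {
  local a b
  a=$(openssl pkey -in "$1/dashboard.key" -pubout 2>/dev/null)
  b=$(openssl x509 -in "$1/dashboard.crt" -noout -pubkey 2>/dev/null)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# mount_dir_is_clean DIR: 0 if the hostPath directory has the leaf key and cert
# and no CA private key, i.e. it is safe to mount into the dashboard pod
mount_dir_is_clean() {
  [ -f "$1/dashboard.key" ] && [ -f "$1/dashboard.crt" ] && [ ! -e "$1/ca.key" ]
}

# report CHECK ARGS...: print one line per check
report() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; fi; }

# Stand-alone run: throwaway PKI in a temp dir, then the four checks.
run_demo() {
  local work
  work=$(mktemp -d)
  make_ca "$work/pki"
  make_dashboard_cert "$work/pki/dashboard" "$work/pki" dashboard dashboard.example.com 10.0.0.50
  report cert_has_san "$work/pki/dashboard" DNS:dashboard.example.com
  report cert_chains_to "$work/pki/dashboard" "$work/pki"
  report key_matches_cert "$work/pki/dashboard"
  report mount_dir_is_clean "$work/pki/dashboard"
  rm -rf "$work"
}
run_demo
```

Against a real cluster, drop make_ca and point CADIR at /etc/kubernetes/pki; the remaining functions apply unchanged. mount_dir_is_clean is the check that fails when ca.key has been copied into the directory that gets mounted into the pod.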
Here the certificate is mounted into the pod as a hostPath volume.
# download the dashboard manifest
wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
Everything in the file that relates to the kubernetes-dashboard-certs Secret is commented out. First the Secret itself at the top of the manifest (lines 17 to 26):
#apiVersion: v1
#kind: Secret
#metadata:
#  labels:
#    k8s-app: kubernetes-dashboard
#  name: kubernetes-dashboard-certs
#  namespace: kube-system
#type: Opaque
#
#---
Then the Secret-backed volume in the Deployment (lines 136 to 138), which is replaced by a hostPath volume of the same name so the container's existing volumeMount keeps working:
#      - name: kubernetes-dashboard-certs
#        secret:
#          secretName: kubernetes-dashboard-certs
      - name: kubernetes-dashboard-certs
        hostPath:
          path: /etc/kubernetes/pki/dashboard
          type: Directory
Finally, in the Service at the end of the file, add the type under spec (line 165) so the patch step above is no longer needed:
  type: NodePort
With type: Directory the path must already exist on every node the pod can be scheduled to, otherwise the volume mount fails and the pod never starts; that is why the directory was copied to each node above.
Create a dashboard
[root@master ~]# kubectl apply -f kubernetes-dashboard.yaml
serviceaccount/kubernetes-dashboard created
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
deployment.apps/kubernetes-dashboard created
service/kubernetes-dashboard created
[root@master ~]# kubectl get pod kubernetes-dashboard-64fc96f8b4-bm999 -n kube-system
NAME READY STATUS RESTARTS AGE
kubernetes-dashboard-64fc96f8b4-bm999 1/1 Running 0 28s
[root@master ~]# kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 26d
kubernetes-dashboard NodePort 10.101.252.179 <none> 443:31515/TCP 77s
Open https://10.0.0.50:31515 in the browser.
The dashboard offers two login methods:
- kubeconfig
- token
Token authentication
Create a ServiceAccount called dashboard-admin in the kube-system namespace and bind it to the built-in cluster-admin ClusterRole with a ClusterRoleBinding. Anyone who obtains this token has full control of the cluster, so treat it as the root credential it is; the namespace-scoped token described further down is the least-privilege alternative.
cat > dashboard-admin.yaml << EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-admin
  namespace: kube-system
---
kind: ClusterRoleBinding
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 works on every supported release
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dashboard-admin
subjects:
- kind: ServiceAccount
  name: dashboard-admin
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
EOF
[root@master ~]# kubectl apply -f dashboard-admin.yaml
serviceaccount/dashboard-admin created
clusterrolebinding.rbac.authorization.k8s.io/dashboard-admin created
View the token Secret that was generated for the ServiceAccount. (On Kubernetes 1.24 and later no token Secret is created automatically; use kubectl create token dashboard-admin -n kube-system instead, or create a Secret of type kubernetes.io/service-account-token by hand.)
[root@master ~]# kubectl get secret -n kube-system |grep dashboard-admin
dashboard-admin-token-twrjp kubernetes.io/service-account-token 3 80s
[root@master ~]# kubectl describe secret dashboard-admin-token-twrjp -n kube-system
Name: dashboard-admin-token-twrjp
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: dashboard-admin
kubernetes.io/service-account.uid: 4c2caffd-37fe-49ae-a443-d0b3e345da07
Type: kubernetes.io/service-account-token
Data
====
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.….OEaz9gm3ZB3jVxc4sp4peD4XwO-zPg5on4yV0u4UKpKa6mQcNF0qJ5f1mMO6AztZUPLSgsd46tu1p1ZOEh3FFCdlw7fRT2DSZsPFHP-4ahlJcEVD1egBHnQlvdoEo1Rhxkji157QjegCIu09TPe8m-2cd5Mlw_5rlOnMcJyJuGvyUIIqUi00AHXilEZ1kiI939HhKfqzJtnXwgNUEhmKcNHboGPt7yoKEaMHio-uHQoyQVUXSPXUWhvFtCq1La25oDJBV5SMO5cq3PqqDnCaPMNDLslMh8lv5mYzMvdrz-47hdhuMvc1-pR7LbD2J8hI0XxeAVWt9c4oATaQtj8vLA
ca.crt: 1025 bytes
namespace: 11 bytes
The token shown above is what you paste into the dashboard's token login.
Kubeconfig file authentication
Get the token. Note that in the Secret's data it is base64-encoded, not encrypted:
[root@master ~]# kubectl get secret dashboard-admin-token-twrjp -n kube-system -o jsonpath='{.data.token}'
Decode the token (the two commands can also be piped together with | base64 -d):
[root@master ~]# echo "<token printed by the previous command>" | base64 -d
Write the cluster information for dashboard-admin to /root/dashboard-admin.conf:
kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --server="https://10.0.0.50:6443" --embed-certs=true --kubeconfig=/root/dashboard-admin.conf
Add the user and its token to the same file:
kubectl config set-credentials dashboard-admin --token="<decoded token from above>" --kubeconfig=/root/dashboard-admin.conf
Create the context:
kubectl config set-context dashboard-admin@kubernetes --cluster=kubernetes --user=dashboard-admin --kubeconfig=/root/dashboard-admin.conf
Make it the current context:
kubectl config use-context dashboard-admin@kubernetes --kubeconfig=/root/dashboard-admin.conf
Review the resulting file:
kubectl config view --kubeconfig=/root/dashboard-admin.conf
You can now log in to the dashboard by uploading dashboard-admin.conf. The file embeds the cluster-admin token in clear text, so protect it exactly like the token itself.
Create a token with rights only in the default namespace
This differs very little from the previous procedure, so only the outline is given. Create a ServiceAccount in the target namespace, then bind it to the built-in admin ClusterRole with a RoleBinding: a RoleBinding confines the ClusterRole's permissions to the namespace the binding lives in, whereas a ClusterRoleBinding would grant them cluster-wide.
kubectl create serviceaccount def-ns-admin -n default
kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin   # note: a RoleBinding, not a ClusterRoleBinding
[root@master ~]# kubectl get secrets -n default
NAME TYPE DATA AGE
admin-token-zwzps kubernetes.io/service-account-token 3 47h
def-ns-admin-token-ftl5t kubernetes.io/service-account-token 3 100s
[root@master ~]# kubectl describe secrets def-ns-admin-token-ftl5t
Name: def-ns-admin-token-ftl5t
Namespace: default
Labels: <none>
Annotations: kubernetes.io/service-account.name: def-ns-admin
kubernetes.io/service-account.uid: 7da89bde-2c1f-4dd0-87a5-79ca9b9e5454
Type: kubernetes.io/service-account-token
Data
====
namespace: 7 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1mdGw1dCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI3ZGE4OWJkZS0yYzFmLTRkZDAtODdhNS03OWNhOWI5ZTU0NTQiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.utBN-Pc9ggRZAcfmQEW6sgHIxIGL8-m4xRy_YKw9LpGmfYMU9aGJcNh02fI4cPsoQhImisK36s3KqHudhD-Hdt9IsV0BnAMZsGYyjtdz_B8Z63MfobJO1EdpXQhXowtFDisVNdwJoyqgn9u8292gF2xOcUM6wG5MJMqvfzGoKVjlb-e4NUMrIj7GBN9rhiEj27dzh3jtjXlYB3hAOZh_sakh1Teuw1RQuiAlkQYNf6ixliYkT6Pz9_XRrpluLUVtVIC6Su7hTzvUn9MX6EzPs3ik8GqGw1O3AyEfxCb5390V6qsEd9iWLYoSZ-Ixl73QfGqls-cF3BBI9dSalYNbpQ
ca.crt: 1025 bytes
The token above logs in to the dashboard and can only see resources in the default namespace.
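The two base64 layers met above (the Secret's data field, then the JWT's own base64url segments) and the namespace-scoped token just shown, as an added example that is not from the original post. It constructs a token in the shape of the def-ns-admin token (with a fake signature, marked in the code) so that it runs without a cluster, decodes it with nothing but coreutils, and pulls out the claims that identify the ServiceAccount. The function names and sample values are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): what is inside a service account
# token Secret. The value in .data.token is base64 of the JWT; the JWT's middle
# segment is base64url JSON whose claims name the ServiceAccount.
# Assumptions: base64(1) from coreutils; the token below is CONSTRUCTED here
# with a placeholder signature, in the shape of the def-ns-admin token above.

# b64url: standard base64 -> base64url without padding, as JWT segments use
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }

SAMPLE_HEADER='{"alg":"RS256","kid":""}'
SAMPLE_CLAIMS='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","kubernetes.io/serviceaccount/secret.name":"def-ns-admin-token-ftl5t","kubernetes.io/serviceaccount/service-account.name":"def-ns-admin","sub":"system:serviceaccount:default:def-ns-admin"}'
# constructed JWT; "c2lnbmF0dXJl" is a placeholder, not a real RS256 signature
SAMPLE_JWT="$(printf '%s' "$SAMPLE_HEADER" | b64url).$(printf '%s' "$SAMPLE_CLAIMS" | b64url).c2lnbmF0dXJl"
# what "kubectl get secret ... -o jsonpath='{.data.token}'" prints: base64 of the JWT
SAMPLE_SECRET_DATA_TOKEN=$(printf '%s' "$SAMPLE_JWT" | base64 | tr -d '\n')

# decode_secret_token B64: strip the outer layer, same as "| base64 -d" above
decode_secret_token() { printf '%s' "$1" | base64 -d; }

# jwt_payload JWT: decode the claims segment (base64url, padding restored)
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="$seg="; done
  printf '%s' "$seg" | base64 -d
}

# jwt_claim JWT NAME: value of a string claim, empty if absent (no jq needed;
# good enough for the flat, comma-free claims a service account token carries)
jwt_claim() {
  jwt_payload "$1" | tr -d '{}' | tr ',' '\n' | grep -F "\"$2\":" | head -n 1 \
    | sed 's/^[^:]*:"\(.*\)"$/\1/'
}

# token_principal JWT: "<namespace>/<serviceaccount>" taken from the claims
token_principal() {
  printf '%s/%s' "$(jwt_claim "$1" kubernetes.io/serviceaccount/namespace)" \
                 "$(jwt_claim "$1" kubernetes.io/serviceaccount/service-account.name)"
}

# Stand-alone run: decode the constructed Secret value and show who it names.
jwt=$(decode_secret_token "$SAMPLE_SECRET_DATA_TOKEN")
echo "header:    $(printf '%s' "$jwt" | cut -d. -f1)"
echo "principal: $(token_principal "$jwt")"
echo "sub:       $(jwt_claim "$jwt" sub)"
```

The claims only say who the bearer is. Whether that identity may see one namespace or the whole cluster is decided by the RoleBinding or ClusterRoleBinding, which is why the two tokens on this page look alike yet differ in reach. Nothing here verifies the signature; the API server does that with the service account signing key.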
Reference links
https://www.ipyker.com/2019/06/16/kubernetes-dashboard