
kubeadm部署dashboard-2.0.0版本


kubeadm部署dashboard-2.0.0版本
# Generate the private key for the dashboard TLS certificate (2048-bit RSA).
# Protect this file: whoever holds it can impersonate every *.od.com host.
# Keep it mode 0600 and only on the machine that creates the Secret from it.
[root@yunwei CA]# openssl genrsa -out od.com.key 2048

# Issue a self-signed certificate with the wildcard CN=*.od.com, valid 10 years.
# NOTE(review): no Subject Alternative Name is set. Current browsers ignore the
# CN and will warn (or refuse) on a SAN-less certificate; add one, e.g.
#   -addext "subjectAltName=DNS:*.od.com,DNS:od.com"   (OpenSSL >= 1.1.1)
# or sign with an internal CA the clients already trust. A 10-year self-signed
# wildcard is also a wide blast radius if the key leaks; prefer shorter lifetimes.
# Quote the -subj argument so the shell can never glob the `*`.
[root@yunwei CA]# openssl req -new -x509 -days 3650 -key od.com.key -out od.com.crt -subj /C=CN/ST=Beijing/O=DevOps/CN=*.od.com

# Fetch the upstream dashboard manifest first (v2.0.3 of the manifest; the image
# used below is tagged v2.0.0 — confirm the pair is intended). Keep a reviewed
# copy in version control rather than re-downloading at deploy time.
[root@master01 deploy]# wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.3/aio/deploy/recommended.yaml

# Point the image at the private Harbor registry before applying. The Harbor
# imagePullSecret is assumed to exist already; its creation is not shown here.
[root@master01 deploy]# kubectl apply -f recommended.yaml

# To reach the dashboard from outside the cluster, add the certificate and expose
# the Service: edit recommended.yaml as shown in the two fragments below.
[root@master01 deploy]# vi recommended.yaml
。。。。。。。。。。。。。。。。。。。。。。。。。。
# Dashboard Service, switched from ClusterIP to NodePort so it is reachable from
# outside the cluster. NOTE(review): a NodePort is opened on EVERY node's IP, so
# anything that can reach any node on 30008 gets the dashboard login page.
# Restrict it with host firewall / security-group rules, or keep the Service as
# ClusterIP once the Ingress below is in place (an Ingress does not need it).
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort     # expose on a node port instead of cluster-internal only
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30008  # node port 30008 (not 3008); must lie in the cluster's node-port range, 30000-32767 by default
  selector:
    k8s-app: kubernetes-dashboard
。。。。。。。。。。。。。。。。。。。。。。。。。。。。
spec:
      containers:
        - name: kubernetes-dashboard
          image: harbor.od.com/kubeadm/dashboard:v2.0.0   # private-registry copy; pin by digest (@sha256:...) to make the rollout reproducible
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          command:                                # added: explicit entrypoint
            - /dashboard                          # added
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            - --token-ttl=3600                    # added: lifetime in seconds of the dashboard's own encrypted session token, i.e. how long a login stays valid. It does NOT shorten the ServiceAccount bearer token that is pasted at login.
            - --bind-address=0.0.0.0              # added: listen on all pod interfaces
            - --tls-cert-file=od.com.crt          # added: file name must equal the key under which the cert is stored in the Secret mounted at /certs. NOTE(review): that Secret is `kubernetes-dashboard-certs` (see volumes below), not the `dashboard-ingress-secret` created later; unless it has been populated with an `od.com.crt` key the file is absent and --auto-generate-certificates takes over. Check the pod log.
            - --tls-key-file=od.com.key           # added: same rule and caveat for the private key
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs                  # default --default-cert-dir; --tls-cert-file/--tls-key-file are resolved relative to it
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:                       # unprivileged, non-root, read-only root filesystem — keep these as shipped upstream
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs  # Secret projected at /certs; the upstream manifest defines it with no data, so populate it (kubectl create secret generic kubernetes-dashboard-certs --from-file=od.com.crt --from-file=od.com.key -n kubernetes-dashboard, after deleting the empty one) if the files above are meant to be used — verify with `kubectl get secret kubernetes-dashboard-certs -n kubernetes-dashboard -o yaml`
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。


在kubernetes-dashboard名称空间创建secret,作为配置dashboard的ingress
# Create the TLS Secret the Ingress will serve.
# NOTE(review): `secret generic --from-file` stores the files under the keys
# od.com.crt / od.com.key, but an Ingress TLS Secret has to be type
# kubernetes.io/tls with the keys tls.crt / tls.key. ingress-nginx (the class
# used below) cannot load this Secret and falls back to its default fake
# certificate. Create it as a TLS Secret instead:
#   kubectl create secret tls dashboard-ingress-secret --cert=od.com.crt --key=od.com.key -n kubernetes-dashboard
[root@master01 tls]# kubectl create secret generic dashboard-ingress-secret --from-file=od.com.crt --from-file=od.com.key -n  kubernetes-dashboard

# Re-apply the edited manifest so the changed Service type and container args
# take effect (the Deployment's pod template changed, so the pods are replaced).
[root@master01 deploy]# kubectl apply -f recommended.yaml

# Confirm the dashboard Service is now NodePort on 30008.
[root@master01 tls]# kubectl get svc -n kubernetes-dashboard
NAME                        TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
dashboard-metrics-scraper   ClusterIP   10.97.189.115          8000/TCP        49m
kubernetes-dashboard        NodePort    10.101.20.126          443:30008/TCP   49m

# With the NodePort in place the dashboard is reachable from outside the cluster
# at https://<node-ip>:30008, e.g. https://10.4.7.51:30008 — the port is 30008,
# not 3008, and every node serves it, not only 10.4.7.51.


# A hostname is friendlier for browsers, so front the Service with an Ingress.
# Ingress definition for the dashboard:
[root@master01 deploy]# cat dashboard-ingress.yaml 
# Ingress that fronts the dashboard Service on dashboard.od.com with TLS.
# NOTE(review): extensions/v1beta1 Ingress is deprecated and was removed in
# Kubernetes 1.22. On 1.19+ write it as networking.k8s.io/v1: the
# `kubernetes.io/ingress.class` annotation becomes `spec.ingressClassName`, and
# the backend becomes `service: {name: ..., port: {number: 443}}`; the
# nginx.ingress.kubernetes.io/* annotations are unchanged.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-dashboard
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # enable regex matching for `path` (not needed for the plain "/" path used here)
    nginx.ingress.kubernetes.io/use-regex: "true"
    # rewriting "/" to "/" is a no-op; harmless, but can be dropped
    nginx.ingress.kubernetes.io/rewrite-target: /
    # always redirect plain HTTP to HTTPS so the login token is never sent in clear
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # the dashboard only speaks HTTPS on 8443, so re-encrypt towards the backend
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
    - dashboard.od.com
    secretName: dashboard-ingress-secret   # must be a kubernetes.io/tls Secret (keys tls.crt / tls.key) in this namespace
  rules:
  - host: dashboard.od.com
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard   # the dashboard Service above
          servicePort: 443
          
# The ServiceAccount shipped in recommended.yaml is deliberately limited, so the
# dashboard process itself cannot change the cluster; users log in with the token
# of a separate account. The one defined below is cluster-admin — read the
# warning in the manifest before applying it.
[root@master01 deploy]# cat dashboard-admin-user.yaml 
# Login account for the dashboard.
# NOTE(review): this binds cluster-admin, so the token of this ServiceAccount is
# equivalent to root on the whole cluster: the UI can read every Secret, exec
# into any pod and rewrite RBAC. Anyone who obtains the token (browser, shared
# screen, a pasted document) inherits that. Prefer a narrower ClusterRole
# (`view`, or a purpose-built one) or the namespaced `admin` RoleBinding shown
# in section 2, and keep a cluster-admin login only for break-glass use.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-admin
  namespace: kubernetes-dashboard  # ServiceAccounts are namespaced; the binding below must name the same namespace

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin       # built-in superuser role: unrestricted on every resource in every namespace
subjects:
- kind: ServiceAccount      # the subject authenticates with its bearer token, which the dashboard forwards to the API server
  name: dashboard-admin
  namespace: kubernetes-dashboard
  
# Create the account and its binding.
[root@master01 deploy]# kubectl apply -f dashboard-admin-user.yaml 
serviceaccount/dashboard-admin created  
  
# On Kubernetes up to 1.23 a Secret named <sa>-token-<hash> is created
# automatically for each ServiceAccount. On 1.24 and later it is not; use
#   kubectl create token dashboard-admin -n kubernetes-dashboard
# which returns a short-lived token — preferable in any case.
[root@master01 tls]# kubectl get secret -n kubernetes-dashboard|grep dashboard-admin
dashboard-admin-token-zfmh9        kubernetes.io/service-account-token   3      3m36s

# The `token:` field is the bearer token to paste into the login page.
# NOTE(review): this is a legacy Secret-based token: it has no expiry, and here
# it carries cluster-admin. Treat it like a root password — never copy it into
# documents, tickets or chat. The value printed below has been published and
# must be considered burned; revoke it by deleting the Secret (pre-1.24 the
# token controller then issues a fresh one).
[root@master01 tls]# kubectl describe secret dashboard-admin-token-zfmh9 -n kubernetes-dashboard
Name:         dashboard-admin-token-zfmh9
Namespace:    kubernetes-dashboard
Labels:      
Annotations:  kubernetes.io/service-account.name: dashboard-admin
              kubernetes.io/service-account.uid: f89cf609-c18a-4309-8ce5-04d5968600a9

Type:  kubernetes.io/service-account-token

Data
====
namespace:  20 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IlVZQzIwM1NmeVlCS3JGRDFHR1oycnJwRU9seTRZMGpJNkI1SVlRbUZHc28ifQ.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.wJ5fq6VPt7jBIrXC9iDkQAt_chCWrYks0-jr3FLRemGNGpYuwuGxiZd-moJhHPxhtMXyLrEdAW9VsxiXwGad5qreE3iKLy_YWcPby5oW8_01b3j3Frie4A9UnvMsES4m9I9DnWM-xY1yPvzSPXzBxwSP2S-uiXSC6hdsgXuMNEZCKIE0WNW_J4VK5uXf0fp3BRDNFokFblUfV44gpA5E39QDl-1F2jAXrfFpxAPDd4lTuG0un-07qFU1a0XlhY27vq8VgCzQckJZbV_WsE2bs7THaPK2tEkU3kH6u8lIbtknEJ0hE9a1To2qa4pgbbBxF4Ngejp_4-QCaE5Pf1VkDw
ca.crt:     1029 bytes
 

# Resolve dashboard.od.com to the node IP the ingress controller answers on
# (the internal BIND zone is edited here; adapt to whatever DNS you run).
[root@master01 deploy]# vi /var/named/od.com.zone 
dashboard          A   10.4.7.51

[root@master01 deploy]# systemctl restart named

# Browse to https://dashboard.od.com and log in with the token shown above.


2.通过生成的kubeconfig认证方式登录k8s集群,在dashboard管理页面。
# Least-privilege alternative: a ServiceAccount that may only manage the
# `default` namespace.
[root@master01 tls]# kubectl create serviceaccount def-ns-admin -n default

# Bind the built-in `admin` ClusterRole through a RoleBinding. A RoleBinding is
# namespaced, so although the role itself is cluster-wide the grant is confined
# to `default`. (`admin` still permits reading Secrets and creating Roles /
# RoleBindings inside that namespace; use `edit` or `view` if that is too much.)
[root@master01 tls]# kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin -n default
rolebinding.rbac.authorization.k8s.io/def-ns-admin created

[root@master01 tls]# kubectl get rolebinding -n default
NAME            ROLE                AGE
def-ns-admin    ClusterRole/admin   15s

# Up to Kubernetes 1.23 the token Secret is created automatically, named after
# the ServiceAccount (on 1.24+ use `kubectl create token def-ns-admin -n default`).
[root@master01 tls]# kubectl get secret -n default
NAME                       TYPE                                  DATA   AGE
def-ns-admin-token-prjpc   kubernetes.io/service-account-token   3      7m23s

# This token is limited to `default` by the RoleBinding, but it is still a
# non-expiring credential: whoever holds it is namespace admin until the Secret
# is deleted. The full value printed below has been published and should be
# regarded as compromised.
[root@master01 tls]# kubectl describe secret def-ns-admin-token-prjpc -n default
Name:         def-ns-admin-token-prjpc
Namespace:    default
Labels:      
Annotations:  kubernetes.io/service-account.name: def-ns-admin
              kubernetes.io/service-account.uid: 01fe5a9f-cc3b-4192-bd69-d61bdfd1a703

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1029 bytes
namespace:  7 bytes   # the `token:` value below is what goes into the kubeconfig built next
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IlVZQzIwM1NmeVlCS3JGRDFHR1oycnJwRU9seTRZMGpJNkI1SVlRbUZHc28ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wcmpwYyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIwMWZlNWE5Zi1jYzNiLTQxOTItYmQ2OS1kNjFiZGZkMWE3MDMiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.k4n3n8rGpaMdHEq3cNgsoFeA-xc3JuqPZOdBDMIw39RBdZvLeaWsYzRBh1ooBE5nZ1wMiTCVLd7z6OBRB7SHEKEuDXNI8Sm2eH1kMwRlYe5IIYCPc7kpHWSdq-CTAYoImJ4MVc1kflxWaWUAopnHOGAJllaqXZ4O3Dq11MT_yhFNEzV6_g3lP9ShrBcHgXbmWxDVRkunM9QJcc3VMThKcyc4zl8rQibyI2NDWwpSCmvrBDlyvFpPA9zYjqdlNCNYBMIvSOdHNGHEDTt84WKrZh-GHJmR0tVvo3rkvaHAAlfmxwCm9TdbusjqDpTtrvruJSwEpitLozbL1bg1UTJtMg

# Build a standalone kubeconfig for the namespace admin. It serves the
# dashboard's "Kubeconfig" login and also works with kubectl directly.
# Step 1: cluster entry — API server URL plus the cluster CA, embedded so the
# file is self-contained. The embedded CA is what lets the client verify the
# server; never substitute insecure-skip-tls-verify here.
[root@master01 tls]# kubectl config set-cluster kubernetes --server="https://10.4.7.48:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true --kubeconfig=/root/def-ns-admin.conf
Cluster "kubernetes" set.

# Inspect the file so far (certificate data is elided by `view`).
[root@master01 tls]# kubectl config view --kubeconfig=/root/def-ns-admin.conf 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://10.4.7.48:6443
  name: kubernetes
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null

# Step 2: user entry carrying the def-ns-admin ServiceAccount token from above.
# NOTE(review): passing the token on the command line shows it to every user
# who can run `ps` on this host and records it in ~/.bash_history. Run it on a
# host nobody else can inspect, prefix the command with a space under
# HISTCONTROL=ignorespace (or `history -d` it afterwards), and pull the value
# straight from the Secret instead of pasting it:
#   --token="$(kubectl get secret def-ns-admin-token-prjpc -n default -o jsonpath='{.data.token}' | base64 -d)"
[root@master01 tls]# kubectl config set-credentials def-ns-admin --token="eyJhbGciOiJSUzI1NiIsImtpZCI6IlVZQzIwM1NmeVlCS3JGRDFHR1oycnJwRU9seTRZMGpJNkI1SVlRbUZHc28ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wcmpwYyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIwMWZlNWE5Zi1jYzNiLTQxOTItYmQ2OS1kNjFiZGZkMWE3MDMiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.k4n3n8rGpaMdHEq3cNgsoFeA-xc3JuqPZOdBDMIw39RBdZvLeaWsYzRBh1ooBE5nZ1wMiTCVLd7z6OBRB7SHEKEuDXNI8Sm2eH1kMwRlYe5IIYCPc7kpHWSdq-CTAYoImJ4MVc1kflxWaWUAopnHOGAJllaqXZ4O3Dq11MT_yhFNEzV6_g3lP9ShrBcHgXbmWxDVRkunM9QJcc3VMThKcyc4zl8rQibyI2NDWwpSCmvrBDlyvFpPA9zYjqdlNCNYBMIvSOdHNGHEDTt84WKrZh-GHJmR0tVvo3rkvaHAAlfmxwCm9TdbusjqDpTtrvruJSwEpitLozbL1bg1UTJtMg" --kubeconfig=/root/def-ns-admin.conf 

# Step 3: context — ties the user to the cluster and sets the default namespace
# kubectl will use (the RBAC grant is limited to `default` anyway).
[root@master01 tls]# kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin --namespace=default --kubeconfig=/root/def-ns-admin.conf 
Context "def-ns-admin@kubernetes" created.

# A context only takes effect once selected as current-context; before that the
# file has a context but no active one.
# (This kubectl prints the token in clear; newer releases show `token: REDACTED`
# unless --raw is given.)
[root@master01 tls]# kubectl config view --kubeconfig=/root/def-ns-admin.conf 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://10.4.7.48:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: default
    user: def-ns-admin
  name: def-ns-admin@kubernetes
current-context: ""   # not selected yet, so the context is defined but inactive
kind: Config
preferences: {}
users:
- name: def-ns-admin
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IlVZQzIwM1NmeVlCS3JGRDFHR1oycnJwRU9seTRZMGpJNkI1SVlRbUZHc28ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1wcmpwYyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIwMWZlNWE5Zi1jYzNiLTQxOTItYmQ2OS1kNjFiZGZkMWE3MDMiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.k4n3n8rGpaMdHEq3cNgsoFeA-xc3JuqPZOdBDMIw39RBdZvLeaWsYzRBh1ooBE5nZ1wMiTCVLd7z6OBRB7SHEKEuDXNI8Sm2eH1kMwRlYe5IIYCPc7kpHWSdq-CTAYoImJ4MVc1kflxWaWUAopnHOGAJllaqXZ4O3Dq11MT_yhFNEzV6_g3lP9ShrBcHgXbmWxDVRkunM9QJcc3VMThKcyc4zl8rQibyI2NDWwpSCmvrBDlyvFpPA9zYjqdlNCNYBMIvSOdHNGHEDTt84WKrZh-GHJmR0tVvo3rkvaHAAlfmxwCm9TdbusjqDpTtrvruJSwEpitLozbL1bg1UTJtMg

# Step 4: select the context so the file is usable as-is.
[root@master01 tls]# kubectl config use-context def-ns-admin@kubernetes --kubeconfig=/root/def-ns-admin.conf 
Switched to context "def-ns-admin@kubernetes".


# /root/def-ns-admin.conf now holds a non-expiring bearer token in clear text.
# `chmod 600` it, copy it to the workstation only over an authenticated channel
# (scp, not chat/e-mail), and delete the Secret to revoke it when no longer needed.
# In the browser open https://dashboard.od.com and choose the "Kubeconfig" login,
# pointing it at this file.
