Kubernetes Quick Start 12: Dashboard

For more information see: https://github.com/kubernetes/dashboard

Installation

# Install
k8s@node01:~$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.3/aio/deploy/recommended.yaml
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created

Applying this YAML creates a namespace named kubernetes-dashboard; every resource defined in recommended.yaml is placed in that namespace.

k8s@node01:~$ kubectl get pod -n kubernetes-dashboard
NAME                                         READY   STATUS    RESTARTS   AGE
dashboard-metrics-scraper-6b4884c9d5-74pmh   1/1     Running   0          9m13s
kubernetes-dashboard-7f99b75bf4-zgqbh        1/1     Running   0          9m13s
k8s@node01:~$ kubectl get svc -n kubernetes-dashboard
NAME                        TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
dashboard-metrics-scraper   ClusterIP   10.102.153.202   <none>        8000/TCP   9m20s
kubernetes-dashboard        ClusterIP   10.97.71.212     <none>        443/TCP    9m20s
k8s@node01:~$ kubectl get deploy -n kubernetes-dashboard
NAME                        READY   UP-TO-DATE   AVAILABLE   AGE
dashboard-metrics-scraper   1/1     1            1           9m27s
kubernetes-dashboard        1/1     1            1           9m27s
k8s@node01:~$ kubectl get rs -n kubernetes-dashboard
NAME                                   DESIRED   CURRENT   READY   AGE
dashboard-metrics-scraper-6b4884c9d5   1         1         1       9m46s
kubernetes-dashboard-7f99b75bf4        1         1         1       9m46s

The Service runs in ClusterIP mode, so the web UI can only be reached through the cluster IP from inside the cluster. You can either run a proxy on the master node, or change the Service directly so that it works in NodePort mode.

k8s@node01:~$ kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kubernetes-dashboard
k8s@node01:~$ kubectl get svc -n kubernetes-dashboard
NAME                        TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE
dashboard-metrics-scraper   ClusterIP   10.100.214.241   <none>        8000/TCP        30m
kubernetes-dashboard        NodePort    10.100.173.162   <none>        443:31477/TCP   30m

Accessing it from a browser

Two authentication methods are offered.

Token-based authentication

The steps to create an authentication token are:

  1. Create a ServiceAccount; the dashboard has to use a ServiceAccount user.
  2. Bind the ServiceAccount to the ClusterRole named cluster-admin with a ClusterRoleBinding.
  3. Get the token and log in to the dashboard.

# Create the serviceaccount
k8s@node01:~$ kubectl create serviceaccount dashboard-cluster-user -n kubernetes-dashboard
# The equivalent resource manifest is
k8s@node01:~$ kubectl create serviceaccount dashboard-cluster-user -n kubernetes-dashboard -o yaml --dry-run=client
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: null
  name: dashboard-cluster-user
  namespace: kubernetes-dashboard
k8s@node01:~$ kubectl get serviceaccount -n kubernetes-dashboard
NAME                     SECRETS   AGE
dashboard-cluster-user   1         18m
default                  1         67m
kubernetes-dashboard     1         67m
# Bind the role
k8s@node01:~$ kubectl create clusterrolebinding dashboard-cluster-role-bind --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:dashboard-cluster-user
# The equivalent resource manifest is
k8s@node01:~$ kubectl create clusterrolebinding dashboard-cluster-role-bind --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:dashboard-cluster-user -o yaml --dry-run=client
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: dashboard-cluster-role-bind
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: dashboard-cluster-user
  namespace: kubernetes-dashboard
k8s@node01:~$ kubectl get clusterrolebinding
NAME                          ROLE                        AGE
cluster-admin                 ClusterRole/cluster-admin   8d
dashboard-cluster-role-bind   ClusterRole/cluster-admin   50s
...
# After the authorization, the corresponding secret object is generated automatically
k8s@node01:~$ kubectl get secret -n kubernetes-dashboard
NAME                                 TYPE                                  DATA   AGE
dashboard-cluster-user-token-xvmh9   kubernetes.io/service-account-token   3      6m53s
...
# Get the token
k8s@node01:~$ kubectl describe secret dashboard-cluster-user-token-xvmh9 -n kubernetes-dashboard
Name:         dashboard-cluster-user-token-xvmh9
Namespace:    kubernetes-dashboard
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: dashboard-cluster-user
              kubernetes.io/service-account.uid: 68a06d95-b200-4a7f-953b-bd512a9961dc
Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  20 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6Ino3XzB5Rk5FT1ROTmNTSi1ydVZiNWJ3aDlzckxndDk4bzd6dE81anRIVGsifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtY2x1c3Rlci11c2VyLXRva2VuLXh2bWg5Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImRhc2hib2FyZC1jbHVzdGVyLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI2OGEwNmQ5NS1iMjAwLTRhN2YtOTUzYi1iZDUxMmE5OTYxZGMiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6ZGFzaGJvYXJkLWNsdXN0ZXItdXNlciJ9.SWdsI8spBeWLKiANxp1RNF_KAHD_Hfd913fKNpergi83jwO6ZwvVwXSg8INMvGDoqPFSPsPkW2_l8U2bEP65vqkcrQxTFnkaJ94z45oVfMiVLsbOq6RbOTi7uHsA1wBCXKk1c5yI3Mw8KpX30vKsGTvEL_FIsgm1M6bQ9X-X2MgiZr9PFR3cTwvwHBjmbQXD9oNbwIJwY2yJv87lnE6EvrKp_Nyf_l4BfPDBIn3cyiQA0WCj910yJN13UVtkP1mtwyWANASGF-BH3vkUHFtvLaxnMQsEUEQJZdFex_osyqNV06-JrR6lseXPRBK7GngVdUqDhRbX-ldSxfik-lizvA

Paste this token into the login page to log in and manage the k8s cluster.

Kubeconfig-based authentication

Building on the serviceaccount named dashboard-cluster-user created above, we now let that user log in with a kubeconfig file as well.

# Define the cluster to be managed
k8s@node01:~$ sudo kubectl config set-cluster kubernetes01 --server="https://192.168.101.40:6443" --certificate-authority=/etc/kubernetes/pki/ca.key --kubeconfig=/home/k8s/def-cluster-adm.conf
# Put the token in a variable so it can be referenced below
k8s@node01:~$ TOKEN_TMP=eyJhbGciOiJSUzI1NiIsImtpZCI6Ino3XzB5Rk5FT1ROTmNTSi1ydVZiNWJ3aDlzckxndDk4bzd6dE81anRIVGsifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtY2x1c3Rlci11c2VyLXRva2VuLXh2bWg5Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImRhc2hib2FyZC1jbHVzdGVyLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI2OGEwNmQ5NS1iMjAwLTRhN2YtOTUzYi1iZDUxMmE5OTYxZGMiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6ZGFzaGJvYXJkLWNsdXN0ZXItdXNlciJ9.SWdsI8spBeWLKiANxp1RNF_KAHD_Hfd913fKNpergi83jwO6ZwvVwXSg8INMvGDoqPFSPsPkW2_l8U2bEP65vqkcrQxTFnkaJ94z45oVfMiVLsbOq6RbOTi7uHsA1wBCXKk1c5yI3Mw8KpX30vKsGTvEL_FIsgm1M6bQ9X-X2MgiZr9PFR3cTwvwHBjmbQXD9oNbwIJwY2yJv87lnE6EvrKp_Nyf_l4BfPDBIn3cyiQA0WCj910yJN13UVtkP1mtwyWANASGF-BH3vkUHFtvLaxnMQsEUEQJZdFex_osyqNV06-JrR6lseXPRBK7GngVdUqDhRbX-ldSxfik-lizvA
# Create the user from the token
k8s@node01:~$ sudo kubectl config --kubeconfig=/home/k8s/def-cluster-adm.conf set-credentials dashboard-cluster-user --token=$TOKEN_TMP
# Create the context
k8s@node01:~$ sudo kubectl config --kubeconfig=/home/k8s/def-cluster-adm.conf set-context dashboard-cluster-user@kubernetes01 --cluster=kubernetes01 --user=dashboard-cluster-user
# Select the context to use
k8s@node01:~$ sudo kubectl config --kubeconfig=/home/k8s/def-cluster-adm.conf use-context dashboard-cluster-user@kubernetes01
Switched to context "dashboard-cluster-user@kubernetes01".
# Inspect the resulting config file
k8s@node01:~$ sudo cat def-cluster-adm.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/pki/ca.key
    server: https://192.168.101.40:6443
  name: kubernetes01
contexts:
- context:
    cluster: kubernetes01
    user: dashboard-cluster-user
  name: dashboard-cluster-user@kubernetes01
current-context: dashboard-cluster-user@kubernetes01
kind: Config
preferences: {}
users:
- name: dashboard-cluster-user
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6Ino3XzB5Rk5FT1ROTmNTSi1ydVZiNWJ3aDlzckxndDk4bzd6dE81anRIVGsifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtY2x1c3Rlci11c2VyLXRva2VuLXh2bWg5Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImRhc2hib2FyZC1jbHVzdGVyLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI2OGEwNmQ5NS1iMjAwLTRhN2YtOTUzYi1iZDUxMmE5OTYxZGMiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6ZGFzaGJvYXJkLWNsdXN0ZXItdXNlciJ9.SWdsI8spBeWLKiANxp1RNF_KAHD_Hfd913fKNpergi83jwO6ZwvVwXSg8INMvGDoqPFSPsPkW2_l8U2bEP65vqkcrQxTFnkaJ94z45oVfMiVLsbOq6RbOTi7uHsA1wBCXKk1c5yI3Mw8KpX30vKsGTvEL_FIsgm1M6bQ9X-X2MgiZr9PFR3cTwvwHBjmbQXD9oNbwIJwY2yJv87lnE6EvrKp_Nyf_l4BfPDBIn3cyiQA0WCj910yJN13UVtkP1mtwyWANASGF-BH3vkUHFtvLaxnMQsEUEQJZdFex_osyqNV06-JrR6lseXPRBK7GngVdUqDhRbX-ldSxfik-lizvA

Now def-cluster-adm.conf can be copied to the host from which you want to log in to the dashboard; choose the Kubeconfig option there and load this file to authenticate. Note that set-cluster above points --certificate-authority at /etc/kubernetes/pki/ca.key, whereas the CA certificate kubectl expects is /etc/kubernetes/pki/ca.crt (ca.key is the CA's private key), and because the kubeconfig stores only the path, the referenced file must also exist on whichever host loads the file.

The dashboard-cluster-user serviceaccount created here is bound to the ClusterRole named cluster-admin, which is cluster-level administration: after logging in to the dashboard, you can manage every resource in every namespace of the whole cluster, so the permissions are very broad. If you want finer-grained control, so that the user can only manage resources in a specified namespace, then do not bind the cluster-admin ClusterRole when doing the role binding; bind the role named admin instead, as in the following example:

# Create a serviceaccount; this user is meant to manage only resources in the default namespace
k8s@node01:~$ kubectl create serviceaccount def-default-adm -n default
# Bind the role with a rolebinding
k8s@node01:~$ kubectl create rolebinding def-default-adm --clusterrole=admin --serviceaccount=default:def-default-adm
# Get the token
k8s@node01:~$ kubectl get secret
NAME                          TYPE                                  DATA   AGE
def-default-adm-token-kmgmd   kubernetes.io/service-account-token   3      2m54s
default-token-ndclg           kubernetes.io/service-account-token   3      9d
ingress-https                 kubernetes.io/tls                     2      3d8h
mysa-token-fq592              kubernetes.io/service-account-token   3      27h
mysql-password                Opaque                                1      2d
k8s@node01:~$ kubectl describe secret def-default-adm-token-kmgmd
Name:         def-default-adm-token-kmgmd
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: def-default-adm
              kubernetes.io/service-account.uid: 69c14246-1eae-4325-bdca-1cb6a8ac6699
Type:  kubernetes.io/service-account-token

Data
====
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6Ino3XzB5Rk5FT1ROTmNTSi1ydVZiNWJ3aDlzckxndDk4bzd6dE81anRIVGsifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1kZWZhdWx0LWFkbS10b2tlbi1rbWdtZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtZGVmYXVsdC1hZG0iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI2OWMxNDI0Ni0xZWFlLTQzMjUtYmRjYS0xY2I2YThhYzY2OTkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtZGVmYXVsdC1hZG0ifQ.r052yuiDiIuMTmaI42LCOoPB-ZykzW65jF5UPcqi7cuusN7gBhey3COLg-ovJsj4FkJLTL2sGU2YduNhquB7BJT7hN7JVz0Y96XV5pV33FLCbvUHeJKn6gXdVUDqb9UH81iiE6aFXOEFZ58BtSYEfc7ebfFmozolJdbTIlOC_5Yd0pZrVTeWdgL7a8tnwihNfQqREouL0vHFBfEYFm_O-nAUk5cRULr8CRa88IGi4Cp6E293YwHPRGuyiIh68ksyEKlFVDFiZFULrDYjA3xXm6QqVB8B0mNXAty1c-qvq-PW5ZkMtO6Hd0uzkSSWHXeYDGBv2gT2-b-s7nih8fy4Ih1_G6Fw
ca.crt:     1025 bytes
namespace:  7 bytes

Logging in to the dashboard with this token lets you manage only the resources in the default namespace.
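Before pasting either of the tokens above into the dashboard, it is worth checking what the token itself claims about its identity. The following Python is an added example (not code from the original post or from the dashboard project): it decodes the header and payload of a service-account token without verifying the signature, and reports which ServiceAccount, namespace and secret the token belongs to and whether it carries an exp claim. The embedded token is the dashboard-cluster-user token printed by kubectl describe secret above; the same function works on the def-default-adm token.

```python
import base64
import json

# The dashboard-cluster-user token exactly as printed by `kubectl describe
# secret dashboard-cluster-user-token-xvmh9` above (header.payload.signature),
# split across lines only for readability.
DASHBOARD_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6Ino3XzB5Rk5FT1ROTmNTSi1ydVZiNWJ3aDlzckxndDk4bzd6dE81anRIVGsifQ"
    ".eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJ"
    "rdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJ"
    "kYXNoYm9hcmQtY2x1c3Rlci11c2VyLXRva2VuLXh2bWg5Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6Im"
    "Rhc2hib2FyZC1jbHVzdGVyLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI"
    "2OGEwNmQ5NS1iMjAwLTRhN2YtOTUzYi1iZDUxMmE5OTYxZGMiLCJ"
    "zdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6ZGFzaGJvYXJkLWNsdXN0ZXItdXNlciJ9"
    ".SWdsI8spBeWLKiANxp1RNF_KAHD_Hfd913fKNpergi83jwO6ZwvVwXSg8INMvGDoqPFSPsPkW2_l8U2bEP65vqkcrQxTFnkaJ94z45oVfMiVLsbOq6RbOTi7uHsA1wBCXKk1c5yI3Mw8KpX30vKsGTvEL_FIsgm1M6bQ9X-X2MgiZr9PFR3cTwvwHBjmbQXD9oNbwIJwY2yJv87lnE6EvrKp_Nyf_l4BfPDBIn3cyiQA0WCj910yJN13UVtkP1mtwyWANASGF-BH3vkUHFtvLaxnMQsEUEQJZdFex_osyqNV06-JrR6lseXPRBK7GngVdUqDhRbX-ldSxfik-lizvA"
)

# Prefix of the claims the kube-apiserver puts into service-account tokens.
SA_CLAIM_PREFIX = "kubernetes.io/serviceaccount/"


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_parts(token: str) -> tuple:
    """Return (header, payload) of a JWT. The signature is NOT verified here:
    this only shows what the token says about itself."""
    header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


def describe_sa_token(token: str) -> dict:
    """Summarise the identity a service-account token carries."""
    header, claims = jwt_parts(token)
    return {
        "alg": header["alg"],
        "subject": claims["sub"],
        "namespace": claims[SA_CLAIM_PREFIX + "namespace"],
        "service_account": claims[SA_CLAIM_PREFIX + "service-account.name"],
        "secret": claims[SA_CLAIM_PREFIX + "secret.name"],
        # Secret-based tokens like these carry no 'exp' claim: they stay
        # valid until the secret or the ServiceAccount is deleted.
        "expires": "exp" in claims,
    }


if __name__ == "__main__":
    for key, value in describe_sa_token(DASHBOARD_TOKEN).items():
        print(f"{key:16} {value}")
```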

To delete a user that has been created, use the following command:

$ sudo kubectl --kubeconfig=/home/k8s/def-cluster-adm.conf config unset users.<user-name>