二进制部署K8s集群第23节addons之安装部署dashboard

架构图
二进制部署K8s集群第23节addons之安装部署dashboard

1、准备dashboard

hdss7-200.host.com上操作

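# Mirror the dashboard image into the private Harbor registry.
# NOTE(review): hexun/kubernetes-dashboard-amd64 appears to be a third-party
# Docker Hub repository rather than the upstream project's own; compare its
# digest with a trusted copy before pushing it where the cluster will pull it.
docker pull hexun/kubernetes-dashboard-amd64:v1.10.1
# Tag by name instead of by the image ID seen on the author's host
# (f9aed6605b81), so the tag always lands on the image that was just pulled.
docker tag hexun/kubernetes-dashboard-amd64:v1.10.1 harbor.od.com/k8s/dashboard:v1.10.1
docker push harbor.od.com/k8s/dashboard:v1.10.1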

2 准备资源配置清单目录

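# Create the directory that holds the dashboard manifests and work from it.
mkdir -p /data/k8s-yaml/dashboard && cd /data/k8s-yaml/dashboard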

3 准备资源配置清单文件

参考链接 https://github.com/kubernetes/kubernetes/blob/master/cluster/addons/dashboard/dashboard.yaml

3.1 rbac.yaml

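# Service account for the dashboard, bound cluster-wide to the built-in
# cluster-admin ClusterRole. Whoever holds this account's token, or reaches a
# dashboard session signed in with it, can do anything in the cluster. Outside
# a lab, bind a role limited to what the dashboard actually has to read.
# The heredoc delimiter is quoted so the shell expands nothing in the YAML.
cat > /data/k8s-yaml/dashboard/rbac.yaml <<'eof'
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    addonmanager.kubernetes.io/mode: Reconcile
  name: kubernetes-dashboard-admin
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-admin
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
    addonmanager.kubernetes.io/mode: Reconcile
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard-admin
  namespace: kube-system
eof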

3.2 secret.yaml

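# Two empty Opaque secrets in kube-system: one mounted by the dashboard as its
# certificate store, one named kubernetes-dashboard-key-holder. The
# EnsureExists mode creates them once and then leaves later edits alone.
cat > /data/k8s-yaml/dashboard/secret.yaml <<'eof'
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    # Allows editing resource and makes sure it is created first.
    addonmanager.kubernetes.io/mode: EnsureExists
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    # Allows editing resource and makes sure it is created first.
    addonmanager.kubernetes.io/mode: EnsureExists
  name: kubernetes-dashboard-key-holder
  namespace: kube-system
type: Opaque
eof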

3.3 configmap.yaml

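# Empty ConfigMap that the dashboard uses for its settings; EnsureExists keeps
# later edits from being overwritten.
cat > /data/k8s-yaml/dashboard/configmap.yaml <<'eof'
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    # Allows editing resource and makes sure it is created first.
    addonmanager.kubernetes.io/mode: EnsureExists
  name: kubernetes-dashboard-settings
  namespace: kube-system
eof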

3.4 deployment.yaml

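# Dashboard Deployment. The pod runs as kubernetes-dashboard-admin, the
# service account that rbac.yaml binds to cluster-admin, and serves HTTPS on
# 8443 with a certificate it generates itself (--auto-generate-certificates).
# NOTE(review): the image tag below is v2.0.4, but step 1 of this page pushes
# harbor.od.com/k8s/dashboard:v1.10.1. Make sure the tag referenced here is
# one that really exists in the registry, or the pod cannot pull its image.
cat > /data/k8s-yaml/dashboard/deployment.yaml <<'eof'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      priorityClassName: system-cluster-critical
      containers:
      - name: kubernetes-dashboard
        image: harbor.od.com/k8s/dashboard:v2.0.4
        resources:
          limits:
            cpu: 100m
            memory: 300Mi
          requests:
            cpu: 50m
            memory: 100Mi
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          # PLATFORM-SPECIFIC ARGS HERE
          - --auto-generate-certificates
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
        - name: tmp-volume
          mountPath: /tmp
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard-admin
      tolerations:
      - key: "CriticalAddonsOnly"
        operator: "Exists"
      imagePullSecrets:
      - name: harbor
eof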

3.5 svc.yaml

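# Service that exposes the dashboard pods inside the cluster: port 443 is
# forwarded to the container's HTTPS port 8443.
cat > /data/k8s-yaml/dashboard/svc.yaml <<'eof'
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  selector:
    k8s-app: kubernetes-dashboard
  ports:
  - port: 443
    targetPort: 8443
eof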

3.6 ingress.yaml

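# Ingress rule that routes dashboard.od.com through traefik to the dashboard
# Service on port 443.
# NOTE(review): the extensions/v1beta1 Ingress API is only served by
# Kubernetes releases before 1.22; the cluster version is not shown on this
# page, so confirm it before applying.
cat > /data/k8s-yaml/dashboard/ingress.yaml <<'eof'
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: dashboard.od.com
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
eof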

4 生成证书

openssl生成证书方式(需先生成ca.pem,ca-key.pem)
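# Issue a server certificate for dashboard.od.com from the local CA
# (ca.pem / ca-key.pem must already exist in /opt/certs).
cd /opt/certs/
# The subshell limits umask 077 to key generation, so the private key is
# created readable by its owner only.
(umask 077; openssl genrsa -out dashboard.od.com.key 2048)
openssl req -new -key dashboard.od.com.key -out dashboard.od.com.csr \
  -subj "/CN=dashboard.od.com/C=CN/ST=GZ/L=GuangZhou/O=k8s/OU=k8s"
# No subjectAltName is added (there is no -extfile), so clients that ignore
# the CN when matching host names will reject this certificate. The validity
# is ten years; plan how the certificate gets replaced if the key leaks.
openssl x509 -req -in dashboard.od.com.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out dashboard.od.com.crt -days 3650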
[root@hdss7-200 certs]# ll dashboard.od.com.*
-rw-r--r-- 1 root root 1196 10月  5 22:49 dashboard.od.com.crt
-rw-r--r-- 1 root root 1001 10月  5 22:49 dashboard.od.com.csr
-rw------- 1 root root 1675 10月  5 22:49 dashboard.od.com.key
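# Copy the certificate material to the nginx host (presumably run on
# hdss7-11 and hdss7-12, where /etc/nginx lives). The target directory has to
# exist before the copy.
mkdir -p /etc/nginx/certs
scp hdss7-200:/opt/certs/dashboard.od.com.crt /etc/nginx/certs/
# nginx loads the private key named in ssl_certificate_key; the signing
# request (.csr) is of no use to it, so the key is what must be copied.
scp hdss7-200:/opt/certs/dashboard.od.com.key /etc/nginx/certs/
# Keep the key readable by its owner only on the destination as well.
chmod 600 /etc/nginx/certs/dashboard.od.com.key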

5 解析域名

hdss7-11上操作

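# Add an A record for the dashboard to the od.com zone.
cat >> /var/named/od.com.zone <<eof
dashboard          A    10.4.7.10
eof
# In the editor, increase the SOA serial by one so the change is picked up;
# the line then reads:
#   2020100505  ; serial
vi /var/named/od.com.zone
# The service manager command is systemctl ("system" is not a command).
systemctl restart named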

6 修改nginx配置

hdss7-11和hdss7-12上操作

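 mkdir -p /etc/nginx/certs
# Virtual host for dashboard.od.com: port 80 redirects to HTTPS, port 443
# terminates TLS with the certificate issued above and proxies to the traefik
# upstream (default_backend_traefik is not defined on this page; it is assumed
# to exist in the nginx configuration already).
# No ssl_protocols directive is set, so the nginx build's default protocol
# list applies; pin it explicitly if old TLS versions must be refused.
# The heredoc delimiter is quoted so the shell leaves the nginx $variables
# untouched.
cat > /etc/nginx/conf.d/dashboard.od.com.conf <<'eof'
server {
    listen       80;
    server_name  dashboard.od.com;
    rewrite ^(.*)$ https://${server_name}$1 permanent;
}
server {
    listen       443 ssl;
    server_name  dashboard.od.com;
    ssl_certificate "certs/dashboard.od.com.crt";
    ssl_certificate_key "certs/dashboard.od.com.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://default_backend_traefik;
        proxy_set_header Host       $http_host;
        proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
    }
}
eof
# Validate the configuration first; reload only if the check passes.
nginx -t && nginx -s reload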

7 应用资源配置清单

hdss7-21或hdss7-22上执行

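# Apply the manifests served by the internal k8s-yaml host; the Deployment
# goes last, after the account, secrets, config, service and ingress exist.
# These files are fetched over plain HTTP and include a cluster-admin
# binding, so whatever that URL returns is what the cluster gets. Serve them
# over HTTPS or apply reviewed local copies where the network is not trusted.
kubectl apply -f http://k8s-yaml.od.com/dashboard/rbac.yaml
kubectl apply -f http://k8s-yaml.od.com/dashboard/secret.yaml
kubectl apply -f http://k8s-yaml.od.com/dashboard/configmap.yaml
kubectl apply -f http://k8s-yaml.od.com/dashboard/svc.yaml
kubectl apply -f http://k8s-yaml.od.com/dashboard/ingress.yaml
kubectl apply -f http://k8s-yaml.od.com/dashboard/deployment.yaml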

8 获取token

[root@hdss7-22 /]# kubectl get secret -n kube-system
NAME                                     TYPE                                  DATA   AGE
coredns-token-xvr85                      kubernetes.io/service-account-token   3      42h
default-token-q9rpn                      kubernetes.io/service-account-token   3      3d10h
harbor                                   kubernetes.io/dockerconfigjson        1      2d9h
kubernetes-dashboard-admin-token-dpb77   kubernetes.io/service-account-token   3      10h
kubernetes-dashboard-certs               Opaque                                0      10h
kubernetes-dashboard-key-holder          Opaque                                2      10h
traefik-ingress-controller-token-b2z7n   kubernetes.io/service-account-token   3      25h
[root@hdss7-22 /]# kubectl describe secret kubernetes-dashboard-admin-token-dpb77 -n kube-system
Name:         kubernetes-dashboard-admin-token-dpb77
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: kubernetes-dashboard-admin
kubernetes.io/service-account.uid: daa17a07-bd8b-4ac7-bc45-d883badb7102
Type:  kubernetes.io/service-account-token
Data
====
ca.crt:     1359 bytes
namespace:  11 bytes
token:      eyJhbGciOiJl q c u o h S 5 0SUzI1NiIsImtpZCI6Ind8 H | _ H { k 34Rk9fbGdYbWdHNlc0OUFHNXQyUTdx w Q + WSc d M2JIaGNubnZ6TTRfSWtsYkpITVUifQ.eyJpc3Mi. R GOiJrdWJlcm5ldGq B q p 6 J e Z jVzL3NlcnZpY24 g QVj c uhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY27 ] 6 ` Q91bnQvc2VjcmV0Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZC1hZG1pbi10b2tlbi1kcGI3NyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZC1hZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2| ; s I Q DVydmljZS1hY2NvdW50LnVpZCI6ImRhYTE3YTA3LWJkOGItNGFjNy1iYzQ1LWQ4ODNii F * (YWRiNzEwMiIsInN1YiI6InN5c3RlbTpzZ4 P i 0 O HXJ2aWNlYW7 T r E lNjb3VudDprdWJlLXN5c3RlbTprdWJlcm5ldGVzLWRhc2hib2FyZC1hZG1pbiJ9.WFQf5jiRdztyOV 8 ~ Iop$ ! i EdRI9gGZxDcZ4xrIwHMTC38IopnTkxkokSF4vywcnRrZyH-0mmDHXTGrval6cgSN_rdslkpVjcgmfKMnvJ7eGt-oEqryDPj6CAl_ZaXk2R4cvMN8kJMcl5zktix9f1pd6H3hQVMMRGXk_E-WmTq80GQXbdABqvasNglTT8XlQmNX3tDk-EAP4ctL3UUM ` F G N % s u -w1R_cTKe43dKmw1 G T -wf2QmTg1aDNBYU/ F 5 I u & @k3rFL1duMjjefOw9yeBPXLcGBB4UOtfIWQCCpyVJNUW9UU7tx829Z8a_nzA5Ee8LO7DGe-yoAF688G70AHVgHRRF10T28yuK1cp8M8bkvcVGu ^ 7 U 9 M 2T_R-g
# Show the rules that the cluster-admin ClusterRole grants.
kubectl get clusterrole cluster-admin --output=yaml

9 登陆dashboard

web访问: https://dashboard.od.com/

二进制部署K8s集群第23节addons之安装部署dashboard

复制上面的token登陆