Run the command:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta8/aio/deploy/recommended.yaml
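This URL may not be directly reachable from mainland China. In that case, download the recommended.yaml file from the dashboard GitHub repository and then run: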
$ kubectl apply -f recommended.yaml
If the pods show the status Running, the dashboard was deployed successfully:
$ kubectl get svc,pods -n kubernetes-dashboard
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/dashboard-metrics-scraper ClusterIP 10.96.192.164 <none> 8000/TCP 4h42m
service/kubernetes-dashboard ClusterIP 10.96.75.42 <none> 443/TCP 4h42m
NAME READY STATUS RESTARTS AGE
pod/dashboard-metrics-scraper-76585494d8-c98nl 1/1 Running 0 4h42m
pod/kubernetes-dashboard-5996555fd8-tmb6f 1/1 Running 0 4h42m
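According to the official documentation, there are currently four ways to access the Dashboard:
kubectl proxy creates a proxy server between your machine and the Kubernetes API server. By default, it can only be accessed locally.
Note: accessing the Dashboard through kubectl proxy is not recommended, because it only allows HTTP connections. Login will not work from any address other than localhost and 127.0.0.1.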
$ kubectl cluster-info
# Example output
Kubernetes master is running at https://192.168.30.148:6443
KubeDNS is running at https://192.168.30.148:6443/api/v1/namespaces/kube-system/services/kube-dns/proxy
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
$ kubectl proxy
Starting to serve on 127.0.0.1:8001
[root@k8s-master dashboard]# vim dashboard-adminuser.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
# rbac.authorization.k8s.io/v1 replaces the deprecated v1beta1 API version
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin  # gives this account full control of the whole cluster
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
[root@k8s-master dashboard]# kubectl create -f dashboard-adminuser.yaml
[root@k8s-master dashboard]# kubectl get secret -n kubernetes-dashboard
NAME TYPE DATA AGE
admin-user-token-57p5z kubernetes.io/service-account-token 3 45s
default-token-stbqb kubernetes.io/service-account-token 3 119m
kubernetes-dashboard-certs Opaque 0 119m
kubernetes-dashboard-csrf Opaque 1 119m
kubernetes-dashboard-key-holder Opaque 2 119m
kubernetes-dashboard-token-blwvn kubernetes.io/service-account-token 3 119m
[root@k8s-master dashboard]# kubectl describe secret admin-user-token-57p5z -n kubernetes-dashboard
Name: admin-user-token-57p5z
Namespace: kubernetes-dashboard
Labels: <none>
Annotations: kubernetes.io/service-account.name: admin-user
kubernetes.io/service-account.uid: 397cf7b0-a127-42cc-86bf-b3ee8e5c126d
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 20 bytes
token: <token value omitted>
Copy the token obtained above into the Token field on the login page:
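The token copied in this step is a JWT bearer credential for the admin-user account, which the manifest above binds to cluster-admin. As an added example (not part of the original page), this POSIX shell script decodes a token payload locally to show which account it belongs to and whether it ever expires; the sample token is constructed and the function names are this example's own.

```shell
#!/bin/sh
# Added example: read the claims of a service-account bearer token locally.

# Encode/decode one base64url segment (JWT segments carry no '=' padding).
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
b64url_decode() {
  _s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#_s} % 4 )) in
    1) return 1 ;;            # impossible length for base64
    2) _s="$_s==" ;;
    3) _s="$_s=" ;;
  esac
  printf '%s' "$_s" | base64 -d 2>/dev/null
}

# Print the JSON payload of a JWT; fail unless it has exactly three segments.
jwt_payload() {
  case "$1" in
    *.*.*.*) return 1 ;;      # too many segments
    ?*.?*.?*) ;;              # header.payload.signature
    *) return 1 ;;
  esac
  _p=${1#*.}                  # drop the header
  _p=${_p%%.*}                # drop the signature
  b64url_decode "$_p"
}

# Print one string-valued claim ($2) of token $1.
jwt_claim() {
  jwt_payload "$1" |
    sed -n "s|.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*|\1|p"
}

# Succeed only if the token carries an "exp" (expiry) claim.
jwt_has_expiry() { jwt_payload "$1" | grep -q '"exp"[[:space:]]*:'; }

# Constructed sample shaped like a Secret-based service-account token (no real key).
SAMPLE_PAYLOAD='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kubernetes-dashboard","sub":"system:serviceaccount:kubernetes-dashboard:admin-user"}'
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256"}').$(b64url_encode "$SAMPLE_PAYLOAD").$(b64url_encode 'not-a-real-signature')"

echo "subject: $(jwt_claim "$SAMPLE_TOKEN" sub)"
if jwt_has_expiry "$SAMPLE_TOKEN"; then
  echo "expires: yes"
else
  echo "expires: never (valid until the Secret is deleted)"
fi
```

Secret-based service-account tokens like the one on this page carry no exp claim, so a copy of the token stays usable until the Secret itself is deleted.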
Note: this way of accessing the Dashboard is recommended only for development environments in a single-node setup.
$ kubectl -n kubernetes-dashboard edit service kubernetes-dashboard
You should see the YAML representation of the service.
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
...
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  resourceVersion: "343478"
  selfLink: /api/v1/namespaces/kubernetes-dashboard/services/kubernetes-dashboard
  uid: 8e48f478-993d-11e7-87e0-901b0e532516
spec:
  clusterIP: 10.100.124.90
  externalTrafficPolicy: Cluster
  ports:
  - port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}
[root@k8s-master dashboard-ingress]# vim recommended.yaml
.....
.....
# ------------------- Dashboard Service ------------------- #
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort        # added: type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30033   # added: nodePort: 30033
  selector:
    k8s-app: kubernetes-dashboard
Delete the running dashboard:
$ kubectl delete -f recommended.yaml
Re-apply the recommended.yaml file:
$ kubectl apply -f recommended.yaml
Check the service:
$ kubectl -n kubernetes-dashboard get service kubernetes-dashboard
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes-dashboard NodePort 10.96.218.123 <none> 443:30033/TCP 43m
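The Dashboard is now exposed on port 30033 (HTTPS). Open it in a browser: https://master-ip:30033
The default certificate of the dashboard deployed by recommended.yaml is generated automatically. Because of problems with its validity period and its name, Chrome and IE cannot open the login page; in testing, Firefox opens it normally, as shown in the figure below:
Solution: Kubernetes Dashboard cannot be opened in some browsers because of a problem with its own certificate
Pod IPs and service IPs can only be reached from inside the cluster. To reach services provided by Kubernetes from outside the cluster, you can use NodePort, proxy, LoadBalancer, or Ingress. Because the service IP cannot be reached from outside the cluster, the Ingress approach adds one more layer of proxying: the Ingress proxies the service, and the service proxies the pods.
The Ingress nginx architecture is shown in the following diagram:
GitHub: https://github.com/kubernetes/ingress-nginx
Download the nginx-ingress-controller configuration file mandatory.yaml: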
mandatory.yaml
Change the image path in mandatory.yaml:
[root@k8s-master ingress-nginx]# vim mandatory.yaml
......
      containers:
        - name: nginx-ingress-controller
          #image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.26.1
          image: registry.aliyuncs.com/google_containers/nginx-ingress-controller:0.26.1
......
[root@k8s-master ingress-nginx]# kubectl apply -f mandatory.yaml
Manually create a service for the ingress controller to receive traffic from outside the cluster:
[root@k8s-master ingress-nginx]# vim service-nodeport.yaml
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
    - name: https
      port: 443
      targetPort: 443
      protocol: TCP
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
Apply the service:
[root@k8s-master ingress-nginx]# kubectl create -f service-nodeport.yaml
[root@k8s-master ingress-nginx]# kubectl get pods,svc -n ingress-nginx
NAME READY STATUS RESTARTS AGE
pod/nginx-ingress-controller-8bd99d95f-8lbg5 1/1 Running 0 3h2m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/ingress-nginx NodePort 10.96.153.40 <none> 80:32666/TCP,443:31140/TCP 3h
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout kube-dashboard.key -out kube-dashboard.crt -subj "/CN=dashboard.kube.com/O=dashboard.kube.com"
kubectl create secret tls kube-dasboard-ssl --key kube-dashboard.key --cert kube-dashboard.crt -n kubernetes-dashboard
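The openssl command above puts the host name only in the certificate's CN, while Chrome (since version 58) matches host names against subjectAltName only. As an added example (not part of the original page), this POSIX shell script generates the certificate with a SAN entry and checks name, remaining lifetime and key match before the files go into the TLS secret; it assumes OpenSSL 1.1.1 or later for -addext, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: check a certificate before loading it into the TLS secret.

# Self-signed cert for host $1, valid $2 days, written to $3.key / $3.crt,
# with the host name in subjectAltName (-addext needs OpenSSL 1.1.1+).
make_cert() {
  openssl req -x509 -nodes -newkey rsa:2048 -days "$2" \
    -keyout "$3.key" -out "$3.crt" \
    -subj "/CN=$1/O=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null
}

# Succeed if certificate file $1 lists host $2 as a SAN dNSName.
cert_has_san() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' |
    tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# Succeed if certificate file $1 is still valid $2 days from now.
cert_valid_in_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeed if private key $1 belongs to certificate $2.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Run all checks on $1.key / $1.crt for host $2; print one verdict.
check_cert() {
  cert_has_san "$1.crt" "$2" || { echo "FAIL: $2 not in subjectAltName"; return 1; }
  cert_valid_in_days "$1.crt" 30 || { echo "FAIL: expires within 30 days"; return 1; }
  key_matches_cert "$1.key" "$1.crt" || { echo "FAIL: key does not match cert"; return 1; }
  echo "OK: $1.crt is usable for $2"
}

# Host name and file names follow the page; the temp directory is this example's.
tmp=$(mktemp -d)
make_cert dashboard.kube.com 365 "$tmp/kube-dashboard" &&
  check_cert "$tmp/kube-dashboard" dashboard.kube.com
```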
[root@k8s-master dashboard-ingress]# vim ingress-dashbooard.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: k8s-dashboard
  namespace: kubernetes-dashboard
  annotations:
    # class annotation key that ingress-nginx reads
    kubernetes.io/ingress.class: nginx
    # the Dashboard backend serves HTTPS, so nginx must proxy to it over TLS
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
    - dashboard.kube.com
    secretName: kube-dasboard-ssl
  rules:
  - host: dashboard.kube.com
    http:
      paths:
      - path:
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
[root@k8s-master dashboard-ingress]# kubectl get ingress -n kubernetes-dashboard
NAME HOSTS ADDRESS PORTS AGE
k8s-dashboard dashboard.kube.com 10.96.153.40 80, 443 3d2h
Check the HTTPS port that ingress-nginx exposes externally:
[root@k8s-master dashboard-ingress]# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx NodePort 10.96.153.40 <none> 80:32666/TCP,443:31140/TCP 3d3h
Bind the domain dashboard.kube.com to the IP of any k8s node, and the Dashboard can then be reached at https://dashboard.kube.com:31140