安装 dashboard
1.1 下载 yaml 文件
[root@uk8s-a ~]# mkdir web-ui
[root@uk8s-a ~]# cd web-ui/
[root@uk8s-a web-ui]# wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.3/aio/deploy/recommended.yaml
1.2 制作证书
因为要使用 ingress 通过域名的方式对外暴露访问,所以需要自己制作证书
准备证书生成脚本
[root@uk8s-a web-ui]# mkdir certs
[root@uk8s-a web-ui]# cd certs
[root@uk8s-a certs]# vim create_cert.sh
#!/bin/bash
# author: [email protected]
# bash create_cert.sh kubernetes-dashboard-certs dashboard dashboard.5179.top kubernetes-dashboard
if [ $# -ne 4 ];then
echo "please user in: `basename $0` SECRET_NAME CERT_NAME DOMAIN NAMESPACE"
exit 1
fi
SECRET_NAME=$1
CERT_NAME=$2
DOMAIN=$3
NAMESPACE=$4
# TLS Secrets
# Anytime we reference a TLS secret, we mean a PEM-encoded X.509, RSA (2048) secret.
# You can generate a self-signed certificate and private key with:
# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout ${CERT_NAME}.key -out ${CERT_NAME}.crt -subj "/CN=${DOMAIN}/O=${DOMAIN}"
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout ${CERT_NAME}.key -out ${CERT_NAME}.crt -subj "/CN=${DOMAIN}/O=${DOMAIN}"
# 创建 NAMESPACE
kubectl get namespace |grep ${NAMESPACE}
if [ $? -eq 0 ]; then
echo "[INFO] ${NAMESPACE} is already exists"
else
kubectl create namespace ${NAMESPACE}
echo "[INFO] create ${NAMESPACE} success!"
fi
# Then create the secret in the cluster via:
# kubectl create secret tls ${SECRET_NAME} --key ${CERT_NAME}.key --cert ${CERT_NAME}.crt
# 如果你使用--key --cert方式则创建的secret中data的默认2个文件名就是tls.key和tls.crt
kubectl create secret generic ${SECRET_NAME} --from-file=${CERT_NAME}.crt --from-file=${CERT_NAME}.key -n ${NAMESPACE}
# The resulting secret will be of type kubernetes.io/tls.
执行一下
[root@uk8s-a certs]# bash create_cert.sh kubernetes-dashboard-certs dashboard dashboard.5179.top kubernetes-dashboard
Generating a 2048 bit RSA private key
........+++
....................................................+++
writing new private key to 'dashboard.key'
-----
kubernetes-dashboard Active 2m48s
[INFO] kubernetes-dashboard is already exists
secret/kubernetes-dashboard-certs created
1.3 修改配置文件
修改文件,使用自己制作的证书
[root@uk8s-a web-ui]# vim ./recommended.yaml
#将以下内容注释,因为要用我们自己生成的证书
# ---
#apiVersion: v1
#kind: Secret
#metadata:
# labels:
# k8s-app: kubernetes-dashboard
# name: kubernetes-dashboard-certs
# namespace: kubernetes-dashboard
#type: Opaque
...
# 修改启动参数,添加证书路径
...
kind: Deployment
apiVersion: apps/v1
metadata:
spec:
...
spec:
containers:
- name: kubernetes-dashboard
image: kubernetesui/dashboard:v2.0.3
imagePullPolicy: Always
ports:
- containerPort: 8443
protocol: TCP
command: # 新增
- /dashboard # 新增
args:
- --auto-generate-certificates
- --namespace=kubernetes-dashboard
- --token-ttl=3600 # 新增
- --bind-address=0.0.0.0 # 新增
- --tls-cert-file=dashboard.crt # 新增
- --tls-key-file=dashboard.key # 新增
其中auto-generate-certificates
不能注释,因为我看到过有帖子说要注释掉(这个参数不仅仅是自动证书的开关,还是总的HTTPS的开关,当我们手工配置了证书后,容器不会自动生成)。
另外两个 tls
参数指定的是被挂载到容器中的证书的名字
执行一下该文件
[root@uk8s-a web-ui]# kubectl apply -f recommended.yaml
namespace/kubernetes-dashboard unchanged
serviceaccount/kubernetes-dashboard unchanged
service/kubernetes-dashboard unchanged
secret/kubernetes-dashboard-csrf configured
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
secret/kubernetes-dashboard-key-holder configured
configmap/kubernetes-dashboard-settings unchanged
role.rbac.authorization.k8s.io/kubernetes-dashboard unchanged
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard unchanged
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard unchanged
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard unchanged
deployment.apps/kubernetes-dashboard unchanged
service/dashboard-metrics-scraper unchanged
deployment.apps/dashboard-metrics-scraper unchanged
创建 ingress
文件
[root@uk8s-a ingress]# vim ingress-dashboard.yaml
[root@uk8s-a ingress]# cat ingress-dashboard.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-dashboard
namespace: kubernetes-dashboard
annotations:
kubernetes.io/ingress.class: "nginx"
# 开启use-regex,启用path的正则匹配
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
tls:
- hosts:
- dashboard.5179.top
secretName: kubernetes-dashboard-certs
rules:
- host: dashboard.5179.top
http:
paths:
- path: /
backend:
serviceName: kubernetes-dashboard
servicePort: 443
创建用户
[root@uk8s-a web-ui]# cat create-user.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kubernetes-dashboard
[root@uk8s-a web-ui]# kubectl apply -f create-user.yaml
serviceaccount/admin-user unchanged
clusterrolebinding.rbac.authorization.k8s.io/admin-user unchanged
获取登陆token
[root@uk8s-a web-ui]# cat get-user-token.sh
#!/bin/bash
USER=${1:-admin-user}
kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep $USER | awk '{print $1}')
# 执行一下脚本
[root@uk8s-a web-ui]# bash get-user-token.sh
Name: admin-user-token-dhx6r
Namespace: kubernetes-dashboard
Labels:
Annotations: kubernetes.io/service-account.name: admin-user
kubernetes.io/service-account.uid: 84583c60-2c95-4118-9158-6341962d917f
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1363 bytes
namespace: 20 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImZlaXFTZERBdjhGLWwyZ0xLTzljaHdhSlJ1OWdfeTNDWU4wRzhuS3MyYTAifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLWRoeDZyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4NDU4M2M2MC0yYzk1LTQxMTgtOTE1OC02MzQxOTYyZDkxN2YiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6YWRtaW4tdXNlciJ9.tPgicyWaMDfN5GkLY8XX2S-jhS-pvNC6eNvZ1FCIgZi3quWQND_JASqUr4Y9nyzdFtt-Jog1QbBCRGOE1YMrc3CX27TZttsbJNgq_PqlSjJ8NpmQfUzL5EAaYEUk7bcTRsePrGpECLqih7OOMN1lXO3WYiMJLfeDvkSaUweuUQzSTGtdkzbjVmVY-DksejyXSO_DI_-DMa4lq8zTnegwywdNUkFu06J_DXTTZZIpyKBKvpKz0pny2JIS4x9rI6v4g4Ljw47U7GM30CkQeletagQ8tjXf8g2QTp7Puc9NIpK39u8H1SIqbEZCBtRTJEfLTibDXXnlNplZF5FQ5bms1g
参考
https://blog.csdn.net/catoop/article/details/105046078/