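Deploying the Dashboard visualization add-on on Kubernetes

Dashboard overview

The Kubernetes community maintains a popular project called Dashboard, which gives users a visual web interface for viewing information about the current cluster. With Kubernetes Dashboard, users can deploy containerized applications, monitor application status, troubleshoot problems, and manage Kubernetes resources.

This guide deploys Dashboard v1.10.1.
The YAML manifest pulls its image from Google's registry, so first download the manifest locally and change it to pull the image from the Alibaba Cloud registry.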

$ wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml

Edit the image field in the manifest so that the image is pulled from the Alibaba Cloud image registry:
$ vim kubernetes-dashboard.yaml
#image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
image: registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1

For convenient access we use a NodePort here. Edit kubernetes-dashboard.yaml and add type: NodePort to the Service definition at the end of the file:

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard

Deploy the dashboard

[root@master k8s]# kubectl apply -f kubernetes-dashboard.yaml
[root@master k8s]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
kube-dns               ClusterIP   10.96.0.10      <none>        53/UDP,53/TCP   16h
kubernetes-dashboard   NodePort    10.99.195.255   <none>        443:31701/TCP   14h

The NodePort is 31701.

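Authentication

The dashboard login supports two authentication methods, Kubeconfig and token. Kubeconfig also relies on the token field, so generating a token is a required step.
We create an admin user and bind it to the admin role: the YAML file below creates the admin user and grants it administrator privileges, after which you can log in to the dashboard with its token. Under the hood, this authentication method is a Service Account identity plus a Bearer token sent with requests to the API server.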

Create the file admin-acount.yaml

[root@master dashboard]# cat admin-acount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: admin
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: admin
    namespace: kube-system

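Note: the manifest above creates a service account named admin in the kube-system namespace and binds the cluster-admin role to it, which gives the admin account administrator privileges. By default, kubeadm has already created the cluster-admin role when it set up the cluster, so we only need to bind it.

View the admin account's token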

[root@master k8s]# kubectl get serviceaccount -n kube-system | grep admin
admin 1 15h
[root@master k8s]# kubectl describe serviceaccount admin -n kube-system
Name: admin
Namespace: kube-system
Labels: k8s-app=kubernetes-dashboard
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"labels":{"k8s-app":"kubernetes-dashboard"},"name":"admin","namespace":"kube-sy…
Image pull secrets:
Mountable secrets: admin-token-sx7qr
Tokens: admin-token-sx7qr
Events:
[root@master k8s]# kubectl describe secret admin-token-sx7qr -n kube-system
Name: admin-token-sx7qr
Namespace: kube-system
Labels:
Annotations: kubernetes.io/service-account.name=admin
kubernetes.io/service-account.uid=536a4f21-8391-11e9-80e0-005056b2366f

Type: kubernetes.io/service-account-token

Data

ca.crt: 1025 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi1zeDdxciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjUzNmE0ZjIxLTgzOTEtMTFlOS04MGUwLTAwNTA1NmIyMzY2ZiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.Qt3_uzOR8FS-q3leD8sZIEJPKIwYJf0f00GlpGno2j00Cdx8Tdzs31SXlxt_ueV1xTp15HFYBRtYg5FKdRreJjjp0MFqF1teYBY_fMQyf3x1-s3MHG1Ile2bFFUbSeyKZaEnu8RRiPhguaymcuZhOuTvOgQ7EBKDa6xfRa6RAMv0MR37c2cqz6gBgeKdjZSUM8zbuv753gBBJUzxjqx_byIiuce-taRnMVYvDBr1zmvGdDhGJDSHhhVfH6e21ubd4hfV6pT8AonKLNCnLnYmVA36uiJPqNRS_ix0dgtimQUhMriHzLlkB9RKPMMKCuLaVTAYvhqV-lyAQyXc1Er7JA

Then we can check the port on which the dashboard is reachable from outside the cluster:
[root@master k8s]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
kube-dns               ClusterIP   10.96.0.10      <none>        53/UDP,53/TCP   16h
kubernetes-dashboard   NodePort    10.99.195.255   <none>        443:31701/TCP   14h

Now open port 31701 in a browser:
https://192.168.20.111:31701
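
An added example (not from the original post): a small Python check for the two settings this walkthrough combines, a ServiceAccount bound to cluster-admin and a Service exposed on a node port, since anyone who can reach that port and holds the token has full control of the cluster. The sample objects are constructed to mirror the ones created above; the `viewer` binding and the function name `audit` are assumptions for illustration.

```python
import json

# Constructed sample, trimmed to the fields the check reads. It is shaped like the
# "items" lists returned by `kubectl get clusterrolebindings -o json` and
# `kubectl get svc --all-namespaces -o json`, merged into one list.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "admin", "namespace": "kube-system"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "viewer"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "ServiceAccount", "name": "viewer", "namespace": "kube-system"}]},
 {"kind": "Service", "metadata": {"name": "kubernetes-dashboard", "namespace": "kube-system"},
  "spec": {"type": "NodePort", "ports": [{"port": 443, "targetPort": 8443, "nodePort": 31701}]}},
 {"kind": "Service", "metadata": {"name": "kube-dns", "namespace": "kube-system"},
  "spec": {"type": "ClusterIP", "ports": [{"port": 53}]}}
]}
""")

def audit(objects):
    """Return (service accounts bound to cluster-admin, services exposed outside the cluster)."""
    admins, exposed = [], []
    for obj in objects.get("items", []):
        if obj["kind"] == "ClusterRoleBinding" and obj["roleRef"]["name"] == "cluster-admin":
            # "subjects" can be missing or null on a binding that has no subjects
            for s in obj.get("subjects") or []:
                if s["kind"] == "ServiceAccount":
                    admins.append(f'{s.get("namespace", "")}/{s["name"]}')
        elif obj["kind"] == "Service" and obj["spec"].get("type") in ("NodePort", "LoadBalancer"):
            meta = obj["metadata"]
            ports = [p["nodePort"] for p in obj["spec"].get("ports", []) if "nodePort" in p]
            exposed.append((f'{meta["namespace"]}/{meta["name"]}', ports))
    return admins, exposed

if __name__ == "__main__":
    admins, exposed = audit(SAMPLE)
    for sa in admins:
        print(f"cluster-admin service account (its token is full cluster control): {sa}")
    for svc, ports in exposed:
        print(f"service reachable on every node IP: {svc} nodePorts={ports}")
```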
