Kubernetes Helm: setting up the dashboard

    Technology  2022-07-10

    kubernetes dashboard

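    Installing and deploying the dashboard with Helm
      1. Download the dashboard Helm chart locally
      2. Pull the Alibaba Cloud dashboard image on the node
      3. Write a custom dashboard.yaml file to replace values.yaml
      4. Run the dashboard Helm install
      5. Access the web UI
    Insufficient dashboard permissions
      1. Create a ServiceAccount (SA)
      2. Bind the SA (dashboard-admin) to the dashboard-cluster-admin user and grant it the clusterrole permission to access and manage the entire cluster
      3. Get the serviceaccount's secret, which contains the token
      4. Log in with a kubeconfig file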

    Installing and deploying the dashboard with Helm

    1. Download the dashboard Helm chart locally

        mkdir -p /kubernetes/helm/dashboard;cd /kubernetes/helm/dashboard
        helm repo update
        helm fetch aliyuncs/kubernetes-dashboard
        tar -zxvf kubernetes-dashboard-1.10.1.tgz

    2. Pull the Alibaba Cloud dashboard image on the node

    Alibaba Cloud K8S dashboard image address: https://cr.console.aliyun.com/images/cn-hangzhou/kubeapps/k8s-gcr-kubernetes-dashboard-amd64/detail

    registry.cn-hangzhou.aliyuncs.com/kubeapps/k8s-gcr-kubernetes-dashboard-amd64:v1.8.3

    docker pull registry.cn-hangzhou.aliyuncs.com/kubeapps/k8s-gcr-kubernetes-dashboard-amd64:v1.8.3

    3. Write a custom dashboard.yaml file to replace values.yaml

        image:
          repository: registry.cn-hangzhou.aliyuncs.com/kubeapps/k8s-gcr-kubernetes-dashboard-amd64
          tag: v1.8.3
        ingress:
          enabled: true
          hosts:
            - k8s.frognew.com
          annotations:
            nginx.ingress.kubernetes.io/ssl-redirect: "true"
            nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
          tls:
            - secretName: frognew-com-tls-secret
              hosts:
                - k8s.frognew.com
        rbac:
          clusterAdminRole: true

    4. Run the dashboard Helm install

        helm install dashboard . --namespace kube-system -f kubernetes-dashboard.yaml

        NAME: dashboard
        LAST DEPLOYED: Fri Jun 26 18:22:14 2020
        NAMESPACE: kube-system
        STATUS: deployed
        REVISION: 1
        TEST SUITE: None
        NOTES:
        *********************************************************************************
        *** PLEASE BE PATIENT: kubernetes-dashboard may take a few minutes to install ***
        *********************************************************************************
        From outside the cluster, the server URL(s) are:
        https://k8s.frognew.com

    Verify the Pod: kubectl get pod -n kube-system

    View the Pod details: kubectl get pod -n kube-system dashboard-kubernetes-dashboard-746c5869f9-bj9hx -o wide

    Verify the SVC: kubectl get svc -n kube-system

    To expose the service outside the cluster, change its type:

    kubectl edit svc -n kube-system dashboard-kubernetes-dashboard

    type: NodePort

    5. Access the web UI

    Open https://192.168.168.11:32304 in Firefox and choose to log in with a token.

    Get the name (key) of the dashboard token:

    kubectl -n kube-system get secret | grep dashboard

    Use the token name (key) to view the actual token value:

    kubectl describe secret -n kube-system dashboard-kubernetes-dashboard-token-2mkj8

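    Insufficient dashboard permissions

    Sometimes the permissions are insufficient: after logging in with the token you can open the cluster view, but you have no permission to see cluster information.

    What is needed is to create a token that has permission to access the entire cluster, or to have a super administrator use this user's token.

    1. Create a ServiceAccount (SA)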

        [root@k8s-master kubernetes-dashboard]# kubectl create serviceaccount dashboard-admin -n kube-system
        serviceaccount/dashboard-admin created
        [root@k8s-master kubernetes-dashboard]# kubectl get sa -n kube-system | grep dashboard-admin
        dashboard-admin   1   23s

    2. Bind the SA (dashboard-admin) to the dashboard-cluster-admin user and grant it the clusterrole permission to access and manage the entire cluster

        [root@kubernetes01 pki]# kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
        clusterrolebinding.rbac.authorization.k8s.io/dashboard-cluster-admin created

    3. Get the serviceaccount's secret, which contains the token

        [root@k8s-master kubernetes-dashboard]# kubectl get secret -n kube-system |grep dash
        dashboard-admin-token-2fb94                  kubernetes.io/service-account-token   3
        dashboard-kubernetes-dashboard-token-n2sxp   kubernetes.io/service-account-token   3
        [root@k8s-master kubernetes-dashboard]# kubectl describe secrets -n kube-system dashboard-admin-token-2fb94
        Name:         dashboard-admin-token-2fb94
        Namespace:    kube-system
        Labels:       <none>
        Annotations:  kubernetes.io/service-account.name: dashboard-admin
                      kubernetes.io/service-account.uid: c44a068c-9620-4fc0-a293-393b2b96b3eb
        Type:  kubernetes.io/service-account-token
        Data
        ====
        token:      <token value omitted>
        ca.crt:     1025 bytes
        namespace:  11 bytes

    4. Log in with a kubeconfig file

    Create a serviceaccount that has permissions only on the default namespace

        [root@kubernetes01 pki]# kubectl create serviceaccount def-ns-admin -n default
        serviceaccount/def-ns-admin created
        [root@kubernetes01 pki]# kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin
        rolebinding.rbac.authorization.k8s.io/def-ns-admin
        [root@kubernetes01 pki]# kubectl get secret
        NAME                       TYPE                                  DATA   AGE
        admin-token-bwrbg          kubernetes.io/service-account-token   3      5d1h
        def-ns-admin-token-xdvx5   kubernetes.io/service-account-token   3      2m9s
        default-token-87nlt        kubernetes.io/service-account-token   3      49d
        tomcat-ingress-secret      kubernetes.io/tls                     2      21d
        [root@master1 pki]# kubectl describe secret def-ns-admin-token-xdvx5
        Name:         def-ns-admin-token-xdvx5
        Namespace:    default
        Labels:       <none>
        Annotations:  kubernetes.io/service-account.name: def-ns-admin
                      kubernetes.io/service-account.uid: 928bbca1-245c-11e9-81cc-000c291e37c2
        Type:  kubernetes.io/service-account-token
        Data
        ====
        ca.crt:     1025 bytes
        namespace:  7 bytes
        token:      <token value omitted>

    In this case the permissions are narrower: after logging in with the token, you only have permissions on the default namespace.
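
The two kinds of account created on this page differ only in their bindings, so the quickest way to see what each token can reach is to read the bindings back. The following is an added example, not part of the original post: it lists every ServiceAccount grant and flags those holding cluster-admin cluster-wide. The sample JSON is constructed, and the name of the binding created by the chart's clusterAdminRole setting is an assumption.

```python
import json

# Constructed sample in the shape of
# `kubectl get clusterrolebindings,rolebindings --all-namespaces -o json`.
# Names follow the page, except the chart-created binding
# "dashboard-kubernetes-dashboard", whose name is an assumption.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "dashboard-cluster-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "dashboard-admin",
                "namespace": "kube-system"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "dashboard-kubernetes-dashboard"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "dashboard-kubernetes-dashboard",
                "namespace": "kube-system"}]},
 {"kind": "RoleBinding", "metadata": {"name": "def-ns-admin", "namespace": "default"},
  "roleRef": {"kind": "ClusterRole", "name": "admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "def-ns-admin",
                "namespace": "default"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:masters"}]}
]}
""")

def service_account_grants(bindings):
    """Return sorted (namespace/name, role, scope) for each ServiceAccount subject."""
    grants = []
    for b in bindings.get("items", []):
        # A ClusterRoleBinding applies cluster-wide. A RoleBinding applies only
        # in its own namespace, even when its roleRef names a ClusterRole.
        if b["kind"] == "ClusterRoleBinding":
            scope = "cluster-wide"
        else:
            scope = "namespace:" + b["metadata"]["namespace"]
        for s in b.get("subjects") or []:
            if s.get("kind") == "ServiceAccount":
                sa = s.get("namespace", "") + "/" + s["name"]
                grants.append((sa, b["roleRef"]["name"], scope))
    return sorted(grants)

def cluster_admin_service_accounts(bindings):
    """Service accounts whose token gives full control of the whole cluster."""
    return [sa for sa, role, scope in service_account_grants(bindings)
            if role == "cluster-admin" and scope == "cluster-wide"]

if __name__ == "__main__":
    print(cluster_admin_service_accounts(SAMPLE))
```

On a live cluster, replace SAMPLE with the parsed output of the kubectl command named in the first comment.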

        [root@kubernetes01 pki]# kubectl config set-cluster kubernetes --certificate-authority=./ca.crt --server="https://10.0.0.100:6443" --embed-certs=true --kubeconfig=/root/def-ns-admin.conf
        Cluster "kubernetes" set.
        [root@kubernetes01 pki]# kubectl config view --kubeconfig=/root/def-ns-admin.conf
        apiVersion: v1
        clusters:
        - cluster:
            certificate-authority-data: DATA+OMITTED
            server: https://10.0.0.100:6443
          name: kubernetes
        contexts: []
        current-context: ""
        kind: Config
        preferences: {}
        users: []
        [root@kubernetes01 pki]# kubectl get secret
        NAME                       TYPE                                  DATA   AGE
        def-ns-admin-token-xdvx5   kubernetes.io/service-account-token   3      5d
        [root@kubernetes01 pki]# kubectl describe secret def-ns-admin-token-xdvx5
        Name:         def-ns-admin-token-xdvx5
        Namespace:    default
        Labels:       <none>
        Annotations:  kubernetes.io/service-account.name: def-ns-admin
                      kubernetes.io/service-account.uid: 928bbca1-245c-11e9-81cc-000c291e37c2
        Type:  kubernetes.io/service-account-token
        Data
        ====
        ca.crt:     1025 bytes
        namespace:  7 bytes
        token:      <token value omitted>
        [root@master1 pki]# kubectl config set-credentials def-ns-admin --token=<token value from the describe output> --kubeconfig=/root/def-ns-admin.conf
        User "def-ns-admin" set.

    Set the context

        [root@kubernetes01 pki]# kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin --kubeconfig=/root/def-ns-admin.conf
        Context "def-ns-admin@kubernetes" created.

    use-context

        [root@kubernetes01 pki]# kubectl config use-context def-ns-admin@kubernetes --kubeconfig=/root/def-ns-admin.conf
        Switched to context "def-ns-admin@kubernetes".

    View the conf file, which is now complete

        [root@kubernetes01 pki]# kubectl config view --kubeconfig=/root/def-ns-admin.conf
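
Before a token is written into a kubeconfig with set-credentials, its payload can be decoded to confirm which service account it belongs to and whether it ever expires. The following is an added example, not part of the original post: the token is constructed (claims shaped like a secret-based service account token for default/def-ns-admin, with a dummy signature), and review_token is a hypothetical helper name.

```python
import base64
import json

def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature, got %d parts" % len(parts))
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def review_token(token: str, expected_sub: str) -> list:
    """Return findings to resolve before the token goes into a kubeconfig."""
    claims = decode_claims(token)
    findings = []
    if claims.get("sub") != expected_sub:
        findings.append("token belongs to %s, not %s" % (claims.get("sub"), expected_sub))
    if "exp" not in claims:
        findings.append("no exp claim: token stays valid until its secret is deleted")
    return findings

# Constructed sample token; the signature segment is a dummy value.
CLAIMS = {"iss": "kubernetes/serviceaccount",
          "kubernetes.io/serviceaccount/namespace": "default",
          "kubernetes.io/serviceaccount/service-account.name": "def-ns-admin",
          "sub": "system:serviceaccount:default:def-ns-admin"}
SAMPLE_TOKEN = ".".join([b64url(b'{"alg":"RS256"}'),
                         b64url(json.dumps(CLAIMS).encode()),
                         b64url(b"constructed-signature")])

if __name__ == "__main__":
    print(review_token(SAMPLE_TOKEN, "system:serviceaccount:default:def-ns-admin"))
```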