Kubernetes Dashboard

news/2024/11/8 8:53:35/


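1. Deploying and accessing the Kubernetes Dashboard

1.1 The Dashboard

It gives full control over the resource objects of the entire k8s cluster.

Dashboard is a web-based Kubernetes user interface. You can use Dashboard to deploy containerized applications to a Kubernetes cluster, troubleshoot containerized applications, and manage cluster resources. You can use Dashboard to get an overview of the applications running in the cluster, and to create or modify Kubernetes resources (such as Deployments, Jobs, DaemonSets, and so on). For example, you can scale a Deployment, start a rolling update, restart a Pod, or create a new application with the wizard.

Because Dashboard is a web-based Kubernetes user interface, the k8s cluster can be operated from a web page without using the command line.

Official documentation: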

https://kubernetes.io/zh-cn/docs/tasks/access-application-cluster/web-ui-dashboard/

2. Installing the dashboard

1. Download

wget  https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
The dashboard version used is v2.7.0.
Download the YAML file:
recommended.yaml
Edit the configuration file and set the type of the Service to NodePort:
[root@master dashboard]# vim recommended.yaml 
---
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort  # specify the Service type
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30088  # specify the port number on the host
  selector:
    k8s-app: kubernetes-dashboard
---
Leave all other settings unchanged. Apply the configuration above to start the dashboard-related instances.

2. Start the dashboard

[root@master dashboard]# kubectl apply -f recommended.yaml 
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created
[root@master dashboard]# 

Check whether the dashboard pods have started

[root@master dashboard]# kubectl get pod --all-namespaces
NAMESPACE              NAME                                         READY   STATUS         RESTARTS   AGE
default                sc-nginx-deploy-3-7496c84fcf-4489n           1/1     Running        0          5h52m
default                sc-nginx-deploy-3-7496c84fcf-msgm6           1/1     Running        0          5h52m
default                sc-nginx-deploy-3-7496c84fcf-q58lm           1/1     Running        0          5h52m
default                sc-nginx-deploy-4-766c99dd77-dgzq5           1/1     Running        0          5h52m
default                sc-nginx-deploy-4-766c99dd77-pljdw           1/1     Running        0          5h52m
default                sc-nginx-deploy-4-766c99dd77-s9qkc           1/1     Running        0          5h52m
default                sc-nginx-deploy-7bb895f9f5-7ttq9             1/1     Running        1          22h
default                sc-nginx-deploy-7bb895f9f5-mlhqt             1/1     Running        1          22h
default                sc-nginx-deploy-7bb895f9f5-prbvf             1/1     Running        1          22h
halou-gh               gh-nginx-busybox                             2/2     Running        26         15d
ingress-nginx          ingress-nginx-admission-create-fwrjt         0/1     Completed      0          22h
ingress-nginx          ingress-nginx-admission-patch-m7ftw          0/1     Completed      0          22h
ingress-nginx          ingress-nginx-controller-589dccc958-pz6s8    1/1     Running        1          22h
ingress-nginx          ingress-nginx-controller-589dccc958-zhrpq    1/1     Running        1          22h
kube-system            calico-kube-controllers-6949477b58-48hcx     1/1     Running        9          12d
kube-system            calico-node-48bw7                            1/1     Running        16         20d
kube-system            calico-node-lwvsk                            1/1     Running        16         20d
kube-system            calico-node-zjvg8                            1/1     Running        16         20d
kube-system            coredns-7f89b7bc75-pncxv                     1/1     Running        16         20d
kube-system            coredns-7f89b7bc75-zrzp2                     1/1     Running        9          12d
kube-system            etcd-master                                  1/1     Running        16         20d
kube-system            kube-apiserver-master                        1/1     Running        18         20d
kube-system            kube-controller-manager-master               1/1     Running        16         20d
kube-system            kube-proxy-48lqm                             1/1     Running        16         20d
kube-system            kube-proxy-7kfxj                             1/1     Running        16         20d
kube-system            kube-proxy-lwlxq                             1/1     Running        16         20d
kube-system            kube-scheduler-master                        1/1     Running        16         20d
kube-system            metrics-server-769f6c8464-ctxl7              1/1     Running        24         16d
kubernetes-dashboard   dashboard-metrics-scraper-66dd8bdd86-gg2c6   1/1     Running        0          2m17s
kubernetes-dashboard   kubernetes-dashboard-785c75749d-7vglw        1/1     Running        0          2m17s
mem-example            memory-demo                                  1/1     Running        14         16d
mem-example            memory-demo-3                                1/1     Running        13         16d
sc                     pod-nodename                                 1/1     Running        6          8d
sc                     pod-nodeselector                             0/1     NodeAffinity   0          8d
[root@master dashboard]# 
[root@master dashboard]# kubectl get pod --all-namespaces|grep dashboard
kubernetes-dashboard   dashboard-metrics-scraper-66dd8bdd86-gg2c6   1/1     Running        0          2m59s
kubernetes-dashboard   kubernetes-dashboard-785c75749d-7vglw        1/1     Running        0          2m59s
[root@master dashboard]# 

Check whether the services were created

[root@master dashboard]# kubectl get svc --all-namespaces|grep dash
kubernetes-dashboard   dashboard-metrics-scraper            ClusterIP   10.111.14.32     <none>        8000/TCP                     3m37s
kubernetes-dashboard   kubernetes-dashboard                 NodePort    10.109.54.232    <none>        443:30088/TCP                3m37s
[root@master dashboard]# 

3. Access it in a browser, using the HTTPS protocol

https://192.168.182.133:30088/


A login screen appears and asks for a token.

Get the name of the dashboard's secret

kubectl get secret -n kubernetes-dashboard|grep dashboard-token
[root@master dashboard]# kubectl get secret -n kubernetes-dashboard|grep dashboard-token
kubernetes-dashboard-token-w2fzn   kubernetes.io/service-account-token   3      7m4s
[root@master dashboard]# 

Get the token stored in the secret

kubectl describe secret kubernetes-dashboard-token-w2fzn -n kubernetes-dashboard
[root@master dashboard]# kubectl describe secret kubernetes-dashboard-token-w2fzn -n kubernetes-dashboard
Name:         kubernetes-dashboard-token-w2fzn
Namespace:    kubernetes-dashboard
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: kubernetes-dashboard
              kubernetes.io/service-account.uid: c916b21d-bdf3-4299-a976-3c7f736dc9fb

Type:  kubernetes.io/service-account-token

Data
====
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6InhDSFBDR1Zqa0l3a2hHWW1wVmZhc3lpZm1nOUxYVFBOanM3dUVfd2NSZDgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZC10b2tlbi13MmZ6biIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImM5MTZiMjFkLWJkZjMtNDI5OS1hOTc2LTNjN2Y3MzZkYzlmYiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlcm5ldGVzLWRhc2hib2FyZDprdWJlcm5ldGVzLWRhc2hib2FyZCJ9.LOod4iSE_j9x32OmFgVH_s6NpppxDcQSTeKEax9KIU-6Bj_XAwwByg4RCp2wDo1EYy21ofXlza3waQF7NncsLhbETnCqwT-3tXyyybv-wzIpjkuk-EnUIoKLHtv3BEEG1VaS71yaPq2m5I8Wu2vVyAnO90gdKMWkHzNl-jO10eNb4XXqBO1Ps__IRcVg8TlCWco21dSxFwSTb6WSKgF38k4XPOhxy8jNsznHoTqjE0f2uaLx7q11WKGc-T5s1g6K41FhXUtos5sDu6UjROaE-tu3fVO5cQ1foSXNaThC1OpOk5RIkDIVgxyZvEM3yGrCvhP_B_8eLsuGtYd8tm_VUg
ca.crt:     1066 bytes
namespace:  20 bytes
[root@master dashboard]# 

Get the port of the dashboard service

[root@master dashboard]# kubectl get svc --all-namespaces|grep dash
kubernetes-dashboard   dashboard-metrics-scraper            ClusterIP   10.111.14.32     <none>        8000/TCP                     9m33s
kubernetes-dashboard   kubernetes-dashboard                 NodePort    10.109.54.232    <none>        443:30088/TCP                9m33s
[root@master dashboard]# 

Visit: https://192.168.182.133:30088/


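After logging in, the dashboard cannot access any resource objects because it has no permissions; RBAC authorization is needed.

Authorize kubernetes-dashboard so that namespace resources can be found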

[root@master dashboard]# kubectl create clusterrolebinding serviceaccount-cluster-admin --clusterrole=cluster-admin --user=system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard
clusterrolebinding.rbac.authorization.k8s.io/serviceaccount-cluster-admin created
[root@master dashboard]# 

Then refresh the page and the resources appear.


To delete the role binding:

[root@master ~]# kubectl delete clusterrolebinding serviceaccount-cluster-admin 

Create this role binding with YAML

[root@master dashboard]# kubectl get clusterrolebinding serviceaccount-cluster-admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2024-03-23T08:15:27Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:roleRef:
        f:apiGroup: {}
        f:kind: {}
        f:name: {}
      f:subjects: {}
    manager: kubectl-create
    operation: Update
    time: "2024-03-23T08:15:27Z"
  name: serviceaccount-cluster-admin
  resourceVersion: "583594"
  uid: bcc29869-fa2c-4878-bd9c-f19c415805d1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard
[root@master dashboard]# 
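
An added example, not part of the original post: the binding above is stored with a "kind: User" subject named system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard, so an audit that only looks for "kind: ServiceAccount" subjects would miss that the dashboard login token now carries cluster-admin. The Python sketch below checks all three subject forms that resolve to a service account. The sample bindings are constructed, and the ci-deployer-admin entry and all function names are hypothetical.

```python
# Added example: find service accounts that hold cluster-admin via a ClusterRoleBinding.
SA_USER = "system:serviceaccount:"    # username form: system:serviceaccount:<ns>:<name>
SA_GROUP = "system:serviceaccounts"   # all SAs; "system:serviceaccounts:<ns>" for one namespace


def _crb(name, role, *subjects):
    """Build a minimal ClusterRoleBinding dict from (kind, name[, namespace]) tuples."""
    return {"metadata": {"name": name},
            "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [dict(zip(("kind", "name", "namespace"), s)) for s in subjects]}


# Constructed sample shaped like `kubectl get clusterrolebindings -o json`.
# "serviceaccount-cluster-admin" and "kubernetes-dashboard" mirror this page;
# "ci-deployer-admin" is a made-up entry.
SAMPLE = {"items": [
    _crb("cluster-admin", "cluster-admin", ("Group", "system:masters")),
    _crb("serviceaccount-cluster-admin", "cluster-admin",
         ("User", "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard")),
    _crb("kubernetes-dashboard", "kubernetes-dashboard",
         ("ServiceAccount", "kubernetes-dashboard", "kubernetes-dashboard")),
    _crb("ci-deployer-admin", "cluster-admin", ("ServiceAccount", "deployer", "ci")),
]}


def service_account_subjects(binding):
    """Yield (namespace, name) for each subject that resolves to a service account."""
    for subj in binding.get("subjects") or []:
        kind, name = subj.get("kind"), subj.get("name", "")
        if kind == "ServiceAccount":
            yield subj.get("namespace", ""), name
        elif kind == "User" and name.startswith(SA_USER):
            # The form that `kubectl create clusterrolebinding --user=...` records.
            ns, _, sa = name[len(SA_USER):].partition(":")
            if ns and sa:
                yield ns, sa
        elif kind == "Group" and (name == SA_GROUP or name.startswith(SA_GROUP + ":")):
            yield name[len(SA_GROUP) + 1:] or "*", "*"   # every SA in a namespace, or all


def find_privileged_service_accounts(doc, role="cluster-admin"):
    """Return sorted (binding, namespace, serviceaccount) tuples bound to `role`."""
    hits = []
    for binding in doc.get("items", []):
        ref = binding.get("roleRef", {})
        if ref.get("kind") == "ClusterRole" and ref.get("name") == role:
            hits += [(binding["metadata"]["name"], ns, sa)
                     for ns, sa in service_account_subjects(binding)]
    return sorted(hits)


if __name__ == "__main__":
    for crb, ns, sa in find_privileged_service_accounts(SAMPLE):
        print(f"{crb}: service account {ns}/{sa} is bound to cluster-admin")
```

On a live cluster, replace SAMPLE with the parsed output of kubectl get clusterrolebindings -o json (for example json.load(sys.stdin)).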

Write the role binding into the YAML file as well

[root@master dashboard]# cat recommended-sc-2023.yaml 
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: serviceaccount-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard
---
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30088
  selector:
    k8s-app: kubernetes-dashboard
---
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
type: Opaque
data:
  csrf: ""
---
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
type: Opaque
---
kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
  # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard
---
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.7.0
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
---
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper
---
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.8
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
            - mountPath: /tmp
              name: tmp-volume
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}
[root@master dashboard]# 

A reference article by an expert:

https://blog.51cto.com/yangxingzhen/5980340

4. Changing the token timeout


