k8s-4: Installing the Kubernetes Dashboard management UI


Author: 王鹏_364f | Published: 2020-04-03 15:56

    Baidu Netdisk link: https://pan.baidu.com/s/1ZL07VO3ysXpyr5qMpMEHiw  Extraction code: aa86

    1. Install the dashboard

    (1) First we need to prepare a dashboard.yaml. Start by visiting the dashboard's GitHub releases page:

    https://github.com/kubernetes/dashboard/releases

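    (2) Download the tar.gz package, copy dashboard-2.0.0-rc6.tar.gz to the virtual machine, create a k8s folder, and put dashboard-2.0.0-rc6.tar.gz in it.

    (3) Open the yaml link in a browser, copy the contents of the yaml file into dashboard-deployment.yaml, and put that file in the k8s folder too.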

    kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-rc6/aio/deploy/recommended.yaml

    The contents of the dashboard-deployment (v2.0.0-rc6) yaml file follow; the parts marked in red are the ones to pay attention to.

    # Copyright 2017 The Kubernetes Authors.

    #

    # Licensed under the Apache License, Version 2.0 (the "License");

    # you may not use this file except in compliance with the License.

    # You may obtain a copy of the License at

    #

    #     http://www.apache.org/licenses/LICENSE-2.0

    #

    # Unless required by applicable law or agreed to in writing, software

    # distributed under the License is distributed on an "AS IS" BASIS,

    # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

    # See the License for the specific language governing permissions and

    # limitations under the License.

    apiVersion: v1

    kind: Namespace

    metadata:

      name: kubernetes-dashboard

    ---

    apiVersion: v1

    kind: ServiceAccount

    metadata:

      labels:

        k8s-app: kubernetes-dashboard

      name: kubernetes-dashboard

      namespace: kubernetes-dashboard

    ---

    kind: Service

    apiVersion: v1

    metadata:

      labels:

        k8s-app: kubernetes-dashboard

      name: kubernetes-dashboard

      namespace: kubernetes-dashboard

    spec:

      type: NodePort

      ports:

        - nodePort: 30888

          port: 443

          targetPort: 8443

      selector:

        k8s-app: kubernetes-dashboard

    ---

    apiVersion: v1

    kind: Secret

    metadata:

      labels:

        k8s-app: kubernetes-dashboard

      name: kubernetes-dashboard-certs

      namespace: kubernetes-dashboard

    type: Opaque

    ---

    apiVersion: v1

    kind: Secret

    metadata:

      labels:

        k8s-app: kubernetes-dashboard

      name: kubernetes-dashboard-csrf

      namespace: kubernetes-dashboard

    type: Opaque

    data:

      csrf: ""

    ---

    apiVersion: v1

    kind: Secret

    metadata:

      labels:

        k8s-app: kubernetes-dashboard

      name: kubernetes-dashboard-key-holder

      namespace: kubernetes-dashboard

    type: Opaque

    ---

    kind: ConfigMap

    apiVersion: v1

    metadata:

      labels:

        k8s-app: kubernetes-dashboard

      name: kubernetes-dashboard-settings

      namespace: kubernetes-dashboard

    ---

    kind: Role

    apiVersion: rbac.authorization.k8s.io/v1

    metadata:

      labels:

        k8s-app: kubernetes-dashboard

      name: kubernetes-dashboard

      namespace: kubernetes-dashboard

    rules:

      # Allow Dashboard to get, update and delete Dashboard exclusive secrets.

      - apiGroups: [""]

        resources: ["secrets"]

        resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]

        verbs: ["get", "update", "delete"]

        # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.

      - apiGroups: [""]

        resources: ["configmaps"]

        resourceNames: ["kubernetes-dashboard-settings"]

        verbs: ["get", "update"]

        # Allow Dashboard to get metrics.

      - apiGroups: [""]

        resources: ["services"]

        resourceNames: ["heapster", "dashboard-metrics-scraper"]

        verbs: ["proxy"]

      - apiGroups: [""]

        resources: ["services/proxy"]

        resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]

        verbs: ["get"]

    ---

    kind: ClusterRole

    apiVersion: rbac.authorization.k8s.io/v1

    metadata:

      labels:

        k8s-app: kubernetes-dashboard

      name: kubernetes-dashboard

    rules:

      # Allow Metrics Scraper to get metrics from the Metrics server

      - apiGroups: ["metrics.k8s.io"]

        resources: ["pods", "nodes"]

        verbs: ["get", "list", "watch"]

    ---

    apiVersion: rbac.authorization.k8s.io/v1

    kind: RoleBinding

    metadata:

      labels:

        k8s-app: kubernetes-dashboard

      name: kubernetes-dashboard

      namespace: kubernetes-dashboard

    roleRef:

      apiGroup: rbac.authorization.k8s.io

      kind: Role

      name: kubernetes-dashboard

    subjects:

      - kind: ServiceAccount

        name: kubernetes-dashboard

        namespace: kubernetes-dashboard

    ---

    apiVersion: rbac.authorization.k8s.io/v1

    kind: ClusterRoleBinding

    metadata:

      name: kubernetes-dashboard

    roleRef:

      apiGroup: rbac.authorization.k8s.io

      kind: ClusterRole

      name: kubernetes-dashboard

    subjects:

      - kind: ServiceAccount

        name: kubernetes-dashboard

        namespace: kubernetes-dashboard

    ---

    kind: Deployment

    apiVersion: apps/v1

    metadata:

      labels:

        k8s-app: kubernetes-dashboard

      name: kubernetes-dashboard

      namespace: kubernetes-dashboard

    spec:

      replicas: 1

      revisionHistoryLimit: 10

      selector:

        matchLabels:

          k8s-app: kubernetes-dashboard

      template:

        metadata:

          labels:

            k8s-app: kubernetes-dashboard

        spec:

          containers:

            - name: kubernetes-dashboard

              # This can be changed to an image address that you are able to reach

              image: kubernetesui/dashboard:v2.0.0-rc6

              imagePullPolicy: Always

              ports:

                - containerPort: 8443

                  protocol: TCP

              args:

                - --auto-generate-certificates

                - --namespace=kubernetes-dashboard

                # Uncomment the following line to manually specify Kubernetes API server Host

                # If not specified, Dashboard will attempt to auto discover the API server and connect

                # to it. Uncomment only if the default does not work.

                # - --apiserver-host=http://my-address:port

              volumeMounts:

                - name: kubernetes-dashboard-certs

                  mountPath: /certs

                  # Create on-disk volume to store exec logs

                - mountPath: /tmp

                  name: tmp-volume

              livenessProbe:

                httpGet:

                  scheme: HTTPS

                  path: /

                  port: 8443

                initialDelaySeconds: 30

                timeoutSeconds: 30

              securityContext:

                allowPrivilegeEscalation: false

                readOnlyRootFilesystem: true

                runAsUser: 1001

                runAsGroup: 2001

          volumes:

            - name: kubernetes-dashboard-certs

              secret:

                secretName: kubernetes-dashboard-certs

            - name: tmp-volume

              emptyDir: {}

          serviceAccountName: kubernetes-dashboard

          nodeSelector:

            "beta.kubernetes.io/os": linux

          # Comment the following tolerations if Dashboard must not be deployed on master

          tolerations:

            - key: node-role.kubernetes.io/master

              effect: NoSchedule

    ---

    kind: Service

    apiVersion: v1

    metadata:

      labels:

        k8s-app: dashboard-metrics-scraper

      name: dashboard-metrics-scraper

      namespace: kubernetes-dashboard

    spec:

      ports:

        - port: 8000

          targetPort: 8000

      selector:

        k8s-app: dashboard-metrics-scraper

    ---

    kind: Deployment

    apiVersion: apps/v1

    metadata:

      labels:

        k8s-app: dashboard-metrics-scraper

      name: dashboard-metrics-scraper

      namespace: kubernetes-dashboard

    spec:

      replicas: 1

      revisionHistoryLimit: 10

      selector:

        matchLabels:

          k8s-app: dashboard-metrics-scraper

      template:

        metadata:

          labels:

            k8s-app: dashboard-metrics-scraper

          annotations:

            seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'

        spec:

          containers:

            - name: dashboard-metrics-scraper

              image: kubernetesui/metrics-scraper:v1.0.3

              ports:

                - containerPort: 8000

                  protocol: TCP

              livenessProbe:

                httpGet:

                  scheme: HTTP

                  path: /

                  port: 8000

                initialDelaySeconds: 30

                timeoutSeconds: 30

              volumeMounts:

              - mountPath: /tmp

                name: tmp-volume

              securityContext:

                allowPrivilegeEscalation: false

                readOnlyRootFilesystem: true

                runAsUser: 1001

                runAsGroup: 2001

          serviceAccountName: kubernetes-dashboard

          nodeSelector:

            "beta.kubernetes.io/os": linux

          # Comment the following tolerations if Dashboard must not be deployed on master

          tolerations:

            - key: node-role.kubernetes.io/master

              effect: NoSchedule

          volumes:

            - name: tmp-volume

              emptyDir: {}

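    The three kinds of port:

    nodePort: the port on the actual physical node, open for external access

    port: the Service port; traffic that reaches the nodePort is proxied to the Service port

    targetPort: the Pod port

    Client access path: nodeIP:nodePort -> serviceIP:port -> podIP:targetPort

    About imagePullPolicy:

    # Always pull the image

    imagePullPolicy: Always

    # Default value: use the local image if one exists, without pulling

    imagePullPolicy: IfNotPresent

    # Use only the local image, never pull

    imagePullPolicy: Never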

    (4) Load dashboard-2.0.0-rc6.tar.gz into the Docker images

    [root@master k8s]# docker load -i dashboard-2.0.0-rc6.tar.gz

    If the docker load -i approach above cannot import it, the following approach also works.

    (5) Or run the command that applies the yaml file:

    kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-rc6/aio/deploy/recommended.yaml

    (6) Next we need a user.yaml for user permissions, which binds the role permissions; put the file in the k8s folder.

    apiVersion: rbac.authorization.k8s.io/v1

    kind: ClusterRoleBinding

    metadata:

      name: kubernetes-dashboard

      labels:

        k8s-app: kubernetes-dashboard

    roleRef:

      apiGroup: rbac.authorization.k8s.io

      kind: ClusterRole

      name: cluster-admin

    subjects:

    - kind: ServiceAccount

      name: default

      namespace: default

    (7) Apply user.yaml

    kubectl apply -f user.yaml

    (8) Check the dashboard's port: find the namespace in the yaml metadata and the port number

    # kubectl get svc -n [namespace from the yaml metadata]

    kubectl get svc -n kubernetes-dashboard

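    (9) Enter the dashboard URL: https:// + the local IP + the port number set on the Service (the nodePort)

    You must include https. The browser blocks the page because the certificate is auto-generated (self-signed); click Advanced, then click to continue to the site.

    (10) The login page appears

    (11) Configure the login user: get the token information with the following commands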

    kubectl get secret

    or

    kubectl describe secret default-token-w9z4x

    Save the token. This default user has low privileges.

    The token in this output is the one used for user login.


    To create a user with higher privileges, follow steps (6) and (7) above, then query that user's token.

    Create a file named create-admin-user.yml

    apiVersion: v1

    kind: ServiceAccount

    metadata:

      name: admin-user

      namespace: kube-system

    Create a file named binding-admin-user.yml

    apiVersion: rbac.authorization.k8s.io/v1

    kind: ClusterRoleBinding

    metadata:

      name: admin-user

      namespace: kube-system

    roleRef:

      apiGroup: rbac.authorization.k8s.io

      kind: ClusterRole

      name: cluster-admin

    subjects:

    - kind: ServiceAccount

      name: admin-user

      namespace: kube-system

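    # The parts in red are the namespace (namespaces are explained in the next chapter); admin-user is the user in question

    kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')

    Save the admin-user token from this output.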

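Both bindings created above (user.yaml and binding-admin-user.yml) give cluster-admin to a ServiceAccount, and the dashboard Service is a NodePort. The following Python audit is an added example, not part of the original post: it lists such grants from the JSON printed by `kubectl get clusterrolebindings,services -A -o json`. The embedded sample is constructed from this page's manifests plus a hypothetical `metrics-reader` binding, and the severity labels are this example's own convention.

```python
import json

# Constructed sample shaped like `kubectl get clusterrolebindings,services -A -o json`
# after following this page; it is not output captured from a real cluster.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "kubernetes-dashboard"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "admin-user"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "admin-user", "namespace": "kube-system"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "metrics-reader"},  # hypothetical
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "scraper", "namespace": "monitoring"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "Service", "metadata": {"name": "kubernetes-dashboard", "namespace": "kubernetes-dashboard"},
     "spec": {"type": "NodePort", "ports": [{"nodePort": 30888, "port": 443, "targetPort": 8443}]}},
]})


def audit(doc):
    """Return sorted (severity, message) findings for admin bindings and NodePort exposure."""
    findings = []
    for item in json.loads(doc).get("items", []):
        name = item.get("metadata", {}).get("name", "?")
        if item.get("kind") == "ClusterRoleBinding":
            if item.get("roleRef", {}).get("name") != "cluster-admin":
                continue
            for s in item.get("subjects") or []:  # subjects may be null
                if s.get("kind") != "ServiceAccount":
                    continue
                sa = f'{s.get("namespace")}/{s.get("name")}'
                # A namespace's "default" account is used by every pod that names no other.
                sev = "CRITICAL" if s.get("name") == "default" else "HIGH"
                findings.append((sev, f"{name}: cluster-admin -> ServiceAccount {sa}"))
        elif item.get("kind") == "Service" and item.get("spec", {}).get("type") == "NodePort":
            ns = item.get("metadata", {}).get("namespace")
            for p in item["spec"].get("ports", []):
                findings.append(("INFO", f"{ns}/{name}: nodePort {p.get('nodePort')} open on every node"))
    return sorted(findings)


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE):
        print(f"{sev:8} {msg}")
```

The built-in `cluster-admin` binding to the `system:masters` group is skipped because only ServiceAccount subjects are reported.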
