
kubernetes-dashboard deployment

Author: Lavanda_yang | Published 2019-04-01 16:26, 0 reads

    Background

    For managing and monitoring the state of a k8s cluster visually, kubernetes-dashboard is a fairly popular choice. The dashboard provides a web UI in which we can view the state of the Kubernetes cluster and perform operations on it, which makes managing a k8s cluster considerably easier.

    In k8s the dashboard can be accessed in two ways: kubeconfig (HTTPS) and token (http). This post first covers token access.

    Token access needs no login password and is simple and convenient.

    1. Download the dashboard YAML manifest from the official site and make the changes described below.

    # Official version: https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

    2. After downloading, edit the YAML file and change the image line as follows:

    image: registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1

    Change the image in the file to one you are able to pull.

    3. Change the Service so that the dashboard is reached through a NodePort:

    # ------------------- Dashboard Service ------------------- #
    kind: Service
    apiVersion: v1
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard
      namespace: kube-system
    spec:
      type: NodePort      # added: type: NodePort
      ports:
        - port: 443
          targetPort: 8443
          nodePort: 31620  # added: nodePort: 31620
      selector:
        k8s-app: kubernetes-dashboard

    4. In the official dashboard manifest, the kubernetes-dashboard service account is bound to the role kubernetes-dashboard-minimal, which has no permission to read or operate on the cluster, so logging in to the dashboard produces a permission error: “configmaps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard"”. The RoleBinding is therefore changed to bind a role with higher privileges:

    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: kubernetes-dashboard
    subjects:
      - kind: ServiceAccount
        name: kubernetes-dashboard
        namespace: kube-system
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io
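    Binding the dashboard service account to cluster-admin, as above, makes the token read out in step 6 a full-cluster credential, so it is worth knowing at any time which service accounts hold such a binding. The following audit script is an added example, not part of this post or of the dashboard project: it reads the JSON that `kubectl get clusterrolebindings -o json` produces and lists every ServiceAccount tied to a privileged ClusterRole. The sample input is constructed for the example (the first binding is the one from step 4; the other two are made up), and the function and constant names are my own.

```python
import json

# Constructed sample: a trimmed copy of what
#   kubectl get clusterrolebindings -o json
# returns after step 4. The first item is the binding from this post;
# the other two are made up for the example.
SAMPLE_BINDINGS = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "kubernetes-dashboard"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "ServiceAccount",
                          "name": "kubernetes-dashboard",
                          "namespace": "kube-system"}],
        },
        {
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "cluster-admin"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "Group",
                          "apiGroup": "rbac.authorization.k8s.io",
                          "name": "system:masters"}],
        },
        {
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "monitoring-view"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "view"},
            "subjects": [{"kind": "ServiceAccount",
                          "name": "prometheus",
                          "namespace": "monitoring"}],
        },
    ],
})

# ClusterRoles whose holders effectively own the cluster.
PRIVILEGED_ROLES = frozenset({"cluster-admin"})


def find_privileged_service_accounts(bindings_json, privileged=PRIVILEGED_ROLES):
    """Return (binding name, namespace/serviceaccount, role) for every
    ServiceAccount that a ClusterRoleBinding ties to a privileged ClusterRole.

    Users and Groups are skipped on purpose: a ServiceAccount's token sits in
    a Secret (step 6 reads it out), so whoever can read that Secret holds the
    role too."""
    data = json.loads(bindings_json)
    findings = []
    for item in data.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in privileged:
            continue
        for subj in item.get("subjects") or []:
            if subj.get("kind") != "ServiceAccount":
                continue
            sa = f"{subj.get('namespace', 'default')}/{subj['name']}"
            findings.append((item["metadata"]["name"], sa, ref["name"]))
    return findings


if __name__ == "__main__":
    # On a real cluster: kubectl get clusterrolebindings -o json | python3 audit.py
    for binding, sa, role in find_privileged_service_accounts(SAMPLE_BINDINGS):
        print(f"{binding}: {sa} -> {role}")
```

    If the dashboard is only used to look at the cluster, the built-in read-only `view` ClusterRole can be bound instead of `cluster-admin`; the audit above then reports nothing for the dashboard while still flagging any other service account that has been given cluster-admin.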

    5. On the master, create the dashboard from the kubernetes-dashboard.yaml file:

    kubectl create -f kubernetes-dashboard.yaml

    6. Get the dashboard token

    kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep kubernetes-dashboard-token|awk '{print $1}')|grep token:|awk '{print $2}'

    7. Open the instance address and service port in Firefox (https://10.1.245.239:31620/#!/login), paste the token obtained in step 6 into the token field, and click Sign in to reach the dashboard.
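    The value printed in step 6 is a JWT, and it pays to know what is being pasted into the browser: its payload names the namespace, the service account and the Secret the token was minted for, and a legacy secret-based service-account token carries no `exp` claim, so it stays valid until the Secret is deleted. The decoder below is an added example, not code from this post or from the dashboard project; it only splits and base64url-decodes the token and does not verify the signature (that needs the API server's public key). The sample token is constructed inline with an empty signature, and the secret-name suffix and UID in it are made up.

```python
import base64
import json


def _b64url_decode(segment):
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_service_account_token(token):
    """Return (header, payload) dicts of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def describe_service_account_token(token):
    """Pull out the claims a Kubernetes service-account token carries."""
    header, payload = decode_service_account_token(token)
    prefix = "kubernetes.io/serviceaccount/"
    return {
        "alg": header.get("alg"),
        "namespace": payload.get(prefix + "namespace"),
        "service_account": payload.get(prefix + "service-account.name"),
        "secret": payload.get(prefix + "secret.name"),
        # Legacy secret-based tokens have no expiry claim at all.
        "expires": payload.get("exp"),
    }


def make_sample_token():
    """Constructed sample token: same header as the one in this post, a
    made-up payload for the kubernetes-dashboard service account, and an
    empty signature so it can be decoded offline."""
    header = {"alg": "RS256", "kid": ""}
    payload = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "kube-system",
        "kubernetes.io/serviceaccount/secret.name": "kubernetes-dashboard-token-abcde",
        "kubernetes.io/serviceaccount/service-account.name": "kubernetes-dashboard",
        "kubernetes.io/serviceaccount/service-account.uid": "00000000-0000-0000-0000-000000000000",
        "sub": "system:serviceaccount:kube-system:kubernetes-dashboard",
    }

    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(payload)}."


if __name__ == "__main__":
    # On a real cluster, pass the output of the step 6 command instead.
    print(json.dumps(describe_service_account_token(make_sample_token()), indent=2))
```

    Because the token never expires on its own, treat it like a root password: rotate it by deleting the Secret if it was ever pasted into an untrusted browser, and avoid leaving it in shell history.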

    Appendix: the modified yaml file

    # Copyright 2017 The Kubernetes Authors.
    #
    # Licensed under the Apache License, Version 2.0 (the "License");
    # you may not use this file except in compliance with the License.
    # You may obtain a copy of the License at
    #
    #    http://www.apache.org/licenses/LICENSE-2.0
    #
    # Unless required by applicable law or agreed to in writing, software
    # distributed under the License is distributed on an "AS IS" BASIS,
    # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    # See the License for the specific language governing permissions and
    # limitations under the License.

    # ------------------- Dashboard Secret ------------------- #
    apiVersion: v1
    kind: Secret
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard-certs
      namespace: kube-system
    type: Opaque
    ---
    # ------------------- Dashboard Service Account ------------------- #
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard
      namespace: kube-system
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: kubernetes-dashboard
    subjects:
      - kind: ServiceAccount
        name: kubernetes-dashboard
        namespace: kube-system
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io
    ---
    # ------------------- Dashboard Deployment ------------------- #
    kind: Deployment
    apiVersion: apps/v1
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard
      namespace: kube-system
    spec:
      replicas: 1
      revisionHistoryLimit: 10
      selector:
        matchLabels:
          k8s-app: kubernetes-dashboard
      template:
        metadata:
          labels:
            k8s-app: kubernetes-dashboard
        spec:
          containers:
          - name: kubernetes-dashboard
            image: registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
            ports:
            - containerPort: 8443
              protocol: TCP
            args:
              - --auto-generate-certificates
              # Uncomment the following line to manually specify Kubernetes API server Host
              # If not specified, Dashboard will attempt to auto discover the API server and connect
              # to it. Uncomment only if the default does not work.
              # - --apiserver-host=http://my-address:port
            volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
            livenessProbe:
              httpGet:
                scheme: HTTPS
                path: /
                port: 8443
              initialDelaySeconds: 30
              timeoutSeconds: 30
          volumes:
          - name: kubernetes-dashboard-certs
            secret:
              secretName: kubernetes-dashboard-certs
          - name: tmp-volume
            emptyDir: {}
          serviceAccountName: kubernetes-dashboard
          # Comment the following tolerations if Dashboard must not be deployed on master
          tolerations:
          - key: node-role.kubernetes.io/master
            effect: NoSchedule
    ---
    # ------------------- Dashboard Service ------------------- #
    kind: Service
    apiVersion: v1
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard
      namespace: kube-system
    spec:
      type: NodePort      # added: type: NodePort
      ports:
        - port: 443
          targetPort: 8443
          nodePort: 31620  # added: nodePort: 31620
      selector:
        k8s-app: kubernetes-dashboard

    8. The dashboard created above can only be opened in Firefox, not in Chrome and other browsers, because of a problem with the certificate's validity period. The expired certificate is fixed as follows.

    a: Because the certificate is invalid, a new self-signed certificate has to be generated; generating a self-signed certificate with openssl is enough. The default validity is 1 month; to change the validity, add the -days parameter, as shown below:

    [ips@ips81 cert]$ openssl genrsa -out dashboard.key 2048 -days 365
    Generating RSA private key, 2048 bit long modulus
    ...........................+++
    .........+++
    e is 65537 (0x10001)
    [ips@ips81 cert]$ openssl req -new -out dashboard.csr -key dashboard.key -subj '/CN='10.1.235.81,10.1.235.82,10.1.235.72,10.1.245.239'' -days 365
    [ips@ips81 cert]$ openssl x509 -req -in dashboard.csr -signkey dashboard.key -out dashboard.crt -days 365
    Signature ok
    subject=/CN=10.1.235.81,10.1.235.82,10.1.235.72,10.1.245.239
    Getting Private key
    [ips@ips81 cert]$ openssl x509 -in dashboard.crt -text -noout
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number: 12978830105745149643 (0xb41e11376515cecb)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: CN=10.1.235.81,10.1.235.82,10.1.235.72,10.1.245.239
            Validity
                Not Before: Apr  1 08:02:30 2019 GMT
                Not After : May  1 08:02:30 2019 GMT
            Subject: CN=10.1.235.81,10.1.235.82,10.1.235.72,10.1.245.239
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:9f:4b:01:3c:d6:05:5c:1d:64:5e:e0:07:eb:3b:
                        c8:b5:d5:4b:1c:ca:5a:5c:44:49:93:b5:75:4a:e5:
                        b8:56:42:25:92:69:f1:09:d3:cf:31:75:7d:41:ed:
                        ea:92:68:e7:39:53:75:e5:92:be:db:da:ff:f9:63:
                        82:1e:58:32:54:5f:e6:b4:bc:5f:33:d5:c8:c0:eb:
                        2b:30:4d:ce:b0:22:50:7b:9a:f8:0e:ca:e9:a5:f5:
                        01:cf:8d:76:35:4a:38:12:a9:bd:85:26:f7:76:01:
                        a6:9f:8c:39:94:40:b2:10:fa:b2:fd:7a:bc:ce:0c:
                        33:cf:2d:b2:07:76:1e:55:05:e7:8d:95:95:d5:c7:
                        72:44:ff:b5:39:ae:b4:8d:83:40:05:a9:db:5e:ea:
                        6c:27:03:0b:65:a0:af:44:1e:f8:17:75:76:a9:66:
                        3d:56:04:51:fd:e1:1a:2e:ac:7b:9c:3a:f3:95:49:
                        d5:95:83:76:da:df:eb:41:d9:3f:4e:1e:3d:06:24:
                        fe:31:32:88:e8:4d:95:68:db:75:14:fa:6b:e6:5b:
                        f1:91:c0:12:82:65:ad:92:0d:48:b1:4a:d7:81:a1:
                        b4:53:c5:a2:99:f2:3f:25:33:3d:f7:a5:b0:bc:21:
                        ad:0b:7f:5f:06:aa:0e:ec:1b:a4:04:70:63:2f:d7:
                        21:9f
                    Exponent: 65537 (0x10001)
        Signature Algorithm: sha1WithRSAEncryption
            37:28:4b:7e:4a:54:e1:5c:15:7c:e7:c0:71:c8:2f:ae:1b:ce:
            10:67:0a:c2:53:72:67:64:b3:4c:48:6b:bf:79:a0:cd:dd:c5:
            41:5a:0b:de:ff:78:04:10:ef:c1:4b:02:fb:ab:7e:88:f5:eb:
            6a:0d:d8:50:4f:ea:ba:73:06:2b:dd:6f:8a:28:6f:9a:20:73:
            76:42:c2:1e:54:d9:bd:4e:d5:ec:a0:13:c8:49:86:25:1b:e2:
            b0:03:fe:0c:0a:72:6f:f1:0b:4e:2b:0b:b9:63:07:a9:10:29:
            f6:a7:b4:c5:fb:e4:ee:86:97:e5:78:8a:51:2c:c5:8d:a9:33:
            85:7f:35:fb:78:80:de:70:f7:3e:c0:73:dd:4e:61:ab:22:b6:
            3f:90:7b:2b:6e:dc:7f:5e:cc:c9:8e:37:7c:b4:5b:30:fb:fb:
            8f:ed:a2:2c:ca:9e:9f:10:33:81:e2:e4:54:20:29:0c:85:8c:
            44:24:ee:c5:2d:1c:ca:1e:ba:31:46:cf:2d:80:13:05:70:5d:
            5e:76:b3:38:c3:d4:1a:b9:9c:57:49:90:4f:e1:14:9d:e3:33:
            fe:67:96:df:75:5d:55:da:a5:12:89:9e:4b:21:63:4a:5f:db:
            13:fd:2f:56:8f:25:ea:10:4e:66:04:0f:5d:96:8f:dd:56:f4:
            d3:f3:f5:d3
    [ips@ips81 cert]$ ls
    dashboard.crt  dashboard.csr  dashboard.key  kubernetes-dashboard.yaml
    [ips@ips81 cert]$ ll
    total 20
    -rw-r--r-- 1 ips ips 1082 Apr  1 16:02 dashboard.crt
    -rw-r--r-- 1 ips ips  944 Apr  1 16:02 dashboard.csr
    -rw-r--r-- 1 ips ips 1679 Apr  1 16:02 dashboard.key
    -rw-r--r-- 1 ips ips 5093 Apr  1 15:53 kubernetes-dashboard.yaml
    [ips@ips81 cert]$
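    The `openssl x509 -text` output above shows three properties current browsers check before they trust a certificate for an IP address: the signature algorithm (sha1WithRSAEncryption is rejected), whether the names are in a subjectAltName extension (a v1 certificate has no extensions, and a comma-separated list in CN is not matched against anything), and the validity window (30 days here). The checker below is an added example, not code from this post or from the dashboard project; it parses that text output and reports which of these would keep a browser from accepting the certificate. The embedded sample is the certificate text above with the modulus and signature bytes removed, and the function names are my own.

```python
import re
from datetime import datetime, timezone

# Trimmed copy of the `openssl x509 -in dashboard.crt -text -noout` output
# shown above (modulus and signature bytes removed).
DASHBOARD_CERT_TEXT = """\
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 12978830105745149643 (0xb41e11376515cecb)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=10.1.235.81,10.1.235.82,10.1.235.72,10.1.245.239
        Validity
            Not Before: Apr  1 08:02:30 2019 GMT
            Not After : May  1 08:02:30 2019 GMT
        Subject: CN=10.1.235.81,10.1.235.82,10.1.235.72,10.1.245.239
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""

# Signature algorithms no current browser accepts on a leaf certificate.
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}


def _field(text, label):
    """Value of the first 'label: value' line in openssl's text output."""
    m = re.search(rf"^\s*{re.escape(label)}\s*:\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None


def parse_openssl_text(text):
    """Extract version, signature algorithm, subject, validity and SAN entries."""
    fmt = "%b %d %H:%M:%S %Y GMT"
    san = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*(.+)", text)
    return {
        "version": int(_field(text, "Version").split()[0]),
        "sig_alg": _field(text, "Signature Algorithm"),
        "subject": _field(text, "Subject"),
        "not_before": datetime.strptime(_field(text, "Not Before"), fmt),
        "not_after": datetime.strptime(_field(text, "Not After"), fmt),
        "san": [s.strip() for s in san.group(1).split(",")] if san else [],
    }


def check_dashboard_cert(text, node_ips, now=None):
    """Report why a browser would refuse this certificate for the given node IPs.

    now: ISO date string such as "2019-04-15", or None for the current UTC time."""
    info = parse_openssl_text(text)
    now_dt = (datetime.fromisoformat(now) if now
              else datetime.now(timezone.utc).replace(tzinfo=None))
    problems = []
    if info["sig_alg"] in WEAK_SIG_ALGS:
        problems.append(f"weak signature algorithm {info['sig_alg']}; sign with -sha256")
    if info["version"] < 3 or not info["san"]:
        problems.append("no subjectAltName extension; browsers ignore CN, "
                        "so each node IP must be listed as IP:<addr> in SAN")
    for ip in node_ips:
        if f"IP Address:{ip}" not in info["san"]:
            problems.append(f"{ip} missing from SAN")
    if not (info["not_before"] <= now_dt <= info["not_after"]):
        problems.append("certificate not valid at the time of the check")
    lifetime = (info["not_after"] - info["not_before"]).days
    return {"lifetime_days": lifetime, "problems": problems}


if __name__ == "__main__":
    # Check the certificate from this post against the NodePort address used in step 7.
    result = check_dashboard_cert(DASHBOARD_CERT_TEXT, ["10.1.245.239"], now="2019-04-15")
    print(f"valid for {result['lifetime_days']} days")
    for p in result["problems"]:
        print("-", p)
```

    Two details of the transcript explain the findings: `openssl x509 -req -signkey` without an `-extfile` emits a v1 certificate with no extensions at all, so the node addresses never reach a SAN, and `-days` is an option of `req` and `x509`, not of `genrsa`, so the first command's `-days 365` does nothing. Adding `-sha256` and a SAN extension file with `IP:` entries when signing, and checking the result with this script before loading it into the Secret, avoids another round of browser warnings.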

    b: Remove the Secret definition from the manifest, i.e. delete the following from the configuration file:

    # ------------------- Dashboard Secret ------------------- #
    apiVersion: v1
    kind: Secret
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard-certs
      namespace: kube-system
    type: Opaque
    ---

    c: Recreate the secret under the same name, kubernetes-dashboard-certs:

    kubectl create secret generic kubernetes-dashboard-certs --from-file=/data/ylh/k8sdashboard/cert/dashboard.key --from-file=/data/ylh/k8sdashboard/cert/dashboard.crt -n kube-system

    kubectl describe secret kubernetes-dashboard-certs -n kube-system

    d: Re-apply the yaml file, or delete the dashboard previously created in k8s and create it again

    kubectl apply -f kubernetes-dashboard.yaml   or

    kubectl create -f kubernetes-dashboard.yaml 

    e: Chrome can now open the dashboard just as Firefox does. First get the token:

    [ips@ips81 cert]$ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep kubernetes-dashboard-token|awk '{print $1}')|grep token:|awk '{print $2}'

    eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.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.JIsJb0lcgs7sXFyHQAZnRlxamILSiixjjjSX0J3QZOYyXCIoFTlWgVlU-IANV-zZShnEHOtOsLsniJf5VxXGCZJ-uCLfU0RhcgtsUEBLbWLw45X3o3wl6j8D9yZgKYPywzapwNxttO0wsJd5ribNn5bmcnPsqQ2HqrUyRhnDwtb3TZiUKb0LQh9vyossiE9Vhv-_TbJJbvx8Z3dJWxb6Fp6vGak7jq4EhHH1tEbSmQCvBbZpXtzdOad_V5Nfr2uHUkFb8FjhbQqf0ItSCsO7xlwRvmdgzFHvH9HyVgDqninHyZxn-VDt85pPTBRilrYFQ3Dzs33MgShmSNzVs9DUlA

    f: Open the dashboard URL (https://10.1.245.239:31620/#!/login), dismiss the warning by choosing to proceed to the unsafe site, enter the token from the previous step in the token field, and the dashboard is accessible.

    g. Inspecting the certificate in Chrome and Firefox shows that the validity period has changed: it is no longer an expired certificate and no longer shows the year 0001 seen below.

    https://www.jianshu.com/p/d6c10ee788a7


          Title: kubernetes-dashboard deployment
          Link: https://www.haomeiwen.com/subject/mfumbqtx.html