简介
Dashboard 是 kubernetes 的图形化管理工具,可直观的看到k8s中各个类型控制器的当前运行情况,以及Pod的日志,另外也可直接在 dashboard 中对已有的资源进行资源清单的修改。
安装
# 安装 helm 的 repo源
helm repo add k8s-dashboard https://kubernetes.github.io/dashboard
# 安装Dashboard,注意:要安装到kube-system名称空间下才可以操控整个集群
[root@Centos8 ~]# helm install k8s-dashboard/kubernetes-dashboard --version 2.6.0 -n k8s-dashboard --namespace kube-system
NAME: k8s-dashboard
LAST DEPLOYED: Sat Sep 12 11:43:46 2020
NAMESPACE: kube-system
STATUS: DEPLOYED
RESOURCES:
==> v1/ClusterRole
NAME AGE
k8s-dashboard-kubernetes-dashboard-metrics 0s
==> v1/ClusterRoleBinding
NAME AGE
k8s-dashboard-kubernetes-dashboard-metrics 0s
==> v1/ConfigMap
NAME DATA AGE
k8s-dashboard-kubernetes-dashboard-settings 0 1s
==> v1/Deployment
NAME READY UP-TO-DATE AVAILABLE AGE
k8s-dashboard-kubernetes-dashboard 0/1 1 0 1s
==> v1/Pod(related)
NAME READY STATUS RESTARTS AGE
k8s-dashboard-kubernetes-dashboard-6d5c6c747f-zgz79 0/1 ContainerCreating 0 1s
==> v1/Role
NAME AGE
k8s-dashboard-kubernetes-dashboard 0s
==> v1/RoleBinding
NAME AGE
k8s-dashboard-kubernetes-dashboard 0s
==> v1/Secret
NAME TYPE DATA AGE
k8s-dashboard-kubernetes-dashboard-certs Opaque 0 1s
kubernetes-dashboard-csrf Opaque 0 1s
kubernetes-dashboard-key-holder Opaque 0 1s
==> v1/Service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
k8s-dashboard-kubernetes-dashboard ClusterIP 10.111.75.108 <none> 443/TCP 1s
==> v1/ServiceAccount
NAME SECRETS AGE
k8s-dashboard-kubernetes-dashboard 1 1s
NOTES:
*********************************************************************************
*** PLEASE BE PATIENT: kubernetes-dashboard may take a few minutes to install ***
*********************************************************************************
Get the Kubernetes Dashboard URL by running:
export POD_NAME=$(kubectl get pods -n kube-system -l "app.kubernetes.io/name=kubernetes-dashboard,app.kubernetes.io/instance=k8s-dashboard" -o jsonpath="{.items[0].metadata.name}")
echo https://127.0.0.1:8443/
kubectl -n kube-system port-forward $POD_NAME 8443:8443
回显中可以看到,在kube-system名称空间下为k8s集群创建ClusterRole、ClusterRoleBinding、ConfigMap、Deployment、Pod(related)、Role、RoleBinding、Secret、Service和ServiceAccount等资源
详细可参考helm官方手册:https://hub.helm.sh/charts/k8s-dashboard/kubernetes-dashboard
查看是Pod是否正常启动
[root@Centos8 dashboard]# kubectl get pod -n kube-system NAME READY STATUS RESTARTS AGE k8s-dashboard-kubernetes-dashboard-6d5c6c747f-zgz79 0/1 ImagePullBackOff 0 2m59s
发现 Pod 状态为 ImagePullBackOff ,因为镜像的原因,查看下所需镜像:
[root@Centos8 dashboard]# kubectl describe pod k8s-dashboard-kubernetes-dashboard-6d5c6c747f-zgz79 -n kube-system Normal BackOff 72s (x7 over 3m13s) kubelet, testcentos7 Back-off pulling image "kubernetesui/dashboard:v2.0.3"
自己手动导入镜像,并传入所有的node节点即可:
[root@Centos8 dashboard]# docker pull kubernetesui/dashboard:v2.0.3 v2.0.3: Pulling from kubernetesui/dashboard d5ba0740de2a: Pull complete Digest: sha256:45ef224759bc50c84445f233fffae4aa3bdaec705cb5ee4bfe36d183b270b45d Status: Downloaded newer image for kubernetesui/dashboard:v2.0.3
再次查看Pod状态,正常运行:
[root@Centos8 ~]# kubectl get pod -n kube-system NAME READY STATUS RESTARTS AGE k8s-dashboard-kubernetes-dashboard-6d5c6c747f-zgz79 1/1 Running 0 102s
配置
修改service的type类型为Nodeport,使其可以外部访问
# 默认为 ClusterIp
[root@Centos8 ~]# kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S)
k8s-dashboard-kubernetes-dashboard ClusterIP 10.111.75.108 <none> 443/TCP
# 修改
[root@Centos8 ~]# kubectl edit svc k8s-dashboard-kubernetes-dashboard -n kube-system
...
ports:
- name: https
nodePort: 30001
type: NodePort
...
service/k8s-dashboard-kubernetes-dashboard edited
#修改成功
[root@Centos8 ~]# kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S)
k8s-dashboard-kubernetes-dashboard NodePort 10.111.75.108 <none> 443:30001/TCP
Dashboard默认为https
访问
提示选择是使用Token方式连接还是Kubeconfig方式连接,看个人心情。
在此使用Token连接,查看Token方法:
[root@Centos8 ~]# kubectl get secret -n kube-system |grep dashboard k8s-dashboard-kubernetes-dashboard-certs Opaque 0 k8s-dashboard-kubernetes-dashboard-token-xpjj8 kubernetes.io/service-account-token 3 [root@Centos8 ~]# kubectl describe secret k8s-dashboard-kubernetes-dashboard-token-xpjj8 -n kube-system | grep token Name: k8s-dashboard-kubernetes-dashboard-token-xpjj8 Type: kubernetes.io/service-account-token token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrOHMtZGFzaGJvYXJkLWt1YmVybmV0ZXMtZGFzaGJvYXJkLXRva2VuLXhwamo4Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6Ims4cy1kYXNoYm9hcmQta3ViZXJuZXRlcy1kYXNoYm9hcmQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI1YjRjMzViYi02Mzc3LTRhY2EtYWY0Yy1mZmQyYjg2OWFmM2YiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06azhzLWRhc2hib2FyZC1rdWJlcm5ldGVzLWRhc2hib2FyZCJ9.WTibcCYSOqTpfyTBT6vqsHULTfmWh3TU3NcQHIf-yZw-r5pdd2H5Edz4VqG6d_Ef1zwCzD6Burvdq80gQps7Ju9FdxLl_cjNgq6r9fycaYUMIedrgof7w43BIyBiwh064f3SFpJuZToVxErdHBnLToDpiNjJ0rbsn79oRufA6VRbqA0ogstcFfZ55lWGuEZ7JoDOUH_vno1geZQvk8LJLfd75EeMEBaq_F7I_7go5cydPvi11Sm3hKigOY53wwsBlvNJ3FlTfZMAxPb5IP024cJB-zXXdZjiUDGzeagcwAqrKdKwZl78RW1q0VXM5QwtL08dOBDgoOHMFeiSkeEjyw
将Token的值粘贴进网页,点击登录即可。
但是,默认情况下,直接进入,它本身没有访问整个集群的权限,所以要先对 dashborad 的SA进行一个ClusterRoleBinding 的操作:
vim dashbindins.yaml
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: dashboard-1 subjects: - kind: ServiceAccount name: k8s-dashboard-kubernetes-dashboard namespace: kube-system roleRef: kind: ClusterRole name: cluster-admin apiGroup: rbac.authorization.k8s.io
将 cluster-admin 的权限赋予给名称为 k8s-dashboard-kubernetes-dashboard 的 SA,cluster-admin是集群默认的的角色,具有整个集群的所有权限,如果有个性化需求,自己定义一个ClusterRole也是可以的
进行绑定:
[root@Centos8 dashboard]# kubectl create -f dashbindins.yaml clusterrolebinding.rbac.authorization.k8s.io/dashboard-1 created
绑定完成后,再次刷新 dashboard 的界面,就可以看到整个集群的资源情况。
个性化定制参数
Dashboard 默认采用 https 的形式进行访问,众所周知,https是需要绑定证书的,咱们以上直接通过 helm 方法安装的是自动绑定了config文件里的证书:
crt:grep 'client-certificate-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d
kry:grep 'client-key-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d >> kubecfg.key
但是如果我们想要定义自己的https证书,我们可以在创建 dashboard 的时候采用指定变量的方法:
先将 dashboard 文件下载下来:
[root@Centos8 dashboard]# helm fetch k8s-dashboard/kubernetes-dashboard [root@Centos8 dashboard]# ls kubernetes-dashboard-2.6.0.tgz [root@Centos8 dashboard]# tar zxvf kubernetes-dashboard-2.6.0.tgz [root@Centos8 kubernetes-dashboard]# ls charts Chart.yaml README.md requirements.lock requirements.yaml templates values.yaml
创建变量文件:
vim dashboardvaluse.yaml
image:
repository: k8s.gcr.io/kubernetes-dashboard-amd64 # 指定存储库
tag: v1.10.1 #指定版本
ingress:
enabled: true #ingress是否开启
hosts:
- k8s.vfancloud.com #指定域名
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
tls: #指定secret,也就是指定你的证书
- secretName: repository-ssl
hosts:
- k8s.vfancloud.com
rbac:
clusterAdminRole: true
创建tls:kubectl create secret tls repository-ssl --key server.key --cert server.crt
编辑完毕后,创建时使用 -f 指定此变量文件即可:
[root@Centos8 kubernetes-dashboard]# helm install . --version 2.6.0 -n k8s-dashboard --namespace kube-system -f dashboardvaluse.yaml
NAME: k8s-dashboard
LAST DEPLOYED: Wed Sep 23 21:58:42 2020
NAMESPACE: kube-system
STATUS: DEPLOYED
RESOURCES:
==> v1/ClusterRole
NAME AGE
k8s-dashboard-kubernetes-dashboard-metrics 0s
==> v1/ClusterRoleBinding
NAME AGE
k8s-dashboard-kubernetes-dashboard-metrics 0s
==> v1/ConfigMap
NAME DATA AGE
k8s-dashboard-kubernetes-dashboard-settings 0 2s
==> v1/Deployment
NAME READY UP-TO-DATE AVAILABLE AGE
k8s-dashboard-kubernetes-dashboard 0/1 1 0 2s
==> v1/Pod(related)
NAME READY STATUS RESTARTS AGE
k8s-dashboard-kubernetes-dashboard-6d5c6c747f-5dkhj 0/1 ContainerCreating 0 1s
==> v1/Role
NAME AGE
k8s-dashboard-kubernetes-dashboard 0s
==> v1/RoleBinding
NAME AGE
k8s-dashboard-kubernetes-dashboard 0s
==> v1/Secret
NAME TYPE DATA AGE
k8s-dashboard-kubernetes-dashboard-certs Opaque 0 2s
kubernetes-dashboard-csrf Opaque 0 2s
kubernetes-dashboard-key-holder Opaque 0 2s
==> v1/Service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
k8s-dashboard-kubernetes-dashboard ClusterIP 10.97.71.25 <none> 443/TCP 2s
==> v1/ServiceAccount
NAME SECRETS AGE
k8s-dashboard-kubernetes-dashboard 1 2s
==> v1beta1/Ingress
NAME HOSTS ADDRESS PORTS AGE
k8s-dashboard-kubernetes-dashboard hub.vfancloud.com 80, 443 2s
NOTES:
*********************************************************************************
*** PLEASE BE PATIENT: kubernetes-dashboard may take a few minutes to install ***
*********************************************************************************
From outside the cluster, the server URL(s) are:
https://hub.vfancloud.com
至此,后边的步骤就和上边演示的一样了,绑定ClusterRole即可使用https://hub.vfancloud.com进行访问,以上变量文件仅仅是指定了部分值,具体其他可选变量可以去官网上查看。