1. Version information
Version: kubernetes dashboard v2.0.4
URL: https://github.com/kubernetes/dashboard/releases/tag/v2.0.4
Supported Kubernetes version: 1.19
Image versions used:
kubernetesui/dashboard:v2.0.4
kubernetesui/metrics-scraper:v1.0.4
2. Download
cd /tmp
wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.4/aio/deploy/recommended.yaml
Change the Dashboard Service to the NodePort type
Change 1:
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30001
  selector:
    k8s-app: kubernetes-dashboard
kubectl apply -f recommended.yaml
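The Service port is 443, which maps to pod port 8443; the externally exposed port is 30001.
3. After installation the pod fails to start, with the error: Initializing csrf token from kubernetes-dashboard-csrf secret
panic: Get "https://10.96.0.1:443/api/v1/namespaces/kubernetes-dashboard/secrets/kubernetes-dashboard-csrf": dial tcp 10.96.0.1:443: i/o timeout
The cause is that the dashboard has to establish communication with the apiserver, and authentication failed.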
curl -k https://10.96.0.1:443/api/v1/namespaces/kubernetes-dashboard/secrets/kubernetes-dashboard-csrf
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "secrets \"kubernetes-dashboard-csrf\" is forbidden: User \"system:anonymous\" cannot get resource \"secrets\" in API group \"\" in the namespace \"kubernetes-dashboard\"",
"reason": "Forbidden",
"details": {
"name": "kubernetes-dashboard-csrf",
"kind": "secrets"
},
"code": 403
}
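4. Searching online turned up two solutions
1) Install the dashboard on the master node
2) Make the worker nodes able to reach the apiServer
I changed it to install on the master node, because a dashboard generally monitors the worker nodes, and worker nodes get scaled out and in.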
5. Add nodeName: k8s-master to recommended.yaml
Change 1:
spec:
  nodeName: k8s-master
  containers:
    - name: kubernetes-dashboard
      image: kubernetesui/dashboard:v2.0.4
      imagePullPolicy: Always
Change 2:
spec:
  nodeName: k8s-master
  containers:
    - name: dashboard-metrics-scraper
      image: kubernetesui/metrics-scraper:v1.0.4
Redeploy: kubectl apply -f recommended.yaml
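6. But the browser still cannot open it
Investigation showed that browsers have a problem validating the default certificate, so a custom certificate is needed
mkdir /home/key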
cd /home/key
openssl genrsa -out dashboard.key 2048
openssl req -new -sha256 -out dashboard.csr -key dashboard.key -subj '/CN=192.168.201.1'
openssl x509 -req -sha256 -days 3650 -in dashboard.csr -signkey dashboard.key -out dashboard.crt
cat dashboard.crt | base64
cat dashboard.key | base64
Edit recommended.yaml and fill in the base64-encoded certificate text
Change 1:
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
type: Opaque
data:
  dashboard.crt: <base64 of dashboard.crt>
  dashboard.key: <base64 of dashboard.key>
Redeploy: kubectl apply -f recommended.yaml
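7. The page now opens
Visit: https://192.168.201.1:30001/
Choose the Token authentication method:
Token
Every Service Account has a valid Bearer Token that can be used to log in to Dashboard. To find out more about how to configure and use Bearer Tokens, please refer to the Authentication section.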
8. Create a ServiceAccount
Create a user named admin-user and bind it to the cluster-admin role
vi admin-user.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: admin-user
    namespace: kubernetes-dashboard
Deploy: kubectl apply -f admin-user.yaml
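Steps 2 and 8 together leave a NodePort-exposed Dashboard in the same namespace as a service account bound to cluster-admin. The following added example (not part of the original post or of the Dashboard project) reviews that combination from JSON in the shape produced by kubectl get svc,clusterrolebindings -A -o json. The function names audit and risky_namespaces are hypothetical, and the sample input is constructed from the manifests on this page.

```python
import json

# Constructed sample (not captured from a real cluster), shaped like the output of
#   kubectl get svc,clusterrolebindings -A -o json
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "Service",
  "metadata": {"name": "kubernetes-dashboard", "namespace": "kubernetes-dashboard"},
  "spec": {"type": "NodePort",
           "ports": [{"port": 443, "targetPort": 8443, "nodePort": 30001}]}},
 {"kind": "Service",
  "metadata": {"name": "dashboard-metrics-scraper", "namespace": "kubernetes-dashboard"},
  "spec": {"type": "ClusterIP", "ports": [{"port": 8000, "targetPort": 8000}]}},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "admin-user"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "admin-user",
                "namespace": "kubernetes-dashboard"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "kubernetes-dashboard"},
  "roleRef": {"kind": "ClusterRole", "name": "kubernetes-dashboard"},
  "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                "namespace": "kubernetes-dashboard"}]}
]}
""")


def audit(objects):
    """Return (node_ports, admins): NodePort exposures and cluster-admin service accounts."""
    node_ports, admins = [], []
    for obj in objects.get("items", []):
        kind, meta = obj.get("kind"), obj.get("metadata", {})
        if kind == "Service" and obj.get("spec", {}).get("type") == "NodePort":
            for port in obj["spec"].get("ports", []):
                node_ports.append((meta.get("namespace"), meta.get("name"), port.get("nodePort")))
        elif kind == "ClusterRoleBinding" and obj.get("roleRef", {}).get("name") == "cluster-admin":
            for subj in obj.get("subjects") or []:  # subjects may be absent or null
                if subj.get("kind") == "ServiceAccount":
                    admins.append((subj.get("namespace"), subj.get("name"), meta.get("name")))
    return node_ports, admins


def risky_namespaces(objects):
    """Namespaces that both expose a NodePort and hold a cluster-admin service account."""
    node_ports, admins = audit(objects)
    return sorted({ns for ns, _, _ in node_ports} & {ns for ns, _, _ in admins})


if __name__ == "__main__":
    print(audit(SAMPLE), risky_namespaces(SAMPLE))
```

A namespace returned by risky_namespaces is one where a bearer token with full cluster rights sits next to a login page reachable on every node's IP, which is the case to restrict with a narrower role or a firewall rule on the node port.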
9. Get the token
kubectl get secret -n kubernetes-dashboard
NAME TYPE DATA AGE
admin-user-token-ppjdc kubernetes.io/service-account-token 3 24m
Paste the token in to log in:
kubectl describe secret/admin-user-token-ppjdc -n kubernetes-dashboard
Name: admin-user-token-ppjdc
Namespace: kubernetes-dashboard
Labels: