Background
If you want a visual way to manage and monitor a k8s cluster, kubernetes-dashboard is the usual choice. The dashboard is a web UI for viewing the state of a Kubernetes cluster and performing operations on it, which makes day-to-day administration much easier.
The dashboard login page offers two ways to authenticate: a kubeconfig file or a bearer token. Both are served over the same HTTPS endpoint; the methods differ in the credential you present, not in the transport. This post covers the token method.
Logging in with a token needs no username or password, which is convenient, but the token is the credential: whoever holds it has every permission of the service account it belongs to, so treat it like a password.
1. Download the dashboard manifest from the project repository and adjust it as described below.
# upstream: https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
Prefer the URL for the release tag you deploy (replace master with v1.10.1) so the manifest matches the image version; the master branch has since moved on and no longer carries the file at that path.
2. After downloading, edit the YAML and change the image line. The upstream image is k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1; the author uses a mirror that the cluster can reach:
image: registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
Replace it with whatever image your nodes can pull. A mirror is a third party in your supply chain: compare its image digest with the upstream one and pin the digest (image: ...@sha256:<digest>) rather than trusting the tag alone.
3. Expose the dashboard through a NodePort so it can be reached from outside the cluster. A NodePort opens port 31620 on every node's interfaces, so make sure it is reachable only from the networks your administrators use (host firewall or security group):
# ------------------- Dashboard Service ------------------- #
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort        # added: type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 31620   # added: nodePort: 31620
  selector:
    k8s-app: kubernetes-dashboard
4. In the upstream manifest the kubernetes-dashboard service account is bound (through a RoleBinding) to the Role kubernetes-dashboard-minimal, which has no permission to read or change cluster resources. Logging in with its token therefore fails with permission errors such as: configmaps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard". The author's fix is to replace the RoleBinding with a ClusterRoleBinding to a more powerful role, cluster-admin:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: kubernetes-dashboard
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
Two things to be aware of. First, this makes the dashboard's own service account, and therefore the token fetched in step 6, a full cluster administrator with no expiry: anyone who obtains that token, or who compromises the dashboard pod (the token is mounted inside it), owns the cluster. Binding the built-in view ClusterRole instead, or logging in with tokens of separate accounts that carry only the rights each person needs, keeps the blast radius smaller. Second, rbac.authorization.k8s.io/v1beta1 is the old API version; rbac.authorization.k8s.io/v1 has been stable since Kubernetes 1.8 and v1beta1 was removed in 1.22, so use v1 on any current cluster.
5. On the master, create the dashboard from kubernetes-dashboard.yaml:
kubectl create -f kubernetes-dashboard.yaml
6. Fetch the dashboard token. On clusters of this era every service account gets a long-lived token stored in an automatically created Secret named kubernetes-dashboard-token-<suffix>; the pipeline below finds that Secret and prints the token. (Kubernetes 1.24 and later no longer create these Secrets automatically; there, use kubectl -n kube-system create token kubernetes-dashboard, which mints a short-lived token instead.)
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep kubernetes-dashboard-token|awk '{print $1}')|grep token:|awk '{print $2}'
7. Open the node address and service port in Firefox (https://10.1.245.239:31620/#!/login), paste the token from step 6 into the Token field and click Sign in to reach the dashboard.
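The token handling in steps 4 to 7, as an added example that is not part of the original post or of the Dashboard project: it fetches a service-account token in a way that works both on clusters that still auto-create token Secrets (as in the post) and on 1.24+ clusters, decodes the token to show what it contains (legacy tokens carry no exp claim and never expire), lists what the account may do, and renders a read-only alternative to binding cluster-admin. It assumes kubectl is configured with admin rights; the account name dashboard-viewer and the sample token are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or the Dashboard project.
# Assumes kubectl is configured for the cluster with admin rights.

NS=${NS:-kube-system}
SA=${SA:-kubernetes-dashboard}

# base64url helpers: JWT segments drop '=' padding and use '-_' for '+/'.
b64url_encode() { base64 | tr -d '\n=' | tr '+/' '-_'; }
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | base64 -d
}

# Decode the claims segment (no signature check: that needs the API
# server's public key) and report the subject and whether it ever expires.
sa_token_info() {
  claims=$(b64url_decode "$(printf '%s' "$1" | cut -d. -f2)")
  sub=$(printf '%s' "$claims" | grep -o '"sub":"[^"]*"' | cut -d'"' -f4)
  if printf '%s' "$claims" | grep -q '"exp":'; then exp=yes; else exp=no; fi
  printf 'sub=%s expires=%s\n' "$sub" "$exp"
}

# Prefer a short-lived bound token (kubectl and cluster >= 1.24); fall back
# to the legacy Secret that the post greps for on older clusters.
get_sa_token() {
  if kubectl -n "$NS" create token "$SA" --duration=1h 2>/dev/null; then
    return
  fi
  secret=$(kubectl -n "$NS" get sa "$SA" -o jsonpath='{.secrets[0].name}')
  kubectl -n "$NS" get secret "$secret" -o jsonpath='{.data.token}' | base64 -d
  echo
}

# What can the account do? Impersonation avoids the problem that a client
# certificate in the kubeconfig would otherwise win over a --token flag.
list_sa_rights() {
  kubectl auth can-i --list --as="system:serviceaccount:$NS:$1"
}

# Read-only alternative to the post's cluster-admin binding: keep the
# Dashboard's own account minimal and log in with a separate account bound
# to the built-in "view" ClusterRole. "dashboard-viewer" is illustrative.
render_viewer_rbac() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-viewer
  namespace: $NS
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-viewer
subjects:
- kind: ServiceAccount
  name: dashboard-viewer
  namespace: $NS
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Constructed sample with the shape of a legacy token: RS256 header, flat
# claims, no "exp". The signature segment is a dummy.
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256","kid":""}' | b64url_encode).$(printf '%s' \
  '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","sub":"system:serviceaccount:kube-system:kubernetes-dashboard"}' \
  | b64url_encode).c2lnbmF0dXJl"
sa_token_info "$SAMPLE_TOKEN"   # sub=system:serviceaccount:kube-system:kubernetes-dashboard expires=no

# Touch the cluster only when asked: sh dashboard-token.sh --fetch
if [ "${1:-}" = --fetch ]; then
  render_viewer_rbac | kubectl apply -f -
  list_sa_rights "$SA"
  get_sa_token
fi
```

Run without arguments it only decodes the constructed sample; with --fetch it applies the viewer account, prints what the dashboard account is allowed to do (with the post's binding, everything) and prints a token to paste into the login page. The decoder deliberately does not trust anything in the token beyond reading it: only the API server can verify the signature.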
Appendix: the modified YAML file
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ------------------- Dashboard Secret ------------------- #

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque

---
# ------------------- Dashboard Service Account ------------------- #

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: kubernetes-dashboard
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

---
# ------------------- Dashboard Deployment ------------------- #

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --auto-generate-certificates
          # Uncomment the following line to manually specify Kubernetes API server Host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          # - --apiserver-host=http://my-address:port
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule

---
# ------------------- Dashboard Service ------------------- #

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort        # added: type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 31620   # added: nodePort: 31620
  selector:
    k8s-app: kubernetes-dashboard
8. The dashboard deployed above can only be opened in Firefox; Chrome and other browsers refuse it. The cause is the certificate produced by --auto-generate-certificates: its validity period is bogus (a Not Before date in the year 0001, see g below), so Chrome treats the certificate as invalid and offers no way to proceed, while Firefox still lets you add an exception. The fix is to serve a certificate with a sane validity period.
a: Because the generated certificate is unusable, create a replacement self-signed certificate with openssl. openssl x509 -req signs for 30 days by default; pass -days to set a longer validity. The -days flag only has an effect on that signing step (genrsa ignores it, and req -new without -x509 ignores it too), so it has been dropped from those two commands here. Note also that the CN below is a comma-separated list of IP addresses, copied from the original run: a CN is a single name, not a list, and Chrome ignores the CN entirely and only consults subjectAltName, so this certificate still triggers a name-mismatch warning (which, unlike the year-0001 error, can be clicked through, see f). The certificate dumped below was signed without -days, which is why it runs only from Apr 1 to May 1; with -days 365 the Not After date would be a year out. Two further points worth fixing: the signature is sha1WithRSAEncryption (the old openssl default; add -sha256 to the x509 -req command, since browsers have deprecated SHA-1), and the certificate is Version 1, i.e. it carries no extensions and therefore no subjectAltName.
[ips@ips81 cert]$ openssl genrsa -out dashboard.key 2048
Generating RSA private key, 2048 bit long modulus
...........................+++
.........+++
e is 65537 (0x10001)
[ips@ips81 cert]$ openssl req -new -out dashboard.csr -key dashboard.key -subj '/CN=10.1.235.81,10.1.235.82,10.1.235.72,10.1.245.239'
[ips@ips81 cert]$ openssl x509 -req -in dashboard.csr -signkey dashboard.key -out dashboard.crt -days 365
Signature ok
subject=/CN=10.1.235.81,10.1.235.82,10.1.235.72,10.1.245.239
Getting Private key
[ips@ips81 cert]$ openssl x509 -in dashboard.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 12978830105745149643 (0xb41e11376515cecb)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=10.1.235.81,10.1.235.82,10.1.235.72,10.1.245.239
        Validity
            Not Before: Apr  1 08:02:30 2019 GMT
            Not After : May  1 08:02:30 2019 GMT
        Subject: CN=10.1.235.81,10.1.235.82,10.1.235.72,10.1.245.239
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9f:4b:01:3c:d6:05:5c:1d:64:5e:e0:07:eb:3b:
                    c8:b5:d5:4b:1c:ca:5a:5c:44:49:93:b5:75:4a:e5:
                    b8:56:42:25:92:69:f1:09:d3:cf:31:75:7d:41:ed:
                    ea:92:68:e7:39:53:75:e5:92:be:db:da:ff:f9:63:
                    82:1e:58:32:54:5f:e6:b4:bc:5f:33:d5:c8:c0:eb:
                    2b:30:4d:ce:b0:22:50:7b:9a:f8:0e:ca:e9:a5:f5:
                    01:cf:8d:76:35:4a:38:12:a9:bd:85:26:f7:76:01:
                    a6:9f:8c:39:94:40:b2:10:fa:b2:fd:7a:bc:ce:0c:
                    33:cf:2d:b2:07:76:1e:55:05:e7:8d:95:95:d5:c7:
                    72:44:ff:b5:39:ae:b4:8d:83:40:05:a9:db:5e:ea:
                    6c:27:03:0b:65:a0:af:44:1e:f8:17:75:76:a9:66:
                    3d:56:04:51:fd:e1:1a:2e:ac:7b:9c:3a:f3:95:49:
                    d5:95:83:76:da:df:eb:41:d9:3f:4e:1e:3d:06:24:
                    fe:31:32:88:e8:4d:95:68:db:75:14:fa:6b:e6:5b:
                    f1:91:c0:12:82:65:ad:92:0d:48:b1:4a:d7:81:a1:
                    b4:53:c5:a2:99:f2:3f:25:33:3d:f7:a5:b0:bc:21:
                    ad:0b:7f:5f:06:aa:0e:ec:1b:a4:04:70:63:2f:d7:
                    21:9f
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         37:28:4b:7e:4a:54:e1:5c:15:7c:e7:c0:71:c8:2f:ae:1b:ce:
         10:67:0a:c2:53:72:67:64:b3:4c:48:6b:bf:79:a0:cd:dd:c5:
         41:5a:0b:de:ff:78:04:10:ef:c1:4b:02:fb:ab:7e:88:f5:eb:
         6a:0d:d8:50:4f:ea:ba:73:06:2b:dd:6f:8a:28:6f:9a:20:73:
         76:42:c2:1e:54:d9:bd:4e:d5:ec:a0:13:c8:49:86:25:1b:e2:
         b0:03:fe:0c:0a:72:6f:f1:0b:4e:2b:0b:b9:63:07:a9:10:29:
         f6:a7:b4:c5:fb:e4:ee:86:97:e5:78:8a:51:2c:c5:8d:a9:33:
         85:7f:35:fb:78:80:de:70:f7:3e:c0:73:dd:4e:61:ab:22:b6:
         3f:90:7b:2b:6e:dc:7f:5e:cc:c9:8e:37:7c:b4:5b:30:fb:fb:
         8f:ed:a2:2c:ca:9e:9f:10:33:81:e2:e4:54:20:29:0c:85:8c:
         44:24:ee:c5:2d:1c:ca:1e:ba:31:46:cf:2d:80:13:05:70:5d:
         5e:76:b3:38:c3:d4:1a:b9:9c:57:49:90:4f:e1:14:9d:e3:33:
         fe:67:96:df:75:5d:55:da:a5:12:89:9e:4b:21:63:4a:5f:db:
         13:fd:2f:56:8f:25:ea:10:4e:66:04:0f:5d:96:8f:dd:56:f4:
         d3:f3:f5:d3
[ips@ips81 cert]$ ls
dashboard.crt  dashboard.csr  dashboard.key  kubernetes-dashboard.yaml
[ips@ips81 cert]$ ll
total 20
-rw-r--r-- 1 ips ips 1082 Apr  1 16:02 dashboard.crt
-rw-r--r-- 1 ips ips  944 Apr  1 16:02 dashboard.csr
-rw-r--r-- 1 ips ips 1679 Apr  1 16:02 dashboard.key
-rw-r--r-- 1 ips ips 5093 Apr  1 15:53 kubernetes-dashboard.yaml
[ips@ips81 cert]$
Note the mode of dashboard.key: the private key is world-readable. Run chmod 600 dashboard.key (or generate it under a umask of 077) before copying it anywhere; once the key leaks, anyone on the network can impersonate the dashboard.
b: Remove the Secret definition from the manifest, i.e. delete the following block from the file:
# ------------------- Dashboard Secret ------------------- #
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque
---
c: Create a Secret with the same name, kubernetes-dashboard-certs, from the generated files. The file names matter: the dashboard looks for dashboard.crt and dashboard.key under /certs, so build a generic Secret with --from-file (a Secret made with kubectl create secret tls would use the keys tls.crt and tls.key and be ignored). If the empty Secret from step 5 still exists, delete it first (kubectl -n kube-system delete secret kubernetes-dashboard-certs), because create refuses to overwrite an existing object.
kubectl create secret generic kubernetes-dashboard-certs --from-file=/data/ylh/k8sdashboard/cert/dashboard.key --from-file=/data/ylh/k8sdashboard/cert/dashboard.crt -n kube-system
kubectl describe secret kubernetes-dashboard-certs -n kube-system
describe prints only the key names and sizes, never the contents, which is enough to confirm the Secret is populated.
d: Re-apply the manifest, or delete the dashboard objects created earlier and create them again. Be aware that if the Deployment itself did not change, apply will not restart the pod, and the dashboard reads its certificate only at start-up; delete the pod (kubectl -n kube-system delete pod -l k8s-app=kubernetes-dashboard) so a new one comes up with the new Secret mounted.
kubectl apply -f kubernetes-dashboard.yaml   # or
kubectl create -f kubernetes-dashboard.yaml
e: Chrome can now reach the dashboard just like Firefox. First fetch the token:
[ips@ips81 cert]$ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep kubernetes-dashboard-token|awk '{print $1}')|grep token:|awk '{print $2}'
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.[payload omitted].JIsJb0lcgs7sXFyHQAZnRlxamILSiixjjjSX0J3QZOYyXCIoFTlWgVlU-IANV-zZShnEHOtOsLsniJf5VxXGCZJ-uCLfU0RhcgtsUEBLbWLw45X3o3wl6j8D9yZgKYPywzapwNxttO0wsJd5ribNn5bmcnPsqQ2HqrUyRhnDwtb3TZiUKb0LQh9vyossiE9Vhv-_TbJJbvx8Z3dJWxb6Fp6vGak7jq4EhHH1tEbSmQCvBbZpXtzdOad_V5Nfr2uHUkFb8FjhbQqf0ItSCsO7xlwRvmdgzFHvH9HyVgDqninHyZxn-VDt85pPTBRilrYFQ3Dzs33MgShmSNzVs9DUlA
f: Open the dashboard URL (https://10.1.245.239:31620/#!/login). The certificate is self-signed and its name does not match the address, so the browser still warns; choose to proceed to the site, paste the token from the previous step into the Token field, and the dashboard opens normally.
g: Inspecting the certificate in Chrome and Firefox shows that the validity period has changed and the certificate is no longer expired, i.e. no longer the year 0001 reported before.
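The certificate procedure in a to d, done the way a browser expects, as an added example that is not part of the original post or of the Dashboard project: an explicit validity window, a SHA-256 signature, and every node or VIP address in subjectAltName (Chrome ignores the CN, and the comma-separated CN above matches nothing), followed by installing it under the file names the dashboard reads. The IP addresses are the post's; the output directory and the choice of kube-system as namespace for the Secret are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the Dashboard project.
# Needs openssl locally; the --install path additionally needs kubectl.
set -eu

# gen_dashboard_cert DIR DAYS IP...  -> DIR/dashboard.key, DIR/dashboard.crt
gen_dashboard_cert() {
  dir=$1; days=$2; shift 2
  san=$(printf 'IP:%s,' "$@" | sed 's/,$//')     # IP:10.1.235.81,IP:...
  mkdir -p "$dir"
  cat >"$dir/san.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
  openssl genrsa -out "$dir/dashboard.key" 2048 2>/dev/null
  chmod 600 "$dir/dashboard.key"        # the post left the key world-readable
  openssl req -new -key "$dir/dashboard.key" -out "$dir/dashboard.csr" \
      -subj '/CN=kubernetes-dashboard' -config "$dir/san.cnf"
  # -sha256: old OpenSSL defaults to SHA-1 (the post's dump shows
  # sha1WithRSAEncryption); -extfile carries the SAN into the certificate,
  # which turns it from a v1 certificate into a v3 one with extensions.
  openssl x509 -req -in "$dir/dashboard.csr" -signkey "$dir/dashboard.key" \
      -out "$dir/dashboard.crt" -days "$days" -sha256 \
      -extfile "$dir/san.cnf" -extensions v3_req 2>/dev/null
}

# Print what a browser will check: validity window, signature hash, SANs.
show_cert() {
  openssl x509 -in "$1" -noout -dates
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -m1 'Signature Algorithm'
  printf '%s\n' "$text" | grep 'IP Address'
}

# The Dashboard reads /certs/dashboard.crt and /certs/dashboard.key, so the
# Secret keys must carry those names: "generic --from-file", not "tls"
# (which would produce tls.crt/tls.key). Re-creating the Secret does not
# restart the pod, and the Dashboard loads its certificate at start-up.
install_cert_secret() {
  dir=$1
  kubectl -n kube-system delete secret kubernetes-dashboard-certs --ignore-not-found
  kubectl -n kube-system create secret generic kubernetes-dashboard-certs \
      --from-file="$dir/dashboard.crt" --from-file="$dir/dashboard.key"
  kubectl -n kube-system delete pod -l k8s-app=kubernetes-dashboard
}

# Touch the cluster only when asked: sh dashboard-cert.sh --install
if [ "${1:-}" = --install ]; then
  gen_dashboard_cert /tmp/dashboard-cert 365 10.1.235.81 10.1.235.82 10.1.235.72 10.1.245.239
  show_cert /tmp/dashboard-cert/dashboard.crt
  install_cert_secret /tmp/dashboard-cert
fi
```

The browser will still warn, because nothing trusts the self-signed issuer, but the warning is now the ordinary "untrusted issuer" kind rather than a hard invalid-certificate error, and importing dashboard.crt into the browser's or OS trust store removes it entirely. Add DNS:name entries to the subjectAltName line if the dashboard is reached through a hostname rather than a node IP.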