kubernetes dashboard
The dashboard is a Pod that runs as an add-on, in the system namespace kube-system.
Deploy the dashboard:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
Check the result:
kubectl get pods -n kube-system
kubectl get svc -n kube-system
To reach the dashboard from outside the cluster, the service has to be switched to NodePort:
kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system
Look up the service's port, then open a browser and visit that port on any node.
Token authentication:
Create a serviceaccount:
kubectl create serviceaccount dashboard-admin -n kube-system
View the serviceaccount:
kubectl get sa -n kube-system
This serviceaccount needs access to resources across the whole cluster, so a clusterrolebinding is used to bind it to a clusterrole.
Bind the serviceaccount to the clusterrole:
kubectl create clusterrolebinding admin-k8s-dashboard --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
View the secret that was created:
kubectl get secret -n kube-system
View the token:
kubectl describe secret dashboard-admin-token-cxls2 -n kube-system
Paste the long token string into the dashboard login and you are in.
Installation process for the new dashboard version
Official GitHub location:
https://github.com/kubernetes/dashboard
Deploy the dashboard:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.1/aio/deploy/recommended.yaml
View the token: the token created by the bundled yaml file has no permissions at all and can only be used to test logging in.
kubectl describe secrets -n kubernetes-dashboard kubernetes-dashboard-token-dftj8
Copy the value of the token field and paste it into the web UI, choosing the token login method.
Create a token with admin permissions:
The idea is to bind a serviceaccount in the kubernetes-dashboard namespace to the ClusterRole named cluster-admin, so that this account holds administrator permissions.
For details see:
https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md
Apply the following file:
cat > admin-user.yaml <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
EOF
kubectl apply -f admin-user.yaml
View the token:
kubectl describe secrets -n kubernetes-dashboard admin-user-token-27xjl
Copy the token and paste it into the login page.
Create a kubeconfig file to log in to the dashboard:
kubectl config set-cluster kubernetes --server="https://192.168.0.40:6443" --certificate-authority=/etc/kubernetes/cert/ca.crt --embed-certs=true --kubeconfig=config
kubectl config set-credentials k8s --token="<the token used to log in above>" --kubeconfig=config
kubectl config set-context k8s@kubernetes --cluster=kubernetes --user=k8s --kubeconfig=config
kubectl config use-context k8s@kubernetes --kubeconfig=config
The resulting file looks like this:
~]# kubectl config view --kubeconfig=config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.0.40:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: k8s
  name: k8s@kubernetes
current-context: k8s@kubernetes
kind: Config
preferences: {}
users:
- name: k8s
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
    token: "一大串token"
Once the config file has been generated it can be used to log in.
Create an account that can only view logs:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dev-clusterrule
  namespace: kubernetes-dashboard
rules:
- apiGroups: [""]
  resources: ["pods","pods/log"]
  verbs: ["get","list","watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-rolebinding
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dev-clusterrule
subjects:
- kind: ServiceAccount
  name: dev-user
  namespace: kubernetes-dashboard
View the token:
kubectl describe secrets -n kubernetes-dashboard dev-user-token-vv6xz
Logging in to the dashboard with this token grants only permission to view logs, and the namespace has to be entered manually.
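As an added example that is not part of the original note, the following script takes the admin-user and dev-user manifests above (modelled as Python dicts, the shape kubectl produces from the YAML, so no YAML library is needed) and works out the effective permissions each service account ends up with: the cluster-admin binding expands to an unrestricted wildcard, while the RoleBinding confines dev-user's pod and log access to the kubernetes-dashboard namespace alone. The built-in cluster-admin rule is modelled by hand because it never appears in the manifests.

```python
# Added example, not from the original note: the admin-user and dev-user manifests
# above as dicts (as kubectl parses the YAML), audited for effective permissions.
from typing import Dict, List, Set, Tuple

# Constructed copies of the two manifests from this note.
MANIFESTS: List[dict] = [
    {"kind": "ServiceAccount", "metadata": {"name": "admin-user", "namespace": "kubernetes-dashboard"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "admin-user"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "admin-user", "namespace": "kubernetes-dashboard"}]},
    {"kind": "ServiceAccount", "metadata": {"name": "dev-user", "namespace": "kubernetes-dashboard"}},
    {"kind": "ClusterRole", "metadata": {"name": "dev-clusterrule", "namespace": "kubernetes-dashboard"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-rolebinding", "namespace": "kubernetes-dashboard"},
     "roleRef": {"kind": "ClusterRole", "name": "dev-clusterrule"},
     "subjects": [{"kind": "ServiceAccount", "name": "dev-user", "namespace": "kubernetes-dashboard"}]},
]
# cluster-admin is a built-in ClusterRole absent from the manifests; its single
# wildcard rule is modelled here so the audit can expand it.
BUILTIN_CLUSTER_ROLES = {"cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
Grant = Tuple[str, str, str]  # (scope, resource, verb); scope is "*" (cluster-wide) or a namespace

def effective_grants(docs: List[dict], sa_ns: str, sa_name: str) -> Set[Grant]:
    """Return every (scope, resource, verb) granted to the service account sa_ns/sa_name."""
    roles: Dict[str, list] = dict(BUILTIN_CLUSTER_ROLES)
    for d in docs:
        # Only ClusterRole is modelled (the note defines no Role); its metadata.namespace
        # is ignored by the API because the object is cluster-scoped.
        if d["kind"] == "ClusterRole":
            roles[d["metadata"]["name"]] = d["rules"]
    grants: Set[Grant] = set()
    for d in docs:
        if d["kind"] not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        if not any(s["kind"] == "ServiceAccount" and s["name"] == sa_name and s["namespace"] == sa_ns
                   for s in d["subjects"]):
            continue
        # A RoleBinding confines even a ClusterRole's rules to the binding's own
        # namespace, which is why dev-user only sees pods in kubernetes-dashboard.
        scope = "*" if d["kind"] == "ClusterRoleBinding" else d["metadata"]["namespace"]
        for rule in roles.get(d["roleRef"]["name"], []):
            for res in rule["resources"]:
                for verb in rule["verbs"]:
                    grants.add((scope, res, verb))
    return grants

def is_cluster_admin(grants: Set[Grant]) -> bool:
    """True when the account holds the unrestricted wildcard that cluster-admin grants."""
    return ("*", "*", "*") in grants
```

Running effective_grants over a full `kubectl get clusterrolebindings,rolebindings -A -o json` dump (after converting the item list to dicts) turns the same check into a quick audit of which dashboard service accounts were handed cluster-admin.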