容器編排系統K8s之Dashboard部署

　　前文咱們瞭解了k8s的訪問控制第三關准入控制相關插件的使用，回顧請參考：https://www.cnblogs.com/qiuhom-1874/p/14220402.html；今天咱們來了解下k8s的web ui 組件的安裝和用戶受權相關話題；

　　k8s的webui是一個插件運行在k8s之上，以pod的方式提供服務；它可以給使用k8s用戶提供一個web面板，咱們能夠基於這個web面板來管理k8s集羣；好比建立pod，建立svc，部署應用等等；在部署以前，先說一下dashboard認證過程；dashboard是以pod的形式運行在k8s之上，它自己沒有作訪問權限認證相關的功能，它只是把用戶的認證信息代理到k8s集羣上，具體的認證受權仍是由k8s的apiserver進行；因此咱們登陸dashboard必須是k8s上的用戶；其次它是一個pod形式把咱們的認證信息代理到apiserver上，因此咱們登陸dashboard的用戶必須是一個sa用戶，它不支持常規用戶；簡單講dashboard就是一個代理服務；它把咱們全部操做經過https協議代理到apiserver作相應的操做；dashboard是一個多用戶的插件，它支持同時多個用戶以不一樣身份登陸到dashboard上作操做；對於dashboard自己來說，它就是k8s上的一個web服務以pod形式運行，咱們能夠經過ingrss把它發佈出來，也能夠經過service把它發佈出來；選擇其中一種方式便可；

　　dashboard部署前準備

　　dashboard對外提供服務的是一個https服務，若是咱們須要將其發佈到集羣外部供互聯網訪問，咱們須要把對應域名的證書先用secret資源加載到k8s上，而後在部署dashboard時，引用對應的secret便可；

　　生成私鑰，證書籤署請求文件csr，而後發送給對應CA簽署（若是對應域名的證書都申請好了，這一步直接跳過）

[root@master01 ~]# mkdir dashboard
[root@master01 ~]# cd dashboard
[root@master01 dashboard]# openssl genrsa -out dashboard.key 2048
Generating RSA private key, 2048 bit long modulus
................................................................................................+++
..................+++
e is 65537 (0x10001)
[root@master01 dashboard]# openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=test/CN=webui.test.com" 
[root@master01 dashboard]# ll
total 8
-rw-r--r-- 1 root root  920 Jan  2 14:00 dashboard.csr
-rw-r--r-- 1 root root 1679 Jan  2 13:59 dashboard.key
[root@master01 dashboard]# 

　　使用某個ca簽署對應的證書籤署請求文件，我這裏直接使用k8s上的CA籤

[root@master01 dashboard]# openssl x509 -req -in dashboard.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out dashboard.crt -days 3650
Signature ok
subject=/O=test/CN=webui.test.com
Getting CA Private Key
[root@master01 dashboard]# ll
total 12
-rw-r--r-- 1 root root 1005 Jan  2 14:04 dashboard.crt
-rw-r--r-- 1 root root  920 Jan  2 14:00 dashboard.csr
-rw-r--r-- 1 root root 1679 Jan  2 13:59 dashboard.key
[root@master01 dashboard]# 

　　提示：正常狀況是找互聯網上的ca簽署，該證書只是用於使用對應域名在瀏覽器上可以經過https訪問到dashboard；

　　下載部署清單，查看對應對應清單中的名稱空間和對應secret的名稱

[root@master01 dashboard]# wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.1.0/aio/deploy/recommended.yaml
--2021-01-02 14:14:48--  https://raw.githubusercontent.com/kubernetes/dashboard/v2.1.0/aio/deploy/recommended.yaml
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 199.232.28.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|199.232.28.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7552 (7.4K) [text/plain]
Saving to: ‘recommended.yaml’

100%[=========================================================================>] 7,552       3.08KB/s   in 2.4s   

2021-01-02 14:14:52 (3.08 KB/s) - ‘recommended.yaml’ saved [7552/7552]

[root@master01 dashboard]# ls
dashboard.crt  dashboard.csr  dashboard.key  recommended.yaml
[root@master01 dashboard]# 

　　提示：上述是dashboard的部署清單中的secret資源名稱和對應的名稱空間，咱們若是須要手動替換本身的證書，就必須提早把對應的證書作成和部署清單中相同名稱空間相同類型和相同名稱的secret資源；

　　建立kubenetes-dashboard名稱空間，把dashboard.crt和dashboard.key映射爲k8s上kubenetes-dashboard名稱空間下的generic類型的secret資源

[root@master01 dashboard]# kubectl create ns  kubernetes-dashboard
namespace/kubernetes-dashboard created
[root@master01 dashboard]# kubectl create secret generic  kubernetes-dashboard-certs --from-file=dashboard.crt --from-file=dashboard.key -n kubernetes-dashboard
secret/kubernetes-dashboard-certs created
[root@master01 dashboard]# kubectl get secret -n kubernetes-dashboard
NAME                         TYPE                                  DATA   AGE
default-token-vcw5h          kubernetes.io/service-account-token   3      2m31s
kubernetes-dashboard-certs   Opaque                                2      12s
[root@master01 dashboard]# 

　　應用dashboard部署資源清單

[root@master01 dashboard]# kubectl apply -f recommended.yaml 
Warning: resource namespaces/kubernetes-dashboard is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
namespace/kubernetes-dashboard configured
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
Warning: resource secrets/kubernetes-dashboard-certs is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
secret/kubernetes-dashboard-certs configured
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created
[root@master01 dashboard]# 

　　在線編輯對應service的配置，將clusterip類型更改成nodeport類型

　　提示：更改成nodeport類型service，對應集羣外部的客戶端才能夠正常訪問；

　　查看對應名稱空間下的pod是否啓動起來？

[root@master01 ~]# kubectl get all -n kubernetes-dashboard
NAME                                             READY   STATUS    RESTARTS   AGE
pod/dashboard-metrics-scraper-79c5968bdc-tc79t   1/1     Running   0          6m56s
pod/kubernetes-dashboard-7448ffc97b-v98gk        1/1     Running   0          6m56s

NAME                                TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE
service/dashboard-metrics-scraper   ClusterIP   10.103.202.122   <none>        8000/TCP        6m56s
service/kubernetes-dashboard        NodePort    10.108.57.122    <none>        443:31635/TCP   6m57s

NAME                                        READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/dashboard-metrics-scraper   1/1     1            1           6m56s
deployment.apps/kubernetes-dashboard        1/1     1            1           6m56s

NAME                                                   DESIRED   CURRENT   READY   AGE
replicaset.apps/dashboard-metrics-scraper-79c5968bdc   1         1         1       6m56s
replicaset.apps/kubernetes-dashboard-7448ffc97b        1         1         1       6m56s
[root@master01 ~]# 

　　提示：能夠看到對應資源都已經跑起來了，對應service暴露的端口是34635端口，咱們能夠訪問k8s集羣任意節點的31635端口就能訪問到dashboard，若是使用域名訪問，請注意對應域名要解析到對應k8s集羣上的任意一個節點ip上；

　　訪問dashboard

　　提示：這裏要用https訪問，由於對應服務是提供的https服務；這裏提示咱們證書不安全，是由於對應證書不是瀏覽器承認的ca頒發，因此咱們須要本身手動信任下；

 

　　提示：可以看到上面的頁面，說明dashboard就運行起來了，接下咱們要建立一個帳號來登陸dashboard；

　　建立一個sa帳號

[root@master01 ~]# kubectl create serviceaccount webui-cluster-admin -n kubernetes-dashboard
serviceaccount/webui-cluster-admin created
[root@master01 ~]# kubectl get sa -n kubernetes-dashboard
NAME                   SECRETS   AGE
default                1         29m
kubernetes-dashboard   1         17m
webui-cluster-admin    1         11s
[root@master01 ~]# kubectl describe sa webui-cluster-admin -n kubernetes-dashboard
Name:                webui-cluster-admin
Namespace:           kubernetes-dashboard
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   webui-cluster-admin-token-bxl2z
Tokens:              webui-cluster-admin-token-bxl2z
Events:              <none>
[root@master01 ~]#

　　受權對應sa帳號爲cluster-admin角色

[root@master01 ~]# kubectl create clusterrolebinding webui-cluster-admin --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:webui-cluster-admin
clusterrolebinding.rbac.authorization.k8s.io/webui-cluster-admin created
[root@master01 ~]# kubectl get clusterrolebinding |grep webui
webui-cluster-admin                                    ClusterRole/cluster-admin                                                          41s
[root@master01 ~]# kubectl describe clusterrolebinding webui-cluster-admin
Name:         webui-cluster-admin
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind            Name                 Namespace
  ----            ----                 ---------
  ServiceAccount  webui-cluster-admin  kubernetes-dashboard
[root@master01 ~]# 

　　提示：指定serviceaccount須要指定對應sa的名稱空間加「：」對應sa的名稱；

　　使用上面對應sa帳號對應的secret中的token登陸dashboard

　　登陸dashboard

　　提示：默認登陸到dashboard會是在default名稱空間，咱們能夠選擇上面的名稱空間查看對應名稱空間下的資源；

　　建立某個名稱空間下的管理員

[root@master01 ~]# kubectl create serviceaccount myns-admin -n myns
serviceaccount/myns-admin created
[root@master01 ~]# kubectl create rolebinding myns-admin --clusterrole=admin --serviceaccount=myns:myns-admin -n myns
rolebinding.rbac.authorization.k8s.io/myns-admin created
[root@master01 ~]#

　　提示：rolebinding須要指定名稱空間，不然不指定默認表示default名稱空間；

　　查看對應帳號的token

[root@master01 ~]# kubectl describe sa -n myns
Name:                default
Namespace:           myns
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   default-token-n6tg5
Tokens:              default-token-n6tg5
Events:              <none>


Name:                myns-admin
Namespace:           myns
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   myns-admin-token-p6gh8
Tokens:              myns-admin-token-p6gh8
Events:              <none>
[root@master01 ~]# kubectl describe secret myns-admin-token-p6gh8 -n myns
Name:         myns-admin-token-p6gh8
Namespace:    myns
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: myns-admin
              kubernetes.io/service-account.uid: ebaed1a9-4631-42cb-8af9-a14fa35a7098

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1066 bytes
namespace:  4 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IjM4WnU0Z1Q1c0hBNmR5Q1V0ejRaMFk4d2J2WncwWjNiUTAxZk02SGN4OTgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJteW5zIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Im15bnMtYWRtaW4tdG9rZW4tcDZnaDgiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoibXlucy1hZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImViYWVkMWE5LTQ2MzEtNDJjYi04YWY5LWExNGZhMzVhNzA5OCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpteW5zOm15bnMtYWRtaW4ifQ.JuZ9WsojEfJai-Z1uLH7AIS-kLyqqln9POzEEoV_RTBKGO4NbtDJwMOw3z4SVeLwdCSiBefh-pD03DCnHmZ-HunrUPXBix2iKRgD42fkQ2L8cZzl8LGEw88jK5mUpSOF2si0wibc1cn7Gtrc5LqMiVtOgLoBMhEXaX2_RDUXj0Q8FtNb_srIcjQe__gXsMGmXxhHuU629IVk7fM99FvHzlDOyLj4goaydMw7F9-JFpL3I-ll2lq46goKDEwB2pMEz_qvsVFHvILNzg318TilMSK4VeMpKUbje6eovvs2IYSMCfVRBtvlpsv3KixYONai1AvYRQz_iISwKzI5JWO4hw
[root@master01 ~]# 

　　使用對應的token登陸dashboard

　　提示：這裏默認登陸進來是default名稱空間，對應帳號沒有權限，因此它會提示咱們沒有權限查看當前名稱空間下的資源；

　　切換到myns名稱空間

　　提示：到此對應用戶就能在myns名稱空間下作響應的管理操做了；

　　製做kubeconfig文件登陸dashboard

[root@master01 ~]# kubectl config set-cluster mykube --server="https://192.168.0.41:6443" --embed-certs --certificate-authority=/etc/kubernetes/pki/ca.crt --kubeconfig=/tmp/test-mykube.config
Cluster "mykube" set.
[root@master01 ~]# kubectl config set-credentials webui-admin --token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjM4WnU0Z1Q1c0hBNmR5Q1V0ejRaMFk4d2J2WncwWjNiUTAxZk02SGN4OTgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJ3ZWJ1aS1jbHVzdGVyLWFkbWluLXRva2VuLWJ4bDJ6Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6IndlYnVpLWNsdXN0ZXItYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI2NDYwNWFhMi1kZmI1LTRlZjItYTQ3NC0yMzczOGUwZmNjZDgiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6d2VidWktY2x1c3Rlci1hZG1pbiJ9.lIEEMbIyYDlWXxG_xSWcY595Ai3yCYTAKEYQVwybysBfNTM9ksJOhqep9M9PF6bfUGIpbFr-Y75gvAmOprrYICv-W7RKUQxMq1s_9mIY7ATlWh3xiPOjYoT9K7JWXNpFOPsl9eEOY2j_VJE7hK_7mzMg7ASPTWEbQS1YkXvoBh3nG_SDBbKgqs-SiQ5_yhx0QFK-PSdFUiBhGRq_TvqbrmZeAi1lJ6tNODcUW7zikSwO53wQDJHgjdYiYHhqm0O3GysBYp6JzgkryXdmjLri6NXvWV9qTc201SL7xrF6S09vSFQaox479r5A5qat9DJn0qq4YEUFKXzweuyxjJfdwA --kubeconfig=/tmp/test-mykube.config
User "webui-admin" set.
[root@master01 ~]# kubectl config set-context webui-admin@mykube --cluster=mykube --user=webui-admin --kubeconfig=/tmp/test-mykube.config
Context "webui-admin@mykube" created.
[root@master01 ~]# kubectl config view --kubeconfig=/tmp/test-mykube.config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.0.41:6443
  name: mykube
contexts:
- context:
    cluster: mykube
    user: webui-admin
  name: webui-admin@mykube
current-context: ""
kind: Config
preferences: {}
users:
- name: webui-admin
  user:
    token: REDACTED
[root@master01 ~]# kubectl config use-context webui-admin@mykube --kubeconfig=/tmp/test-mykube.config 
Switched to context "webui-admin@mykube".
[root@master01 ~]# kubectl config view --kubeconfig=/tmp/test-mykube.config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.0.41:6443
  name: mykube
contexts:
- context:
    cluster: mykube
    user: webui-admin
  name: webui-admin@mykube
current-context: webui-admin@mykube
kind: Config
preferences: {}
users:
- name: webui-admin
  user:
    token: REDACTED
[root@master01 ~]# 

　　提示：在設置用戶時，選擇對應用戶的token信息便可；

　　把對應配置文件導出，在瀏覽器上使用對應文件登陸dashboard

　　提示：此時登陸到dashboard用戶就是對應配置文件中的token對應的sa用戶；到此dashboard就搭建好了。。