Installing the Kubernetes web UI (kubernetes-dashboard)

This post describes how to deploy the Kubernetes web UI. It assumes you already have a k8s cluster; then just follow the steps below. (All steps are performed on the master node.)

1. Download the kubernetes-dashboard.yaml file

2. Edit the kubernetes-dashboard.yaml file

# ------------------- Dashboard Deployment ------------------- #

kind: Deployment
apiVersion: apps/v1beta2
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: registry.cn-hangzhou.aliyuncs.com/kube_containers/kubernetes-dashboard-amd64
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --auto-generate-certificates
---
# ------------------- Dashboard Service ------------------- #

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30001
  selector:
    k8s-app: kubernetes-dashboard

The parts of kubernetes-dashboard.yaml above that need changing (shown in red in the original post) are the image, which otherwise cannot be pulled, and the Service, which uses a NodePort mapping so that other hosts can reach the dashboard.

3. Create the resources from kubernetes-dashboard.yaml

kubectl create -f kubernetes-dashboard.yaml

4. Check whether the kubernetes-dashboard container is running

[root@docker-master1 ~]# kubectl get pods -n kube-system
NAME                                     READY   STATUS    RESTARTS   AGE
coredns-576cbf47c7-l5wlh                 1/1     Running   1          3d8h
coredns-576cbf47c7-zrl66                 1/1     Running   1          3d8h
etcd-docker-master1                      1/1     Running   1          3d8h
kube-apiserver-docker-master1            1/1     Running   2          3d8h
kube-controller-manager-docker-master1   1/1     Running   2          3d8h
kube-flannel-ds-amd64-c7wz6              1/1     Running   0          3d8h
kube-flannel-ds-amd64-hqvz9              1/1     Running   0          3d8h
kube-flannel-ds-amd64-w7n4s              1/1     Running   2          3d8h
kube-proxy-8gj2w                         1/1     Running   1          3d8h
kube-proxy-mt6dk                         1/1     Running   0          3d8h
kube-proxy-qtxz7                         1/1     Running   0          3d8h
kube-scheduler-docker-master1            1/1     Running   2          3d8h
kubernetes-dashboard-5f864b6c5f-5s2rw    1/1     Running   0          62m

The highlighted line above (red in the original post) shows that kubernetes-dashboard is now running on a node. You can of course also go to that node and run docker ps to check that the kubernetes-dashboard container has started, and netstat -ptln to check that port 30001 is open.

5. Create a kubernetes-dashboard administrator role

[root@docker-master1 ~]# vi k8s-admin.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-admin
  namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: dashboard-admin
subjects:
  - kind: ServiceAccount
    name: dashboard-admin
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

6. Apply the administrator role

kubectl create -f k8s-admin.yaml

7. Get the dashboard administrator role token

# get the dashboard secret
[root@docker-master1 ~]# kubectl get secret -n kube-system
NAME                                             TYPE                                  DATA   AGE
attachdetach-controller-token-d9w8c              kubernetes.io/service-account-token   3      3d8h
bootstrap-signer-token-jdjwt                     kubernetes.io/service-account-token   3      3d8h
bootstrap-token-9n6rpz                           bootstrap.kubernetes.io/token         6      149m
bootstrap-token-n962df                           bootstrap.kubernetes.io/token         7      3d8h
certificate-controller-token-lktt8               kubernetes.io/service-account-token   3      3d8h
clusterrole-aggregation-controller-token-7stf6   kubernetes.io/service-account-token   3      3d8h
coredns-token-kbz5z                              kubernetes.io/service-account-token   3      3d8h
cronjob-controller-token-b647q                   kubernetes.io/service-account-token   3      3d8h
daemon-set-controller-token-tzlpk                kubernetes.io/service-account-token   3      3d8h
dashboard-admin-token-jc8t5                      kubernetes.io/service-account-token   3      17m
# get the token
[root@docker-master1 ~]# kubectl describe secret dashboard-admin-token-jc8t5 -n kube-system
Name:         dashboard-admin-token-jc8t5
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: dashboard-admin
              kubernetes.io/service-account.uid: cdfb442a-f48b-11e8-80e8-000c29c3dca5

Type:  kubernetes.io/service-account-token

Data
====
namespace:  11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.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.FZCsonMyEdcDDvbzIz7rMxm8vvlk0Ck6O5ooqzaJRWkggwMoqf92qYBsNxMxxT5BdAtxB_iPUD7rEagR7sLTqixHeC0HdTnGCcTnNU1fq2KJA5ssNyi9P4XGJqsGuf4mAmF5L56uBh43X4hQ41rFYPQwIrmVnknTAbAWf3biiKWkN9Az8NsCulRSSCsJSOwfPoGlo7aSbMYTyRXlmzLuLbkMpMvyMHChBJ_MIYbH9dBj_hL3L9iwo9gpNTfB-0_uYHPEPdQcib8qUkC5NxgXdBuQPug5y1kLUVFNgq45ozLTibZuVihK_gza-WKVpBRPY5PaYCN1Gu0-tFObUYDUow
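
The token above is the credential that step 8 pastes into the login form, and through the ClusterRoleBinding of step 5 it carries cluster-admin rights, so it is worth confirming which service account a token belongs to before using it (or when one turns up somewhere it should not be). The POSIX shell snippet below is an added example, not from the original post: it base64url-decodes the payload segment of a secret-backed service-account token and extracts the namespace, service-account and secret-name claims, which are the claim names the controller manager writes into such tokens. The sample token is constructed inline from those claims with a dummy signature; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): read the claims of a
# service-account JWT so you know whose credential you are holding.
# Only the claims are read; the signature is NOT verified here, that is
# the API server's job.

# base64url -> standard base64 with padding restored, then decode.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# The payload is the second dot-separated segment of the token.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Extract one string claim from the compact JSON payload (no jq needed).
jwt_claim() {
  key=$(printf '%s' "$2" | sed 's/[./]/\\&/g')   # escape . and / for sed
  jwt_payload "$1" | sed -n "s/.*\"$key\":\"\([^\"]*\)\".*/\1/p"
}

jwt_sa_name()      { jwt_claim "$1" kubernetes.io/serviceaccount/service-account.name; }
jwt_sa_namespace() { jwt_claim "$1" kubernetes.io/serviceaccount/namespace; }
jwt_secret_name()  { jwt_claim "$1" kubernetes.io/serviceaccount/secret.name; }

# Returns 0 when the claims name the service account we intend to log in as.
token_is_for() {
  [ "$(jwt_sa_name "$1")" = "$2" ] && [ "$(jwt_sa_namespace "$1")" = "$3" ]
}

# Constructed sample token: header and claims in the shape the controller
# manager writes into secret-backed tokens; the signature is a placeholder.
b64url() { base64 | tr -d '\n=' | tr '/+' '_-'; }
SAMPLE_HEADER='{"alg":"RS256","kid":""}'
SAMPLE_PAYLOAD='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","kubernetes.io/serviceaccount/secret.name":"dashboard-admin-token-jc8t5","kubernetes.io/serviceaccount/service-account.name":"dashboard-admin","kubernetes.io/serviceaccount/service-account.uid":"cdfb442a-f48b-11e8-80e8-000c29c3dca5","sub":"system:serviceaccount:kube-system:dashboard-admin"}'
SAMPLE_TOKEN="$(printf '%s' "$SAMPLE_HEADER" | b64url).$(printf '%s' "$SAMPLE_PAYLOAD" | b64url).dummy-signature"

echo "token belongs to $(jwt_sa_namespace "$SAMPLE_TOKEN")/$(jwt_sa_name "$SAMPLE_TOKEN") (secret $(jwt_secret_name "$SAMPLE_TOKEN"))"
```

Running jwt_payload on the real token from the listing prints JSON of the same shape; its first segment, eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9, is exactly the base64 of {"alg":"RS256","kid":""}, the header the sample reproduces. Because the signing key is only held by the API server, this identifies a token but does not prove it is genuine; treat the output as a label for a credential, not as a validity check.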

8. Log in to the kubernetes-dashboard web UI with the administrator role

In the client browser, enter https://nodeIP:nodeport, that is, the node on which the kubernetes-dashboard container is running and the nodePort configured above (in my case https://192.168.20.214:30001).

The following screen appears; select Token and enter the token (the token obtained above).

9. Ways to access the dashboard

According to the official documentation, there are currently four ways to access the Dashboard:

  • NodePort
  • API Server
  • kubectl proxy
  • Ingress

Of these four, I tested the first three; at present only NodePort and kubectl proxy work, and API Server is not yet resolved.

  1. Using NodePort

Once the Service has been added to kubernetes-dashboard.yaml, the Dashboard can be accessed via NodePort. On our physical machine, open https://192.168.20.214:30001/ in Chrome, as in step 2 above (step 2 is what uses NodePort access).

If the browser reports the certificate error NET::ERR_CERT_INVALID, it is because the certificate is not trusted by the physical machine's browser. We can generate a private certificate or use a public one; the certificate setup follows.

# 1. Find which node the kubernetes-dashboard container is running on; here it is docker-slave2
[root@docker-master1 pki]# kubectl get pod -n kube-system -o wide
NAME                                     READY   STATUS    RESTARTS   AGE     IP               NODE             NOMINATED NODE
coredns-576cbf47c7-l5wlh                 1/1     Running   1          9d      10.244.0.5       docker-master1   <none>
coredns-576cbf47c7-zrl66                 1/1     Running   1          9d      10.244.0.4       docker-master1   <none>
etcd-docker-master1                      1/1     Running   1          9d      192.168.20.210   docker-master1   <none>
kube-apiserver-docker-master1            1/1     Running   2          9d      192.168.20.210   docker-master1   <none>
kube-controller-manager-docker-master1   1/1     Running   2          9d      192.168.20.210   docker-master1   <none>
kube-flannel-ds-amd64-c7wz6              1/1     Running   0          9d      192.168.20.213   docker-slave1    <none>
kube-flannel-ds-amd64-hqvz9              1/1     Running   0          9d      192.168.20.214   docker-slave2    <none>
kube-flannel-ds-amd64-w7n4s              1/1     Running   2          9d      192.168.20.210   docker-master1   <none>
kube-proxy-8gj2w                         1/1     Running   1          9d      192.168.20.210   docker-master1   <none>
kube-proxy-mt6dk                         1/1     Running   0          9d      192.168.20.213   docker-slave1    <none>
kube-proxy-qtxz7                         1/1     Running   0          9d      192.168.20.214   docker-slave2    <none>
kube-scheduler-docker-master1            1/1     Running   2          9d      192.168.20.210   docker-master1   <none>
kubernetes-dashboard-5f864b6c5f-5s2rw    1/1     Running   0          5d21h   10.244.3.9       docker-slave2    <none>
# 2. On the docker-slave2 node, find the kubernetes-dashboard container ID
[root@docker-slave2 ~]# docker ps | grep dashboard
384d9dc0170b   registry.cn-hangzhou.aliyuncs.com/kube_containers/kubernetes-dashboard-amd64   "/dashboard --insecu…"   5 days ago   Up 44 hours   k8s_kubernetes-dashboard_kubernetes-dashboard-5f864b6c5f-5s2rw_kube-system_94c8c50b-f484-11e8-80e8-000c29c3dca5_0
# 3. Find the host directory that is mounted at /certs in the kubernetes-dashboard container
[root@docker-slave2 ~]# docker inspect -f {{.Mounts}} 384d9dc0170b
"Mounts": [
    {
        "Type": "bind",
        "Source": "/var/lib/kubelet/pods/94c8c50b-f484-11e8-80e8-000c29c3dca5/volumes/kubernetes.io~empty-dir/tmp-volume",
        "Destination": "/tmp",
        "Mode": "",
        "RW": true,
        "Propagation": "rprivate"
    },
    {
        "Type": "bind",
        "Source": "/var/lib/kubelet/pods/94c8c50b-f484-11e8-80e8-000c29c3dca5/volumes/kubernetes.io~secret/kubernetes-dashboard-token-tbctd",
        "Destination": "/var/run/secrets/kubernetes.io/serviceaccount",
        "Mode": "ro",
        "RW": false,
        "Propagation": "rprivate"
    },
    {
        "Type": "bind",
        "Source": "/var/lib/kubelet/pods/94c8c50b-f484-11e8-80e8-000c29c3dca5/etc-hosts",
        "Destination": "/etc/hosts",
        "Mode": "",
        "RW": true,
        "Propagation": "rprivate"
    },
    {
        "Type": "bind",
        "Source": "/var/lib/kubelet/pods/94c8c50b-f484-11e8-80e8-000c29c3dca5/containers/kubernetes-dashboard/0e84c511",
        "Destination": "/dev/termination-log",
        "Mode": "",
        "RW": true,
        "Propagation": "rprivate"
    },
    {
        "Type": "bind",
        "Source": "/var/lib/kubelet/pods/94c8c50b-f484-11e8-80e8-000c29c3dca5/volumes/kubernetes.io~secret/kubernetes-dashboard-certs",
        "Destination": "/certs",
        "Mode": "ro",
        "RW": false,
        "Propagation": "rprivate"
    }
],
# 4. Generate the dashboard certificate; a private (self-signed) certificate is used here
openssl genrsa -des3 -passout pass:x -out dashboard.pass.key 2048
openssl rsa -passin pass:x -in dashboard.pass.key -out dashboard.key
openssl req -new -key dashboard.key -out dashboard.csr
openssl x509 -req -sha256 -days 365 -in dashboard.csr -signkey dashboard.key -out dashboard.crt
# 5. Copy the generated dashboard.crt and dashboard.key into the host "Source" directory of the certs mount
scp dashboard.crt dashboard.key 192.168.20.214:/var/lib/kubelet/pods/94c8c50b-f484-11e8-80e8-000c29c3dca5/volumes/kubernetes.io~secret/kubernetes-dashboard-certs
# 6. Restart the kubernetes-dashboard container
docker restart 384d9dc0170b

After the steps above the kubernetes-dashboard web UI can be accessed; because a private certificate is used, the browser still warns that the connection is not secure, and an exception has to be added.

  2. Using the API Server

On our physical machine, opening https://192.168.20.210:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ in Chrome returns the following error:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:anonymous\" cannot get resource \"services/proxy\" in API group \"\" in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "https:kubernetes-dashboard:",
    "kind": "services"
  },
  "code": 403
}

The cause is that kube-apiserver uses TLS authentication, while the browser on our real physical machine accesses the Dashboard anonymously (it has no usable certificate), so authorization fails and access is denied. The official fix is to convert the kubelet certificate into a browser-usable certificate and import it into the browser. However, that method does not currently seem to apply to clusters installed with kubeadm; see https://github.com/opsnull/follow-me-install-kubernetes-cluster/issues/5 . It appears that the browser, whether on the physical machine or on a K8S node, needs this certificate imported; no solution for now.

  3. Using kubectl proxy

Here I mainly introduce the most convenient method, kubectl proxy. On the Master run nohup kubectl proxy &, then access the Dashboard at the following address:

http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy

The limitation is that it must be accessed on the Master, which is obviously a pitfall: our goal is to access the Master's Dashboard from our real physical machine.

So, on the master node, we run nohup kubectl proxy --address=192.168.20.210 --disable-filter=true & to start the proxy.

Where:

  • address means the outside world can use 192.168.20.210 to access the Dashboard; 0.0.0.0 can also be used
  • disable-filter=true disables request filtering; otherwise our requests are rejected with Forbidden (403) Unauthorized
  • a port can also be specified; see kubectl proxy --help for details
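
The two flags above decide who can reach the API server through the proxy: kubectl proxy forwards every request with the kubeconfig credentials of the user who started it, and the filter it disables is what produced the 403 Forbidden mentioned in the second bullet. The shell function below is an added example, not from the original post; it rates a kubectl proxy command line by the exposure it creates. The flag names are kubectl's own and the defaults (127.0.0.1, port 8001, filter enabled) are kubectl's defaults; the LOW/MEDIUM/HIGH labels and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): classify the exposure of a
# kubectl proxy invocation before starting it. Everything reaching the
# proxy's socket is forwarded to the API server with the proxy's own
# credentials (on this master: the admin kubeconfig).

proxy_exposure() {
  address=127.0.0.1   # kubectl proxy default
  port=8001           # kubectl proxy default
  filter=enabled      # kubectl proxy default (--disable-filter=false)
  while [ $# -gt 0 ]; do
    case "$1" in
      --address=*) address="${1#--address=}" ;;
      --address)   if [ $# -gt 1 ]; then shift; address="$1"; fi ;;
      --port=*)    port="${1#--port=}" ;;
      --port)      if [ $# -gt 1 ]; then shift; port="$1"; fi ;;
      --disable-filter|--disable-filter=true) filter=disabled ;;
      --disable-filter=false) filter=enabled ;;
    esac
    shift
  done
  # A loopback bind is only reachable from the master itself.
  case "$address" in
    127.*|localhost|::1|\[::1\]) reach=local ;;
    *)                           reach=network ;;
  esac
  if [ "$reach" = local ]; then
    echo "LOW: ${address}:${port} is reachable only on this host (filter ${filter})"
  elif [ "$filter" = enabled ]; then
    echo "MEDIUM: ${address}:${port} is reachable from the network; the filter rejects requests whose Host header is not in --accept-hosts (the 403 Forbidden from the post)"
  else
    echo "HIGH: ${address}:${port} is reachable from the network with the request filter disabled; every client gets unauthenticated API access with the proxy's credentials"
  fi
}

# Just the label, for scripting.
proxy_risk() { proxy_exposure "$@" | cut -d: -f1; }

# The two invocations from the post (nohup and & stripped):
proxy_exposure
proxy_exposure --address=192.168.20.210 --disable-filter=true
```

The filter is a Host-header and path check (--accept-hosts, --accept-paths, --reject-paths), not authentication, which is why kubectl's own help text calls --disable-filter dangerous on an accessible port. With the post's flags, a client on the LAN talks to the API server as the master's admin user without ever presenting the token from step 7. If the proxy has to be reached from another machine, keeping the default loopback bind and forwarding port 8001 over an SSH session to the master (ssh -L 8001:127.0.0.1:8001 root@192.168.20.210) keeps the filter in place; that alternative is mine, not the post's.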

The proxy now listens on the Master's port 8001 by default:

We can then use the following address to reach the login page:

http://192.168.20.210:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login