(13) Kubernetes Dashboard

Dashboard overview

GitHub address

Dashboard is the web GUI of Kubernetes. It can be used to deploy containerized applications on a Kubernetes cluster, troubleshoot applications, and manage the cluster itself and its attached resources. It is commonly used for a quick overview of the cluster and its applications, for creating or modifying individual resources (such as Deployment, Jobs, DaemonSet, etc.), and for scaling a Deployment, starting a rolling update, restarting Pods, or deploying an application with the deployment wizard.

Authentication and authorization for the Dashboard are both handled by the Kubernetes cluster; the Dashboard itself is only a proxy, and every operation is forwarded to the API Server rather than performed by the Dashboard. Currently only two authentication methods are supported, token authentication and kubeconfig, and the corresponding credentials must be prepared before accessing it.

Dashboard deployment

Because the image used, k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1, is hosted abroad and we cannot pull it from here, either of the following two mirrors can be used instead.

# docker pull mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1
or
# docker pull blwy/kubernetes-dashboard-amd64:v1.10.1

1) Download the resource manifest locally and edit the image it uses

[root@k8s-master ~]# wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml

2) Change the image address

[root@k8s-master ~]# vim kubernetes-dashboard.yaml
......
    spec:
      containers:
      - name: kubernetes-dashboard
        image: blwy/kubernetes-dashboard-amd64:v1.10.1    # change the image to an address that can be pulled
        ports:
......

3) Deploy

[root@k8s-master ~]# kubectl apply -f kubernetes-dashboard.yaml
secret/kubernetes-dashboard-certs created
serviceaccount/kubernetes-dashboard created
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
deployment.apps/kubernetes-dashboard created
service/kubernetes-dashboard created

[root@k8s-master ~]# kubectl get pods -n kube-system
NAME                                  READY   STATUS    RESTARTS   AGE
coredns-bccdc95cf-9gsn8               1/1     Running   0          10d
coredns-bccdc95cf-x7m8g               1/1     Running   0          10d
etcd-k8s-master                       1/1     Running   0          10d
kube-apiserver-k8s-master             1/1     Running   0          10d
kube-controller-manager-k8s-master    1/1     Running   0          10d
kube-flannel-ds-amd64-gg55s           1/1     Running   0          10d
kube-flannel-ds-amd64-ssr7j           1/1     Running   5          10d
kube-flannel-ds-amd64-w6f9h           1/1     Running   4          10d
kube-proxy-77pbc                      1/1     Running   3          10d
kube-proxy-qs655                      1/1     Running   3          10d
kube-proxy-xffq4                      1/1     Running   0          10d
kube-scheduler-k8s-master             1/1     Running   0          10d
kubernetes-dashboard-d977fcf6-d25xz   1/1     Running   0          4s

4) Check the svc and change its type to NodePort

[root@k8s-master ~]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                  AGE
kube-dns               ClusterIP   10.96.0.10      <none>        53/UDP,53/TCP,9153/TCP   9d
kubernetes-dashboard   ClusterIP   10.99.151.238   <none>        443/TCP                  7m25s

# You can patch it directly, as below.
[root@k8s-master ~]# kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system
service/kubernetes-dashboard patched
[root@k8s-master ~]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                  AGE
kube-dns               ClusterIP   10.96.0.10      <none>        53/UDP,53/TCP,9153/TCP   9d
kubernetes-dashboard   NodePort    10.99.151.238   <none>        443:32058/TCP            8m45s

# Or edit the resource manifest and change the type to NodePort
[root@k8s-master ~]# vim kubernetes-dashboard.yaml
......
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  type: NodePort    # add type NodePort here

Access https://192.168.1.31:32058 in a browser, as shown in the figure below. Firefox is recommended; add a trust exception in its advanced options, since Chrome blocks access over an insecure certificate.

Token authentication

Cluster-level management operations depend on cluster administrator privileges. For example, the built-in cluster-admin ClusterRole has all permissions, so creating a ServiceAccount and binding it to that role completes cluster-administrator authorization. A user who authenticates to the Dashboard with that ServiceAccount's token can then act as a cluster administrator through the Dashboard interface. For example, the following creates a ServiceAccount named dashboard-admin and completes the cluster role binding:

1) Create the serviceaccount resource

[root@k8s-master ~]# kubectl create serviceaccount dashboard-admin -n kube-system
serviceaccount/dashboard-admin created
[root@k8s-master ~]# kubectl get sa/dashboard-admin -n kube-system
NAME              SECRETS   AGE
dashboard-admin   1         15s

2) Create a clusterrolebinding that binds the cluster-admin role to the serviceaccount resource (dashboard-admin)

[root@k8s-master ~]# kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin 
clusterrolebinding.rbac.authorization.k8s.io/dashboard-admin created

[root@k8s-master ~]# kubectl describe clusterrolebinding/dashboard-admin    # view the binding
Name:         dashboard-admin
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind            Name             Namespace
  ----            ----             ---------
  ServiceAccount  dashboard-admin  kube-system

3) Obtain the token value and log in with it

[root@k8s-master ~]# ADMIN_SECRET=$(kubectl -n kube-system get secret  |awk '/^dashboard-admin/{print $1}')    # get the name of the secret generated for the dashboard-admin created above

[root@k8s-master ~]# kubectl describe secrets $ADMIN_SECRET -n kube-system |grep ^token    # get the token value from that secret
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.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.xVHNDKiU7n8fvfN8_5RF3Z6Ppxl-ULk-zYfWywPktJ6mVgtgm4tnAX9_n8zpzHhff1tD4y04Ra7OKvnJTypkI78ELHqggrQxNLggfpbdrWnIif2qIqEbIv5Hay3s4UeOqU2p6Kex4v7UUVtdo781W4rNi7DP2yXKfV5YSTeu6ZMTQiMa3H-O6y-y4sH_ISi_UwiAtHALTJ_OX-j9BzsFIUBhryKnGbOK4ygVmlTA2tWFe8TDUI6xCTjEKSRId3iL_TpKg-uXc652JHnQPYH2ZErojWCbwGR6IqeRTH4kMlAfjvDIeDdT6sSNyjJONpgJQpdYtaGzQiHgE2CW2_q4zQ

Enter the token obtained above to log in.

Kubeconfig authentication

A kubeconfig is a carrier for authentication information; it can persistently store keys and certificates, or authentication tokens, as the user's authentication configuration file. To show how to configure a login account that only has management rights over a specific namespace, a new ServiceAccount is created here to manage the default namespace and is bound to the admin cluster role.

1) Create the serviceaccount resource

[root@k8s-master ~]# kubectl create serviceaccount def-ns-admin -n default    # create the sa resource def-ns-admin
serviceaccount/def-ns-admin created

[root@k8s-master ~]# kubectl get sa/def-ns-admin -n default    # view the sa resource created above
NAME           SECRETS   AGE
def-ns-admin   1         19s

2) Create a rolebinding that binds the serviceaccount created above to the clusterrole (admin)

[root@k8s-master ~]# kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin
rolebinding.rbac.authorization.k8s.io/def-ns-admin created

[root@k8s-master ~]# kubectl get secret  |grep def-ns    # view the generated secret
def-ns-admin-token-m2ct6   kubernetes.io/service-account-token   3      106s

[root@k8s-master ~]# kubectl describe secret/def-ns-admin-token-m2ct6    # view the secret's details
Name:         def-ns-admin-token-m2ct6
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: def-ns-admin
              kubernetes.io/service-account.uid: f824dbcd-d661-4776-993a-921042f7e196

Type:  kubernetes.io/service-account-token

Data
====
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1tMmN0NiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJmODI0ZGJjZC1kNjYxLTQ3NzYtOTkzYS05MjEwNDJmN2UxOTYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.U72TWqg3pd-zJgd0QsoYysbNm4rf8rPtEvNBDoVRpRnuX_NkJPtSniAdEIw-g_RjZXNhWHjOXOUmlQ1HwXu0FO3d_j0g6S3dX5BlEA4uPeNskgTH83T7g2BoI3XazAzLKtfGPUuOPk9F2IQQvp3m93x-D1BETOp4ga-R4CMQdVZBUl4XWqFpDxJ47pCsK_VrvP3g7LJpzJk9dnwr2i4-3ysLFwZ84x07Kbcw-1ED8jMh8LNpUGPnevpKntqwo9ghCDVN-oPdPGcXlvxrc9enDu_7gIb2H_fJbMWS_vH1pQX8SoYDhneW2gkVKg2RaW1QaF4TrcdUAabcCcfoqdiCxg
ca.crt:     1025 bytes

3) Initialize the cluster information, providing the API Server URL and the CA certificate used to verify the API Server certificate

[root@k8s-master ~]# kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --server="https://192.168.1.31:6443" --embed-certs=true --kubeconfig=/root/def-ns-admin.conf
Cluster "kubernetes" set.

[root@k8s-master ~]# kubectl config view --kubeconfig=/root/def-ns-admin.conf   # view the generated configuration file
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.1.31:6443
  name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []

4) Obtain the def-ns-admin token and use it as the credential. Because the token read directly from the secret is base64-encoded, decode it with the "base64 -d" command

[root@k8s-master ~]# kubectl get secret -n default
NAME                       TYPE                                  DATA   AGE
admin-token-lc826          kubernetes.io/service-account-token   3      16d
def-ns-admin-token-m2ct6   kubernetes.io/service-account-token   3      12m

[root@k8s-master ~]# kubectl -n default get secret/def-ns-admin-token-m2ct6 -o jsonpath={.data.token} |base64 -d     # get the token and decode it
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1tMmN0NiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJmODI0ZGJjZC1kNjYxLTQ3NzYtOTkzYS05MjEwNDJmN2UxOTYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.U72TWqg3pd-zJgd0QsoYysbNm4rf8rPtEvNBDoVRpRnuX_NkJPtSniAdEIw-g_RjZXNhWHjOXOUmlQ1HwXu0FO3d_j0g6S3dX5BlEA4uPeNskgTH83T7g2BoI3XazAzLKtfGPUuOPk9F2IQQvp3m93x-D1BETOp4ga-R4CMQdVZBUl4XWqFpDxJ47pCsK_VrvP3g7LJpzJk9dnwr2i4-3ysLFwZ84x07Kbcw-1ED8jMh8LNpUGPnevpKntqwo9ghCDVN-oPdPGcXlvxrc9enDu_7gIb2H_fJbMWS_vH1pQX8SoYDhneW2gkVKg2RaW1QaF4TrcdUAabcCcfoqdiCxg

[root@k8s-master ~]# DEFNS_ADMIN_TOKEN=$(kubectl -n default get secret/def-ns-admin-token-m2ct6 -o jsonpath={.data.token} |base64 -d)    # save the token obtained above in a variable for convenience

[root@k8s-master ~]# kubectl config set-credentials def-ns-admin --token=$DEFNS_ADMIN_TOKEN --kubeconfig=/root/def-ns-admin.conf
User "def-ns-admin" set.

5) Set the context list, defining a context named def-ns-admin

[root@k8s-master ~]# kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin --kubeconfig=/root/def-ns-admin.conf
Context "def-ns-admin@kubernetes" created.

6) Finally, set the context to use to the def-ns-admin context defined above

[root@k8s-master ~]# kubectl config use-context def-ns-admin@kubernetes --kubeconfig=/root/def-ns-admin.conf

[root@k8s-master ~]# kubectl config view --kubeconfig=/root/def-ns-admin.conf    # view the final configuration file
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.1.31:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: def-ns-admin
  name: def-ns-admin@kubernetes
current-context: def-ns-admin@kubernetes
kind: Config
preferences: {}
users:
- name: def-ns-admin
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1tMmN0NiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJmODI0ZGJjZC1kNjYxLTQ3NzYtOTkzYS05MjEwNDJmN2UxOTYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.U72TWqg3pd-zJgd0QsoYysbNm4rf8rPtEvNBDoVRpRnuX_NkJPtSniAdEIw-g_RjZXNhWHjOXOUmlQ1HwXu0FO3d_j0g6S3dX5BlEA4uPeNskgTH83T7g2BoI3XazAzLKtfGPUuOPk9F2IQQvp3m93x-D1BETOp4ga-R4CMQdVZBUl4XWqFpDxJ47pCsK_VrvP3g7LJpzJk9dnwr2i4-3ysLFwZ84x07Kbcw-1ED8jMh8LNpUGPnevpKntqwo9ghCDVN-oPdPGcXlvxrc9enDu_7gIb2H_fJbMWS_vH1pQX8SoYDhneW2gkVKg2RaW1QaF4TrcdUAabcCcfoqdiCxg

7) Save this configuration file on the client and log in by loading it

Testing shows that a user logging in as def-ns-admin can only see the contents of the default namespace, and can only manage resources in the default namespace.
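Before loading a service-account token into a kubeconfig (steps 4 to 6 above), it is worth confirming which identity the token actually carries, so that a cluster-admin token is not handed out where a namespace-scoped one was intended. The following is an added example, not part of the original post: it decodes the JWT payload of a token in the layout shown on this page and checks the sub claim against the expected namespace and ServiceAccount; the sample token, the function names and the placeholder signature are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: inspect a service-account token
# before writing it into a kubeconfig, to confirm it belongs to the
# ServiceAccount and namespace you intend (def-ns-admin in default here).
# Only the JWT payload is decoded; the signature is NOT verified here, the
# API server does that on every request.

# Decode one base64url segment of a JWT, restoring the padding JWTs omit.
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print a string claim from the payload (second dot-separated JWT part).
# Claim names may contain '/' (e.g. kubernetes.io/serviceaccount/namespace).
jwt_claim() {
    payload=$(printf '%s' "$1" | cut -d. -f2)
    b64url_decode "$payload" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# Return 0 when the token's subject is system:serviceaccount:<ns>:<sa>.
check_sa_token() {
    [ "$(jwt_claim "$1" sub)" = "system:serviceaccount:$2:$3" ]
}

# Constructed sample token with the claim layout seen on this page; the
# signature part is a placeholder, so it is not a usable credential.
sample_token() {
    hdr=$(printf '%s' '{"alg":"RS256","kid":""}' | base64 | tr -d '=\n' | tr '/+' '_-')
    pl=$(printf '%s' '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","kubernetes.io/serviceaccount/service-account.name":"def-ns-admin","sub":"system:serviceaccount:default:def-ns-admin"}' \
         | base64 | tr -d '=\n' | tr '/+' '_-')
    printf '%s.%s.%s' "$hdr" "$pl" "placeholder-signature"
}

# Usage: reject the token unless it is the namespace-scoped account we expect.
if check_sa_token "$(sample_token)" default def-ns-admin; then
    echo "token subject OK: $(jwt_claim "$(sample_token)" sub)"
else
    echo "unexpected token subject" >&2
fi
```

To check a real token, pass the output of the base64 -d command from step 4 as the first argument instead of the constructed sample.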
