# Dashboard overview

Kubernetes Dashboard is a general-purpose web UI for managing a Kubernetes cluster; it is meant to cover from a browser the operations that are otherwise done with command-line tools such as `kubectl`. kubespray deploys the Dashboard by default, so all that is needed is a small change to the kubeconfig file and an Ingress route to reach it.

### Expose the Dashboard through a NodePort

Edit the `dashboard.yml` shipped with kubespray and set the Service type to `NodePort` (the edited file is `kubernetes-dashboard.yaml`), then redeploy the Dashboard:

```yaml
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    kubernetes.io/cluster-service: "true"
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort
  ports:
  - port: 443
    targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
```

Delete the existing Dashboard first, then recreate it:

```
kubectl create -f dashboard.yml
```

Look up the NodePort that was allocated:

```
kubectl -n kube-system get svc kubernetes-dashboard
NAME                   TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)         AGE
kubernetes-dashboard   NodePort   10.233.38.80   <none>        443:31782/TCP   1h
```

The login page is now reachable on that port of any node in the cluster, e.g. `https://172.20.0.113:31782/` (use HTTPS; the port is the one shown in the `PORT(S)` column). Keep in mind that a NodePort is reachable from every network that can reach the nodes, so restrict access with a firewall or security group. The login page supports two authentication methods, kubeconfig and token: choose a local kubeconfig file to log in to the cluster; the file carries the user name, certificate and token.

![dashboard](https://box.kancloud.cn/2f31c641269ea61bb51f51c96ab7ed91_1628x806.png)

The first screen after logging in looks like this, because the user has no permissions in the `default` namespace:

![](https://box.kancloud.cn/8de3574ba85f99b082bc1522e8f23511_1199x643.jpg)

# Configuring Dashboard login permissions

The Dashboard login page accepts either a kubeconfig file or a token. The Dashboard reads only the `token` field from an uploaded kubeconfig (client certificates in the file are not used for the login), so generating a token is required in both cases.

The two login methods are covered below:

- logging in with a kubeconfig file
- logging in with a token

## Logging in with a kubeconfig file

A kubeconfig file can be specified on the login page to authenticate the user. For how to generate such a file see [创建用户认证授权的kubeconfig文件](https://jimmysong.io/kubernetes-handbook/guide/kubectl-user-authentication-authorization.html).

A cluster deployed with kubespray already has a kubeconfig file at `/etc/kubernetes/admin.conf`. We only need to add a `token` line to the user entry at the end of the file and bind permissions to the admin user.

`admin.conf` looks like this (the long values are truncated here):

```yaml
apiVersion: v1
kind: Config
current-context: admin-cluster.local
preferences: {}
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMrVENDQWVHZ0F3SUJBZ0lKQU03VFpMRlhGZkdaTUEwR0NTcUdTSWIzRFFFQk
    server: https://10.34.11.12:6443
  name: cluster.local
contexts:
- context:
    cluster: cluster.local
    user: admin-cluster.local
  name: admin-cluster.local
users:
- name: admin-cluster.local
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQ4akNDQXRxZ0F3SUJBZ0lKQU5leE1YMUZORHJsTUEwR0NTcUdTSWIzRFFFQkN
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBbjhudGxyQUR4aTFpbytlWEVwU1NYU1ZmMXZqUTV
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNj
```

### Create the admin user and bind its permissions

#### Create the user

`admin-user.yaml` creates a ServiceAccount and binds it to the built-in `cluster-admin` ClusterRole. Anyone who obtains this ServiceAccount's token therefore has full control of the cluster; treat the token like the root password and prefer a narrower role (for example `view` or `edit`, or a ClusterRole you define) for day-to-day Dashboard use.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-cluster.local
  namespace: kube-system
---
# Bind the RBAC cluster role to the service account
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-cluster.local
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-cluster.local
  namespace: kube-system
```

Apply it with `kubectl create`:

```
kubectl create -f admin-user.yaml
```

### Get the token

Now we need the token of the newly created ServiceAccount in order to log in to the Dashboard:

```
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-cluster.local | awk '{print $1}')
```

The `grep` picks the auto-created token Secret by name; `kubectl -n kube-system get sa admin-cluster.local -o jsonpath='{.secrets[0].name}'` returns the same Secret name without pattern matching. The output looks like:

```
Name:         admin-cluster.local-token-xpm5v
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=admin-cluster.local
              kubernetes.io/service-account.uid=0610610c-84e7-11e8-98de-00163e02d9ff

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1090 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNj
```

Add the `token` value shown here to `admin.conf`. After logging in with that file the Dashboard shows:

![](https://box.kancloud.cn/21ba985a60fab39d1dfcc6f3a4d8ef1d_1897x845.png)

## Logging in with a token

Logging in with a token is very similar to the kubeconfig method: the admin user has to be created and bound to a role first, exactly as described above.

Once the admin user exists, query its token:

```
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-cluster.local | awk '{print $1}')
```

The output is the same as above; the token is a very long string:

```
Name:         admin-cluster.local-token-xpm5v
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=admin-cluster.local
              kubernetes.io/service-account.uid=0610610c-84e7-11e8-98de-00163e02d9ff

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1090 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNj
```

Paste that long `eyJ...` string **as it is** into the token field of the Dashboard login page, and you can operate on every object in the cluster with administrator rights. You can equally add the same string to the `token` field of the admin user in the kubeconfig file and keep logging in with kubeconfig; either method works.

> Note: `kubectl describe secret` already prints the `token` value decoded. The `eyJ...` string is the JWT itself and must not be base64-decoded a second time (doing so yields garbage). Only the raw `.data.token` field, as printed by `kubectl get secret -o jsonpath`, is base64-encoded and needs one pass through `base64 -d` (Linux) or `base64 -D` (macOS). Do not paste a cluster-admin token into an online decoder; the local `base64` command is all that is needed.

The value can also be fetched directly with a jsonpath expression, in which case it is base64-encoded and has to be decoded once:

```
kubectl -n kube-system get secret admin-cluster.local-token-xpm5v -o jsonpath='{.data.token}' | base64 -d
```

The result is the token:

```
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNj
```

Finally, enter the token in the login page to log in.

### Deploying the Dashboard with an HTTPS backend

Create the TLS secret. The way secrets are created in Kubernetes v1.10 differs from the older v1.7.6 (a `kubernetes.io/tls` secret created with `kubectl create secret tls` works as well, since it carries the same `tls.crt` and `tls.key` keys):

```
kubectl create secret generic jiedai361-certs --from-file=tls.crt=jiedai361.com.pem --from-file=tls.key=jiedai361.com.key -n kube-system
```

The Dashboard backend serves HTTPS and kubespray has already created a `kubernetes-dashboard-certs` secret for it. Delete the existing secrets and recreate `kubernetes-dashboard-certs` from your own certificate:

```
kubectl delete secret kubernetes-dashboard-certs -n kube-system
kubectl delete secret kubernetes-dashboard-key-holder -n kube-system
kubectl create secret generic kubernetes-dashboard-certs --from-file=tls.crt=jiedai361.com.pem --from-file=tls.key=jiedai361.com.key -n kube-system
```

### Add an Ingress that forwards to the HTTPS backend

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/ssl-passthrough: "true"        # pass the TLS connection through to the backend
    nginx.org/ssl-backends: "kubernetes-dashboard"
    kubernetes.io/ingress.allow-http: "false"
    nginx.ingress.kubernetes.io/secure-backends: "true"  # talk HTTPS to the backend
  name: dashboard-ingress
  namespace: kube-system
spec:
  tls:
  - hosts:
    - ftc-dashboard.jiedai361.com
    secretName: kubernetes-dashboard-certs
  rules:
  - host: ftc-dashboard.jiedai361.com
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
```

Two caveats on these annotations. First, the manifest mixes prefixes from different controllers: `nginx.ingress.kubernetes.io/` is the ingress-nginx prefix (the older `ingress.kubernetes.io/` form is what this page uses), while `nginx.org/` belongs to the NGINX Inc. controller and is ignored by ingress-nginx. Second, SSL passthrough and `secure-backends` are alternatives, not complements: with passthrough the controller forwards the raw TLS connection to the pod (the controller must run with `--enable-ssl-passthrough`) and the `tls:` secret above is not used; with `secure-backends` the controller terminates TLS with that secret and re-encrypts to the pod. Pick one.

See the [ingress annotations reference](https://github.com/kubernetes/ingress-nginx/blob/722027723f4b08f902f684ccc7c7bb203e42c36a/docs/user-guide/nginx-configuration/annotations.md).

### Deploying the Dashboard with an HTTP backend

The Dashboard v1.8.3 deployed by kubespray serves HTTPS by default. You can also edit `dashboard-http.yml` to serve plain HTTP on port 9090 with NodePort 30090. Be aware that the Dashboard only offers its login page over HTTPS: when it is accessed over HTTP, signing in does nothing and every request runs with the permissions of the Dashboard's own ServiceAccount, so never expose an HTTP Dashboard outside a trusted network.

```
cat /etc/kubernetes/dashboard-http.yml
```

```yaml
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Configuration to deploy release version of the Dashboard UI compatible with
# Kubernetes 1.8.
#
# Example usage: kubectl create -f <this_file>

# ------------------- Dashboard Secret ------------------- #

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque

---
# ------------------- Dashboard Service Account ------------------- #

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Role & Role Binding ------------------- #

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Deployment ------------------- #

kind: Deployment
apiVersion: apps/v1beta2
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: dl-harbor.dianrong.com/google_containers/kubernetes-dashboard-amd64:v1.8.3
        ports:
        - containerPort: 9090
          protocol: TCP
        args:
          #- --auto-generate-certificates
          # Uncomment the following line to manually specify Kubernetes API server Host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          #- --apiserver-host=http://10.0.1.168:8080
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
        livenessProbe:
          httpGet:
            scheme: HTTP
            path: /
            port: 9090
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      # serviceAccountName must appear only once in the pod spec; a duplicate key is rejected by kubectl
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule

---
# ------------------- Dashboard Service ------------------- #

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
  - port: 9090
    targetPort: 9090
  selector:
    k8s-app: kubernetes-dashboard

---
# ------------------- Dashboard External Service ------------------- #

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-external
  namespace: kube-system
spec:
  ports:
  - port: 9090
    targetPort: 9090
    nodePort: 30090
  type: NodePort
  selector:
    k8s-app: kubernetes-dashboard
```

### Ingress separated between HTTP and HTTPS

- HTTP only config

```
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: foo-http
  annotations:
    kubernetes.io/ingress.allow-http: "true"
    ingress.kubernetes.io/ssl-passthrough: "false"
spec:
  rules:
  - host: foo.com
    http:
      paths:
      - backend:
          serviceName: foo-service
          servicePort: 80
```

- SSL passthrough config

```
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: foo-https
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  rules:
  - host: foo.com
    http:
      paths:
      - backend:
          serviceName: foo-service
          servicePort: 443
```

### Create a private registry secret

The password given on the command line ends up in the shell history and, base64-encoded (not encrypted), in the Secret object, so use a dedicated robot account rather than the registry admin:

```
kubectl create secret docker-registry regcred \
  --docker-server='dl-harbor.dianrong.com' \
  --docker-username='admin' \
  --docker-password='<registry-password>' \
  --docker-email='yi.hu@dianrong.com'
```

### Create the certificates for mutual TLS

Both `--from-file` arguments need an explicit key name: ingress-nginx looks for `tls.crt` and `tls.key` in the server certificate secret, and for `ca.crt` in the secret referenced by the client-certificate (`auth-tls-secret`) annotation. Without the `key=` prefix the file name becomes the key and the controller does not find the data.

```
kubectl create secret generic corp.dalianyun-secret --from-file=tls.crt=corp.dalianyun.com.pem.crt --from-file=tls.key=corp.dalianyun.com.pem.key -n ftc-demo
kubectl create secret generic ca-tls-chain --from-file=ca.crt=ca-chain.cert.pem -n ftc-demo
```
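The token-handling steps above (fetching the ServiceAccount token Secret, decoding `.data.token` exactly once, checking which account it was issued for, and putting it into `admin.conf` for the kubeconfig login) are easy to get wrong in a shell. The following is an added example, not code from the original page or from the Dashboard project: it works on the JSON that `kubectl -n kube-system get secret <name> -o json` prints and on a kubeconfig parsed into a dict. The Secret, the unsigned JWT inside it and the kubeconfig are constructed stand-ins so that it runs offline; the claim names are the ones the Kubernetes service-account token issuer uses.

```python
"""Extract and sanity-check a Kubernetes service-account token for Dashboard login (added example)."""
import base64
import copy
import json


def _b64url(data: bytes) -> str:
    """base64url without padding, the encoding of JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    """Restore the padding stripped from a JWT segment, then decode it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_from_secret(secret: dict) -> str:
    """Return the bearer token stored in a service-account token Secret.

    Values under .data are base64-encoded exactly once. The decoded result,
    starting with 'eyJ', is the JWT itself: it goes into the login page as-is
    and must not be decoded a second time.
    """
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("not a kubernetes.io/service-account-token secret")
    return base64.b64decode(secret["data"]["token"]).decode()


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only; the API server verifies the signature."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def token_belongs_to(token: str, name: str, namespace: str) -> bool:
    """Confirm the token was issued for the expected ServiceAccount before trusting it."""
    c = jwt_claims(token)
    return (
        c.get("iss") == "kubernetes/serviceaccount"
        and c.get("kubernetes.io/serviceaccount/service-account.name") == name
        and c.get("kubernetes.io/serviceaccount/namespace") == namespace
    )


def kubeconfig_with_token(admin_conf: dict, user: str, token: str) -> dict:
    """Return a copy of admin.conf in which `user` authenticates by token only.

    Dashboard reads just the token from an uploaded kubeconfig, so the client
    certificate and private key are dropped instead of being shipped with it.
    """
    conf = copy.deepcopy(admin_conf)
    for entry in conf["users"]:
        if entry["name"] == user:
            entry["user"] = {"token": token}
            break
    else:
        raise KeyError(f"user {user!r} not in kubeconfig")
    return conf


# ---- constructed sample input standing in for kubectl output ----
_PAYLOAD = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/secret.name": "admin-cluster.local-token-xpm5v",
    "kubernetes.io/serviceaccount/service-account.name": "admin-cluster.local",
    "sub": "system:serviceaccount:kube-system:admin-cluster.local",
}
SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": ""}).encode()),
    _b64url(json.dumps(_PAYLOAD).encode()),
    _b64url(b"not-a-real-signature"),  # constructed: a real token is RS256-signed by the API server
])
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/service-account-token",
    "metadata": {"name": "admin-cluster.local-token-xpm5v", "namespace": "kube-system"},
    "data": {"token": base64.b64encode(SAMPLE_JWT.encode()).decode()},
}
SAMPLE_ADMIN_CONF = {
    "apiVersion": "v1", "kind": "Config", "current-context": "admin-cluster.local",
    "clusters": [{"name": "cluster.local", "cluster": {"server": "https://10.34.11.12:6443"}}],
    "contexts": [{"name": "admin-cluster.local",
                  "context": {"cluster": "cluster.local", "user": "admin-cluster.local"}}],
    "users": [{"name": "admin-cluster.local",
               "user": {"client-certificate-data": "LS0t...", "client-key-data": "LS0t..."}}],
}

if __name__ == "__main__":
    tok = token_from_secret(SAMPLE_SECRET)
    if not token_belongs_to(tok, "admin-cluster.local", "kube-system"):
        raise SystemExit("token was not issued for admin-cluster.local")
    print(json.dumps(kubeconfig_with_token(SAMPLE_ADMIN_CONF, "admin-cluster.local", tok), indent=2))
```

With real data, pipe `kubectl -n kube-system get secret admin-cluster.local-token-xpm5v -o json` into `json.load` and pass the result to `token_from_secret`; the returned string is what the login page's token field expects, and the dict from `kubeconfig_with_token` can be written out as JSON (valid kubeconfig syntax) for the kubeconfig login.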
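The `admin-user.yaml` above binds a ServiceAccount to `cluster-admin` so that the Dashboard login works. After the fact it is worth listing every subject that holds such a binding, because each one is a full-control credential. The following is an added example, not code from the original page or from the Dashboard project: it takes the `.items` list of `kubectl get clusterrolebindings -o json` and reports the subjects bound cluster-wide to `cluster-admin` (or any other role name you pass). The bindings below are constructed sample input; `kubernetes-dashboard-view` is an assumed name used only for illustration.

```python
"""Audit ClusterRoleBindings for subjects that hold cluster-admin (added example)."""

POWERFUL_ROLES = {"cluster-admin"}


def subject_id(subject: dict) -> str:
    """Render an RBAC subject as one string; ServiceAccounts include their namespace."""
    kind = subject.get("kind", "")
    if kind == "ServiceAccount":
        return f"serviceaccount:{subject.get('namespace', '')}:{subject['name']}"
    return f"{kind.lower()}:{subject['name']}"


def powerful_subjects(bindings: list, roles=POWERFUL_ROLES) -> dict:
    """Map each subject bound cluster-wide to one of `roles` to the binding names granting it.

    Only roleRef.kind == ClusterRole counts: a ClusterRoleBinding cannot reference a Role,
    and a RoleBinding to cluster-admin is namespace-scoped, so it is out of scope here.
    `subjects` may be absent or null on a binding with no subjects.
    """
    found: dict = {}
    for b in bindings:
        ref = b.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in roles:
            continue
        for s in b.get("subjects") or []:
            found.setdefault(subject_id(s), []).append(b["metadata"]["name"])
    return found


def unexpected_admins(bindings: list, allowed: set) -> list:
    """Return the cluster-admin holders that are not on an explicit allow-list, sorted."""
    return sorted(s for s in powerful_subjects(bindings) if s not in allowed)


# ---- constructed sample input standing in for `kubectl get clusterrolebindings -o json` .items ----
SAMPLE_BINDINGS = [
    {   # the binding created by admin-user.yaml on this page
        "metadata": {"name": "admin-cluster.local"},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
        "subjects": [{"kind": "ServiceAccount", "name": "admin-cluster.local", "namespace": "kube-system"}],
    },
    {   # default bootstrap binding for the system:masters group (kubeconfig client certs)
        "metadata": {"name": "cluster-admin"},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:masters"}],
    },
    {   # assumed name: a read-only binding, which must not be reported
        "metadata": {"name": "kubernetes-dashboard-view"},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "view"},
        "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard", "namespace": "kube-system"}],
    },
    {   # a binding with no subjects at all
        "metadata": {"name": "orphaned-admin"},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
        "subjects": None,
    },
]

if __name__ == "__main__":
    for subj, names in sorted(powerful_subjects(SAMPLE_BINDINGS).items()):
        print(f"{subj}  <- {', '.join(names)}")
    print("unexpected:", unexpected_admins(SAMPLE_BINDINGS, {"group:system:masters"}))
```

Run it against a live cluster with `kubectl get clusterrolebindings -o json | python3 -c 'import json,sys; ...'` feeding `json.load(sys.stdin)["items"]` to `unexpected_admins`; anything it returns beyond the bootstrap `system:masters` group is a token or certificate that can do what the Dashboard admin above can.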