Quick Start: Deploying the Kubernetes Dashboard
The Kubernetes Dashboard (the original example used minikube) is a simple and fast way to get an overview of a cluster.
Deploying the Kubernetes Dashboard
Install wget and curl on the operating system, then fetch the latest Kubernetes dashboard YAML and deploy it:
VER=$(curl -s https://api.github.com/repos/kubernetes/dashboard/releases/latest|grep tag_name|cut -d '"' -f 4)
echo $VER
wget https://raw.githubusercontent.com/kubernetes/dashboard/$VER/aio/deploy/recommended.yaml -O kubernetes-dashboard.yaml
kubectl apply -f kubernetes-dashboard.yaml
Syntax compatibility issue
Note
I did not actually solve the problem in this section; I worked around it, and the workaround may not be correct. I think the right approach is to install the Kubernetes dashboard version that corresponds to the Kubernetes version in use. A Kubernetes dashboard version that is too new may have hidden problems.
I hit an error while deploying:
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard unchanged
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard configured
error: error validating "kubernetes-dashboard.yaml": error validating data: ValidationError(Deployment.spec.template.spec.securityContext): unknown field "seccompProfile" in io.k8s.api.core.v1.PodSecurityContext; if you choose to ignore these errors, turn validation off with --validate=false
I checked kubernetes-dashboard.yaml:
...
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
...
It seemed safe to ignore, so I removed the securityContext block above and ran the apply again.
Exposing the service
kubernetes-dashboard is deployed in the kubernetes-dashboard namespace by default, but it may also be deployed in the kube-system namespace, so locate it with kubectl get svc -A | grep kubernetes-dashboard. The output looks something like:
kube-system kubernetes-dashboard ClusterIP 10.233.12.29 <none> 443:32642/TCP 10d
There are two ways to expose it: LoadBalancer or NodePort. The configuration is similar; the NodePort variant is:
kubectl --namespace kubernetes-dashboard patch svc kubernetes-dashboard -p '{"spec": {"type": "NodePort"}}'
After the change, check again with kubectl get svc -n kube-system | grep kubernetes-dashboard; the output shows:
kubernetes-dashboard NodePort 10.233.12.29 <none> 443:32642/TCP 10d
Host certificate error
I ran into a very strange problem: after exposing kubernetes-dashboard through a NodePort, opening it in the browser showed NET::ERR_CERT_INVALID (Chrome). The browser blocked access to kubernetes-dashboard at that point (with no option to proceed).
This problem seems to occur with the latest Firefox/Safari/Chrome: the server certificate is signed for localhost, but once exposed through the NodePort the address is a LAN or public IP, so the browser refuses the connection. The fix is to generate a new certificate and replace the secret:
mkdir certs
openssl req -nodes -newkey rsa:2048 -keyout certs/dashboard.key -out certs/dashboard.csr -subj "/C=/ST=/L=/O=/OU=/CN=kubernetes-dashboard"
openssl x509 -req -sha256 -days 365 -in certs/dashboard.csr -signkey certs/dashboard.key -out certs/dashboard.crt
kubectl delete secret kubernetes-dashboard-certs -n kubernetes-dashboard
kubectl create secret generic kubernetes-dashboard-certs --from-file=certs -n kubernetes-dashboard
kubectl delete pod -n kubernetes-dashboard -l k8s-app=kubernetes-dashboard
Once the secret has been regenerated, Chrome accepts the host certificate and kubernetes-dashboard opens.
Bearer Token
Logging in to Kubernetes-dashboard requires either a Token or a cluster-admin Kubeconfig; using a Token is recommended.
But how do you obtain that Token?
Obtaining the Token via kubectl
Check the secrets in kubernetes-dashboard:
kubectl -n kubernetes-dashboard get secret
The output shows:
NAME TYPE DATA AGE
kubernetes-dashboard-certs Opaque 3 12m
kubernetes-dashboard-csrf Opaque 1 10d
kubernetes-dashboard-key-holder Opaque 2 10d
kubernetes-dashboard-token-8tptt kubernetes.io/service-account-token 3 10d
Print the token content of the secret named kubernetes-dashboard-token-XXXXX:
kubectl -n kube-system describe secrets kubernetes-dashboard-token-8tptt
Take the token field from the output and use it as the token for logging in to kubernetes-dashboard.
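As an added example (not the page's or the dashboard project's code), this Python snippet reads the token out of a service-account-token Secret as returned by kubectl get secret -o json and decodes the JWT claims to confirm which namespace and service account the token names, which is what decides whether the dashboard login runs as admin-user or as the kube-system:kubernetes-dashboard account discussed later. The Secret JSON and the unsigned JWT inside it are constructed samples; on Kubernetes 1.24 and later, where token Secrets are no longer created automatically, kubectl create token <serviceaccount> issues a token with the same sub claim (system:serviceaccount:<namespace>:<name>), so token_identity works on both kinds.

```python
import base64
import json


def _b64url(obj):  # JWT segment encoding: base64url without padding
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: the subset of `kubectl -n kube-system get secret
# kubernetes-dashboard-token-8tptt -o json` this example reads. The JWT inside
# is constructed and unsigned, so it only serves to demonstrate the claim check.
_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/service-account.name": "kubernetes-dashboard",
    "sub": "system:serviceaccount:kube-system:kubernetes-dashboard",
}
_FAKE_JWT = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(_CLAIMS), "sig"])
SAMPLE_SECRET_JSON = json.dumps({
    "type": "kubernetes.io/service-account-token",
    "metadata": {"name": "kubernetes-dashboard-token-8tptt", "namespace": "kube-system"},
    "data": {"token": base64.b64encode(_FAKE_JWT.encode()).decode()},
})


def token_from_secret(secret_json):
    """Return the bearer token from a service-account-token Secret
    (`get -o json` shows data.token base64-encoded; `describe` shows it decoded)."""
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("not a service-account token secret: %r" % secret.get("type"))
    return base64.b64decode(secret["data"]["token"]).decode()


def token_identity(token):
    """Return (namespace, service-account name) from the JWT 'sub' claim.
    The signature is not checked here (only the API server can verify it);
    this just shows which account a token names before you paste it in."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    sub = json.loads(base64.urlsafe_b64decode(payload)).get("sub", "")
    prefix = "system:serviceaccount:"
    if not sub.startswith(prefix):
        raise ValueError("not a service-account token: sub=%r" % sub)
    namespace, name = sub[len(prefix):].split(":", 1)
    return namespace, name
```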
Account roles
After logging in at this point you may have no permission to access any resource; you need to create a ServiceAccount for the kubernetes-dashboard login and bind it to the cluster-admin ClusterRole with a ClusterRoleBinding:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
Note
The roles here are for an installation of the official release. I ran into a kubernetes-dashboard installed automatically by Kubespray that uses a different account name, which may need to be changed according to the error message; see below.
No permissions after login
Note
Special case: I had to fix this because the Kubernetes system deployed by Kubespray uses a different access account, system:serviceaccount:kube-system:kubernetes-dashboard.
With the host certificate and token sorted out, I could indeed log in to kubernetes-dashboard, but I ran into another problem: every page was empty, and the messages showed permission errors:
roles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list resource "roles" in API group "rbac.authorization.k8s.io" in the namespace "default"
There were several similar error messages.
This is because no ServiceAccount and ClusterRoleBinding had been created for kubernetes-dashboard in the kube-system namespace, that is, no admin role had been set up for it (in a Kubespray-deployed Kubernetes the dashboard runs as the kubernetes-dashboard service account in the kube-system namespace). So, following the same approach used earlier to configure a service account for the dashboard, dashboard-account.yaml needs to be revised for this account:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  # ClusterRoleBinding is cluster-scoped, so it carries no namespace; applying
  # this replaces the subjects of the earlier binding with the same name.
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
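As an added example (not from the page), this Python code turns a forbidden message like the one above into the exact ServiceAccount subject that a ClusterRoleBinding must name, and builds a kubectl auth can-i impersonation command with which to confirm the denial before, and the grant after, the binding is applied. The sample message is constructed in the page's format, and the can-i command is my assumption about how a practitioner verifies it; keep in mind that binding cluster-admin gives whoever holds that account's token full control of the cluster.

```python
import re

# Constructed sample: the kind of message the dashboard shows when its
# service account lacks RBAC permissions (same shape as on the page).
SAMPLE_ERROR = ('roles.rbac.authorization.k8s.io is forbidden: User '
                '"system:serviceaccount:kube-system:kubernetes-dashboard" '
                'cannot list resource "roles" in API group '
                '"rbac.authorization.k8s.io" in the namespace "default"')

_FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"(?: in the namespace "(?P<namespace>[^"]+)")?')


def parse_forbidden(message):
    """Extract subject, verb, resource, API group and namespace from a forbidden error."""
    m = _FORBIDDEN.search(message)
    if not m:
        raise ValueError("not a Kubernetes forbidden message")
    info = m.groupdict()
    # Service-account usernames are "system:serviceaccount:<namespace>:<name>";
    # that exact pair is what the ClusterRoleBinding subject must name.
    parts = info["user"].split(":")
    if parts[:2] == ["system", "serviceaccount"] and len(parts) == 4:
        info["sa_namespace"], info["sa_name"] = parts[2], parts[3]
    else:
        info["sa_namespace"] = info["sa_name"] = None
    return info


def can_i_command(info):
    """kubectl command that replays the denied request as that subject (assumed
    usage: run it before and after applying the binding to confirm the change)."""
    resource = info["resource"]
    if info["group"]:  # core-group resources have an empty API group
        resource += "." + info["group"]
    cmd = ["kubectl", "auth", "can-i", info["verb"], resource, "--as", info["user"]]
    if info["namespace"]:
        cmd += ["-n", info["namespace"]]
    return " ".join(cmd)


def binding_subject(info):
    """The ClusterRoleBinding subjects entry matching the denied service account."""
    if not info["sa_name"]:
        raise ValueError("subject is not a service account: %s" % info["user"])
    return ("subjects:\n- kind: ServiceAccount\n  name: %s\n  namespace: %s\n"
            % (info["sa_name"], info["sa_namespace"]))
```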
References
Discussion on: Bare metal load balancer on Kubernetes with MetalLB: this post solved the kubernetes-dashboard host certificate error.
dashboard/docs/user/access-control/README.md: reference for obtaining the token.
dashboard/docs/user/access-control/creating-sample-user.md: reference for creating a user account.