Fork me on GitHub

搭建 K8S-Dashboard

字数统计: 1.6k字   |   阅读时长≈ 8分

搭建k8s Dashboard

新建一个文件夹:

1
mkdir  /usr/local/kubernetes/dashboard

拉取yaml文件

1
# wget https://github.com/kubernetes/dashboard/blob/master/aio/deploy/recommended.yaml

解决国内K8S镜像拉取慢: 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
1. 
地址一:registry.aliyuncs.com/google_containers
地址二:registry.cn-hangzhou.aliyuncs.com/google_containers


2. 
apt install jq
curl -s https://zhangguanzhang.github.io/bash/pull.sh | bash -s search gcr.io
# 查询某一名称空间下镜像列表
 curl -s https://zhangguanzhang.github.io/bash/pull.sh | bash -s search gcr.io/google_containers
# gcr.io/google_containers ---> namespace ——————> 根据上面查询出来的namespace查
# 查询某一镜像的所有tag
curl -s https://zhangguanzhang.github.io/bash/pull.sh | bash -s search gcr.io/google_containers/coredns 
# 下载镜像
curl -s https://zhangguanzhang.github.io/bash/pull.sh | bash -s  gcr.io/google_containers/coredns:1.7.0

3. 
# 去 docker hub 下找到
# https://registry.hub.docker.com/r/kubernetesui/metrics-scraper/tags?page=1&ordering=last_updated

# 拉取docker镜像,然后直接kubectl create 
docker pull kubernetesui/metrics-scraper:v1.0.6

编辑配置文件:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

# image 换成国内镜像 registry.aliyuncs.com/google_containers/
# kubernetesui/dashboard:v2.2.0 -> registry.aliyuncs.com/google_containers/kubernetesui/dashboard:v2.2.0
# registry.aliyuncs.com/google_containers/kubernetesui/metrics-scraper:v1.0.6
# ...
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  # 改为NodePort入口
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      # 定义dashboard port
      nodePort: 30001
  selector:
    k8s-app: kubernetes-dashboard
#...

报错: The Service “kubernetes-dashboard” is invalid: spec.ports[0].nodePort: Invalid value: 30001: the provided range does not
match the current range
是因为端口范围的原因,
修改 vi /etc/kubernetes/manifests/kube-apiserver.yaml

1
2
3
4
5
6
7
8
9
10
...
spec:
  containers:
  - command:
    - kube-apiserver
    # 添加此句,开放2-65535端口
    # 如果是多个 master,则每个master 都要配置
    - --service-node-port-range=2-65535
    - --advertise-address=192.168.79.131
...

查看是否运行成功

1
2
3
4
5
6
7
8
9
10
kubectl create -f recommended.yaml

# amespace: kubernetes-dashboard
kubectl get pods -n kubernetes-dashboard

# 查看镜像拉取信息
kubectl describe pod -n kubernetes-dashboard dashboard-metrics-scraper-79c5968bdc-7xgp7

# 查看 dashboard
kubectl get service -n kubernetes-dashboard

登录dashboard,创建token dashboard

创建一个dashboard-adminuser.yaml, 认证与授权服务器

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
EOF

cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
EOF
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard

拿到token

1
kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}"

浏览器打开: https://192.168.79.180:30001/

删除TOKEN

1
2
kubectl -n kubernetes-dashboard delete serviceaccount admin-user
kubectl -n kubernetes-dashboard delete clusterrolebinding admin-user

使用config来登录

配置对多集群的访问
假设用户有两个集群,一个用于正式开发工作,一个用于其它临时用途(scratch)。 在 development 集群中,前端开发者在名为 frontend 的名字空间下工作, 存储开发者在名为 storage 的名字空间下工作。 在 scratch 集群中, 开发人员可能在默认名字空间下工作,也可能视情况创建附加的名字空间。 访问开发集群需要通过证书进行认证。 访问其它临时用途的集群需要通过用户名和密码进行认证。
创建名为 config-exercise 的目录。 在 config-exercise 目录中,创建名为 config-demo 的文件,其内容为:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
apiVersion: v1
kind: Config
preferences: {}

clusters:
- cluster:
  name: development
- cluster:
  name: scratch

users:
- name: developer
- name: experimenter

contexts:
- context:
  name: dev-frontend
- context:
  name: dev-storage
- context:
  name: exp-scratch

配置文件描述了集群、用户名和上下文。config-demo 文件中含有描述两个集群、 两个用户和三个上下文的框架。

进入 config-exercise 目录。输入以下命令,将群集详细信息添加到配置文件中:

1
2
3
kubectl config --kubeconfig=config-demo set-cluster development --server=https://1.2.3.4 --certificate-authority=fake-ca-file

kubectl config --kubeconfig=config-demo set-cluster scratch --server=https://5.6.7.8 --insecure-skip-tls-verify

将用户详细信息添加到配置文件中:

1
2
3
kubectl config --kubeconfig=config-demo set-credentials developer --client-certificate=fake-cert-file --client-key=fake-key-seefile

kubectl config --kubeconfig=config-demo set-credentials experimenter --username=exp --password=some-password

注意:

  • 要删除用户,可以运行 kubectl –kubeconfig=config-demo config unset users.
  • 要删除集群,可以运行 kubectl –kubeconfig=config-demo config unset clusters.
  • 要删除上下文,可以运行 kubectl –kubeconfig=config-demo config unset contexts.

将上下文详细信息添加到配置文件中:

1
2
3
4
5
kubectl config --kubeconfig=config-demo set-context dev-frontend --cluster=development --namespace=frontend --user=developer

kubectl config --kubeconfig=config-demo set-context dev-storage --cluster=development --namespace=storage --user=developer

kubectl config --kubeconfig=config-demo set-context exp-scratch --cluster=scratch --namespace=default --user=experimenter

打开 config-demo 文件查看添加的详细信息。 也可以使用 config view 命令进行查看:

1
kubectl config --kubeconfig=config-demo view

简化版 参考

创建一个 test 用户

1
2
kubectl create ns test
kubectl create sa test -n tes

创建ServiceAccount test-service-account.yaml

1
2
3
4
5
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-service-account
  namespace: test     #指定上面创建的 Namespace

然后创建自定义角色分配 Namespace 权限 test-role-binding-custom.yaml

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
#role
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-role
  namespace: test                 #指定 Namespace
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments"]
    verbs: ["get", "watch", "list"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
#role binding
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-role-binding
  namespace: test                 #指定 Namespace
subjects:
  - kind: ServiceAccount
    name: test-service-account              #指定 ServiceAccount
    namespace: test               #指定 Namespace
roleRef:
  kind: Role
  name: test-role
  apiGroup: rbac.authorization.k8s.io

创建 test-cluster-role-binding.yaml 用于解决登录 Dashboard 不能选择 Namespace 问题

1
2
3
4
5
6
7
8
9
10
11
12
13
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: role-bind-test
  namespace: test
subjects:
- kind: ServiceAccount
  name: test
  namespace: test
roleRef:
  kind: Role
  name: role-test
  apiGroup: rbac.authorization.k8s.io

创建role

1
2
3
4
5
kubectl apply -f test-service-account.yaml

kubectl apply -f test-role-binding-custom.yaml

kubectl apply -f test-cluster-role-binding.yaml

查看token

1
2
3
4
kubectl get secret -n test |grep test-service-account
token_name=`kubectl get secret -n test |grep test-service-account |awk '{print $1}'`
secret=`kubectl  describe secret  -n test $token_name|grep "token:" |awk -F":" '{print $NF}'`
echo $secret

创建test的conf文件

1
2
3
4
5
6
7
8
9
10
kubectl config set-cluster kubernetes --server=192.168.79.180:6444 --kubeconfig=/usr/local/kubernetes/dashboard/dashbord-test.conf

# 这里的scret参数需要替换成上面获取到的登陆的token值
kubectl config set-credentials dashboard-test --token="$secret" --kubeconfig=/usr/local/kubernetes/dashboard/dashbord-test.conf

# 设置context
kubectl config set-context dashboard-test@kubernetes --cluster=kubernetes --user=dashboard-test --kubeconfig=/usr/local/kubernetes/dashboard/dashbord-test.conf

# 使用设置context
kubectl config use-context dashboard-test@kubernetes  --kubeconfig=/usr/local/kubernetes/dashboard/dashbord-test.conf

把dashbord-test.conf 拷贝到本机,然后使用kubeconfig登录

如果报错:services is forbidden: User “system:anonymous” cannot list resource “services” in API group “” in the namespace “default”

给匿名用户授权即可解决,测试环境可用此快速解决

1
kubectl create clusterrolebinding test:anonymous --clusterrole=cluster-admin --user=system:anonymous

另外一种解决办法

1
2
3
4
5
6
# 删除原先配置
kubectl delete -f kubernetes-dashboard.yaml
# 重新加载配置
kubectl create -f kubernetes-dashboard.yaml
# 重启代理
kubectl proxy --address=192.168.79.180 --disable-filter=true &

谢谢你请我吃糖果

支付宝
微信

扫一扫,分享到微信

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

主要涉及技术:
后端开发、微服务2.0(服务网格)
、大数据、人工智能、超级账本
打工仔、开源爱好者、极客
联系QQ:2595903671
很惭愧
只做了一点微小的工作