Dashboard插件安装

https://github.com/kubernetes/dashboard

• 下载到本地

[root@k8s-master ~]# wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.1/aio/deploy/recommended.yaml

• 修改配置文件添加NodePort

[root@k8s-master ~]# vim recommended.yaml

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard

• 创建dashboard

[root@k8s-master ~]# kubectl apply -f recommended.yaml
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created

• 查看dashboard的pod

[root@k8s-master ~]# kubectl get pods -n kubernetes-dashboard
NAME                                         READY   STATUS    RESTARTS   AGE
dashboard-metrics-scraper-6b4884c9d5-flm79   1/1     Running   0          2m5s
kubernetes-dashboard-7bfbb48676-kd8h7        1/1     Running   0          2m5s

• 查看service

[root@k8s-master ~]# kubectl get service -n kubernetes-dashboard
NAME                        TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)         AGE
dashboard-metrics-scraper   ClusterIP   10.1.190.22   <none>        8000/TCP        4m20s
kubernetes-dashboard        NodePort    10.1.92.84    <none>        443:30317/TCP   4m20s

• 查看dashboard详细信息

[root@k8s-master ~]# kubectl describe svc kubernetes-dashboard -n  kubernetes-dashboard
Name:                     kubernetes-dashboard
Namespace:                kubernetes-dashboard
Labels:                   k8s-app=kubernetes-dashboard
Annotations:              Selector:  k8s-app=kubernetes-dashboard
Type:                     NodePort
IP:                       10.1.92.84
Port:                     <unset>  443/TCP
TargetPort:               8443/TCP
NodePort:                 <unset>  30317/TCP
Endpoints:                10.244.2.4:8443
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   <none>

• 查看dashboard在哪一个节点

[root@k8s-master ~]# kubectl get pods -n kubernetes-dashboard -o wide
NAME                                         READY   STATUS    RESTARTS   AGE     IP           NODE        NOMINATED NODE   READINESS GATES
dashboard-metrics-scraper-6b4884c9d5-flm79   1/1     Running   0          9m26s   10.244.1.6   k8s-node1   <none>           <none>
kubernetes-dashboard-7bfbb48676-kd8h7        1/1     Running   0          9m26s   10.244.2.4   k8s-node2   <none>           <none>

• 从上面可以看出node任意一个节点都可以
• https://10.10.0.245:30317/

我们创建一个admin用户并授予admin 角色绑定，使用下面的yaml文件创建admin用户并赋予他管理员权限，然后就可以通过token 登陆dashbaord，这种认证方式本质实际上是通过Service Account 的身份认证加上Bearer token请求 API server 的方式实现，参考 Kubernetes 中的认证。

[root@k8s-master ~]# vim admin-token.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: admin
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: admin
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile

• 创建对应的token

[root@k8s-master ~]# kubectl apply -f admin-token.yaml
clusterrolebinding.rbac.authorization.k8s.io/admin created
serviceaccount/admin created

• 查看token

[root@k8s-master ~]# kubectl get secret -n kube-system | grep admin-toke | awk '{print $1}' | xargs kubectl -n kube-system describe secret
Name:         admin-token-cddr8
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: admin
              kubernetes.io/service-account.uid: af2cfeb2-ed6e-40f8-97d5-213066ed1d1d

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6InNfLUtqdFZteUNTVHRpUXBWWXRPVm1BQUJFZzdwaG9uSGdtYXBUM1pZeDAifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi1jZGRyOCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImFmMmNmZWIyLWVkNmUtNDBmOC05N2Q1LTIxMzA2NmVkMWQxZCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.QKyXLBuDZFyADFJvckuuQoFC4zESrSn3ah8MOODzbJ_2X0dQaWX8i7z7em620Uz_VBTqIVdLrldKQtExPv1RTtAyYujlijNdP3fKbrSdNGDRyiKy5bUifbPAYukJUaJgF5Z0ls-tQw77EjE_8iTZgcCjVXiszY1Irng-joICY63Jz6eA-62r5LXQNS23YSVU7rRLLe26Y7cLTDrSJY5FGbpvkpRo1_8SMRsxIYSvp09tHswMJi0R3vBjfzg5XRYI-XPyjj4OKT7Qog0DvoTRUc3IYDWvC7eUhPF0QgZEB5vNvUyq7J9jLhRMPNAXWneC_AmtNIAGo2WZqcwzbC_L4g

• 使用以上的token登陆

• 查看Nodes