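1. Introduction to and Deployment of the Dashboard
The Dashboard gives users a visual web interface for viewing information about the current cluster. With Kubernetes Dashboard, users can deploy containerized applications, monitor application status, carry out troubleshooting tasks, and manage the various Kubernetes resources.
Download the deployment file: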
[root@server1 limit]# wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0/aio/deploy/recommended.yaml
Edit the deployment file and change the image source address:
[root@server1 limit]# vim recommended.yaml
Required images: kubernetesui/metrics-scraper:v1.0.4 and kubernetesui/dashboard:v2.0.0. You can download them first and put them in a private registry.
Apply the deployment file:
[root@server1 limit]# kubectl apply -f recommended.yaml
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created
Check the status:
[root@server1 limit]# kubectl get svc -n kubernetes-dashboard
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
dashboard-metrics-scraper ClusterIP 10.105.95.150 <none> 8000/TCP 84s
kubernetes-dashboard ClusterIP 10.99.200.200 <none> 443/TCP 85s
[root@server1 limit]# kubectl describe svc kubernetes-dashboard -n kubernetes-dashboard
Name: kubernetes-dashboard
Namespace: kubernetes-dashboard
Labels: k8s-app=kubernetes-dashboard
Annotations: Selector: k8s-app=kubernetes-dashboard
Type: ClusterIP
IP: 10.99.200.200
Port: <unset> 443/TCP
TargetPort: 8443/TCP
Endpoints: 10.244.0.53:8443
Session Affinity: None
Events: <none>
The service type is ClusterIP, which can only be reached from inside the cluster. We need to change the type to NodePort to allow external access:
[root@server1 limit]# kubectl edit svc kubernetes-dashboard -n kubernetes-dashboard
service/kubernetes-dashboard edited
After the change, check the status again:
[root@server1 limit]# kubectl describe svc kubernetes-dashboard -n kubernetes-dashboard
Name: kubernetes-dashboard
Namespace: kubernetes-dashboard
Labels: k8s-app=kubernetes-dashboard
Annotations: Selector: k8s-app=kubernetes-dashboard
Type: NodePort
IP: 10.110.242.11
Port: <unset> 443/TCP
TargetPort: 8443/TCP
NodePort: <unset> 30273/TCP
Endpoints: 10.244.0.53:8443
Session Affinity: None
External Traffic Policy: Cluster
Events: <none>
Check the port of this service:
[root@server1 limit]# kubectl get pod -o wide -n kubernetes-dashboard
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
dashboard-metrics-scraper-6b4884c9d5-qmmhd 1/1 Running 0 38s 10.244.0.54 server1 <none> <none>
kubernetes-dashboard-7b544877d5-gm5lx 1/1 Running 0 39s 10.244.0.53 server1 <none>
[root@server1 limit]# kubectl get svc -o wide -n kubernetes-dashboard
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
dashboard-metrics-scraper ClusterIP 10.108.81.73 <none> 8000/TCP 3m28s k8s-app=dashboard-metrics-scraper
kubernetes-dashboard NodePort 10.110.242.11 <none> 443:30273/TCP 3m29s k8s-app=kubernetes-dashboard
The pod is running on server1 and the port is 30273.
Access it from a browser on the physical host:
https://172.25.63.1:30273
Logging in to the dashboard requires authentication, so you need to obtain the dashboard pod's token. View the token used for login:
[root@server1 limit]# kubectl -n kubernetes-dashboard get secrets
NAME TYPE DATA AGE
default-token-k9fbp kubernetes.io/service-account-token 3 5m16s
kubernetes-dashboard-certs Opaque 0 5m15s
kubernetes-dashboard-csrf Opaque 1 5m15s
kubernetes-dashboard-key-holder Opaque 2 5m15s
kubernetes-dashboard-token-stw28 kubernetes.io/service-account-token 3 5m16s
[root@server1 limit]# kubectl -n kubernetes-dashboard describe secrets kubernetes-dashboard-token-stw28
Name: kubernetes-dashboard-token-stw28
Namespace: kubernetes-dashboard
Labels: <none>
Annotations: kubernetes.io/service-account.name: kubernetes-dashboard
kubernetes.io/service-account.uid: 8bf16bb6-55d0-44ae-a5c6-a1dd561757f7
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 20 bytes
token: (service account token value omitted)
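Paste the token in to log in:
After logging in, no information is displayed:
By default the dashboard has no permission to operate on the cluster and must be authorized. Since a service account already exists in this namespace, we can grant it permissions directly: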
[root@server1 limit]# kubectl -n kubernetes-dashboard get sa
NAME SECRETS AGE
default 1 8m20s
kubernetes-dashboard 1 8m20s
[root@server1 limit]# vim dashboard-rbac.yaml
[root@server1 limit]# cat dashboard-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin   # binds the built-in cluster role with the highest privileges, cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
[root@server1 limit]# kubectl apply -f dashboard-rbac.yaml
clusterrolebinding.rbac.authorization.k8s.io/admin-user created
After applying it, check the web page again:
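After this binding, the login token of the kubernetes-dashboard service account carries cluster-admin rights on a service reachable through a NodePort, so it is worth checking which service accounts hold that role. The script below is an added example, not part of the original post: the function name risky_bindings and the sample data are constructed for illustration, and only the admin-user entry mirrors dashboard-rbac.yaml.

```python
import json
import sys

# Constructed sample shaped like `kubectl get clusterrolebindings -o json`.
# Only "admin-user" mirrors dashboard-rbac.yaml above; the rest is illustrative.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "ClusterRoleBinding", "metadata": {"name": "admin-user"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                 "namespace": "kubernetes-dashboard"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "kubernetes-dashboard"},
   "roleRef": {"kind": "ClusterRole", "name": "kubernetes-dashboard"},
   "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                 "namespace": "kubernetes-dashboard"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "orphaned"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": null}
]}
""")


def risky_bindings(doc, roles=frozenset({"cluster-admin"})):
    """Return (binding name, "namespace/name") for every ServiceAccount that a
    ClusterRoleBinding ties to one of `roles`. Accepts a List or a single object."""
    findings = []
    for crb in doc["items"] if "items" in doc else [doc]:
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in roles:
            continue
        for subject in crb.get("subjects") or []:  # subjects may be absent or null
            if subject.get("kind") == "ServiceAccount":
                sa = f"{subject.get('namespace', '')}/{subject.get('name', '')}"
                findings.append((crb["metadata"]["name"], sa))
    return findings


if __name__ == "__main__":
    # "-" reads real kubectl output from stdin; otherwise the sample is audited.
    doc = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for binding, sa in risky_bindings(doc):
        print(f"{binding}: ServiceAccount {sa} holds a cluster-wide high-privilege role")
```

Against a live cluster, pipe the output of kubectl get clusterrolebindings -o json into the script with "-" as its only argument (the file name you save it under is your choice).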