Docker notes 30: k8s dashboard authentication and tiered authorization
Official Dashboard address: https://github.com/kubernetes/dashboard
The dashboard runs as a pod, and a serviceaccount is needed to log in to it.
First, create a dedicated set of credentials for the dashboard.
Start by generating the private key:
[root@master ~]# cd /etc/kubernetes/pki/
[root@master pki]# (umask 077; openssl genrsa -out dashboard.key 2048)
Generating RSA private key, 2048 bit long modulus
.............................................................................................................................+++
.................................+++
Create a certificate signing request:
[root@master pki]# openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=zhixin/CN=dashboard"
Now sign the certificate with the cluster CA:
[root@master pki]# openssl x509 -req -in dashboard.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dashboard.crt -days 365
Signature ok
subject=/O=zhixin/CN=dashboard
Getting CA Private Key
Turn the private key and certificate generated above into a secret:
[root@master pki]# kubectl create secret generic dashboard-cert -n kube-system --from-file=dashboard.crt=./dashboard.crt --from-file=dashboard.key=./dashboard.key
secret/dashboard-cert created
[root@master pki]# kubectl get secret -n kube-system | grep dashboard
dashboard-cert      Opaque      2      5m
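Before wrapping a certificate and key into the secret, it is worth checking that the certificate really chains to the cluster CA and that the key you are about to upload is the one the certificate was issued for; a mismatched pair only shows up later as a TLS error in the dashboard pod. The script below is an added example, not part of the original notes: verify_dashboard_cert does those two checks with openssl, and make_test_pki builds a throwaway CA and dashboard key pair (constructed stand-ins for the files under /etc/kubernetes/pki, using the same openssl steps and the same /O=zhixin/CN=dashboard subject as the notes) so the check can be exercised without a cluster.

```shell
#!/bin/sh
# Added example (not from the original notes): verify a freshly issued
# dashboard certificate before creating the kubernetes secret from it.

# Returns 0 when certificate $2 was signed by CA certificate $1 and its
# public key matches private key $3; returns 1 otherwise.
verify_dashboard_cert() {
    ca_crt=$1; crt=$2; key=$3
    # 1. chain check: the cert must validate against the cluster CA
    openssl verify -CAfile "$ca_crt" "$crt" >/dev/null 2>&1 || return 1
    # 2. pairing check: compare a digest of the RSA modulus on both sides
    crt_mod=$(openssl x509 -noout -modulus -in "$crt" | openssl sha256)
    key_mod=$(openssl rsa -noout -modulus -in "$key" | openssl sha256)
    [ "$crt_mod" = "$key_mod" ]
}

# Constructed test PKI in directory $1: a throwaway CA (stand-in for
# /etc/kubernetes/pki/ca.crt and ca.key) plus the dashboard key, CSR and
# certificate produced with the same openssl commands as in the notes.
# other.key is an unrelated key used to show the pairing check failing.
make_test_pki() {
    dir=$1
    (umask 077; openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null)
    openssl req -x509 -new -key "$dir/ca.key" -days 365 -subj "/CN=kubernetes" \
        -out "$dir/ca.crt"
    (umask 077; openssl genrsa -out "$dir/dashboard.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/dashboard.key" -subj "/O=zhixin/CN=dashboard" \
        -out "$dir/dashboard.csr"
    openssl x509 -req -in "$dir/dashboard.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/dashboard.crt" -days 365 2>/dev/null
    (umask 077; openssl genrsa -out "$dir/other.key" 2048 2>/dev/null)
}

# Stand-alone demo: build the test PKI and run both checks.
if [ "${DASHBOARD_CERT_DEMO:-0}" = "1" ]; then
    d=$(mktemp -d)
    make_test_pki "$d"
    verify_dashboard_cert "$d/ca.crt" "$d/dashboard.crt" "$d/dashboard.key" \
        && echo "dashboard.crt: chain OK, key matches"
    verify_dashboard_cert "$d/ca.crt" "$d/dashboard.crt" "$d/other.key" \
        || echo "other.key: does not match dashboard.crt (expected)"
    rm -rf "$d"
fi
```

Run with DASHBOARD_CERT_DEMO=1 to see both outcomes; against the real files, call verify_dashboard_cert ca.crt dashboard.crt dashboard.key inside /etc/kubernetes/pki and only run the kubectl create secret command from the notes when it returns 0.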
Create a serviceaccount, because the dashboard needs a serviceaccount (the identity pods use to authenticate to each other) to verify logins.
[root@master pki]# kubectl create serviceaccount dashboard-admin -n kube-system
serviceaccount/dashboard-admin created
[root@master pki]# kubectl get sa -n kube-system | grep admin
dashboard-admin      1      23s
Next, bind dashboard-admin to a clusterrole through a clusterrolebinding.
[root@master pki]# kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
clusterrolebinding.rbac.authorization.k8s.io/dashboard-cluster-admin created
The serviceaccount dashboard-admin now has administrative rights over the entire cluster.
[root@master pki]# kubectl get secret -n kube-system | grep dashboard
dashboard-admin-token-hfxg9      kubernetes.io/service-account-token      3      7m
[root@master pki]# kubectl describe secret dashboard-admin-token-hfxg9 -n kube-system
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.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.PyE0q9sZl8uDF-KGvpwG3nDfny9i2wdP-24Jf8d5GlWDfaHO3vkEe1zs56K7qkRPvrg-iQ0tVvoVG8SAj2cBKjLYP6oSiQcVS3ax2TyiSG7j5Ibupc1TXKj0Yc4FfcIKu1tMZwtezHdKUDDY7RJ2sp81rYHbJdkjXe-40cITCKcjadSU-6sfNJnq4E4E-bp1LYrBvokUbBW4xkHzruS7QFQAnEZ3v257R_xjXx23NPsqwCH6dx8OWYgIXdtUos7vNjLw8xy-_rO9VEuGRnzni5m9SBdVwEF7edtJh_psZBe7yfGAkgfRPpxbwB_wyyProM-aIn6LL4aekUwBqbwOLQ
The token above is the authentication token of the serviceaccount dashboard-admin.
Now deploy the dashboard:
[root@master pki]# kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
[root@master ~]# kubectl get pods -n kube-system
NAME                                   READY   STATUS    RESTARTS   AGE
kubernetes-dashboard-767dc7d4d-4mq9z   1/1     Running   2          2h
[root@master ~]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)         AGE
kube-dns               ClusterIP   10.96.0.10    <none>        53/UDP,53/TCP   21d
kubernetes-dashboard   ClusterIP   10.104.8.78   <none>        443/TCP         45m
[root@master ~]# kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system
service/kubernetes-dashboard patched
[root@master ~]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)         AGE
kube-dns               ClusterIP   10.96.0.10    <none>        53/UDP,53/TCP   21d
kubernetes-dashboard   NodePort    10.104.8.78   <none>        443:31647/TCP   47m
The dashboard can now be reached from outside the cluster on port 31647, using the IP of the master node host.
Open https://172.16.1.100:31647 in a browser and paste the token obtained above into the token field to log in:
Note: open it in Firefox; it will not open in other browsers. Take note!!!
With the authentication method above, this user can see everything in the whole cluster; it is a super administrator. Next we set up another user that is restricted to the default namespace.
[root@master ~]# kubectl create serviceaccount def-ns-admin -n default
serviceaccount/def-ns-admin created
[root@master ~]# kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin
rolebinding.rbac.authorization.k8s.io/def-ns-admin created
[root@master ~]# kubectl get secret
NAME                       TYPE                                  DATA   AGE
admin-token-6jpc5          kubernetes.io/service-account-token   3      1d
def-ns-admin-token-646gx   kubernetes.io/service-account-token   3      2m
[root@master ~]# kubectl describe secret def-ns-admin-token-646gx
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi02NDZneCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4ODZiOGI2NC1jM2JmLTExZTgtYmIzNS0wMDUwNTZhMjRlY2IiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.MTyQW7Vn_1j9cfmtYAE4CepmLsaMsMfE5VG6xkx4LsfrsKOO2FAo1bQuUtjLtAj52UzC7I0dVqQKpcx1DPxkr8QIpNm37PLE01geQ0C0me7QiRiM9KrFXmDtxUSLlhPBahxg-krlaANEWDKX69nss6qKiFgip7KHM_uP-b1d1caSE8y-zdEtTHK8QJ9reMb-EHG6iPkFpYJ-2guDOUhL5559usR16o2AWoN8yRdcKtnpqwBV_n2UE4m83kLjA30PtYpqraIQp9yTa21jiVlceHZpWxx-HlOEjDE4ekNCe_xTorJ7MbHVTyfqr37o8fh8Gsh-P5_tK-qaDOO7pSMkHA
Log in to the web page with the token above; once logged in, only the contents of the default namespace are visible.
Next, let's try logging in with the kubeconfig method.
[root@master pki]# cd /etc/kubernetes/pki
[root@master pki]# kubectl config set-cluster kubernetes --certificate-authority=./ca.crt --server="https://172.16.1.100:6443" --embed-certs=true --kubeconfig=/root/def-ns-admin.conf
Cluster "kubernetes" set.
[root@master pki]# kubectl config view --kubeconfig=/root/def-ns-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://172.16.1.100:6443
  name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
[root@master pki]# kubectl get secret
NAME                       TYPE                                  DATA   AGE
admin-token-6jpc5          kubernetes.io/service-account-token   3      1d
def-ns-admin-token-646gx   kubernetes.io/service-account-token   3      33m
[root@master pki]# kubectl get secret def-ns-admin-token-646gx -o json
        "token": "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"
[root@master pki]# DEF_NS_ADMIN_TOKEN=$(kubectl get secret def-ns-admin-token-646gx -o jsonpath={.data.token} | base64 -d)
[root@master pki]# kubectl config set-credentials def-ns-admin --token=$DEF_NS_ADMIN_TOKEN --kubeconfig=/root/def-ns-admin.conf
User "def-ns-admin" set.
[root@master pki]# kubectl config view --kubeconfig=/root/def-ns-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://172.16.1.100:6443
  name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users:
- name: def-ns-admin
[root@master pki]# kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin --kubeconfig=/root/def-ns-admin.conf
Context "def-ns-admin@kubernetes" created.
[root@master pki]# kubectl config view --kubeconfig=/root/def-ns-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://172.16.1.100:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: def-ns-admin
  name: def-ns-admin@kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: def-ns-admin
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi02NDZneCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4ODZiOGI2NC1jM2JmLTExZTgtYmIzNS0wMDUwNTZhMjRlY2IiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.MTyQW7Vn_1j9cfmtYAE4CepmLsaMsMfE5VG6xkx4LsfrsKOO2FAo1bQuUtjLtAj52UzC7I0dVqQKpcx1DPxkr8QIpNm37PLE01geQ0C0me7QiRiM9KrFXmDtxUSLlhPBahxg-krlaANEWDKX69nss6qKiFgip7KHM_uP-b1d1caSE8y-zdEtTHK8QJ9reMb-EHG6iPkFpYJ-2guDOUhL5559usR16o2AWoN8yRdcKtnpqwBV_n2UE4m83kLjA30PtYpqraIQp9yTa21jiVlceHZpWxx-HlOEjDE4ekNCe_xTorJ7MbHVTyfqr37o8fh8Gsh-P5_tK-qaDOO7pSMkHA
[root@master pki]# kubectl config use-context def-ns-admin@kubernetes --kubeconfig=/root/def-ns-admin.conf
Switched to context "def-ns-admin@kubernetes".
[root@master pki]# kubectl config view --kubeconfig=/root/def-ns-admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://172.16.1.100:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: def-ns-admin
  name: def-ns-admin@kubernetes
current-context: def-ns-admin@kubernetes
kind: Config
preferences: {}
users:
- name: def-ns-admin
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi02NDZneCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4ODZiOGI2NC1jM2JmLTExZTgtYmIzNS0wMDUwNTZhMjRlY2IiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.MTyQW7Vn_1j9cfmtYAE4CepmLsaMsMfE5VG6xkx4LsfrsKOO2FAo1bQuUtjLtAj52UzC7I0dVqQKpcx1DPxkr8QIpNm37PLE01geQ0C0me7QiRiM9KrFXmDtxUSLlhPBahxg-krlaANEWDKX69nss6qKiFgip7KHM_uP-b1d1caSE8y-zdEtTHK8QJ9reMb-EHG6iPkFpYJ-2guDOUhL5559usR16o2AWoN8yRdcKtnpqwBV_n2UE4m83kLjA30PtYpqraIQp9yTa21jiVlceHZpWxx-HlOEjDE4ekNCe_xTorJ7MbHVTyfqr37o8fh8Gsh-P5_tK-qaDOO7pSMkHA
At this point the file /root/def-ns-admin.conf can be used in the dashboard to log in.
Summary
1. Deploy:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
2. Change the service to NodePort:
kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system
3. Authentication:
The account used for authentication must be a ServiceAccount: the dashboard pod presents it to kubernetes for authentication.
Method 1: token authentication:
a) Create a serviceaccount and, according to what it is meant to manage, bind it with a rolebinding or clusterrolebinding to an appropriate role or clusterrole;
b) Get this serviceaccount's secret and view the secret's details; they contain the token, which is pasted into the token field of the web UI.
Method 2: kubeconfig authentication: wrap the serviceaccount's token in a kubeconfig file.
a) Create a serviceaccount and, according to what it is meant to manage, bind it with a rolebinding or clusterrolebinding to an appropriate role or clusterrole;
b) Find the serviceaccount's secret and extract the token from it (the name of the secret is SERVICEACCOUNT_SECRET_NAME; the `| base64 -d` is needed because the secret stores the token base64-encoded):
kubectl get secret | awk '/^SERVICEACCOUNT_NAME/{print $1}'
KUBE_TOKEN=$(kubectl get secret SERVICEACCOUNT_SECRET_NAME -o jsonpath={.data.token} | base64 -d)
c) Generate the kubeconfig file:
kubectl config set-cluster CLUSTER_NAME --server=https://APISERVER:6443 --certificate-authority=/PATH/TO/ca.crt --embed-certs=true --kubeconfig=/PATH/TO/SOMEFILE
kubectl config set-credentials NAME --token=$KUBE_TOKEN --kubeconfig=/PATH/TO/SOMEFILE
kubectl config set-context CONTEXT_NAME --cluster=CLUSTER_NAME --user=NAME --kubeconfig=/PATH/TO/SOMEFILE
kubectl config use-context CONTEXT_NAME --kubeconfig=/PATH/TO/SOMEFILE
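The kubeconfig walk-through above and summary steps b) and c) both amount to the same thing: take a service-account token out of its secret, check it is the token you think it is, and wrap it in a kubeconfig. The script below is an added example, not part of the original notes. sa_token_subject decodes the payload of the token (the middle, base64url-encoded segment of the JWT that `kubectl describe secret` prints) and returns its `sub` claim, so you can confirm you are holding the def-ns-admin token and not the cluster-admin one before handing the file to anyone; write_sa_kubeconfig refuses to write the file if the subject does not match the expected namespace and serviceaccount, and otherwise writes the same YAML the `kubectl config set-cluster / set-credentials / set-context / use-context` sequence produces, with the file mode restricted to the owner. The sample token is constructed (real header from the notes, made-up payload, dummy signature); the signature is not checked here, the API server does that.

```shell
#!/bin/sh
# Added example (not from the original notes): inspect a service-account
# token and wrap it in a kubeconfig without calling kubectl.

# Prints the "sub" claim of JWT $1 (e.g. system:serviceaccount:default:def-ns-admin).
# The payload is base64url without padding, so it is mapped back to standard
# base64 and re-padded before decoding.
sa_token_subject() {
    payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    pad=$(( (4 - ${#payload} % 4) % 4 ))
    while [ "$pad" -gt 0 ]; do payload="$payload="; pad=$((pad - 1)); done
    printf '%s' "$payload" | base64 -d 2>/dev/null \
        | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# Writes a kubeconfig to $5 for token $4, but only if the token's subject is
# system:serviceaccount:$2:$3. $1 is the API server URL, $6 the base64 CA data
# (what --embed-certs=true stores). Returns 1 and writes nothing on a mismatch.
write_sa_kubeconfig() {
    server=$1; ns=$2; sa=$3; token=$4; out=$5; ca_data=$6
    subj=$(sa_token_subject "$token")
    [ "$subj" = "system:serviceaccount:$ns:$sa" ] || return 1
    # subshell so the umask change does not leak into the caller
    (umask 077; cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: $server
    certificate-authority-data: $ca_data
users:
- name: $sa
  user:
    token: $token
contexts:
- name: $sa@kubernetes
  context:
    cluster: kubernetes
    user: $sa
current-context: $sa@kubernetes
EOF
    )
}

# Constructed sample token: the header from the notes, a made-up payload and a
# dummy signature. Replace with the output of `kubectl describe secret`.
SAMPLE_PAYLOAD=$(printf '%s' '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:default:def-ns-admin"}' \
    | base64 | tr -d '=\n' | tr '/+' '_-')
SAMPLE_TOKEN="eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.$SAMPLE_PAYLOAD.not-a-real-signature"

echo "sample token subject: $(sa_token_subject "$SAMPLE_TOKEN")"
```

To use it for the def-ns-admin account from the notes: set KUBE_TOKEN as in step b), take the CA data with `base64 -w0 /etc/kubernetes/pki/ca.crt`, and call write_sa_kubeconfig https://172.16.1.100:6443 default def-ns-admin "$KUBE_TOKEN" /root/def-ns-admin.conf "$CA_DATA". A quick check that the resulting file really is namespace-scoped is `kubectl auth can-i list pods --all-namespaces --kubeconfig=/root/def-ns-admin.conf`, which should answer no, while the same query with `-n default` answers yes.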
1. Imperative commands: create, run, expose, delete, edit....
2. Imperative configuration files: create -f /PATH/TO/RESOURCE_CONFIGURATION_FILE, delete -f, replace -f
3. Declarative configuration files: apply -f, patch
It is generally advisable not to mix the three approaches above; commands such as apply and patch are recommended.