K8S的web管理方式-dashboard

目录

  • K8S的web管理方式-dashboard
    • 1 部署dashboard
      • 1.1 获取dashboard镜像
        • 1.1.1 获取1.8.3版本的dsashboard
        • 1.1.2 获取1.10.1版本的dashboard
        • 1.1.3 为何要两个版本的dashbosrd
      • 1.2 创建dashboard资源配置清单
        • 1.2.1 创建rbca授权清单
        • 1.2.2 创建depoloy清单
        • 1.2.3 创建service清单
        • 1.2.4 创建ingress清单暴露服务
      • 1.3 创建相关资源
        • 1.3.1 在任意node上创建
        • 1.3.2 添加域名解析
        • 1.3.3 通过浏览器验证
    • 2 升级dashboard版本
      • 2.1 把版本换成1.10以上版本
        • 2.1.1 在线修改直接使用
        • 2.2.2 等待滚动发布
        • 2.2.3 刷新dashboard页面:
      • 2.2 使用token登录
        • 2.2.1 首先获取secret资源列表
        • 2.2.2 获取角色的详情
        • 2.2.3 申请证书
        • 2.2.4 前端nginx服务部署证书
        • 2.2.5 再次登录dashboard
      • 2.3 授权细则思考

dashboard是k8s的可视化管理平台,是三种管理k8s集群方法之一

1 部署dashboard

1.1 获取dashboard镜像

获取镜像和创建资源配置清单的操作,还是老规矩:7.200上操作

1.1.1 获取1.8.3版本的dsashboard

  1. docker pull k8scn/kubernetes-dashboard-amd64:v1.8.3
  2. docker tag  k8scn/kubernetes-dashboard-amd64:v1.8.3 harbor.zq.com/public/dashboard:v1.8.3
  3. docker push harbor.zq.com/public/dashboard:v1.8.3

1.1.2 获取1.10.1版本的dashboard

  1. docker pull loveone/kubernetes-dashboard-amd64:v1.10.1
  2. docker tag  loveone/kubernetes-dashboard-amd64:v1.10.1 harbor.zq.com/public/dashboard:v1.10.1
  3. docker push harbor.zq.com/public/dashboard:v1.10.1

1.1.3 为何要两个版本的dashbosrd

  • 1.8.3版本授权不严格,方便学习使用
  • 1.10.1版本授权严格,学习使用麻烦,但生产需要

    1.2 创建dashboard资源配置清单

    1. mkdir -p /data/k8s-yaml/dashboard

    1.2.1 创建rbca授权清单

    ``` cat >/data/k8s-yaml/dashboard/rbac.yaml <<EOF apiVersion: v1 kind: ServiceAccount metadata: labels: k8s-app: kubernetes-dashboard addonmanager.kubernetes.io/mode: Reconcile name: kubernetes-dashboard-admin namespace: kube-system

apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kubernetes-dashboard-admin namespace: kube-system labels: k8s-app: kubernetes-dashboard addonmanager.kubernetes.io/mode: Reconcile roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects:

  • kind: ServiceAccount name: kubernetes-dashboard-admin namespace: kube-system EOF
    1. <a name="b489a8bf"></a>
    2. #### 1.2.2 创建depoloy清单
    cat >/data/k8s-yaml/dashboard/dp.yaml <<EOF apiVersion: apps/v1 kind: Deployment metadata: name: kubernetes-dashboard namespace: kube-system labels: k8s-app: kubernetes-dashboard kubernetes.io/cluster-service: “true” addonmanager.kubernetes.io/mode: Reconcile spec: selector: matchLabels:
    1. k8s-app: kubernetes-dashboard
    template: metadata:
    1. labels:
    2.   k8s-app: kubernetes-dashboard
    3. annotations:
    4.   scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
    1. priorityClassName: system-cluster-critical
    2. containers:
    3. - name: kubernetes-dashboard
    4.   image: harbor.zq.com/public/dashboard:v1.8.3
    5.   resources:
    6.     limits:
    7.       cpu: 100m
    8.       memory: 300Mi
    9.     requests:
    10.       cpu: 50m
    11.       memory: 100Mi
    12.   ports:
    13.   - containerPort: 8443
    14.     protocol: TCP
    15.   args:
    16.     # PLATFORM-SPECIFIC ARGS HERE
    17.     - --auto-generate-certificates
    18.   volumeMounts:
    19.   - name: tmp-volume
    20.     mountPath: /tmp
    21.   livenessProbe:
    22.     httpGet:
    23.       scheme: HTTPS
    24.       path: /
    25.       port: 8443
    26.     initialDelaySeconds: 30
    27.     timeoutSeconds: 30
    28. volumes:
    29. - name: tmp-volume
    30.   emptyDir: {}
    31. serviceAccountName: kubernetes-dashboard-admin
    32. tolerations:
    33. - key: "CriticalAddonsOnly"
    34.   operator: "Exists"
    EOF
    1. <a name="3e76594f"></a>
    2. #### 1.2.3 创建service清单
    cat >/data/k8s-yaml/dashboard/svc.yaml <<EOF apiVersion: v1 kind: Service metadata: name: kubernetes-dashboard namespace: kube-system labels: k8s-app: kubernetes-dashboard kubernetes.io/cluster-service: “true” addonmanager.kubernetes.io/mode: Reconcile spec: selector: k8s-app: kubernetes-dashboard ports:
    • port: 443 targetPort: 8443 EOF
      1. <a name="ca0a197e"></a>
      2. #### 1.2.4 创建ingress清单暴露服务
      cat >/data/k8s-yaml/dashboard/ingress.yaml <<EOF apiVersion: extensions/v1beta1 kind: Ingress metadata: name: kubernetes-dashboard namespace: kube-system annotations: kubernetes.io/ingress.class: traefik spec: rules:
    • host: dashboard.zq.com http: paths:
      • backend: serviceName: kubernetes-dashboard servicePort: 443 EOF
        1. <a name="5ed77bfd"></a>
        2. ### 1.3 创建相关资源
        3. <a name="a5b88012"></a>
        4. #### 1.3.1 在任意node上创建
        kubectl create -f http://k8s-yaml.zq.com/dashboard/rbac.yaml kubectl create -f http://k8s-yaml.zq.com/dashboard/dp.yaml kubectl create -f http://k8s-yaml.zq.com/dashboard/svc.yaml kubectl create -f http://k8s-yaml.zq.com/dashboard/ingress.yaml
        1. <a name="9fddd652"></a>
        2. #### 1.3.2 添加域名解析
        vi /var/named/zq.com.zone dashboard A 10.4.7.10

        注意前滚serial编号

        systemctl restart named
        1. <a name="b04200cc"></a>
        2. #### 1.3.3 通过浏览器验证
        3. 在本机浏览器上访问`[http://dashboard.zq.com](http://dashboard.zq.com)`,如果出来web界面,表示部署成功<br />可以看到安装1.8版本的dashboard,默认是可以跳过验证的:<br />![](https://cdn.nlark.com/yuque/0/2020/png/2511954/1601204047384-94dc3835-a308-4cea-85a2-b5ceff9a42c9.png#align=left&display=inline&height=427&margin=%5Bobject%20Object%5D&originHeight=427&originWidth=987&size=0&status=done&style=none&width=987)
        4. <a name="05ed4213"></a>
        5. ## 2 升级dashboard版本
        6. 跳过登录是不科学的,因为我们在配置dashboard的rbac权限时,绑定的角色是system:admin,这个是集群管理员的角色,权限很大,如果任何人都可跳过登录直接使用,那你就等着背锅吧
        7. <a name="9c9662bf"></a>
        8. ### 2.1 把版本换成1.10以上版本
        9. 在前面我们已经同时下载了1.10.1版本的docker镜像
        10. <a name="0ff2a3f5"></a>
        11. #### 2.1.1 在线修改直接使用
        kubectl edit deploy kubernetes-dashboard -n kube-system
        1. <a name="177f876e"></a>
        2. #### 2.2.2 等待滚动发布
        [root@hdss7-21 ~]# kubectl -n kube-system get pod|grep dashboard kubernetes-dashboard-5bccc5946b-vgk5n 1/1 Running 0 20s kubernetes-dashboard-b75bfb487-h7zft 0/1 Terminating 0 2m27s [root@hdss7-21 ~]# kubectl -n kube-system get pod|grep dashboard kubernetes-dashboard-5bccc5946b-vgk5n 1/1 Running 0 52s
        1. <a name="c033f915"></a>
        2. #### 2.2.3 刷新dashboard页面:
        3. ![](https://cdn.nlark.com/yuque/0/2020/png/2511954/1601204047500-c1ac6c4c-07b5-4209-a821-9a217a7ffa63.png#align=left&display=inline&height=510&margin=%5Bobject%20Object%5D&originHeight=510&originWidth=1038&size=0&status=done&style=none&width=1038)<br />可以看到这里原来的skip跳过已经没有了,我们如果想登陆,必须输入token,那我们如何获取token呢:
        4. <a name="1d78678f"></a>
        5. ### 2.2 使用token登录
        6. <a name="cb6a5d95"></a>
        7. #### 2.2.1 首先获取`secret`资源列表
        kubectl get secret -n kube-system
        1. ![](https://cdn.nlark.com/yuque/0/2020/png/2511954/1601204047326-4c00405b-d778-4d37-b19e-7d1c5e2d8aa5.png#align=left&display=inline&height=138&margin=%5Bobject%20Object%5D&originHeight=138&originWidth=843&size=0&status=done&style=none&width=843)
        2. <a name="686c4dcf"></a>
        3. #### 2.2.2 获取角色的详情
        4. 列表中有很多角色,不同到角色有不同的权限,找到想要的角色`dashboard-admin`后,再用describe命令获取详情
        kubectl -n kube-system describe secrets kubernetes-dashboard-admin-token-85gmd
        1. ![](https://cdn.nlark.com/yuque/0/2020/png/2511954/1601204047339-9035a2fe-7c4b-4f65-9399-707aecde4b33.png#align=left&display=inline&height=440&margin=%5Bobject%20Object%5D&originHeight=440&originWidth=935&size=0&status=done&style=none&width=935)<br />找到详情中的token字段,就是我们需要用来登录的东西<br />拿到token去尝试登录,发现仍然登录不了,因为必须使用https登录,所以需要申请证书
        2. <a name="e729a450"></a>
        3. #### 2.2.3 申请证书
        4. 申请证书在`7.200`主机上<br />**创建json文件:**
        cd /opt/certs/ cat >/opt/certs/dashboard-csr.json <<EOF { “CN”: “*.zq.com”, “hosts”: [ ], “key”: { “algo”: “rsa”, “size”: 2048 }, “names”: [ {
        1. "C": "CN",
        2. "ST": "beijing",
        3. "L": "beijing",
        4. "O": "zq",
        5. "OU": "ops"
        } ] } EOF
        1. **申请证书**
        cfssl gencert -ca=ca.pem \ -ca-key=ca-key.pem \ -config=ca-config.json \ -profile=server \ dashboard-csr.json |cfssl-json -bare dashboard
        1. **查看申请的证书**
        [root@hdss7-200 certs]# ll |grep dash -rw-r—r— 1 root root 993 May 4 12:08 dashboard.csr -rw-r—r— 1 root root 280 May 4 12:08 dashboard-csr.json -rw———- 1 root root 1675 May 4 12:08 dashboard-key.pem -rw-r—r— 1 root root 1359 May 4 12:08 dashboard.pem
        1. <a name="0488ba6d"></a>
        2. #### 2.2.4 前端nginx服务部署证书
        3. 在`7.11`,`7.12`两个前端代理上,都做相同操作<br />**拷贝证书:**
        mkdir /etc/nginx/certs scp 10.4.7.200:/opt/certs/dashboard.pem /etc/nginx/certs scp 10.4.7.200:/opt/certs/dashboard-key.pem /etc/nginx/certs
        1. **创建nginx配置**
        cat >/etc/nginx/conf.d/dashboard.zq.com.conf <<’EOF’ server { listen 80; server_name dashboard.zq.com; rewrite ^(.*)$ https://${server_name}$1 permanent; } server { listen 443 ssl; server_name dashboard.zq.com; ssl_certificate “certs/dashboard.pem”; ssl_certificate_key “certs/dashboard-key.pem”; ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; location / { proxy_pass http://default_backend_traefik; proxy_set_header Host $http_host; proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for; } } EOF
        1. **重启nginx服务**
        nginx -t nginx -s reload ```

        2.2.5 再次登录dashboard

        刷新页面后,再次使用前面的token登录,可以成功登录进去了
        K8S(06)web管理方式-dashboard - 图1

        2.3 授权细则思考

        登录是登录了,但是我们要思考一个问题,我们使用rbac授权来访问dashboard,如何做到权限精细化呢?比如开发,只能看,不能摸,不同的项目组,看到的资源应该是不一样的,测试看到的应该是测试相关的资源

转载自cnblog:https://www.cnblogs.com/noah-luo/p/13345229.html