1. 必要工具准备

1.1 下载部署dashboard 需要的yaml文件

  1. wget https://github.com/kubernetes/dashboard/blob/v2.0.0/aio/deploy/recommended.yaml

也可以用这个文件:
recommended.yaml

1.2 制作证书

  1. vim create_cert.sh
  3. #!/bin/bash
  4. if [ $# -ne 4 ];then
  5.     echo "please user in: `basename $0` SECRET_NAME CERT_NAME DOMAIN NAMESPACE"
  6.     exit 1
  7. fi
  9. SECRET_NAME=$1
  10. CERT_NAME=$2
  11. DOMAIN=$3
  12. NAMESPACE=$4
  14. # TLS Secrets 
  15. openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout ${CERT_NAME}.key -out ${CERT_NAME}.crt -subj "/CN=${DOMAIN}/O=${DOMAIN}"
  17. # 创建 NAMESPACE
  18. kubectl get namespace |grep ${NAMESPACE}
  19. if [ $? -eq 0 ]; then
  20.      echo "[INFO] ${NAMESPACE} is already exists"
  21. else
  22.      kubectl create namespace ${NAMESPACE}
  23.      echo "[INFO] create ${NAMESPACE} success!"
  24. fi
  26. # 如果你使用--key --cert方式则创建的secret中data的默认2个文件名就是tls.key和tls.crt
  27. kubectl create secret generic ${SECRET_NAME} --from-file=${CERT_NAME}.crt --from-file=${CERT_NAME}.key -n ${NAMESPACE}

运行上面文件

  1. chmod 7 create_cert.sh
  2. ./create_cert.sh kubernetes-dashboard-certs dashboard dashboard.shiqi.cn kubernetes-dashboard
  3. Generating a 2048 bit RSA private key
  4. ........+++
  5. ....................................................+++
  6. writing new private key to 'dashboard.key'
  7. -----
  8. kubernetes-dashboard   Active   2m48s
  9. [INFO] kubernetes-dashboard is already exists
  10. secret/kubernetes-dashboard-certs created

1.3 修改配置文件

  1. [root@m]# vim ./recommended.yaml
  3. #将以下内容注释,因为要用我们自己生成的证书
  4. # ---
  5. #apiVersion: v1
  6. #kind: Secret
  7. #metadata:
  8. #  labels:
  9. #    k8s-app: kubernetes-dashboard
  10. #  name: kubernetes-dashboard-certs
  11. #  namespace: kubernetes-dashboard
  12. #type: Opaque
  13. ...
  14. # 修改启动参数,添加证书路径
  15. ...
  16. kind: Deployment
  17. apiVersion: apps/v1
  18. metadata:
  19. spec:
  20. ...
  21.     spec:
  22.       containers:
  23.         - name: kubernetes-dashboard
  24.           image: kubernetesui/dashboard:v2.0.3
  25.           imagePullPolicy: Always
  26.           ports:
  27.             - containerPort: 8443
  28.               protocol: TCP
  29.           command:                              # 新增
  30.             - /dashboard                        # 新增
  31.           args:
  32.             - --auto-generate-certificates
  33.             - --namespace=kubernetes-dashboard
  34.             - --token-ttl=3600                  # 新增
  35.             - --bind-address=0.0.0.0            # 新增
  36.             - --tls-cert-file=dashboard.crt     # 新增 
  37.             - --tls-key-file=dashboard.key      # 新增

kubectl apply -f recommended.yaml

1.4 创建 ingress 文件

  1. [root@uk8s-a ingress]# vim ingress-dashboard.yaml
  2. [root@uk8s-a ingress]# cat ingress-dashboard.yaml
  3. apiVersion: extensions/v1beta1
  4. kind: Ingress
  5. metadata:
  6.   name: ingress-dashboard
  7.   namespace: kubernetes-dashboard
  8.   annotations:
  9.     kubernetes.io/ingress.class: "nginx"
  10.     # 开启use-regex,启用path的正则匹配
  11.     nginx.ingress.kubernetes.io/use-regex: "true"
  12.     nginx.ingress.kubernetes.io/rewrite-target: /
  13.     nginx.ingress.kubernetes.io/ssl-redirect: "true"
  14.     nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  15. spec:
  16.   tls:
  17.   - hosts:
  18.     - dashboard.5179.top
  19.     secretName: kubernetes-dashboard-certs
  20.   rules:
  21.   - host: dashboard.5179.top
  22.     http:
  23.       paths:
  24.       - path: /
  25.         backend:
  26.           serviceName: kubernetes-dashboard
  27.           servicePort: 443

1.5 创建用户

  1. [root@m]# cat create-user.yaml
  2. ---
  3. apiVersion: v1
  4. kind: ServiceAccount
  5. metadata:
  6.   name: admin-user
  7.   namespace: kubernetes-dashboard
  9. ---
  10. apiVersion: rbac.authorization.k8s.io/v1
  11. kind: ClusterRoleBinding
  12. metadata:
  13.   name: admin-user
  14. roleRef:
  15.   apiGroup: rbac.authorization.k8s.io
  16.   kind: ClusterRole
  17.   name: cluster-admin
  18. subjects:
  19. - kind: ServiceAccount
  20.   name: admin-user
  21.   namespace: kubernetes-dashboard
  23. [root@m]# kubectl apply -f create-user.yaml
  24. serviceaccount/admin-user unchanged
  25. clusterrolebinding.rbac.authorization.k8s.io/admin-user unchanged

1.6 获取token

  1. [root@m]# cat get-user-token.sh
  2. #!/bin/bash
  4. USER=${1:-admin-user}
  6. kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep $USER | awk '{print $1}')
  8. # 执行一下脚本
  9. [root@uk8s-a web-ui]# bash get-user-token.sh
  10. Name:         admin-user-token-dhx6r
  11. Namespace:    kubernetes-dashboard
  12. Labels:       <none>
  13. Annotations:  kubernetes.io/service-account.name: admin-user
  14.               kubernetes.io/service-account.uid: 84583c60-2c95-4118-9158-6341962d917f
  16. Type:  kubernetes.io/service-account-token
  18. Data
  19. ====
  20. ca.crt:     1363 bytes
  21. namespace:  20 bytes
  22. token:      eyJhbGciOiJSUzI1NiIsImtpZCI6ImZlaXFTZERBdjhGLWwyZ0xLTzljaHdhSlJ1OWdfeTNDWU4wRzhuS3MyYTAifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLWRoeDZyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4NDU4M2M2MC0yYzk1LTQxMTgtOTE1OC02MzQxOTYyZDkxN2YiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6YWRtaW4tdXNlciJ9.tPgicyWaMDfN5GkLY8XX2S-jhS-pvNC6eNvZ1FCIgZi3quWQND_JASqUr4Y9nyzdFtt-Jog1QbBCRGOE1YMrc3CX27TZttsbJNgq_PqlSjJ8NpmQfUzL5EAaYEUk7bcTRsePrGpECLqih7OOMN1lXO3WYiMJLfeDvkSaUweuUQzSTGtdkzbjVmVY-DksejyXSO_DI_-DMa4lq8zTnegwywdNUkFu06J_DXTTZZIpyKBKvpKz0pny2JIS4x9rI6v4g4Ljw47U7GM30CkQeletagQ8tjXf8g2QTp7Puc9NIpK39u8H1SIqbEZCBtRTJEfLTibDXXnlNplZF5FQ5bms1g

1.7 宿主机上访问虚拟机

https://dashboard.shiqi.cn/#/persistentvolume?namespace=default
image.png

参见

安装 k8s-dashboard 并通过 ingress 暴露访问