安装版本信息
k8s v1.15.4

  1. # kubeadm version -o short
  2. v1.15.4

查看镜像信息
dashboard 是1.10.1

  1. # kubectl get pod kubernetes-dashboard-7dffbd5994-7zn2v -n kube-system -o yaml|grep image
  2.     image: registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
  3.     imagePullPolicy: IfNotPresent
  4.     image: registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
  5.     imageID: docker-pullable://registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64@sha256:0ae6b69432e78069c5ce2bcde0fe409c5c4d6f0f4d9cd50a17974fea38898747

在Dashboard v1.10.1 和k8s 1.16.1无法使用
https://github.com/kubernetes/dashboard/issues/4401

查看当前pod

  1. # kubectl get pods --all-namespaces
  2. NAMESPACE     NAME                                   READY   STATUS    RESTARTS   AGE
  3. kube-system   coredns-bccdc95cf-smmxq                1/1     Running   0          7m5s
  4. kube-system   coredns-bccdc95cf-wlr8b                1/1     Running   0          7m5s
  5. kube-system   etcd-k8s-master01                      1/1     Running   0          6m11s
  6. kube-system   kube-apiserver-k8s-master01            1/1     Running   0          6m5s
  7. kube-system   kube-controller-manager-k8s-master01   1/1     Running   0          6m15s
  8. kube-system   kube-flannel-ds-amd64-rld8p            1/1     Running   0          5m50s
  9. kube-system   kube-proxy-lpr6h                       1/1     Running   0          7m5s
  10. kube-system   kube-scheduler-k8s-master01            1/1     Running   0          5m57s

由于yaml配置文件中指定镜像从google拉取,先下载yaml文件到本地,修改配置从阿里云仓库拉取镜像。

  1. $wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml

修改yaml配置文件image部分,指定镜像从阿里云镜像仓库拉取:

  1. [centos@k8s-master ~]$ vi kubernetes-dashboard.yaml
  2. ......
  3. containers:
  4.      - name: kubernetes-dashboard
  5.        #image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
  6.        image: registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
  7.        ports:
  8. ......

修改成NodePort的网络

  1. kind: Service
  2. apiVersion: v1
  3. metadata:
  4.   labels:
  5.     k8s-app: kubernetes-dashboard
  6.   name: kubernetes-dashboard
  7.   namespace: kube-system
  8. spec:
  9.   # 添加Service的type为NodePort
  10.   type: NodePort
  11.   ports:
  12.     - port: 443
  13.       targetPort: 8443
  14.       # 添加映射到虚拟机的端口,k8s只支持30000以上的端口
  15.       nodePort: 32288
  16.   selector:
  17.     k8s-app: kubernetes-dashboard

最终文件

  1. # Copyright 2017 The Kubernetes Authors.
  2. #
  3. # Licensed under the Apache License, Version 2.0 (the "License");
  4. # you may not use this file except in compliance with the License.
  5. # You may obtain a copy of the License at
  6. #
  7. #     http://www.apache.org/licenses/LICENSE-2.0
  8. #
  9. # Unless required by applicable law or agreed to in writing, software
  10. # distributed under the License is distributed on an "AS IS" BASIS,
  11. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. # See the License for the specific language governing permissions and
  13. # limitations under the License.
  15. # ------------------- Dashboard Secret ------------------- #
  17. apiVersion: v1
  18. kind: Secret
  19. metadata:
  20.   labels:
  21.     k8s-app: kubernetes-dashboard
  22.   name: kubernetes-dashboard-certs
  23.   namespace: kube-system
  24. type: Opaque
  26. ---
  27. # ------------------- Dashboard Service Account ------------------- #
  29. apiVersion: v1
  30. kind: ServiceAccount
  31. metadata:
  32.   labels:
  33.     k8s-app: kubernetes-dashboard
  34.   name: kubernetes-dashboard
  35.   namespace: kube-system
  37. ---
  38. # ------------------- Dashboard Role & Role Binding ------------------- #
  40. kind: Role
  41. apiVersion: rbac.authorization.k8s.io/v1
  42. metadata:
  43.   name: kubernetes-dashboard-minimal
  44.   namespace: kube-system
  45. rules:
  46.   # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
  47. - apiGroups: [""]
  48.   resources: ["secrets"]
  49.   verbs: ["create"]
  50.   # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
  51. - apiGroups: [""]
  52.   resources: ["configmaps"]
  53.   verbs: ["create"]
  54.   # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  55. - apiGroups: [""]
  56.   resources: ["secrets"]
  57.   resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  58.   verbs: ["get", "update", "delete"]
  59.   # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  60. - apiGroups: [""]
  61.   resources: ["configmaps"]
  62.   resourceNames: ["kubernetes-dashboard-settings"]
  63.   verbs: ["get", "update"]
  64.   # Allow Dashboard to get metrics from heapster.
  65. - apiGroups: [""]
  66.   resources: ["services"]
  67.   resourceNames: ["heapster"]
  68.   verbs: ["proxy"]
  69. - apiGroups: [""]
  70.   resources: ["services/proxy"]
  71.   resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  72.   verbs: ["get"]
  74. ---
  75. apiVersion: rbac.authorization.k8s.io/v1
  76. kind: RoleBinding
  77. metadata:
  78.   name: kubernetes-dashboard-minimal
  79.   namespace: kube-system
  80. roleRef:
  81.   apiGroup: rbac.authorization.k8s.io
  82.   kind: Role
  83.   name: kubernetes-dashboard-minimal
  84. subjects:
  85. - kind: ServiceAccount
  86.   name: kubernetes-dashboard
  87.   namespace: kube-system
  89. ---
  90. # ------------------- Dashboard Deployment ------------------- #
  92. kind: Deployment
  93. apiVersion: apps/v1
  94. metadata:
  95.   labels:
  96.     k8s-app: kubernetes-dashboard
  97.   name: kubernetes-dashboard
  98.   namespace: kube-system
  99. spec:
  100.   replicas: 1
  101.   revisionHistoryLimit: 10
  102.   selector:
  103.     matchLabels:
  104.       k8s-app: kubernetes-dashboard
  105.   template:
  106.     metadata:
  107.       labels:
  108.         k8s-app: kubernetes-dashboard
  109.     spec:
  110.       nodeName: k8s-master01
  111.       containers:
  112.       - name: kubernetes-dashboard
  113.         image: registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
  114.         ports:
  115.         - containerPort: 8443
  116.           protocol: TCP
  117.         args:
  118.           - --auto-generate-certificates
  119.           # Uncomment the following line to manually specify Kubernetes API server Host
  120.           # If not specified, Dashboard will attempt to auto discover the API server and connect
  121.           # to it. Uncomment only if the default does not work.
  122.           # - --apiserver-host=http://my-address:port
  123.         volumeMounts:
  124.         - name: kubernetes-dashboard-certs
  125.           mountPath: /certs
  126.           # Create on-disk volume to store exec logs
  127.         - mountPath: /tmp
  128.           name: tmp-volume
  129.         livenessProbe:
  130.           httpGet:
  131.             scheme: HTTPS
  132.             path: /
  133.             port: 8443
  134.           initialDelaySeconds: 30
  135.           timeoutSeconds: 30
  136.       volumes:
  137.       - name: kubernetes-dashboard-certs
  138.         secret:
  139.           secretName: kubernetes-dashboard-certs
  140.       - name: tmp-volume
  141.         emptyDir: {}
  142.       serviceAccountName: kubernetes-dashboard
  143.       # Comment the following tolerations if Dashboard must not be deployed on master
  144.       #tolerations:
  145.       #- key: node-role.kubernetes.io/master
  146.        # effect: NoSchedule
  148. ---
  149. # ------------------- Dashboard Service ------------------- #
  151. kind: Service
  152. apiVersion: v1
  153. metadata:
  154.   labels:
  155.     k8s-app: kubernetes-dashboard
  156.   name: kubernetes-dashboard
  157.   namespace: kube-system
  158. spec:
  159.   type: NodePort  
  160.   ports:
  161.     - port: 443
  162.       targetPort: 8443
  163.       nodePort: 32288
  164.   selector:
  165.     k8s-app: kubernetes-dashboard

然后执行以下命令部署dashboard服务:

  1. ]# kubectl apply -f kubernetes-dashboard.yaml 
  2. secret/kubernetes-dashboard-certs created
  3. serviceaccount/kubernetes-dashboard created
  4. role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
  5. rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
  6. deployment.apps/kubernetes-dashboard created
  7. service/kubernetes-dashboard created

查看kubernetes-dashboar 是否运行成功

  1. # kubectl get pods -n kube-system
  2. NAME                                    READY   STATUS    RESTARTS   AGE
  3. coredns-bccdc95cf-smmxq                 1/1     Running   0          9m15s
  4. coredns-bccdc95cf-wlr8b                 1/1     Running   0          9m15s
  5. etcd-k8s-master01                       1/1     Running   0          8m21s
  6. kube-apiserver-k8s-master01             1/1     Running   0          8m15s
  7. kube-controller-manager-k8s-master01    1/1     Running   0          8m25s
  8. kube-flannel-ds-amd64-rld8p             1/1     Running   0          8m
  9. kube-proxy-lpr6h                        1/1     Running   0          9m15s
  10. kube-scheduler-k8s-master01             1/1     Running   0          8m7s
  11. kubernetes-dashboard-7dffbd5994-7zn2v   1/1     Running   0          30

使用token 创建登录用户权限文件
https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md

  1. apiVersion: rbac.authorization.k8s.io/v1
  2. kind: ClusterRoleBinding
  3. metadata:
  4.   name: admin-user
  5. roleRef:
  6.   apiGroup: rbac.authorization.k8s.io
  7.   kind: ClusterRole
  8.   name: cluster-admin
  9. subjects:
  10. - kind: ServiceAccount
  11.   name: admin-user
  12.   namespace: kube-system
  14. ---
  15. apiVersion: v1
  16. kind: ServiceAccount
  17. metadata:
  18.   name: admin-user
  19.   namespace: kube-system

运行

  1. # kubectl apply -f dashboard-adminuser.yaml
  2. clusterrolebinding.rbac.authorization.k8s.io/admin-user configured
  3. serviceaccount/admin-user created

获取token

  1. kubectl describe secret $(kubectl get secret -nkube-system |grep admin|awk '{print $1}') -nkube-system
  1. # kubectl describe secret/$(kubectl get secret -nkube-system |grep admin|awk '{print $1}') -nkube-system
  2. Name:         admin-token-5fhzc
  3. Namespace:    kube-system
  4. Labels:       <none>
  5. Annotations:  kubernetes.io/service-account.name: admin
  6.               kubernetes.io/service-account.uid: d8ea8268-4f2c-4134-85ea-4b8e1527e9e6
  8. Type:  kubernetes.io/service-account-token
  10. Data
  11. ====
  12. ca.crt:     1025 bytes
  13. namespace:  11 bytes
  14. token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi01Zmh6YyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImQ4ZWE4MjY4LTRmMmMtNDEzNC04NWVhLTRiOGUxNTI3ZTllNiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.A4_b3g3r9jaEGHmERA2ufizs_nRVKyi2WAeaz5iQdDDNwXb9-1shQevsx8KjvI5BAdeFPMLLqduS97PEYHkrWQB9SmNd6b0KHIfc8jswC7g6dHYpNx-2Q0QeGrll6oeP37LSdWqehQxA_7QDn7hiz86amsAi6hm6natvOyfZoHgjXo1RaJ0zs6VVrS_ftkywQi_NrdwKx2cvv1tVKEXge6cepQzyGc7zXNVWELxywjL34gsIwne3RbS3TNx2nPIRNeJm8FAjhvaU9LBLCrYYCEWZZzugTIV3j0TGh4U7aThonFPGBjvbhVll_-YpC0GkanVZOSj0h1iUFM_AtmRgk

主要是https 例如我本地的地址是https://172.17.245.18:32288/#!/login
图片.png
选择:高级——接收风险并继续

图片.png

参考文章

https://blog.csdn.net/networken/article/details/85607593