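Background

Because of network problems inside China, the required images will most likely fail to download normally.

Solution

Download the manifest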

https://raw.githubusercontent.com/kubernetes/dashboard/v2.5.1/aio/deploy/recommended.yaml

Default images

[root@cka-master dashboard]# cat kubernetes-recommended.yaml |grep image
image: kubernetesui/dashboard:v2.5.1
imagePullPolicy: Always
image: kubernetesui/metrics-scraper:v1.0.7
[root@cka-master dashboard]#

To make the later installation go more smoothly, pull the required images on all nodes in advance.

[root@cka-master dashboard]# docker pull kubernetesui/dashboard:v2.5.1

v2.5.1: Pulling from kubernetesui/dashboard
d1d01ae59b08: Pull complete 
a25bff2a339f: Pull complete 
Digest: sha256:cc746e7a0b1eec0db01cbabbb6386b23d7af97e79fa9e36bb883a95b7eb96fe2
Status: Downloaded newer image for kubernetesui/dashboard:v2.5.1
docker.io/kubernetesui/dashboard:v2.5.1
[root@cka-master dashboard]# 
[root@cka-master dashboard]# docker pull kubernetesui/metrics-scraper:v1.0.7
v1.0.7: Pulling from kubernetesui/metrics-scraper
18dd5eddb60d: Pull complete 
1930c20668a8: Pull complete 
Digest: sha256:36d5b3f60e1a144cc5ada820910535074bdf5cf73fb70d1ff1681537eef4e172
Status: Downloaded newer image for kubernetesui/metrics-scraper:v1.0.7
docker.io/kubernetesui/metrics-scraper:v1.0.7
[root@cka-master dashboard]#

Apply the configuration

[root@cka-master dashboard]# kubectl apply -f kubernetes-recommended.yaml 
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created
[root@cka-master dashboard]#

View the resources

[root@cka-master dashboard]# kubectl get ns
NAME                   STATUS   AGE
default                Active   35h
kube-node-lease        Active   35h
kube-public            Active   35h
kube-system            Active   35h
kubernetes-dashboard   Active   3m34s
[root@cka-master dashboard]# 
[root@cka-master dashboard]# kubectl get svc -n kubernetes-dashboard
NAME                        TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
dashboard-metrics-scraper   ClusterIP   10.96.194.186   <none>        8000/TCP   4m29s
kubernetes-dashboard        ClusterIP   10.96.164.75    <none>        443/TCP    4m30s
[root@cka-master dashboard]#
[root@cka-master dashboard]# kubectl get pod -n kubernetes-dashboard
NAME                                        READY   STATUS    RESTARTS   AGE
dashboard-metrics-scraper-c45b7869d-p5jkh   1/1     Running   0          5m2s
kubernetes-dashboard-79b5779bf4-d8swb       1/1     Running   0          5m2s
[root@cka-master dashboard]#

Node port

By default the Service type is ClusterIP; change it to NodePort for easier access.

[root@cka-master dashboard]# kubectl edit svc kubernetes-dashboard  -n kubernetes-dashboard
service/kubernetes-dashboard edited

The default editor is vim; save and quit with :wq.

Under the spec node, change type: ClusterIP to type: NodePort.

Check the node port; it is 31866.

[root@cka-master dashboard]# kubectl get svc -n kubernetes-dashboard
NAME                        TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
dashboard-metrics-scraper   ClusterIP   10.96.194.186   <none>        8000/TCP        13m
kubernetes-dashboard        NodePort    10.96.164.75    <none>        443:31866/TCP   13m
[root@cka-master dashboard]#

Access the dashboard

Open a browser and visit: https://192.168.184.128:31866/

Get the token

View the Secrets

[root@cka-master dashboard]# kubectl get secret -n kubernetes-dashboard
NAME                               TYPE                                  DATA   AGE
default-token-d78wj                kubernetes.io/service-account-token   3      22m
kubernetes-dashboard-certs         Opaque                                0      22m
kubernetes-dashboard-csrf          Opaque                                1      22m
kubernetes-dashboard-key-holder    Opaque                                2      22m
kubernetes-dashboard-token-nkpcj   kubernetes.io/service-account-token   3      22m
[root@cka-master dashboard]#

default-token-d78wj is the namespace's default secret.

[root@cka-master dashboard]# kubectl describe secrets kubernetes-dashboard-token-nkpcj -n kubernetes-dashboard
Name:         kubernetes-dashboard-token-nkpcj
Namespace:    kubernetes-dashboard
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: kubernetes-dashboard
              kubernetes.io/service-account.uid: 322764e6-8734-4774-9f6e-e2e1039a280c

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1099 bytes
namespace:  20 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6InV1N3FiZC04UDRIa1dWRW43S05fNEhpbXNzQ05Vb3JVQ0VVVGhCeGVfb28ifQ.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.2GiB8c-xgQljWscGUp_kOf2apQBX3QKJwgJxN6ugdVUgkKDJQiQQHHADUdSg1XlwV8JbfwtSL-q7rrNdESH7DdiODKF4Q1jeG_hA99LWLtSazFfZlggxzgZEshsJ4JrY5VhIGDe-yrNyieBRifx5oHBCpGpoWV7oN5wXRqcTfXasELz6P0QTprnrYIUQUD1-RACwHslKh-RTavazZq9e_sS6MX2ifxyGeEHQwzVH_R-qX9B2JQn6ophN2P9vPjTxiMqCYiY1wVXWs4V8Nn_0yRzTsZu3Hz-__3Wy_22kReaQMACHngnCWWmdVZcOxnLVmhXT8qJpad7m07ZnbBBJiw
[root@cka-master dashboard]#

Save the token

Copy the value of the token: field from the output above; it is entered on the login page in the next step.

Log in with the token

In the browser, visit https://192.168.184.128:31866/#/login and enter the token.

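Elevate permissions

After logging in with the default setup, error messages appear in the upper-right corner.
Switching namespaces shows that not all namespaces are listed.
In the manifest, the kubernetes-dashboard Deployment section sets serviceAccountName: kubernetes-dashboard. The command below binds that service account to the cluster-admin ClusterRole.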

[root@cka-master dashboard]# kubectl create clusterrolebinding kubernetes-dashboard-clusterbingding --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:kubernetes-dashboard
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-clusterbingding created
[root@cka-master dashboard]#

The permissions now work as expected.
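
The binding created above gives the kubernetes-dashboard service account, and so anyone holding its token, the cluster-admin role across the whole cluster. As an added example (not part of the original post), this Python function lists ClusterRoleBindings that grant cluster-admin to service accounts; the function name and the sample data are constructed for illustration.

```python
import json

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`.
# Only "kubernetes-dashboard-clusterbingding" mirrors the binding created above.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "kubernetes-dashboard"},
     "roleRef": {"kind": "ClusterRole", "name": "kubernetes-dashboard"},
     "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                   "namespace": "kubernetes-dashboard"}]},
    {"metadata": {"name": "kubernetes-dashboard-clusterbingding"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                   "namespace": "kubernetes-dashboard"}]},
    {"metadata": {"name": "all-dev-sa-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts:dev"}]},
    {"metadata": {"name": "no-subjects"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": None},
]})

SA_GROUP = "system:serviceaccounts"  # group that contains every service account

def admin_service_accounts(bindings_json, role="cluster-admin"):
    """Return sorted (binding, subject) pairs where a ClusterRoleBinding
    grants `role` to a service account or to a service-account group."""
    hits = []
    for item in json.loads(bindings_json).get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        for s in item.get("subjects") or []:  # subjects may be missing or null
            kind, name = s.get("kind"), s.get("name", "")
            if kind == "ServiceAccount":
                subject = f"system:serviceaccount:{s.get('namespace', '')}:{name}"
            elif kind == "Group" and (name == SA_GROUP or name.startswith(SA_GROUP + ":")):
                subject = name
            else:
                continue  # users and other groups are out of scope here
            hits.append((item["metadata"]["name"], subject))
    return sorted(hits)

if __name__ == "__main__":
    for binding, subject in admin_service_accounts(SAMPLE):
        print(f"{binding}: cluster-admin -> {subject}")
```

On a real cluster, pass the function the output of `kubectl get clusterrolebindings -o json` instead of the sample.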

Related files

kubernetes-recommended.v2.5.1.yaml