[5.kubernetes的GUI资源管理插件-仪表盘]

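1.准备dashboard镜像

注：本文使用的 k8scn/、hexun/ 镜像来自 Docker Hub 上的第三方仓库，并非 dashboard 项目的官方发布仓库。推送到私有仓库之前应核对镜像摘要（digest）与可信来源一致，部署清单中也尽量按摘要而不是仅按标签引用镜像。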

  1. [root@k8s-60 harbor]# docker pull k8scn/kubernetes-dashboard-amd64:v1.8.3
  2. [root@k8s-60 harbor]# docker images|grep dashboard
  3. [root@k8s-60 harbor]# docker tag fcac9aa03fd6 harbor.od.com/public/dashboard:v1.8.3
  4. [root@k8s-60 harbor]# docker push harbor.od.com/public/dashboard:v1.8.3

2.创建资源配置清单

官方配置清单模板

  1. https://github.com/kubernetes/kubernetes/tree/master/cluster/addons/dashboard

在k8s-60.host.com上

  1. [root@k8s-60 harbor]# mkdir -p /data/k8s-yaml/dashboard && cd /data/k8s-yaml/dashboard

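rbac.yaml

注：下面的 ClusterRoleBinding 把 kubernetes-dashboard-admin 这个 ServiceAccount 绑定到 cluster-admin，而 dp.yaml 中的 dashboard 正是以该账号运行，因此 dashboard 自身拥有整个集群的最高权限。v1.8.3 的登录页允许跳过登录，跳过后即以该账号的权限操作集群，所以这份清单只适合隔离的实验环境。生产环境应改为绑定只包含所需权限的角色，并限制 dashboard 域名的访问来源。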

  1. [root@k8s-60 dashboard]# vi rbac.yaml
  2. apiVersion: v1
  3. kind: ServiceAccount
  4. metadata:
  5. labels:
  6. k8s-app: kubernetes-dashboard
  7. addonmanager.kubernetes.io/mode: Reconcile
  8. name: kubernetes-dashboard-admin
  9. namespace: kube-system
  10. ---
  11. apiVersion: rbac.authorization.k8s.io/v1
  12. kind: ClusterRoleBinding
  13. metadata:
  14. name: kubernetes-dashboard-admin
  15. namespace: kube-system
  16. labels:
  17. k8s-app: kubernetes-dashboard
  18. addonmanager.kubernetes.io/mode: Reconcile
  19. roleRef:
  20. apiGroup: rbac.authorization.k8s.io
  21. kind: ClusterRole
  22. name: cluster-admin
  23. subjects:
  24. - kind: ServiceAccount
  25. name: kubernetes-dashboard-admin
  26. namespace: kube-system

dp.yaml

  1. [root@k8s-60 dashboard]# vi dp.yaml
  2. apiVersion: apps/v1
  3. kind: Deployment
  4. metadata:
  5. name: kubernetes-dashboard
  6. namespace: kube-system
  7. labels:
  8. k8s-app: kubernetes-dashboard
  9. kubernetes.io/cluster-service: "true"
  10. addonmanager.kubernetes.io/mode: Reconcile
  11. spec:
  12. selector:
  13. matchLabels:
  14. k8s-app: kubernetes-dashboard
  15. template:
  16. metadata:
  17. labels:
  18. k8s-app: kubernetes-dashboard
  19. annotations:
  20. scheduler.alpha.kubernetes.io/critical-pod: ''
  21. spec:
  22. priorityClassName: system-cluster-critical
  23. containers:
  24. - name: kubernetes-dashboard
  25. image: harbor.od.com/public/dashboard:v1.8.3
  26. resources:
  27. limits:
  28. cpu: 100m
  29. memory: 300Mi
  30. requests:
  31. cpu: 50m
  32. memory: 100Mi
  33. ports:
  34. - containerPort: 8443
  35. protocol: TCP
  36. args:
  37. - --auto-generate-certificates
  38. volumeMounts:
  39. - name: tmp-volume
  40. mountPath: /tmp
  41. livenessProbe:
  42. httpGet:
  43. scheme: HTTPS
  44. path: /
  45. port: 8443
  46. initialDelaySeconds: 30
  47. timeoutSeconds: 30
  48. volumes:
  49. - name: tmp-volume
  50. emptyDir: {}
  51. serviceAccountName: kubernetes-dashboard-admin
  52. tolerations:
  53. - key: "CriticalAddonsOnly"
  54. operator: "Exists"

svc.yaml

  1. [root@k8s-60 dashboard]# vi svc.yaml
  2. apiVersion: v1
  3. kind: Service
  4. metadata:
  5. name: kubernetes-dashboard
  6. namespace: kube-system
  7. labels:
  8. k8s-app: kubernetes-dashboard
  9. kubernetes.io/cluster-service: "true"
  10. addonmanager.kubernetes.io/mode: Reconcile
  11. spec:
  12. selector:
  13. k8s-app: kubernetes-dashboard
  14. ports:
  15. - port: 443
  16. targetPort: 8443

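ingress.yaml

注：extensions/v1beta1 的 Ingress 自 Kubernetes 1.22 起不再提供，较新的集群需改用 networking.k8s.io/v1，其 backend 字段结构也有变化。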

  1. [root@k8s-60 dashboard]# vi ingress.yaml
  2. apiVersion: extensions/v1beta1
  3. kind: Ingress
  4. metadata:
  5. name: kubernetes-dashboard
  6. namespace: kube-system
  7. annotations:
  8. kubernetes.io/ingress.class: traefik
  9. spec:
  10. rules:
  11. - host: dashboard.od.com
  12. http:
  13. paths:
  14. - backend:
  15. serviceName: kubernetes-dashboard
  16. servicePort: 443

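3.应用资源配置清单

注：下面的清单（包括授予 cluster-admin 的 rbac.yaml）通过明文 HTTP 获取，kubectl 无法校验内容在传输途中或在 k8s-yaml.od.com 上是否被改动。建议为该站点启用 HTTPS，或先把文件取到本地核对后再 apply。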

  1. [root@k8s-40 ~]# kubectl apply -f http://k8s-yaml.od.com/dashboard/rbac.yaml
  2. [root@k8s-40 ~]# kubectl apply -f http://k8s-yaml.od.com/dashboard/dp.yaml
  3. [root@k8s-40 ~]# kubectl apply -f http://k8s-yaml.od.com/dashboard/svc.yaml
  4. [root@k8s-40 ~]# kubectl apply -f http://k8s-yaml.od.com/dashboard/ingress.yaml

4.查看创建的资源

  1. [root@k8s-40 ~]# kubectl get pods -n kube-system
  2. NAME READY STATUS RESTARTS AGE
  3. coredns-6b6c4f9648-8fzsf 1/1 Running 0 18m
  4. kubernetes-dashboard-76dcdb4677-67bwn 1/1 Running 0 21s
  5. traefik-ingress-96th7 1/1 Running 0 10m
  6. traefik-ingress-b6rkv 1/1 Running 0 10m
  7. [root@k8s-40 ~]# kubectl get svc -n kube-system
  8. NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
  9. coredns ClusterIP 10.96.0.2 <none> 53/UDP,53/TCP,9153/TCP 18m
  10. kubernetes-dashboard ClusterIP 10.96.3.196 <none> 443/TCP 30s
  11. traefik-ingress-service ClusterIP 10.96.1.198 <none> 80/TCP,8080/TCP 10m
  12. [root@k8s-40 ~]# kubectl get ingress -n kube-system
  13. NAME HOSTS ADDRESS PORTS AGE
  14. kubernetes-dashboard dashboard.od.com 80 31s
  15. traefik-web-ui traefik.od.com 80 10m

5.解析域名

  1. [root@k8s-20 conf.d]# vi /var/named/od.com.zone
  2. $ORIGIN od.com.
  3. $TTL 600 ; 10 minutes
  4. @ IN SOA dns.od.com. dnsadmin.od.com. (
  5. 2020042602 ; serial //前滚一个序列号
  6. 10800 ; refresh (3 hours)
  7. 900 ; retry (15 minutes)
  8. 604800 ; expire (1 week)
  9. 86400 ; minimum (1 day)
  10. )
  11. NS dns.od.com.
  12. $TTL 60 ; 1 minute
  13. dns A 192.168.10.20
  14. harbor A 192.168.10.60
  15. k8s-yaml A 192.168.10.60
  16. traefik A 192.168.10.10
  17. dashboard A 192.168.10.10
  18. [root@hdss7-11 conf.d]# systemctl restart named

6.浏览器访问

  1. http://dashboard.od.com/

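7.令牌命令行获取方式

先用第一条命令列出 secret，找到名称以 kubernetes-dashboard-admin-token- 开头的那一项，再把它的完整名称代入第二条命令（xxxxx 是随机后缀）。输出中的 token 是绑定了 cluster-admin 的 ServiceAccount 的持有者令牌，等同于集群管理员凭据，不要留在共享终端记录、截图或工单里。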

  1. kubectl get secret -n kube-system
  2. kubectl describe secret kubernetes-dashboard-admin-token-xxxxx -n kube-system

8.签发dashboard的证书

到运维主机上操作

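使用openssl签发

注：下面签出的证书只有 CN、没有 subjectAltName，现代浏览器只校验 SAN，会把这种证书判为无效。签发时可用 -extfile 指定包含 subjectAltName 的扩展文件。两条命令里的 CSR 文件名都写成了 dashboar.od.com.csr（少了一个 d），前后一致所以不影响执行。私钥复制到 nginx 主机后，同样应保持仅 root 可读。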

  1. [root@k8s-60 certs]# (umask 077; openssl genrsa -out dashboard.od.com.key 2048)
  2. [root@k8s-60 certs]# openssl req -new -key dashboard.od.com.key -out dashboar.od.com.csr -subj "/CN=dashboard.od.com/C=CN/ST=BJ/L=Beijing/O=daliuyuan/OU=ops"
  3. [root@k8s-60 certs]# openssl x509 -req -in dashboar.od.com.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out dashboard.od.com.crt -days 3650
  4. [root@k8s-60 certs]# cfssl-certinfo -cert dashboard.od.com.crt
  1. [root@k8s-20 ~]# cd /etc/nginx/
  2. [root@k8s-20 nginx]# mkdir certs
  3. [root@k8s-20 nginx]# cd certs/
  4. [root@k8s-20 certs]# scp k8s-60:/opt/certs/dashboard.od.com.crt .
  5. [root@k8s-20 certs]# scp k8s-60:/opt/certs/dashboard.od.com.key .
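  6. 加入nginx配置（该配置没有设置 ssl_protocols，实际启用的 TLS 版本取决于所用 nginx 版本的默认值，建议显式写明，例如 ssl_protocols TLSv1.2 TLSv1.3;；另外 proxy_pass 使用 http://，nginx 到 traefik 这一段是明文传输）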
  7. [root@k8s-20 certs]# cd ../conf.d/
  8. [root@k8s-20 conf.d]# vi dashboard.od.com.conf
  9. server {
  10. listen 80;
  11. server_name dashboard.od.com;
  12. rewrite ^(.*)$ https://${server_name}$1 permanent;
  13. }
  14. server {
  15. listen 443 ssl;
  16. server_name dashboard.od.com;
  17. ssl_certificate "certs/dashboard.od.com.crt";
  18. ssl_certificate_key "certs/dashboard.od.com.key";
  19. ssl_session_cache shared:SSL:1m;
  20. ssl_session_timeout 10m;
  21. ssl_ciphers HIGH:!aNULL:!MD5;
  22. ssl_prefer_server_ciphers on;
  23. location / {
  24. proxy_pass http://default_backend_traefik;
  25. proxy_set_header Host $http_host;
  26. proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
  27. }
  28. }
  29. [root@k8s-20 conf.d]# nginx -t
  30. [root@k8s-20 conf.d]# nginx -s reload

配置认证

  • 下载新版dashboard
  1. [root@k8s-60 ~]# docker pull hexun/kubernetes-dashboard-amd64:v1.10.1
  2. [root@k8s-60 ~]# docker tag f9aed6605b81 harbor.od.com/public/dashboard:v1.10.1
  3. [root@k8s-60 ~]# docker push harbor.od.com/public/dashboard:v1.10.1