(13) Kubernetes Dashboard

Reader contribution   251   2022-09-11


Dashboard overview

Dashboard is the Web GUI for Kubernetes. It can be used to deploy containerized applications onto a Kubernetes cluster, troubleshoot applications, and manage the cluster itself and its add-on resources. Typical uses are a quick overview of the cluster and its applications, creating or modifying individual resources (Deployment, Job, DaemonSet and so on), scaling a Deployment, starting a rolling update, restarting a Pod, or deploying an application through the deploy wizard. Authentication and authorization are both performed by the Kubernetes cluster: Dashboard itself is only a proxy, and every operation is forwarded to the API Server rather than carried out by Dashboard. It follows that a logged-in user can do exactly what the RBAC bindings of the presented credential allow, no more and no less; Dashboard adds no authorization layer of its own. Only two authentication methods are currently supported, a bearer token and a kubeconfig file, and the matching credential has to be prepared before logging in.

Deploying Dashboard

The manifest uses the image k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1, which is hosted abroad and cannot be pulled from here, so one of the following two mirrors can be used instead:

# docker pull mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1

or

# docker pull blwy/kubernetes-dashboard-amd64:v1.10.1

Keep in mind that a third-party mirror is an unverified copy: whoever controls it controls the code that will run with Dashboard's ServiceAccount token, so pin the image by digest and compare that digest with the upstream one wherever you can reach the upstream registry.

1) Download the manifest locally and edit the image it uses

[root@k8s-master ~]# wget    (the download URL is not preserved on the page)
[root@k8s-master ~]# vim kubernetes-dashboard.yaml
......
    spec:
      containers:
      - name: kubernetes-dashboard
        image: blwy/kubernetes-dashboard-amd64:v1.10.1   # change the image to one that can be pulled
        ports:
......

2) Deploy

[root@k8s-master ~]# kubectl apply -f kubernetes-dashboard.yaml
secret/kubernetes-dashboard-certs created
serviceaccount/kubernetes-dashboard created
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
deployment.apps/kubernetes-dashboard created
service/kubernetes-dashboard created
[root@k8s-master ~]# kubectl get pods -n kube-system
NAME                                 READY   STATUS    RESTARTS   AGE
coredns-bccdc95cf-9gsn8              1/1     Running   0          10d
coredns-bccdc95cf-x7m8g              1/1     Running   0          10d
etcd-k8s-master                      1/1     Running   0          10d
kube-apiserver-k8s-master            1/1     Running   0          10d
kube-controller-manager-k8s-master   1/1     Running   0          10d
kube-flannel-ds-amd64-gg55s          1/1     Running   0          10d
kube-flannel-ds-amd64-ssr7j          1/1     Running   5          10d
kube-flannel-ds-amd64-w6f9h          1/1     Running   4          10d
kube-proxy-77pbc                     1/1     Running   3          10d
kube-proxy-qs655                     1/1     Running   3          10d
kube-proxy-xffq4                     1/1     Running   0          10d
kube-scheduler-k8s-master            1/1     Running   0          10d
kubernetes-dashboard-d977fcf6-d25xz  1/1     Running   0          4s

3) Check the Service and change its type to NodePort

[root@k8s-master ~]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                  AGE
kube-dns               ClusterIP   10.96.0.10      <none>        53/UDP,53/TCP,9153/TCP   9d
kubernetes-dashboard   ClusterIP   10.99.151.238   <none>        443/TCP                  7m25s
# The type can be changed directly with a patch:
[root@k8s-master ~]# kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system
service/kubernetes-dashboard patched
[root@k8s-master ~]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                  AGE
kube-dns               ClusterIP   10.96.0.10      <none>        53/UDP,53/TCP,9153/TCP   9d
kubernetes-dashboard   NodePort    10.99.151.238   <none>        443:32058/TCP            8m45s
# Or edit the manifest and set the type to NodePort there:
[root@k8s-master ~]# vim kubernetes-dashboard.yaml
......
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  type: NodePort   # add the type NodePort here

A NodePort makes Dashboard reachable on port 32058 of every node's address, and with the cluster-admin token set up below that is a full-cluster login page on every node. Restrict that port at the network level, or leave the Service as ClusterIP and reach Dashboard through kubectl proxy from an administrator's machine instead.

Open it in a browser (the screenshot is not preserved here). Firefox is recommended, adding a security exception under the advanced options, because Chrome refuses access over the untrusted certificate. That certificate is a self-signed one Dashboard generates for itself; outside a lab, put a certificate your clients trust into the kubernetes-dashboard-certs Secret created above rather than teaching browsers to skip the warning, since every login sends a bearer token over that TLS session.

Token authentication

Cluster-level management operations need cluster administrator privileges. For example, the built-in cluster-admin ClusterRole carries every permission, so creating a ServiceAccount and binding it to that role completes the cluster administrator grant. A user who authenticates to Dashboard with that ServiceAccount's token then acts as a cluster administrator through the Dashboard interface. Be clear about what that means: on the Kubernetes release used here the token stored in the ServiceAccount's Secret never expires and stays valid until the ServiceAccount or the Secret is deleted, so it is a standing root credential for the whole cluster and should be guarded like one; hand out namespace-scoped accounts (next section) for routine work. As an example, the following creates a ServiceAccount named dashboard-admin and binds it to the cluster role:

1) Create the ServiceAccount

[root@k8s-master ~]# kubectl create serviceaccount dashboard-admin -n kube-system
serviceaccount/dashboard-admin created
[root@k8s-master ~]# kubectl get sa/dashboard-admin -n kube-system
NAME              SECRETS   AGE
dashboard-admin   1         15s

2) Create a ClusterRoleBinding that binds the cluster-admin role to the ServiceAccount (dashboard-admin)

[root@k8s-master ~]# kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
clusterrolebinding.rbac.authorization.k8s.io/dashboard-admin created
[root@k8s-master ~]# kubectl describe clusterrolebinding/dashboard-admin   # inspect the binding
Name:         dashboard-admin
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind            Name             Namespace
  ----            ----             ---------
  ServiceAccount  dashboard-admin  kube-system

3) Retrieve the token and log in with it

[root@k8s-master ~]# ADMIN_SECRET=$(kubectl -n kube-system get secret | awk '/^dashboard-admin/{print $1}')   # name of the Secret generated for the dashboard-admin ServiceAccount created above
[root@k8s-master ~]# kubectl describe secrets $ADMIN_SECRET -n kube-system | grep ^token   # the token stored in that Secret
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.<payload not preserved on the page>.xVHNDKiU7n8fvfN8_5RF3Z6Ppxl-ULk-zYfWywPktJ6mVgtgm4tnAX9_n8zpzHhff1tD4y04Ra7OKvnJTypkI78ELHqggrQxNLggfpbdrWnIif2qIqEbIv5Hay3s4UeOqU2p6Kex4v7UUVtdo781W4rNi7DP2yXKfV5YSTeu6ZMTQiMa3H-O6y-y4sH_ISi_UwiAtHALTJ_OX-j9BzsFIUBhryKnGbOK4ygVmlTA2tWFe8TDUI6xCTjEKSRId3iL_TpKg-uXc652JHnQPYH2ZErojWCbwGR6IqeRTH4kMlAfjvDIeDdT6sSNyjJONpgJQpdYtaGzQiHgE2CW2_q4zQ

Enter the token obtained above to log in.

Kubeconfig authentication

A kubeconfig is a carrier for authentication information: it can persistently store keys and certificates, or authentication tokens, as a user's credential configuration file. To show how to set up a login account that has administrative rights in one namespace only, this section creates a new ServiceAccount for managing the default namespace and binds it to the admin ClusterRole. The binding is a RoleBinding inside the default namespace, not a ClusterRoleBinding, which is what confines the ClusterRole's permissions to that namespace.

1) Create the ServiceAccount

[root@k8s-master ~]# kubectl create serviceaccount def-ns-admin -n default   # create the ServiceAccount def-ns-admin
serviceaccount/def-ns-admin created
[root@k8s-master ~]# kubectl get sa/def-ns-admin -n default   # check the ServiceAccount just created
NAME           SECRETS   AGE
def-ns-admin   1         19s

2) Create a RoleBinding that binds the ServiceAccount created above to the admin ClusterRole

[root@k8s-master ~]# kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin
rolebinding.rbac.authorization.k8s.io/def-ns-admin created
[root@k8s-master ~]# kubectl get secret | grep def-ns   # the Secret generated for the ServiceAccount
def-ns-admin-token-m2ct6   kubernetes.io/service-account-token   3      106s
[root@k8s-master ~]# kubectl describe secret/def-ns-admin-token-m2ct6   # details of that Secret
Name:         def-ns-admin-token-m2ct6
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: def-ns-admin
              kubernetes.io/service-account.uid: f824dbcd-d661-4776-993a-921042f7e196

Type:  kubernetes.io/service-account-token

Data
====
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1tMmN0NiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJmODI0ZGJjZC1kNjYxLTQ3NzYtOTkzYS05MjEwNDJmN2UxOTYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.U72TWqg3pd-zJgd0QsoYysbNm4rf8rPtEvNBDoVRpRnuX_NkJPtSniAdEIw-g_RjZXNhWHjOXOUmlQ1HwXu0FO3d_j0g6S3dX5BlEA4uPeNskgTH83T7g2BoI3XazAzLKtfGPUuOPk9F2IQQvp3m93x-D1BETOp4ga-R4CMQdVZBUl4XWqFpDxJ47pCsK_VrvP3g7LJpzJk9dnwr2i4-3ysLFwZ84x07Kbcw-1ED8jMh8LNpUGPnevpKntqwo9ghCDVN-oPdPGcXlvxrc9enDu_7gIb2H_fJbMWS_vH1pQX8SoYDhneW2gkVKg2RaW1QaF4TrcdUAabcCcfoqdiCxg
ca.crt:     1025 bytes

3) Initialize the cluster entry: the URL of the API Server and the CA certificate used to verify the API Server's certificate

[root@k8s-master ~]# kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --server="<API Server URL; value not preserved on the page>" --embed-certs=true --kubeconfig=/root/def-ns-admin.conf
Cluster "kubernetes" set.
[root@k8s-master ~]# kubectl config view --kubeconfig=/root/def-ns-admin.conf   # inspect the generated configuration file
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: <not preserved on the page>
  name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []

4) Retrieve the token of def-ns-admin and use it as the credential. The value read straight from the Secret is base64-encoded, so decode it with base64 -d

[root@k8s-master ~]# kubectl get secret -n default
NAME                       TYPE                                  DATA   AGE
admin-token-lc826          kubernetes.io/service-account-token   3      16d
def-ns-admin-token-m2ct6   kubernetes.io/service-account-token   3      12m
[root@k8s-master ~]# kubectl -n default get secret/def-ns-admin-token-m2ct6 -o jsonpath={.data.token} | base64 -d   # retrieve the token and decode it
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1tMmN0NiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJmODI0ZGJjZC1kNjYxLTQ3NzYtOTkzYS05MjEwNDJmN2UxOTYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.U72TWqg3pd-zJgd0QsoYysbNm4rf8rPtEvNBDoVRpRnuX_NkJPtSniAdEIw-g_RjZXNhWHjOXOUmlQ1HwXu0FO3d_j0g6S3dX5BlEA4uPeNskgTH83T7g2BoI3XazAzLKtfGPUuOPk9F2IQQvp3m93x-D1BETOp4ga-R4CMQdVZBUl4XWqFpDxJ47pCsK_VrvP3g7LJpzJk9dnwr2i4-3ysLFwZ84x07Kbcw-1ED8jMh8LNpUGPnevpKntqwo9ghCDVN-oPdPGcXlvxrc9enDu_7gIb2H_fJbMWS_vH1pQX8SoYDhneW2gkVKg2RaW1QaF4TrcdUAabcCcfoqdiCxg
[root@k8s-master ~]# DEFNS_ADMIN_TOKEN=$(kubectl -n default get secret/def-ns-admin-token-m2ct6 -o jsonpath={.data.token} | base64 -d)   # keep the token in a variable for the next command
[root@k8s-master ~]# kubectl config set-credentials def-ns-admin --token=$DEFNS_ADMIN_TOKEN --kubeconfig=/root/def-ns-admin.conf
User "def-ns-admin" set.

5) Set up the context list: define a context named def-ns-admin

[root@k8s-master ~]# kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin --kubeconfig=/root/def-ns-admin.conf
Context "def-ns-admin@kubernetes" created.

6) Finally, select the context def-ns-admin defined above as the one to use

[root@k8s-master ~]# kubectl config use-context def-ns-admin@kubernetes --kubeconfig=/root/def-ns-admin.conf
[root@k8s-master ~]# kubectl config view --kubeconfig=/root/def-ns-admin.conf   # inspect the final configuration file
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: <not preserved on the page>
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: def-ns-admin
  name: def-ns-admin@kubernetes
current-context: def-ns-admin@kubernetes
kind: Config
preferences: {}
users:
- name: def-ns-admin
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi1tMmN0NiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJmODI0ZGJjZC1kNjYxLTQ3NzYtOTkzYS05MjEwNDJmN2UxOTYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.U72TWqg3pd-zJgd0QsoYysbNm4rf8rPtEvNBDoVRpRnuX_NkJPtSniAdEIw-g_RjZXNhWHjOXOUmlQ1HwXu0FO3d_j0g6S3dX5BlEA4uPeNskgTH83T7g2BoI3XazAzLKtfGPUuOPk9F2IQQvp3m93x-D1BETOp4ga-R4CMQdVZBUl4XWqFpDxJ47pCsK_VrvP3g7LJpzJk9dnwr2i4-3ysLFwZ84x07Kbcw-1ED8jMh8LNpUGPnevpKntqwo9ghCDVN-oPdPGcXlvxrc9enDu_7gIb2H_fJbMWS_vH1pQX8SoYDhneW2gkVKg2RaW1QaF4TrcdUAabcCcfoqdiCxg

7) Copy this configuration file to the client and log in by loading it. The file contains the bearer token in clear text, so protect it like a password: keep it mode 0600 and transfer it only over an authenticated channel.

Testing shows that a user logged in as def-ns-admin can only see the contents of the default namespace, and can only manage resources in that namespace.
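Added example, not code from the original post and not Dashboard's own tooling: the shell script below does what steps 3) to 6) above do, but offline and with one check the procedure skips. Before the token is embedded it decodes the token's payload and refuses to continue unless the sub claim names the intended ServiceAccount, which guards against pasting the wrong Secret's token (for instance the cluster-admin one from the token section) into a file you then hand to a user. The cluster name, user name and file name follow the page; the server URL https://10.0.0.1:6443, the CA file and the sample token are constructed stand-ins, and the token's signature is a dummy, because only the API Server can verify a real one and this script inspects claims only.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): build a def-ns-admin-style
# kubeconfig offline and check the token before embedding it.
# Assumptions (hypothetical, not taken from the page): the API server URL
# https://10.0.0.1:6443, a CA file supplied by the caller, and a constructed
# sample token with a dummy signature; only claims are inspected here.
set -eu

# Base64url-encode stdin the way JWT segments are encoded:
# no line wrapping, no padding, '-' and '_' instead of '+' and '/'.
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }

# Decode segment $2 (0 = header, 1 = payload) of the JWT in $1. Padding is
# restored and the alphabet swapped back so plain base64 can decode it.
jwt_segment() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f"$(( $2 + 1 ))" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Extract string claim $2 from the payload of token $1. Legacy service-account
# token payloads are flat JSON, so a sed pattern is enough and jq is not needed.
jwt_claim() {
  jwt_segment "$1" 1 | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# Succeed only if the token's subject is the intended ServiceAccount. A token
# copied from the wrong Secret would otherwise be embedded silently and grant
# whatever that other account is bound to.
check_sa_token() {        # $1 = token, $2 = namespace, $3 = ServiceAccount name
  [ "$(jwt_claim "$1" sub)" = "system:serviceaccount:$2:$3" ]
}

# Write the kubeconfig that the set-cluster / set-credentials / set-context /
# use-context sequence produces, with the CA embedded. The file carries a
# bearer token, so it is made owner-readable before any content is written.
write_kubeconfig() {      # $1 = output path, $2 = cluster name, $3 = server URL,
                          # $4 = CA PEM file, $5 = user name, $6 = token
  local ca_b64
  ca_b64=$(base64 < "$4" | tr -d '\n')
  : > "$1"
  chmod 600 "$1"
  cat > "$1" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: $2
  cluster:
    server: $3
    certificate-authority-data: $ca_b64
users:
- name: $5
  user:
    token: $6
contexts:
- name: $5@$2
  context:
    cluster: $2
    user: $5
current-context: $5@$2
EOF
}

# --- constructed demo input (not from a real cluster) ---
# The claims follow the layout of a legacy service-account token.
DEMO_PAYLOAD='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","kubernetes.io/serviceaccount/service-account.name":"def-ns-admin","sub":"system:serviceaccount:default:def-ns-admin"}'
DEMO_TOKEN="$(printf '%s' '{"alg":"RS256","kid":""}' | b64url).$(printf '%s' "$DEMO_PAYLOAD" | b64url).bm90LWEtcmVhbC1zaWduYXR1cmU"

# Run the procedure end to end in a scratch directory and print the file path.
demo() {
  local dir
  dir=$(mktemp -d)
  # stand-in for /etc/kubernetes/pki/ca.crt: PEM layout, not a real certificate
  printf -- '-----BEGIN CERTIFICATE-----\nZHVtbXk=\n-----END CERTIFICATE-----\n' > "$dir/ca.crt"
  check_sa_token "$DEMO_TOKEN" default def-ns-admin
  write_kubeconfig "$dir/def-ns-admin.conf" kubernetes https://10.0.0.1:6443 \
    "$dir/ca.crt" def-ns-admin "$DEMO_TOKEN"
  printf '%s\n' "$dir/def-ns-admin.conf"
}

demo
```

To use it against a real cluster, replace DEMO_TOKEN with the output of the base64 -d command from step 4) and the CA stand-in with /etc/kubernetes/pki/ca.crt. However the file was produced, confirm the grant from the cluster side before handing it over: kubectl --kubeconfig=/root/def-ns-admin.conf auth can-i list pods -n kube-system should answer no, and the same question with -n default should answer yes.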
