1.下载dashboard资源请单
wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
vim kubernetes-dashboard.yaml
spec:
ports:
- port: 443
targetPort: 8443
nodePort: 31000 固定端口映射
selector:
k8s-app: kubernetes-dashboard
type: NodePort 指定NodePort类的service,把服务放出去
...
spec:
containers:
- name: kubernetes-dashboard
image: mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1 修改镜像地址
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
# Create on-disk volume to store exec logs
- mountPath: /tmp
name: tmp-volume
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 30
timeoutSeconds: 30
volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: kubernetes-dashboard-certs
删除 下面这一段secret
---
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-certs
namespace: kube-system
type: Opaque
---
cd /etc/kubernetes/pki/
(umask 077;openssl genrsa -out dashboard.key 2048) 私钥
openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=mageedu/CN=dashboard" 证书签名请求
openssl x509 -req -in dashboard.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dashboard.crt -days 365 签署完成证书
kubectl create secret generic kubernetes-dashboard-certs -n kube-system --from-file=dashboard.crt=./dashboard.crt --from-file=dashboard.key=./dashboard.key 创建secret 类型是generic 即签名证书
kubectl get secrets -n kube-system 查询创建是否成功
2.创建dashboard
kubectl apply –f kubernetes-dashboard.yaml
查看dashboard的POD是否正常启动,如果正常说明安装成功
kubectl get pods --namespace=kube-system
解决签名证书过期的问题参考: https://www.jianshu.com/p/c6d560d12d50
登录dashboard的方式
1.通过token登录
创建sa
kubectl create serviceaccount dashboard-admin -n kube-system
kubectl get sa -n kube-system 查询sa
kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin 给sa账号dashboard-admin添加集群角色 绑定名要与sa账号一致
结果: dashboard-admin-token-j6g69
kubectl describe secrets -n kube-system dashboard-admin-token-j6g69
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tajZnNjkiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMGY5ZjE0MzEtZThhNC00MWE3LTg4MmUtNzExNDNiMzEwODJmIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.c2yulGwZU9AECgGBXmYACpB1Sg7IaZIjMFrOC2MYAPeAdDWPGRjhtTFL5vwheu1EUsuPTA__uxLwvQ4VDxWA64MjsZy_PT-86Oe4LuhGltZpHiqfuonqpRGqQLdlXut0AU1NULi4pZ7QJxVoS9hrN88Cwc40AxyyKjoqdudmRuQC1C6zp_fP-VPHKtVJg6JMgTaFBNoFDL40j9nNm9GDCDDVqdWapQxuaaPdz9Mm-Nm3cL8hz3oGV0FBrgoi5zvumMKZLsU70B5_zDW8ZeMRjf7Js5G4LSQ8C5bQ-bEs3ioCbV-2YtPMuFALJJHmmY_yzommDqJ3Jf3TUu3_n9R_ig
复制token,并粘帖到认证栏里即可
2.通过自建kubeconf文件登录
kubectl create serviceaccount def-ns-admin -n default 创建sa账号def-ns-admin
kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin 给sa账号绑定角色
kubectl describe secrets def-ns-admin-token-8flrw 获取token也能登录系统
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZi1ucy1hZG1pbi10b2tlbi04ZmxydyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWYtbnMtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0MzdlNzcwOS1hYzdlLTRhMGEtYTU1OC0xZGNmOWVlOTg2ZjkiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZWYtbnMtYWRtaW4ifQ.TdEtTTFydD5smIksOQ7Vqk9yUV9Gg7t6dTN8Ei1qDi4jYT2LcUBxK1u7KeDJKTHaMxg_Jce3zK9heQT9CaIvnKW-c9B99nd31MAcfeGdQ0zB4Mi5dVMMoVHF1N1S9jqurkjpg4rMnIMA3l-GitXvatouWH1J2mMUX5xOXbQHs-zUOhN_RqvLl1KNSWzQoK8EEWqw82Xuz33JwcbCJfwB5xXWXzz_2rHpkYqVCKAkoskEA8V3BX0DrdKa7XslgeXs6W55tEbTykmsRTCrq6o750dbyolYY5NHhV-QFIr0uNdXQHygG-Mh4MHV-wCXbI--ueSnmP7y9fgeouD_2xEa3g
Mh4MHV-wCXbI--ueSnmP7y9fgeouD_2xEa3g
DEF_NS_ADMIN_TOKEN=$(kubectl get secret def-ns-admin-token-8flrw -o jsonpath={.data.token} | base64 -d)
kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --server="https://192.168.85.110:6443" --embed-certs=true --kubeconfig=/root/def-ns-admin.conf 创建集群,设置集群
kubectl config view --kubeconfig=/root/def-ns-admin.conf 查看创建的conf生效了没有
kubectl config set-credentials def-ns-admin --token=$DEF_NS_ADMIN_TOKEN --kubeconfig=/root/def-ns-admin.conf 设置登录集群账号,账号名要与sa账号一致
kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin --kubeconfig=/root/def-ns-admin.conf 设置context 账号的切换就是context的切换
kubectl config use-context def-ns-admin@kubernetes --kubeconfig=/root/def-ns-admin.conf 切换context
kubectl config view --kubeconfig=/root/def-ns-admin.conf 这个def-ns-admin.conf可以拿去当用户认证信息使用了
注释:认证时的账号必须为serviceaccount:被dashborad pod拿来由kubernetes进行认证
Token:1.创建serviceaccount,根据其管理目标,使用rolebinding或clusterrolebinding绑定至合理的role或clusterrole
2.获取用户的认证信息,既获取 serviceaccount账号的secret的详细的信息,其中就有token
Kubeconfig:1.把serviceaccount的token封装为kubeconfig
2. DEF_NS_ADMIN_TOKEN=$(kubectl get secret def-ns-admin-token-8flrw -o jsonpath={.data.token} | base64 -d)
3.生成kubeconfig文件
Kubectl config set-cluster
Kubectl config set-credentials
Kubectl config set-context
Kubectl config use-context
Kubernetes集群的管理方式: 1.命令式 kubectl get create run expose delete edit
2.命令式配置文件 kubectl create/delete –f filename
3.声明式配置文件 kubectl apply –f filename