【原】安装 k8s-dashboard 并通过 ingress 暴露访问

安装 dashboard

1.1 下载 yaml 文件

[root@uk8s-a ~]# mkdir web-ui
[root@uk8s-a ~]# cd web-ui/
[root@uk8s-a web-ui]# wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.3/aio/deploy/recommended.yaml

1.2 制作证书

因为要使用 ingress 通过域名的方式对外暴露访问，所以需要自己制作证书

准备证书生成脚本

[root@uk8s-a web-ui]# mkdir certs
[root@uk8s-a web-ui]# cd certs
[root@uk8s-a certs]# vim create_cert.sh
#!/bin/bash
# author: liyongjian5179@163.com
# bash create_cert.sh kubernetes-dashboard-certs dashboard dashboard.5179.top kubernetes-dashboard

if [ $# -ne 4 ];then
    echo "please user in: `basename $0` SECRET_NAME CERT_NAME DOMAIN NAMESPACE"
    exit 1
fi

SECRET_NAME=$1
CERT_NAME=$2
DOMAIN=$3
NAMESPACE=$4

# TLS Secrets
# Anytime we reference a TLS secret, we mean a PEM-encoded X.509, RSA (2048) secret.
# You can generate a self-signed certificate and private key with:

# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout ${CERT_NAME}.key -out ${CERT_NAME}.crt -subj "/CN=${DOMAIN}/O=${DOMAIN}"
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout ${CERT_NAME}.key -out ${CERT_NAME}.crt -subj "/CN=${DOMAIN}/O=${DOMAIN}"

# 创建 NAMESPACE
kubectl get namespace |grep ${NAMESPACE}
if [ $? -eq 0 ]; then
     echo "[INFO] ${NAMESPACE} is already exists"
else
     kubectl create namespace ${NAMESPACE}
     echo "[INFO] create ${NAMESPACE} success!"
fi

# Then create the secret in the cluster via:
# kubectl create secret tls ${SECRET_NAME} --key ${CERT_NAME}.key --cert ${CERT_NAME}.crt
# 如果你使用--key --cert方式则创建的secret中data的默认2个文件名就是tls.key和tls.crt

kubectl create secret generic ${SECRET_NAME} --from-file=${CERT_NAME}.crt --from-file=${CERT_NAME}.key -n ${NAMESPACE}
# The resulting secret will be of type kubernetes.io/tls.

执行一下

[root@uk8s-a certs]# bash create_cert.sh kubernetes-dashboard-certs dashboard dashboard.5179.top kubernetes-dashboard
Generating a 2048 bit RSA private key
........+++
....................................................+++
writing new private key to 'dashboard.key'
-----
kubernetes-dashboard   Active   2m48s
[INFO] kubernetes-dashboard is already exists
secret/kubernetes-dashboard-certs created

1.3 修改配置文件

修改文件，使用自己制作的证书

[root@uk8s-a web-ui]# vim ./recommended.yaml

#将以下内容注释，因为要用我们自己生成的证书
# ---
#apiVersion: v1
#kind: Secret
#metadata:
#  labels:
#    k8s-app: kubernetes-dashboard
#  name: kubernetes-dashboard-certs
#  namespace: kubernetes-dashboard
#type: Opaque
...
# 修改启动参数，添加证书路径
...
kind: Deployment
apiVersion: apps/v1
metadata:
spec:
...
    spec:
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.0.3
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          command:                              # 新增
            - /dashboard                        # 新增
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            - --token-ttl=3600                  # 新增
            - --bind-address=0.0.0.0            # 新增
            - --tls-cert-file=dashboard.crt     # 新增 
            - --tls-key-file=dashboard.key      # 新增 

其中auto-generate-certificates不能注释，因为我看到过有帖子说要注释掉（这个参数不仅仅是自动证书的开关，还是总的HTTPS的开关，当我们手工配置了证书后，容器不会自动生成）。
另外两个 tls 参数指定的是被挂载到容器中的证书的名字

执行一下该文件

[root@uk8s-a web-ui]# kubectl apply -f recommended.yaml
namespace/kubernetes-dashboard unchanged
serviceaccount/kubernetes-dashboard unchanged
service/kubernetes-dashboard unchanged
secret/kubernetes-dashboard-csrf configured
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
secret/kubernetes-dashboard-key-holder configured
configmap/kubernetes-dashboard-settings unchanged
role.rbac.authorization.k8s.io/kubernetes-dashboard unchanged
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard unchanged
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard unchanged
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard unchanged
deployment.apps/kubernetes-dashboard unchanged
service/dashboard-metrics-scraper unchanged
deployment.apps/dashboard-metrics-scraper unchanged

创建 ingress 文件

[root@uk8s-a ingress]# vim ingress-dashboard.yaml
[root@uk8s-a ingress]# cat ingress-dashboard.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-dashboard
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # 开启use-regex，启用path的正则匹配
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
    - dashboard.5179.top
    secretName: kubernetes-dashboard-certs
  rules:
  - host: dashboard.5179.top
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443

创建用户

[root@uk8s-a web-ui]# cat create-user.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
  
[root@uk8s-a web-ui]# kubectl apply -f create-user.yaml
serviceaccount/admin-user unchanged
clusterrolebinding.rbac.authorization.k8s.io/admin-user unchanged

获取登陆token

[root@uk8s-a web-ui]# cat get-user-token.sh
#!/bin/bash

USER=${1:-admin-user}

kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep $USER | awk '{print $1}')

# 执行一下脚本
[root@uk8s-a web-ui]# bash get-user-token.sh
Name:         admin-user-token-dhx6r
Namespace:    kubernetes-dashboard
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: admin-user
              kubernetes.io/service-account.uid: 84583c60-2c95-4118-9158-6341962d917f

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1363 bytes
namespace:  20 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6ImZlaXFTZERBdjhGLWwyZ0xLTzljaHdhSlJ1OWdfeTNDWU4wRzhuS3MyYTAifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLWRoeDZyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4NDU4M2M2MC0yYzk1LTQxMTgtOTE1OC02MzQxOTYyZDkxN2YiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6YWRtaW4tdXNlciJ9.tPgicyWaMDfN5GkLY8XX2S-jhS-pvNC6eNvZ1FCIgZi3quWQND_JASqUr4Y9nyzdFtt-Jog1QbBCRGOE1YMrc3CX27TZttsbJNgq_PqlSjJ8NpmQfUzL5EAaYEUk7bcTRsePrGpECLqih7OOMN1lXO3WYiMJLfeDvkSaUweuUQzSTGtdkzbjVmVY-DksejyXSO_DI_-DMa4lq8zTnegwywdNUkFu06J_DXTTZZIpyKBKvpKz0pny2JIS4x9rI6v4g4Ljw47U7GM30CkQeletagQ8tjXf8g2QTp7Puc9NIpK39u8H1SIqbEZCBtRTJEfLTibDXXnlNplZF5FQ5bms1g

用这个 token 去访问界面

参考

https://blog.csdn.net/catoop/article/details/105046078/