K8S集群一套
[root@k8s-master ~]# cat /etc/hosts
51.0.1.213 k8s-master
51.0.1.214 k8s-node1
51.0.1.215 k8s-node2
[root@k8s-master ~]# kubectl version
Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1", GitCommit:"b7394102d6ef778017f2ca4046abbaa23b88c290", GitTreeState:"clean", BuildDate:"2019-04-08T17:11:31Z", GoVersion:"go1.12.1", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1", GitCommit:"b7394102d6ef778017f2ca4046abbaa23b88c290", GitTreeState:"clean", BuildDate:"2019-04-08T17:02:58Z", GoVersion:"go1.12.1", Compiler:"gc", Platform:"linux/amd64"}
生成客户端证书
[root@k8s-master ~]# mkdir -p $HOME/.kube
[root@k8s-master ~]# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
[root@k8s-master ~]# chown $(id -u):$(id -g) $HOME/.kube/config
[root@k8s-master ~]# grep 'client-certificate-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d >> kubecfg.crt
[root@k8s-master ~]# grep 'client-key-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d >> kubecfg.key
[root@k8s-master ~]# openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12 -name "kubernetes-web-client"
Enter Export Password: 设置证书密码,浏览器导入证书时需要
Verifying - Enter Export Password:
创建kubernetes-dashboard.yaml
此处有墙(如果不行就用下面的)
[root@k8s-master ~]#kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/aio/deploy/recommended/kubernetes-dashboard.yaml
或
[root@k8s-master ~]# wget http://pencil-file.oss-cn-hangzhou.aliyuncs.com/blog/kubernetes-dashboard.yaml
[root@k8s-master ~]# kubectl create -f kubernetes-dashboard.yaml
查看POD状态
[root@k8s-master ~]# kubectl get po -n kube-system |grep dashboard
kubernetes-dashboard-5f7b999d65-66rrw 1/1 Running 0 91m
创建访问账户
[root@k8s-master ~]# cat dashboard_service_account_admin.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kube-system
创建集群角色绑定
[root@k8s-master ~]# cat dashboard_cluster_role_binding_admin.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kube-system
创建资源
[root@k8s-master ~]# kubectl apply -f dashboard_service_account_admin.yaml
serviceaccount/admin-user created
[root@k8s-master ~]# kubectl apply -f dashboard_cluster_role_binding_admin.yaml
clusterrolebinding.rbac.authorization.k8s.io/admin-user created
获取TOKEN
复制下面token
[root@k8s-master ~]# kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')
Name: admin-user-token-8dsjg
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: admin-user
kubernetes.io/service-account.uid: 45c6f835-bccd-11e9-8459-0050569ce87d
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8
vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLThkc2pnIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm
5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0NWM2ZjgzNS1iY2NkLTExZTktODQ1OS0wMDUwNTY5Y2U4N2QiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06YW
RtaW4tdXNlciJ9.iVTX3bEaXYidDUfCf4nTM8isAtp7PbjzxbiAYsqkKEwNV1TUh4GqRkaDo4kynA43cULpSmOhdtCi45lhWgLMfgjOgaOra-WOwT5JmkP4Cze5R1tt_Ukw7nSu13nSJ-_QsTXURqGDsHK6NBCyo2WKTeCAJzuJzeHpfsOCVgYP5jnDyG-MTKfeJgVipCnXlDw1duX0JYjsQLgNgDJLZ6SHNstjWeU85AE5xQ37K78Fciqq7mDmLjZ1dbWnNs8sUKttH76--TzqsORzr7zIySJAfDIS_dGuchlWi3s5tXJNX4BbaLAYIGPUM5ZKKVoOzIr1YiVRyp0bVIlnskVPPs4nVQ
导出证书
kubecfg.p12 导需要访问的主机上,浏览器导入证书。我这是谷歌浏览器
登录dashboard
https://xxxxxxxxx:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
跳转后输入token
显示页面
