  • 部署K8S dashboard

    Dashboard 提供 Web 页面,方便通过浏览器管理 K8S 集群。

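    1. 准备镜像(注意:下面拉取的是 v1.8.3,而 dp.yaml 里使用的是 harbor.od.com/public/kubernetes-dashboard:v1.10.1;需要拉取与 dp.yaml 一致的版本,打 tag 后推送到私有仓库 harbor.od.com/public,Deployment 才能拉到镜像)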

    docker pull k8scn/kubernetes-dashboard-amd64:v1.8.3
    

      

    2. 配置rbac  deployment service ingress 的文件

    然后再应用这些资源配置清单

    [root@hdss7-200 dashboard]# cat rbac.yaml 
    # ServiceAccount used by the dashboard pod (dp.yaml refers to it via serviceAccountName).
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
        addonmanager.kubernetes.io/mode: Reconcile
      name: kubernetes-dashboard-admin
      namespace: kube-system
    ---
    # Binds the ServiceAccount above to the built-in cluster-admin ClusterRole.
    # NOTE(review): this gives the dashboard, and anyone who holds this account's token,
    # unrestricted access to every resource in the cluster. Prefer a narrowly scoped
    # Role/ClusterRole (for example the built-in read-only `view` role) unless full
    # administration through the web UI is really required.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: kubernetes-dashboard-admin
      # NOTE(review): ClusterRoleBinding is cluster-scoped, so this namespace field has no effect.
      namespace: kube-system
      labels:
        k8s-app: kubernetes-dashboard
        addonmanager.kubernetes.io/mode: Reconcile
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      # Full cluster administrator role.
      name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: kubernetes-dashboard-admin
      namespace: kube-system
    [root@hdss7-200 dashboard]# cat dp.yaml 
    # Deployment that runs the dashboard container in kube-system.
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: kubernetes-dashboard
      namespace: kube-system
      labels:
        k8s-app: kubernetes-dashboard
        kubernetes.io/cluster-service: "true"
        addonmanager.kubernetes.io/mode: Reconcile
    spec:
      selector:
        matchLabels:
          k8s-app: kubernetes-dashboard
      template:
        metadata:
          labels:
            # The Service in svc.yaml selects pods by this label.
            k8s-app: kubernetes-dashboard
          annotations:
            # NOTE(review): legacy alpha annotation; priorityClassName below appears to
            # serve the same purpose -- confirm whether it is still needed.
            scheduler.alpha.kubernetes.io/critical-pod: ''
        spec:
          priorityClassName: system-cluster-critical
          containers:
          - name: kubernetes-dashboard
            # Pulled from the private registry, so this exact tag must have been pushed there first.
            # NOTE(review): a tag is mutable; consider pinning the image by digest.
            image: harbor.od.com/public/kubernetes-dashboard:v1.10.1
            resources:
              limits:
                cpu: 100m
                memory: 300Mi
              requests:
                cpu: 50m
                memory: 100Mi
            ports:
            - containerPort: 8443
              protocol: TCP
            args:
              # PLATFORM-SPECIFIC ARGS HERE
              # The dashboard generates its own certificate for the HTTPS listener on 8443.
              - --auto-generate-certificates
            volumeMounts:
            - name: tmp-volume
              mountPath: /tmp
            # Liveness (health-check) probe: HTTPS GET / on port 8443.
            livenessProbe:
              httpGet:
                scheme: HTTPS
                path: /
                port: 8443
              initialDelaySeconds: 30
              timeoutSeconds: 30
          # NOTE(review): no securityContext is set for the pod or the container;
          # consider adding one (non-root user, read-only root filesystem) -- verify against the image.
          volumes:
          - name: tmp-volume
            emptyDir: {}
          # The pod runs as the account that rbac.yaml binds to cluster-admin, so a
          # compromise of this container exposes cluster-admin credentials.
          serviceAccountName: kubernetes-dashboard-admin
          tolerations:
          - key: "CriticalAddonsOnly"
            operator: "Exists"
    [root@hdss7-200 dashboard]# cat svc.yaml 
    # Service in front of the dashboard pods; no type is given, so it is a ClusterIP service.
    apiVersion: v1
    kind: Service
    metadata:
      # ingress.yaml refers to this exact name in serviceName, so the two must stay in sync.
      # NOTE(review): the "tt" suffix here and the "66" suffix in the label below look like
      # leftovers from testing -- confirm before reusing.
      name: kubernetes-dashboardtt
      namespace: kube-system
      labels:
        k8s-app: kubernetes-dashboard66
        kubernetes.io/cluster-service: "true"
        addonmanager.kubernetes.io/mode: Reconcile
    spec:
      # Selects the pods labelled in dp.yaml (this is the pod label, not the Service label above).
      selector:
        k8s-app: kubernetes-dashboard
      ports:
      # Service port 443 forwards to the container's HTTPS port 8443.
      - port: 443
        targetPort: 8443
    [root@hdss7-200 dashboard]# cat ingress.yaml 
    # Ingress that routes the host dashboard.od.com to the dashboard Service through traefik.
    # NOTE(review): extensions/v1beta1 Ingress was removed in Kubernetes 1.22; on newer clusters
    # use networking.k8s.io/v1, whose backend fields are structured differently.
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: kubernetes-dashboard
      namespace: kube-system
      annotations:
        kubernetes.io/ingress.class: traefik
    spec:
      rules:
      - host: dashboard.od.com
        http:
          paths:
          # Must match the Service name and port defined in svc.yaml.
          # NOTE(review): port 443 maps to the dashboard's HTTPS listener on 8443, so the ingress
          # controller presumably has to speak HTTPS to this backend -- verify the traefik setup.
          - backend:
              serviceName: kubernetes-dashboardtt
              servicePort: 443  

    3. 配置nginx https 代理:

    两台nginx 都要加!

    # Plain-HTTP virtual host: permanently redirects every request to the HTTPS site.
    server {
        listen       80;
        server_name  dashboard.od.com;
    
        rewrite ^(.*)$ https://${server_name}$1 permanent;
    }
    # HTTPS virtual host: terminates TLS and proxies to the traefik upstream.
    server {
        listen       443 ssl;
        server_name  dashboard.od.com;
    
        # Certificate and private key issued on the CA server; paths are relative to the nginx
        # configuration prefix. Keep the key file readable by the nginx user only.
        ssl_certificate "certs/dashboard.od.com.crt";
        ssl_certificate_key "certs/dashboard.od.com.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        # NOTE(review): no ssl_protocols directive is set, so the allowed TLS versions depend on
        # the nginx build's default; consider pinning them, e.g. `ssl_protocols TLSv1.2 TLSv1.3;`.
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
    
        location / {
            # TLS ends here: the hop from nginx to the traefik upstream is plain HTTP, so
            # dashboard traffic (including the login token) is unencrypted on that segment.
            proxy_pass http://default_backend_traefik;
    	      proxy_set_header Host       $http_host;
            proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
        }
    }

     在dns server 上 配置好A 记录  

    dashboard	60 IN A 10.4.7.10

     

    4. 在CA 服务器上颁发dashboard证书

    在 CA server 上:
    # Generate the private key for dashboard.od.com (the server key, not a CA certificate).
    # The umask 077 inside the subshell makes the key file readable by its owner only.
    certs]# (umask 077; openssl genrsa -out dashboard.od.com.key 2048)  # 2048-bit RSA private key
    certs]# openssl req -new -key dashboard.od.com.key -out dashboard.od.com.csr -subj  "/CN=dashboard.od.com/C=CN/ST=BJ/L=Beijing/O=OldboyEdu/OU=ops"  # create the certificate signing request (CSR)
    # Sign the CSR with the local CA (ca.pem / ca-key.pem); the certificate is valid for 3650 days.
    # NOTE(review): no subjectAltName is added, so the certificate names the host by CN only;
    # current browsers generally require a SAN entry -- confirm, and add one via -extfile if needed.
    certs]# openssl x509 -req -in dashboard.od.com.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out dashboard.od.com.crt -days 3650
    
    然后把生成的 dashboard 证书和私钥(dashboard.od.com.crt、dashboard.od.com.key)copy 到 11 和 12 上去,放到 nginx 配置中引用的 certs 目录下;私钥文件注意保持仅属主可读。
    

      

    5. 访问dashboard 

    kubectl get secret -n kube-system
    NAME                                     TYPE                                  DATA   AGE
    coredns-token-cks85                      kubernetes.io/service-account-token   3      57d
    dashboard-cert                           Opaque                                2      20d
    default-token-7bzxd                      kubernetes.io/service-account-token   3      64d
    kube-state-metrics-token-zrvdz           kubernetes.io/service-account-token   3      43d
    kubernetes-dashboard-admin-token-mvk6c   kubernetes.io/service-account-token   3      12d
    kubernetes-dashboard-key-holder          Opaque                                2      7d17h
    kubernetes-dashboard-token-n9q9l         kubernetes.io/service-account-token   3      12d
    traefik-ingress-controller-token-rpjj7   kubernetes.io/service-account-token   3      56d
    [root@hdss7-21 opt]# kubectl describe secret kubernetes-dashboard-admin-token-mvk6c  -n kube-system
    Name:         kubernetes-dashboard-admin-token-mvk6c
    Namespace:    kube-system
    Labels:       <none>
    Annotations:  kubernetes.io/service-account.name: kubernetes-dashboard-admin
                  kubernetes.io/service-account.uid: a169d642-80fb-4fdd-a877-df95b370a4f5
    
    Type:  kubernetes.io/service-account-token
    
    Data
    ====
    namespace:  11 bytes
    token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.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.M3YngzqLDu0xlMTNwbL12VnYuloZchsKOPCNDH5V3Tn5M7MNNrriIf8Lc6TyqHfD6gJj30WoLp9vpdlL3tU_XPSQt5HnT4892cI3YfT1nh_znNlaE8lrfLXebMbDAe50s7zLoXWxfHMEQYURO3cEl101yhP5mE-S69PTTQDKwUGVMFPMyCoKH1ejZDDtdH6we8pvuMbfi_iTv53KrVo0OKlQ3NHMgdJFZ04ECVFJ3wWczfOAqCXj8R5AlYTqPXJhNVQmOvopCYH4kEPg5QDhOER71YffMEoqdrR-O5DAUq2npCl9aa7UrFxEUu2ji745y9qAm2fftL68YrhzsA_l0Q
    ca.crt:     1346 bytes
    
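    把 token 信息复制到登录页面的 token 输入框就可以了。注意:这个 token 属于绑定了 cluster-admin 的 ServiceAccount,等同于集群管理员凭据,不要把真实 token 贴到文章或聊天记录里;如已泄露,应删除对应的 secret 使其失效。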
    

      

  • 原文地址:https://www.cnblogs.com/yyselisa/p/13189000.html