cisen / blog


kubernetes-dashboard installation #417

Open · cisen opened this issue 5 years ago

cisen commented 5 years ago

https://www.cnblogs.com/klvchen/p/9963642.html

Important

Kubernetes versions supported by dashboard v1.10.1:

Kubernetes version   1.8   1.9   1.10   1.11   1.12   1.13
Compatibility        Y     Y     Y      ?      ?      X

Access to the Kubernetes cluster UI uses authenticated HTTPS by default, and the dashboard uses a self-signed certificate by default. That auto-generated certificate is obviously not signed by the Kubernetes cluster currently in use, so the browser has no permission to access it. Before installing the dashboard, generate a certificate signed by your own Kubernetes cluster CA for the Pod that runs the dashboard to use.

(1) Generate the dashboard certificate

# Switch to the cluster certificate directory
cd /etc/kubernetes/pki

# Generate the private key dashboard.key
openssl genrsa -out dashboard.key 2048

# Generate the certificate signing request dashboard.csr
openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=dashboard/CN=demo.dashboard.com"

# Generate the certificate file dashboard.crt
openssl x509 -req -in dashboard.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dashboard.crt -days 365

# Move the dashboard certificate into the new directory /etc/kubernetes/pki/dashboard
mkdir -p /etc/kubernetes/pki/dashboard
mv dashboard.* /etc/kubernetes/pki/dashboard

(2) Install the dashboard add-on

# Download the dashboard installation manifest
wget https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

# Note: the image referenced in the file cannot be downloaded; replace it first with mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1

# If the nodes cannot get past the firewall, the relevant pods will not start because the image pull fails; the fix is to configure a Docker proxy or to pull and import the image in advance (see kubernetes-dashboard.yaml for the exact image version)

# By default the Dashboard Service is of type ClusterIP, which cannot be reached from outside the cluster; change it to NodePort and pin the mapped port to 30303
# Search for the Dashboard Service
# spec:
#   type: NodePort
#   ports:
#     - port: 443
#       targetPort: 8443
#       nodePort: 30303

# Install the dashboard add-on
kubectl apply -f kubernetes-dashboard.yaml

# Delete the default self-signed certificate
kubectl delete secret kubernetes-dashboard-certs -n kube-system

# Add your own signed certificate
kubectl create secret generic kubernetes-dashboard-certs --from-file=/etc/kubernetes/pki/dashboard -n kube-system

# Because the CSR used the domain demo.dashboard.com, add a hosts entry on the master node
echo '192.168.8.90 demo.dashboard.com' >> /etc/hosts

# Check that the Dashboard Service is of type NodePort and that the port is 30303
kubectl get svc -n kube-system

# Open https://demo.dashboard.com:30303 in Chrome on the master host, click Advanced and proceed, and you reach the Kubernetes dashboard login page.

(3) Generate a login token and grant permissions

# Generate the login token
  # Create a cluster-level serviceaccount
  kubectl create serviceaccount dashboard-admin -n kube-system
  # A token is generated automatically when the account is created; you can log in with it, but it has no permission to operate on resources, so authorization is still needed

# Authorization
  # Bind the dashboard-admin account to cluster-admin (the administrator role; list roles with kubectl get clusterrole -n kube-system)
  kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin

# Get the token value and paste it into the browser to log in.
kubectl get secret -n kube-system | grep dashboard-admin # get the corresponding secret name
kubectl describe secret <secret-name> -n kube-system | awk '/^token:/{print $2}'
# token value:
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtc2EtdG9rZW4tdDJoNGYiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLXNhIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZmU1NDk1ZWEtYzZkOC0xMWU4LWI2MjktMDAwYzI5NmY4YzY0Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1zYSJ9.LLXz3UoEhPrN1l_edxx8K0kG04SSvqkpBERH5PlfPkhV_o8vaHOpWyzyuo5Ik3d6yEXIPoHVr7e-ZTH4fZDTnul94rMChYLUimIEvmu0JI0lxhp9FrkHbjvLtW-Xa34J-1-lg73xBi_nboFSKJAqRtw2rse3y0zQPb8tcIpV_ptgTJmDOXgFfwjmToUAqlieePIlxj3w8QoHInGHziTf0MYmn7O2725VyGoHxi2PSROtXASmVOeghwn52zRXQtDe7SVhhkPHGlCcbK8Wki5N5lZIpWWoD8xv_DOGq3o1tImr02yTsPlrmiCWgJTXHxgwOmXIQD3X3sP5iYxYP04EAg

The serviceaccount creation and binding above used the parameter -n kube-system, meaning this account has cluster management permissions. If you need a namespace-level account, drop the parameter and the default namespace is used.

# Create an account with permissions only in the default namespace
kubectl create serviceaccount dashboard-vison
kubectl create rolebinding dashboard-default-vison --clusterrole=cluster-admin --serviceaccount=default:dashboard-vison
kubectl get secret | grep dashboard-vison
kubectl describe secret <secret-name> | awk '/^token:/{print $2}'
# token value:
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRhc2hib2FyZC12aXNvbi10b2tlbi1saDQ0ZyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkYXNoYm9hcmQtdmlzb24iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIzOTZhNzUwOC1jNmUxLTExZTgtYjYyOS0wMDBjMjk2ZjhjNjQiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkYXNoYm9hcmQtdmlzb24ifQ.DyYsIjpxN6MREBEfDQQyA9Hlm9iU69JRH5oRkkUjA1bz-EkTLbb3Slc7mDztMeXsDxXKu1gBJ63_FAOrikCAXCoj8keH_JPrJGAFi7jHwlvYWqboy59fhcN81rhDxeBvuGUgafeRoHfgZ5j0ZypW9-85LOwYL-QbB4gj-NW77lDjGbrcuNGSrLQYYZSB0aAnyRi5QrT0c8-5aEf27xjTglBcR_xIbUO-WcdfVYdl08inbM5D6wqAyKFSqV5d_FPJDMg0svAcRthM_qaArdj1MKBNtxa_smBrYXUj3hgc49admYNHHlTqB13xv0aELwshzUzjJtKMXdwlqyrN7VDq8Q
# 161.145
kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
clusterrolebinding.rbac.authorization.k8s.io/dashboard-cluster-admin created
[root@master kubedashboard]# kubectl get secret -n kube-system | grep dashboard-admin
dashboard-admin-token-q75pj                      kubernetes.io/service-account-token   3         17s
[root@master kubedashboard]# kubectl describe secret dashboard-admin-token-q75pj -n kube-system | awk '/^token:/{print $2}'
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tcTc1cGoiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZDNiYTljYzItODA1NC0xMWU5LWFlOGYtMDAwYzI5MzY4OGM3Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.G9E4i3nUAyl-gQJCA2hTafyoJ8OnTIvSvAXndTQzR5-A0tTRes_3bEDcZQu69uRDrbHVBj-UJJ7frecEAzsJIhsjMJKwjmq-OHLgE_qbDkLcgYzStLgNvkZPRx-hcfqre3VbJS4Ty-HXcruyX9ciUvGR0x2KQgkh1pvbuT3GYfB3nBuOrCyt4A3gnZBkeevvQfpBrQquhlQD03gvMmnsjh-KFs0RKWCVpdFBYT2LDiwD8SyDYitCvIqHUNLQnChRAc3AhTeCi2Qgj77kuxHL8r-MYxvx5_c5oPdXPqwNt2s9HNq4orQFUmHP7Dzv3-_rSM3meULBEPRw3xga0xy5SQ

Proxy access

kubectl proxy --address=192.168.202.142 --accept-hosts='^*$' --disable-filter=true &
# Get the login token; list all tokens
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')

Access ignoring the certificate

wget --no-check-certificate https://192.168.202.142:30303
curl https://192.168.202.142:30303 -k
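The openssl steps in this comment (and again in the next one) sign a CSR whose only identity is the CN. Current browsers ignore the CN and require a subjectAltName, so even with the cluster CA trusted they reject that certificate for demo.dashboard.com. The script below is an added example, not code from this issue: it builds a throwaway CA in a temporary directory (standing in for /etc/kubernetes/pki/ca.crt and ca.key), issues the dashboard certificate with a SAN through -extfile, and checks the chain, the hostname, the SAN and the key/certificate pairing with openssl before anything is turned into a secret. All directory and file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original issue): issue a CA-signed dashboard
# serving certificate that carries a subjectAltName, then verify it offline.
set -eu

# make_demo_ca DIR : create a constructed CA that stands in for the cluster CA
make_demo_ca() {
  dir=$1
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = demo-kubernetes-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
}

# issue_dashboard_cert DIR HOST : private key, CSR, and a CA-signed cert with SAN=DNS:HOST
issue_dashboard_cert() {
  dir=$1; host=$2
  (umask 077; openssl genrsa -out "$dir/dashboard.key" 2048 >/dev/null 2>&1)
  openssl req -new -key "$dir/dashboard.key" -out "$dir/dashboard.csr" \
    -subj "/O=dashboard/CN=$host" >/dev/null 2>&1
  # The SAN is what browsers actually match; x509 -req only adds it via -extfile
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/san.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/dashboard.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/san.ext" -out "$dir/dashboard.crt" >/dev/null 2>&1
}

# verify_dashboard_cert DIR HOST : prints "ok" when the cert chains to ca.crt,
# is valid for HOST, names HOST in a SAN, and belongs to dashboard.key;
# otherwise prints the first check that failed
verify_dashboard_cert() {
  dir=$1; host=$2
  openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" "$dir/dashboard.crt" >/dev/null 2>&1 \
    || { echo "chain-or-hostname-failed"; return 0; }
  openssl x509 -in "$dir/dashboard.crt" -noout -text | grep -q "DNS:$host" \
    || { echo "no-san"; return 0; }
  cert_pub=$(openssl x509 -in "$dir/dashboard.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/dashboard.key" -pubout)
  [ "$cert_pub" = "$key_pub" ] || { echo "key-mismatch"; return 0; }
  echo ok
}

# Demo run in a temporary directory (constructed; replace with /etc/kubernetes/pki on a real master)
demo_dir=$(mktemp -d)
make_demo_ca "$demo_dir"
issue_dashboard_cert "$demo_dir" demo.dashboard.com
verify_dashboard_cert "$demo_dir" demo.dashboard.com
rm -rf "$demo_dir"
```

On a real master you would skip make_demo_ca and point the functions at the existing ca.crt and ca.key; the verify step is worth keeping in front of `kubectl create secret`, because a certificate that fails it is simply re-rejected by the browser after the Pod restarts.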

cisen commented 5 years ago

K8S dashboard: https://www.cnblogs.com/klvchen/p/9963642.html. kubernetes-dashboard has two authentication methods: token authentication and Kubeconfig-file authentication. The identity authenticated here is not a UserAccount but a serviceAccount that retrieves Kubernetes cluster resource information.

Token authentication

# Create a private key for the dashboard
cd /etc/kubernetes/pki/
# Note: the key must be created here
umask 077; openssl genrsa -out dashboard.key 2048

# Generate a certificate signing request
openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=klvchen/CN=dashboard"

# Sign the certificate with ca.key and ca.crt
openssl x509 -req -in dashboard.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dashboard.crt -days 365

# Create a secret from the signed certificate
kubectl create secret generic dashboard-cert -n kube-system --from-file=dashboard.crt=./dashboard.crt --from-file=dashboard.key=./dashboard.key

# Create a dedicated serviceaccount, dashboard-admin
kubectl create serviceaccount dashboard-admin -n kube-system

# Bind the cluster-admin role
kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin

# View the tokens of dashboard-admin
kubectl describe serviceaccount dashboard-admin -n kube-system
# The output above shows the secret is dashboard-admin-token-wrfng
kubectl get secret -n kube-system
kubectl describe secret dashboard-admin-token-wrfng -n kube-system
# Get the token value, used to fill in the login form on the web page

# Create the resources the dashboard needs
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.8.3/src/deploy/recommended/kubernetes-dashboard.yaml
kubectl get pods -n kube-system
kubectl get svc -n kube-system

# Change the network type of the svc
kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system
kubectl get svc -n kube-system
# Get the external port mapped by the NodePort, here 32240

Open https://192.168.0.205:32240 in Firefox, click Advanced and add an exception. Chrome and the Sogou browser could not bring up the interface here.

Kubeconfig file authentication

# Create a serviceaccount for accessing the default namespace
cd /etc/kubernetes/pki
kubectl create serviceaccount def-ns-admin -n default

# Create a rolebinding that associates def-ns-admin with admin
kubectl create rolebinding def-ns-admin --clusterrole=admin --serviceaccount=default:def-ns-admin

# View the token of def-ns-admin
kubectl get secret
kubectl describe secret def-ns-admin-token-8vzj5

# Create a kubeconfig file (token-based configuration)
kubectl config set-cluster kubernetes --certificate-authority=./ca.crt  --server="https://192.168.0.205:6443" --embed-certs=true --kubeconfig=/root/def-ns-admin.conf

kubectl config view --kubeconfig=/root/def-ns-admin.conf

DEF_NS_ADMIN_TOKEN=$(kubectl get secret  def-ns-admin-token-8vzj5  -o jsonpath={.data.token} |base64 -d)

kubectl config set-credentials def-ns-admin --token=$DEF_NS_ADMIN_TOKEN --kubeconfig=/root/def-ns-admin.conf

kubectl config view --kubeconfig=/root/def-ns-admin.conf

# Configure the context
kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin --kubeconfig=/root/def-ns-admin.conf

# Set the current context
kubectl config use-context def-ns-admin@kubernetes --kubeconfig=/root/def-ns-admin.conf

kubectl config view --kubeconfig=/root/def-ns-admin.conf

# Download def-ns-admin.conf

# Open in Firefox
https://192.168.0.205:31328

Summary

How to deploy the Dashboard

  1. Create it:
    kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.8.3/src/deploy/recommended/kubernetes-dashboard.yaml
  2. Change the Service to NodePort:
    kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system
  3. Authentication: the account used for authentication must be a ServiceAccount, which the dashboard pod presents to Kubernetes for authentication;

Method 1, token:
  (1) Create a ServiceAccount and, according to what it is meant to manage, bind it to a suitable role or clusterrole with a rolebinding or clusterrolebinding;
  (2) Get this ServiceAccount's secret and view the secret's details, which contain the token;

Method 2, kubeconfig: wrap the ServiceAccount's token in a kubeconfig file.
  (1) Create a ServiceAccount and, according to what it is meant to manage, bind it to a suitable role or clusterrole with a rolebinding or clusterrolebinding;
  (2) Get the token:
    kubectl get secret | awk '/^ServiceAccount/{print $1}'
    DEF_NS_ADMIN_TOKEN=$(kubectl get secret def-ns-admin-token-8vzj5 -o jsonpath={.data.token} |base64 -d)
  (3) Generate the kubeconfig file:

   kubectl config set-cluster  --kubeconfig=/PATH/TO/SOMEFILE
   kubectl config set-credentials NAME --token=$KUBE_TOKEN --kubeconfig=/PATH/TO/SOMEFILE
   kubectl config set-context
   kubectl config use-context
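Both methods in this thread end up handing the browser (or the kubeconfig) a service-account bearer token: whoever holds it is that service account, with whatever role or clusterrole was bound to it. Before pasting such a token into the dashboard or embedding it with `kubectl config set-credentials`, it is worth checking which account it actually identifies. The shell functions below are an added example, not part of the issue: they base64url-decode the payload of a service-account JWT and pull out its claims, run here over the first token posted in the thread above (copied verbatim as the sample input). Everything runs offline; no kubectl or API server is needed.

```shell
#!/bin/sh
# Added example (not from the original issue): inspect the claims of a
# Kubernetes service-account token without contacting the API server.
set -eu

# Sample input: the first token posted in the thread above, copied verbatim.
SAMPLE_TOKEN='eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtc2EtdG9rZW4tdDJoNGYiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLXNhIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZmU1NDk1ZWEtYzZkOC0xMWU4LWI2MjktMDAwYzI5NmY4YzY0Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1zYSJ9.LLXz3UoEhPrN1l_edxx8K0kG04SSvqkpBERH5PlfPkhV_o8vaHOpWyzyuo5Ik3d6yEXIPoHVr7e-ZTH4fZDTnul94rMChYLUimIEvmu0JI0lxhp9FrkHbjvLtW-Xa34J-1-lg73xBi_nboFSKJAqRtw2rse3y0zQPb8tcIpV_ptgTJmDOXgFfwjmToUAqlieePIlxj3w8QoHInGHziTf0MYmn7O2725VyGoHxi2PSROtXASmVOeghwn52zRXQtDe7SVhhkPHGlCcbK8Wki5N5lZIpWWoD8xv_DOGq3o1tImr02yTsPlrmiCWgJTXHxgwOmXIQD3X3sP5iYxYP04EAg'

# b64url_decode STRING : decode base64url (JWT segments drop the '=' padding) to stdout
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# jwt_payload TOKEN : print the decoded JSON payload (second dot-separated segment)
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# jwt_claim TOKEN NAME : print the string value of claim NAME; service-account
# tokens are flat JSON with string values, so a sed capture is enough here
jwt_claim() {
  jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# sa_token_identity TOKEN : print NAMESPACE/SERVICEACCOUNT that the token claims
sa_token_identity() {
  ns=$(jwt_claim "$1" 'kubernetes.io/serviceaccount/namespace')
  name=$(jwt_claim "$1" 'kubernetes.io/serviceaccount/service-account.name')
  printf '%s/%s\n' "$ns" "$name"
}

# sa_token_matches TOKEN NAMESPACE NAME : "match" if the token identifies
# NAMESPACE/NAME, otherwise "mismatch" (use before binding or embedding it)
sa_token_matches() {
  if [ "$(sa_token_identity "$1")" = "$2/$3" ]; then echo match; else echo mismatch; fi
}

echo "subject:  $(jwt_claim "$SAMPLE_TOKEN" sub)"
echo "identity: $(sa_token_identity "$SAMPLE_TOKEN")"
echo "secret:   $(jwt_claim "$SAMPLE_TOKEN" 'kubernetes.io/serviceaccount/secret.name')"
echo "expected dashboard-admin? $(sa_token_matches "$SAMPLE_TOKEN" kube-system dashboard-admin)"
```

The decode only reports what the token claims; the signature is not checked here, since only the API server holding the service-account signing key can do that. It is still enough to catch the common mistake of copying the wrong secret: for the sample above the `sub` claim is `system:serviceaccount:kube-system:dashboard-sa`, so `sa_token_matches` against `dashboard-admin` reports `mismatch`.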