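This article describes how to deploy the Kubernetes web UI (Dashboard). It assumes you already have a working k8s cluster; from there, follow the steps below. (All of the steps below are performed on the master node.)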

1. Download the kubernetes-dashboard.yaml file

2. Edit the kubernetes-dashboard.yaml file

    # ------------------- Dashboard Deployment ------------------- #

    kind: Deployment
    # apps/v1beta2 was removed in Kubernetes 1.16; newer clusters use apps/v1
    apiVersion: apps/v1beta2
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard
      namespace: kube-system
    spec:
      replicas: 1
      revisionHistoryLimit: 10
      selector:
        matchLabels:
          k8s-app: kubernetes-dashboard
      template:
        metadata:
          labels:
            k8s-app: kubernetes-dashboard
        spec:
          containers:
          - name: kubernetes-dashboard
            # modified: image pulled from a mirror registry
            image: registry.cn-hangzhou.aliyuncs.com/kube_containers/kubernetes-dashboard-amd64
            ports:
            - containerPort: 8443
              protocol: TCP
            args:
              - --auto-generate-certificates

    # ------------------- Dashboard Service ------------------- #

    kind: Service
    apiVersion: v1
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard
      namespace: kube-system
    spec:
      # modified: expose the Service on a node port
      type: NodePort
      ports:
        - port: 443
          targetPort: 8443
          nodePort: 30001
      selector:
        k8s-app: kubernetes-dashboard

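The parts shown in red in the code above are what needs to be changed in kubernetes-dashboard.yaml: the image, because otherwise it cannot be pulled, and the NodePort mapping, so that other hosts can reach the dashboard.

3. Create the resources from kubernetes-dashboard.yaml

    kubectl create -f kubernetes-dashboard.yaml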

4. Check that the kubernetes-dashboard container is running

    [root@docker-master1 ~]# kubectl get pods -n kube-system
    NAME                                     READY   STATUS    RESTARTS   AGE
    coredns-576cbf47c7-l5wlh                 1/1     Running   1          3d8h
    coredns-576cbf47c7-zrl66                 1/1     Running   1          3d8h
    etcd-docker-master1                      1/1     Running   1          3d8h
    kube-apiserver-docker-master1            1/1     Running   2          3d8h
    kube-controller-manager-docker-master1   1/1     Running   2          3d8h
    kube-flannel-ds-amd64-c7wz6              1/1     Running   0          3d8h
    kube-flannel-ds-amd64-hqvz9              1/1     Running   0          3d8h
    kube-flannel-ds-amd64-w7n4s              1/1     Running   2          3d8h
    kube-proxy-8gj2w                         1/1     Running   1          3d8h
    kube-proxy-mt6dk                         1/1     Running   0          3d8h
    kube-proxy-qtxz7                         1/1     Running   0          3d8h
    kube-scheduler-docker-master1            1/1     Running   2          3d8h
    kubernetes-dashboard-5f864b6c5f-5s2rw    1/1     Running   0          62m

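The line shown in red above (the kubernetes-dashboard pod) shows that kubernetes-dashboard is running successfully on a node. You can also go to that node and run docker ps to check that the kubernetes-dashboard container has started, and netstat -ptln to check that port 30001 is open.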

5. Create the kubernetes-dashboard administrator role

    [root@docker-master1 ~]# vi k8s-admin.yaml
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: dashboard-admin
      namespace: kube-system
    ---
    kind: ClusterRoleBinding
    # rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; newer clusters use rbac.authorization.k8s.io/v1
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: dashboard-admin
    subjects:
      - kind: ServiceAccount
        name: dashboard-admin
        namespace: kube-system
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io

6. Load the administrator role

    kubectl create -f k8s-admin.yaml

7. Get the token of the dashboard administrator role

    # Find the dashboard secret
    [root@docker-master1 ~]# kubectl get secret -n kube-system
    NAME                                             TYPE                                  DATA   AGE
    attachdetach-controller-token-d9w8c              kubernetes.io/service-account-token   3      3d8h
    bootstrap-signer-token-jdjwt                     kubernetes.io/service-account-token   3      3d8h
    bootstrap-token-9n6rpz                           bootstrap.kubernetes.io/token         6      149m
    bootstrap-token-n962df                           bootstrap.kubernetes.io/token         7      3d8h
    certificate-controller-token-lktt8               kubernetes.io/service-account-token   3      3d8h
    clusterrole-aggregation-controller-token-7stf6   kubernetes.io/service-account-token   3      3d8h
    coredns-token-kbz5z                              kubernetes.io/service-account-token   3      3d8h
    cronjob-controller-token-b647q                   kubernetes.io/service-account-token   3      3d8h
    daemon-set-controller-token-tzlpk                kubernetes.io/service-account-token   3      3d8h
    dashboard-admin-token-jc8t5                      kubernetes.io/service-account-token   3      17m

    # Get the token
    [root@docker-master1 ~]# kubectl describe secret dashboard-admin-token-jc8t5 -n kube-system
    Name:         dashboard-admin-token-jc8t5
    Namespace:    kube-system
    Labels:       <none>
    Annotations:  kubernetes.io/service-account.name: dashboard-admin
                  kubernetes.io/service-account.uid: cdfb442a-f48b-11e8-80e8-000c29c3dca5

    Type:  kubernetes.io/service-account-token

    Data
    ====
    namespace:  11 bytes
    token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.….FZCsonMyEdcDDvbzIz7rMxm8vvlk0Ck6O5ooqzaJRWkggwMoqf92qYBsNxMxxT5BdAtxB_iPUD7rEagR7sLTqixHeC0HdTnGCcTnNU1fq2KJA5ssNyi9P4XGJqsGuf4mAmF5L56uBh43X4hQ41rFYPQwIrmVnknTAbAWf3biiKWkN9Az8NsCulRSSCsJSOwfPoGlo7aSbMYTyRXlmzLuLbkMpMvyMHChBJ_MIYbH9dBj_hL3L9iwo9gpNTfB-0_uYHPEPdQcib8qUkC5NxgXdBuQPug5y1kLUVFNgq45ozLTibZuVihK_gza-WKVpBRPY5PaYCN1Gu0-tFObUYDUow
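
The ClusterRoleBinding from step 5 grants cluster-admin, so the token read out in step 7 gives whoever holds it full control of the cluster. As an added example (not part of the original post), the script below writes a read-only counterpart bound to the built-in view ClusterRole and checks manifests for cluster-admin bindings; the name dashboard-viewer is hypothetical, and the check assumes block-style YAML with two-space indentation.

```bash
# Added example, not from the original post. write_viewer_manifest FILE writes a
# read-only counterpart of k8s-admin.yaml ("dashboard-viewer" is a hypothetical name).
write_viewer_manifest() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-viewer
  namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dashboard-viewer
subjects:
- kind: ServiceAccount
  name: dashboard-viewer
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
EOF
}

# find_cluster_admin_bindings FILE...: print "<file>: <binding> -> cluster-admin"
# for each ClusterRoleBinding document whose roleRef names cluster-admin.
find_cluster_admin_bindings() {
  awk '
    function emit() {
      if (kind == "ClusterRoleBinding" && role == "cluster-admin")
        print file ": " name " -> cluster-admin"
      kind = name = role = sect = ""
    }
    FNR == 1 && NR > 1 { emit() }      # previous file ended
    { file = FILENAME }
    /^---/        { emit(); next }     # document separator
    /^kind:/      { kind = $2 }
    /^[A-Za-z]+:/ { sect = $1 }        # current top-level key
    /^  name:/ && sect == "metadata:" { name = $2 }
    /^  name:/ && sect == "roleRef:"  { role = $2 }
    END { emit() }
  ' "$@"
}

tmp=$(mktemp) && write_viewer_manifest "$tmp"
find_cluster_admin_bindings "$tmp"    # no output: the viewer binding is not cluster-admin
rm -f "$tmp"
```

Run against the k8s-admin.yaml from step 5, the check reports the dashboard-admin binding. A token for the viewer ServiceAccount lets the dashboard browse most namespaced objects but not read Secrets or change anything.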

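8. Log in to the kubernetes-dashboard web UI with the administrator role

In the client browser, enter https://nodeIP:nodeport, that is, the IP of whichever node the kubernetes-dashboard container is running on, plus the nodeport set above (in my case https://192.168.20.214:30001).

On the screen that appears, choose Token and enter the token (the token obtained above).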

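9. Ways to access the dashboard

According to the official documentation, there are currently four ways to access the Dashboard:

  • NodePort
  • API Server
  • kubectl proxy
  • Ingress

Of these four, I tested the first three; currently only NodePort and kubectl proxy work, and I have not yet solved API Server.

1. Using NodePort

Once the Service has been added to kubernetes-dashboard.yaml, the Dashboard can be accessed through the NodePort. On our physical machine, open https://192.168.20.214:30001/ in Chrome, as in step 2 above. (Step 2 used the NodePort method.)

If the browser reports the certificate error NET::ERR_CERT_INVALID, the cause is that the certificate is not usable by the browser on the physical machine. We can generate a private certificate or use a public one; the certificate is configured below.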

    # 1. Find which node the kubernetes-dashboard container runs on; here it is docker-slave2
    [root@docker-master1 pki]# kubectl get pod -n kube-system -o wide
    NAME                                     READY   STATUS    RESTARTS   AGE     IP               NODE             NOMINATED NODE
    coredns-576cbf47c7-l5wlh                 1/1     Running   1          9d      10.244.0.5       docker-master1   <none>
    coredns-576cbf47c7-zrl66                 1/1     Running   1          9d      10.244.0.4       docker-master1   <none>
    etcd-docker-master1                      1/1     Running   1          9d      192.168.20.210   docker-master1   <none>
    kube-apiserver-docker-master1            1/1     Running   2          9d      192.168.20.210   docker-master1   <none>
    kube-controller-manager-docker-master1   1/1     Running   2          9d      192.168.20.210   docker-master1   <none>
    kube-flannel-ds-amd64-c7wz6              1/1     Running   0          9d      192.168.20.213   docker-slave1    <none>
    kube-flannel-ds-amd64-hqvz9              1/1     Running   0          9d      192.168.20.214   docker-slave2    <none>
    kube-flannel-ds-amd64-w7n4s              1/1     Running   2          9d      192.168.20.210   docker-master1   <none>
    kube-proxy-8gj2w                         1/1     Running   1          9d      192.168.20.210   docker-master1   <none>
    kube-proxy-mt6dk                         1/1     Running   0          9d      192.168.20.213   docker-slave1    <none>
    kube-proxy-qtxz7                         1/1     Running   0          9d      192.168.20.214   docker-slave2    <none>
    kube-scheduler-docker-master1            1/1     Running   2          9d      192.168.20.210   docker-master1   <none>
    kubernetes-dashboard-5f864b6c5f-5s2rw    1/1     Running   0          5d21h   10.244.3.9       docker-slave2    <none>

    # 2. On docker-slave2, find the kubernetes-dashboard container ID
    [root@docker-slave2 ~]# docker ps | grep dashboard
    384d9dc0170b registry.cn-hangzhou.aliyuncs.com/kube_containers/kubernetes-dashboard-amd64 "/dashboard --insecu…" 5 days ago Up 44 hours k8s_kubernetes-dashboard_kubernetes-dashboard-5f864b6c5f-5s2rw_kube-system_94c8c50b-f484-11e8-80e8-000c29c3dca5_0

    # 3. Find the host directory that is mounted as the container's certs directory
    [root@docker-slave2 ~]# docker inspect -f {{.Mounts}} 384d9dc0170b
    "Mounts": [
        {
            "Type": "bind",
            "Source": "/var/lib/kubelet/pods/94c8c50b-f484-11e8-80e8-000c29c3dca5/volumes/kubernetes.io~empty-dir/tmp-volume",
            "Destination": "/tmp",
            "Mode": "",
            "RW": true,
            "Propagation": "rprivate"
        },
        {
            "Type": "bind",
            "Source": "/var/lib/kubelet/pods/94c8c50b-f484-11e8-80e8-000c29c3dca5/volumes/kubernetes.io~secret/kubernetes-dashboard-token-tbctd",
            "Destination": "/var/run/secrets/kubernetes.io/serviceaccount",
            "Mode": "ro",
            "RW": false,
            "Propagation": "rprivate"
        },
        {
            "Type": "bind",
            "Source": "/var/lib/kubelet/pods/94c8c50b-f484-11e8-80e8-000c29c3dca5/etc-hosts",
            "Destination": "/etc/hosts",
            "Mode": "",
            "RW": true,
            "Propagation": "rprivate"
        },
        {
            "Type": "bind",
            "Source": "/var/lib/kubelet/pods/94c8c50b-f484-11e8-80e8-000c29c3dca5/containers/kubernetes-dashboard/0e84c511",
            "Destination": "/dev/termination-log",
            "Mode": "",
            "RW": true,
            "Propagation": "rprivate"
        },
        {
            "Type": "bind",
            "Source": "/var/lib/kubelet/pods/94c8c50b-f484-11e8-80e8-000c29c3dca5/volumes/kubernetes.io~secret/kubernetes-dashboard-certs",
            "Destination": "/certs",
            "Mode": "ro",
            "RW": false,
            "Propagation": "rprivate"
        }
    ],

    # 4. A private certificate is used here; generate the dashboard certificate
    openssl genrsa -des3 -passout pass:x -out dashboard.pass.key 2048
    openssl rsa -passin pass:x -in dashboard.pass.key -out dashboard.key
    openssl req -new -key dashboard.key -out dashboard.csr
    openssl x509 -req -sha256 -days 365 -in dashboard.csr -signkey dashboard.key -out dashboard.crt

    # 5. Put the generated dashboard.crt and dashboard.key into the host Source directory that backs certs
    scp dashboard.crt dashboard.key 192.168.20.214:/var/lib/kubelet/pods/94c8c50b-f484-11e8-80e8-000c29c3dca5/volumes/kubernetes.io~secret/kubernetes-dashboard-certs

    # 6. Restart the kubernetes-dashboard container
    docker restart 384d9dc0170b

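After these steps the kubernetes-dashboard web UI is accessible. Because a private certificate is used, the browser still warns about an insecure connection, and an exception has to be added.

2. Using API Server

On our physical machine, opening https://192.168.20.210:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ in Chrome returns the following error: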

    {
      "kind": "Status",
      "apiVersion": "v1",
      "metadata": {

      },
      "status": "Failure",
      "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:anonymous\" cannot get resource \"services/proxy\" in API group \"\" in the namespace \"kube-system\"",
      "reason": "Forbidden",
      "details": {
        "name": "https:kubernetes-dashboard:",
        "kind": "services"
      },
      "code": 403
    }

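The reason is that kube-apiserver uses TLS authentication, while the browser on our real physical machine accesses the Dashboard with an anonymous certificate (because it has no usable certificate), so authorization fails and access is denied. The official solution is to convert the kubelet certificate into one the browser can use and then import it into the browser. However, this method currently does not seem to apply to clusters installed with kubeadm; see: https://github.com/opsnull/follow-me-install-kubernetes-cluster/issues/5 . It seems that the browser, whether on the physical machine or on a K8S node, needs to import this certificate; there is no solution for now.

3. Using kubectl proxy

Here I mainly introduce the most convenient method, kubectl proxy. On the Master, run nohup kubectl proxy &, then access the Dashboard at the following address:

    http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy

The limitation is that it can only be accessed on the Master, which is clearly a pitfall; our goal is to access the Master's Dashboard from our real physical machine.

So, on the master node, we run nohup kubectl proxy --address=192.168.20.210 --disable-filter=true & to start the proxy.

Where:

  • address means that the outside world can use 192.168.20.210 to access the Dashboard; we could also use 0.0.0.0
  • disable-filter=true disables request filtering; otherwise our requests are rejected with Forbidden (403) Unauthorized
  • We can also specify the port; see kubectl proxy --help for details

The proxy now listens on port 8001 of the Master by default.

We can then reach the login screen at the following address:

    http://192.168.20.210:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login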
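
Started with a routable --address and --disable-filter=true, kubectl proxy forwards every request it receives to the API server with the credentials of the kubeconfig it was launched under, so any host that can reach port 8001 acts as that user without authenticating. The check below is an added example (not part of the original post) that flags such proxy processes from a process listing; the sample lines and PIDs are constructed.

```bash
# Added example, not from the original post. Input format is that of
#   ps -eo pid=,args=
# Flags kubectl proxy processes bound to a non-loopback --address or started
# with --disable-filter. Prints "<pid> OK" or "<pid> EXPOSED <reasons>".
audit_kubectl_proxy() {
  awk '
    {
      k = 0; isproxy = 0; nofilter = 0
      addr = "127.0.0.1"                       # kubectl proxy default binding
      for (i = 2; i <= NF; i++) {
        if ($i ~ /(^|\/)kubectl$/)  k = 1
        if (k && $i == "proxy")     isproxy = 1
        if ($i ~ /^--address=/)     addr = substr($i, 11)
        else if ($i == "--address") addr = $(i+1)
        if ($i ~ /^--disable-filter(=true)?$/) nofilter = 1
      }
      if (!isproxy) next
      reasons = ""
      if (addr != "127.0.0.1" && addr != "localhost" && addr != "::1")
        reasons = reasons " listens-on=" addr
      if (nofilter) reasons = reasons " filter-disabled"
      print $1, (reasons == "" ? "OK" : "EXPOSED") reasons
    }'
}

# Constructed sample: the two proxy invocations from this article plus kubelet.
SAMPLE_PS='4100 kubectl proxy
4242 kubectl proxy --address=192.168.20.210 --disable-filter=true
4300 /usr/bin/kubelet --config=/var/lib/kubelet/config.yaml'

audit_sample() { printf '%s\n' "$SAMPLE_PS" | audit_kubectl_proxy; }

audit_sample
# On a live master: ps -eo pid=,args= | audit_kubectl_proxy
```

Leaving the proxy on its default 127.0.0.1 binding and reaching it through SSH local port forwarding from the physical machine gives the same remote access without opening port 8001 to the network.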
