一、准备dashboard使用的证书

# cd /etc/kubernetes/pki/

pki]# (umask 077; openssl genrsa -out dashboard.key 2048)

pki]# openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=dongfei/CN=dashboard"

pki]# openssl x509 -req -in dashboard.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dashboard.crt -days 365

pki]# kubectl create secret generic dashboard-cert -n kube-system --from-file=dashboard.crt=./dashboard.crt --from-file=dashboard.key=./dashboard.key

二、部署dashboard

# docker pull k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1

# ------------------- Dashboard Secret ------------------- #

apiVersion: v1

kind: Secret

metadata:

  labels:

    k8s-app: kubernetes-dashboard

  name: kubernetes-dashboard-certs

  namespace: kube-system

type: Opaque

---

# ------------------- Dashboard Service Account ------------------- #

apiVersion: v1

kind: ServiceAccount

metadata:

  labels:

    k8s-app: kubernetes-dashboard

  name: kubernetes-dashboard

  namespace: kube-system

---

# ------------------- Dashboard Role & Role Binding ------------------- #

kind: Role

apiVersion: rbac.authorization.k8s.io/v1

metadata:

  name: kubernetes-dashboard-minimal

  namespace: kube-system

rules:

  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.

- apiGroups: [""]

  resources: ["secrets"]

  verbs: ["create"]

  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.

- apiGroups: [""]

  resources: ["configmaps"]

  verbs: ["create"]

  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.

- apiGroups: [""]

  resources: ["secrets"]

  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]

  verbs: ["get", "update", "delete"]

  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.

- apiGroups: [""]

  resources: ["configmaps"]

  resourceNames: ["kubernetes-dashboard-settings"]

  verbs: ["get", "update"]

  # Allow Dashboard to get metrics from heapster.

- apiGroups: [""]

  resources: ["services"]

  resourceNames: ["heapster"]

  verbs: ["proxy"]

- apiGroups: [""]

  resources: ["services/proxy"]

  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]

  verbs: ["get"]

---

apiVersion: rbac.authorization.k8s.io/v1

kind: RoleBinding

metadata:

  name: kubernetes-dashboard-minimal

  namespace: kube-system

roleRef:

  apiGroup: rbac.authorization.k8s.io

  kind: Role

  name: kubernetes-dashboard-minimal

subjects:

- kind: ServiceAccount

  name: kubernetes-dashboard

  namespace: kube-system

---

# ------------------- Dashboard Deployment ------------------- #

kind: Deployment

apiVersion: apps/v1

metadata:

  labels:

    k8s-app: kubernetes-dashboard

  name: kubernetes-dashboard

  namespace: kube-system

spec:

  replicas: 1

  revisionHistoryLimit: 10

  selector:

    matchLabels:

      k8s-app: kubernetes-dashboard

  template:

    metadata:

      labels:

        k8s-app: kubernetes-dashboard

    spec:

      containers:

      - name: kubernetes-dashboard

        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1

        ports:

        - containerPort: 8443

          protocol: TCP

        args:

          - --auto-generate-certificates

          # Uncomment the following line to manually specify Kubernetes API server Host

          # If not specified, Dashboard will attempt to auto discover the API server and connect

          # to it. Uncomment only if the default does not work.

          # - --apiserver-host=http://my-address:port

        volumeMounts:

        - name: kubernetes-dashboard-certs

          mountPath: /certs

          # Create on-disk volume to store exec logs

        - mountPath: /tmp

          name: tmp-volume

        livenessProbe:

          httpGet:

            scheme: HTTPS

            path: /

            port: 8443

          initialDelaySeconds: 30

          timeoutSeconds: 30

      volumes:

      - name: kubernetes-dashboard-certs

        secret:

          secretName: kubernetes-dashboard-certs

      - name: tmp-volume

        emptyDir: {}

      serviceAccountName: kubernetes-dashboard

      # Comment the following tolerations if Dashboard must not be deployed on master

      tolerations:

      - key: node-role.kubernetes.io/master

        effect: NoSchedule

---

# ------------------- Dashboard Service ------------------- #

kind: Service

apiVersion: v1

metadata:

  labels:

    k8s-app: kubernetes-dashboard

  name: kubernetes-dashboard

  namespace: kube-system

spec:

  ports:

    - port: 443

      targetPort: 8443

  selector:

    k8s-app: kubernetes-dashboard

# kubectl apply -f kubernetes-dashboard.yaml

# kubectl get pods -n kube-system

kubernetes-dashboard-7d75c474bb-xn784   1/1     Running   0          19s
  • 修改svc服务的网络为NodePort,从而使集群外部可以访问
# kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system

# kubectl get svc -n kube-system

kubernetes-dashboard   NodePort    10.110.42.26   <none>        443:30121/TCP            7m1s

访问:https://192.168.100.51:30121

三、使用token认证

# kubectl create serviceaccount dashboard-admin -n kube-system

# kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin

# kubectl get secret -n kube-system |grep dashboard-admin

# kubectl describe secret dashboard-admin-token-5k7d7  -n kube-system

ca.crt:     1025 bytes

namespace:  11 bytes

token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tNWs3ZDciLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiYjU4MDM0NTUtYjVhNS00Mzg3LWIwYjktZTNlNGNmZGY0ZjQ4Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.YXGDW9nk-5idQUVc66-Utcsc8G_D9kX9bOnVw_cz0wujjYKxGAjMBAXQFmZcnlqBZoF4OdX2kXHmywrOI-Y346SE2632UVHGrwoxdvsYRFFlteRvUTyeTqvaogt0xeWmSmvLnxN5JSol-SDbx7v14RHsR-_BMKZdeXUk8EDAFUJIEy6SSYaViyCP19kg2pyjZkk3C4K0zhZhb5zRrVrWV55OPLsMUae8B-VzmVPQ0sI7xnffdLgC0Vo1tV8-QdVGPHyKD4I8k5mpPr7f83Laz97hlElj7j09RPjAzm-8fh6btM2SlV4ZHzPEmMfsvzh8x3d5OJU6ZZ-pczQRCtwp3g

将此token复制到页面的令牌认证页

四、使用kubeconfig认证

  • 使用token做kubeconfig
# kubectl create serviceaccount def-ns-admin -n default

~]# kubectl get secret |grep def-ns-admin

def-ns-admin-token-m57kk   kubernetes.io/service-account-token   3      10m

~]# DEF_NS_ADMIN_SECRET=$(kubectl get secret def-ns-admin-token-m57kk -o jsonpath={.data.token} |base64 -d)

~]# kubectl config set-credentials def-ns-admin --token=$DEF_NS_ADMIN_SECRET --kubeconfig=/root/def-ns-admin.conf

~]# kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin --kubeconfig=/root/def-ns-admin.conf

~]# kubectl config use-context def-ns-admin@kubernetes --kubeconfig=/root/def-ns-admin.conf

~]# kubectl config view --kubeconfig=/root/def-ns-admin.conf
  • 使用证书做kubeconfig
# cd /etc/kubernetes/pki/

pki]# kubectl config set-cluster kubernetes --certificate-authority=./ca.crt --server="https://192.168.100.51:6443" --embed-certs=true --kubeconfig=/root/def-ns-admin.conf

11、kubernetes之dashboard的更多相关文章

  1. 一文吃透如何部署kubernetes之Dashboard

    kubernetes Dashboard是什么? Dashboard是kubernetes的Web GUI,可用于在kubernetes集群上部署容器化应用,应用排错,管理集群本身及其附加的资源等,它 ...

  2. Helm 安装部署Kubernetes的dashboard

    Kubernetes Dashboard 是 k8s集群的一个 WEB UI管理工具,代码托管在 github 上,地址:https://github.com/kubernetes/dashboard ...

  3. Kubernetes 配置管理 Dashboard(十三)

    目录 一.安装配置 1.1 下载 镜像 1.2.安装 1.3.修改 NodePort 二.配置授权 Kubernetes 所有的操作我们都是通过命令行工具 kubectl 完成的.为了提供更丰富的用户 ...

  4. Kubernetes之dashboard

    部署dashboard $ wget https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommen ...

  5. Kubernetes及Dashboard详细安装配置(Ubuntu14.04)

    前些日子部门计划搞并行开发,需要对开发及测试环境进行隔离,所以打算用kubernetes对docker容器进行版本管理,搭建了下Kubernetes集群,过程如下: 本流程使用了阿里云加速器,配置流程 ...

  6. Kubernetes 学习11 kubernetes ingress及ingress controller

    一.上集回顾 1.Service 3种模型:userspace,iptables,ipvs 2.Service类型 ClusterIP,NodePort NodePort:client -> N ...

  7. kubernetes安装dashboard步骤 【h】

    本篇文章参考kubernetes---dashboardv1.8.3版本安装详细步骤及 kubernetes-dashboard(1.8.3)部署与踩坑这两篇文章,详细写了自己部署过程中的操作.遇到的 ...

  8. K8S从入门到放弃系列-(11)kubernetes集群网络Calico部署

    摘要: 前面几个篇幅,已经介绍master与node节点集群组件部署,由于K8S本身不支持网络,当 node 全部启动后,由于网络组件(CNI)未安装会显示为 NotReady 状态,需要借助第三方网 ...

  9. kubernetes搭建dashboard报错

    warningconfigmaps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard&qu ...

随机推荐

  1. 第二十一篇 jQuery 学习3 特效效果

    jQuery 学习3   这节课主要是学习jQuery的动态效果. show()和hide()显示与隐藏方法,toggle()方法,fadeIn()谈入,fadeOut()谈出,slideDown() ...

  2. 谷歌浏览器(Chrome)离线包的下载方法!

    谷歌浏览器(Chrome)其实可以下载离线包,用离线包安装的好处,就是一次获得全部安装文件,不需要漫长的在线下载过程了! 下载地址:https://www.google.com/chrome/eula ...

  3. Linux安装Redis、PHP安装Redis扩展模块

    Redis的官方下载: http://redis.io/download   步骤一:下载安装包  步骤二:编译源程序  步骤三:移动文件.便于管理  步骤四:启动 Redis服务  查看是否启动成功 ...

  4. Nginx默认配置语法

    Nginx默认配置语法 1. 我们进入  /etc/nginx/目录下,打开  nginx.conf文件 2. 我们来解析下 这里面标签和各模块的作用 # 设置nginx服务的系统使用用户 user ...

  5. Android系统分析之Audio音频流, 音频策略, 输出设备之间的关系

    音频流, 音频策略, 输出设备之间的关系 只针对 AudioManager.STREAM_VOICE_CALL 音频流类型进行分析 涉及到的类: hardware/libhardware_legacy ...

  6. 韦东山嵌入式Linux学习笔记01--转载: 板子ping不通PC怎么办

    请参考链接:https://blog.csdn.net/u013490896/article/details/71250060 我的环境: window 10 jz2440 v3 我采用的连接方式如下 ...

  7. Windows 聚焦的锁屏壁纸设置为桌面壁纸

    需求: Windows的锁屏壁纸偶尔遇到非常喜欢的壁纸,想设置为桌面壁纸. 步骤如下: 1. “Windows 聚焦”的锁屏壁纸都保存在隐藏文件夹 --- Assets里. a. 打开“资源管理器 b ...

  8. 小程序UI设计之-介绍篇

    工具截图 此工具通过可视化操作进行布局,依据iphone6尺寸设置画布,可以自动生成rpx和百分比的wxss.后续还会增加js代码自动生成.工具中组件按照微信小程序开发规范进行了缺省设置,margin ...

  9. Kattis - bitwise Bitwise (RMQ+尺取+树上dfs)

    题意:有一个长度为n的序列,让你把它分成k段,段内元素取or,段间取and,求能够得到的最大值. 这个算法是我和xz场上yy出来的,然而时间不够了没写出来,而且时间复杂度是$O(nlogn+nlogA ...

  10. 查看Spring MVC 父容器和子容器的对象的实例

    话不多说,直接上案例 package com.oukele.web; import org.springframework.beans.factory.annotation.Autowired; im ...