Tutorial: Deploying kubernetes-dashboard on TKE (Tencent Kubernetes Engine)

Original article by 马凌鑫, last modified 2018-10-25 11:23:23

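The TKE console currently does not support displaying objects such as Job, Pod, and CronJob. If you need to view these object types through a web interface, you can install the k8s dashboard UI yourself.

The paragraph above is quoted from "Installing the dashboard UI in a Tencent Cloud container service cluster", but I tried that procedure and it did not work, so I am publishing this updated article.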

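Background

There are currently two ways to set up the dashboard:

One has no security settings: a single kubectl create -f . starts a UI you can access.

The other is accessed over HTTPS; it requires you to create a certificate first and is more involved.

I will cover both. Choose whichever fits your needs.

The official recommendation is to access the dashboard over HTTPS.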


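Setup

Certificates

  • Generate certificates. 1. Public trusted CA. 2. Self-signed certificate.

Applying for a certificate from a public CA is not covered here; please look it up yourself.

Self-signed certificate:

Creating an SSL certificate requires a private key and a certificate signing request (CSR). Both can be generated with a few simple commands. When the openssl req command asks for a "password", just press Enter to leave the password empty.

Generate the private key and certificate signing request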

$ openssl genrsa -des3 -passout pass:x -out dashboard.pass.key 2048
Generating RSA private key, 2048 bit long modulus
...................................................................................................................+++
................................................................................................+++
e is 65537 (0x10001)
$ openssl rsa -passin pass:x -in dashboard.pass.key -out dashboard.key
# Writing RSA key
$ rm dashboard.pass.key
$ openssl req -new -key dashboard.key -out dashboard.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# Just press Enter at every prompt above. This is for testing, so the details do not matter.

Generate the SSL certificate

The self-signed SSL certificate is generated from the dashboard.key private key and the dashboard.csr file.

$ openssl x509 -req -sha256 -days 365 -in dashboard.csr -signkey dashboard.key -out dashboard.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd
Getting Private key
$ ls
dashboard.crt  dashboard.csr  dashboard.key

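The dashboard.crt file is the certificate suitable for use with the Dashboard, together with the dashboard.key private key.

Create the secret

--from-file=$HOME/certs is the directory where the certificate files are located.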

$ kubectl create secret generic kubernetes-dashboard-certs --from-file=$HOME/certs -n kube-system
secret "kubernetes-dashboard-certs" created
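
The interactive steps above leave the subject at its defaults, so the certificate names no host. The following added example (not part of the original article) builds the same key and certificate pair non-interactively with the address you will browse to as CN and subject alternative name, then checks the pair before it is loaded into the secret; the function names and the 203.0.113.10 address are assumptions.

```shell
#!/bin/sh
# Added example, not from the article. Handles IPv4 literals and hostnames only.

is_ipv4() { case $1 in *[!0-9.]*) return 1 ;; *) return 0 ;; esac; }

# make_dashboard_cert DIR NAME: writes DIR/dashboard.key and DIR/dashboard.crt
# (RSA 2048, SHA-256, 365 days, as in the article) with NAME as CN and SAN.
make_dashboard_cert() {
  dir=$1; name=$2
  if is_ipv4 "$name"; then san="IP:$name"; else san="DNS:$name"; fi
  mkdir -p "$dir" && chmod 700 "$dir" || return 1
  ( umask 077   # private key is created readable by the owner only
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
      -subj "/CN=$name" -addext "subjectAltName=$san" \
      -keyout "$dir/dashboard.key" -out "$dir/dashboard.crt" )
}

# check_dashboard_cert DIR NAME: succeeds only if the key belongs to the
# certificate, the certificate has not expired, and it is valid for NAME.
check_dashboard_cert() {
  dir=$1; name=$2
  crt_pub=$(openssl x509 -in "$dir/dashboard.crt" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$dir/dashboard.key" -pubout) || return 1
  [ "$crt_pub" = "$key_pub" ] || { echo "key/cert mismatch" >&2; return 1; }
  openssl x509 -in "$dir/dashboard.crt" -noout -checkend 0 >/dev/null ||
    { echo "certificate expired" >&2; return 1; }
  if is_ipv4 "$name"; then opt=-checkip; else opt=-checkhost; fi
  openssl x509 -in "$dir/dashboard.crt" -noout "$opt" "$name" |
    grep -q "does match certificate" ||
    { echo "certificate is not valid for $name" >&2; return 1; }
}

# Usage (203.0.113.10 is a placeholder address):
#   make_dashboard_cert "$HOME/certs" 203.0.113.10 &&
#   check_dashboard_cert "$HOME/certs" 203.0.113.10 &&
#   kubectl create secret generic kubernetes-dashboard-certs \
#     --from-file="$HOME/certs" -n kube-system
```

A browser will still report a self-signed certificate as untrusted until it is imported as trusted, but the name in it now matches the address being visited.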

Create the dashboard pod

Next comes the deployment step. The official approach is a direct kubectl apply -f:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

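However, this does not work in China, so I made modified copies: kubernetes-dashboard-nodeport.yaml exposes the dashboard through a NodePort, and kubernetes-dashboard-LoadBalancer.yaml exposes it through a load balancer.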

$ kubectl create -f  kubernetes-dashboard-LoadBalancer.yaml
serviceaccount "kubernetes-dashboard" created
role.rbac.authorization.k8s.io "kubernetes-dashboard-minimal" created
rolebinding.rbac.authorization.k8s.io "kubernetes-dashboard-minimal" created
deployment.apps "kubernetes-dashboard" created
service "kubernetes-dashboard" created

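The YAML file used here is the official one; only the image, the Service, and the Secret were changed (the Secret is commented out because it was already created above).

image: hub.tencentyun.com/malingxin/kubernetes-dashboard-amd64:v1.10.0

Check the dashboard's running status and its svc: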

$ kubectl get -n kube-system  pod -l k8s-app=kubernetes-dashboard
NAME                                    READY     STATUS    RESTARTS   AGE
kubernetes-dashboard-78c46b977d-tckf5   1/1       Running   0          33s
$ kubectl get -n kube-system svc -l k8s-app=kubernetes-dashboard
NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP       PORT(S)         AGE
kubernetes-dashboard   LoadBalancer   192.168.255.19   123.207.102.187   443:31734/TCP   1m

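Open https://123.207.102.187 to reach the UI; the browser will show a certificate error.

Continue past the warning and the login page asks for a token, which has to be created.

Create the token

Create the Service Account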

apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system

Create the ClusterRoleBinding

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system

Get/view the token

$ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')

Name:         admin-user-token-7jhdm
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=admin-user
              kubernetes.io/service-account.uid=49b5fdf6-d769-11e8-ba22-52540008e6f8

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1176 bytes
namespace:  11 bytes
token:      <service account bearer token (JWT) elided>

Enter the token and you are logged in.
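
The admin-user account above is bound to cluster-admin, so its token carries full control of the cluster; for the stated goal of viewing Job, Pod, and CronJob objects a read-only account is enough. This is an added example, not part of the original article: the dashboard-viewer name is hypothetical, and the manifest uses the rbac.authorization.k8s.io/v1 API rather than the v1beta1 version shown above.

```shell
#!/bin/sh
# Added example, not from the article: a read-only login account for the
# dashboard. "dashboard-viewer" is a hypothetical name.
viewer_manifest() {
cat <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-viewer
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dashboard-viewer
rules:
- apiGroups: [""]
  resources: ["pods", "namespaces"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["batch"]
  resources: ["jobs", "cronjobs"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dashboard-viewer
subjects:
- kind: ServiceAccount
  name: dashboard-viewer
  namespace: kube-system
EOF
}

# Apply the manifest, then confirm the account can read but not delete.
# "kubectl auth can-i" exits non-zero when the answer is "no".
apply_and_check() {
  sa="system:serviceaccount:kube-system:dashboard-viewer"
  viewer_manifest | kubectl apply -f - || return 1
  kubectl auth can-i list jobs.batch --as="$sa" -A || return 1
  if kubectl auth can-i delete pods --as="$sa" -A >/dev/null; then
    echo "dashboard-viewer can delete pods: binding is too broad" >&2
    return 1
  fi
}
```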

One-step install:

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

Just remember to change the image. After a successful install there is no authentication. It runs with minimal privileges.

References:

https://github.com/kubernetes/dashboard

https://github.com/kubernetes/dashboard/wiki/Installation

https://github.com/kubernetes/dashboard/wiki/Certificate-management

https://github.com/kubernetes/dashboard/wiki/Creating-sample-user

https://cloud.tencent.com/developer/article/1046647

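Original-work statement: this article is published on the Tencent Cloud Developer Community with the author's authorization and may not be reproduced without permission.

In case of infringement, contact cloudcommunity@tencent.com to have it removed.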
