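The TKE console currently does not support displaying objects such as Job, Pod, and CronJob. If you need to view these object types through a web interface, you can install the k8s dashboard UI yourself.
The paragraph above is quoted from "Installing dashboard ui in a Tencent Cloud Container Service cluster", but I tried it and it did not work, so here is an updated article.
There are currently two ways to set up this dashboard:
One has no security settings: a single kubectl create -f . starts a UI that you can access.
The other is accessed over https, which requires creating a certificate yourself first and is more complicated.
I will cover both; choose the one you need.
The official recommendation is to access the dashboard over https.
Applying for a public certificate is not covered here; please search for that yourself.
### Custom certificate:
Creating an SSL certificate requires a private key and a certificate signing request. These can be generated with a few simple commands. When the openssl req command asks for a "challenge password", just press Enter to leave the password empty.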
$ openssl genrsa -des3 -passout pass:x -out dashboard.pass.key 2048
Generating RSA private key, 2048 bit long modulus
...................................................................................................................+++
................................................................................................+++
e is 65537 (0x10001)
$ openssl rsa -passin pass:x -in dashboard.pass.key -out dashboard.key
# Writing RSA key
$ rm dashboard.pass.key
$ openssl req -new -key dashboard.key -out dashboard.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
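# Just press Enter through all of the prompts above; this is for testing, so the details do not matter.
The self-signed SSL certificate is generated from the dashboard.key private key and the dashboard.csr file.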
$ openssl x509 -req -sha256 -days 365 -in dashboard.csr -signkey dashboard.key -out dashboard.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd
Getting Private key
$ ls
dashboard.crt dashboard.csr dashboard.key
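The dashboard.crt file is the certificate to use with the Dashboard, together with the dashboard.key private key.
--from-file=$HOME/certs is the directory where the certificate files are located.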
$ kubectl create secret generic kubernetes-dashboard-certs --from-file=$HOME/certs -n kube-system
secret "kubernetes-dashboard-certs" created
Next comes the deployment step. The official method is a direct kubectl apply -f:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
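But that does not work from within China, so I modified the manifest: kubernetes-dashboard-nodeport.yaml exposes the dashboard through a NodePort, and kubernetes-dashboard-LoadBalancer.yaml exposes it through a load balancer.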
$ kubectl create -f kubernetes-dashboard-LoadBalancer.yaml
serviceaccount "kubernetes-dashboard" created
role.rbac.authorization.k8s.io "kubernetes-dashboard-minimal" created
rolebinding.rbac.authorization.k8s.io "kubernetes-dashboard-minimal" created
deployment.apps "kubernetes-dashboard" created
service "kubernetes-dashboard" created
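The yaml file used here is the official one; only the image, the service, and the Secret were modified (the Secret is commented out because it was already created earlier).
image: hub.tencentyun.com/malingxin/kubernetes-dashboard-amd64:v1.10.0
Check the dashboard's running status and its svc: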
$ kubectl get -n kube-system pod -l k8s-app=kubernetes-dashboard
NAME READY STATUS RESTARTS AGE
kubernetes-dashboard-78c46b977d-tckf5 1/1 Running 0 33s
$ kubectl get -n kube-system svc -l k8s-app=kubernetes-dashboard
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes-dashboard LoadBalancer 192.168.255.19 123.207.102.187 443:31734/TCP 1m
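Access the UI at https://123.207.102.187; the browser will show a certificate error.
Continue past the warning and you will see that a token must be entered; this has to be created.
Create the Service Account
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
```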
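Create the ClusterRoleBinding
```yaml
# Binds the admin-user ServiceAccount to the built-in cluster-admin
# ClusterRole, which grants full access to the whole cluster.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
```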
Get/view the token
$ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')
Name: admin-user-token-7jhdm
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name=admin-user
kubernetes.io/service-account.uid=49b5fdf6-d769-11e8-ba22-52540008e6f8
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1176 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLTdqaGRtIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI0OWI1ZmRmNi1kNzY5LTExZTgtYmEyMi01MjU0MDAwOGU2ZjgiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06YWRtaW4tdXNlciJ9.BzULebqkbrYgatCYWtgPO9nrgY8CmRQkMwUP_ctAmgB4ZwB-Zi4P-1tScTSqa-L0c-Du4YMuLRu4Xdv-4AgAtSR2p821lsgSVxgBt5PjHjtuB_rtWHI5GSjxqRgQugG9gyUm8NqchIi08o10TPBtLVUAmveG278tLXOFmsTDwuP0wW3eSV_QhRyFhRjAv8V756X41-0uYUIgymC3y2Ru6Zqvs0x2h7LzimmamVGRHPA0jrm92XnSRNJOqKWvfPADMyFfpEKOKZglXnTUd1Ez2dqX6xMNjniT-h23Z5O4k4kuGnGBYRSx6pzCqC96qlTEdpXSuEs-9n8-HgNCCRHQPQ
Enter the token to log in.
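
To see what a token like the one above grants, this added example (not part of the original article) decodes a token's claims and matches them against ClusterRoleBindings. The sample token and bindings are constructed, the function names are hypothetical, and only ClusterRoleBindings are considered, not namespaced RoleBindings.

```python
import base64
import json

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # JWT base64url drops the padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_cluster_roles(token, bindings):
    """Map a legacy ServiceAccount token to the ClusterRoles bound to it."""
    claims = jwt_claims(token)
    ns = claims["kubernetes.io/serviceaccount/namespace"]
    name = claims["kubernetes.io/serviceaccount/service-account.name"]
    # Every ServiceAccount is also a member of these groups.
    groups = {"system:serviceaccounts", "system:serviceaccounts:" + ns,
              "system:authenticated"}
    roles = set()
    for binding in bindings.get("items", []):
        for subj in binding.get("subjects") or []:  # subjects may be null
            is_sa = (subj.get("kind") == "ServiceAccount"
                     and (subj.get("name"), subj.get("namespace")) == (name, ns))
            is_group = subj.get("kind") == "Group" and subj.get("name") in groups
            if is_sa or is_group:
                roles.add(binding["roleRef"]["name"])
    return {"subject": claims["sub"], "roles": sorted(roles),
            "cluster_admin": "cluster-admin" in roles}

def b64url_json(obj):  # helper used only to build constructed sample tokens
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed, unsigned sample token carrying the legacy claim names.
SAMPLE_TOKEN = ".".join([b64url_json({"alg": "RS256"}), b64url_json({
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/service-account.name": "admin-user",
    "sub": "system:serviceaccount:kube-system:admin-user",
}), "constructed-signature"])

# Constructed sample shaped like `kubectl get clusterrolebindings -o json`.
SAMPLE_BINDINGS = {"items": [
    {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "admin-user",
                   "namespace": "kube-system"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "view"}, "subjects": None},
]}

if __name__ == "__main__":
    print(token_cluster_roles(SAMPLE_TOKEN, SAMPLE_BINDINGS))
```
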
One-step install:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
Just remember to change the images. Once it succeeds there is no authentication. It runs with minimal privileges.
References:
https://github.com/kubernetes/dashboard
https://github.com/kubernetes/dashboard/wiki/Installation
https://github.com/kubernetes/dashboard/wiki/Certificate-management
https://github.com/kubernetes/dashboard/wiki/Creating-sample-user
https://cloud.tencent.com/developer/article/1046647
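Original content statement: this article is published on the Tencent Cloud Developer Community with the author's authorization and may not be reproduced without permission.
In case of infringement, contact cloudcommunity@tencent.com for removal.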