二进制安装k8s集群(15)-安装kube-dashboard
在上一篇文章里我们主要介绍安装k8s集群内的基础服务coredns,这里我们继续介绍安装k8s集群内基础服务kube-dashboard,这个基础服务也创建在kube-system namesapce里,是以deployment的方式运行。image镜像从我们的private repo pull来(以前文章里介绍过harbor private repo的创建,以及镜像的push和pull)。当然原始image来源于官方的k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1,不过要下载它需要访问国外网站。
创建配置文件目录:
由于kube-dashboard是以deployment的方式部署在k8s集群里的,一般都会有yaml部署文件,目前都放在此目录里。
mkdir -p /opt/application/k8s/kube-dashboard
cd /opt/application/k8s/kube-dashboard
创建kube-dashboard的service-account:
kube-dashboard需要访问kube-apiserver来得到集群中的对象资源,从而展示在UI上。对于资源访问,k8s有自己的策略,这里给kube-dashboard创建单独的service-account,cluster-role-binding。这里就不详细展开,有兴趣的同学可以看一下k8s的RBAC访问策略。
cat > /opt/application/k8s/kube-dashboard/kube-dashboard-service-account.yaml <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
name: serviceaccount-kube-dashboard
namespace: kube-system
imagePullSecrets:
- name: container-registry
EOF
kubectl create -f /opt/application/k8s/kube-dashboard/kube-dashboard-service-account.yaml
kubectl describe serviceaccount serviceaccount-kube-dashboard -n kube-system
创建kube-dasboard的cluster-role-binding:
这里为了方便,我们绑定k8s集群内置的cluster-admin账号。注意账户cluster-admin的权限比较大(从名字里就可以看出来),对于实际应用请根据自身需求看是否创建cluster-role或者role来绑定给service-account。
cat > /opt/application/k8s/kube-dashboard/kube-dashboard-cluster-role-binding.yaml <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-role-binding-kube-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: serviceaccount-kube-dashboard
namespace: kube-system
EOF
kubectl create -f /opt/application/k8s/kube-dashboard/kube-dashboard-cluster-role-binding.yaml
kubectl describe clusterrolebinding cluster-role-binding-kube-dashboard -n kube-system
创建kube-dasboard的证书secret:
kube-dasboard是需要被外部访问的,我们这里开启了ssl,那么就必须给kube-dasboard配置ssl证书。这里的证书以secret的形式存储在k8s里,然后挂载给kube-dasboard容器作为配置使用。当然请提前制作好相关证书,可以参考以前文章里制作server的证书。
kubectl create secret generic kube-dashboard-cert-secret --namespace=kube-system \
--from-file=kube-dashboard.key=/opt/sw/cert/k8sdashboard-server.key \
--from-file=kube-dashboard.crt=/opt/sw/cert/k8sdashboard-server.crt
kubectl describe secret kube-dashboard-cert-secret -n kube-system
创建kube-dasboard的kubeconfig文件secret:
kube-dashboard需要访问kube-apiserver来得到集群中的对象资源,我们的kube-apiserver的访问需要kubeconfig文件。这里我们提前制作好(可以参考以前文章里安装kubectl的时候制作kubeconfig文件),然后以secret的形式存储在k8s里,挂载给kube-dasboard容器作为配置使用。
kubectl config --kubeconfig /etc/kubernetes/kubeconfig/config-contains-cert set-cluster k8s-cluster-one --server=https://172.20.11.41:6443 --certificate-authority=/etc/kubernetes/kubeconfig/cert/ca.crt --embed-certs=true
kubectl config --kubeconfig /etc/kubernetes/kubeconfig/config-contains-cert set-credentials k8s-access-user-with-cert --client-certificate=/etc/kubernetes/kubeconfig/cert/k8sapiserver-client.crt --client-key=/etc/kubernetes/kubeconfig/cert/k8sapiserver-client.key --embed-certs=true
kubectl config --kubeconfig /etc/kubernetes/kubeconfig/config-contains-cert set-context context-one --cluster=k8s-cluster-one --user=k8s-access-user-with-cert
kubectl config --kubeconfig /etc/kubernetes/kubeconfig/config-contains-cert use-context context-one
kubectl create secret generic kube-dashboard-apiserver-access-secret --namespace=kube-system \
--from-file=kubeconfig=/etc/kubernetes/kubeconfig/config-contains-cert
kubectl describe secret kube-dashboard-apiserver-access-secret -n kube-system
创建kube-dashboard的deployment:
kube-dashboard的配置很多,在这里不逐一介绍了,有兴趣的同学请参考kube-dashboard的配置文档。https://github.com/kubernetes/dashboard/blob/master/docs/common/dashboard-arguments.md
cat > /opt/application/k8s/kube-dashboard/kube-dashboard-deployment.yaml <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
name: deployment-kube-dashboard
namespace: kube-system
spec:
selector:
matchLabels:
k8s-app: kube-dashboard
template:
metadata:
labels:
k8s-app: kube-dashboard
spec:
serviceAccountName: serviceaccount-kube-dashboard
containers:
- name: kube-dashboard
image: 172.20.11.41:1034/infra/kubernetes-dashboard-adm64:latest
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8443
protocol: TCP
args:
- --kubeconfig=/config/kubeconfig
- --default-cert-dir=/certs
- --tls-cert-file=kube-dashboard.crt
- --tls-key-file=kube-dashboard.key
volumeMounts:
- name: kube-dashboard-certs
mountPath: /certs
- name: tmp-volume
mountPath: /tmp
- name: kube-apiserver-access-config
mountPath: /config
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 60
timeoutSeconds: 30
volumes:
- name: kube-dashboard-certs
secret:
secretName: kube-dashboard-cert-secret
- name: kube-apiserver-access-config
secret:
secretName: kube-dashboard-apiserver-access-secret
- name: tmp-volume
emptyDir: {}
EOF
kubectl create -f /opt/application/k8s/kube-dashboard/kube-dashboard-deployment.yaml
kubectl describe deployment deployment-kube-dashboard -n kube-system
创建kube-dashboard的service:
这里把service定义成node-port类型,以node port的方式提供给外部访问。node port定义为9092,同时也请打开9092的防火墙端口(可以参考以前文章如何打开某个端口)。
cat > /opt/application/k8s/kube-dashboard/kube-dashboard-service.yaml <<EOF
apiVersion: v1
kind: Service
metadata:
name: service-kube-dashboard
namespace: kube-system
spec:
selector:
k8s-app: kube-dashboard
type: NodePort
ports:
- name: kube-dashboard-https
nodePort: 9092
port: 443
targetPort: 8443
protocol: TCP
EOF
kubectl create -f /opt/application/k8s/kube-dashboard/kube-dashboard-service.yaml
kubectl describe service service-kube-dashboard -n kube-system
查看kube-dashboard在集群中的pod:
kubectl get pods -n kube-system|grep dashboard
访问kube-dashboard
kube-dashboard的访问需要token,我们可以通过kubectl命令得到kube-dashboard的service-account token,从而访问kube-dashboard。当然,kube-dashboard接受的token为base64格式,所以在得到token的时候将其转换为base64格式。
获取kube-dashboard相关service-account的token:
kubectl get secret -n kube-system|grep serviceaccount-kube-dashboard
kubectl get secret serviceaccount-kube-dashboard-token-kc9sg -o jsonpath={.data.token} -n kube-system | base64 -d
访问kube-dashboard:
检查kube-dasboard access token:
本质上kube-dashboard access token是一个jwt,我们可以在工具网站https://jwt.io/上查看这个jwt。
