Install K8S dashboard with ingress

k8s

字数统计: 1,479阅读时长: 8 min

 2019/03/15   Share

安装 kubernetes dashboard（仪表盘）同时开启 ingress

Kubernetes Dashboard是Kubernetes集群的基于Web的通用UI。它允许用户管理在群集中运行的应用程序并对其进行故障排除，以及管理群集本身。

Step1: 为 dashboard 创建 service account

我们创建一个命名空间在 kube-system 中，名为 kubernetes-dashboard 的 Service Account:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubernetes-dashboard
  namespace: kube-system

Step2: 为 dashboard设置 RBAC

我们创建一个 ClusterRoleBinding 用于关联我们创建好的 Service Account，并且给他赋予操纵整个集群的功能:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

注意： ClusterRoleBinding 的 apiVersion 在不同的 kubernetes 版本可能略有不同，在 v1.8之前的集群他们的apiVersion 为 rbac.authorization.k8s.io/v1beta1 。

如果你并不想给 dashboard 那么大的权限，你可以根据官方的 YAML 文件进行修改：k8s dashboard deploy yaml

Step3: 为 dashboard 生成 Secret

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque

Step4：为 dashboard 编写 Deployment

开启TLS认证（强烈推荐！非常安全！）

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --auto-generate-certificates
          # Uncomment the following line to manually specify Kubernetes API server Host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          # - --apiserver-host=http://my-address:port
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master

这里dashboard 网页默认开启TLS 认证，如果你不想使用TLS认证并且使其在内网使用，你需要像下面这样设置：

关闭 TLS 与认证（不推荐）

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
        ports:
        - containerPort: 9090
          protocol: TCP
        # 关闭 TLS 认证 将端口设置为 9090 并且关闭自动生成的认证功能
        # args:
          # - --auto-generate-certificates
          # Uncomment the following line to manually specify Kubernetes API server Host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          # - --apiserver-host=http://my-address:port
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master

如果这么设置你的 dashboard 将不会进行认证，请谨慎使用！

Step5: 为 dashboard 创建 Service

开启TLS 认证情况：

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
    - port: 80
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard

关闭 TLS 认证情况（不推荐）：

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
    - port: 80
      targetPort: 9090
  selector:
    k8s-app: kubernetes-dashboard

Step6: 为 dashboard 创建 ingress

6.1 生成证书:

这里我推荐使用 Free SSL 提供的免费 TLS 证书，直接通过 DNS 解析获取证书，而且各种浏览器都是小绿锁。

6.2 上传证书到集群:

在证书的文件夹里存在 full_chain.pem, private.key 两个文件，一个是公钥，一个是私钥

6.3 为创建 `TLS` 类型的 `Secret`:

在终端中执行：

1	$ kubectl create secret -n kube-system tls dashboard-tls --key private.key --cert full_chain.pem

6.4 创建 Ingress

开启 TLS 情况：

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: dashboard-ingress
  namespace: kube-system
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /
    #nginx.ingress.kubernetes.io/secure-backends: "true"  该注释在0.18.0中被弃用，并在0.20.0发布后被删除，使用下面
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
    - dashboard.example.top
    secretName: dashboard-tls
  rules:
  - host: dashboard.example.top
    http:
      paths:
      - backend:
          serviceName: kubernetes-dashboard
          servicePort: 80

这里我的 ingress-controller 使用的是 ingress-nginx，由于 dashboard 暴露的 8443 端口本身就开启了TLS,因此需要设置以下 ingress-nginx 参数用于重定向 TLS,不然容易导致 Pod 无法对外部提供服务的问题：

annotations:
  nginx.ingress.kubernetes.io/ssl-redirect: "true"
  nginx.ingress.kubernetes.io/rewrite-target: /
  nginx.ingress.kubernetes.io/secure-backends: "true"

关闭 TLS 情况（不推荐）：

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: dashboard-ingress
  namespace: kube-system
spec:
  rules:
  - host: dashboard.example.top
    http:
      paths:
      - backend:
          serviceName: kubernetes-dashboard
          servicePort: 80

Step7: 查找 dashboard 登录 Token

在终端中输入：

1	$ kubectl get secret -n kube-system \| grep kubernetes-dashboard

你会看见如下输出：

1
2
3

kubernetes-dashboard-certs                       Opaque                                0      34h
kubernetes-dashboard-key-holder                  Opaque                                2      37h
kubernetes-dashboard-token-xxxxxx                kubernetes.io/service-account-token   3      34h

获取 Token：

1	$ kubectl -n kube-system describe secret kubernetes-dashboard-token-xxxxx

你会看见如下输出：

Name:         kubernetes-dashboard-token-qnwp5
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: kubernetes-dashboard
              kubernetes.io/service-account.uid: c106fd9e-4614-11e9-81b0-525400ea5ba6

Type:  kubernetes.io/service-account-token

Data
====
namespace:  11 bytes
token:      asdasdasdasdasdasdasdasd
ca.crt:     1025 bytes

那么 token 对应的就是你登录 dashboard 需要的 token 。

或者直接通过下面的命令实现token获取：

1	$ kubectl -n kube-system describe secrets kubernetes-dashboard-token \|awk -F'token: ' 'NR==13 { print $2 }'

至此，dashboard 搭建完毕!

本文代码地址：https://github.com/Mr-Linus/k8s-example/tree/master/dashboard

原文作者：Linus Lee

原文链接：http://note.run-linux.com/2019/03/15/Install-K8S-dashboard/

发表日期：March 15th 2019, 10:28:38 pm

更新日期：August 8th 2019, 10:36:56 pm

Next Post

Install Helm for k8s
Previous Post

Install a single master K8S cluster with kubeadm

CATALOG

1. 安装 kubernetes dashboard（仪表盘）同时开启 ingress



缺失模块。
1、请确保node版本大于6.2
2、在博客根目录（注意不是archer根目录）执行以下命令：
npm i hexo-generator-json-content --save
3、在根目录_config.yml里添加配置：

jsonContent:
  meta: false
  pages: false
  posts:
    title: true
    date: true
    path: true
    text: false
    raw: false
    content: false
    slug: false
    updated: false
    comments: false
    link: false
    permalink: false
    excerpt: false
    categories: true
    tags: true