Written by lyc on 2022-6-10
Kubernetes Dashboard GitHub
Kubernetes Dashboard Documentation
Deploying the Dashboard on Kubernetes (reachable from outside via a domain name)
Kubernetes in practice: restricting Dashboard access permissions
Kubernetes in practice: creating a read-only user

1. Installing Kubernetes Dashboard v2.4.0

Check the cluster version first; v1.20.6 is used here.

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.6", GitCommit:"8a62859e515889f07e3e3be6a1080413f17cf2c3", GitTreeState:"clean", BuildDate:"2021-04-15T03:28:42Z", GoVersion:"go1.15.10", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.6", GitCommit:"8a62859e515889f07e3e3be6a1080413f17cf2c3", GitTreeState:"clean", BuildDate:"2021-04-15T03:19:55Z", GoVersion:"go1.15.10", Compiler:"gc", Platform:"linux/amd64"}

Pick a version that supports this cluster from the Kubernetes Dashboard Releases page; dashboard v2.4.0 is used here.

mkdir -p /opt/kubernetes/cfg/dashboard
cd /opt/kubernetes/cfg/dashboard
# -f makes curl fail on an HTTP error instead of silently saving the error page as the manifest
curl -fsSL -o kubernetes-dashboard-v2.4.0.yaml https://raw.githubusercontent.com/kubernetes/dashboard/v2.4.0/aio/deploy/recommended.yaml
kubectl apply -f kubernetes-dashboard-v2.4.0.yaml

Check the resources that were created; both Pods should be Running and the two Services are ClusterIP only, so nothing is exposed yet:

$ kubectl get all -n kubernetes-dashboard 
NAME READY STATUS RESTARTS AGE
pod/dashboard-metrics-scraper-5b8896d7fc-cqhd7 1/1 Running 0 3h53m
pod/kubernetes-dashboard-897c7599f-wwg46 1/1 Running 0 3h53m

NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/dashboard-metrics-scraper ClusterIP 10.0.0.128 <none> 8000/TCP 3h53m
service/kubernetes-dashboard ClusterIP 10.0.0.89 <none> 443/TCP 3h53m

NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/dashboard-metrics-scraper 1/1 1 1 3h53m
deployment.apps/kubernetes-dashboard 1/1 1 1 3h53m

NAME DESIRED CURRENT READY AGE
replicaset.apps/dashboard-metrics-scraper-5b8896d7fc 1 1 1 3h53m
replicaset.apps/kubernetes-dashboard-897c7599f 1 1 1 3h53m

2. Kubernetes Dashboard Ingress

Deploy the TLS Secret

The data values are the base64 encoding of the PEM certificate and key. Use base64 -w0 (GNU coreutils) so each value is a single line rather than the wrapped output of a plain base64 call:

$ vim dashboard-secret-tls.yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: star.lyc7456.com
  namespace: kubernetes-dashboard
type: kubernetes.io/tls
data:
  tls.crt: <output of: base64 -w0 star.lyc7456.com.crt>
  tls.key: <output of: base64 -w0 star.lyc7456.com.key>

$ kubectl apply -f dashboard-secret-tls.yaml
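As an added example (not code from the original post), the shell helper below generates the same kubernetes.io/tls Secret with the certificate and key base64-encoded on one line, and refuses to build it if the files are not a PEM certificate and a PEM private key. Function names are my own, and the PEM contents it writes to a temporary directory are constructed placeholders so it runs stand-alone; point it at the real star.lyc7456.com.crt and .key when generating the manifest for the cluster.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: generate the kubernetes.io/tls
# Secret manifest with the PEM files base64-encoded on a single line, instead of
# hand-pasting `base64` output (which wraps at 76 columns by default).
set -euo pipefail

# One unwrapped base64 line; `base64 | tr -d '\n'` is portable where -w0 is not.
b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# Minimal sanity check before applying: the API server accepts any bytes in a
# kubernetes.io/tls Secret, so verify the files are a PEM certificate and key.
check_tls_pair() {
  grep -q -e '-----BEGIN CERTIFICATE-----' "$1" || return 1
  grep -q -E -e '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$2" || return 1
}

# Emit the Secret manifest for NAME in NAMESPACE from CERT_FILE and KEY_FILE.
make_tls_secret() {
  local name="$1" namespace="$2" cert_file="$3" key_file="$4"
  check_tls_pair "$cert_file" "$key_file"
  cat <<EOF
---
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${namespace}
type: kubernetes.io/tls
data:
  tls.crt: $(b64_oneline "$cert_file")
  tls.key: $(b64_oneline "$key_file")
EOF
}

# Constructed placeholder PEM files so the script runs stand-alone; point the
# call below at the real star.lyc7456.com.crt / .key for the cluster.
demo_dir="$(mktemp -d)"
cat > "$demo_dir/star.lyc7456.com.crt" <<'PEM'
-----BEGIN CERTIFICATE-----
MIIBconstructedplaceholdercertificatebody
-----END CERTIFICATE-----
PEM
cat > "$demo_dir/star.lyc7456.com.key" <<'PEM'
-----BEGIN PRIVATE KEY-----
MIIEconstructedplaceholderkeybody
-----END PRIVATE KEY-----
PEM

# Pipe into `kubectl apply -f -` instead of printing when targeting the cluster.
make_tls_secret star.lyc7456.com kubernetes-dashboard \
  "$demo_dir/star.lyc7456.com.crt" "$demo_dir/star.lyc7456.com.key"
```

The same object can also be created without editing YAML at all with kubectl create secret tls star.lyc7456.com --cert=star.lyc7456.com.crt --key=star.lyc7456.com.key -n kubernetes-dashboard; the generator is useful when the manifest is kept in version control alongside the Ingress.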

Deploy the Ingress

backend-protocol: HTTPS is required because the Dashboard container only serves TLS on 443; the proxy_ssl_* directives send the request host as SNI to that backend. The configuration-snippet annotation only takes effect if the ingress-nginx controller has allow-snippet-annotations enabled in its ConfigMap; newer controller releases turn snippets off by default, in which case the annotation is ignored or rejected and the custom log paths will not appear.

$ vim dashboard-ingress.yaml
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/enable-access-log: "true"
    nginx.ingress.kubernetes.io/configuration-snippet: |-
      proxy_ssl_server_name on;
      proxy_ssl_name $host;
      access_log /var/log/nginx/dev-k8s-cluster.lyc7456.com.access.log upstreaminfo;
      error_log /var/log/nginx/dev-k8s-cluster.lyc7456.com.error.log;
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - dev-k8s-cluster.lyc7456.com
    secretName: star.lyc7456.com
  rules:
  - host: dev-k8s-cluster.lyc7456.com
    http:
      paths:
      - path: /
        pathType: ImplementationSpecific
        backend:
          service:
            name: kubernetes-dashboard
            port:
              number: 443

Check the resource objects; the Ingress should show the controller addresses and ports 80, 443 once it has been picked up:

$ kubectl -n kubernetes-dashboard get secret,ingress
NAME TYPE DATA AGE
secret/default-token-6bgxl kubernetes.io/service-account-token 3 4h26m
secret/kubernetes-dashboard-certs Opaque 0 4h26m
secret/kubernetes-dashboard-csrf Opaque 1 4h26m
secret/kubernetes-dashboard-key-holder Opaque 2 4h26m
secret/kubernetes-dashboard-token-9n7pw kubernetes.io/service-account-token 3 4h26m
secret/star.lyc7456.com kubernetes.io/tls 2 26m

NAME CLASS HOSTS ADDRESS PORTS AGE
ingress.networking.k8s.io/kubernetes-dashboard nginx dev-k8s-cluster.lyc7456.com 192.168.100.192,192.168.100.193 80, 443 17m

3. Logging in to the Kubernetes Dashboard console

Creating sample user

dashboard-admin RBAC (administrator)

Create a dashboard-admin ServiceAccount and bind it to the built-in cluster-admin ClusterRole. Be clear about what this grants: any token issued for this ServiceAccount gives full control of every resource in the cluster, so it belongs in an administrator's hands only; for day-to-day viewing bind a more restricted role instead (see the read-only user article referenced at the top).

$ vim dashboard-admin.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-admin
  namespace: kube-system

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dashboard-admin
subjects:
- kind: ServiceAccount
  name: dashboard-admin
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

$ kubectl apply -f dashboard-admin.yaml

Retrieve the ServiceAccount token

# Get the name of the token Secret referenced by the ServiceAccount
$ kubectl -n kube-system get serviceaccount dashboard-admin -o jsonpath={.secrets[0].name}
dashboard-admin-token-8h774

# Read the token from that Secret; the value is base64-encoded (not encrypted) and must be decoded
$ kubectl -n kube-system get secret dashboard-admin-token-8h774 -o jsonpath={.data.token} | base64 -d

This works on v1.20.6 because the controller manager still creates a token Secret for every ServiceAccount. From Kubernetes v1.24 that Secret is no longer created automatically, .secrets[0].name comes back empty, and a token is requested with the kubectl create token subcommand instead, which returns a short-lived token rather than a permanent one. Either way, treat the output as a cluster-admin credential: it is a bearer token that gives whoever holds it full control of the cluster.

Open https://dev-k8s-cluster.lyc7456.com in a browser, choose the Token login method and paste the decoded token to sign in to the Dashboard.
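An added example, not part of the original post: a shell helper that fetches the ServiceAccount token in a version-aware way (auto-created Secret on this v1.20 cluster, kubectl create token on v1.24 and later) and decodes the token's JWT payload to confirm which ServiceAccount it identifies before a cluster-admin credential is pasted into a browser. Function names are my own; the sample token is constructed inline with the legacy Secret-based claim layout and a dummy signature, so the decoding path runs offline, and the kubectl-based fetch function is defined but not invoked here.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Two things the token step
# leaves implicit: on v1.24+ clusters the API server no longer auto-creates a
# token Secret for a ServiceAccount (use `kubectl create token` instead), and the
# token is a JWT whose payload says which ServiceAccount it belongs to, which is
# worth checking before pasting a cluster-admin credential into a browser.
set -euo pipefail

# base64url as used by JWT: '-' and '_' instead of '+' and '/', no '=' padding.
b64url_encode() { base64 | tr -d '\n=' | tr '+/' '-_'; }

b64url_decode() {
  local s
  s="$(printf '%s' "$1" | tr '_-' '/+')"
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# JWT payload (the second dot-separated segment) as JSON text.
jwt_payload() {
  local rest="${1#*.}"          # strip the header
  b64url_decode "${rest%%.*}"   # strip the signature
}

# The 'sub' claim, e.g. system:serviceaccount:kube-system:dashboard-admin.
# Present in legacy Secret-based tokens and in v1.24+ bound tokens alike.
jwt_subject() {
  jwt_payload "$1" | sed -n 's/.*"sub": *"\([^"]*\)".*/\1/p'
}

# Succeeds only if the token identifies ServiceAccount $3 in namespace $2.
token_matches_sa() {
  [ "$(jwt_subject "$1")" = "system:serviceaccount:$2:$3" ]
}

# Fetch a token for ServiceAccount $2 in namespace $1. Assumes a working kubectl
# context for the cluster; defined for real use, not invoked in this demo.
get_sa_token() {
  local namespace="$1" sa="$2" secret
  # v1.24+: short-lived bound token, no Secret object involved.
  if kubectl -n "$namespace" create token "$sa" --duration=1h 2>/dev/null; then
    return 0
  fi
  # v1.20-style cluster: read the auto-created token Secret referenced by the SA.
  secret="$(kubectl -n "$namespace" get serviceaccount "$sa" -o jsonpath='{.secrets[0].name}')"
  kubectl -n "$namespace" get secret "$secret" -o jsonpath='{.data.token}' | base64 -d
}

# Constructed sample: a legacy-format SA token with a dummy signature so the
# decoding path can be exercised offline. A real token is signed by the API
# server's service-account signing key; nothing here verifies a signature.
SAMPLE_HEADER='{"alg":"RS256","kid":"constructed"}'
SAMPLE_CLAIMS='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","kubernetes.io/serviceaccount/service-account.name":"dashboard-admin","sub":"system:serviceaccount:kube-system:dashboard-admin"}'
SAMPLE_TOKEN="$(printf '%s' "$SAMPLE_HEADER" | b64url_encode).$(printf '%s' "$SAMPLE_CLAIMS" | b64url_encode).Y29uc3RydWN0ZWQtc2lnbmF0dXJl"

# Against a real cluster: TOKEN="$(get_sa_token kube-system dashboard-admin)"
TOKEN="$SAMPLE_TOKEN"
if token_matches_sa "$TOKEN" kube-system dashboard-admin; then
  echo "token subject: $(jwt_subject "$TOKEN")"
else
  echo "refusing to use token: subject is $(jwt_subject "$TOKEN")" >&2
  exit 1
fi
```

The subject check is a sanity check on which identity the token carries, not an authorization check; what that identity may do is decided by the ClusterRoleBinding above, and the payload is read without verifying the signature, so this never replaces validation by the API server.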