Installing K8S Dashboard v2.0.0

Check the K8S cluster version (v1.18)

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.6", GitCommit:"8a62859e515889f07e3e3be6a1080413f17cf2c3", GitTreeState:"clean", BuildDate:"2021-04-15T03:28:42Z", GoVersion:"go1.15.10", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.10", GitCommit:"62876fc6d93e891aa7fbe19771e6a6c03773b0f7", GitTreeState:"clean", BuildDate:"2020-10-15T01:43:56Z", GoVersion:"go1.13.15", Compiler:"gc", Platform:"linux/amd64"}

Check the K8S Dashboard compatibility matrix (Kubernetes Dashboard v2.0.0) and choose the Dashboard version that matches the current K8S version:

Deploy:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0/aio/deploy/recommended.yaml

List all resource objects in the kubernetes-dashboard namespace:

$ kubectl get all -n kubernetes-dashboard 
NAME READY STATUS RESTARTS AGE
pod/dashboard-metrics-scraper-5b8896d7fc-cqhd7 1/1 Running 0 3h53m
pod/kubernetes-dashboard-897c7599f-wwg46 1/1 Running 0 3h53m

NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/dashboard-metrics-scraper ClusterIP 10.0.0.128 <none> 8000/TCP 3h53m
service/kubernetes-dashboard ClusterIP 10.0.0.89 <none> 443/TCP 3h53m

NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/dashboard-metrics-scraper 1/1 1 1 3h53m
deployment.apps/kubernetes-dashboard 1/1 1 1 3h53m

NAME DESIRED CURRENT READY AGE
replicaset.apps/dashboard-metrics-scraper-5b8896d7fc 1 1 1 3h53m
replicaset.apps/kubernetes-dashboard-897c7599f 1 1 1 3h53m

Configure the Dashboard Ingress

Create the basic-auth Secret for simple web authentication

Install the htpasswd tool:

yum -y install httpd-tools

  • File name: auth
  • User name: admin

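$ htpasswd -c auth admin
New password: # set a password
Re-type new password: # enter the password again
Adding password for user admin

# Create the secret; the key inside the Secret is taken from the file name and must be "auth"
$ kubectl -n kubernetes-dashboard create secret generic basic-auth --from-file=auth

Create the Ingress

Deploy the SSL certificate: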

# secret-tls.yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: star.lyc7456.com
  namespace: kubernetes-dashboard
type: kubernetes.io/tls
data:
  tls.crt: |
    cat star.lyc7456.com.crt | base64 # replace with the command's output
  tls.key: |
    cat star.lyc7456.com.key | base64 # replace with the command's output

Deploy the Ingress:

# ingress.yaml    # for k8s 1.18 ingress
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # The Dashboard service serves TLS itself on port 443
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    # Only these source ranges may reach the Dashboard
    nginx.ingress.kubernetes.io/whitelist-source-range: 10.100.0.0/16,175.42.20.0/26
    # HTTP basic auth against the basic-auth Secret created above
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
  name: dashboard
  namespace: kubernetes-dashboard
spec:
  tls:
  - hosts:
    - jdyfs-k8s-cluster.idspub.com
    # must match metadata.name of the TLS Secret (secret-tls.yaml) in this namespace
    secretName: star-idspub-com
  rules:
  - host: jdyfs-k8s-cluster.idspub.com
    http:
      paths:
      - backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
        path: /

Configure dashboard-admin RBAC

Kubernetes Dashboard Creating sample user

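Create the dashboard-admin ServiceAccount (SA) and bind it to the default cluster-admin ClusterRole (cluster administrator). The token of this account therefore carries full cluster-administrator rights: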

# rbac-admin.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-admin
  namespace: kube-system

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dashboard-admin
subjects:
- kind: ServiceAccount
  name: dashboard-admin
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

Get the cluster-admin user's token

# Get the name of the SA's token secret
$ kubectl -n kube-system get serviceaccount dashboard-admin -o jsonpath='{.secrets[0].name}'
dashboard-admin-token-nfpbj

# Get the token by secret name; the token string must be base64-decoded
$ kubectl -n kube-system get secret dashboard-admin-token-nfpbj -o jsonpath='{.data.token}' | base64 -d

Open the Ingress domain in a browser and log in to the Dashboard.
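
As an added example (not part of the original post), the following Python code audits the manifests above before they are applied: it checks that the Ingress's TLS secretName and auth-secret resolve to Secrets in the same namespace, that the basic-auth Secret carries the auth key ingress-nginx expects, that the source whitelist is not open to every address, and which ServiceAccounts are bound to cluster-admin. The manifests are constructed Python dicts reduced from the YAML on this page, and audit, NGINX and PAGE_MANIFESTS are hypothetical names.

```python
import ipaddress

NGINX = "nginx.ingress.kubernetes.io/"

def audit(manifests):
    """Return sorted findings for a Dashboard Ingress/RBAC manifest set."""
    findings = []
    secrets = {(m["metadata"]["namespace"], m["metadata"]["name"]): m
               for m in manifests if m["kind"] == "Secret"}
    for m in manifests:
        if m["kind"] == "Ingress":
            ns = m["metadata"]["namespace"]
            ann = m["metadata"].get("annotations", {})
            for tls in m["spec"].get("tls", []):
                if (ns, tls["secretName"]) not in secrets:
                    findings.append(f"tls secret {tls['secretName']} not found in {ns}")
            auth = secrets.get((ns, ann.get(NGINX + "auth-secret")), {})
            if "auth" not in auth.get("data", {}):  # ingress-nginx reads the key 'auth'
                findings.append("basic-auth secret missing or lacks the 'auth' key")
            raw = ann.get(NGINX + "whitelist-source-range", "")
            ranges = [c.strip() for c in raw.split(",") if c.strip()]
            if not ranges:
                findings.append("no whitelist-source-range set")
            for cidr in ranges:
                if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                    findings.append(f"source range {cidr} allows every address")
        elif m["kind"] == "ClusterRoleBinding" and m["roleRef"]["name"] == "cluster-admin":
            for s in m.get("subjects", []):
                if s["kind"] == "ServiceAccount":
                    findings.append(f"SA {s['namespace']}/{s['name']} is cluster-admin")
    return sorted(findings)

# Constructed sample: the page's manifests reduced to the fields the audit reads.
NS = "kubernetes-dashboard"
PAGE_MANIFESTS = [
    {"kind": "Secret", "metadata": {"name": "star.lyc7456.com", "namespace": NS},
     "data": {"tls.crt": "", "tls.key": ""}},
    {"kind": "Secret", "metadata": {"name": "basic-auth", "namespace": NS},
     "data": {"auth": ""}},
    {"kind": "Ingress", "metadata": {"name": "dashboard", "namespace": NS, "annotations": {
        NGINX + "whitelist-source-range": "10.100.0.0/16,175.42.20.0/26",
        NGINX + "auth-secret": "basic-auth"}},
     "spec": {"tls": [{"secretName": "star-idspub-com"}]}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "dashboard-admin"},
     "roleRef": {"name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "dashboard-admin",
                   "namespace": "kube-system"}]},
]
print("\n".join(audit(PAGE_MANIFESTS)))
```

On the page's values it reports that ingress.yaml references the TLS secret star-idspub-com while secret-tls.yaml creates star.lyc7456.com, and that dashboard-admin is bound to cluster-admin.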