一、介绍

Dashboard是k8s集群管理的一个WebUi,它是k8s的一个附加组件,需要单独部署。

我们可以通过图形化的方法,创建、删除、修改、查询k8s资源。

二、安装部署dashboard组件

Github地址:GitHub - kubernetes/dashboard: General-purpose web UI for Kubernetes clusters

参考链接:Release v2.5.1 · kubernetes/dashboard · GitHub

可以通过上述地址,查询对应k8s的版本,来下载对应的dashboard

dashboard.yaml

# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Namespace that holds every namespaced Dashboard object defined in this file.
apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard

---

# ServiceAccount used by both Deployments in this file (serviceAccountName).
# Any permission bound to it applies to the Dashboard pod and to the
# metrics-scraper pod alike.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard

---

# Service in front of the Dashboard pods: port 443 forwards to container port 8443.
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  # NodePort opens the port below on every node's address, so the login page is
  # reachable from any network that can reach a node. Restrict access with
  # firewall rules, or keep the Service cluster-internal and reach it through
  # kubectl proxy / kubectl port-forward instead.
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      # 8443 lies outside the default NodePort range (30000-32767); the API server
      # rejects it unless --service-node-port-range is widened.
      nodePort: 8443
  selector:
    k8s-app: kubernetes-dashboard

---

# Secret mounted at /certs by the Dashboard Deployment. It carries no data in
# this manifest; the Deployment runs with --auto-generate-certificates.
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
type: Opaque

---

# Secret with a single "csrf" entry, left empty in this manifest. The Role in
# this file lets Dashboard get, update and delete it.
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
type: Opaque
data:
  csrf: ""

---

# Secret with no data in this manifest. It is listed in the Role's
# resourceNames, so Dashboard can get, update and delete it.
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
type: Opaque

---

# ConfigMap with no data in this manifest; the Role in this file allows
# Dashboard to get and update it.
kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard

---

# Namespaced Role for the Dashboard ServiceAccount. Every rule is narrowed with
# resourceNames to specific objects in the kubernetes-dashboard namespace, so
# it grants no access to other Secrets, ConfigMaps or Services.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
    # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]

---

# Cluster-wide, read-only access (get/list/watch) to pod and node metrics in
# the metrics.k8s.io API group. No other resource is covered.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]

---

# Grants the namespaced Role "kubernetes-dashboard" to the ServiceAccount of
# the same name in the kubernetes-dashboard namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

# Grants the metrics-only ClusterRole "kubernetes-dashboard" to the Dashboard
# ServiceAccount. Together with the RoleBinding in this file, this is all the
# account may do until further bindings are added.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

# Single-replica Deployment of the Dashboard web UI, serving HTTPS on 8443.
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      # Pod-level hardening: use the container runtime's default seccomp profile.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: kubernetes-dashboard
          # The image is referenced by tag and pulled on every pod start
          # (imagePullPolicy: Always). Pinning it by digest
          # (image@sha256:<digest>) would fix the exact content that runs.
          image: kubernetesui/dashboard:v2.5.1
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            # Dashboard generates its own serving certificate. Browsers do not
            # trust it, which is the cause of the certificate warning on first
            # access; a certificate from a trusted CA removes the warning.
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          # Container-level hardening: no privilege escalation, read-only root
          # filesystem (hence the emptyDir on /tmp), fixed non-zero UID and GID.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      # The pod acts with this account's permissions; every role bound to the
      # account is usable from inside the pod.
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule

---

# Service for the metrics scraper on port 8000. No type is set, so it is a
# ClusterIP Service and is not published on the nodes, unlike the Dashboard
# Service in this file.
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper

---

# Single-replica Deployment of the metrics scraper, serving plain HTTP on 8000.
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
    spec:
      # Pod-level hardening: use the container runtime's default seccomp profile.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: dashboard-metrics-scraper
          # Referenced by tag; pinning by digest (image@sha256:<digest>) would
          # fix the exact content that runs.
          image: kubernetesui/metrics-scraper:v1.0.7
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
          - mountPath: /tmp
            name: tmp-volume
          # Container-level hardening: no privilege escalation, read-only root
          # filesystem (hence the emptyDir on /tmp), fixed non-zero UID and GID.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      # Same ServiceAccount as the Dashboard pod: any extra role bound to that
      # account (for example a cluster-wide one) is also held by this pod.
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}

1、上传dashboard文件到服务器

上边是下载好的文件

[root@master dashboard]# rz
[root@master dashboard]# ll
总用量 8
-r-------- 1 root root 7660 5月   8 23:41 dashboard.yaml

2、修改nodeport的端口范围

这里也可以把dashboard文件中svc资源的nodePort改到默认范围30000-32767之内;

这里不改dashboard的配置文件,而是修改我们k8s的NodePort端口范围(更稳妥的做法是前一种:只改Service的nodePort,不去放宽整个集群的端口范围);

[root@master dashboard]# vim /etc/kubernetes/manifests/kube-apiserver.yaml 
.............
spec:
  containers:
  - command:
    - kube-apiserver
    # Add the line below. This file is a static Pod manifest, so the change is
    # picked up automatically: kube-apiserver is restarted and is unavailable
    # for a short while before it comes back.
    # NOTE(review): 3000-50000 also covers ports already in use on the nodes --
    # the API server itself on 6443 (see --server=https://10.0.0.231:6443 in
    # kc.sh), by default the kubelet on 10250 and etcd on 2379/2380, and part of
    # the usual Linux ephemeral port range. Nothing prevents a NodePort Service
    # from being given one of those ports, which can collide with or shadow the
    # host service. Moving only the Dashboard Service to a port inside
    # 30000-32767 avoids widening the range.
    - --service-node-port-range=3000-50000
    - --advertise-address=10.0.0.231
    .....

3、创建dashboard资源

[root@master dashboard]# kubectl apply -f dashboard.yaml 
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created
 

4、验证是否部署成功

[root@master dashboard]# kubectl get pods -n kubernetes-dashboard
NAME                                         READY   STATUS    RESTARTS   AGE
dashboard-metrics-scraper-799d786dbf-2qct8   1/1     Running   0          3m
kubernetes-dashboard-fb8648fd9-9dn7p         1/1     Running   0          3m
 

5、访问页面测试

https://192.168.190.200:8443/

        浏览器会显示不安全的证书链接;点击【高级】也没用,怎么办?

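        温馨提示:如果打不开网页,可以鼠标单击页面空白处,依次输入“thisisunsafe”,即可自动跳转进入页面了;这样做是让浏览器跳过对该站点的证书校验,只适合自己的测试环境;正式环境应把受信任CA签发的证书放进 kubernetes-dashboard-certs 这个Secret,而不是使用自动生成的证书;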

点击空白处,写上“thisisunsafe”之后,会自动进入登录页面

 我们可以看见上图中:有两个登录选项,token登录和kubeconfig登录;

6、token登录方式登录dashboard

 1) 查看dashboard的token

        其实就是先查看dashboard的sa用户的详细信息;

        我们可以看到,sa用户有一个token字段;这个token字段本质上也是一个secrets资源;

[root@master dashboard]# kubectl -n kubernetes-dashboard describe sa kubernetes-dashboard | grep Tokens
Tokens:              kubernetes-dashboard-token-gncvr

我们继续查看该token对应的secrets资源的详细信息,就可以拿到token的内容了;这个token没有过期时间,是一个Bearer凭据,拿到它就等于拥有该sa用户的全部权限,不要把它贴到文档、截图或聊天记录里;

[root@master dashboard]# kubectl -n kubernetes-dashboard describe secrets kubernetes-dashboard-token-gncvr
Name:         kubernetes-dashboard-token-gncvr
Namespace:    kubernetes-dashboard
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: kubernetes-dashboard
              kubernetes.io/service-account.uid: 50898f21-d135-4687-ac70-601053b2aa34

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1099 bytes
namespace:  20 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IlpTbGVjbERXaHkyVUVVbU9Ub29WUU10Y1BweGE5U0d5ZjNra1QtV284OTQifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZC10b2tlbi1nbmN2ciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjUwODk4ZjIxLWQxMzUtNDY4Ny1hYzcwLTYwMTA1M2IyYWEzNCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlcm5ldGVzLWRhc2hib2FyZDprdWJlcm5ldGVzLWRhc2hib2FyZCJ9.HUIYiInvICyaOqhEQbaIkn62XxWihw6fNgS92t2zLanTWVD-w4our5frLud1mpXFAycF9MLxFSkU02xbGZxHGjqVdjdLtl3lqXhWjGbrkhO8dgu-aOqI9qJVlQbr5q-bWyQMirymhnjAIgjWoC4BFK-3TRdzba2zMQPqpRIzpYJmKbgw4Nx0yfdaoTtaXGW2G8lePmAPdd3zDh6qwy2jLmZCBo2HTpB-6LIcePS397BqS0_EdtCky16UFUd7Fn31fmsJlw9f11BQCBD8lFeKdj_6OIhvvYiPcsJZ_ZxdEFAupwlfBquFJgn5PjLUrMyG3t1F2ZjHv3_FRMWobfMBtQ

 2)复制token编码输入到页面token

登录成功,发现没有资源操作权限

        

 3)给名称空间kubernetes-dashboard的服务账号kubernetes-dashboard添加权限(下面绑定的是cluster-admin,即集群最高权限,只适合测试环境;dashboard的两个Deployment共用这个sa,任何持有其token的人都可以完全控制集群)

[root@master dashboard]# cat sa-dashboard.yaml 
# Bind the most privileged role in the cluster to the Dashboard ServiceAccount.
# NOTE(review): cluster-admin allows every action on every resource. After this
# binding, the ServiceAccount token shown by "kubectl describe secrets" is a
# full-cluster credential, and both pods that run under this account (Dashboard
# and metrics-scraper) hold the same rights. With the Dashboard published on a
# NodePort, that token is all that stands between the network and the cluster.
# For anything but a throw-away lab, create a separate account for human login
# and bind it to a narrower role (for example the built-in "view" ClusterRole,
# or a RoleBinding limited to one namespace).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-clusterrolebinding
  # NOTE(review): ClusterRoleBinding is cluster-scoped, so this namespace field
  # has no effect on where the binding applies.
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  # The bound role is a cluster role, so the kind must be "ClusterRole", not "Role".
  kind: ClusterRole
  # Cluster roles can be listed and filtered with "kubectl get clusterrole | grep admin".
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    # Must match the ServiceAccount created by dashboard.yaml.
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard


 

[root@master dashboard]# kubectl apply -f sa-dashboard.yaml 
 

4)再次查看上面页面,可以看到我们有权限访问资源了

7,kubeconfig文件方式登录dashboard (了解即可)
· 生成kubeconfig文件

先编辑生成kubeconfig文件的脚本

[root@k8s231 dashboard]# cat kc.sh 
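#!/bin/bash
#
# Build xjzw.conf, a kubeconfig that authenticates with a bearer token, for
# upload on the Dashboard login page.
#
# The token is a credential, so it is not stored in this file. Export
# XINJIZHIWA_TOKEN before running, or run the script without it and paste the
# token at the prompt (input is not echoed).
#
# NOTE: the token is still handed to kubectl as a command-line argument, so it
# is visible in the process list of this host while that command runs, and it
# is written in clear text into xjzw.conf. Delete copies of that file once
# they are no longer needed.
set -euo pipefail

# kubeconfig file written by every step below.
readonly KUBECONFIG_FILE="xjzw.conf"

# User token: taken from the environment when set, otherwise read silently.
if [[ -z "${XINJIZHIWA_TOKEN:-}" ]]; then
  read -r -s -p 'Token: ' XINJIZHIWA_TOKEN
  printf '\n' >&2
fi
if [[ -z "${XINJIZHIWA_TOKEN}" ]]; then
  printf '%s\n' 'kc.sh: no token supplied' >&2
  exit 1
fi

# Define the cluster entry.
kubectl config set-cluster xinjizhiwa-cluster \
  --server=https://10.0.0.231:6443 \
  --kubeconfig="${KUBECONFIG_FILE}"

# Define the client credentials. The expansion is quoted so the token always
# reaches kubectl as one argument.
kubectl config set-credentials xinjizhiwa-client \
  --token="${XINJIZHIWA_TOKEN}" \
  --kubeconfig="${KUBECONFIG_FILE}"

# Tie the cluster and the client together in a context.
kubectl config set-context xinjizhiwa-user \
  --cluster=xinjizhiwa-cluster \
  --user=xinjizhiwa-client \
  --kubeconfig="${KUBECONFIG_FILE}"

# Select that context as the current one in the generated kubeconfig.
kubectl config use-context xinjizhiwa-user --kubeconfig="${KUBECONFIG_FILE}"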

执行脚本生成文件

[root@k8s231 dashboard]# bash kc.sh 
[root@k8s231 dashboard]# ll
................
-rw------- 1 root root 1305 Feb 23 03:53 xjzw.conf

导出文件到本地电脑桌面

把文件上传到dashboard登录页面的kubeconfig选项处(xjzw.conf里明文保存着token,用完后请删除本地副本)

· 点击登录 

至此,两种方式的登录,就成功了; 

三、使用dashboard

1,创建资源清单

· 第一种方式

手动编辑资源清单

· 第二种方式

上传yaml文件创建

· 第三种方式

至此,dashboard图形化管理工具学习完毕;

参考:26-k8s的附加组件-图形化管理工具dashboard_使用yaml文件部署dashboard-CSDN博客
