Notes on deploying the Kubernetes Dashboard
Category: kubernetes
Author: 小笨蛋
Published: 2021-10-15
Updated: 2021-10-15
If you have no special requirements, just follow the instructions on GitHub step by step. Dashboard GitHub repository: [Kubernetes Dashboard](https://github.com/kubernetes/dashboard "Kubernetes Dashboard")

The goal of this deployment is to reach the Dashboard through a domain name with an Alibaba Cloud certificate bound to that domain, so we download the YAML file and make a few changes to it.

### 1. Download the manifest

https://raw.githubusercontent.com/kubernetes/dashboard/v2.4.0/aio/deploy/recommended.yaml

### 2. Modify the manifest

- Comment out this block (the `kubernetes-dashboard-certs` Secret); below we use our own TLS certificate and create the Secret by hand.

![screenshot](/uploads/images/20211015/161510-c2b85310df664e0cbc7b4c504659cd89.png)

- Change the container start-up arguments.

![screenshot](/uploads/images/20211015/161655-73af3e662f914179af3b7f8c4fcf77ae.png)

`--auto-generate-certificates` must not be commented out, although I have seen posts saying to remove it: this flag is not only the switch for self-generated certificates but the overall HTTPS switch, and once we configure a certificate by hand the container does not generate one.

The other two `--tls-*` arguments name the certificate files mounted into the container. Below we handle the certificate with a TLS Secret; from `mountPath: /certs` we know it is mounted into the container's `/certs` directory, under the names `tls.crt` and `tls.key` (why these two names, and whether other names can be configured, is explained further down).

### 3. Request an Alibaba Cloud certificate

This part is skipped. Note that the downloaded certificate comes as two files, `.key` and `.pem`; simply rename the `.pem` file to `.crt`.

![screenshot](/uploads/images/20211015/162053-9f239d5b50a5420b976feebfc58fa777.png)

------------

Of course you can also generate a certificate yourself. Below is an example found online, which I have not tried.

```shell
# Generate the private key for the certificate request
openssl genrsa -out dashboard.key 2048
# Generate the certificate signing request (quote -subj so the shell does not expand the *)
openssl req -new -key dashboard.key -out dashboard.csr -subj "/C=CN/ST=JiangSu/L=NanJing/O=Shanhy/OU=Shanhy/CN=*.domain.com"
# Self-sign the request (produces the certificate dashboard.crt; the private key is dashboard.key).
# -days belongs on this step: a plain `openssl req -new` ignores it, and `x509 -req` otherwise defaults to 30 days
openssl x509 -req -days 3650 -in dashboard.csr -signkey dashboard.key -out dashboard.crt
# Inspect the certificate
openssl x509 -in dashboard.crt -text -noout
```

```shell
# Method 1: a kubernetes.io/tls Secret; its data keys are always tls.crt and tls.key
kubectl create secret tls kubernetes-dashboard-certs -n kubernetes-dashboard --key dashboard.key --cert dashboard.crt
# Method 2: a generic Secret whose data keys you name yourself (`create secret tls` has no --from-file flag)
kubectl create secret generic kubernetes-dashboard-certs -n kubernetes-dashboard --from-file=tls.crt=dashboard.crt --from-file=tls.key=dashboard.key
```

These two ways of creating the Secret answer the question raised above; let me spell out the usage completely:

- If you use the `--key --cert` form, the two data entries of the created `secret` are named `tls.key` and `tls.crt` by default; you can check with `kubectl describe secret -n kubernetes-dashboard kubernetes-dashboard-certs`.

![screenshot](/uploads/images/20211015/170645-a4e3bc6dace6477da96b096c77dbb770.png)

- If you use the `--from-file` form of the second command, you must specify the file names `tls.crt` and `tls.key` yourself (see how the example writes them). If you instead write the command as `--from-file=dashboard.crt`, the mounted file will be `dashboard.crt`, and you then have to change `tls.crt` in the argument from point 2 of step 2 to `dashboard.crt`.
- You can also pass a directory, as in `--from-file=mycert/`; every file in that directory is then mounted into the container's `/certs` with its name unchanged.

------------

### 4. Create the namespace

```shell
kubectl create namespace kubernetes-dashboard
```

### 5. Create the certificate Secret

```shell
kubectl -n kubernetes-dashboard create secret tls kubernetes-dashboard-certs --key D:\aliSecret\我是域名.com_nginx\我是域名.com.key --cert D:\aliSecret\我是域名.com_nginx\我是域名.com.crt
```

Note:

- The Secret must be created in the `kubernetes-dashboard` namespace.
- The name given to the TLS Secret must match the one in recommended.yaml, i.e. the official default `kubernetes-dashboard-certs`.

Verify:

```shell
# sls is PowerShell's Select-String; on Linux use grep instead
kubectl get secret -A | sls kubernetes-dashboard-certs
```

![screenshot](/uploads/images/20211015/164527-00816cd2aa8a47b29465c24c5e3784de.png)

### 6. Apply the main manifest to start everything

```shell
kubectl apply -f recommended.yaml
```

Verify:

```shell
kubectl get pod,svc -n kubernetes-dashboard
```

![screenshot](/uploads/images/20211015/164942-b7b3d8686fbc4e6798122add13e5adfd.png)

### 7. Configure the Ingress

Create the file `ingress-nginx-kubernetes-dashboard.yaml`:

```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-nginx-kubernetes-dashboard
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # Enable use-regex so that path is matched as a regular expression
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /
    # Defaults to true: with TLS enabled, HTTP requests are 308-redirected to HTTPS
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Defaults to http; with HTTPS the backend service is reached via proxy_pass https://
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  rules:
    - host: 你的域名.com
      http:
        paths:
          - path: /
            backend:
              serviceName: kubernetes-dashboard
              servicePort: 443
  tls:
    - secretName: kubernetes-dashboard-certs # the Secret name must be the same everywhere
      hosts:
        - 你的域名.com
```

Apply it: `kubectl apply -f ingress-nginx-kubernetes-dashboard.yaml`

### 8. Create a login user

Create the file `dashboard-adminuser.yaml`. Make sure the namespace is consistent throughout; everything else can stay at its default. Note that the binding grants this account the built-in `cluster-admin` ClusterRole, so the token retrieved in step 9 carries full control of the cluster.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
```

Apply it: `kubectl apply -f dashboard-adminuser.yaml`

### 9. Show yourself, Dashboard

![screenshot](/uploads/images/20211015/165701-2a71b155ad804672b322b3d71ee9f5f7.png)

The Dashboard offers two login methods:

- Token: run `kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}"` to look up the login token and paste it in (this reads the ServiceAccount's auto-created token Secret, which newer Kubernetes releases no longer create by default).

![screenshot](/uploads/images/20211015/170215-09dedbf55f13468cad690f478e8531fb.png)

- Kubeconfig: select the kubectl config file on your machine.

![screenshot](/uploads/images/20211015/170032-d8d4c227033041669cb9da7147d31680.png)

![screenshot](/uploads/images/20211015/170405-5ecad178f02a4d0e81a358d958c643e8.png)

### recommended.yaml

```yaml
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard

---

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard

---

# Commented out: below we use our own TLS certificate and create this Secret by hand
#apiVersion: v1
#kind: Secret
#metadata:
#  labels:
#    k8s-app: kubernetes-dashboard
#  name: kubernetes-dashboard-certs
#  namespace: kubernetes-dashboard
#type: Opaque

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
type: Opaque
data:
  csrf: ""

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
type: Opaque

---

kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
    # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.3.1
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          command:
            - /dashboard
          args:
            - --auto-generate-certificates
            - --token-ttl=3600
            - --tls-cert-file=tls.crt
            - --tls-key-file=tls.key
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
      annotations:
        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
    spec:
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.6
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
          - mountPath: /tmp
            name: tmp-volume
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}
```
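The naming rules from steps 2 and 5 (the `--tls-cert-file`/`--tls-key-file` arguments must match the data keys of the Secret mounted at `/certs`, the Secret must carry the name and namespace the Deployment volume references, and `--auto-generate-certificates` must stay) can be checked mechanically before `kubectl apply`. The following is an added example, not code from the post or from the Dashboard project; `fake_secret`, `arg_value` and `check_dashboard_tls` are names chosen here, and the Secrets are constructed samples in the shape `kubectl get secret -o json` prints, with placeholder values.

```python
"""Added example: consistency check between the Dashboard container args
(--tls-cert-file / --tls-key-file, --auto-generate-certificates) and the TLS
Secret mounted at /certs. Secrets here are constructed samples, not real ones."""
import base64
import json

# Container args from recommended.yaml after the edits of step 2.
DASHBOARD_ARGS = [
    "--auto-generate-certificates",
    "--token-ttl=3600",
    "--tls-cert-file=tls.crt",
    "--tls-key-file=tls.key",
    "--namespace=kubernetes-dashboard",
]

def fake_secret(name, namespace, files):
    """Constructed Secret as JSON (shape of `kubectl get secret -o json`); values are placeholders."""
    data = {fn: base64.b64encode(f"PLACEHOLDER {fn}".encode()).decode() for fn in files}
    return json.dumps({"kind": "Secret", "metadata": {"name": name, "namespace": namespace}, "data": data})

# `kubectl create secret tls ... --key --cert`: data keys are always tls.crt and tls.key.
SECRET_OK = fake_secret("kubernetes-dashboard-certs", "kubernetes-dashboard", ["tls.crt", "tls.key"])
# `--from-file=dashboard.crt --from-file=dashboard.key` without renaming: the mistake the post describes.
SECRET_WRONG_NAMES = fake_secret("kubernetes-dashboard-certs", "kubernetes-dashboard", ["dashboard.crt", "dashboard.key"])

def arg_value(args, flag):
    """Value of `--flag=value` in a container args list, or None when the flag is absent."""
    return next((a.split("=", 1)[1] for a in args if a.startswith(f"--{flag}=")), None)

def check_dashboard_tls(args, secret_json, volume_secret="kubernetes-dashboard-certs",
                        namespace="kubernetes-dashboard", mount_path="/certs"):
    """Return the list of mismatches; an empty list means the Secret fits the container args."""
    secret = json.loads(secret_json)
    meta = secret["metadata"]
    keys = set(secret.get("data", {}))
    problems = []
    if "--auto-generate-certificates" not in args:
        # Per the post this flag is the overall HTTPS switch, not just the self-signed-cert switch.
        problems.append("--auto-generate-certificates is missing: Dashboard will not serve HTTPS")
    if (meta["name"], meta["namespace"]) != (volume_secret, namespace):
        problems.append(f"Secret {meta['namespace']}/{meta['name']} is not the one the Deployment volume mounts")
    for flag in ("tls-cert-file", "tls-key-file"):
        wanted = arg_value(args, flag)
        if wanted is None:
            problems.append(f"--{flag} is not set")
        elif wanted not in keys:
            # The file the container opens does not exist under the mount path.
            problems.append(f"--{flag}={wanted} but {mount_path}/{wanted} will not exist; Secret provides {sorted(keys)}")
    return problems
```

Feed it the real Secret with `kubectl -n kubernetes-dashboard get secret kubernetes-dashboard-certs -o json` and the args from your edited recommended.yaml; an empty result means the three places agree.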