部署Kubernetes Dashboard记录代码片段

CodeSnippet.Cn
代码片段

kubernetes 小笨蛋发布于：2021年10月15日更新于：2021年10月15日 143

如果没什么特别要求的话，就按GitHub上的提示一步一步做即可。
Dashboard GitHub 地址：[Kubernetes Dashboard](https://github.com/kubernetes/dashboard "Kubernetes Dashboard")

本次部署的目标是使用域名来访问Dashboard并为域名绑定阿里云的证书，所以我们要把yaml文件下载下来稍做修改。

### 1.下载配置文件
https://raw.githubusercontent.com/kubernetes/dashboard/v2.4.0/aio/deploy/recommended.yaml

### 2.配置文件修改
- 将这段注释掉，下面我们使用自己手工签发的TLS证书并手工创建Secret

![图片alt](/uploads/images/20211015/161510-c2b85310df664e0cbc7b4c504659cd89.png ''图片title'')

- 修改容器启动参数

![图片alt](/uploads/images/20211015/161655-73af3e662f914179af3b7f8c4fcf77ae.png ''图片title'')

其中`auto-generate-certificates`不能注释，因为我看到过有帖子说要注释掉（这个参数不仅仅是自动证书的开关，还是总的HTTPS的开关，当我们手工配置了证书后，容器不会自动生成）。
另外两个tls参数指定的是被挂载到容器中的证书的名字，下面我们使用 tls secret 处理的证书，通过配置mountPath: /certs可以得知被挂载到容器的/certs目录中，其名字为tls.crt和tls.key（为什么叫这2个名字或者是否可以配置其他名字，请继续往下看）。

### 3.申请阿里云证书
这部分就省略了
要说明的是下载来的证书会有两个文件key与pem，我们直接把pem改成crt即可。
![图片alt](/uploads/images/20211015/162053-9f239d5b50a5420b976feebfc58fa777.png ''图片title'')

------------

当然你也可以选择手动生成证书，下面是网上找的例子，没试过。
```shell
# 生成证书请求的key
openssl genrsa -out dashboard.key 2048
# 生成证书请求
openssl req -days 3650 -new -key dashboard.key -out dashboard.csr -subj /C=CN/ST=JiangSu/L=NanJing/O=Shanhy/OU=Shanhy/CN=*.domain.com
# 生成自签证书（证书文件 dashboard.crt 和私钥 dashboad.key）
openssl x509 -req -in dashboard.csr -signkey tls.key -out dashboard.crt
# 查看证书信息
openssl x509 -in dashboard.crt -text -noout
```

```shell
kubectl create secret tls kubernetes-dashboard-certs -n kubernetes-dashboard --key dashboard.key --cert dashboard.crt
kubectl create secret tls kubernetes-dashboard-certs -n kubernetes-dashboard --from-file=tls.crt=dashboard.crt --from-file=tls.key=dashboard.key
```

这里创建 secret 的两种方法命令对上面的问题进行了解释，下面解释一下，彻底把这块的用法说明白：

- 如果你使用`--key --cert`方式则创建的`secret`中data的默认2个文件名就是`tls.key`和`tls.crt`，你可以使用命令`kubectl describe secret -n kubernetes-dashboard kubernetes-dashboard-certs`查看。
![图片alt](/uploads/images/20211015/170645-a4e3bc6dace6477da96b096c77dbb770.png ''图片title'')

- 如果你使用第二条命令的`--from-file`的方式，则你需要手工指定文件名称`tls.crt`和`tls.key`（看示例的写法），如果你把上面的命令直接写成`--from-file=dashboard.crt`，那么挂载后的文件就是`dashboard.crt`，这样你需要把第二步第2点中参数的`tls.crt`修改为`dashboard.crt`。
- 你还可以直接使用`--from-file=mycert/`这样直接指定一个目录，那么会把改目录下的所有文件都挂载到容器的`/certs`中，文件名保持不变。

------------

### 4.创建命名空间
```shell
kubectl create namespace kubernetes-dashboard
```

### 5.生成证书secret
```shell
kubectl -n kubernetes-dashboard create secret tls kubernetes-dashboard-certs --key D:\aliSecret\我是域名.com_nginx\我是域名.com.key --cert D:\aliSecret\我是域名.com_nginx\我是域名.com.crt
```
注意：
- 生成的secret一定要在`kubernetes-dashboard`命名空间下
- tls指定的名称一定要云recommended.yaml文件中的一致，即官方给的默认名称`kubernetes-dashboard-certs`

验证：
```shell
kubectl get secret -A | sls kubernetes-dashboard-certs
```
![图片alt](/uploads/images/20211015/164527-00816cd2aa8a47b29465c24c5e3784de.png ''图片title'')

### 6.apply 
应用主配置文件一键启动
```shell
kubectl apply -f recommended.yaml
```
验证：
```shell
kubectl get pod,svc -n kubernetes-dashboard
```
![图片alt](/uploads/images/20211015/164942-b7b3d8686fbc4e6798122add13e5adfd.png ''图片title'')

### 7.配置ingress
创建文件`ingress-nginx-kubernetes-dashboard.yaml`

```shell
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-nginx-kubernetes-dashboard
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # 开启use-regex，启用path的正则匹配
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /
    # 默认为 true，启用 TLS 时，http请求会 308 重定向到https
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # 默认为 http，开启后端服务使用 proxy_pass https://协议
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  rules:
  - host: 你的域名.com
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
  tls:
  - secretName: kubernetes-dashboard-certs #证书的名称前后要保持一致
    hosts:
    - 你的域名.com
```

应用一下 `kubectl apply -f ingress-nginx-kubernetes-dashboard.yaml`

### 8.创建登录用户
创建文件`dashboard-adminuser.yaml`
这里注意下命名空间前后要一致，其它的默认即可

```shell
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
```

应用一下 `kubectl apply -f dashboard-adminuser.yaml`

### 9.Dashboard亮个相吧小宝贝
![图片alt](/uploads/images/20211015/165701-2a71b155ad804672b322b3d71ee9f5f7.png ''图片title'')
dashboard两种登录方式
- token方式：使用 `kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}"` 命令来查找登录的token，粘贴即可。
![图片alt](/uploads/images/20211015/170215-09dedbf55f13468cad690f478e8531fb.png ''图片title'')

- Kubeconfig方式：选择本机的kubectl配置文件即可。
![图片alt](/uploads/images/20211015/170032-d8d4c227033041669cb9da7147d31680.png ''图片title'')

![图片alt](/uploads/images/20211015/170405-5ecad178f02a4d0e81a358d958c643e8.png ''图片title'')

### recommended.yaml
```shell
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard

---

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard

---
#将这段注释掉，下面我们使用自己手工签发的TLS证书并手工创建Secret
#apiVersion: v1
#kind: Secret
#metadata:
#  labels:
#    k8s-app: kubernetes-dashboard
#  name: kubernetes-dashboard-certs
#  namespace: kubernetes-dashboard
#type: Opaque

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
type: Opaque
data:
  csrf: ""

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
type: Opaque

---

kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
    # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.3.1
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          command:
            - /dashboard
          args:
            - --auto-generate-certificates
            - --token-ttl=3600
            - --tls-cert-file=tls.crt
            - --tls-key-file=tls.key
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
      annotations:
        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
    spec:
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.6
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
          - mountPath: /tmp
            name: tmp-volume
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}

```

这里⇓感觉得写点什么，要不显得有点空，但还没想好写什么... 返回顶部