Kubernetes Dashboard


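1. Deploying and accessing the Kubernetes Dashboard

1.1 The Dashboard

Full control over the resource objects of the entire k8s cluster.

Dashboard is a web-based Kubernetes user interface. You can use Dashboard to deploy containerized applications to a Kubernetes cluster, troubleshoot your containerized applications, and manage the cluster resources. You can use Dashboard to get an overview of the applications running in the cluster, as well as to create or modify Kubernetes resources (such as Deployments, Jobs, DaemonSets, and so on). For example, you can scale a Deployment, initiate a rolling update, restart a Pod, or create a new application with the wizard.

Because Dashboard is a web-based user interface, you can operate the k8s cluster from the web UI without using the command line.

Official documentation: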

https://kubernetes.io/zh-cn/docs/tasks/access-application-cluster/web-ui-dashboard/

2. Installing the Dashboard

1. Download

wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml

The Dashboard version used is v2.7.0. The downloaded YAML file is:

recommended.yaml

Edit the configuration file and set the type of the Service to NodePort:

[root@master dashboard]# vim recommended.yaml
---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort  # specify the Service type
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30088  # specify the port number exposed on the host
  selector:
    k8s-app: kubernetes-dashboard

---
Leave the rest of the configuration unchanged.

Apply the configuration above to start the Dashboard instances.

2. Start the Dashboard

[root@master dashboard]# kubectl apply -f recommended.yaml 
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created
[root@master dashboard]# 

Check whether the Dashboard pods have started:

[root@master dashboard]# kubectl get pod --all-namespaces
NAMESPACE              NAME                                         READY   STATUS         RESTARTS   AGE
default                sc-nginx-deploy-3-7496c84fcf-4489n           1/1     Running        0          5h52m
default                sc-nginx-deploy-3-7496c84fcf-msgm6           1/1     Running        0          5h52m
default                sc-nginx-deploy-3-7496c84fcf-q58lm           1/1     Running        0          5h52m
default                sc-nginx-deploy-4-766c99dd77-dgzq5           1/1     Running        0          5h52m
default                sc-nginx-deploy-4-766c99dd77-pljdw           1/1     Running        0          5h52m
default                sc-nginx-deploy-4-766c99dd77-s9qkc           1/1     Running        0          5h52m
default                sc-nginx-deploy-7bb895f9f5-7ttq9             1/1     Running        1          22h
default                sc-nginx-deploy-7bb895f9f5-mlhqt             1/1     Running        1          22h
default                sc-nginx-deploy-7bb895f9f5-prbvf             1/1     Running        1          22h
halou-gh               gh-nginx-busybox                             2/2     Running        26         15d
ingress-nginx          ingress-nginx-admission-create-fwrjt         0/1     Completed      0          22h
ingress-nginx          ingress-nginx-admission-patch-m7ftw          0/1     Completed      0          22h
ingress-nginx          ingress-nginx-controller-589dccc958-pz6s8    1/1     Running        1          22h
ingress-nginx          ingress-nginx-controller-589dccc958-zhrpq    1/1     Running        1          22h
kube-system            calico-kube-controllers-6949477b58-48hcx     1/1     Running        9          12d
kube-system            calico-node-48bw7                            1/1     Running        16         20d
kube-system            calico-node-lwvsk                            1/1     Running        16         20d
kube-system            calico-node-zjvg8                            1/1     Running        16         20d
kube-system            coredns-7f89b7bc75-pncxv                     1/1     Running        16         20d
kube-system            coredns-7f89b7bc75-zrzp2                     1/1     Running        9          12d
kube-system            etcd-master                                  1/1     Running        16         20d
kube-system            kube-apiserver-master                        1/1     Running        18         20d
kube-system            kube-controller-manager-master               1/1     Running        16         20d
kube-system            kube-proxy-48lqm                             1/1     Running        16         20d
kube-system            kube-proxy-7kfxj                             1/1     Running        16         20d
kube-system            kube-proxy-lwlxq                             1/1     Running        16         20d
kube-system            kube-scheduler-master                        1/1     Running        16         20d
kube-system            metrics-server-769f6c8464-ctxl7              1/1     Running        24         16d
kubernetes-dashboard   dashboard-metrics-scraper-66dd8bdd86-gg2c6   1/1     Running        0          2m17s
kubernetes-dashboard   kubernetes-dashboard-785c75749d-7vglw        1/1     Running        0          2m17s
mem-example            memory-demo                                  1/1     Running        14         16d
mem-example            memory-demo-3                                1/1     Running        13         16d
sc                     pod-nodename                                 1/1     Running        6          8d
sc                     pod-nodeselector                             0/1     NodeAffinity   0          8d
[root@master dashboard]# 
[root@master dashboard]# kubectl get pod --all-namespaces|grep dashboard
kubernetes-dashboard   dashboard-metrics-scraper-66dd8bdd86-gg2c6   1/1     Running        0          2m59s
kubernetes-dashboard   kubernetes-dashboard-785c75749d-7vglw        1/1     Running        0          2m59s
[root@master dashboard]# 

Check whether the Services were created:

[root@master dashboard]# kubectl get svc --all-namespaces|grep dash
kubernetes-dashboard   dashboard-metrics-scraper            ClusterIP   10.111.14.32     <none>        8000/TCP                     3m37s
kubernetes-dashboard   kubernetes-dashboard                 NodePort    10.109.54.232    <none>        443:30088/TCP                3m37s
[root@master dashboard]# 

3. Access it in a browser over HTTPS

https://192.168.182.133:30088/

A login screen appears and asks for a token.

Get the name of the Dashboard secret:

[root@master dashboard]# kubectl get secret -n kubernetes-dashboard|grep dashboard-token
kubernetes-dashboard-token-w2fzn   kubernetes.io/service-account-token   3      7m4s
[root@master dashboard]# 

Get the token from the secret:

[root@master dashboard]# kubectl describe secret kubernetes-dashboard-token-w2fzn -n kubernetes-dashboard
Name:         kubernetes-dashboard-token-w2fzn
Namespace:    kubernetes-dashboard
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: kubernetes-dashboard
              kubernetes.io/service-account.uid: c916b21d-bdf3-4299-a976-3c7f736dc9fb

Type:  kubernetes.io/service-account-token

Data
====
token:      <service account token omitted>
ca.crt:     1066 bytes
namespace:  20 bytes
[root@master dashboard]# 

Get the port of the Dashboard Service:

[root@master dashboard]# kubectl get svc --all-namespaces|grep dash
kubernetes-dashboard   dashboard-metrics-scraper            ClusterIP   10.111.14.32     <none>        8000/TCP                     9m33s
kubernetes-dashboard   kubernetes-dashboard                 NodePort    10.109.54.232    <none>        443:30088/TCP                9m33s
[root@master dashboard]# 

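Visit: https://192.168.182.133:30088/

After logging in, the Dashboard cannot access any resource objects because its service account has no permissions; RBAC authorization is required.

Grant permissions to the kubernetes-dashboard service account so that it can find namespace resources. The command binds it to the cluster-admin ClusterRole, so the login token obtained above carries full cluster-admin rights:
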
[root@master dashboard]# kubectl create clusterrolebinding serviceaccount-cluster-admin --clusterrole=cluster-admin --user=system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard
clusterrolebinding.rbac.authorization.k8s.io/serviceaccount-cluster-admin created
[root@master dashboard]# 

Refresh the page and the resources appear.

To delete the role binding:

[root@master ~]# kubectl delete clusterrolebinding serviceaccount-cluster-admin

Create this role binding with YAML:

[root@master dashboard]# kubectl get clusterrolebinding serviceaccount-cluster-admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2024-03-23T08:15:27Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:roleRef:
        f:apiGroup: {}
        f:kind: {}
        f:name: {}
      f:subjects: {}
    manager: kubectl-create
    operation: Update
    time: "2024-03-23T08:15:27Z"
  name: serviceaccount-cluster-admin
  resourceVersion: "583594"
  uid: bcc29869-fa2c-4878-bd9c-f19c415805d1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard
[root@master dashboard]# 
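
The binding above names the service account through `kind: User`, so an RBAC review that only looks for `kind: ServiceAccount` subjects will miss it. The following added example (not part of the original article) scans `kubectl get clusterrolebindings -o json` output for service accounts bound to cluster-admin in either form; the sample data and the function names are constructed for illustration.

```python
import json

# Constructed sample, shaped like `kubectl get clusterrolebindings -o json`.
# The first item mirrors the binding created on this page (subject kind "User").
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "serviceaccount-cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "User", "apiGroup": "rbac.authorization.k8s.io",
                 "name": "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard"}]},
  {"metadata": {"name": "kubernetes-dashboard"},
   "roleRef": {"kind": "ClusterRole", "name": "kubernetes-dashboard"},
   "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                 "namespace": "kubernetes-dashboard"}]},
  {"metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "apiGroup": "rbac.authorization.k8s.io",
                 "name": "system:masters"}]},
  {"metadata": {"name": "orphaned-binding"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}
]}
""")

SA_PREFIX = "system:serviceaccount:"

def service_account_of(subject):
    """Return (namespace, name) if the subject is a service account, else None."""
    kind, name = subject.get("kind"), subject.get("name", "")
    if kind == "ServiceAccount":
        return subject.get("namespace", ""), name
    # A service account can also be named by its username through kind: User,
    # which is what `kubectl create clusterrolebinding --user=...` writes.
    if kind == "User" and name.startswith(SA_PREFIX):
        parts = name[len(SA_PREFIX):].split(":")
        if len(parts) == 2 and all(parts):
            return parts[0], parts[1]
    return None

def find_admin_service_accounts(binding_list, role="cluster-admin"):
    """List (binding, namespace, serviceaccount) for every SA bound to `role`."""
    findings = []
    for item in binding_list.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        # `subjects` may be absent or null on a binding with no subjects.
        for subject in item.get("subjects") or []:
            sa = service_account_of(subject)
            if sa:
                findings.append((item["metadata"]["name"], sa[0], sa[1]))
    return findings
```

On a live cluster, feed it the parsed output of `kubectl get clusterrolebindings -o json` instead of `SAMPLE`.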

Add the role binding to the YAML file as well:

[root@master dashboard]# cat recommended-sc-2023.yaml 
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard

---

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: serviceaccount-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard
---
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30088
  selector:
    k8s-app: kubernetes-dashboard

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
type: Opaque

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
type: Opaque
data:
  csrf: ""

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
type: Opaque

---

kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
    # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.7.0
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.8
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
          - mountPath: /tmp
            name: tmp-volume
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}
[root@master dashboard]# 

Reference article by an experienced author:

https://blog.51cto.com/yangxingzhen/5980340

4. Changing the token timeout
