
Kubernetes Dashboard 7.10.x
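Hello everyone, I'm Weiyigeek. Today we'll look at how to install and use Kubernetes Dashboard (the native visual management tool) on a Kubernetes cluster. If you are deploying applications on Kubernetes, or plan to, this tool is well worth a closer look.
What is Kubernetes Dashboard?
It is a web-based user interface provided natively by Kubernetes that makes managing and monitoring a cluster more convenient. With it, operations and development staff do not need to memorize complex commands; they can work directly in a visual interface to deploy applications, manage resources and monitor cluster state, which lowers the barrier to operating Kubernetes. The current release is the 7.10.x series, with a cleaner interface and more powerful features.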
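Features
- Application management: create, update and delete Kubernetes workloads (Pod, Deployment, DaemonSet, StatefulSet and so on) through the interface.
- Visual monitoring: shows the running state of cluster resources in real time, including CPU and memory usage.
- Error diagnosis: quickly view the logs, events and errors of problem resources to help troubleshoot failures.
- Access control: permissions can be set so that each user can only access or operate on the resources they are responsible for.
- Simplified multi-container support: more intuitive support for deploying and managing multiple containers.
- Ingress integration: makes it easy to configure and manage network rules and set up external access.
- Interface language: supports English, Chinese and other interface languages to suit different users.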
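Practice environment
Operating system: Kylin Linux Advanced Server V10 (Lance)
Kernel version: 4.19.90-52.33.v2207.ky10.x86_64
Cluster version: Kubernetes v1.28.1
Helm version: v3.12.3
Note: at the time of writing (2025-02-16 20:59:30) the latest version is 7.10.4, but it supports Kubernetes cluster versions v1.29 and above. To stay as compatible as possible with the K8S cluster version, I chose to install version 7.10.0 here.

Figure: Kubernetes Dashboard GitHub Release (weiyigeek.top)
Install the latest version: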
```bash
# Add kubernetes-dashboard repository
helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
# Deploy a Helm Release named "kubernetes-dashboard" using the kubernetes-dashboard chart
helm upgrade --install kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard --create-namespace --namespace kubernetes-dashboard
```
Install a specific version:
- 1. Download the Helm chart and extract it
```bash
VERSION=7.10.0
wget https://github.com/kubernetes/dashboard/releases/download/v${VERSION}/kubernetes-dashboard-${VERSION}.tgz
tar -xvf kubernetes-dashboard-${VERSION}.tgz
```
- 2. Pull the images and push them to the private registry
```bash
tee kubernetesui-images.txt <<'EOF'
docker.io/library/kong:3.6
docker.io/kubernetesui/dashboard-api:1.10.1
docker.io/kubernetesui/dashboard-auth:1.2.2
docker.io/kubernetesui/dashboard-metrics-scraper:1.2.1
docker.io/kubernetesui/dashboard-web:1.6.0
EOF
for image in $(cat kubernetesui-images.txt); do
  docker pull "$image"
  # kubernetesui/* images are pushed under the library/ project;
  # the kong image path already starts with library/
  if echo "$image" | grep -q "kubernetesui"; then
    docker tag "$image" "harbor.weiyigeek.top/library/${image#*/}"
    docker push "harbor.weiyigeek.top/library/${image#*/}"
  else
    docker tag "$image" "harbor.weiyigeek.top/${image#*/}"
    docker push "harbor.weiyigeek.top/${image#*/}"
  fi
done
```
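- 3. Edit the values.yaml file, including the image addresses in it. The metrics-scraper and the kong plugin are enabled here. Pay particular attention to the kong image address: if the `docker.io/library/kong:3.6` image can be pulled normally, it does not need to be changed.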
```yaml
app:
  mode: 'dashboard'
  image:
    pullPolicy: IfNotPresent
    pullSecrets: []
  scheduling:
    nodeSelector: {}
  security:
    csrfKey: ~
    securityContext:
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault
    containerSecurityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      runAsUser: 1001
      runAsGroup: 2001
      capabilities:
        drop: ["ALL"]
    podDisruptionBudget:
      enabled: false
      minAvailable: 0
      maxUnavailable: 0
    networkPolicy:
      enabled: false
      ingressDenyAll: false
      spec: {}
  labels: {}
  annotations: {}
  priorityClassName: null
  settings:
    global:
    pinnedResources: []
  ingress:
    enabled: false
    hosts:
      - localhost
    ingressClassName: internal-nginx
    useDefaultIngressClass: false
    useDefaultAnnotations: true
    pathType: ImplementationSpecific
    path: /
    issuer:
      name: selfsigned
      scope: default
    tls:
      enabled: true
      secretName: ""
    labels: {}
    annotations: {}
  tolerations: []
  affinity: {}
auth:
  role: auth
  image:
    repository: harbor.weiyigeek.top/library/kubernetesui/dashboard-auth
    tag: 1.2.2
  scaling:
    replicas: 1
    revisionHistoryLimit: 10
  containers:
    ports:
      - name: auth
        containerPort: 8000
        protocol: TCP
    args: []
    env: []
    volumeMounts:
      - mountPath: /tmp
        name: tmp-volume
    resources:
      requests:
        cpu: 100m
        memory: 200Mi
      limits:
        cpu: 250m
        memory: 400Mi
  automountServiceAccountToken: true
  volumes:
    - name: tmp-volume
      emptyDir: {}
  nodeSelector: {}
  labels: {}
  annotations: {}
  serviceLabels: {}
  serviceAnnotations: {}
api:
  role: api
  image:
    repository: harbor.weiyigeek.top/library/kubernetesui/dashboard-api
    tag: 1.10.1
  scaling:
    replicas: 1
    revisionHistoryLimit: 10
  containers:
    ports:
      - name: api
        containerPort: 8000
        protocol: TCP
    args: []
    env: []
    volumeMounts:
      - mountPath: /tmp
        name: tmp-volume
    resources:
      requests:
        cpu: 100m
        memory: 200Mi
      limits:
        cpu: 250m
        memory: 400Mi
  automountServiceAccountToken: true
  volumes:
    - name: tmp-volume
      emptyDir: {}
  nodeSelector: {}
  labels: {}
  annotations: {}
  serviceLabels: {}
  serviceAnnotations: {}
web:
  role: web
  image:
    repository: harbor.weiyigeek.top/library/kubernetesui/dashboard-web
    tag: 1.6.0
  scaling:
    replicas: 1
    revisionHistoryLimit: 10
  containers:
    ports:
      - name: web
        containerPort: 8000
        protocol: TCP
    args: []
    env: []
    volumeMounts:
      - mountPath: /tmp
        name: tmp-volume
    resources:
      requests:
        cpu: 100m
        memory: 200Mi
      limits:
        cpu: 250m
        memory: 400Mi
  automountServiceAccountToken: true
  volumes:
    - name: tmp-volume
      emptyDir: {}
  nodeSelector: {}
  labels: {}
  annotations: {}
  serviceLabels: {}
  serviceAnnotations: {}
metricsScraper:
  enabled: true
  role: metrics-scraper
  image:
    repository: harbor.weiyigeek.top/library/kubernetesui/dashboard-metrics-scraper
    tag: 1.2.1
  scaling:
    replicas: 1
    revisionHistoryLimit: 10
  containers:
    ports:
      - containerPort: 8000
        protocol: TCP
    args: []
    env: []
    volumeMounts:
      - mountPath: /tmp
        name: tmp-volume
    resources:
      requests:
        cpu: 100m
        memory: 200Mi
      limits:
        cpu: 250m
        memory: 400Mi
    livenessProbe:
      httpGet:
        scheme: HTTP
        path: /
        port: 8000
      initialDelaySeconds: 30
      timeoutSeconds: 30
  automountServiceAccountToken: true
  volumes:
    - name: tmp-volume
      emptyDir: {}
  nodeSelector: {}
  labels: {}
  annotations: {}
  serviceLabels: {}
  serviceAnnotations: {}
metrics-server:
  enabled: false
  args:
    - --kubelet-preferred-address-types=InternalIP
    - --kubelet-insecure-tls
kong:
  enabled: true
  env:
    dns_order: LAST,A,CNAME,AAAA,SRV
    plugins: 'off'
    nginx_worker_processes: 1
  ingressController:
    enabled: false
  manager:
    enabled: false
  dblessConfig:
    configMap: kong-dbless-config
  proxy:
    type: ClusterIP
    http:
      enabled: true
```
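- 4. Deploy Kubernetes Dashboard, passing the values.yaml file modified above. Here the author installs it into the kube-system namespace; you can install it into another namespace as needed.
```bash
# --install creates the release if it does not exist yet
helm upgrade --install k8s-dashboard ./kubernetes-dashboard/ --namespace kube-system -f values.yaml --debug --create-namespace
```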
- 5. Create a user for accessing Kubernetes Dashboard. Here a user named admin-user is created as the administrative user for managing the cluster.
Reference documentation for creating access permissions: https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md
```bash
# 1. Create the ServiceAccount and ClusterRoleBinding, granting admin privileges
cat <<'EOF' | kubectl apply -f -
# Creating a Service Account
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
EOF
cat <<'EOF' | kubectl apply -f -
# Creating a ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
EOF
# 2. Create a token for logging in to Kubernetes Dashboard (note: valid for 24H)
kubectl -n kube-system create token admin-user
# Output (truncated): eyJhbGciOiJSUzI1........*****......qaONP9w
# 3. Create a non-expiring token for the ServiceAccount
cat <<'EOF' | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: admin-user
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: "admin-user"
type: kubernetes.io/service-account-token
EOF
kubectl get secret admin-user -n kube-system -o jsonpath="{.data.token}" | base64 -d
```
Use the token generated above to log in to Kubernetes Dashboard. The login page looks like this:

Figure: Kubernetes Dashboard login page (weiyigeek.top)
- 6. Create a read-only user for viewing cluster resource information, intended for certain situations. You can of course narrow this down to the resources of specific namespaces; here the author allows global (read-only) browsing.
```bash
# Create the ServiceAccount, ClusterRole and ClusterRoleBinding, granting read-only privileges
cat <<'EOF' | kubectl apply -f -
# Creating a Service Account
apiVersion: v1
kind: ServiceAccount
metadata:
  name: view-user
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: global-view
rules:
- apiGroups: ["*"]                 # match all API groups
  resources: ["*"]                 # match all resources
  verbs: ["get", "list", "watch"]  # allow read operations only
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: view-user-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: global-view
subjects:
- kind: ServiceAccount
  name: view-user
  namespace: kube-system
EOF
# Create a temporary access token for logging in to Kubernetes Dashboard (note: valid for 24H)
kubectl -n kube-system create token view-user
# Output (masked): eyJhbGciOiJSUzI1Ni****M8NEGKuKtWUPz9yjiAWKohWaV3M5tgZQJAQFpLfr0G8F-1dz5-0ZRy0-jy_gbLTDwUgsldlw
```
- 7. Check the Kubernetes Dashboard services and expose an access address with ingress-nginx. Creating the TLS secret is presumably familiar to everyone, so it is not repeated here:
```bash
# View the service information
kubectl get svc -n kube-system
# NAME                                                 TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
# k8s-dashboard-kong-proxy                             ClusterIP   10.96.27.85     <none>        80/TCP,443/TCP   4d7h
# k8s-dashboard-kubernetes-dashboard-api               ClusterIP   10.96.92.63     <none>        8000/TCP         4d8h
# k8s-dashboard-kubernetes-dashboard-auth              ClusterIP   10.96.112.178   <none>        8000/TCP         4d8h
# k8s-dashboard-kubernetes-dashboard-metrics-scraper   ClusterIP   10.96.51.74     <none>        8000/TCP         4d8h
# k8s-dashboard-kubernetes-dashboard-web               ClusterIP   10.96.17.199    <none>        8000/TCP         4d8h
# Create the ingress rule to expose the access address
vim ingress.yaml
```
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    ingressclass.kubernetes.io/is-default-class: "true"
    nginx.ingress.kubernetes.io/client-body-buffer-size: 50m
    nginx.ingress.kubernetes.io/proxy-body-size: 50m
    nginx.ingress.kubernetes.io/proxy-buffer-size: 50m
    nginx.ingress.kubernetes.io/proxy-buffering: "on"
    nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
    nginx.ingress.kubernetes.io/proxy-connect-timeout: 60s
    nginx.ingress.kubernetes.io/proxy-read-timeout: 120s
    nginx.ingress.kubernetes.io/proxy-send-timeout: 120s
    nginx.ingress.kubernetes.io/rewrite-target: /$2
  labels:
    app: manager
    ref: manager
    url: manager.weiyigeek.top
  name: manager-sec
  namespace: kube-system
spec:
  ingressClassName: nginx
  rules:
  - host: manager.weiyigeek.top
    http:
      paths:
      - backend:
          service:
            name: k8s-dashboard-kong-proxy
            port:
              number: 80
        path: /dashboard(/|$)(.*)
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - manager.weiyigeek.top
    secretName: ssl-weiyigeek-top
```
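Open https://manager.weiyigeek.top/dashboard in a browser and enter the token credential to reach the Kubernetes Dashboard 7.10.x management interface, shown below:

Figure: K8s Dashboard 7.10.x management interface (weiyigeek.top)
Manage the Deployments, StatefulSets, DaemonSets, Pods and other resources that have been created, as shown below:

Figure: Resource management (weiyigeek.top)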
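The `global-view` ClusterRole from step 6 matches every resource, which includes Secrets such as the `admin-user` token Secret created in step 5, so it is worth checking what a "read-only" binding actually exposes. The Python check below is an added example, not code from the original article; it runs over constructed JSON in the shape of `kubectl get clusterrole,clusterrolebinding -o json`, and `scoped-view` is a hypothetical narrower role.

```python
import json

READ_VERBS = {"get", "list", "watch"}

# Constructed input in the shape of `kubectl get clusterrole,clusterrolebinding -o json`.
# global-view and view-user-binding mirror step 6; scoped-view is a hypothetical alternative.
SAMPLE = json.loads('''
{"items": [
 {"kind": "ClusterRole", "metadata": {"name": "global-view"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "scoped-view"},
  "rules": [{"apiGroups": ["", "apps"],
             "resources": ["pods", "pods/log", "services", "events", "deployments"],
             "verbs": ["get", "list", "watch"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "view-user-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "global-view"},
  "subjects": [{"kind": "ServiceAccount", "name": "view-user", "namespace": "kube-system"}]}
]}
''')

def matches(values, wanted):
    """RBAC list semantics: "*" matches anything, otherwise exact match."""
    return "*" in values or wanted in values

def secret_read_verbs(role):
    """Read verbs a role grants on all core-group Secrets (empty list if none)."""
    granted = set()
    for rule in role.get("rules") or []:
        if rule.get("resourceNames"):  # limited to named objects, not a blanket grant
            continue
        core_group = matches(rule.get("apiGroups", []), "")
        if core_group and matches(rule.get("resources", []), "secrets"):
            verbs = set(rule.get("verbs", []))
            granted |= READ_VERBS if "*" in verbs else READ_VERBS & verbs
    return sorted(granted)

def exposed_subjects(items):
    """List (subject, role, verbs) for each cluster-wide binding that can read Secrets."""
    roles = {i["metadata"]["name"]: i for i in items if i["kind"] == "ClusterRole"}
    findings = []
    for binding in (i for i in items if i["kind"] == "ClusterRoleBinding"):
        role_name = binding["roleRef"]["name"]
        verbs = secret_read_verbs(roles.get(role_name, {}))
        for s in (binding.get("subjects") or []) if verbs else []:
            who = f'{s["kind"]}:{s.get("namespace", "")}/{s["name"]}'
            findings.append((who, role_name, verbs))
    return findings

if __name__ == "__main__":
    for who, role, verbs in exposed_subjects(SAMPLE["items"]):
        print(f"{who} can {','.join(verbs)} Secrets cluster-wide via {role}")
```

Kubernetes' built-in `view` ClusterRole leaves Secrets out for this reason and can be bound to `view-user` in place of a wildcard rule.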
That completes the walkthrough; I hope this article is helpful.

