
The most detailed guide ever: installing and deploying Kubernetes Dashboard (with fixes for the RBAC, CERT and other problems in the official manifests)

2021-01-02 21:03:20

Tags: Kubernetes kubernetes RBAC yaml CERT mango dashboard k8s com



Official documentation: https://github.com/kubernetes/dashboard

Reference article: https://kuboard.cn/install/install-k8s-dashboard.html#

Preface

Kubernetes Dashboard is the official web UI for Kubernetes. With it you can:

  • Deploy containerized applications to a Kubernetes cluster

  • Troubleshoot containerized applications

  • Manage cluster resources

  • See which applications are running on the cluster

  • Create and modify Kubernetes resources (Deployments, Jobs, DaemonSets and so on)

  • Display errors that have occurred in the cluster

For example, you can scale a Deployment, perform a rolling update, restart a Pod or deploy a new application.

1. Fetch the YAML manifest for installing Kubernetes Dashboard

wget  https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.4/aio/deploy/recommended.yaml


When deployed with the defaults, Kubernetes Dashboard is configured with only a minimal set of RBAC permissions, so before it can be used to manage the cluster you have to create an identity to log in with and grant that identity rights.

Reference: https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md

2. Create a ServiceAccount

[@kube-test.master.mango.com ~/manifests/dashboard]# cat dashboard-sa.yaml

 

apiVersion: v1

kind: ServiceAccount

metadata:

  name: dashboard-admin

  namespace: kubernetes-dashboard 

3. Create a ClusterRoleBinding that grants the dashboard ServiceAccount the cluster-admin ClusterRole

cluster-admin is unrestricted access to every resource in every namespace, and the token of this ServiceAccount is what gets pasted into the browser in step 11, so treat that token like a root credential. This is acceptable for a test cluster such as the one used here; for anything shared or production-facing, bind a narrower ClusterRole (the built-in view role gives read-only access) or use per-namespace RoleBindings instead.

 

[@kube-test.master.mango.com ~/manifests/dashboard]# cat dashboard-clusterrolebinding.yaml

apiVersion: rbac.authorization.k8s.io/v1

kind: ClusterRoleBinding

metadata:

  name: dashboard-admin

roleRef:

  apiGroup: rbac.authorization.k8s.io

  kind: ClusterRole

  name: cluster-admin

subjects:

- kind: ServiceAccount

  name: dashboard-admin

  namespace: kubernetes-dashboard

4. Start the service

 

kubectl apply -f recommended.yaml -f dashboard-sa.yaml -f dashboard-clusterrolebinding.yaml

Each file needs its own -f: kubectl apply does not accept additional file names as positional arguments and exits with an "Unexpected args" error if they are given that way.

5. Access

Change spec.type of the Service kubernetes-dashboard in the kubernetes-dashboard namespace to NodePort, so that the dashboard can be opened in a browser from outside the cluster. Note that a NodePort is reachable on the address of every node by anyone who can route to it; outside a lab cluster restrict it with a firewall, or reach the dashboard through kubectl port-forward or an authenticated ingress instead.

  • Method 1. Edit recommended.yaml

Change the Service section as follows (nodePort: 30001 can be omitted; if left out a random port is assigned, which you can look up after the Service is created with kubectl get svc -n kubernetes-dashboard):

 

kind: Service

apiVersion: v1

metadata:

  labels:

    k8s-app: kubernetes-dashboard

  name: kubernetes-dashboard

  namespace: kubernetes-dashboard

spec:

  type: NodePort

  ports:

    - port: 443

      targetPort: 8443

      nodePort: 30001

  selector:

    k8s-app: kubernetes-dashboard
  • Method 2. Patch the Service in place

 

kubectl -n kubernetes-dashboard patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}'

Now open https://ip:30001 in Chrome (ip is the address of any node).

Clearly the page cannot be opened normally. Older k8s versions may not have this problem, and adding an exception in Firefox may let you get past the certificate error, but here we fix it properly: issue a new self-signed certificate, rebuild the Secret and update the certificate the dashboard serves.

6. Fixing the certificate expiry problem

  • Issue a self-signed certificate for the dashboard

 

[@kube-test.master.mango.com ~]# (umask 077; openssl genrsa -out dashboard.key 2048)

[@kube-test.master.mango.com ~]# openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=mango/CN=dashboard"

[@kube-test.master.mango.com ~]# openssl x509 -req -in dashboard.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dashboard.crt -days 3650

(The original listing ran the openssl req command twice, the first time without -new; without -new, openssl req does not generate a CSR, so only the form above is needed.) ca.crt and ca.key are the CA that signs the certificate; the post does not say which CA this is. Two caveats: a browser only trusts the result if ca.crt is in its trust store, and Chrome matches the host name against the subjectAltName extension rather than the CN, so a certificate issued exactly as above (no SAN) still produces a name-mismatch warning in Chrome.
  • Edit the official recommended.yaml

Delete the Secret section:

 

---

apiVersion: v1

kind: Secret

metadata:

  labels:

    k8s-app: kubernetes-dashboard

  name: kubernetes-dashboard-certs

  namespace: kubernetes-dashboard

type: Opaque

---

While editing, also change the Service to NodePort (the same change as in step 5):

 

---

kind: Service

apiVersion: v1

metadata:

  labels:

    k8s-app: kubernetes-dashboard

  name: kubernetes-dashboard

  namespace: kubernetes-dashboard

spec:

  type: NodePort

  ports:

    - port: 443

      targetPort: 8443

      nodePort: 30001

  selector:

    k8s-app: kubernetes-dashboard

---

7. Redeploy the dashboard

 

kubectl apply -f recommended.yaml -f dashboard-sa.yaml -f dashboard-clusterrolebinding.yaml

8. Create the dashboard's Secret

The Deployment in recommended.yaml mounts this Secret as a volume, so with the Secret definition removed from the manifest the dashboard pod stays in ContainerCreating until the Secret below exists; create it immediately after (or before) step 7.

 

kubectl create secret generic kubernetes-dashboard-certs -n kubernetes-dashboard --from-file=dashboard.crt=./dashboard.crt --from-file=dashboard.key=./dashboard.key
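The following script is an added example and not code from the original post. It carries out steps 6 and 8 in one go with the two things the listing above leaves out: a subjectAltName on the certificate (Chrome rejects a certificate whose host name appears only in the CN) and a verification of the result before anything is loaded into the cluster. It assumes a dedicated CA generated on the spot rather than the unnamed ca.crt/ca.key of the post, and uses the placeholders dashboard.mango.com and 192.0.2.10 for the DNS name and node IP. install_dashboard_secret and show_served_cert need a cluster and are not run unless you call them.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Issues a serving certificate for Kubernetes Dashboard with a SAN, verifies it,
# and (optionally) loads it into the kubernetes-dashboard-certs Secret.
# Assumptions: a dedicated CA is created here (the post does not say where its
# ca.crt/ca.key come from); dashboard.mango.com and 192.0.2.10 are placeholders.
set -eu

# make_dashboard_cert DIR DNSNAME NODEIP
# Writes ca.key, ca.crt, dashboard.key, dashboard.csr, dashboard.crt into DIR.
make_dashboard_cert() {
  dir=$1; dns=$2; ip=$3
  mkdir -p "$dir"

  # 1. A dedicated CA. Keeping it separate from the cluster CA matters because a
  #    kubeadm API server also accepts client certificates signed by the cluster CA.
  (umask 077; openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null)
  openssl req -new -key "$dir/ca.key" -subj "/O=mango/CN=dashboard-ca" -out "$dir/ca.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

  # 2. Server key and CSR. The CN is kept for compatibility only; browsers match
  #    the URL against the SAN, not the CN.
  (umask 077; openssl genrsa -out "$dir/dashboard.key" 2048 2>/dev/null)
  openssl req -new -key "$dir/dashboard.key" -subj "/O=mango/CN=$dns" -out "$dir/dashboard.csr"

  # 3. Sign with a server-auth EKU and both a DNS and an IP SAN (https://ip:30001 needs the IP).
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s,IP:%s\n' \
    "$dns" "$ip" > "$dir/dashboard.ext"
  openssl x509 -req -in "$dir/dashboard.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 365 -extfile "$dir/dashboard.ext" -out "$dir/dashboard.crt" 2>/dev/null
}

# verify_dashboard_cert DIR DNSNAME NODEIP
# Returns 0 only if dashboard.crt chains to ca.crt and carries both SAN entries.
verify_dashboard_cert() {
  dir=$1; dns=$2; ip=$3
  openssl verify -CAfile "$dir/ca.crt" "$dir/dashboard.crt" >/dev/null 2>&1 || return 1
  san=$(openssl x509 -in "$dir/dashboard.crt" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1)
  case $san in
    *"DNS:$dns"*"IP Address:$ip"*) return 0 ;;
    *) return 1 ;;
  esac
}

# install_dashboard_secret DIR -- needs a cluster. Applying the dry-run output makes
# the command repeatable (a plain `create secret` fails if the Secret already exists).
install_dashboard_secret() {
  kubectl -n kubernetes-dashboard create secret generic kubernetes-dashboard-certs \
    --from-file=dashboard.crt="$1/dashboard.crt" --from-file=dashboard.key="$1/dashboard.key" \
    --dry-run=client -o yaml | kubectl apply -f -
}

# show_served_cert HOST PORT -- after redeploying, confirm the pod serves *this* certificate.
show_served_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

# Usage: sh dashboard-cert.sh ./certs dashboard.mango.com 192.0.2.10
if [ $# -eq 3 ]; then
  make_dashboard_cert "$1" "$2" "$3"
  if verify_dashboard_cert "$1" "$2" "$3"; then
    echo "dashboard.crt verified in $1; load it with: install_dashboard_secret $1"
  else
    echo "dashboard.crt failed verification" >&2; exit 1
  fi
fi
```

After the dashboard has been redeployed, show_served_cert node-ip 30001 prints the subject, issuer and validity of the certificate the pod actually presents; if it still shows the dashboard's auto-generated certificate, the Secret was not picked up and the pod has to be restarted.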

9. Check the Service status

 

[@kube-test.master.mango.com ~/manifests/dashboard]# kubectl get svc -n kubernetes-dashboard

NAME                        TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)         AGE

dashboard-metrics-scraper   ClusterIP   10.96.73.251   <none>        8000/TCP        58m

kubernetes-dashboard        NodePort    10.96.236.10   <none>        443:30001/TCP   58m

10. Open in the browser

https://ip:30001

The new certificate is still self-signed from the browser's point of view: unless ca.crt has been imported into the browser's trust store it will still warn, but Chrome normally lets you click through the warning for a certificate that is merely untrusted.

11. Obtain the login token

The Secret that the token controller created for the ServiceAccount holds a long-lived bearer token. (On Kubernetes 1.24 and later such Secrets are no longer created automatically, so the grep below finds nothing; there, request a short-lived token with the kubectl create token subcommand instead.)

 

[@kube-test.master.mango.com ~/manifests/dashboard]# kubectl describe secret -n kubernetes-dashboard $(kubectl get secret -n kubernetes-dashboard | grep dashboard-admin | awk '{print $1}')

Name:         dashboard-admin-token-n7795

Namespace:    kubernetes-dashboard

Labels:       <none>

Annotations:  kubernetes.io/service-account.name: dashboard-admin

              kubernetes.io/service-account.uid: 286e2ee6-b03d-4e65-a386-7b0a9d03d47d

Type:  kubernetes.io/service-account-token

Data

====

ca.crt:     1025 bytes

namespace:  20 bytes

token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tbjc3OTUiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMjg2ZTJlZTYtYjAzZC00ZTY1LWEzODYtN2IwYTlkMDNkNDdkIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmVybmV0ZXMtZGFzaGJvYXJkOmRhc2hib2FyZC1hZG1pbiJ9.koV8lmBHo49jj1Nzrp1CjyiAKuU_7vxYmdsxkQPpjAi-WyZ8IJt3Al85l07HNY48m9nK-3w1yDIPYxoXNDTLVO88enk1JMqmvXrsbeyGHOLm3z5SwS8W7mCP22JO_A9dFDupGQ26MIE0quJhQ0MkgzAGVRpRjrgFqY4upi8_2j6VISgcVS6tG-do6TBZrv2fv6VKhn0njJ4Y2oc3ZxU4_nd4_2tsoAQS9LtZrOUbiF8xmNVSyUFZGF7JxpeW1JFpAtbUruQUC0sPGKfJ9vSKeDlIF3QV9frw4v8J7Roi1IoavKfRmzfNbWtiiu3S59GDgd_w5mP9k9H6f1ryz69Zgg

Copy the token into the Token field of the login page. This is a legacy service-account token with no expiry: combined with the cluster-admin binding from step 3, anyone who obtains it has full control of the cluster until the Secret or the ServiceAccount is deleted, so keep it out of shell history, chat logs and screenshots.
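What is actually inside that token, read with nothing but coreutils; this is an added example and not part of the original post. Its sample input is the token printed above. Nothing is verified cryptographically (that is the API server's job); the point is to look at the claims that matter operationally before using the token: who it is (sub), where it lives, and whether it ever expires. mint_short_lived_token is the Kubernetes 1.24+ alternative, needs a cluster, and is not run by the script.

```shell
#!/bin/sh
# Added example, not code from the original post: read the claims of a
# service-account token with coreutils only, before pasting it into the
# Dashboard login form. The signature is NOT verified (the API server does
# that); this is an inspection aid. SAMPLE_TOKEN is the token printed by
# `kubectl describe secret` in the post.
set -eu

SAMPLE_TOKEN='eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tbjc3OTUiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMjg2ZTJlZTYtYjAzZC00ZTY1LWEzODYtN2IwYTlkMDNkNDdkIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmVybmV0ZXMtZGFzaGJvYXJkOmRhc2hib2FyZC1hZG1pbiJ9.koV8lmBHo49jj1Nzrp1CjyiAKuU_7vxYmdsxkQPpjAi-WyZ8IJt3Al85l07HNY48m9nK-3w1yDIPYxoXNDTLVO88enk1JMqmvXrsbeyGHOLm3z5SwS8W7mCP22JO_A9dFDupGQ26MIE0quJhQ0MkgzAGVRpRjrgFqY4upi8_2j6VISgcVS6tG-do6TBZrv2fv6VKhn0njJ4Y2oc3ZxU4_nd4_2tsoAQS9LtZrOUbiF8xmNVSyUFZGF7JxpeW1JFpAtbUruQUC0sPGKfJ9vSKeDlIF3QV9frw4v8J7Roi1IoavKfRmzfNbWtiiu3S59GDgd_w5mP9k9H6f1ryz69Zgg'

# Decode one base64url segment of a JWT (header or payload). JWT segments are
# unpadded, so restore the '=' padding before handing them to base64.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Print the claims (payload) JSON of a JWT.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Print a string-valued claim by name (empty if absent). Claim names may contain
# '/' and '.', hence the '|' delimiter in sed.
jwt_claim() {
  jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# Exit status 0 if the claim is present with any value type.
jwt_has_claim() {
  jwt_payload "$1" | grep -q "\"$2\":"
}

# Legacy Secret-based tokens carry no `exp` claim and stay valid until the Secret
# (or the ServiceAccount) is deleted; bound tokens from `kubectl create token` expire.
jwt_token_kind() {
  if jwt_has_claim "$1" exp; then
    echo "bound token, expires"
  else
    echo "legacy token, never expires"
  fi
}

# mint_short_lived_token [DURATION] -- Kubernetes 1.24+ alternative to reading the
# Secret: a token that carries an exp claim. Needs a cluster; not run by this script.
mint_short_lived_token() {
  kubectl -n kubernetes-dashboard create token dashboard-admin --duration="${1:-1h}"
}

echo "subject:   $(jwt_claim "$SAMPLE_TOKEN" sub)"
echo "namespace: $(jwt_claim "$SAMPLE_TOKEN" kubernetes.io/serviceaccount/namespace)"
echo "secret:    $(jwt_claim "$SAMPLE_TOKEN" kubernetes.io/serviceaccount/secret.name)"
echo "kind:      $(jwt_token_kind "$SAMPLE_TOKEN")"
```

The sub claim, system:serviceaccount:kubernetes-dashboard:dashboard-admin, is the identity the RBAC binding from step 3 refers to, and the absence of exp is what makes the token a standing credential rather than a session.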

Source: https://blog.csdn.net/sinat_28371057/article/details/112119607
