Binary installation of a k8s high-availability cluster, part 17: cluster add-ons, the dashboard

1. Modify the configuration files

Extract the downloaded kubernetes-server-linux-amd64.tar.gz, then extract the kubernetes-src.tar.gz it contains.
The dashboard manifests live in the directory cluster/addons/dashboard.

pwd
/home/k8s/k8s/kubernetes/cluster/addons/dashboard

cp dashboard-controller.yaml{,.orig}

# Change the image tag on line 33, and pre-pull the image with the tag you chose.
vim dashboard-controller.yaml

# Diff before and after the change
diff dashboard-controller.yaml{,.orig}
33c33
<         image: cnych/kubernetes-dashboard-amd64:v1.8.3
---
>         image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.8.3

cp dashboard-service.yaml{,.orig}

# Insert a line at line 11 that sets the Service type to NodePort.
vim dashboard-service.yaml

# Diff before and after the change
diff dashboard-service.yaml.orig dashboard-service.yaml
10a11
>   type: NodePort

Setting the Service type to NodePort lets clients outside the cluster reach the dashboard at nodeIP:nodePort.

2. Apply all the manifest files

ls *.yaml
dashboard-configmap.yaml  dashboard-controller.yaml  dashboard-rbac.yaml  dashboard-secret.yaml  dashboard-service.yaml

kubectl create -f  .

3. Check the assigned NodePort

kubectl get deployment kubernetes-dashboard  -n kube-system
NAME                   DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
kubernetes-dashboard   1         1         1            1           15h

kubectl --namespace kube-system get pods -o wide
NAME                                    READY     STATUS    RESTARTS   AGE       IP            NODE
coredns-77c989547b-j77lp                1/1       Running   0          15h       172.30.84.3   kube-node1
coredns-77c989547b-t6mxc                1/1       Running   0          15h       172.30.29.3   kube-node3
kubernetes-dashboard-5bb8d4d76c-8kkwt   1/1       Running   0          15h       172.30.84.5   kube-node1

kubectl get svc kubernetes-dashboard -n kube-system
NAME                   TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE
kubernetes-dashboard   NodePort   10.254.147.2   <none>        443:8605/TCP   15h
  • Port 443 of the dashboard pod is mapped by the NodePort to port 8605 on the node

The dashboard's --authentication-mode supports token and basic; the default is token. If basic is used, kube-apiserver must be started with the '--authorization-mode=ABAC' and '--basic-auth-file' flags.

4. List the command-line flags supported by the dashboard

kubectl exec --namespace kube-system -it kubernetes-dashboard-5bb8d4d76c-8kkwt  -- /dashboard --help
20XX/XX/XX XX:XX:XX Starting overwatch
Usage of /dashboard:
      --alsologtostderr                   log to standard error as well as files
      --apiserver-host string             The address of the Kubernetes Apiserver to connect to in the format of protocol://address:port, e.g., http://localhost:8080. If not specified, the assumption is that the binary runs inside a Kubernetes cluster and local discovery is attempted.
      --authentication-mode stringSlice   Enables authentication options that will be reflected on login screen. Supported values: token, basic. Default: token.Note that basic option should only be used if apiserver has '--authorization-mode=ABAC' and '--basic-auth-file' flags set. (default [token])
      --auto-generate-certificates        When set to true, Dashboard will automatically generate certificates used to serve HTTPS. Default: false.
      --bind-address ip                   The IP address on which to serve the --secure-port (set to 0.0.0.0 for all interfaces). (default 0.0.0.0)
      --default-cert-dir string           Directory path containing '--tls-cert-file' and '--tls-key-file' files. Used also when auto-generating certificates flag is set. (default "/certs")
      --disable-settings-authorizer       When enabled, Dashboard settings page will not require user to be logged in and authorized to access settings page.
      --enable-insecure-login             When enabled, Dashboard login view will also be shown when Dashboard is not served over HTTPS. Default: false.
      --heapster-host string              The address of the Heapster Apiserver to connect to in the format of protocol://address:port, e.g., http://localhost:8082. If not specified, the assumption is that the binary runs inside a Kubernetes cluster and service proxy will be used.
      --insecure-bind-address ip          The IP address on which to serve the --port (set to 0.0.0.0 for all interfaces). (default 127.0.0.1)
      --insecure-port int                 The port to listen to for incoming HTTP requests. (default 9090)
      --kubeconfig string                 Path to kubeconfig file with authorization and master location information.
      --log_backtrace_at traceLocation    when logging hits line file:N, emit a stack trace (default :0)
      --log_dir string                    If non-empty, write log files in this directory
      --logtostderr                       log to standard error instead of files
      --metric-client-check-period int    Time in seconds that defines how often configured metric client health check should be run. Default: 30 seconds. (default 30)
      --port int                          The secure port to listen to for incoming HTTPS requests. (default 8443)
      --stderrthreshold severity          logs at or above this threshold go to stderr (default 2)
      --system-banner string              When non-empty displays message to Dashboard users. Accepts simple HTML tags. Default: ''.
      --system-banner-severity string     Severity of system banner. Should be one of 'INFO|WARNING|ERROR'. Default: 'INFO'. (default "INFO")
      --tls-cert-file string              File containing the default x509 Certificate for HTTPS.
      --tls-key-file string               File containing the default x509 private key matching --tls-cert-file.
      --token-ttl int                     Expiration time (in seconds) of JWE tokens generated by dashboard. Default: 15 min. 0 - never expires (default 900)
  -v, --v Level                           log level for V logs
      --vmodule moduleSpec                comma-separated list of pattern=N settings for file-filtered logging
command terminated with exit code 2

5. Access the dashboard

For cluster security, since 1.7 the dashboard can only be accessed over HTTPS. When going through kubectl proxy, the proxy must listen on localhost or 127.0.0.1; NodePort has no such restriction, but it is recommended only for development environments.

When these conditions are not met, the browser does not redirect after a successful login and stays on the login page.

References: https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above https://github.com/kubernetes/dashboard/issues/2540

  • The kubernetes-dashboard Service exposes a NodePort, so the dashboard can be reached at https://NodeIP:NodePort;
  • via kube-apiserver;
  • via kubectl proxy:
    1) Accessing the dashboard via kubectl proxy (for reference)
    Start the proxy:
kubectl proxy --address='localhost' --port=8086 --accept-hosts='^*$'
Starting to serve on 127.0.0.1:8086
  • --address must be localhost or 127.0.0.1;
  • --accept-hosts must be specified, otherwise the browser shows "Unauthorized" when opening the dashboard page; the pattern '^*$' accepts any Host header, which is tolerable only because the proxy is bound to the loopback address.

Open this URL in the browser: http://127.0.0.1:8086/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy

2) Accessing the dashboard via kube-apiserver (the approach used here)
List the cluster service addresses:

kubectl cluster-info
Kubernetes master is running at https://172.68.96.110:8443
CoreDNS is running at https://172.68.96.110:8443/api/v1/namespaces/kube-system/services/coredns:dns/proxy
kubernetes-dashboard is running at https://172.68.96.110:8443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

The dashboard must be accessed through kube-apiserver's secure (https) port, and the browser must present a client certificate; otherwise kube-apiserver rejects the request.

Steps and references for creating and importing the client certificate:
A. Accessing the kube-apiserver secure port from the browser

Browser URL: https://xxxx:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ ; with VirtualBox port forwarding in place: http://127.0.0.1:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

Now access it directly using the address obtained from kubectl cluster-info above: https://xxxx:8443


6. Create a login token and a kubeconfig file for the Dashboard

As noted above, the Dashboard only supports token authentication by default, so if a kubeconfig file is used it must carry a token; client-certificate authentication is not supported.
1) Create the login token

The service account below is bound to cluster-admin, which gives anyone holding its token full control of the cluster; outside a lab, bind a ClusterRole limited to what dashboard users actually need. Note the namespace as well: the account is created in kube-system, whereas the describe output below was captured with the kubernetes-dashboard namespace (the one used by the v2 manifest in section 8), so query whichever namespace the account was actually created in.

kubectl create sa dashboard-admin -n kube-system
kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin

kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep dashboard-admin | awk '{print $1}')
Name:         dashboard-admin-token-r2kh8
Namespace:    kubernetes-dashboard
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: dashboard-admin
              kubernetes.io/service-account.uid: 834a0b4b-c002-4feb-98bd-d71bc710a9e2

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1099 bytes
namespace:  20 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6InZtMldLcU1ZalhLYVVhN293Y2k1TFUtWVc2ZkxzSkhxb0dKeFpERTV3TjgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tcjJraDgiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiODM0YTBiNGItYzAwMi00ZmViLTk4YmQtZDcxYmM3MTBhOWUyIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmVybmV0ZXMtZGFzaGJvYXJkOmRhc2hib2FyZC1hZG1pbiJ9.khLRLjAXwTLMYOcIAbhfMQw43sW8cYq4xU1h2tigFdFWg5gpXb6AfmWxh-CKi9fq2mvTa1j8O3VrYiCZ1mrwLLQOtZ4h9L-gXHopu0RQUYyBkapaFgbkz_WAVOZISPLOSI48vQrOKu_LayJwiCXOu1TrBdyTr9SOjJFthcmCP_8T2-xelHOGOTts4n3ldWl_5lhs5IcvxzKVmHxJuB_KtUZjYDCSUD4iJwnrkTfhKgAmf5CU8MAL7-VZCP_QSZcVEmCCiH4dFMq3h1fzzus4P-0esBROrkQmgXr30NEn7WDtzCyjQM1xgGP4uN2LSLfhWU1pPS3-3c0wbTVXzGI_dA

On the dashboard login page shown earlier, choose Token and paste in the token printed above.
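The token printed above is a JSON Web Token (compact JWS). The following added example, which is not part of the original post, decodes a constructed token with the same claim layout without verifying the signature and reports the namespace, the service account and whether the token carries an expiry; legacy secret-based service-account tokens like the one above have no exp claim and stay valid until the Secret is deleted. The function names and the sample token are my own assumptions.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    # base64url without padding, as used by JWT segments
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed sample token with the same claim layout as the service-account
# token shown above (a legacy secret-based token, so no "exp" claim). The
# signature segment is a placeholder; this token would not verify anywhere.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode()),
    _b64url(json.dumps({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "kube-system",
        "kubernetes.io/serviceaccount/secret.name": "dashboard-admin-token-xxxxx",
        "kubernetes.io/serviceaccount/service-account.name": "dashboard-admin",
        "sub": "system:serviceaccount:kube-system:dashboard-admin",
    }).encode()),
    _b64url(b"placeholder-signature"),
])

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_unverified(token: str):
    """Return (header, claims) of a compact JWS. Does NOT check the signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))

def inspect_sa_token(token: str) -> dict:
    """Summarise a Kubernetes service-account token for a privilege review."""
    header, claims = decode_jwt_unverified(token)
    prefix = "kubernetes.io/serviceaccount/"
    return {
        "alg": header.get("alg"),
        "namespace": claims.get(prefix + "namespace"),
        "service_account": claims.get(prefix + "service-account.name"),
        "subject": claims.get("sub"),
        # Legacy secret-based tokens carry no "exp": they remain valid until the
        # Secret is deleted, so a leaked one is a standing credential.
        "expires": "exp" in claims,
    }
```

Run inspect_sa_token on a real token copied from kubectl describe secret to see which account and namespace it grants, and whether it ever expires.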


Click Sign in to reach the home page.


2) Create a kubeconfig file that uses the token

source /opt/k8s/bin/environment.sh

# Set the cluster parameters
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/cert/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=dashboard.kubeconfig
# Set the client credentials using the token created above. DASHBOARD_LOGIN_TOKEN
# must hold that token; one way to read it from the service-account secret
# (use the namespace the account was created in):
DASHBOARD_LOGIN_TOKEN=$(kubectl -n kube-system get secret \
  $(kubectl -n kube-system get sa dashboard-admin -o jsonpath='{.secrets[0].name}') \
  -o jsonpath='{.data.token}' | base64 -d)
kubectl config set-credentials dashboard_user \
  --token=${DASHBOARD_LOGIN_TOKEN} \
  --kubeconfig=dashboard.kubeconfig
# Set the context parameters
kubectl config set-context default \
  --cluster=kubernetes \
  --user=dashboard_user \
  --kubeconfig=dashboard.kubeconfig
# Set the default context
kubectl config use-context default --kubeconfig=dashboard.kubeconfig

Download the dashboard.kubeconfig generated above to your workstation, then on the login page choose the Kubeconfig option, import that file, and click Sign in to enter the Dashboard.


Because the Heapster add-on is not installed, the dashboard cannot currently display CPU and memory statistics or charts for Pods and Nodes.

7. References

https://github.com/kubernetes/dashboard/wiki/Access-control
https://github.com/kubernetes/dashboard/issues/2558
https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/

8. Adding a parameter to the dashboard configuration to switch the language from English to Chinese

---
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.0.0-beta5
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          # Set the UI language: zh for Chinese, en for English (a single value only)
          env:
            - name: ACCEPT_LANGUAGE
              value: zh           # Chinese; use en for English
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
.......

Redeploy with the Deployment.yaml file:

kubectl apply -f Deployment.yaml