Installing Kubernetes Dashboard and Its Pitfalls

1. Introduction

Kubernetes Dashboard is a general purpose, web-based UI for Kubernetes clusters. It allows users to manage applications running in the cluster and troubleshoot them, as well as manage the cluster itself.

A one-sentence introduction: Kubernetes Dashboard is the web UI of a k8s cluster, bringing together everything that can be done from the command line. The UI looks like this (note: it currently auto-detects the language and shows the Chinese version):

[screenshot: dashboard-ui.png]

2. Installation

Installing the k8s dashboard is very simple; just follow the guide on GitHub. The project address is:

https://github.com/kubernetes/dashboard

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

But installing it this way has a few problems:

  1. The image cannot be pulled directly from within China; you need to configure a Docker proxy before the image will download.
  2. The dashboard's default web UI certificate is auto-generated, and because of problems with its dates and name, Chrome and IE cannot open the login page. In testing, Firefox opens it fine.

2.1 Configuring the Docker proxy

The k8s dashboard Docker image is
k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.0
Before running kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml, set up the Docker proxy first.

The following script makes it easy to switch the Docker proxy on and off:

#!/bin/bash
# Toggle the Docker daemon's HTTPS proxy by editing docker.service.
# Must run as root; both "on" and "off" restart the Docker daemon.

# set this to your proxy address
proxy_ip="http://192.168.246.1:1080"
# set this to the address range that must bypass the proxy (your host/cluster network)
proxy_none_ip="192.168.0.0/16"

# Lines inserted before ExecStart= in docker.service. The trailing backslash
# lets sed's "i" command insert several lines at once. NO_PROXY must be one
# comma-separated list: a second NO_PROXY= line would replace the first, not add to it.
proxy='Environment="HTTPS_PROXY='${proxy_ip}'"\
Environment="NO_PROXY=127.0.0.0/8,'${proxy_none_ip}'"'
DOCKER_CONF="/usr/lib/systemd/system/docker.service"
#DOCKER_CONF="docker.service"
if [ ! -e "$DOCKER_CONF" ]; then
    echo "INFO: docker not installed ($DOCKER_CONF not found)"
    exit 2
fi
func_reload(){
    systemctl daemon-reload
    systemctl restart docker
    echo "INFO: docker reload finished"
}
func_proxy_on(){
    if grep -q PROXY "$DOCKER_CONF"; then
        echo "INFO: docker proxy may already be on:"
        echo ""
        grep PROXY "$DOCKER_CONF"
        echo ""
    else
        echo "INFO: docker proxy on"
        sed -i "/ExecStart/i${proxy}" "$DOCKER_CONF"
        func_reload
    fi
}

func_proxy_off(){
    if grep -q PROXY "$DOCKER_CONF"; then
        echo "INFO: docker proxy off"
        sed -i "/PROXY/d" "$DOCKER_CONF"
        func_reload
    else
        echo "INFO: docker proxy already off"
    fi
}

case "$1" in
    on)
      func_proxy_on
      ;;
    off)
      func_proxy_off
      ;;
    *)
      echo "usage: $(basename "$0") {on|off}"
      exit 1
      ;;
esac

Replace proxy_ip="http://192.168.246.1:1080" in the script above with your own proxy address, save it as dockersetproxy.sh, and make it executable with chmod +x dockersetproxy.sh.
Then run the kubectl apply -f https://...... command shown above.
If the image downloads successfully, docker image ls should show something like this:

[root@master ~]# docker image ls
REPOSITORY                              TAG                 IMAGE ID            CREATED             SIZE
k8s.gcr.io/kube-proxy                   v1.12.3             ab97fa69b926        2 weeks ago         96.5 MB
k8s.gcr.io/kube-apiserver               v1.12.3             6b54f7bebd72        2 weeks ago         194 MB
k8s.gcr.io/kube-controller-manager      v1.12.3             c79022eb8bc9        2 weeks ago         164 MB
k8s.gcr.io/kube-scheduler               v1.12.3             5e75513787b1        2 weeks ago         58.3 MB
k8s.gcr.io/etcd                         3.2.24              3cab8e1b9802        2 months ago        220 MB
k8s.gcr.io/coredns                      1.2.2               367cdc8433a4        3 months ago        39.2 MB
k8s.gcr.io/kubernetes-dashboard-amd64   v1.10.0             0dab2435c100        3 months ago        122 MB
quay.io/coreos/flannel                  v0.10.0-amd64       f0fad859c909        10 months ago       44.6 MB
k8s.gcr.io/pause                        3.1                 da86e6ba6ca1        11 months ago       742 kB

k8s.gcr.io/kubernetes-dashboard-amd64 is the downloaded Docker image.
Once the download finishes, the k8s dashboard should be up and running, but at this point we still cannot reach it.

2.2 Changing the Service to reach the k8s dashboard through a NodePort

Tip: since all of the following operations take place in the kube-system namespace, you can define an alias ksys=kubectl -n kube-system and then use ksys to work in that namespace.
The command: alias ksys='kubectl -n kube-system'

[root@master ~]# alias ksys='kubectl -n kube-system'
[root@master ~]# ksys get svc
NAME                   TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)         AGE
kube-dns               ClusterIP   10.96.0.10     <none>        53/UDP,53/TCP   15d
kubernetes-dashboard   ClusterIP   10.106.68.90   <none>        443/TCP         15s
[root@master ~]# 

As you can see, the kubernetes-dashboard Service is internal to the cluster and cannot be reached from outside. For easier access, we expose port 443 of kubernetes-dashboard as a NodePort.
Use ksys edit svc kubernetes-dashboard to edit the Service directly:

[root@master ~]# ksys edit svc kubernetes-dashboard

Find the type field and change ClusterIP to NodePort:

spec:
  clusterIP: 10.106.68.90
  ports:
  - port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  sessionAffinity: None
  type: ClusterIP ## <------ change to NodePort
status:
  loadBalancer: {}

Save and quit with :wq, then look at the Service again:

[root@master ~]# ksys get svc
NAME                   TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)         AGE
kube-dns               ClusterIP   10.96.0.10     <none>        53/UDP,53/TCP   15d
kubernetes-dashboard   NodePort    10.106.68.90   <none>        443:32248/TCP   4m41s
[root@master ~]# 

The NodePort is the randomly assigned port 32248. Check the node's IP address with ifconfig; this node's IP is 192.168.246.200:

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
        ether 02:42:3a:a2:76:1f  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.246.200  netmask 255.255.255.0  broadcast 192.168.246.255
        inet6 fe80::1d7c:9fdf:c738:7459  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:21:65:3b  txqueuelen 1000  (Ethernet)
        RX packets 10074  bytes 1051745 (1.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10716  bytes 7583211 (7.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Accessing it from Chrome, it unexpectedly cannot proceed, as shown below:

[screenshot]

Accessing it from the 360 browser fails outright:

[screenshot]

Testing IE, QQ Browser and others, none of them can access it either.
Testing with the curl command on the Windows machine confirms that the network and the port are reachable:

[screenshot]

Is there really no solution?
Trying Firefox again, it turns out the certificate was issued in January of the year 0001:

[screenshot]

After adding an exception, it actually opens normally.

[screenshot]

Is that the end of it? Looking at the certificate in Firefox, I suspect that the other browsers' inability to open the page is related to the certificate being expired.

[screenshot]

2.2 Fixing the expired-certificate problem

2.2.1 First, generate a certificate

Generating the certificate is simply a matter of creating a self-signed certificate with openssl; I won't go into detail, the steps are as follows:

[root@master keys]# pwd
/root/keys
[root@master keys]# ls
[root@master keys]# openssl genrsa -out dashboard.key 2048
Generating RSA private key, 2048 bit long modulus
.+++
.................................................+++
e is 65537 (0x10001)
[root@master keys]# openssl req -new -out dashboard.csr -key dashboard.key -subj '/CN=192.168.246.200'
[root@master keys]# ls
dashboard.csr  dashboard.key
[root@master keys]# 
[root@master keys]# openssl x509 -req -in dashboard.csr -signkey dashboard.key -out dashboard.crt 
Signature ok
subject=/CN=192.168.246.200
Getting Private key
[root@master keys]# 
[root@master keys]# ls
dashboard.crt  dashboard.csr  dashboard.key
[root@master keys]# 
[root@master keys]# openssl x509 -in dashboard.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            f0:8a:26:aa:9f:24:bf:92
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=192.168.246.200
        Validity
            Not Before: Dec 13 08:10:36 2018 GMT
            Not After : Jan 12 08:10:36 2019 GMT
        Subject: CN=192.168.246.200
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)

Now we have the certificate file dashboard.crt and the private key dashboard.key.
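An added example (not from the post): the same self-signed certificate generated with an explicit validity and an IP subjectAltName, since the certificate above has only a CN and, as its Not After line shows, expires after the 30-day openssl default. It assumes openssl is installed on the node and uses the post's node IP 192.168.246.200.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the dashboard's self-signed
# certificate as in section 2.2.1, but with an explicit validity (the post's
# "openssl x509 -req" output shows the 30-day default: Not After one month later)
# and the node IP as a subjectAltName, which Chrome requires since it ignores the
# CN. A config file is used instead of -addext so OpenSSL 1.0.x works too.
# Usage: gen_dashboard_cert <outdir> <node-ip> [days]
gen_dashboard_cert() {
    dir="$1"; ip="$2"; days="${3:-365}"
    mkdir -p "$dir"
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_san
prompt = no
[dn]
CN = $ip
[v3_san]
subjectAltName = IP:$ip
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # one step: fresh 2048-bit key (unencrypted: the dashboard reads it from the
    # Secret without a passphrase) plus a self-signed cert carrying the extensions
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -keyout "$dir/dashboard.key" -out "$dir/dashboard.crt" \
        -config "$dir/san.cnf" >/dev/null 2>&1 || return 1
    chmod 600 "$dir/dashboard.key"    # the private key is what the Secret protects
}

# Check a certificate the way the post does by eye in Firefox: SAN matches the
# node IP and it is currently valid; prints the expiry so it can be tracked.
check_dashboard_cert() {
    crt="$1"; ip="$2"
    openssl x509 -in "$crt" -noout -text | grep -q "IP Address:$ip" || return 1
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || return 2
    openssl x509 -in "$crt" -noout -enddate
}

# Then create the Secret exactly as in section 2.2.3 (needs a cluster), e.g.:
#   kubectl -n kube-system create secret generic kubernetes-dashboard-certs \
#       --from-file=dashboard.key --from-file=dashboard.crt
```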

2.2.2 Download and modify the YAML

Download the configuration file with:
wget https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

# ------------------- Dashboard Secret ------------------- #

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque
---
.................... (many lines omitted)
    spec:
      containers:
      - name: kubernetes-dashboard
        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.0
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --auto-generate-certificates
          # Uncomment the following line to manually specify Kubernetes API server Host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          # - --apiserver-host=http://my-address:port
        volumeMounts:
        - name: kubernetes-dashboard-certs   <----------- here you can see the secret is mounted at the /certs directory
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
.................... (irrelevant lines omitted)
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs <--- here you can see the secret is exposed as a volume
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard

So we need to create the secret ourselves and remove the Secret definition from the manifest. Delete the following block from the configuration file:

# ------------------- Dashboard Secret ------------------- #

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque

---

In the same configuration file you can also change the Service to the NodePort type and pin the access port.
Before:

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard

After:

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort
  ports:
    - port: 443
      nodePort: 30001
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
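The two edits above can be scripted instead of made by hand. The following added example (not from the post or the dashboard project) uses awk to drop the Secret document and pin the Service to NodePort 30001; sample_manifest writes a constructed, abbreviated copy of the manifest layout, only so the function can be tried offline.

```shell
#!/bin/sh
# Added example, not from the original post or the dashboard project: applies
# the two hand edits of section 2.2.2 to the downloaded kubernetes-dashboard.yaml
# (v1.10.0 layout) with awk, so they are repeatable: drop the
# "kubernetes-dashboard-certs" Secret document (section 2.2.3 creates that Secret
# from dashboard.key/dashboard.crt) and make the Service a NodePort with a fixed port.
# Usage: patch_dashboard_manifest in.yaml out.yaml [nodePort]
patch_dashboard_manifest() {
    in="$1"; out="$2"; port="${3:-30001}"
    awk -v port="$port" '
    # each YAML document is buffered; emit it unless it is the certs Secret
    function flush() {
        if (doc != "" && !(is_secret && is_certs)) printf "%s", doc
        doc = ""; is_secret = 0; is_certs = 0; is_svc = 0
    }
    /^---[[:space:]]*$/ { flush(); print; next }
    /^kind: Secret[[:space:]]*$/  { is_secret = 1 }
    /^kind: Service[[:space:]]*$/ { is_svc = 1 }
    /^  name: kubernetes-dashboard-certs[[:space:]]*$/ { is_certs = 1 }
    # the recommended manifest has no type: under the Service spec, so add one
    is_svc && /^spec:[[:space:]]*$/ { doc = doc $0 "\n  type: NodePort\n"; next }
    # pin the node port instead of letting the cluster pick a random one
    is_svc && /^    - port: 443[[:space:]]*$/ {
        doc = doc $0 "\n      nodePort: " port "\n"; next
    }
    { doc = doc $0 "\n" }
    END { flush() }' "$in" > "$out"
}

# Constructed, abbreviated stand-in for the real manifest (same layout as the post)
sample_manifest() {
    cat > "$1" <<'EOF'
# ------------------- Dashboard Secret ------------------- #
apiVersion: v1
kind: Secret
metadata:
  name: kubernetes-dashboard-certs
type: Opaque
---
kind: Service
apiVersion: v1
metadata:
  name: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
EOF
}
```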

2.2.3 Create the secret

Create a secret with the same name as the one we removed:
the name is kubernetes-dashboard-certs

[root@master keys]# ls
dashboard.crt  dashboard.csr  dashboard.key  kubernetes-dashboard.yaml
[root@master keys]# ksys create secret generic kubernetes-dashboard-certs --from-file=dashboard.key --from-file=dashboard.crt 
secret/kubernetes-dashboard-certs created
[root@master keys]# 
[root@master keys]# ksys get secret | grep dashboard
kubernetes-dashboard-certs                        Opaque                                2      25s
kubernetes-dashboard-key-holder                  Opaque                                2      25h
[root@master keys]# 
[root@master keys]# ksys describe secret kubernetes-dashboard-certs  
Name:         kubernetes-dashboard-certs
Namespace:    kube-system
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
dashboard.crt:  993 bytes
dashboard.key:  1675 bytes
[root@master keys]# 

As you can see, the secret has been created successfully.

2.2.4 Re-apply the YAML file

Apply the locally downloaded and modified YAML file, as shown below:

[root@master keys]# ls
dashboard.crt  dashboard.csr  dashboard.key  kubernetes-dashboard.yaml
[root@master keys]# 
[root@master keys]# 
[root@master keys]# kubectl apply -f kubernetes-dashboard.yaml 
serviceaccount/kubernetes-dashboard created
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
deployment.apps/kubernetes-dashboard created
service/kubernetes-dashboard created
[root@master keys]# 

Check the Service status:

[root@master keys]# ksys get svc
NAME                   TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)         AGE
kube-dns               ClusterIP   10.96.0.10     <none>        53/UDP,53/TCP   15d
kubernetes-dashboard   NodePort    10.111.32.20   <none>        443:30001/TCP   2m14s
[root@master keys]# 

Access it through the browser:

[screenshot]
[screenshot]

The certificate information now looks like this:

[screenshot]

The certificate information as viewed in Firefox:

[screenshot]

With that, the k8s dashboard deployment is complete.
