Digging into Kubernetes: Dashboard configuration

Hands-on

wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0/aio/deploy/recommended.yaml
mv recommended.yaml dashboard-deploy.yaml
kubectl apply -f dashboard-deploy.yaml

Check the running status

[root@node1 ~]# kubectl get pods -n kubernetes-dashboard
NAME READY STATUS RESTARTS AGE
dashboard-metrics-scraper-c79c65bb7-x9pgz 1/1 Running 0 88s
kubernetes-dashboard-56484d4c5-lflxh 1/1 Running 0 88s

[root@node2 ~]# kubectl get svc -n kubernetes-dashboard
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
dashboard-metrics-scraper ClusterIP 10.254.57.95 <none> 8000/TCP 3m26s
kubernetes-dashboard ClusterIP 10.254.14.214 <none> 443/TCP 3m26s

Accessing the dashboard

  1. Via the nginx Ingress.
  2. Via kubectl port-forward.

Accessing the dashboard through the nginx Ingress

cat > dashboard-ingress.yaml <<EOF
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: dashboard-deploy
  namespace: kubernetes-dashboard
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  rules:
  - host: dashboard.biglittleant.cn
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
EOF
kubectl apply -f dashboard-ingress.yaml

[root@node1 ~]# kubectl get ingress -n kubernetes-dashboard
NAME HOSTS ADDRESS PORTS AGE
dashboard-deploy dashboard.biglittleant.cn 192.168.66.11,192.168.66.12 80 4m33s

Open in the browser: https://dashboard.biglittleant.cn

Add a hosts entry for the name yourself, or verify the result with a command: curl -I https://dashboard.biglittleant.cn -x 192.168.66.11:80

Accessing the dashboard through port forward

Start the port forwarding:

[root@node2 ~]# kubectl port-forward -n kubernetes-dashboard  svc/kubernetes-dashboard 4443:443 --address 0.0.0.0
Forwarding from 0.0.0.0:4443 -> 8443
Handling connection for 4443

Open in the browser: https://192.168.66.12:4443/

If Chrome refuses to open the page, type these 11 characters directly on that page: thisisunsafe

Creating a login token and a kubeconfig file for the Dashboard

By default the dashboard only supports token authentication (client-certificate authentication is not supported), so if you want to use a kubeconfig file, the token must be written into that file.

Create the login token

# Create a ServiceAccount for the dashboard login
kubectl create sa dashboard-admin -n kube-system
# Bind it to the cluster-admin ClusterRole (full cluster permissions)
kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
# Find the token Secret that was generated for the ServiceAccount
ADMIN_SECRET=$(kubectl get secrets -n kube-system | grep dashboard-admin | awk '{print $1}')
# Read the bearer token out of the Secret
DASHBOARD_LOGIN_TOKEN=$(kubectl describe secret -n kube-system ${ADMIN_SECRET} | grep -E '^token' | awk '{print $2}')
echo ${DASHBOARD_LOGIN_TOKEN}

Log in to the Dashboard with the token that is printed.

Create a kubeconfig file that uses the token

# Run on node1
export KUBE_APISERVER=https://192.168.66.11:6443
# Set the cluster parameters
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/cert/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=dashboard.kubeconfig

# Set the client credentials, using the token created above
kubectl config set-credentials dashboard_user \
  --token=${DASHBOARD_LOGIN_TOKEN} \
  --kubeconfig=dashboard.kubeconfig

# Set the context parameters
kubectl config set-context default \
  --cluster=kubernetes \
  --user=dashboard_user \
  --kubeconfig=dashboard.kubeconfig

# Set the default context
kubectl config use-context default --kubeconfig=dashboard.kubeconfig
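The two steps above (reading the ServiceAccount token out of its Secret, then assembling a kubeconfig that carries that token with the CA embedded) can be done without parsing `kubectl describe` output: read the Secret as JSON and base64-decode `data.token`, then write the kubeconfig directly. The following Python is an added example written for this post, not the author's script and not part of the Dashboard project; the Secret JSON, the JWT-shaped token and the CA certificate in it are constructed stand-ins, and the helper names (`token_from_secret`, `build_kubeconfig`, `check_dashboard_kubeconfig`) are this example's own. The output is JSON, which kubectl accepts as a kubeconfig because JSON is valid YAML.

```python
import base64
import json


def _b64url(obj):
    """base64url without padding, as used inside a JWT (constructed token only)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed stand-ins: a JWT-shaped token with the claims a ServiceAccount token
# carries, a dummy CA certificate, and the JSON `kubectl get secret ... -o json`
# would print for the dashboard-admin token Secret. None of these are real.
FAKE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "kid": "constructed"}),
    _b64url({"iss": "kubernetes/serviceaccount",
             "kubernetes.io/serviceaccount/namespace": "kube-system",
             "kubernetes.io/serviceaccount/service-account.name": "dashboard-admin",
             "sub": "system:serviceaccount:kube-system:dashboard-admin"}),
    "signature-placeholder",
])
FAKE_CA_PEM = b"-----BEGIN CERTIFICATE-----\nMIIC...constructed...\n-----END CERTIFICATE-----\n"
SECRET_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "dashboard-admin-token-abcde", "namespace": "kube-system"},
    "type": "kubernetes.io/service-account-token",
    "data": {
        "token": base64.b64encode(FAKE_TOKEN.encode()).decode(),
        "ca.crt": base64.b64encode(FAKE_CA_PEM).decode(),
    },
})


def token_from_secret(secret_json: str) -> str:
    """Equivalent of: kubectl get secret <name> -o jsonpath='{.data.token}' | base64 -d"""
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("not a service-account token Secret")
    return base64.b64decode(secret["data"]["token"]).decode()


def token_subject(token: str) -> str:
    """Decode the JWT payload (no signature check) to see which ServiceAccount it represents."""
    _header, payload, _sig = token.split(".")
    pad = "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload + pad))
    return claims["sub"]


def build_kubeconfig(server: str, ca_pem: bytes, token: str, cluster="kubernetes",
                     user="dashboard_user", context="default") -> dict:
    """Same result as the kubectl config set-cluster/set-credentials/set-context/use-context run."""
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster, "cluster": {
            "server": server,
            # --embed-certs=true: the CA is inlined, so the file works on any machine
            "certificate-authority-data": base64.b64encode(ca_pem).decode(),
        }}],
        # Only a bearer token: the Dashboard does not use client certificates
        "users": [{"name": user, "user": {"token": token}}],
        "contexts": [{"name": context, "context": {"cluster": cluster, "user": user}}],
        "current-context": context,
    }


def check_dashboard_kubeconfig(cfg: dict) -> list:
    """Return the problems that would make the Dashboard reject or ignore this file."""
    problems = []
    user = cfg["users"][0]["user"]
    if "token" not in user:
        problems.append("no token: the Dashboard only authenticates with a token")
    if "client-certificate-data" in user or "client-key-data" in user:
        problems.append("client certificate present: unused by the Dashboard, exposes a key")
    if not cfg["clusters"][0]["cluster"]["server"].startswith("https://"):
        problems.append("server is not https")
    return problems


if __name__ == "__main__":
    token = token_from_secret(SECRET_JSON)
    print("token subject:", token_subject(token))
    cfg = build_kubeconfig("https://192.168.66.11:6443", FAKE_CA_PEM, token)
    print(json.dumps(cfg, indent=2))
    print("problems:", check_dashboard_kubeconfig(cfg))
```

The resulting file carries the ServiceAccount's bearer token in clear text, and with the cluster-admin binding from the previous step that token is full cluster access, so the kubeconfig needs the same handling as any admin credential.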

Log in to the Dashboard with the generated dashboard.kubeconfig.

[root@node1 ~]# sz -y dashboard.kubeconfig
rz
Starting zmodem transfer. Press Ctrl+C to cancel.
Transferring dashboard.kubeconfig...
100% 2 KB 2 KB/sec 00:00:01 0 Errors

The page after a successful login

[Image: dashboard-nodes]


Error roundup

k8s automatically starting the dashboard

Error: "dial tcp 10.0.0.1:443: getsockopt: no route to host"

Fix:

systemctl restart flanneld docker

Accessing the dashboard service through the Ingress

Clicking login does not redirect

Let me have a summary:
if you use recommend yaml to deploy dashboard, you should only access your dashboard by https, and you should generate your certs, refer to guide
then, you can run kubectl proxy --address='0.0.0.0' --accept-hosts='^*$' to visit dashboard on http://localhost:8001/ui. This page need to login use token, generate refer to this page. Also you can add NodePort to your yaml and access to it use :

if you deploy use http alternative method, you can only access your dashboard by :, remember to add it to yaml first!!
After deploy, you should also generate your token and add header Authorization: Bearer for every request.

The official wiki is a little bit confused so I reordered it here.

Solution: log in over HTTPS.