
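Preface
- I hit a great many pitfalls along the way, caused by network problems, version problems, certificate problems, and so on.
Analysis
- Download the official file
- Modify the official file
- Configure the certificate
- Pull the image locally and set the master as the deployment node
- Start kubernetes-dashboard
- Log in through the web page
- Grant administrator rights
- View the logs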
Dashboard deployment process
Download the official file
- Modify the official file
```bash
wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta4/aio/deploy/recommended.yaml
```
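Modify the official file
- Certificate problem
```yaml
#---
## Because of a certificate problem, only Firefox could open the page; replacing the certificate lets every browser open it
#apiVersion: v1
#kind: Secret
#metadata:
#  labels:
#    k8s-app: kubernetes-dashboard
#  name: kubernetes-dashboard-certs # this name is used when creating the certificate secret
#  namespace: kubernetes-dashboard # the certificate secret is created in this namespace
#type: Opaque
```
The name matters: it is used when generating the certificate below.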
- Changes related to pulling the image
```yaml
    spec:
      nodeSelector: # selects which node the pod is deployed on
        type: master # master
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.0.0-beta4
          #imagePullPolicy: Always # original pull policy, commented out
          imagePullPolicy: IfNotPresent # pull only if the image is not present locally
```
[Figure: image-related settings]
- Settings for exposing the port
```yaml
---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort # set to NodePort
  ports:
    - port: 443
      nodePort: 30001 # random if unset; this port if set
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
```
Configure the certificate
```bash
# Create a directory for the certificate files
mkdir key && cd key
# Check whether the kubernetes-dashboard namespace exists
kubectl get namespaces
# If the namespace does not exist, create it
kubectl create namespace kubernetes-dashboard
# Generate the key
openssl genrsa -out dashboard.key 2048
# Generate the certificate signing request
openssl req -new -out dashboard.csr -key dashboard.key -subj '/CN=192.168.100.10'
# Generate the self-signed certificate
# (-days only takes effect when the certificate is signed, so it is set here rather than on the request)
openssl x509 -req -days 36000 -in dashboard.csr -signkey dashboard.key -out dashboard.crt
# Directory contents
[root@k8smaster key]# ll
total 12
-rw-r--r-- 1 root root 1001 Oct 23 22:21 dashboard.crt
-rw-r--r-- 1 root root  903 Oct 23 22:20 dashboard.csr
-rw-r--r-- 1 root root 1679 Oct 23 22:20 dashboard.key
# Create the secret from the self-signed certificate
kubectl create secret generic kubernetes-dashboard-certs --from-file=dashboard.key --from-file=dashboard.crt -n kubernetes-dashboard
```
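The certificate above names the host only in CN, while current browsers match the address against subjectAltName, and the listing shows dashboard.key readable by every local user. The following is an added example, not part of the original post, that issues the certificate with an IP SAN and an owner-only key and then checks both; the function names, the 365-day default and the requirement for OpenSSL 1.1.1 or newer are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post): self-signed dashboard
# certificate with a subjectAltName and an owner-only private key.
# Assumes OpenSSL 1.1.1 or newer (-addext / -ext).

# make_dashboard_cert <ip> <dir> [days]  (365 days is an assumed default)
make_dashboard_cert() {
  ip=$1; dir=$2; days=${3:-365}
  mkdir -p "$dir" || return 1
  (
    umask 077  # new files get mode 0600, not the 0644 seen in the listing
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
      -subj "/CN=$ip" -addext "subjectAltName=IP:$ip" \
      -keyout "$dir/dashboard.key" -out "$dir/dashboard.crt" 2>/dev/null
  )
}

# cert_has_ip_san <crt> <ip>: succeeds only when <ip> is an exact IP SAN entry.
cert_has_ip_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' | sed 's/^ *//' | grep -Fxq "IP Address:$2"
}

# key_mode <file>: permission string of the file, e.g. -rw-------
key_mode() {
  ls -l "$1" | cut -c1-10
}

# cert_valid_for <crt> <seconds>: succeeds if the certificate is still valid
# that many seconds from now.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Stand-alone use: sh dashboard-cert.sh 192.168.100.10 ./key
if [ "$#" -ge 2 ]; then
  make_dashboard_cert "$1" "$2" || exit 1
  cert_has_ip_san "$2/dashboard.crt" "$1" && echo "SAN present for $1"
  echo "key mode: $(key_mode "$2/dashboard.key")"
fi
```

The resulting dashboard.key and dashboard.crt go into the kubernetes-dashboard-certs secret with the same `kubectl create secret generic` command shown above.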
Set the label on the master node and pull the image
```bash
# Set the node-selector label on the master node
kubectl label node k8smaster type=master
# Pull the image
docker pull kubernetesui/dashboard:v2.0.0-beta4
```
Start
```bash
kubectl apply -f recommended.yaml
```
Check
```bash
# Check that the pod and service are running normally
[root@k8smaster 1]# kubectl get pod,svc -n kubernetes-dashboard -o wide
NAME                                             READY   STATUS    RESTARTS   AGE     IP            NODE        NOMINATED NODE   READINESS GATES
pod/dashboard-metrics-scraper-566cddb686-7csmx   1/1     Running   0          2m16s   10.244.2.15   k8snode1    <none>           <none>
pod/kubernetes-dashboard-75d8b49cf6-fcn6v        1/1     Running   0          2m17s   10.244.0.19   k8smaster   <none>           <none>

NAME                                TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE     SELECTOR
service/dashboard-metrics-scraper   ClusterIP   10.110.92.64     <none>        8000/TCP        2m16s   k8s-app=dashboard-metrics-scraper
service/kubernetes-dashboard        NodePort    10.101.171.115   <none>        443:30001/TCP   2m17s   k8s-app=kubernetes-dashboard
[root@k8smaster 1]# kubectl describe pod kubernetes-dashboard-75d8b49cf6-fcn6v -n kubernetes-dashboard
Name:         kubernetes-dashboard-75d8b49cf6-fcn6v
Namespace:    kubernetes-dashboard
Priority:     0
Node:         k8smaster/192.168.100.10
Start Time:   Wed, 23 Oct 2019 22:31:49 -0400
Labels:       k8s-app=kubernetes-dashboard
              pod-template-hash=75d8b49cf6
... ... omitted ... ...
Events:
  Type    Reason     Age        From                 Message
  ----    ------     ----       ----                 -------
  Normal  Scheduled  <unknown>  default-scheduler    Successfully assigned kubernetes-dashboard/kubernetes-dashboard-75d8b49cf6-fcn6v to k8smaster
  Normal  Pulled     3m1s       kubelet, k8smaster   Container image "kubernetesui/dashboard:v2.0.0-beta4" already present on machine
  Normal  Created    3m1s       kubelet, k8smaster   Created container kubernetes-dashboard
  Normal  Started    3m         kubelet, k8smaster   Started container kubernetes-dashboard
# View
```
Log in through the web page
[Screenshot: opening in the browser]
[Screenshot: the login page]
Log in as the default user
```bash
# Get the token
kubectl describe secrets $(kubectl get secrets -n kubernetes-dashboard | awk '/kubernetes-dashboard-token/{print $1}' ) -n kubernetes-dashboard |sed -n '/token:.*/p'
# Log in with this token
```
The default user has insufficient permissions
[Screenshot: what the default user sees]
Grant administrator rights
```bash
# Create the service account
kubectl create serviceaccount dashboard-admin -n kubernetes-dashboard
# Bind it to the cluster administrator role
# (cluster-admin gives whoever holds this account's token full control of the cluster)
kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:dashboard-admin
# View the service accounts and secrets
[root@k8smaster ENV]# kubectl get sa,secrets -n kubernetes-dashboard
NAME                                  SECRETS   AGE
serviceaccount/dashboard-admin        1         32s
serviceaccount/default                1         33m
serviceaccount/kubernetes-dashboard   1         25m

NAME                                      TYPE                                  DATA   AGE
secret/dashboard-admin-token-rjk49        kubernetes.io/service-account-token   3      32s
secret/default-token-65rm4                kubernetes.io/service-account-token   3      33m
secret/kubernetes-dashboard-certs         Opaque                                2      33m
secret/kubernetes-dashboard-csrf          Opaque                                1      25m
secret/kubernetes-dashboard-key-holder    Opaque                                2      25m
secret/kubernetes-dashboard-token-696vq   kubernetes.io/service-account-token   3      25m
# View the token
kubectl describe secrets dashboard-admin-token-rjk49 -n kubernetes-dashboard
# Or get the token directly with the following command
kubectl describe secrets $(kubectl get secrets -n kubernetes-dashboard | awk '/dashboard-admin-token/{print $1}' ) -n kubernetes-dashboard |sed -n '/token:.*/p'
```
[Screenshot: administrator login]
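The dashboard-cluster-admin binding created above gives the holder of that token full control of the cluster, and the dashboard itself is reachable on NodePort 30001, so it is worth knowing exactly which service accounts hold cluster-admin. The following audit is an added example, not part of the original post; the jsonpath line format and the function names are this example's own choices, and the sample input is constructed.

```sh
#!/bin/sh
# Added example (not from the original post): report service accounts that
# hold cluster-admin through a ClusterRoleBinding.

# One line per binding: "<name> <role> <Kind>:<namespace>/<subject> ...".
# The jsonpath template is this example's own choice of format.
list_bindings() {
  kubectl get clusterrolebindings -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.roleRef.name}{range .subjects[*]}{" "}{.kind}{":"}{.namespace}{"/"}{.name}{end}{"\n"}{end}'
}

# Constructed sample in that format (not captured from a real cluster).
sample_bindings() {
  cat <<'EOF'
cluster-admin cluster-admin Group:/system:masters
dashboard-cluster-admin cluster-admin ServiceAccount:kubernetes-dashboard/dashboard-admin
kubernetes-dashboard kubernetes-dashboard ServiceAccount:kubernetes-dashboard/kubernetes-dashboard
ops-admins cluster-admin User:/alice ServiceAccount:ci/deployer
system:kube-dns system:kube-dns ServiceAccount:kube-system/kube-dns
EOF
}

# Reads binding lines on stdin and prints "<binding> <namespace>/<serviceaccount>"
# for every ServiceAccount subject of a binding whose role is cluster-admin.
find_admin_service_accounts() {
  awk '$2 == "cluster-admin" {
         for (i = 3; i <= NF; i++)
           if (index($i, "ServiceAccount:") == 1)
             print $1, substr($i, 16)   # strip the 15-character "ServiceAccount:" prefix
       }'
}

# Stand-alone run on the constructed sample.
sample_bindings | find_admin_service_accounts
```

Against a live cluster, run `list_bindings | find_admin_service_accounts`; `kubectl auth can-i --list --as=system:serviceaccount:kubernetes-dashboard:dashboard-admin` then shows what such a token is allowed to do. For read-only use of the dashboard, the built-in `view` ClusterRole can be bound in place of cluster-admin.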
- View the logs
```bash
kubectl logs -f kubernetes-dashboard-75d8b49cf6-fcn6v -n kubernetes-dashboard
```
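Afterword
- Feedback and discussion are welcome
- When necessary, consult the official documentation
Pitfalls
- Because of version differences, every step above can succeed and yet logging in as the authorized administrator returns a 404; version tested: 1.10.1
- Installing heapster
Because extensions/v1beta1 has been deprecated, a chain of problems follows. Official announcement - heapster issue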
Resource manifest after modification
```yaml
[root@k8smaster 1]# cat recommended.yaml
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard

---

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort
  ports:
    - port: 443
      nodePort: 30001
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard

#---
#
#apiVersion: v1
#kind: Secret
#metadata:
#  labels:
#    k8s-app: kubernetes-dashboard
#  name: kubernetes-dashboard-certs
#  namespace: kubernetes-dashboard
#type: Opaque

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
type: Opaque
data:
  csrf: ""

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
type: Opaque

---

kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
    # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      nodeSelector:
        type: master
      containers:
        - name: kubernetes-dashboard
          #image: registry.cn-hangzhou.aliyuncs.com/google_containers/dashboard:v2.0.0-beta4
          image: kubernetesui/dashboard:v2.0.0-beta4
          #imagePullPolicy: Always
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
    spec:
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.1
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
            - mountPath: /tmp
              name: tmp-volume
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}
```
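Author: 无处安放的躁动
Link: https://www.jianshu.com/p/f7ebd54ed0d1
Source: Jianshu
Copyright belongs to the author. For commercial reproduction, contact the author for authorization; for non-commercial reproduction, credit the source.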