Background
If you want to manage and monitor a k8s cluster visually, kubernetes-dashboard is the usual choice. The dashboard provides a web UI that shows the state of the Kubernetes cluster and lets you operate on it from the page, which makes day-to-day management of a k8s cluster much easier.
The dashboard login page offers two ways to sign in: a kubeconfig file or a bearer token (both go over the dashboard's HTTPS endpoint; there is no plain-HTTP login). This post covers token access.
Token access needs no separate username or password: the service-account token is the credential. That is convenient, but it also means anyone who obtains the token gets every permission the service account has, so handle it like a root password.
1. Download the dashboard YAML manifest from the official repository and adapt it.
# upstream version: https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
2. Edit the YAML and replace the image with one your nodes can pull, for example:
image: registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
Use whichever mirror is reachable from your cluster. If it is not the upstream registry, compare the mirrored image's digest with the upstream k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1 before deploying it: a UI that will run with cluster-admin rights (see step 4) pulled from an unverified mirror is a supply-chain risk.
3. Change the Service to NodePort so the dashboard can be reached on a node IP. This publishes port 31620 on every node, so make sure only admin networks can reach that port:
# ------------------- Dashboard Service ------------------- #
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort      # added: type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 31620  # added: nodePort: 31620
  selector:
    k8s-app: kubernetes-dashboard
4. In the official manifest the kubernetes-dashboard ServiceAccount is bound to the Role kubernetes-dashboard-minimal, which only covers the dashboard's own housekeeping (its settings ConfigMap and key-holder Secret). If you sign in with that account's token, the UI therefore reports permission errors such as "configmaps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard"". The shortcut taken here is to replace the Role/RoleBinding with a ClusterRoleBinding to cluster-admin (note the API version: rbac.authorization.k8s.io/v1 has existed since Kubernetes 1.8, and v1beta1 was removed in 1.22):
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
Be aware of what this does: the dashboard pod itself now runs as cluster-admin, and the token fetched in step 6 becomes a non-expiring cluster-admin credential exposed through a NodePort. The dashboard acts with the permissions of the token you log in with, not with its own, so the safer pattern is to leave the dashboard's account on its minimal Role and sign in with a separate ServiceAccount bound to the built-in view ClusterRole (or to cluster-admin only if you really need write access from the UI).
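An alternative to handing the dashboard's own account cluster-admin, added here as an example and not part of the original post: leave the upstream Role/RoleBinding in place and create a separate account just for logging in. The ServiceAccount name dashboard-viewer is an assumption; view is one of Kubernetes' built-in ClusterRoles and grants read access to most namespaced resources (but not Secrets), which is enough to browse the dashboard.

```yaml
# Added example, not part of the original post: a dedicated read-only login
# account. The dashboard's own ServiceAccount keeps the kubernetes-dashboard-minimal
# Role from the upstream manifest; only this account's token is typed into the UI.
# The name "dashboard-viewer" is an assumption; "view" is a built-in ClusterRole.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-viewer
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-viewer
subjects:
  - kind: ServiceAccount
    name: dashboard-viewer
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: view          # read-only; bind a separate account to cluster-admin if you need writes
  apiGroup: rbac.authorization.k8s.io
```

Fetch this account's token the same way as in step 6 (its Secret is named dashboard-viewer-token-<suffix> on clusters before 1.24; on 1.24 and later run kubectl -n kube-system create token dashboard-viewer) and paste it into the login form. Pages the account may not read, such as Secrets, show a forbidden message, which is the intended behaviour.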
5. On the master, create the dashboard from kubernetes-dashboard.yaml:
kubectl create -f kubernetes-dashboard.yaml
6. Get the dashboard token. On clusters before Kubernetes 1.24 the controller manager creates a Secret named kubernetes-dashboard-token-<suffix> for the ServiceAccount, and the one-liner below pulls the token out of it:
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep kubernetes-dashboard-token | awk '{print $1}') | grep token: | awk '{print $2}'
From 1.24 onward that Secret is no longer created automatically; request a short-lived token instead with kubectl -n kube-system create token kubernetes-dashboard.
7. Open the node address and service port in Firefox (https://10.1.245.239:31620/#!/login), paste the token from step 6 into the Token field and click Sign in to reach the dashboard.
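The pipeline in step 6 hands you a long opaque string. As an added example, not part of the original post, the script below shows how to pull the token out of kubectl describe secret output the same way and, before pasting it into the login form, decode its claims to see which identity it grants. The describe output and the token's payload are constructed here; the signature segment is a dummy and is not verified (only the API server can do that). It needs only a POSIX shell and coreutils.

```shell
#!/bin/sh
# Added example, not from the original post: extract a service-account token
# from "kubectl describe secret" output and decode its JWT payload to confirm
# which identity (and which expiry, if any) it carries before using it.
set -e

# token_from_describe: reads "kubectl describe secret ..." output on stdin and
# prints the value of the "token:" data line (the post's grep/awk pipeline).
token_from_describe() {
    grep '^token:' | awk '{print $2}'
}

# b64url_encode STRING: base64url without padding, as used in JWT segments.
b64url_encode() {
    printf '%s' "$1" | base64 | tr -d '=\n' | sed 'y|+/|-_|'
}

# b64url_decode STRING: reverse of the above; re-adds the '=' padding that
# base64 -d expects.
b64url_decode() {
    s=$(printf '%s' "$1" | sed 'y|-_|+/|')
    while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
    printf '%s' "$s" | base64 -d
}

# jwt_payload TOKEN: decoded JSON of the second (claims) segment.
# Nothing here checks the signature; that is the API server's job.
jwt_payload() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# jwt_claim TOKEN NAME: value of a string-valued claim, empty if absent.
jwt_claim() {
    jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# jwt_has_claim TOKEN NAME: exit 0 if the claim is present (any type).
jwt_has_claim() {
    jwt_payload "$1" | grep -q "\"$2\":"
}

# Constructed sample: a legacy (Secret-based) service-account token with the
# same header the post shows and a made-up signature segment. Tokens of this
# kind carry no "exp" claim, which is why they never expire.
SAMPLE_PAYLOAD='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","kubernetes.io/serviceaccount/service-account.name":"kubernetes-dashboard","sub":"system:serviceaccount:kube-system:kubernetes-dashboard"}'
SAMPLE_TOKEN="eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.$(b64url_encode "$SAMPLE_PAYLOAD").c2lnbmF0dXJlLW5vdC1jaGVja2VkLWhlcmU"

# Constructed "kubectl describe secret" output carrying that token.
SAMPLE_DESCRIBE="Name:         kubernetes-dashboard-token-abcde
Namespace:    kube-system
Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      $SAMPLE_TOKEN"

if [ "${1:-}" = "--demo" ]; then
    tok=$(printf '%s\n' "$SAMPLE_DESCRIBE" | token_from_describe)
    echo "subject:   $(jwt_claim "$tok" sub)"
    echo "namespace: $(jwt_claim "$tok" kubernetes.io/serviceaccount/namespace)"
    if jwt_has_claim "$tok" exp; then echo "expires:   yes"; else echo "expires:   never (legacy token)"; fi
fi
```

Run it with --demo to see the decoded claims of the constructed token; on a real cluster pipe the real describe output into token_from_describe instead. If the subject is system:serviceaccount:kube-system:kubernetes-dashboard and that account is bound to cluster-admin as in step 4, the string you are about to paste into a browser is a permanent cluster-admin credential.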


Appendix: the modified YAML file
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ------------------- Dashboard Secret ------------------- #
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque
---
# ------------------- Dashboard Service Account ------------------- #
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
---
# ------------------- Dashboard ClusterRoleBinding (replaces the upstream Role/RoleBinding) ------------------- #
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
# ------------------- Dashboard Deployment ------------------- #
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --auto-generate-certificates
          # Uncomment the following line to manually specify Kubernetes API server Host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          # - --apiserver-host=http://my-address:port
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
---
# ------------------- Dashboard Service ------------------- #
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort      # added: type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 31620  # added: nodePort: 31620
  selector:
    k8s-app: kubernetes-dashboard
8. The dashboard created above can only be opened in Firefox; Chrome refuses the connection because it rejects the certificate the dashboard generated for itself (--auto-generate-certificates; in this setup the browsers showed that certificate with an invalid validity period). The fix is to issue a certificate yourself and hand it to the dashboard through the kubernetes-dashboard-certs Secret.
a: Generate a self-signed certificate with openssl. The transcript below is what was run here; a few things to know before copying it. openssl's default validity is 30 days, and only the -days on "openssl x509 -req" changes that (on genrsa and "req -new" the option is ignored); the certificate printed below still shows the 30-day default and a sha1WithRSAEncryption signature, i.e. it was produced without -days and without -sha256, and browsers reject SHA-1 signatures. Putting several IPs into the CN separated by commas does not make them subject alternative names, and Chrome checks IPs and hostnames only against the subjectAltName extension. Finally, the key ends up world-readable (-rw-r--r-- in the listing), so set umask 077 before generating it.
[ips@ips81 cert]$ openssl genrsa -out dashboard.key 2048 -days 365
Generating RSA private key, 2048 bit long modulus
...........................+++
.........+++
e is 65537 (0x10001)
[ips@ips81 cert]$ openssl req -new -out dashboard.csr -key dashboard.key -subj '/CN='10.1.235.81,10.1.235.82,10.1.235.72,10.1.245.239'' -days 365
[ips@ips81 cert]$ openssl x509 -req -in dashboard.csr -signkey dashboard.key -out dashboard.crt -days 365
Signature ok
subject=/CN=10.1.235.81,10.1.235.82,10.1.235.72,10.1.245.239
Getting Private key
[ips@ips81 cert]$ openssl x509 -in dashboard.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 12978830105745149643 (0xb41e11376515cecb)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=10.1.235.81,10.1.235.82,10.1.235.72,10.1.245.239
        Validity
            Not Before: Apr  1 08:02:30 2019 GMT
            Not After : May  1 08:02:30 2019 GMT
        Subject: CN=10.1.235.81,10.1.235.82,10.1.235.72,10.1.245.239
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9f:4b:01:3c:d6:05:5c:1d:64:5e:e0:07:eb:3b:
                    c8:b5:d5:4b:1c:ca:5a:5c:44:49:93:b5:75:4a:e5:
                    b8:56:42:25:92:69:f1:09:d3:cf:31:75:7d:41:ed:
                    ea:92:68:e7:39:53:75:e5:92:be:db:da:ff:f9:63:
                    82:1e:58:32:54:5f:e6:b4:bc:5f:33:d5:c8:c0:eb:
                    2b:30:4d:ce:b0:22:50:7b:9a:f8:0e:ca:e9:a5:f5:
                    01:cf:8d:76:35:4a:38:12:a9:bd:85:26:f7:76:01:
                    a6:9f:8c:39:94:40:b2:10:fa:b2:fd:7a:bc:ce:0c:
                    33:cf:2d:b2:07:76:1e:55:05:e7:8d:95:95:d5:c7:
                    72:44:ff:b5:39:ae:b4:8d:83:40:05:a9:db:5e:ea:
                    6c:27:03:0b:65:a0:af:44:1e:f8:17:75:76:a9:66:
                    3d:56:04:51:fd:e1:1a:2e:ac:7b:9c:3a:f3:95:49:
                    d5:95:83:76:da:df:eb:41:d9:3f:4e:1e:3d:06:24:
                    fe:31:32:88:e8:4d:95:68:db:75:14:fa:6b:e6:5b:
                    f1:91:c0:12:82:65:ad:92:0d:48:b1:4a:d7:81:a1:
                    b4:53:c5:a2:99:f2:3f:25:33:3d:f7:a5:b0:bc:21:
                    ad:0b:7f:5f:06:aa:0e:ec:1b:a4:04:70:63:2f:d7:
                    21:9f
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        37:28:4b:7e:4a:54:e1:5c:15:7c:e7:c0:71:c8:2f:ae:1b:ce:
        10:67:0a:c2:53:72:67:64:b3:4c:48:6b:bf:79:a0:cd:dd:c5:
        41:5a:0b:de:ff:78:04:10:ef:c1:4b:02:fb:ab:7e:88:f5:eb:
        6a:0d:d8:50:4f:ea:ba:73:06:2b:dd:6f:8a:28:6f:9a:20:73:
        76:42:c2:1e:54:d9:bd:4e:d5:ec:a0:13:c8:49:86:25:1b:e2:
        b0:03:fe:0c:0a:72:6f:f1:0b:4e:2b:0b:b9:63:07:a9:10:29:
        f6:a7:b4:c5:fb:e4:ee:86:97:e5:78:8a:51:2c:c5:8d:a9:33:
        85:7f:35:fb:78:80:de:70:f7:3e:c0:73:dd:4e:61:ab:22:b6:
        3f:90:7b:2b:6e:dc:7f:5e:cc:c9:8e:37:7c:b4:5b:30:fb:fb:
        8f:ed:a2:2c:ca:9e:9f:10:33:81:e2:e4:54:20:29:0c:85:8c:
        44:24:ee:c5:2d:1c:ca:1e:ba:31:46:cf:2d:80:13:05:70:5d:
        5e:76:b3:38:c3:d4:1a:b9:9c:57:49:90:4f:e1:14:9d:e3:33:
        fe:67:96:df:75:5d:55:da:a5:12:89:9e:4b:21:63:4a:5f:db:
        13:fd:2f:56:8f:25:ea:10:4e:66:04:0f:5d:96:8f:dd:56:f4:
        d3:f3:f5:d3
[ips@ips81 cert]$ ls
dashboard.crt  dashboard.csr  dashboard.key  kubernetes-dashboard.yaml
[ips@ips81 cert]$ ll
total 20
-rw-r--r-- 1 ips ips 1082 Apr  1 16:02 dashboard.crt
-rw-r--r-- 1 ips ips  944 Apr  1 16:02 dashboard.csr
-rw-r--r-- 1 ips ips 1679 Apr  1 16:02 dashboard.key
-rw-r--r-- 1 ips ips 5093 Apr  1 15:53 kubernetes-dashboard.yaml
[ips@ips81 cert]$
b: Remove the Secret definition from the manifest (the next step creates a Secret of the same name from the real key and certificate, so the empty one must not overwrite it), i.e. delete this block:
# ------------------- Dashboard Secret ------------------- #
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque
---
c: Create a Secret with the same name, kubernetes-dashboard-certs, from the generated key and certificate. The file names become the keys dashboard.key and dashboard.crt in the Secret, which is what the dashboard looks for under /certs, so keep them:
kubectl create secret generic kubernetes-dashboard-certs --from-file=/data/ylh/k8sdashboard/cert/dashboard.key --from-file=/data/ylh/k8sdashboard/cert/dashboard.crt -n kube-system
kubectl describe secret kubernetes-dashboard-certs -n kube-system
d: Re-apply the YAML, or delete the dashboard created earlier and create it again:
kubectl apply -f kubernetes-dashboard.yaml   or
kubectl create -f kubernetes-dashboard.yaml
If nothing in the Deployment changed, apply does not restart the pod, and the dashboard reads its certificate at startup; in that case delete the pod (kubectl -n kube-system delete pod -l k8s-app=kubernetes-dashboard) so it comes back with the new certificate.
e: Chrome can now open the dashboard just like Firefox. First get the token:
[ips@ips81 cert]$ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep kubernetes-dashboard-token|awk '{print $1}')|grep token:|awk '{print $2}'
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.….JIsJb0lcgs7sXFyHQAZnRlxamILSiixjjjSX0J3QZOYyXCIoFTlWgVlU-IANV-zZShnEHOtOsLsniJf5VxXGCZJ-uCLfU0RhcgtsUEBLbWLw45X3o3wl6j8D9yZgKYPywzapwNxttO0wsJd5ribNn5bmcnPsqQ2HqrUyRhnDwtb3TZiUKb0LQh9vyossiE9Vhv-_TbJJbvx8Z3dJWxb6Fp6vGak7jq4EhHH1tEbSmQCvBbZpXtzdOad_V5Nfr2uHUkFb8FjhbQqf0ItSCsO7xlwRvmdgzFHvH9HyVgDqninHyZxn-VDt85pPTBRilrYFQ3Dzs33MgShmSNzVs9DUlA
f: Open the dashboard URL (https://10.1.245.239:31620/#!/login). The self-signed certificate still triggers a browser warning; choose to proceed to the site, paste the token from the previous step into the Token field, and the dashboard opens normally. Clicking through that warning on every visit is a habit worth avoiding: import dashboard.crt into the browser's trust store (or sign the certificate with an internal CA the browsers already trust) and the warning goes away.

g: Looking at the certificate in Chrome and Firefox confirms that the validity period has changed; it is no longer the expired certificate with the year 0001 seen before.
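Steps a to g boil down to: mint a certificate the browser will accept, load it into the kubernetes-dashboard-certs Secret, restart the dashboard. As an added example that is not part of the original post, the script below does the certificate part the way Chrome expects it: IP entries in subjectAltName (what the browser actually checks), a SHA-256 signature, an explicit 365-day validity and a key that is never world-readable, followed by checks that read those properties back out of the issued certificate. The IP list is the one used on this page and the CN kubernetes-dashboard is an assumption; both are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example, not from the original post: issue the dashboard certificate
# with IP SANs, SHA-256, explicit validity and a 0600 private key, then verify
# what was issued. Works with OpenSSL 1.0.2 and later (no -addext needed).
set -e

# Node IPs that should be valid for the certificate (from the post; override
# with DASHBOARD_IPS=... in the environment).
DASHBOARD_IPS="${DASHBOARD_IPS:-10.1.235.81,10.1.235.82,10.1.235.72,10.1.245.239}"

# make_dashboard_cert DIR DAYS: writes DIR/dashboard.key and DIR/dashboard.crt.
# Runs in a subshell so the umask change does not leak into the caller.
make_dashboard_cert() (
    dir=$1; days=$2
    mkdir -p "$dir"
    umask 077                       # key is created 0600, never -rw-r--r--
    cnf="$dir/san.cnf"
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\n'
        printf '[dn]\nCN = kubernetes-dashboard\n'
        printf '[v3_req]\nkeyUsage = critical, digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n'
        printf '[alt_names]\n'
        i=1
        for ip in $(printf '%s' "$DASHBOARD_IPS" | tr ',' ' '); do
            printf 'IP.%d = %s\n' "$i" "$ip"
            i=$((i + 1))
        done
    } > "$cnf"
    # Key and self-signed certificate in one step. -days only has an effect
    # here (on "genrsa" and "req -new" it is ignored); -sha256 avoids the
    # sha1WithRSAEncryption default that browsers reject.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -config "$cnf" -extensions v3_req \
        -keyout "$dir/dashboard.key" -out "$dir/dashboard.crt" 2>/dev/null
    chmod 644 "$dir/dashboard.crt"  # the certificate itself is public
)

# cert_sans FILE: the subjectAltName line, e.g. "IP Address:10.1.245.239, ..."
cert_sans() {
    openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# cert_sigalg FILE: signature algorithm, expected sha256WithRSAEncryption
cert_sigalg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# cert_valid_after FILE SECONDS: exit 0 if the certificate is still valid that
# many seconds from now (a 365-day cert passes for 364 days, fails for 366).
cert_valid_after() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# file_mode FILE: permission string as ls prints it, e.g. "-rw-------"
file_mode() {
    ls -l "$1" | cut -c1-10
}

if [ "${1:-}" = "--run" ]; then
    make_dashboard_cert ./cert 365
    echo "SAN: $(cert_sans ./cert/dashboard.crt)"
    echo "alg: $(cert_sigalg ./cert/dashboard.crt)"
    echo "key: $(file_mode ./cert/dashboard.key)"
    # next, as in step c (key names in the Secret must stay dashboard.key/.crt):
    # kubectl -n kube-system create secret generic kubernetes-dashboard-certs \
    #     --from-file=./cert/dashboard.key --from-file=./cert/dashboard.crt
fi
```

Run it with --run to write ./cert/dashboard.key and ./cert/dashboard.crt, feed them to the kubectl create secret command from step c, and delete the dashboard pod so it restarts with the new certificate. Because the certificate is self-signed, browsers will still warn until you import dashboard.crt into the browser or OS trust store; the SAN entries are what makes that import sufficient, since without them Chrome keeps rejecting the certificate even when it is trusted.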


