K8S之Dashboard图形界面
- 一、Dashboard简介
- 二、k8s安装Dashboard
- (1)下载Dashboard镜像(
可选) - (2)根据yaml文件创建资源
- (3)查看资源
- (4)生成登录需要的token
- (5)使用火狐 / 搜狗浏览器访问(
个人用的搜狗)
- (1)下载Dashboard镜像(
一、Dashboard简介
官网:https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/
Dashboard是基于web的Kubernetes用户界面。您可以使用指示板将容器化的应用程序部署到Kubernetes集群,对容器化的应用程序进行故障排除,并管理集群资源。您可以使用Dashboard来获得运行在集群上的应用程序的概览,以及创建或修改单独的Kubernetes资源(例如部署、作业、守护进程集等)。例如,您可以扩展部署、发起滚动更新、重新启动pod或使用部署向导部署新的应用程序。
二、k8s安装Dashboard
(1)下载Dashboard镜像(可选)
提前下载Dashboard镜像(可选):
[root@m test]# docker pull mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.0
也可上传至私有仓库(可选):
# 启动私有仓库
[root@m test]# docker start registry
# 给镜像打tag
[root@m test]# docker tag mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.0 192.168.116.170:5000/mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.0
# push镜像到私有仓库
[root@m test]# docker push 192.168.116.70:5000/mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.0
(2)根据yaml文件创建资源
[root@m test]# vi dashboard.yaml
内容(如果可能,注意修改其中的dashboard镜像地址(大约44行)):
apiVersion: v1
kind: ConfigMap
metadata:
labels:
k8s-app: kubernetes-dashboard
# Allows editing resource and makes sure it is created first.
addonmanager.kubernetes.io/mode: EnsureExists
name: kubernetes-dashboard-settings
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
addonmanager.kubernetes.io/mode: Reconcile
name: kubernetes-dashboard
namespace: kube-system
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: kubernetes-dashboard
namespace: kube-system
labels:
k8s-app: kubernetes-dashboard
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
spec:
selector:
matchLabels:
k8s-app: kubernetes-dashboard
template:
metadata:
labels:
k8s-app: kubernetes-dashboard
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ''
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
spec:
priorityClassName: system-cluster-critical
containers:
- name: kubernetes-dashboard
image: mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.0
resources:
limits:
cpu: 100m
memory: 300Mi
requests:
cpu: 50m
memory: 100Mi
ports:
- containerPort: 8443
protocol: TCP
args:
# PLATFORM-SPECIFIC ARGS HERE
- --auto-generate-certificates
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
- name: tmp-volume
mountPath: /tmp
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 30
timeoutSeconds: 30
volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: kubernetes-dashboard-certs
- name: tmp-volume
emptyDir: {}
serviceAccountName: kubernetes-dashboard
tolerations:
- key: "CriticalAddonsOnly"
operator: "Exists"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
k8s-app: kubernetes-dashboard
addonmanager.kubernetes.io/mode: Reconcile
name: kubernetes-dashboard-minimal
namespace: kube-system
rules:
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
verbs: ["get", "update", "delete"]
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"]
# Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster"]
verbs: ["proxy"]
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
labels:
k8s-app: kubernetes-dashboard
addonmanager.kubernetes.io/mode: Reconcile
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kube-system
---
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
# Allows editing resource and makes sure it is created first.
addonmanager.kubernetes.io/mode: EnsureExists
name: kubernetes-dashboard-certs
namespace: kube-system
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
# Allows editing resource and makes sure it is created first.
addonmanager.kubernetes.io/mode: EnsureExists
name: kubernetes-dashboard-key-holder
namespace: kube-system
type: Opaque
---
apiVersion: v1
kind: Service
metadata:
name: kubernetes-dashboard
namespace: kube-system
labels:
k8s-app: kubernetes-dashboard
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
spec:
selector:
k8s-app: kubernetes-dashboard
ports:
- port: 443
targetPort: 8443
nodePort: 30018
type: NodePort
创建资源:
[root@m test]# kubectl apply -f dashboard.yaml
configmap/kubernetes-dashboard-settings created
serviceaccount/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-key-holder created
service/kubernetes-dashboard created
[root@m test]#
(3)查看资源
[root@m test]# kubectl get pods -n kube-system
[root@m test]# kubectl get pods -n kube-system -o wide
[root@m test]# kubectl get svc -n kube-system
[root@m test]# kubectl get deploy kubernetes-dashboard -n kube-system
# 查看pod创建详情:
[root@m test]# kubectl describe pod kubernetes-dashboard-7bdfc744fc-hmhh2 -n kube-system
(4)生成登录需要的token
# 创建service account
kubectl create sa dashboard-admin -n kube-system
kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
# 查看dashboard-admin的secret名字
ADMIN_SECRET=$(kubectl get secrets -n kube-system | grep dashboard-admin | awk '{print $1}')
echo ADMIN_SECRET
# 打印secret的token
kubectl describe secret -n kube-system ${ADMIN_SECRET} | grep -E '^token' | awk '{print $2}'
# (1)创建service account
[root@m test]# kubectl create sa dashboard-admin -n kube-system
serviceaccount/dashboard-admin created
[root@m test]#
# (2)创建角色绑定关系
[root@m test]# kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
clusterrolebinding.rbac.authorization.k8s.io/dashboard-admin created
[root@m test]#
# (3)查看dashboard-admin的secret名字
[root@m test]# ADMIN_SECRET=$(kubectl get secrets -n kube-system | grep dashboard-admin | awk '{print $1}')
[root@m test]# echo ADMIN_SECRET
ADMIN_SECRET
[root@m test]#
# (4)打印secret的token(浏览器访问需要)
[root@m test]# kubectl describe secret -n kube-system ${ADMIN_SECRET} | grep -E '^token' | awk '{print $2}'
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tdDVjbjQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMzdjMDFmZmQtNTY5MC0xMWViLThiNDQtMDA1MDU2Mjg0ZjMwIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.nafBF2TUqen-4LFLQHdOWZ8XZ08k1rzBMkR0vEvFov6c0DVTUUlwX4-Uxe_OCep8gQgOphlJ3SXUNwCkFvONzxzR5799JeiLr3ahUaVhuMB12m45KHRPE-95pRvgFzs7OpPKiIxEn1cUMtErKdDPRo1zNBB-PzE95-5RGFimrdw-maP2yMo1auAgMow-JjHXhGTLeujDacEdcBWm5YbgFbaD3AkUd_c9EjbokR4-yT4iMd99tD4TwZqjYpUI_Qm76rV54qqylyf5LaOssR2scoiwA2TVHGA4ElMMOng_HqRjJJzmHux9-unakNfM5z8wtTAbJow8r7XHM6IfhxfLSg
[root@m test]#
注:以上
密钥,浏览器访问时需要输入。
(5)使用火狐 / 搜狗浏览器访问(个人用的搜狗)
说明:谷歌浏览器配置安全问题太麻烦。
访问地址(输入密钥):https://192.168.116.170:30018/
