tags: addons, dashboard
dashboard yaml 配置文件也在 kubernetes-src.tar.gz 文件中,对应的目录是cluster/addons/dashboard
。
[admin@k8s-admin ~]$ cp -R kubernetes/kubernetes-src/cluster/addons/dashboard yaml/
[admin@k8s-admin ~]$ grep image yaml/dashboard/dashboard-controller.yaml
image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
[admin@k8s-admin ~]$ sed -i "s#k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1#mirrorgcrio/kubernetes-dashboard-amd64:v1.10.1#g" yaml/dashboard/dashboard-controller.yaml
[admin@k8s-admin ~]$ cat yaml/dashboard/dashboard-service.yaml
apiVersion: v1
kind: Service
metadata:
name: kubernetes-dashboard
namespace: kube-system
labels:
k8s-app: kubernetes-dashboard
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
spec:
selector:
k8s-app: kubernetes-dashboard
ports:
- port: 443
targetPort: 8443
- 默认 dashboard service 没有开启 NodePort,开发环境如需开启,可以添加
spec.type: NodePort
,这样外界可以通过地址 nodeIP:nodePort 访问 dashboard。
[admin@k8s-admin ~]$ ls yaml/dashboard/*.yaml
yaml/dashboard/dashboard-configmap.yaml yaml/dashboard/dashboard-secret.yaml
yaml/dashboard/dashboard-controller.yaml yaml/dashboard/dashboard-service.yaml
yaml/dashboard/dashboard-rbac.yaml
[admin@k8s-admin ~]$ kubectl create -f yaml/dashboard/.
configmap/kubernetes-dashboard-settings created
serviceaccount/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-key-holder created
service/kubernetes-dashboard created
[admin@k8s-admin ~]$ kubectl get deployment kubernetes-dashboard -n kube-system
NAME READY UP-TO-DATE AVAILABLE AGE
kubernetes-dashboard 1/1 1 1 11h
[admin@k8s-admin ~]$ kubectl get pods -n kube-system -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
coredns-dc8bbbcf9-w62r9 1/1 Running 0 14h 172.16.208.3 k8s-node04 <none> <none>
kubernetes-dashboard-6d84bc5d64-6jhb8 1/1 Running 0 9h 172.16.128.3 k8s-node05 <none> <none>
[admin@k8s-admin ~]$ kubectl get services -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.0.0.2 <none> 53/UDP,53/TCP 15h
kubernetes-dashboard ClusterIP 10.0.98.221 <none> 443/TCP 11h
[admin@k8s-admin ~]$ kubectl exec -n kube-system kubernetes-dashboard-6d84bc5d64-6jhb8 -- /dashboard --help
pflag: help requested
2019/03/08 01:25:18 Starting overwatch
Usage of /dashboard:
--alsologtostderr log to standard error as well as files
--api-log-level string Level of API request logging. Should be one of 'INFO|NONE|DEBUG'. Default: 'INFO'. (default "INFO")
--apiserver-host string The address of the Kubernetes Apiserver to connect to in the format of protocol://address:port, e.g., http://localhost:8080. If not specified, the assumption is that the binary runs inside a Kubernetes cluster and local discovery is attempted.
--authentication-mode strings Enables authentication options that will be reflected on login screen. Supported values: token, basic. Default: token.Note that basic option should only be used if apiserver has '--authorization-mode=ABAC' and '--basic-auth-file' flags set. (default [token])
--auto-generate-certificates When set to true, Dashboard will automatically generate certificates used to serve HTTPS. Default: false.
--bind-address ip The IP address on which to serve the --secure-port (set to 0.0.0.0 for all interfaces). (default 0.0.0.0)
--default-cert-dir string Directory path containing '--tls-cert-file' and '--tls-key-file' files. Used also when auto-generating certificates flag is set. (default "/certs")
--disable-settings-authorizer When enabled, Dashboard settings page will not require user to be logged in and authorized to access settings page.
--enable-insecure-login When enabled, Dashboard login view will also be shown when Dashboard is not served over HTTPS. Default: false.
--enable-skip-login When enabled, the skip button on the login page will be shown. Default: false.
--heapster-host string The address of the Heapster Apiserver to connect to in the format of protocol://address:port, e.g., http://localhost:8082. If not specified, the assumption is that the binary runs inside a Kubernetes cluster and service proxy will be used.
--insecure-bind-address ip The IP address on which to serve the --port (set to 0.0.0.0 for all interfaces). (default 127.0.0.1)
--insecure-port int The port to listen to for incoming HTTP requests. (default 9090)
--kubeconfig string Path to kubeconfig file with authorization and master location information.
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--logtostderr log to standard error instead of files
--metric-client-check-period int Time in seconds that defines how often configured metric client health check should be run. Default: 30 seconds. (default 30)
--port int The secure port to listen to for incoming HTTPS requests. (default 8443)
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
--system-banner string When non-empty displays message to Dashboard users. Accepts simple HTML tags. Default: ''.
--system-banner-severity string Severity of system banner. Should be one of 'INFO|WARNING|ERROR'. Default: 'INFO'. (default "INFO")
--tls-cert-file string File containing the default x509 Certificate for HTTPS.
--tls-key-file string File containing the default x509 private key matching --tls-cert-file.
--token-ttl int Expiration time (in seconds) of JWE tokens generated by dashboard. Default: 15 min. 0 - never expires (default 900)
-v, --v Level log level for V logs
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
command terminated with exit code 2
访问 dashboard 有以下几种方式:
- 通过 kube-apiserver 访问 dashboard;
- 通过 kubectl proxy 访问 dashboard;
- 如果 kubernetes-dashboard 服务暴露了 NodePort,可以使用
https://NodeIP:NodePort
地址访问 dashboard。
dashboard 的 --authentication-mode 支持 token、basic,默认为 token。如果使用 basic,则 kube-apiserver 必须配置 '--authorization-mode=ABAC' 和 '--basic-auth-file' 参数。
获取集群信息:
[admin@k8s-admin ~]$ kubectl cluster-info
Kubernetes master is running at https://192.168.99.100:8443
CoreDNS is running at https://192.168.99.100:8443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
kubernetes-dashboard is running at https://192.168.99.100:8443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
必须通过 kube-apiserver 的安全端口(https)访问 dashbaord,访问时浏览器需要使用自定义证书,否则会被 kube-apiserver 拒绝访问。
创建和导入自定义证书的步骤,参考:A.浏览器访问kube-apiserver安全端口
浏览器访问 URL: https://192.168.99.100:8443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy
为了集群安全,从 1.7 开始,dashboard 只允许通过 https 访问,如果使用 kubectl proxy 代理则必须监听 localhost 或 127.0.0.1,对于 NodePort 没有这个限制,但是仅建议在开发环境中使用。
对于不满足这些条件的登录访问,在登录成功后浏览器不跳转,始终停在登录界面。
参考: https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above kubernetes/dashboard#2540
启动 kubectl proxy 代理:
[admin@k8s-admin ~]$ kubectl proxy --address='127.0.0.1' --port=8086 --accept-hosts='^*$'
Starting to serve on 192.168.99.251:8086
--address
必须为localhost
或127.0.0.1
;- 需要指定
--accept-hosts
选项,否则浏览器访问 dashboard 页面时提示 “Unauthorized”。
浏览器访问 URL:http://127.0.0.1:8086/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
上面提到,Dashboard 默认只支持 token 认证,所以如果使用 KubeConfig 文件,需要在该文件中指定 token,不支持使用 client 证书认证。
[admin@k8s-admin ~]$ kubectl get sa -n kube-system kubernetes-dashboard
NAME SECRETS AGE
kubernetes-dashboard 1 12h
[admin@k8s-admin ~]$ kubectl create clusterrolebinding kubernetes-dashboard --clusterrole=cluster-admin --serviceaccount=kube-system:kubernetes-dashboard
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
[admin@k8s-admin ~]$ kubectl describe sa -n kube-system kubernetes-dashboard
Name: kubernetes-dashboard
Namespace: kube-system
Labels: addonmanager.kubernetes.io/mode=Reconcile
k8s-app=kubernetes-dashboard
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"labels":{"addonmanager.kubernetes.io/mode":"Reconcile","k8s-app":...
Image pull secrets: <none>
Mountable secrets: kubernetes-dashboard-token-7wrlb
Tokens: kubernetes-dashboard-token-7wrlb
Events: <none>
[admin@k8s-admin ~]$ DASHBOARD_LOGIN_TOKEN=$(kubectl describe secrets -n kube-system kubernetes-dashboard-token-7wrlb|grep "^token"|awk '{print $2}')
[admin@k8s-admin ~]$ echo $DASHBOARD_LOGIN_TOKEN
授予 Dashboard 的 serviceaccounts kubernetes-dashboard
集群管理员 cluster-admin
权限,使用该 serviceaccounts 的 token 即可登录 Dashboard 并拥有集群管理员权限。
也可以使用上面的 token 生成的 dashboard.kubeconfig 文件登录 Dashboard,同样拥有集群管理员权限。
[admin@k8s-admin ~]$ source environment.sh
# 设置集群参数
[admin@k8s-admin ~]$ kubectl config set-cluster kubernetes \
--certificate-authority=cert/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=conf/dashboard.kubeconfig
Cluster "kubernetes" set.
# 设置客户端认证参数,使用上面创建的 Token
[admin@k8s-admin ~]$ kubectl config set-credentials dashboard_user \
--token=${DASHBOARD_LOGIN_TOKEN} \
--kubeconfig=conf/dashboard.kubeconfig
User "dashboard_user" set.
# 设置上下文参数
[admin@k8s-admin ~]$ kubectl config set-context default \
--cluster=kubernetes \
--user=dashboard_user \
--kubeconfig=conf/dashboard.kubeconfig
Context "default" created.
# 设置默认上下文
[admin@k8s-admin ~]$ kubectl config use-context default \
--kubeconfig=conf/dashboard.kubeconfig
Switched to context "default".
查看当前上下文的配置信息:
[admin@k8s-admin ~]$ kubectl config view --kubeconfig=conf/dashboard.kubeconfig --minify
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://192.168.99.100:8443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: dashboard_user
name: default
current-context: default
kind: Config
preferences: {}
users:
- name: dashboard_user
user:
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZC10b2tlbi03d3JsYiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjVlMjcwYjcwLTQwZTItMTFlOS1iMTdkLTUyNTQwMGJjNTBmMCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTprdWJlcm5ldGVzLWRhc2hib2FyZCJ9.QtyC8PKaQnyMaVzjTxiS4jaSDLcwQvOtFJA9QMrhpJw1LY8VpufwDA53amGBOlbv5qlxcCkA0ptRJzpFF-Vvhg-QniIk2donxorF8Rve4e87p2VRqNe9mVth61B2_PfjdUBB1RkoSt2pP8OTXB6GqWHowuVO832nXS69ae5wiCILAHxEoHM6fg7XJd40GDI2QPF0jgYGy1iqAjkWcT20RndUb-kGURiIRyV0BMC_lZmbpVMNqJKOs0cL9gVWR6MCjHKwA-z1HpRRZaqnd8JWm7KITpCaZzhuwdZU8S1sWgMBJfouTsONCTYHRpBgn2cpVvNrwld8ve6NroTcLm4D-Q
用生成的 dashboard.kubeconfig 登录 Dashboard。
- 由于缺少 Heapster 插件,当前 dashboard 不能展示 Pod、Nodes 的 CPU、内存等统计数据和图表。