目录
1.准备dashboard镜像
2.创建资源配置清单
3.应用资源配置清单
4.查看创建的资源
5.解析域名
6.浏览器访问
7.令牌命令行获取方式
准备dashboard镜像
[root@hdss7-200 k8s-yaml]# docker pull k8scn/kubernetes-dashboard-amd64:v1.8.3
[root@hdss7-200 k8s-yaml]# docker images|grep dashboard
[root@hdss7-200 k8s-yaml]# docker tag fcac9aa03fd6 harbor.fx.com/public/dashboard:v1.8.3
[root@hdss7-200 k8s-yaml]# docker push harbor.fx.com/public/dashboard:v1.8.3
创建资源配置清单
[root@hdss7-200 k8s-yaml]# mkdir -p /data/k8s-yaml/dashboard && cd /data/k8s-yaml/dashboard
rabc.yaml
[root@hdss7-200 dashboard]# vim rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
addonmanager.kubernetes.io/mode: Reconcile
name: kubernetes-dashboard-admin
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubernetes-dashboard-admin
namespace: kube-system
labels:
k8s-app: kubernetes-dashboard
addonmanager.kubernetes.io/mode: Reconcile
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard-admin
namespace: kube-system
dp.yaml
[root@hdss7-200 dashboard]# vi dp.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: kubernetes-dashboard
namespace: kube-system
labels:
k8s-app: kubernetes-dashboard
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
spec:
selector:
matchLabels:
k8s-app: kubernetes-dashboard
template:
metadata:
labels:
k8s-app: kubernetes-dashboard
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ''
spec:
priorityClassName: system-cluster-critical
containers:
- name: kubernetes-dashboard
image: harbor.fx.com/public/dashboard:v1.8.3
resources:
limits:
cpu: 100m
memory: 300Mi
requests:
cpu: 50m
memory: 100Mi
ports:
- containerPort: 8443
protocol: TCP
args:
# PLATFORM-SPECIFIC ARGS HERE
- --auto-generate-certificates
volumeMounts:
- name: tmp-volume
mountPath: /tmp
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 30
timeoutSeconds: 30
volumes:
- name: tmp-volume
emptyDir: {}
serviceAccountName: kubernetes-dashboard-admin
tolerations:
- key: "CriticalAddonsOnly"
operator: "Exists"
svc.yaml
[root@hdss7-200 dashboard]# vim svc.yaml
apiVersion: v1
kind: Service
metadata:
name: kubernetes-dashboard
namespace: kube-system
labels:
k8s-app: kubernetes-dashboard
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
spec:
selector:
k8s-app: kubernetes-dashboard
ports:
- port: 443
targetPort: 8443
ingress.yaml
[root@hdss7-200 dashboard]# vim ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: kubernetes-dashboard
namespace: kube-system
annotations:
kubernetes.io/ingress.class: traefik
spec:
rules:
- host: dashboard.fx.com
http:
paths:
- backend:
serviceName: kubernetes-dashboard
servicePort: 443
应用资源配置清单
[root@hdss7-21 ~]# kubectl apply -f http://k8s-yaml.fx.com/dashboard/rbac.yaml [root@hdss7-21 ~]# kubectl apply -f http://k8s-yaml.fx.com/dashboard/dp.yaml [root@hdss7-21 ~]# kubectl apply -f http://k8s-yaml.fx.com/dashboard/svc.yaml [root@hdss7-21 ~]# kubectl apply -f http://k8s-yaml.fx.com/dashboard/ingress.yaml
查看创建的资源
[root@hdss7-21 ~]# kubectl get pods -n kube-system
[root@hdss7-21 ~]# kubectl get svc -n kube-system
[root@hdss7-21 ~]# kubectl get ingress -n kube-system
解析域名
[root@hdss7-11 ~]# vim /var/named/fx.com.zone
$ORIGIN fx.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.fx.com. dnsadmin.fx.com. (
2020061010 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns.fx.com.
$TTL 60 ; 1 minute
dns A 10.4.7.11
harbor A 10.4.7.200
k8s-yaml A 10.4.7.200
traefik A 10.4.7.10
dashboard A 10.4.7.10
[root@hdss7-11 ~]# systemctl restart named
浏览器访问
http://dashboard.fx.com/
创建dashboard证书
[root@hdss7-200 certs]# (umask 077; openssl genrsa -out dashboard.fx.com.key 2048) [root@hdss7-200 certs]# openssl req -new -key dashboard.fx.com.key -out dashboard.fx.com.csr -subj "/CN=dashboard.fx.com/C=CN/ST=BJ/L=Beijing/O=fangxing/OU=ops" [root@hdss7-200 certs]# openssl x509 -req -in dashboard.fx.com.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out dashboard.fx.com.crt -days 3650
拷贝证书
在HDSS7-11.host.com上
[root@hdss7-11 conf.d]# mkdir -p /etc/nginx/certs && cd /etc/nginx/certs [root@hdss7-11 certs]# scp hdss7-200:/opt/certs/dashboard.fx.com.crt . [root@hdss7-11 certs]# scp hdss7-200:/opt/certs/dashboard.fx.com.key .
注:HDSS7-12.host.com也需要copy证书
配置nginx证书
在HDSS7-11.host.com上
[root@hdss7-11 conf.d]# vim dashboard.fx.com.conf server { listen 80; server_name dashboard.fx.com; rewrite ^(.*)$ https://${server_name}$1 permanent; } server { listen 443 ssl; server_name dashboard.fx.com; ssl_certificate "certs/dashboard.fx.com.crt"; ssl_certificate_key "certs/dashboard.fx.com.key"; ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; location / { proxy_pass http://default_backend_traefik; proxy_set_header Host $http_host; proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for; } }
注:HDSS7-12.host.com也需要配置nginx
令牌命令行获取方式
[root@hdss7-21 ~]# kubectl get secret -n kube-system
[root@hdss7-21 ~]# kubectl describe secret kubernetes-dashboard-admin-token-c8gsp -n kube-system
Name: kubernetes-dashboard-admin-token-c8gsp
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: kubernetes-dashboard-admin
kubernetes.io/service-account.uid: 22e7c7e4-8c03-4dad-a942-2a00a6689d14
Type: kubernetes.io/service-account-token
Data
====
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZC1hZG1pbi10b2tlbi1jOGdzcCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZC1hZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjIyZTdjN2U0LThjMDMtNGRhZC1hOTQyLTJhMDBhNjY4OWQxNCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTprdWJlcm5ldGVzLWRhc2hib2FyZC1hZG1pbiJ9.eM2aJ7L9amwdo6XHYT2S5w6FMTdsu8u6hmB5bAcLrDJPwdiNMevriF9LensNtdobZlUd10qTmJ_uVDl7W_pW7sycN1MYpSyre7FPMiwaH8bSpcwCibgMSoCA5ce9eShePJ14iErBD12h1ru0BI1O-Vk-WC9yfBdrbBG4e9R3YclaKCo38Y7wS2WgMi0intELPyG-Sb8s3BTpPdnFBN5I_FAFtmAmonpuAz17FpxrMxF7ZlJXxhPwY1GoAHkKDkvw3J3z6peEGAazqZup-N4b6cjAyIucLd4xNbUXviAP6lGDGFAaHF7E-oN2Ec8WWNm3M26m2I3zxb_fyl8v9lNacQ
ca.crt: 1342 bytes
namespace: 11 bytes
注:令牌对应的是token
验证令牌登录
部署heapster
[root@hdss7-200 dashboard]# mkdir heapster [root@hdss7-200 heapster]# docker pull quay.io/bitnami/heapster:1.5.4 [root@hdss7-200 heapster]# docker tag c359b95ad38b harbor.fx.com/public/heapster:v1.5.4 [root@hdss7-200 heapster]# docker push harbor.fx.com/public/heapster:v1.5.4
应用heapster配置清单
[root@hdss7-21 ~]# kubectl apply -f http://k8s-yaml.fx.com/dashboard/heapster/rbac.yaml [root@hdss7-21 ~]# kubectl apply -f http://k8s-yaml.fx.com/dashboard/heapster/deployment.yaml [root@hdss7-21 ~]# kubectl apply -f http://k8s-yaml.fx.com/dashboard/heapster/svc.yaml
重新登录dashboard查看
