• kubernetes dashboard 搭建参考


    Kubernetes Dashboard安装过程中会出现的问题包括:

    1、证书失效问题

    2、token获取问题

    3、服务如何暴露的问题

    按照本文的步骤,可保你安装一路平安

    一、生成证书

    证书用 openssl 生成一张自签名证书即可,这里不再赘述,操作过程如下:

    [root@master keys]# pwd

    /root/keys

    [root@master keys]# ls

    [root@master keys]# openssl genrsa -out dashboard.key 2048

    Generating RSA private key, 2048 bit long modulus

    .+++

    .................................................+++

    e is 65537 (0x10001)

    [root@master keys]# openssl req -new -out dashboard.csr -key dashboard.key -subj '/CN=192.168.246.200'

    [root@master keys]# ls

    dashboard.csr dashboard.key

    [root@master keys]#

    [root@master keys]# openssl x509 -req -in dashboard.csr -signkey dashboard.key -out dashboard.crt

    Signature ok

    subject=/CN=192.168.246.200

    Getting Private key

    [root@master keys]#

    [root@master keys]# ls

    dashboard.crt dashboard.csr dashboard.key

    [root@master keys]#

    [root@master keys]# openssl x509 -in dashboard.crt -text -noout

    Certificate:

    Data:

    Version: 1 (0x0)

    Serial Number:

    f0:8a:26:aa:9f:24:bf:92

    Signature Algorithm: sha256WithRSAEncryption

    Issuer: CN=192.168.246.200

    Validity

    Not Before: Dec 13 08:10:36 2018 GMT

    Not After : Jan 12 08:10:36 2019 GMT

    Subject: CN=192.168.246.200

    Subject Public Key Info:

    Public Key Algorithm: rsaEncryption

    Public-Key: (2048 bit)

    Modulus:

    00:f6:7a:b4:4a:ad:bd:b3:00:9c:d1:fe:06:2d:09:

    cf:eb:28:54:0f:3f:6e:dc:29:6b:67:e1:9b:58:e4:

    82:00:15:ee:35:25:00:4c:c1:e0:1b:29:8b:b2:6b:

    8d:e8:09:77:66:4d:f3:9e:9d:85:36:94:80:da:1b:

    35:c8:a1:b3:0b:b2:7f:6f:1e:e9:fe:fc:15:1b:7b:

    ba:85:1f:2b:70:16:d5:c3:7f:36:18:f1:8e:44:1e:

    8a:13:a2:9c:b8:bf:b8:08:3f:a0:5c:ef:19:f5:ce:

    73:0c:3e:0a:b5:87:7a:de:25:74:36:0e:26:52:ff:

    4b:d0:24:40:c9:03:9a:44:f6:17:a7:d7:fa:7e:e0:

    fb:6a:76:5b:dc:0f:43:c2:63:f4:22:20:4c:4e:5d:

    b7:a0:83:54:58:1c:10:0f:57:ef:ad:1f:36:0b:8f:

    8d:f4:a2:52:ab:e7:39:57:ea:30:c3:1d:30:93:ee:

    44:7f:73:ef:41:94:e8:34:8c:c4:bb:02:d9:17:da:

    55:07:ff:43:6c:f3:8e:91:5f:81:03:e9:94:2e:f1:

    25:e7:41:86:e2:25:c4:b9:07:b4:9c:d9:04:36:31:

    82:43:1b:26:10:17:8c:98:4a:f3:23:69:15:1b:76:

    75:ae:4e:27:6f:70:4c:c6:f7:cc:75:e4:ed:48:b7:

    51:c5

    Exponent: 65537 (0x10001)

    Signature Algorithm: sha256WithRSAEncryption

    28:55:3c:0a:66:77:2a:fd:8a:b6:81:54:59:13:d7:03:17:7f:

    d4:fa:e4:94:2b:bc:f4:11:ea:0c:18:e9:c0:2c:02:86:eb:39:

    12:38:19:71:6c:b8:7a:4d:03:57:59:4f:c0:50:c4:19:92:c1:

    9f:2f:0d:18:92:9e:2b:2e:a2:44:52:9a:32:2b:75:35:fb:43:

    66:fb:fa:32:77:ce:b8:4e:80:cb:38:52:c4:2c:17:11:1a:38:

    c3:a9:62:43:5e:60:ae:47:d4:f7:46:12:29:f5:e4:75:35:e5:

    90:5d:2e:4f:2f:c5:65:9a:e5:6a:4d:8a:cd:69:ba:e0:4f:43:

    d1:ab:9a:62:74:fc:d5:88:9c:3a:ba:22:2d:38:96:fc:35:b0:

    3c:23:f7:8c:23:07:4e:05:8e:ae:53:82:9c:fd:54:24:86:75:

    12:a6:e9:77:62:bd:f6:bb:f9:4d:5b:64:1e:d0:48:68:31:86:

    f5:36:b5:6b:fc:b6:36:f0:01:3c:0a:9f:2b:27:56:28:1d:1f:

    c4:e9:f7:c6:5d:16:5e:88:c5:e0:43:00:bf:79:d7:04:2f:45:

    57:df:e6:17:dd:5a:f8:53:e9:ca:f6:33:ed:19:f0:d9:0a:ae:

    f0:ba:c6:5b:7e:70:af:c3:f3:a5:b0:95:b0:ee:cd:35:29:5c:

    34:4a:ce:49

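    这样就有了证书文件 dashboard.crt 和私钥 dashboard.key。注意:上面的 openssl x509 -req 没有指定 -days,证书有效期是默认的 30 天(见输出中的 Not Before / Not After),到期后会再次遇到证书失效问题;需要更长有效期时,请在签发时用 -days 指定天数。私钥 dashboard.key 导入 secret 之后,不要留在其他用户可读的位置。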

    二、生成secret

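    创建名称为 kubernetes-dashboard-certs 的 secret,名称必须与下文 yaml 中 volumes 引用的 secretName 一致。下面命令里的 ksys 不是标准命令,应是作者环境里 kubectl 的别名(可能已带 -n kube-system);照做时直接用 kubectl 并加上 -n kube-system 即可。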

    [root@master keys]# ls

    dashboard.crt dashboard.csr dashboard.key kubernetes-dashboard.yaml

    [root@master keys]# ksys create secret generic kubernetes-dashboard-certs --from-file=dashboard.key --from-file=dashboard.crt -n kube-system

    secret/kubernetes-dashboard-certs created

    [root@master keys]#

    [root@master keys]# kubectl get secret | grep dashboard

    kubernetes-dashboard-certs Opaque 2 25s

    kubernetes-dashboard-key-holder Opaque 2 25h

    [root@master keys]#

    [root@master keys]# kubectl describe secret kubernetes-dashboard-certs

    Name: kubernetes-dashboard-certs

    Namespace: kube-system

    Labels: <none>

    Annotations: <none>

     

    Type: Opaque

     

    Data

    ====

    dashboard.crt: 993 bytes

    dashboard.key: 1675 bytes

    [root@master keys]#

     

    可以看到,已经成功创建了 secret文件

     

    三、获取和修改kubernetes-dashboard.yaml文件:

     

    wget https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

     

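    为了便于本地访问,这里对其进行了适当的修改:把 Service 改为 NodePort 类型并固定端口 30001,可以通过 https://节点IP:30001 的方式来访问;并删除了文件中生成 secret 的部分,因为上面已经手工创建过了。NodePort 会在每个节点的地址上开放该端口,应通过防火墙或安全组把 30001 限制给可信来源。另外,上面的 wget 取的是 master 分支,文件内容会随时间变化,建议下载与镜像版本(本文为 v1.10.1)对应 tag 的文件,核对内容后再 apply。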

    文件内容见下:


     

    [root@k8s-master k8s]# cat kubernetes-dashboard.yaml

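    # Kubernetes Dashboard v1.10.1 manifest, adapted from the upstream recommended file.
    # Per the article, two things differ from upstream:
    #   * the Secret object is omitted; 'kubernetes-dashboard-certs' must already exist
    #     in kube-system (created by hand from dashboard.crt / dashboard.key);
    #   * the Service is of type NodePort with nodePort 30001.
    # Indentation is restored here; the listing had been flattened, which is not valid YAML.
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard
      namespace: kube-system

    ---
    # ------------------- Dashboard Role & Role Binding ------------------- #

    # Namespaced Role (kube-system only). Apart from 'create', every rule is
    # pinned to specific objects through resourceNames.
    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: kubernetes-dashboard-minimal
      namespace: kube-system
    rules:
      # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
      # 'create' is granted without resourceNames; the named rule below covers get/update/delete.
    - apiGroups: [""]
      resources: ["secrets"]
      verbs: ["create"]
      # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
    - apiGroups: [""]
      resources: ["configmaps"]
      verbs: ["create"]
      # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
    - apiGroups: [""]
      resources: ["secrets"]
      resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
      verbs: ["get", "update", "delete"]
      # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
    - apiGroups: [""]
      resources: ["configmaps"]
      resourceNames: ["kubernetes-dashboard-settings"]
      verbs: ["get", "update"]
      # Allow Dashboard to get metrics from heapster.
    - apiGroups: [""]
      resources: ["services"]
      resourceNames: ["heapster"]
      verbs: ["proxy"]
    - apiGroups: [""]
      resources: ["services/proxy"]
      resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
      verbs: ["get"]

    ---
    # Binds the minimal Role above to the Dashboard's own ServiceAccount only.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: kubernetes-dashboard-minimal
      namespace: kube-system
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: kubernetes-dashboard-minimal
    subjects:
    - kind: ServiceAccount
      name: kubernetes-dashboard
      namespace: kube-system

    ---
    # ------------------- Dashboard Deployment ------------------- #

    kind: Deployment
    apiVersion: apps/v1
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard
      namespace: kube-system
    spec:
      replicas: 1
      revisionHistoryLimit: 10
      selector:
        matchLabels:
          k8s-app: kubernetes-dashboard
      template:
        metadata:
          labels:
            k8s-app: kubernetes-dashboard
        spec:
          containers:
          - name: kubernetes-dashboard
            image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
            ports:
            - containerPort: 8443
              protocol: TCP
            args:
              # NOTE(review): this flag is kept although a hand-made key pair is mounted
              # at /certs; after deploying, confirm the served certificate is the one
              # from the secret rather than a generated one.
              - --auto-generate-certificates
              # Uncomment the following line to manually specify Kubernetes API server Host
              # If not specified, Dashboard will attempt to auto discover the API server and connect
              # to it. Uncomment only if the default does not work.
              # - --apiserver-host=http://my-address:port
            volumeMounts:
            # TLS key pair from the 'kubernetes-dashboard-certs' secret.
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
            livenessProbe:
              httpGet:
                scheme: HTTPS
                path: /
                port: 8443
              initialDelaySeconds: 30
              timeoutSeconds: 30
          volumes:
          # The pod cannot start until this secret exists in kube-system.
          - name: kubernetes-dashboard-certs
            secret:
              secretName: kubernetes-dashboard-certs
          - name: tmp-volume
            emptyDir: {}
          serviceAccountName: kubernetes-dashboard
          # Comment the following tolerations if Dashboard must not be deployed on master
          tolerations:
          - key: node-role.kubernetes.io/master
            effect: NoSchedule

    ---
    # ------------------- Dashboard Service ------------------- #

    kind: Service
    apiVersion: v1
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard
      namespace: kube-system
    spec:
      # Changed from upstream: NodePort opens port 30001 on every node address.
      # Limit who can reach that port (host firewall / security group).
      type: NodePort
      ports:
        - port: 443
          targetPort: 8443
          nodePort: 30001
      selector:
        k8s-app: kubernetes-dashboard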

     

    原文用红色标出了上述内容和原始文件不同的地方(颜色在此处已丢失):即 Service 中的 type: NodePort 和 nodePort: 30001 两行,以及被删除的 Secret 定义。

    然后执行kubectl apply -f kubernetes-dashboard.yaml 创建dashboard

    查看服务状态:

    [root@master keys]# ksys get svc

    NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE

    kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP 15d

    kubernetes-dashboard NodePort 10.111.32.20 <none> 443:30001/TCP 2m14s

    [root@master keys]#

     

    作者:dyzsoft

    链接:https://www.jianshu.com/p/c6d560d12d50

    来源:简书

    著作权归作者所有。商业转载请联系作者获得授权,非商业转载请注明出处。

     

    当然你可能访问不了谷歌,所以无法下载镜像,那请参考

     

    四、科学解决镜像获取问题

    如果你无法访问 k8s.gcr.io,此镜像的获取可以参考我的文章:github和dockerhub制作k8s镜像 https://www.cnblogs.com/fengzhihai/p/9849683.html 。使用经第三方中转的镜像时,建议核对镜像的 digest 与官方镜像一致后再部署。

    ---

     

    搭建时遇到的坑:

    1、搭建K8S 的dashboard的时候显示404

    the server could not find the requested resource

    这是因为这里使用的 dashboard 版本暂时不支持 Kubernetes v1.16(原文简写为 v16),请改用 dashboard v2.0,注意 image 的地址有变动。

     

    完美copyfrom:

    1:kubernetes-dashboard安装

    2:kubernetes dashboard 使用令牌登录

    3:Kubernetes Dashboard的安装与坑

    4:kubernetes-dashboard(1.8.3)部署与踩坑

  • 原文地址:https://www.cnblogs.com/lizhaoxian/p/11996942.html