Kubernetes Dashboard安装过程中会出现的问题包括:
1、证书失效问题
2、token获取问题
3、服务如何暴露的问题
按照本文的步骤,可保你安装一路平安
一、生成证书
生成证书通过openssl生成自签名证书即可,不再赘述,参考如下所示:
[root@master keys]# pwd
/root/keys
[root@master keys]# ls
[root@master keys]# openssl genrsa -out dashboard.key 2048
Generating RSA private key, 2048 bit long modulus
.+++
.................................................+++
e is 65537 (0x10001)
[root@master keys]# openssl req -new -out dashboard.csr -key dashboard.key -subj '/CN=192.168.246.200'
[root@master keys]# ls
dashboard.csr dashboard.key
[root@master keys]#
[root@master keys]# openssl x509 -req -in dashboard.csr -signkey dashboard.key -out dashboard.crt
Signature ok
subject=/CN=192.168.246.200
Getting Private key
[root@master keys]#
[root@master keys]# ls
dashboard.crt dashboard.csr dashboard.key
[root@master keys]#
[root@master keys]# openssl x509 -in dashboard.crt -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
f0:8a:26:aa:9f:24:bf:92
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=192.168.246.200
Validity
Not Before: Dec 13 08:10:36 2018 GMT
Not After : Jan 12 08:10:36 2019 GMT
Subject: CN=192.168.246.200
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:f6:7a:b4:4a:ad:bd:b3:00:9c:d1:fe:06:2d:09:
cf:eb:28:54:0f:3f:6e:dc:29:6b:67:e1:9b:58:e4:
82:00:15:ee:35:25:00:4c:c1:e0:1b:29:8b:b2:6b:
8d:e8:09:77:66:4d:f3:9e:9d:85:36:94:80:da:1b:
35:c8:a1:b3:0b:b2:7f:6f:1e:e9:fe:fc:15:1b:7b:
ba:85:1f:2b:70:16:d5:c3:7f:36:18:f1:8e:44:1e:
8a:13:a2:9c:b8:bf:b8:08:3f:a0:5c:ef:19:f5:ce:
73:0c:3e:0a:b5:87:7a:de:25:74:36:0e:26:52:ff:
4b:d0:24:40:c9:03:9a:44:f6:17:a7:d7:fa:7e:e0:
fb:6a:76:5b:dc:0f:43:c2:63:f4:22:20:4c:4e:5d:
b7:a0:83:54:58:1c:10:0f:57:ef:ad:1f:36:0b:8f:
8d:f4:a2:52:ab:e7:39:57:ea:30:c3:1d:30:93:ee:
44:7f:73:ef:41:94:e8:34:8c:c4:bb:02:d9:17:da:
55:07:ff:43:6c:f3:8e:91:5f:81:03:e9:94:2e:f1:
25:e7:41:86:e2:25:c4:b9:07:b4:9c:d9:04:36:31:
82:43:1b:26:10:17:8c:98:4a:f3:23:69:15:1b:76:
75:ae:4e:27:6f:70:4c:c6:f7:cc:75:e4:ed:48:b7:
51:c5
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
28:55:3c:0a:66:77:2a:fd:8a:b6:81:54:59:13:d7:03:17:7f:
d4:fa:e4:94:2b:bc:f4:11:ea:0c:18:e9:c0:2c:02:86:eb:39:
12:38:19:71:6c:b8:7a:4d:03:57:59:4f:c0:50:c4:19:92:c1:
9f:2f:0d:18:92:9e:2b:2e:a2:44:52:9a:32:2b:75:35:fb:43:
66:fb:fa:32:77:ce:b8:4e:80:cb:38:52:c4:2c:17:11:1a:38:
c3:a9:62:43:5e:60:ae:47:d4:f7:46:12:29:f5:e4:75:35:e5:
90:5d:2e:4f:2f:c5:65:9a:e5:6a:4d:8a:cd:69:ba:e0:4f:43:
d1:ab:9a:62:74:fc:d5:88:9c:3a:ba:22:2d:38:96:fc:35:b0:
3c:23:f7:8c:23:07:4e:05:8e:ae:53:82:9c:fd:54:24:86:75:
12:a6:e9:77:62:bd:f6:bb:f9:4d:5b:64:1e:d0:48:68:31:86:
f5:36:b5:6b:fc:b6:36:f0:01:3c:0a:9f:2b:27:56:28:1d:1f:
c4:e9:f7:c6:5d:16:5e:88:c5:e0:43:00:bf:79:d7:04:2f:45:
57:df:e6:17:dd:5a:f8:53:e9:ca:f6:33:ed:19:f0:d9:0a:ae:
f0:ba:c6:5b:7e:70:af:c3:f3:a5:b0:95:b0:ee:cd:35:29:5c:
34:4a:ce:49
这样就有了证书文件dashboard.crt 和 私钥 dashboad.key
二、生成secret
创建同名称的secret:
名称为: kubernetes-dashboard-certs
[root@master keys]# ls
dashboard.crt dashboard.csr dashboard.key kubernetes-dashboard.yaml
[root@master keys]# ksys create secret generic kubernetes-dashboard-certs --from-file=dashboard.key --from-file=dashboard.crt -n kube-system
secret/kubernetes-dashboard-certs created
[root@master keys]#
[root@master keys]# kubectl get secret | grep dashboard
kubernetes-dashboard-certs Opaque 2 25s
kubernetes-dashboard-key-holder Opaque 2 25h
[root@master keys]#
[root@master keys]# kubectl describe secret kubernetes-dashboard-certs
Name: kubernetes-dashboard-certs
Namespace: kube-system
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
dashboard.crt: 993 bytes
dashboard.key: 1675 bytes
[root@master keys]#
可以看到,已经成功创建了 secret文件
三、获取和修改kubernetes-dashboard.yaml文件:
wget https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
为了便于本地访问,这里对其进行了适当的修改,修改后可对外开放一个30001的nodeport端口,可以基于ip:30001的方式来访问,
并删除了生成secret的部分,因为上面已经生成了呀
文件内容见下:
复制代码
[root@k8s-master k8s]# cat kubernetes-dashboard.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
---
# ------------------- Dashboard Role & Role Binding ------------------- #
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
rules:
# Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
# Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
verbs: ["get", "update", "delete"]
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"]
# Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster"]
verbs: ["proxy"]
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kube-system
---
# ------------------- Dashboard Deployment ------------------- #
kind: Deployment
apiVersion: apps/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: kubernetes-dashboard
template:
metadata:
labels:
k8s-app: kubernetes-dashboard
spec:
containers:
- name: kubernetes-dashboard
image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
ports:
- containerPort: 8443
protocol: TCP
args:
- --auto-generate-certificates
# Uncomment the following line to manually specify Kubernetes API server Host
# If not specified, Dashboard will attempt to auto discover the API server and connect
# to it. Uncomment only if the default does not work.
# - --apiserver-host=http://my-address:port
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
# Create on-disk volume to store exec logs
- mountPath: /tmp
name: tmp-volume
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 30
timeoutSeconds: 30
volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: kubernetes-dashboard-certs
- name: tmp-volume
emptyDir: {}
serviceAccountName: kubernetes-dashboard
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
---
# ------------------- Dashboard Service ------------------- #
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
type: NodePort
ports:
- port: 443
targetPort: 8443
nodePort: 30001
selector:
k8s-app: kubernetes-dashboard
标红处是上述内容和原始文件不同的地方。
然后执行kubectl apply -f kubernetes-dashboard.yaml 创建dashboard
查看服务状态:
[root@master keys]# ksys get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP 15d
kubernetes-dashboard NodePort 10.111.32.20 <none> 443:30001/TCP 2m14s
[root@master keys]#
作者:dyzsoft
链接:https://www.jianshu.com/p/c6d560d12d50
来源:简书
著作权归作者所有。商业转载请联系作者获得授权,非商业转载请注明出处。
当然你可能访问不了谷歌,所以无法下载镜像,那请参考
四、科学解决镜像获取问题
如果你不能上网,此镜像的获取可以参考我的文章:github和dockerhub制作k8s镜像https://www.cnblogs.com/fengzhihai/p/9849683.html。
---
搭建时遇到的坑:
1、搭建K8S 的dashboard的时候显示404
the server could not find the requested resource
这是因为dashboard暂时不支持v16版本,使用dashboardv2.0吧,image的地址有变动
完美copyfrom: