1. ingress-nginx 安装
我们希望通过ingress代理的方式访问dashboard。
- 安装ingress-nginx
# Fetch the upstream bare-metal manifest. The URL is pinned to a release tag
# (controller-v0.47.0), not a branch, so the file is reproducible.
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/baremetal/deploy.yaml
# Keep a pristine copy so every local edit can later be diffed against upstream.
cp deploy.yaml{,.ori}
# 修改文件,以DaemonSet运行,修改网络模式为hostNetwork,增加nodeSelector,将ingress部署到master服务器上,后续文档专门会介绍污点和容忍的方式调度。
[root@master1 ~]# diff deploy.yaml deploy.yaml.ori
< kind: DaemonSet
---
> kind: Deployment
321d320
< hostNetwork: true
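Review bot: `< hostNetwork: true` puts the controller's 80/443, the admission webhook on 8443 and the healthz endpoint on 10254 directly on each selected node's interfaces, and per the `ingress-controller` nodeSelector those are the control-plane nodes, so the proxy now shares its attack surface with the hosts serving the API server. Pair it with `dnsPolicy: ClusterFirstWithHostNet` (the ingress-nginx chart recommends this whenever hostNetwork is on; with plain ClusterFirst a host-network pod resolves through the node's resolv.conf), and restrict 8443 and 10254 on the node firewall to the API server and monitoring. The pod spec this line belongs to continues outside the hunk.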
324c323
< image: registry.aliyuncs.com/google_containers/nginx-ingress-controller:v0.46.0
---
> image: k8s.gcr.io/ingress-nginx/controller:v0.46.0@sha256:52f0058bed0a17ab0fb35628ba97e8d52b5d32299fbc03cc0f6c7b9ff036b61a
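Review bot: The new `< image: registry.aliyuncs.com/google_containers/nginx-ingress-controller:v0.46.0` line drops the `@sha256:52f0058b…` digest the upstream line carried, so the pull now trusts a mutable tag on a third-party mirror instead of a content-addressed artifact. Resolve the mirror's digest once, check it equals upstream's, and pin it: `image: registry.aliyuncs.com/google_containers/nginx-ingress-controller:v0.46.0@sha256:<verified digest>`. Tag v0.46.0 also sits in a manifest taken from the controller-v0.47.0 tag that labels itself `app.kubernetes.io/version: 0.47.0`, which looks like a version skew worth confirming.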
398d396
< ingress-controller: 'true'
# 部分配置,配置太多就不粘出来了,我们重点看下控制器(已由 Deployment 改为 DaemonSet)部分
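# Source: ingress-nginx/templates/controller-deployment.yaml
# Edited from the upstream bare-metal manifest: Deployment -> DaemonSet,
# hostNetwork enabled, and a nodeSelector so the controller only runs on
# nodes labelled ingress-controller=true (the control-plane nodes here).
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/component: controller
  revisionHistoryLimit: 10
  minReadySeconds: 0
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
    spec:
      # A hostNetwork pod with plain ClusterFirst resolves through the node's
      # resolv.conf. ClusterFirstWithHostNet keeps cluster DNS working; this is
      # what the ingress-nginx chart recommends whenever hostNetwork is enabled.
      dnsPolicy: ClusterFirstWithHostNet
      # Binds 80/443 (traffic), 8443 (admission webhook) and 10254 (healthz)
      # directly on every selected node's interfaces. Firewall 8443/10254 so
      # only the API server and monitoring can reach them.
      hostNetwork: true
      containers:
        - name: controller
          # Mirror of k8s.gcr.io/ingress-nginx/controller. The upstream manifest
          # pins the image by @sha256 digest; this mirror tag is mutable — resolve
          # the digest, verify it against upstream, and append it here.
          # NOTE(review): tag v0.46.0 vs. manifest/label 0.47.0 looks like a
          # version skew — confirm which controller version is intended.
          image: registry.aliyuncs.com/google_containers/nginx-ingress-controller:v0.46.0
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          args:
            - /nginx-ingress-controller
            - --election-id=ingress-controller-leader
            # Only Ingresses of class "nginx" are served by this controller.
            - --ingress-class=nginx
            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
            # Admission webhook; with hostNetwork this listens on the node IP.
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            # uid 101 = www-data in the controller image.
            runAsUser: 101
            runAsNonRoot: true
            # Kept from upstream: presumably needed so the setcap'd controller
            # binary can bind 80/443 as a non-root uid — verify before disabling.
            allowPrivilegeEscalation: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
            - name: webhook
              containerPort: 8443
              protocol: TCP
          volumeMounts:
            - name: webhook-cert
              mountPath: /usr/local/certificates/
              readOnly: true
          resources:
            requests:
              cpu: 100m
              memory: 90Mi
      # Only nodes carrying ingress-controller=true run the controller. In this
      # setup those are the control-plane nodes, so the internet-facing proxy
      # shares hosts with the API server — a deliberate trade-off to be aware of.
      nodeSelector:
        kubernetes.io/os: linux
        ingress-controller: 'true'
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission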
---
# 标记节点调度到指定节点
# Label the nodes that should host the ingress controller; the DaemonSet's
# nodeSelector (ingress-controller=true) schedules pods onto exactly these.
# Note these are control-plane nodes: with hostNetwork the proxy's ports end
# up on the same hosts as the API server.
for node in master1.sysit.cn master2.sysit.cn master3.sysit.cn; do
  kubectl label node "${node}" ingress-controller="true"
done
# Roll out the edited manifest.
kubectl apply -f deploy.yaml
- 检查
[root@master1 ~]# kubectl get pods -n ingress-nginx -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
ingress-nginx-admission-create-kpgmb 0/1 Completed 0 7m54s 10.244.197.132 node1.sysit.cn <none> <none>
ingress-nginx-admission-patch-qtp5t 0/1 Completed 0 7m54s 10.244.96.129 master3.sysit.cn <none> <none>
ingress-nginx-controller-2mgp5 1/1 Running 0 2m23s 192.168.112.141 master1.sysit.cn <none> <none>
ingress-nginx-controller-mwczj 1/1 Running 1 2m23s 192.168.112.142 master2.sysit.cn <none> <none>
ingress-nginx-controller-xgldp 1/1 Running 0 2m23s 192.168.112.143 master3.sysit.cn <none> <none>
[root@master1 ~]# kubectl get daemonset -n ingress-nginx
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
ingress-nginx-controller 3 3 3 3 3 ingress-controller=true,kubernetes.io/os=linux 8m29s
2. 安装dashboard
2.1 安装dashboard
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.2.0/aio/deploy/recommended.yaml
- 通过proxy访问
# 执行如下命令,代理出一个只能本地访问的地址。
kubectl proxy
可供访问的地址如下:
# dashboard v2.x 部署在 kubernetes-dashboard 命名空间(见下文 Ingress 与 ServiceAccount),不是 kube-system
http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
- 通过apiserver访问
还可以通过apiserver访问,访问地址:
https://<master-ip>:<apiserver-port>/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
# 如我通过master1访问,则访问地址如下:
https://192.168.112.141:6443/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
- 通过nginx-ingress代理访问(本文推荐)
2.2 创建ssl证书
多种方式可以创建ssl证书,我们这里选取2种方式。两种方式生成的都是自签名证书,浏览器不会自动信任,需要在客户端手工导入 CA/证书;证书必须带 subjectAltName,仅有 CN 的证书现代浏览器会拒绝。
- openssl工具生成证书
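# OpenSSL request config. Every DN field is pre-filled through *_value, so the
# command below runs without interactive prompts. x509_extensions adds a
# subjectAltName: browsers and Go clients match the hostname against the SAN
# only, a CN-only certificate is rejected.
cat >openssl.cnf<<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = yes
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_value = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_value = Sichuan
localityName = Locality Name (eg, city)
localityName_value = Chengdu
organizationName = Organization Name (eg, company)
organizationName_value = Sysit
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_value = R & D Department
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_value = dashboard.sysit.cn
emailAddress = Email Address
emailAddress_value = admin@sysit.cn
[ v3_req ]
subjectAltName = DNS:dashboard.sysit.cn
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
# Self-signed, 10-year server certificate. -nodes leaves the private key
# unencrypted on disk (required so the TLS secret can be created from it);
# keep dashboard.key readable by the admin user only.
openssl req -newkey rsa:4096 -nodes -config openssl.cnf -days 3650 -x509 -out dashboard.crt -keyout dashboard.key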
上面dashboard.crt和dashboard.key就是我们需要的文件。
- cfssl工具生成证书
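# cfssl signing policy. The "dashboard" profile is for a server certificate
# only, so it carries "server auth" but not "client auth" (least privilege:
# the dashboard cert must never be usable to authenticate as a client).
# 87600h = 10 years.
cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "dashboard": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      }
    }
  }
}
EOF
# Private CA that will sign the dashboard certificate. Clients must trust ca.pem.
cat >ca-csr.json<<EOF
{
  "CN": "dashboard",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Chengdu",
      "ST": "Sichuan"
    }
  ]
}
EOF
cfssl gencert --initca ca-csr.json |cfssljson -bare ca -
# Server CSR. "hosts" becomes the subjectAltName list; without it cfssl
# emits a certificate with no SAN, which browsers and Go clients reject
# even when the CN matches.
cat >dashboard-csr.json<<EOF
{
  "CN": "*.sysit.cn",
  "hosts": [
    "dashboard.sysit.cn",
    "*.sysit.cn"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Chengdu",
      "ST": "Sichuan"
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem --config=ca-config.json --profile=dashboard dashboard-csr.json |cfssljson -bare dashboard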
生成的dashboard.pem和dashboard-key.pem就是我们需要的文件
- 导入kubernetes
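# Import the certificate and key as a TLS secret. It MUST live in the same
# namespace as the Ingress that references it (kubernetes-dashboard, see
# ingress-dashboard.yaml): Ingress TLS secrets are not resolved across
# namespaces, and a secret in kube-system would leave the controller serving
# its default self-signed "fake" certificate.
kubectl create -n kubernetes-dashboard secret tls dashboard-ssl-name --cert dashboard.pem --key dashboard-key.pem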
# 输出:secret/dashboard-ssl-name created
2.3 ingress-dashboard配置
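# Ingress for the dashboard. TLS is terminated by ingress-nginx with the
# dashboard-ssl-name secret (which must exist in this namespace), then
# re-encrypted to the dashboard's own HTTPS port via backend-protocol=HTTPS.
# Dropped from the original: ssl-passthrough (requires the controller to run
# with --enable-ssl-passthrough, which the DaemonSet args do not set, and it
# would bypass spec.tls entirely) and secure-backends (removed annotation,
# superseded by backend-protocol).
cat > ingress-dashboard.yaml<<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dashboard-ingress
  namespace: kubernetes-dashboard
  annotations:
    # Matches the controller's --ingress-class=nginx. On ingress-nginx >= 1.0
    # prefer spec.ingressClassName over this annotation.
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
    - dashboard.sysit.cn
    secretName: dashboard-ssl-name
  rules:
  - host: dashboard.sysit.cn
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: kubernetes-dashboard
            port:
              number: 443
EOF
kubectl apply -f ingress-dashboard.yaml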
https://dashboard.sysit.cn访问界面如下:

- 登录
创建管理用户
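# ServiceAccount used to log in to the dashboard.
kubectl create serviceaccount admin-user -n kubernetes-dashboard
# SECURITY: cluster-admin gives whoever holds this account's token unrestricted
# control of the cluster, and the token obtained below is a long-lived bearer
# credential. Acceptable for a lab; elsewhere bind a narrower (Cluster)Role
# (e.g. view, or a namespaced Role) and treat the token like a root password —
# never paste it into docs, tickets or chat.
kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:admin-user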
token登录
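# Read the token straight from the ServiceAccount's auto-generated secret.
# NOTE(review): on Kubernetes >= 1.24 ServiceAccounts no longer get a token
# secret automatically, so .secrets[0].name is empty there — use the short-lived
# `kubectl -n kubernetes-dashboard create token admin-user` instead.
# The inner substitution is quoted so an empty/odd secret name cannot be split.
kubectl -n kubernetes-dashboard get secret "$(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath='{.secrets[0].name}')" -o go-template='{{.data.token | base64decode}}'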
# 得到(注意:该 token 是绑定了 cluster-admin 的长期 bearer 凭据,等同于集群 root 权限,切勿粘贴到文档、工单或聊天中)
eyJhbGciOiJSUzI1NiIsImtpZCI6IkhwcEI0czdnbm9rOG5SdmVfOHJDcFBXcGZ0WThoNE5VR3BqbVlaM2lWcmMifQ.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.TwmQr4BzT25mDu0tRGVcWVtEDrLrWs3-Isy9Cdv7h66rU_EuSxOIroB6v5fuQAynS8VyyAzg2ygX5TICJeEqdtCsxhvCZgX7Zny5jefrRtDEgNnV7wh5-7eShmICD0cF-pVUFeAqA-Ei-trEIaTPSkI7PaDSSIDVBlUfGFGFFR_Fg5oPErBfn9SqXvVly-2lAa4jQFfoMUsPjNk7PLaNGwnQj4yP-u_jY7GLy8a1Uv4DyqN2j_kyP5SjLjNOgnLrd2Hv51BEihVNbegTSJfGrkAfnjs3Tb_4JzjcO0ir1qKdm6KXRYuoaPt6SvoK8v_WGZMTZnbruGhlbaAUw4rlZw
使用获取的token进行页面访问

kubeconfig登录
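# Capture the same token (see previous step) into a variable for the kubeconfig.
# NOTE(review): on clusters >= 1.24 no token secret is auto-created; use
# `kubectl -n kubernetes-dashboard create token admin-user` there.
DASHBOARD_LOGIN_TOKEN=$(kubectl -n kubernetes-dashboard get secret "$(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath='{.secrets[0].name}')" -o go-template='{{.data.token | base64decode}}')
# Printing is only for a quick sanity check — this is a cluster-admin credential.
printf '%s\n' "${DASHBOARD_LOGIN_TOKEN}"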
eyJhbGciOiJSUzI1NiIsImtpZCI6IkhwcEI0czdnbm9rOG5SdmVfOHJDcFBXcGZ0WThoNE5VR3BqbVlaM2lWcmMifQ.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.TwmQr4BzT25mDu0tRGVcWVtEDrLrWs3-Isy9Cdv7h66rU_EuSxOIroB6v5fuQAynS8VyyAzg2ygX5TICJeEqdtCsxhvCZgX7Zny5jefrRtDEgNnV7wh5-7eShmICD0cF-pVUFeAqA-Ei-trEIaTPSkI7PaDSSIDVBlUfGFGFFR_Fg5oPErBfn9SqXvVly-2lAa4jQFfoMUsPjNk7PLaNGwnQj4yP-u_jY7GLy8a1Uv4DyqN2j_kyP5SjLjNOgnLrd2Hv51BEihVNbegTSJfGrkAfnjs3Tb_4JzjcO0ir1qKdm6KXRYuoaPt6SvoK8v_WGZMTZnbruGhlbaAUw4rlZw
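# Build a standalone kubeconfig that authenticates with the token. The file
# will hold the cluster-admin token in clear text, so it must be protected
# like a private key.
# --server is presumably the API VIP (192.168.112.140, not one of the masters)
# and the CA path is deployment specific — TODO confirm both for your cluster.
kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=https://192.168.112.140:6443 \
  --kubeconfig=dashboard-admin.kubeconfig
# NOTE: --token exposes the secret on the command line (shell history, `ps`
# while it runs); do this only on a trusted admin host.
kubectl config set-credentials admin-user \
  --token="${DASHBOARD_LOGIN_TOKEN}" \
  --kubeconfig=dashboard-admin.kubeconfig
kubectl config set-context default \
  --cluster=kubernetes \
  --user=admin-user \
  --kubeconfig=dashboard-admin.kubeconfig
kubectl config use-context default --kubeconfig=dashboard-admin.kubeconfig
# kubectl normally writes kubeconfigs 0600 already; make it explicit.
chmod 600 dashboard-admin.kubeconfig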
登录界面如下:

