[kubernetes]安装dashboard

前言

kubernetes官方文档中的web UI网页管理工具是kubernetes-dashboard，可提供部署应用、资源对象管理、容器日志查询、系统监控等常用的集群管理功能。为了在页面上显示系统资源的使用情况，需要部署 Metrics Server（参考博客园 - 安装metrics-server）。

• kubernetes版本：1.26.6
  

创建资源对象

官方yaml。github仓库地址：https://github.com/kubernetes/dashboard。这里的版本为 v2.7.0。
用到的镜像分别为kubernetesui/dashboard:v2.7.0 和 kubernetesui/metrics-scraper:v1.0.8 。可以从docker hub直接下载，内网离线环境可以先传到内网的镜像仓库，然后镜像改成内网镜像地址。

1. # Copyright 2017 The Kubernetes Authors.
2. #
3. # Licensed under the Apache License, Version 2.0 (the "License");
4. # you may not use this file except in compliance with the License.
5. # You may obtain a copy of the License at
6. #
7. #     http://www.apache.org/licenses/LICENSE-2.0
8. #
9. # Unless required by applicable law or agreed to in writing, software
10. # distributed under the License is distributed on an "AS IS" BASIS,
11. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12. # See the License for the specific language governing permissions and
13. # limitations under the License.
15. apiVersion: v1
16. kind: Namespace
17. metadata:
18.   name: kubernetes-dashboard
20. ---
21. apiVersion: v1
22. kind: ServiceAccount
23. metadata:
24.   labels:
25.     k8s-app: kubernetes-dashboard
26.   name: kubernetes-dashboard
27.   namespace: kubernetes-dashboard
29. ---
30. kind: Service
31. apiVersion: v1
32. metadata:
33.   labels:
34.     k8s-app: kubernetes-dashboard
35.   name: kubernetes-dashboard
36.   namespace: kubernetes-dashboard
37. spec:
38.   # type: NodePort
39.   ports:
40.     - port: 443
41.       targetPort: 8443
42.       # nodeport: 30001
43.   selector:
44.     k8s-app: kubernetes-dashboard
46. ---
47. apiVersion: v1
48. kind: Secret
49. metadata:
50.   labels:
51.     k8s-app: kubernetes-dashboard
52.   name: kubernetes-dashboard-certs
53.   namespace: kubernetes-dashboard
54. type: Opaque
56. ---
57. apiVersion: v1
58. kind: Secret
59. metadata:
60.   labels:
61.     k8s-app: kubernetes-dashboard
62.   name: kubernetes-dashboard-csrf
63.   namespace: kubernetes-dashboard
64. type: Opaque
65. data:
66.   csrf: ""
68. ---
69. apiVersion: v1
70. kind: Secret
71. metadata:
72.   labels:
73.     k8s-app: kubernetes-dashboard
74.   name: kubernetes-dashboard-key-holder
75.   namespace: kubernetes-dashboard
76. type: Opaque
78. ---
79. kind: ConfigMap
80. apiVersion: v1
81. metadata:
82.   labels:
83.     k8s-app: kubernetes-dashboard
84.   name: kubernetes-dashboard-settings
85.   namespace: kubernetes-dashboard
87. ---
88. kind: Role
89. apiVersion: rbac.authorization.k8s.io/v1
90. metadata:
91.   labels:
92.     k8s-app: kubernetes-dashboard
93.   name: kubernetes-dashboard
94.   namespace: kubernetes-dashboard
95. rules:
96.   # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
97.   - apiGroups: [""]
98.     resources: ["secrets"]
99.     resourceNames:
100.       [
101.         "kubernetes-dashboard-key-holder",
102.         "kubernetes-dashboard-certs",
103.         "kubernetes-dashboard-csrf",
104.       ]
105.     verbs: ["get", "update", "delete"]
106.     # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
107.   - apiGroups: [""]
108.     resources: ["configmaps"]
109.     resourceNames: ["kubernetes-dashboard-settings"]
110.     verbs: ["get", "update"]
111.     # Allow Dashboard to get metrics.
112.   - apiGroups: [""]
113.     resources: ["services"]
114.     resourceNames: ["heapster", "dashboard-metrics-scraper"]
115.     verbs: ["proxy"]
116.   - apiGroups: [""]
117.     resources: ["services/proxy"]
118.     resourceNames:
119.       [
120.         "heapster",
121.         "http:heapster:",
122.         "https:heapster:",
123.         "dashboard-metrics-scraper",
124.         "http:dashboard-metrics-scraper",
125.       ]
126.     verbs: ["get"]
128. ---
129. kind: ClusterRole
130. apiVersion: rbac.authorization.k8s.io/v1
131. metadata:
132.   labels:
133.     k8s-app: kubernetes-dashboard
134.   name: kubernetes-dashboard
135. rules:
136.   # Allow Metrics Scraper to get metrics from the Metrics server
137.   - apiGroups: ["metrics.k8s.io"]
138.     resources: ["pods", "nodes"]
139.     verbs: ["get", "list", "watch"]
141. ---
142. apiVersion: rbac.authorization.k8s.io/v1
143. kind: RoleBinding
144. metadata:
145.   labels:
146.     k8s-app: kubernetes-dashboard
147.   name: kubernetes-dashboard
148.   namespace: kubernetes-dashboard
149. roleRef:
150.   apiGroup: rbac.authorization.k8s.io
151.   kind: Role
152.   name: kubernetes-dashboard
153. subjects:
154.   - kind: ServiceAccount
155.     name: kubernetes-dashboard
156.     namespace: kubernetes-dashboard
158. ---
159. apiVersion: rbac.authorization.k8s.io/v1
160. kind: ClusterRoleBinding
161. metadata:
162.   name: kubernetes-dashboard
163. roleRef:
164.   apiGroup: rbac.authorization.k8s.io
165.   kind: ClusterRole
166.   name: kubernetes-dashboard
167. subjects:
168.   - kind: ServiceAccount
169.     name: kubernetes-dashboard
170.     namespace: kubernetes-dashboard
172. ---
173. kind: Deployment
174. apiVersion: apps/v1
175. metadata:
176.   labels:
177.     k8s-app: kubernetes-dashboard
178.   name: kubernetes-dashboard
179.   namespace: kubernetes-dashboard
180. spec:
181.   replicas: 1
182.   revisionHistoryLimit: 10
183.   selector:
184.     matchLabels:
185.       k8s-app: kubernetes-dashboard
186.   template:
187.     metadata:
188.       labels:
189.         k8s-app: kubernetes-dashboard
190.     spec:
191.       securityContext:
192.         seccompProfile:
193.           type: RuntimeDefault
194.       containers:
195.         - name: kubernetes-dashboard
196.           image: registry.elifen.cn/kubernetesui/dashboard:v2.7.0
197.           imagePullPolicy: Always
198.           ports:
199.             - containerPort: 8443
200.               protocol: TCP
201.           args:
202.             - --auto-generate-certificates
203.             - --namespace=kubernetes-dashboard
204.             # Uncomment the following line to manually specify Kubernetes API server Host
205.             # If not specified, Dashboard will attempt to auto discover the API server and connect
206.             # to it. Uncomment only if the default does not work.
207.             # - --apiserver-host=http://my-address:port
208.           volumeMounts:
209.             - name: kubernetes-dashboard-certs
210.               mountPath: /certs
211.               # Create on-disk volume to store exec logs
212.             - mountPath: /tmp
213.               name: tmp-volume
214.           livenessProbe:
215.             httpGet:
216.               scheme: HTTPS
217.               path: /
218.               port: 8443
219.             initialDelaySeconds: 30
220.             timeoutSeconds: 30
221.           securityContext:
222.             allowPrivilegeEscalation: false
223.             readOnlyRootFilesystem: true
224.             runAsUser: 1001
225.             runAsGroup: 2001
226.       volumes:
227.         - name: kubernetes-dashboard-certs
228.           secret:
229.             secretName: kubernetes-dashboard-certs
230.         - name: tmp-volume
231.           emptyDir: {}
232.       serviceAccountName: kubernetes-dashboard
233.       nodeSelector:
234.         "kubernetes.io/os": linux
235.       # Comment the following tolerations if Dashboard must not be deployed on master
236.       tolerations:
237.         - key: node-role.kubernetes.io/master
238.           effect: NoSchedule
240. ---
241. kind: Service
242. apiVersion: v1
243. metadata:
244.   labels:
245.     k8s-app: dashboard-metrics-scraper
246.   name: dashboard-metrics-scraper
247.   namespace: kubernetes-dashboard
248. spec:
249.   ports:
250.     - port: 8000
251.       targetPort: 8000
252.   selector:
253.     k8s-app: dashboard-metrics-scraper
255. ---
256. kind: Deployment
257. apiVersion: apps/v1
258. metadata:
259.   labels:
260.     k8s-app: dashboard-metrics-scraper
261.   name: dashboard-metrics-scraper
262.   namespace: kubernetes-dashboard
263. spec:
264.   replicas: 1
265.   revisionHistoryLimit: 10
266.   selector:
267.     matchLabels:
268.       k8s-app: dashboard-metrics-scraper
269.   template:
270.     metadata:
271.       labels:
272.         k8s-app: dashboard-metrics-scraper
273.     spec:
274.       securityContext:
275.         seccompProfile:
276.           type: RuntimeDefault
277.       containers:
278.         - name: dashboard-metrics-scraper
279.           image: registry.elifen.cn/kubernetesui/metrics-scraper:v1.0.8
280.           ports:
281.             - containerPort: 8000
282.               protocol: TCP
283.           livenessProbe:
284.             httpGet:
285.               scheme: HTTP
286.               path: /
287.               port: 8000
288.             initialDelaySeconds: 30
289.             timeoutSeconds: 30
290.           volumeMounts:
291.             - mountPath: /tmp
292.               name: tmp-volume
293.           securityContext:
294.             allowPrivilegeEscalation: false
295.             readOnlyRootFilesystem: true
296.             runAsUser: 1001
297.             runAsGroup: 2001
298.       serviceAccountName: kubernetes-dashboard
299.       nodeSelector:
300.         "kubernetes.io/os": linux
301.       # Comment the following tolerations if Dashboard must not be deployed on master
302.       tolerations:
303.         - key: node-role.kubernetes.io/master
304.           effect: NoSchedule
305.       volumes:
306.         - name: tmp-volume
307.           emptyDir: {}

复制代码

发布到集群：

1. kubectl create -f kube-dashboard.yaml

复制代码

使用nodePort访问dashboard

k8s官方文档给的示例是用kube-proxy，这里用的nodePort，稍微改动下原yaml中的kubernetes-dashboard服务，加了nodePort的配置。

1. kind: Service
2. apiVersion: v1
3. metadata:
4.   labels:
5.     k8s-app: kubernetes-dashboard
6.   name: kubernetes-dashboard
7.   namespace: kubernetes-dashboard
8. spec:
9.   type: NodePort
10.   ports:
11.     - port: 443
12.       targetPort: 8443
13.       nodeport: 30001
14.   selector:
15.     k8s-app: kubernetes-dashboard

复制代码

应用：

1. kubectl apply -f kube-dashboard.yaml

复制代码

若运行正常，浏览器访问 https://:30001，理应显示dashboard的界面，接下来生成用于登录的token。

使用token访问

• 创建一个serviceaccount
  

1. apiVersion: v1
2. kind: ServiceAccount
3. metadata:
4.   name: admin-user
5.   namespace: kubernetes-dashboard

复制代码

或者使用命令

1. kubectl create serviceaccount admin-user -n kubernetes-dashboard

复制代码

• 授予cluster-admin的集群管理员权限
  

1. apiVersion: rbac.authorization.k8s.io/v1
2. kind: ClusterRoleBinding
3. metadata:
4.   name: admin-user
5. roleRef:
6.   apiGroup: rbac.authorization.k8s.io
7.   kind: ClusterRole
8.   name: cluster-admin
9. subjects:
10. - kind: ServiceAccount
11.   name: admin-user
12.   namespace: kubernetes-dashboard

复制代码

使用命令

1. kubectl create clusterrolebinding admin-user --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:admin-user

复制代码

• 获取token
  

1. kubectl -n kubernetes-dashboard create token admin-user

复制代码

• 页面填入token登录。
  

参考

• GitHub - dashboard创建简单用户
  
• kubernetes官方文档 - 部署和访问 Kubernetes 仪表板（Dashboard）
  
• 《kubernetes进阶实战-v2》
  

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！