Installing Kubernetes Dashboard, and Its Pitfalls [h]
1. Preface
https://github.com/kubernetes/dashboard/releases
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
Kubernetes Dashboard is a general purpose, web-based UI for Kubernetes clusters. It allows users to manage applications running in the cluster and troubleshoot them, as well as manage the cluster itself.
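A one-sentence introduction to Kubernetes Dashboard:
Kubernetes Dashboard is the web UI for a k8s cluster and brings together all the operations available from the command line. The interface is shown below (PS: it currently auto-detects the language and displays the Chinese version):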

2. Installation
Installing the k8s dashboard is very simple; just follow the instructions on GitHub. The project address is as follows:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
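However, installing it this way has several problems:
- The image cannot be accessed directly from within China; a Docker proxy has to be configured before the image can be downloaded
- The dashboard's default web UI certificate is auto-generated; because of problems with its dates and name, Chrome and IE cannot open the login page. In testing, Firefox opens it normally
2.1 Setting up a Docker proxy
The Docker image for the k8s dashboard is k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.0
Before running kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
first set up the Docker proxy.
The following script makes it easy to switch the Docker proxy on and off: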
#!/bin/bash
# Toggle the Docker daemon proxy by editing the docker.service unit file
# you should set it to your proxy ip
proxy_ip="http://192.168.246.1:1080"
# you need set it to the host ip
proxy_none_ip="192.168.0.0/16"
# Lines inserted before ExecStart; the trailing backslash continues sed's "i" text.
# NO_PROXY is one comma-separated entry: a second Environment="NO_PROXY=..." line
# would override the first.
proxy='Environment="HTTPS_PROXY='${proxy_ip}'"\
Environment="NO_PROXY=127.0.0.0/8,'${proxy_none_ip}'"'
DOCKER_CONF="/usr/lib/systemd/system/docker.service"
#DOCKER_CONF="docker.service"
if [ ! -e "$DOCKER_CONF" ]; then
    echo "INFO: $DOCKER_CONF not found"
    exit 2
fi
# Reload systemd and restart docker so the changed unit file takes effect
func_reload(){
    systemctl daemon-reload
    systemctl restart docker
    echo "INFO: docker reload finished!"
}
# Insert the proxy lines unless the unit file already contains proxy settings
func_proxy_on(){
    if grep -q PROXY "$DOCKER_CONF"; then
        echo "INFO: docker proxy may be on : "
        echo ""
        grep PROXY "$DOCKER_CONF"
        echo ""
    else
        echo "INFO: docker proxy on"
        sed -i "/^ExecStart=/i${proxy}" "$DOCKER_CONF"
        func_reload
    fi
}
# Delete every proxy line from the unit file
func_proxy_off(){
    if grep -q PROXY "$DOCKER_CONF"; then
        echo "INFO: docker proxy off"
        sed -i "/PROXY/d" "$DOCKER_CONF"
        func_reload
    else
        echo "INFO: docker proxy already off"
    fi
}
case $1 in
    on)
        func_proxy_on
        ;;
    off)
        func_proxy_off
        ;;
    *)
        echo "usage: $(basename "$0") {on|off}"
        exit 1
        ;;
esac
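In the script above, replace proxy_ip="http://192.168.246.1:1080" with your own proxy address, save it as dockersetproxy.sh, and add execute permission with chmod +x dockersetproxy.sh.
Then run kubectl apply -f https://...... (see the command above).
If the download succeeds, docker image ls should show the following: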
[root@master ~]# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
k8s.gcr.io/kube-proxy v1.12.3 ab97fa69b926 2 weeks ago 96.5 MB
k8s.gcr.io/kube-apiserver v1.12.3 6b54f7bebd72 2 weeks ago 194 MB
k8s.gcr.io/kube-controller-manager v1.12.3 c79022eb8bc9 2 weeks ago 164 MB
k8s.gcr.io/kube-scheduler v1.12.3 5e75513787b1 2 weeks ago 58.3 MB
k8s.gcr.io/etcd 3.2.24 3cab8e1b9802 2 months ago 220 MB
k8s.gcr.io/coredns 1.2.2 367cdc8433a4 3 months ago 39.2 MB
k8s.gcr.io/kubernetes-dashboard-amd64 v1.10.0 0dab2435c100 3 months ago 122 MB
quay.io/coreos/flannel v0.10.0-amd64 f0fad859c909 10 months ago 44.6 MB
k8s.gcr.io/pause 3.1 da86e6ba6ca1 11 months ago 742 kB
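k8s.gcr.io/kubernetes-dashboard-amd64 is the Docker image that was downloaded.
Once the download completes, the k8s dashboard should be up and running, but at this point we still cannot reach it.
2.2 Changing the service to NodePort to access the k8s dashboard
Tip: all the following operations take place in the kube-system namespace, so you can set an alias ksys=kubectl -n kube-system and then use ksys to work in that namespace.
Command: alias ksys='kubectl -n kube-system'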
[root@master ~]# alias ksys='kubectl -n kube-system'
[root@master ~]# ksys get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP 15d
kubernetes-dashboard ClusterIP 10.106.68.90 <none> 443/TCP 15s
[root@master ~]#
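As you can see, the kubernetes-dashboard service is internal to the cluster and cannot be accessed from outside. For convenience, we expose port 443 of kubernetes-dashboard through a NodePort.
Edit the service directly with ksys edit svc kubernetes-dashboard: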
[root@master ~]# ksys edit svc kubernetes-dashboard
Find the type field and change ClusterIP to NodePort:
spec:
  clusterIP: 10.106.68.90
  ports:
  - port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  sessionAffinity: None
  type: ClusterIP ## <------ change to NodePort
status:
  loadBalancer: {}
Save and exit with wq, then check the service again:
[root@master ~]# ksys get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP 15d
kubernetes-dashboard NodePort 10.106.68.90 <none> 443:32248/TCP 4m41s
[root@master ~]#
The NodePort is currently the randomly assigned 32248. Check the node's IP address with ifconfig; this node's IP is 192.168.246.200
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 0.0.0.0
ether 02:42:3a:a2:76:1f txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.246.200 netmask 255.255.255.0 broadcast 192.168.246.255
inet6 fe80::1d7c:9fdf:c738:7459 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:21:65:3b txqueuelen 1000 (Ethernet)
RX packets 10074 bytes 1051745 (1.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10716 bytes 7583211 (7.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Accessing it with Chrome, it turns out we cannot proceed, as shown below:

Accessing it with 360 Browser, it turns out the page cannot be reached at all

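Testing again with IE, QQ and other browsers, none of them could access it.
Testing with the curl command on a Windows machine confirms that the network and the port are reachable.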

Is there really no solution?
Testing with Firefox, we find that the certificate was issued in January of the year 0001

After adding an exception, it actually opened normally.

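Is that the end of it? After viewing the certificate in Firefox, I suspect the other browsers fail to open the page because the certificate has expired.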

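2.2 Fixing the expired certificate
2.2.1 First, generate a certificate
Generating a self-signed certificate with openssl is enough; the details are not repeated here. For reference: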
[root@master keys]# pwd
/root/keys
[root@master keys]# ls
[root@master keys]# openssl genrsa -out dashboard.key 2048
Generating RSA private key, 2048 bit long modulus
.+++
.................................................+++
e is 65537 (0x10001)
[root@master keys]# openssl req -new -out dashboard.csr -key dashboard.key -subj '/CN=192.168.246.200'
[root@master keys]# ls
dashboard.csr dashboard.key
[root@master keys]#
[root@master keys]# openssl x509 -req -in dashboard.csr -signkey dashboard.key -out dashboard.crt
Signature ok
subject=/CN=192.168.246.200
Getting Private key
[root@master keys]#
[root@master keys]# ls
dashboard.crt dashboard.csr dashboard.key
[root@master keys]#
[root@master keys]# openssl x509 -in dashboard.crt -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
f0:8a:26:aa:9f:24:bf:92
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=192.168.246.200
Validity
Not Before: Dec 13 08:10:36 2018 GMT
Not After : Jan 12 08:10:36 2019 GMT
Subject: CN=192.168.246.200
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
This gives us the certificate file dashboard.crt and the private key dashboard.key
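The openssl output above shows a Version 1 certificate that carries only a CN and is valid for 30 days (Dec 13 2018 to Jan 12 2019), while current browsers match the address against subjectAltName. The following is an added example, not part of the original post: it generates dashboard.key and dashboard.crt with a subjectAltName for the node IP and an explicit lifetime, then checks both properties. NODE_IP is the node address used on this page; DAYS, dashboard.cnf and the function names are assumptions.

```shell
#!/bin/bash
# Added example, not from the original post. NODE_IP is the node address used on
# this page; DAYS, dashboard.cnf and the function names are illustrative.
NODE_IP="${NODE_IP:-192.168.246.200}"
DAYS="${DAYS:-365}"

# make_dashboard_cert <dir>: write dashboard.key and dashboard.crt into <dir>
make_dashboard_cert() {
    local dir="$1"
    mkdir -p "$dir" || return 1
    # A config file (instead of -addext) also works with older OpenSSL 1.0.x
    cat > "$dir/dashboard.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = ${NODE_IP}
[v3]
subjectAltName = IP:${NODE_IP}
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # umask 077 in a subshell: the private key is readable by its owner only
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$DAYS" \
          -config "$dir/dashboard.cnf" \
          -keyout "$dir/dashboard.key" -out "$dir/dashboard.crt" ) 2>/dev/null
}

# check_dashboard_cert <crt>: return 0 only if the SAN covers NODE_IP and the
# certificate stays valid for at least 30 more days
check_dashboard_cert() {
    local crt="$1" text
    text=$(openssl x509 -in "$crt" -noout -text) || return 1
    if ! printf '%s\n' "$text" | grep -qF "IP Address:${NODE_IP}"; then
        echo "FAIL: no subjectAltName entry for ${NODE_IP}"; return 1
    fi
    if ! openssl x509 -in "$crt" -noout -checkend $((30 * 24 * 3600)) >/dev/null; then
        echo "FAIL: expires within 30 days"; return 1
    fi
    echo "OK: $(openssl x509 -in "$crt" -noout -enddate)"
}
```

Source the file, then run make_dashboard_cert /root/keys followed by check_dashboard_cert /root/keys/dashboard.crt; the output keeps the file names dashboard.crt and dashboard.key that the secret in 2.2.3 is built from.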
2.2.2 Download the yaml and modify it
wget https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
Download this configuration file:
# ------------------- Dashboard Secret ------------------- #
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque
---
.................... (a lot of content omitted)
    spec:
      containers:
      - name: kubernetes-dashboard
        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.0
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --auto-generate-certificates
          # Uncomment the following line to manually specify Kubernetes API server Host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          # - --apiserver-host=http://my-address:port
        volumeMounts:
        - name: kubernetes-dashboard-certs  # <----------- here the secret is mounted at the /certs directory
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
.......... (irrelevant content omitted)
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs  # <--- here the secret is turned into a volume
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
So we need to regenerate the secret and remove the Secret definition from this configuration file. Remove the following content from the configuration file:
# ------------------- Dashboard Secret ------------------- #
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque
---
In the configuration file you can also change the service to the NodePort type and fix the access port.
Before:
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
After:
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort
  ports:
    - port: 443
      nodePort: 30001
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
2.2.3 Create the secret
Create a secret with the same name:
The name is: kubernetes-dashboard-certs
[root@master keys]# ls
dashboard.crt dashboard.csr dashboard.key kubernetes-dashboard.yaml
[root@master keys]# ksys create secret generic kubernetes-dashboard-certs --from-file=dashboard.key --from-file=dashboard.crt
secret/kubernetes-dashboard-certs created
[root@master keys]#
[root@master keys]# ksys get secret | grep dashboard
kubernetes-dashboard-certs Opaque 2 25s
kubernetes-dashboard-key-holder Opaque 2 25h
[root@master keys]#
[root@master keys]# ksys describe secret kubernetes-dashboard-certs
Name: kubernetes-dashboard-certs
Namespace: kube-system
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
dashboard.crt: 993 bytes
dashboard.key: 1675 bytes
[root@master keys]#
As you can see, the secret has been created successfully.
2.2.4 Re-apply the yaml file
Apply the yaml file that was downloaded locally and modified, as shown below:
[root@master keys]# ls
dashboard.crt dashboard.csr dashboard.key kubernetes-dashboard.yaml
[root@master keys]#
[root@master keys]#
[root@master keys]# kubectl apply -f kubernetes-dashboard.yaml
serviceaccount/kubernetes-dashboard created
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
deployment.apps/kubernetes-dashboard created
service/kubernetes-dashboard created
[root@master keys]#
Check the service status:
[root@master keys]# ksys get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP 15d
kubernetes-dashboard NodePort 10.111.32.20 <none> 443:30001/TCP 2m14s
[root@master keys]#
Access it through the browser:


The certificate information is shown below:

Certificate information as shown in Firefox:

At this point, the k8s dashboard deployment is complete.