11、kubernetes之dashboard
一、准备dashboard使用的证书
# cd /etc/kubernetes/pki/
pki]# (umask 077; openssl genrsa -out dashboard.key 2048)
pki]# openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=dongfei/CN=dashboard"
pki]# openssl x509 -req -in dashboard.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dashboard.crt -days 365
pki]# kubectl create secret generic dashboard-cert -n kube-system --from-file=dashboard.crt=./dashboard.crt --from-file=dashboard.key=./dashboard.key
二、部署dashboard
# docker pull k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
# ------------------- Dashboard Secret ------------------- #
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-certs
namespace: kube-system
type: Opaque
---
# ------------------- Dashboard Service Account ------------------- #
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
---
# ------------------- Dashboard Role & Role Binding ------------------- #
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
rules:
# Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
# Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
verbs: ["get", "update", "delete"]
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"]
# Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster"]
verbs: ["proxy"]
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kube-system
---
# ------------------- Dashboard Deployment ------------------- #
kind: Deployment
apiVersion: apps/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: kubernetes-dashboard
template:
metadata:
labels:
k8s-app: kubernetes-dashboard
spec:
containers:
- name: kubernetes-dashboard
image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
ports:
- containerPort: 8443
protocol: TCP
args:
- --auto-generate-certificates
# Uncomment the following line to manually specify Kubernetes API server Host
# If not specified, Dashboard will attempt to auto discover the API server and connect
# to it. Uncomment only if the default does not work.
# - --apiserver-host=http://my-address:port
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
# Create on-disk volume to store exec logs
- mountPath: /tmp
name: tmp-volume
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 30
timeoutSeconds: 30
volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: kubernetes-dashboard-certs
- name: tmp-volume
emptyDir: {}
serviceAccountName: kubernetes-dashboard
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
---
# ------------------- Dashboard Service ------------------- #
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
ports:
- port: 443
targetPort: 8443
selector:
k8s-app: kubernetes-dashboard
# kubectl apply -f kubernetes-dashboard.yaml
# kubectl get pods -n kube-system
kubernetes-dashboard-7d75c474bb-xn784 1/1 Running 0 19s
- 修改svc服务的网络为NodePort,从而使集群外部可以访问
# kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system
# kubectl get svc -n kube-system
kubernetes-dashboard NodePort 10.110.42.26 <none> 443:30121/TCP 7m1s
三、使用token认证
# kubectl create serviceaccount dashboard-admin -n kube-system
# kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
# kubectl get secret -n kube-system |grep dashboard-admin
# kubectl describe secret dashboard-admin-token-5k7d7 -n kube-system
ca.crt: 1025 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tNWs3ZDciLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiYjU4MDM0NTUtYjVhNS00Mzg3LWIwYjktZTNlNGNmZGY0ZjQ4Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.YXGDW9nk-5idQUVc66-Utcsc8G_D9kX9bOnVw_cz0wujjYKxGAjMBAXQFmZcnlqBZoF4OdX2kXHmywrOI-Y346SE2632UVHGrwoxdvsYRFFlteRvUTyeTqvaogt0xeWmSmvLnxN5JSol-SDbx7v14RHsR-_BMKZdeXUk8EDAFUJIEy6SSYaViyCP19kg2pyjZkk3C4K0zhZhb5zRrVrWV55OPLsMUae8B-VzmVPQ0sI7xnffdLgC0Vo1tV8-QdVGPHyKD4I8k5mpPr7f83Laz97hlElj7j09RPjAzm-8fh6btM2SlV4ZHzPEmMfsvzh8x3d5OJU6ZZ-pczQRCtwp3g
将此token复制到页面的令牌认证页
四、使用kubeconfig认证
- 使用token做kubeconfig
# kubectl create serviceaccount def-ns-admin -n default
~]# kubectl get secret |grep def-ns-admin
def-ns-admin-token-m57kk kubernetes.io/service-account-token 3 10m
~]# DEF_NS_ADMIN_SECRET=$(kubectl get secret def-ns-admin-token-m57kk -o jsonpath={.data.token} |base64 -d)
~]# kubectl config set-credentials def-ns-admin --token=$DEF_NS_ADMIN_SECRET --kubeconfig=/root/def-ns-admin.conf
~]# kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin --kubeconfig=/root/def-ns-admin.conf
~]# kubectl config use-context def-ns-admin@kubernetes --kubeconfig=/root/def-ns-admin.conf
~]# kubectl config view --kubeconfig=/root/def-ns-admin.conf
- 使用证书做kubeconfig
# cd /etc/kubernetes/pki/
pki]# kubectl config set-cluster kubernetes --certificate-authority=./ca.crt --server="https://192.168.100.51:6443" --embed-certs=true --kubeconfig=/root/def-ns-admin.conf
11、kubernetes之dashboard的更多相关文章
- 一文吃透如何部署kubernetes之Dashboard
kubernetes Dashboard是什么? Dashboard是kubernetes的Web GUI,可用于在kubernetes集群上部署容器化应用,应用排错,管理集群本身及其附加的资源等,它 ...
- Helm 安装部署Kubernetes的dashboard
Kubernetes Dashboard 是 k8s集群的一个 WEB UI管理工具,代码托管在 github 上,地址:https://github.com/kubernetes/dashboard ...
- Kubernetes 配置管理 Dashboard(十三)
目录 一.安装配置 1.1 下载 镜像 1.2.安装 1.3.修改 NodePort 二.配置授权 Kubernetes 所有的操作我们都是通过命令行工具 kubectl 完成的.为了提供更丰富的用户 ...
- Kubernetes之dashboard
部署dashboard $ wget https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommen ...
- Kubernetes及Dashboard详细安装配置(Ubuntu14.04)
前些日子部门计划搞并行开发,需要对开发及测试环境进行隔离,所以打算用kubernetes对docker容器进行版本管理,搭建了下Kubernetes集群,过程如下: 本流程使用了阿里云加速器,配置流程 ...
- Kubernetes 学习11 kubernetes ingress及ingress controller
一.上集回顾 1.Service 3种模型:userspace,iptables,ipvs 2.Service类型 ClusterIP,NodePort NodePort:client -> N ...
- kubernetes安装dashboard步骤 【h】
本篇文章参考kubernetes---dashboardv1.8.3版本安装详细步骤及 kubernetes-dashboard(1.8.3)部署与踩坑这两篇文章,详细写了自己部署过程中的操作.遇到的 ...
- K8S从入门到放弃系列-(11)kubernetes集群网络Calico部署
摘要: 前面几个篇幅,已经介绍master与node节点集群组件部署,由于K8S本身不支持网络,当 node 全部启动后,由于网络组件(CNI)未安装会显示为 NotReady 状态,需要借助第三方网 ...
- kubernetes搭建dashboard报错
warningconfigmaps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard&qu ...
随机推荐
- Git复习(八)之快速理解Git结构
git pull:拉取远程服务器最新代码到本地(会自动merge) git add:将本地代码添加到暂存区 git commit:将暂存区的所有内容提交到当前分支(git会自动为我们创建第一个分支 ...
- springboot(十八)-session共享
前言 在传统的单服务架构中,一般来说,只有一个服务器,那么不存在 Session 共享问题,但是在分布式/集群项目中,Session 共享则是一个必须面对的问题,先看一个简单的架构图: 在这样的架构中 ...
- jquery简单实现表格隔行变色
小知识点:odd的过滤选择器大的使用 html代码: <table> <tr> <td>用户名</td> <td>年龄</td> ...
- 构建docker基本镜像
1.准备: 创建一个目录oldboy-hello 2.编写Dockerfile 内容如下,只有三行 FROM scratch ADD hello / CMD ["/hello"] ...
- Tensorflowlite移植ARM平台iMX6
一.LINUX环境下操作: 1.安装交叉编译SDK (仅针对该型号:i.MX6,不同芯片需要对应的交叉编译SDK) 编译方法参考:手动编译用于i.MX6系列的交叉编译SDK 2.下载Tensorflo ...
- PAT Basic 1093 字符串A+B (20 分)
给定两个字符串 A 和 B,本题要求你输出 A+B,即两个字符串的并集.要求先输出 A,再输出 B,但重复的字符必须被剔除. 输入格式: 输入在两行中分别给出 A 和 B,均为长度不超过 1的.由可见 ...
- pikachu-file
1.不安全的文件下载 1.1.概述 文件下载功能在很多web系统上都会出现,一般我们当点击下载链接,便会向后台发送一个下载请求,一般这个请求会包含一个需要下载的文件名称,后台在收到请求后 会开始执行下 ...
- Notepad++设置运行快捷键
python: 先按F5,之后将下面的命令保存,再设置快捷键. cmd /k c:\python27\python "$(FULL_CURRENT_PATH)" & PAU ...
- myleecode
目录 # myleecode 1.冒泡排序 2.快速排序 3.进度条打印 4.打印 九九乘法表 5.打印 金字塔 6.接雨滴 7.一行代码实现1-100个数相加 8.如何在不使用内置方法强制转换的情况 ...
- 如何让一个sprite绕一个点旋转,同时又可以实现指定旋转角度并慢慢停下的效果
如何让一个sprite绕一个点旋转,同时又可以实现指定旋转角度并慢慢停下的效果 首先列出sprite围绕一个点旋转的公式,这个可以自己推导,假设sprite的起始位置为(x1,y1),围绕旋转的中心点 ...