Kubernetes series: delivering the dashboard with Kubernetes
[Abstract] Deliver the dashboard with Kubernetes. This involves configuring ingress, nginx and an SSL certificate; the dashboard service is delivered from yaml files, and login to the dashboard is verified with a token.
- Harbor serves as the private image registry;
- Services already delivered into Kubernetes: coredns, Traefik (the software implementing the ingress controller) and ingress;
- One nginx serves as the traffic entry point: every request arrives there and is distributed by domain name to the Kubernetes ingress controller;
- Download the image and push it to the self-hosted Harbor
# Pull the image from the public registry
docker pull k8scn/kubernetes-dashboard-amd64:v1.8.3
# Give the image a new tag
## find the image id of the dashboard image
docker images | grep dashboard
## tag it (xxxxxxxxx is the image id found above)
docker tag xxxxxxxxx harbor.xxxx.com/public/dashboard:v1.8.3
# Push it to the self-hosted Harbor
docker push harbor.xxxx.com/public/dashboard:v1.8.3
- The yaml files needed to deliver the dashboard
dp.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: harbor.xxxxxx.com/public/dashboard:v1.8.3
        resources:
          limits:
            cpu: 100m
            memory: 300Mi
          requests:
            cpu: 50m
            memory: 100Mi
        ports:
        - containerPort: 8443
          protocol: TCP
        env:
        - name: ACCEPT_LANGUAGE
          value: english
          # The value "english" above pins the dashboard UI to English instead of Chinese.
        args:
        - --auto-generate-certificates
        # Uncomment the following line to manually specify Kubernetes API server Host
        # If not specified, Dashboard will attempt to auto discover the API server and connect
        # to it. Uncomment only if the default does not work.
        # - --apiserver-host=http://my-address:port
        volumeMounts:
        # - name: kubernetes-dashboard-certs
        #   mountPath: /certs
        # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      # This entry pairs with the commented-out volumeMounts entry above
      # - name: kubernetes-dashboard-certs
      #   secret:
      #     secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard-admin
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
      - key: "CriticalAddonsOnly"
        operator: "Exists"
      # - key: node-role.kubernetes.io/master
      #   effect: NoSchedule
svc.yaml
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: "Reconcile"
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
  - port: 443
    targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: dashboard.xxxxxx.com
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    addonmanager.kubernetes.io/mode: Reconcile
  name: kubernetes-dashboard-admin
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-admin
  # A ClusterRoleBinding is cluster-scoped, so this namespace field has no effect
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard-admin
    addonmanager.kubernetes.io/mode: Reconcile
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # cluster-admin gives this service account unrestricted control of the whole
  # cluster; anyone who obtains its token has exactly the same power
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard-admin
  namespace: kube-system
Deliver the dashboard service with the kubectl command
kubectl apply -f rbac.yaml -f dp.yaml -f svc.yaml -f ingress.yaml
# Check whether the delivery succeeded
# kubectl get pods -n kube-system -o wide
NAME                                   READY   STATUS    RESTARTS   AGE   IP           NODE      NOMINATED NODE   READINESS GATES
coredns-6b6c4f9648-hztdz               1/1     Running   0          25d   172.7.21.2   xxxxxxx   <none>           <none>
kubernetes-dashboard-64c88d6c7-wnw4n   1/1     Running   0          19h   172.7.22.6   xxxxxxx   <none>           <none>
traefik-ingress-nvjbz                  1/1     Running   0          25d   172.7.21.5   xxxxxxx   <none>           <none>
traefik-ingress-ssprm                  1/1     Running   0          25d   172.7.22.5   xxxxxxx   <none>           <none>
# The dashboard pod is in the Running state, which means the delivery succeeded; look up the other states yourself.
- Configure dashboard access in nginx
How the nginx main configuration file is written
# vim /etc/nginx/nginx.conf
user nginx;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
}
How the dashboard configuration file is written
# vim /etc/nginx/conf.d/dashboard.xxxx.com.conf
upstream default_backend_traefik {
    # Each entry is a node IP plus port 81 (where Traefik listens); every node must be listed
    server 10.4.7.21:81 max_fails=3 fail_timeout=10s;
    server 10.4.7.22:81 max_fails=3 fail_timeout=10s;   # second node (assumed IP; the original repeated 10.4.7.21)
}
server {
    listen 80;
    server_name dashboard.od.com;
    # Send every plain-HTTP request to HTTPS
    rewrite ^(.*)$ https://${server_name}$1 permanent;
}
server {
    listen 443 ssl;
    # server_name, the certificate CN and the ingress host must all be the same hostname
    server_name dashboard.od.com;
    # Relative paths resolve against the nginx prefix, i.e. /etc/nginx/certs/ with this layout
    ssl_certificate "certs/dashboard.xxxxxx.com.crt";
    ssl_certificate_key "certs/dashboard.xxxxxx.com.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        # TLS is terminated here; the hop to Traefik is plain HTTP on the node network
        proxy_pass http://default_backend_traefik;
        proxy_set_header Host $http_host;
        proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
    }
}
- Generate the dashboard's SSL certificate yourself
# Create the private key; the umask restricts the generated file's permissions to 600
(umask 077; openssl genrsa -out dashboard.xxxxxx.com.key 2048)
# Generate the certificate signing request
openssl req -new -key dashboard.xxxxxx.com.key -out dashboard.xxxxxx.com.csr -subj "/CN=dashboard.od.com/C=CN/ST=BJ/L=BeiJing/O=OldboyEdu/OU=OPS"
# Generate the certificate; CA here is the Kubernetes cluster's CA certificate and CAkey is the Kubernetes CA key
openssl x509 -req -in dashboard.xxxxxx.com.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out dashboard.xxxxxx.com.crt -days 3650
Put the generated crt and key files into the nginx certs directory that the configuration references
# The dashboard config points at certs/ relative to /etc/nginx, so the files go into /etc/nginx/certs/
mkdir -p /etc/nginx/certs
cp dashboard.xxxxxx.com.crt /etc/nginx/certs/
cp dashboard.xxxxxx.com.key /etc/nginx/certs/
- Check the nginx configuration and reload
nginx -t
nginx -s reload
- Visit dashboard.xxxxxx.com and see whether it works; if it does not, check the nginx logs first, then check the pod with kubectl
3. Configure the dashboard for token login
Accessing the dashboard requires logging in. Before 1.8.3 there was an option to skip login; from 1.10.1 on, login can no longer be skipped and is mandatory. Here we choose token login, so where do we find the token?
# List all secrets in the kube-system namespace
kubectl get secret -n kube-system
# In that listing, find the secret belonging to kubernetes-dashboard-admin; xxxxxxx in the next command stands for that secret's name
kubectl describe secret xxxxxxx -n kube-system
Part of the retrieved output is omitted here.....
ca.crt:     1346 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.<remainder of the token elided>
# The token above is the dashboard admin token we were looking for
On the login page, choose token authentication and enter the token found above; you are then logged in to the dashboard, and the UI is in English.
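Before pasting a token into the login page it pays to check which service account it belongs to and whether it ever expires, since with the cluster-admin binding above whoever holds that token has full control of the cluster. The following Python is an added example, not code from the article: it decodes a constructed sample token whose header is the one shown above (the claim names are those of legacy secret-backed service-account tokens, and the signature is not verified).

```python
import base64
import json


def _b64url_encode(raw: bytes) -> str:
    # JWT segments are base64url with the padding stripped
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding JWT strips, then decode
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Constructed sample: header as shown in the article ({"alg":"RS256","kid":""}),
# payload in the claim layout of a legacy secret-backed service-account token,
# dummy signature bytes. It is not valid for any cluster.
SAMPLE_PAYLOAD = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/secret.name": "kubernetes-dashboard-admin-token-xxxxx",
    "kubernetes.io/serviceaccount/service-account.name": "kubernetes-dashboard-admin",
    "sub": "system:serviceaccount:kube-system:kubernetes-dashboard-admin",
}
SAMPLE_TOKEN = ".".join([
    "eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9",
    _b64url_encode(json.dumps(SAMPLE_PAYLOAD, separators=(",", ":")).encode()),
    _b64url_encode(b"\x00" * 32),
])


def decode_sa_token(token: str) -> dict:
    # Split header.payload.signature and decode the first two. The signature is
    # NOT checked here; only the API server holding the signing key can verify it.
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    header, payload, _signature = segments
    return {"header": json.loads(_b64url_decode(header)),
            "payload": json.loads(_b64url_decode(payload))}


def describe_sa_token(token: str) -> dict:
    # The claims worth reading before pasting a token into the dashboard login
    claims = decode_sa_token(token)["payload"]
    return {
        "namespace": claims.get("kubernetes.io/serviceaccount/namespace"),
        "service_account": claims.get("kubernetes.io/serviceaccount/service-account.name"),
        # Legacy secret-backed tokens carry no "exp" claim: they never expire,
        # so a leaked copy stays valid until the secret itself is deleted.
        "expires": "exp" in claims,
    }
```

Run `describe_sa_token` on the real token copied from `kubectl describe secret` to confirm it names kubernetes-dashboard-admin in kube-system and to see that it has no expiry.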
[Copyright notice] This article is original content by a Huawei Cloud community user and may not be reproduced without permission; to reproduce it, contact the original author for authorization. If you find suspected plagiarism in this community, send an e-mail report with supporting evidence; once verified, the community will immediately remove the infringing content. Report mailbox: cloudbbs@huaweicloud.com