Kubernetes series: deploying the dashboard on Kubernetes

郁唯xiaolin, published on 2021/02/25 16:45:17

[Abstract] Deploying the dashboard on Kubernetes, covering the Ingress, nginx and SSL certificate configuration. The dashboard service is deployed from YAML files, and login to the dashboard is by token.

1. Environment and prerequisites

  • Harbor as the private image registry;

  • Services already deployed in the Kubernetes cluster: CoreDNS, Traefik (the software implementing the Ingress controller) and the Ingress resources;

  • One nginx host as the traffic entry point: every incoming request is routed by hostname to the Kubernetes Ingress controller;

2. Deploying kubernetes-dashboard

  1. Download the image and push it to the self-hosted Harbor

    # pull the image from the public registry
    docker pull k8scn/kubernetes-dashboard-amd64:v1.8.3

    # re-tag the image for the private registry
    ## find the dashboard image's ID
    docker images | grep dashboard
    ## tag it (xxxxxxxxx is the IMAGE ID shown by the previous command)
    docker tag xxxxxxxxx harbor.xxxx.com/public/dashboard:v1.8.3

    # push it to the self-hosted Harbor
    docker push harbor.xxxx.com/public/dashboard:v1.8.3


  2. The YAML files needed to deploy the dashboard

    dp.yaml

    kind: Deployment
    apiVersion: apps/v1
    metadata:
      name: kubernetes-dashboard
      namespace: kube-system
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      replicas: 1
      revisionHistoryLimit: 10
      selector:
        matchLabels:
          k8s-app: kubernetes-dashboard
      template:
        metadata:
          labels:
            k8s-app: kubernetes-dashboard
        spec:
          containers:
          - name: kubernetes-dashboard
            image: harbor.xxxxxx.com/public/dashboard:v1.8.3
            resources:
              limits:
                cpu: 100m
                memory: 300Mi
              requests:
                cpu: 50m
                memory: 100Mi
            ports:
            - containerPort: 8443
              protocol: TCP
            env:
            - name: ACCEPT_LANGUAGE
              value: english
              # the value english above forces the dashboard UI to English instead of Chinese
            args:
              - --auto-generate-certificates
              # Uncomment the following line to manually specify Kubernetes API server Host
              # If not specified, Dashboard will attempt to auto discover the API server and connect
              # to it. Uncomment only if the default does not work.
              # - --apiserver-host=http://my-address:port
            volumeMounts:
            # - name: kubernetes-dashboard-certs
            #   mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
            livenessProbe:
              httpGet:
                scheme: HTTPS
                path: /
                port: 8443
              initialDelaySeconds: 30
              timeoutSeconds: 30
          volumes:
          # this volume corresponds to the commented-out entry under volumeMounts above
          # - name: kubernetes-dashboard-certs
          #   secret:
          #     secretName: kubernetes-dashboard-certs
          - name: tmp-volume
            emptyDir: {}
          serviceAccountName: kubernetes-dashboard-admin
          # Comment the following tolerations if Dashboard must not be deployed on master
          tolerations:
          - key: "CriticalAddonsOnly"
            operator: "Exists"
          # - key: node-role.kubernetes.io/master
          #   effect: NoSchedule

    svc.yaml

    kind: Service
    apiVersion: v1
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
        kubernetes.io/cluster-service: "true"
        addonmanager.kubernetes.io/mode: "Reconcile"
      name: kubernetes-dashboard
      namespace: kube-system
    spec:
      ports:
        - port: 443
          targetPort: 8443
      selector:
        k8s-app: kubernetes-dashboard

    ingress.yaml

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: kubernetes-dashboard
      namespace: kube-system
      annotations:
        kubernetes.io/ingress.class: traefik
    spec:
      rules:
      - host: dashboard.xxxxxx.com
        http:
          paths:
          - path: /
            backend:
              serviceName: kubernetes-dashboard
              servicePort: 443

    rbac.yaml

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
        addonmanager.kubernetes.io/mode: Reconcile
      name: kubernetes-dashboard-admin
      namespace: kube-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: kubernetes-dashboard-admin
      # a ClusterRoleBinding is cluster-scoped, so it takes no namespace
      labels:
        k8s-app: kubernetes-dashboard-admin
        addonmanager.kubernetes.io/mode: Reconcile
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: kubernetes-dashboard-admin
      namespace: kube-system


    Deploy the dashboard with kubectl (rbac.yaml first, because the Deployment references the service account it creates)

    kubectl apply -f rbac.yaml -f dp.yaml -f svc.yaml -f ingress.yaml

    # check that the deployment succeeded
    # kubectl get pods -n kube-system  -o wide
    NAME                                   READY   STATUS    RESTARTS   AGE   IP           NODE                NOMINATED NODE   READINESS GATES
    coredns-6b6c4f9648-hztdz               1/1     Running   0          25d   172.7.21.2   xxxxxxx   <none>           <none>
    kubernetes-dashboard-64c88d6c7-wnw4n   1/1     Running   0          19h   172.7.22.6   xxxxxxx   <none>           <none>
    traefik-ingress-nvjbz                  1/1     Running   0          25d   172.7.21.5   xxxxxxx  <none>           <none>
    traefik-ingress-ssprm                  1/1     Running   0          25d   172.7.22.5   xxxxxxx   <none>           <none>
    # the dashboard pod is Running, which means the deployment succeeded; for any other status, go and Baidu it.


  3. Configure dashboard access in nginx

    The main nginx configuration file

    # vim /etc/nginx/nginx.conf
    user  nginx;
    worker_processes  1;

    error_log  /var/log/nginx/error.log warn;
    pid        /var/run/nginx.pid;


    events {
        worker_connections  1024;
    }

    http {
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';

        access_log  /var/log/nginx/access.log  main;

        sendfile            on;
        tcp_nopush          on;
        tcp_nodelay         on;
        keepalive_timeout   65;
        types_hash_max_size 2048;

        include             /etc/nginx/mime.types;
        default_type        application/octet-stream;

        # Load modular configuration files from the /etc/nginx/conf.d directory.
        # See http://nginx.org/en/docs/ngx_core_module.html#include
        # for more information.
        include /etc/nginx/conf.d/*.conf;
    }


    The dashboard site configuration file

    # vim /etc/nginx/conf.d/dashboard.xxxx.com.conf
    upstream default_backend_traefik {
        # node IP + port 81, where the Traefik ingress controller receives traffic; every node must be listed
        server 10.4.7.21:81    max_fails=3 fail_timeout=10s;
        server 10.4.7.xx:81    max_fails=3 fail_timeout=10s;    # the next node's IP, one line per node
    }
    server {
        listen 80;
        server_name dashboard.od.com;
        # plain HTTP is redirected permanently to HTTPS
        rewrite ^(.*)$ https://${server_name}$1 permanent;
    }
    server {
        listen 443 ssl;
        server_name dashboard.od.com;

        # relative paths resolve against the nginx prefix, i.e. /etc/nginx/certs/
        ssl_certificate      "certs/dashboard.xxxxxx.com.crt";
        ssl_certificate_key  "certs/dashboard.xxxxxx.com.key";

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            # TLS terminates here; Traefik routes on the Host header, so it is passed through unchanged
            proxy_pass http://default_backend_traefik;
            proxy_set_header Host $http_host;
            proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
        }

    }


  4. Generate the dashboard's SSL certificate yourself

    # create the private key; the umask makes the generated file mode 600
    (umask 077; openssl genrsa -out dashboard.xxxxxx.com.key 2048)
    # create the certificate signing request
    openssl req -new -key dashboard.xxxxxx.com.key -out dashboard.xxxxxx.com.csr -subj "/CN=dashboard.od.com/C=CN/ST=BJ/L=BeiJing/O=OldboyEdu/OU=OPS"
    # issue the certificate; ca.pem is the Kubernetes cluster's CA certificate and ca-key.pem its key
    # (if the API server trusts this same CA for client certificates, anything it signs can also
    #  authenticate to the API server, so guard the new key like a cluster credential)
    openssl x509 -req -in dashboard.xxxxxx.com.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out dashboard.xxxxxx.com.crt -days 3650

    Copy the generated crt and key files into the nginx directory the site config references (ssl_certificate "certs/..." is relative to the prefix /etc/nginx)

    mkdir -p /etc/nginx/certs
    cp dashboard.xxxxxx.com.crt /etc/nginx/certs/
    cp dashboard.xxxxxx.com.key /etc/nginx/certs/


  5. Check the nginx configuration and reload it

    nginx -t

    nginx -s reload

  6. Browse to dashboard.xxxxxx.com and check that it works; if it does not, look at the nginx logs first, then at the pod with kubectl
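The rbac.yaml in step 2 binds the dashboard's service account to the built-in cluster-admin ClusterRole, which is what turns the login token of the next section into a full-control credential. The audit script below is an added example, not code from the original post or from the dashboard project: it walks RBAC manifests, represented as Python dicts of the shape `yaml.safe_load()` or `kubectl get ... -o json` would produce, and reports every ServiceAccount that a ClusterRoleBinding ties to cluster-admin. The read-only variant bound to the built-in `view` ClusterRole is a constructed alternative for comparison; whether every dashboard screen is usable with `view` is an assumption this script does not check.

```python
"""Audit RBAC manifests for service accounts bound cluster-wide to cluster-admin.

Added example, not code from the original post. Manifests are embedded as
Python dicts (the structure yaml.safe_load() returns) so this runs with the
standard library only; READONLY_RBAC is a constructed alternative, not
something the post deploys.
"""
import json
import sys

# rbac.yaml from the post, as dicts.
DASHBOARD_RBAC = [
    {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {"name": "kubernetes-dashboard-admin", "namespace": "kube-system"},
    },
    {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "kubernetes-dashboard-admin"},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
        "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard-admin", "namespace": "kube-system"}],
    },
]

# Constructed alternative (assumption): the same account bound to the built-in
# read-only "view" ClusterRole instead of cluster-admin.
READONLY_RBAC = [
    DASHBOARD_RBAC[0],
    {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "kubernetes-dashboard-view"},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "view"},
        "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard-admin", "namespace": "kube-system"}],
    },
]

# ClusterRoles whose cluster-wide grant to a service account is reported as a finding.
HIGH_PRIVILEGE_ROLES = frozenset({"cluster-admin"})


def iter_objects(doc):
    """Yield Kubernetes objects from a plain list or from a kubectl 'List' object."""
    if isinstance(doc, dict) and doc.get("kind") == "List":
        doc = doc.get("items", [])
    for obj in doc:
        yield obj


def find_privileged_service_accounts(doc, roles=HIGH_PRIVILEGE_ROLES):
    """Return one finding per ServiceAccount that a ClusterRoleBinding ties to a role in `roles`.

    Only ClusterRoleBindings count: a RoleBinding that references cluster-admin
    grants it inside a single namespace, which is a different (smaller) risk.
    """
    findings = []
    for obj in iter_objects(doc):
        if obj.get("kind") != "ClusterRoleBinding":
            continue
        role_ref = obj.get("roleRef", {})
        if role_ref.get("kind") != "ClusterRole" or role_ref.get("name") not in roles:
            continue
        binding = obj.get("metadata", {}).get("name", "<unnamed>")
        for subject in obj.get("subjects", []):
            if subject.get("kind") != "ServiceAccount":
                continue
            # namespace is required for ServiceAccount subjects; tolerate its absence anyway
            ns = subject.get("namespace", "default")
            findings.append(f"{ns}/{subject['name']} -> {role_ref['name']} via ClusterRoleBinding {binding}")
    return findings


if __name__ == "__main__":
    # Audit a live cluster:  kubectl get clusterrolebindings -o json | python3 rbac_audit.py
    # or, with no piped input, the embedded manifests from the post.
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else DASHBOARD_RBAC
    for finding in find_privileged_service_accounts(doc):
        print("FINDING:", finding)
```

The file name rbac_audit.py is assumed. The post's manifests yield exactly one finding, for kube-system/kubernetes-dashboard-admin; a deployment that only needs read-only browsing and uses the `view` binding yields none.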

3. Configure token login for the dashboard

Opening the dashboard requires logging in. Before 1.8.3 there was an option to skip login; from 1.10.1 onward login can no longer be skipped and is mandatory, so here we log in with a token. Where is the token found?

# list all secrets in the kube-system namespace
kubectl get secret -n kube-system
# in that output, find the token secret of the kubernetes-dashboard-admin service account;
# xxxxxxx in the next command stands for that secret's name
kubectl describe secret xxxxxxx -n kube-system
(part of the output omitted) .....
ca.crt:     1346 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.<payload omitted>.utqbmIYOtgNxiZPo_sq_F1pXPt307laFkuRh0NR13YybP1wuiW4VK0lhXH2X1vnvrNBlcjKqgw_she0TA0gOUKO2v-HY7pLrsjnsYfNNdGz3VgxQxe5zkh97G65mcQi80UlK-57t-RtKAC7mWIqfNEo1zC2r_7sGzkCFqX9GKvlj0z5Oyw1iY95nNyUfZEKCoGndnN5QApnyLKtK0WW9r0jjb1iI7dR58P1g9fWxvPMkvYvvpy03v4IlQXZYO5CO8RFMiDDH2Mcnm5BTVQYn--H9fqhy-ArENfVWO9f3hohh23DGueFH0Q-ZvX-KvLjIuWX3HNZ6CISZnMBCrgJFFQ
# the token above is the dashboard admin token we are looking for

On the login page choose token authentication and enter the token found above; this logs you in to the dashboard, with the UI in English.
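The token pasted into the login page is a JSON Web Token issued for the kubernetes-dashboard-admin service account. Its first segment, shown above as eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9, is the header and decodes to {"alg":"RS256","kid":""}; the middle segment carries the claims that say which account the token belongs to. The script below is an added example, not code from the original post: it decodes such a token without verifying it, using a token constructed here with the claim names of the legacy secret-based service-account tokens and a fake signature. The secret name and uid inside it are made up.

```python
"""Inspect a Kubernetes service-account token (a JWT) before handing it to the dashboard.

Added example, not code from the original post. SAMPLE_TOKEN is constructed
below (fake signature, made-up secret name and uid); nothing is verified,
only decoded.
"""
import base64
import json

# First segment of the token shown in the post: the JWT header.
PAGE_TOKEN_HEADER = "eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9"


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    """Inverse of b64url_decode, used only to build the constructed sample."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> dict:
    """Return {'header': ..., 'payload': ...} WITHOUT checking the signature.

    Verification needs the API server's service-account public key; for
    working out what a token found in a secret identifies, the claims suffice.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated segments")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
    }


def describe_service_account_token(token: str) -> dict:
    """Extract the claims an operator cares about: which account, and whether it expires."""
    claims = decode_jwt_unverified(token)["payload"]
    sa = "kubernetes.io/serviceaccount/"
    return {
        "issuer": claims.get("iss"),
        "namespace": claims.get(sa + "namespace"),
        "service_account": claims.get(sa + "service-account.name"),
        "secret": claims.get(sa + "secret.name"),
        "subject": claims.get("sub"),
        # legacy secret-based tokens carry no 'exp': they stay valid until the secret is deleted
        "expires": claims.get("exp"),
    }


def _constructed_token() -> str:
    """Build a sample with the legacy claim layout; the signature is deliberately not valid."""
    header = {"alg": "RS256", "kid": ""}
    payload = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "kube-system",
        "kubernetes.io/serviceaccount/secret.name": "kubernetes-dashboard-admin-token-xxxxx",  # constructed
        "kubernetes.io/serviceaccount/service-account.name": "kubernetes-dashboard-admin",
        "kubernetes.io/serviceaccount/service-account.uid": "00000000-0000-0000-0000-000000000000",  # constructed
        "sub": "system:serviceaccount:kube-system:kubernetes-dashboard-admin",
    }
    compact = {"separators": (",", ":")}
    return ".".join([
        b64url_encode(json.dumps(header, **compact).encode()),
        b64url_encode(json.dumps(payload, **compact).encode()),
        b64url_encode(b"constructed signature, not valid"),
    ])


SAMPLE_TOKEN = _constructed_token()

if __name__ == "__main__":
    print(json.dumps(describe_service_account_token(SAMPLE_TOKEN), indent=2))
```

Two things the decoded claims make visible. The `sub` claim names the very account that rbac.yaml bound to cluster-admin, so what is pasted into the login page is a full-control credential. And a legacy secret-based token has no `exp`, so the only way to revoke it is to delete the secret (clusters of that era then issue a fresh one); restricting who may read secrets in kube-system matters as much as the TLS in front of the dashboard.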


That completes the dashboard deployment.

[Copyright notice] This article is original content by a Huawei Cloud community user and may not be reproduced without permission; to reproduce it, contact the original author for authorization. If you find content in this community that appears to be plagiarised, please report it by e-mail with supporting evidence; once verified, the community will remove the infringing content immediately. Report e-mail: cloudbbs@huaweicloud.com