
Deploying the Dashboard on k8s

dessler · Juejin (掘金) · 2019-06-27 11:03

I. Preparation

1. Download the YAML file

wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml

2. Prepare the image

3. Analyze the YAML file

3.1 Dashboard Secret

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque

3.2 Dashboard Service Account

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system

3.3 Dashboard Role & Role Binding

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

3.4 Dashboard Deployment

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --auto-generate-certificates
          # Uncomment the following line to manually specify Kubernetes API server Host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          # - --apiserver-host=http://my-address:port
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule

3.5 Dashboard Service

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard

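IV. Modify the configuration file

4.1 The default access method is the cluster IP, which is not suitable for practical use, so change the access method first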

  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30001


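4.2 Because of a problem with the default certificate, the Dashboard can only be reached with Firefox. To make it usable from Chrome, the certificate must be regenerated; if you only use Firefox, you can skip this step

4.2.1 Delete the Dashboard Secret section

4.2.2 Regenerate the certificate, making sure to substitute your own IP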

[root@dev-api ca]# openssl req -new -out dashboard.csr -key dashboard.key -subj '/CN=192.168.246.200'
[root@dev-api ca]# ls
dashboard.csr  dashboard.key
[root@dev-api ca]# openssl x509 -req -in dashboard.csr -signkey dashboard.key -out dashboard.crt
Signature ok
subject=/CN=192.168.246.200
Getting Private key
You have new mail in /var/spool/mail/root
[root@dev-api ca]# ls
dashboard.crt  dashboard.csr  dashboard.key
[root@dev-api ca]# openssl x509 -in dashboard.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            b9:07:50:1a:19:79:36:6b
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=192.168.246.200
        Validity
            Not Before: Jun 27 09:00:51 2019 GMT
            Not After : Jul 27 09:00:51 2019 GMT
        Subject: CN=192.168.246.200
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
[root@dev-api ca]# ls
dashboard.crt  dashboard.csr  dashboard.key

4.2.3 Create your own secret

kubectl -n kube-system create secret generic kubernetes-dashboard-certs --from-file=dashboard.key --from-file=dashboard.crt
kubectl -n kube-system get secret |grep kubernetes-dashboard-certs
kubernetes-dashboard-certs                       Opaque                                2      88m
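
The certificate in the 4.2.2 transcript is X.509 v1 with only a CN and 30 days of validity, and the creation of dashboard.key is not shown. The following is an added example, not part of the original post: it generates the key and a self-signed v3 certificate that carries the IP in subjectAltName (the field Chrome matches against), then checks the result before the files go into the secret in 4.2.3. The function names and the 365-day default are assumptions of this example, and `-addext` needs OpenSSL 1.1.1 or later.

```shell
# Added example, not from the original post. Needs OpenSSL 1.1.1+ (-addext).

# make_dashboard_cert IP [DAYS] [DIR]
#   writes DIR/dashboard.key and DIR/dashboard.crt
make_dashboard_cert() {
  ip=$1; days=${2:-365}; dir=${3:-.}
  # 2048-bit RSA key (the size shown in the post), readable by the owner only.
  ( umask 077; openssl genrsa -out "$dir/dashboard.key" 2048 2>/dev/null ) || return 1
  # Self-signed X.509 v3 certificate: the IP is placed in subjectAltName
  # as well as in CN.
  openssl req -new -x509 -sha256 -days "$days" \
    -key "$dir/dashboard.key" -out "$dir/dashboard.crt" \
    -subj "/CN=$ip" -addext "subjectAltName=IP:$ip"
}

# cert_covers_ip CRT IP: succeeds only if the certificate's SAN lists IP
cert_covers_ip() {
  openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'
}

# cert_matches_key CRT KEY: succeeds only if both hold the same public key
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# cert_valid_for_days CRT N: succeeds only if CRT is still valid N days from now
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```

Run `make_dashboard_cert 192.168.246.200` in the directory used for 4.2.3, with your own IP; the certificate is still self-signed, so browsers warn until it is trusted explicitly.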


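4.3 Modify the default cluster role binding (RoleBinding)

Because the default permissions are very low, and this document is meant for test environments only, the highest privilege is granted here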

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
subjects:
  - kind: ServiceAccount
    # Must name the ServiceAccount from 3.2 that the Deployment runs as
    name: kubernetes-dashboard
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io


At this point the changes to the configuration file are complete
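
To see which ServiceAccounts a manifest grants cluster-admin before it is applied, the following added example (not part of the original post) scans a multi-document manifest for RoleBinding and ClusterRoleBinding objects whose roleRef is cluster-admin. The function names and the constructed sample manifest are this example's own, and the awk parser assumes block-style YAML like the manifests on this page.

```shell
# Added example; assumes block-style YAML as used on this page.
# list_cluster_admin_sas [FILE...]   (reads stdin when no FILE is given)
#   prints "<BindingKind>/<binding-name> -> <namespace>/<serviceaccount>"
list_cluster_admin_sas() {
  awk '
    function end_subject() {        # finish the subject list item being read
      if (skind == "ServiceAccount") subj[++n] = sns "/" sname
      skind = sname = sns = ""
    }
    function end_doc(   i) {        # finish one YAML document
      end_subject()
      if (kind ~ /^(Cluster)?RoleBinding$/ && role == "cluster-admin")
        for (i = 1; i <= n; i++) print kind "/" name " -> " subj[i]
      kind = name = role = sect = ""; n = 0
    }
    { sub(/[ \t]*#.*$/, "") }       # strip YAML comments
    /^---/      { end_doc(); next }
    /^[A-Za-z]/ { if (sect == "subjects") end_subject()
                  sect = $1; sub(/:.*/, "", sect) }
    /^kind:/    { kind = $2 }
    sect == "metadata" && $1 == "name:" { name = $2 }
    sect == "roleRef"  && $1 == "name:" { role = $2 }
    sect == "subjects" {
      if ($1 == "-") { end_subject(); $1 = ""; $0 = $0 }  # new list item
      if ($1 == "kind:")      skind = $2
      if ($1 == "name:")      sname = $2
      if ($1 == "namespace:") sns   = $2
    }
    END { end_doc() }
  ' "$@"
}

# Constructed sample: the 4.3 binding, bound to the ServiceAccount from 3.2.
sample_manifest() {
  cat <<'EOF'
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
EOF
}
```

Against a running cluster, `kubectl auth can-i '*' '*' --as=system:serviceaccount:kube-system:kubernetes-dashboard` answers the same question for the Dashboard's account.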

V. Solving the access token problem



