AWS-EKS-12: Deploying the Dashboard UI

Summary

Deploying the Dashboard UI

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
  • Create a user

    • The Dashboard supports logging in with a bearer token, so we need a ServiceAccount whose token we can present at the login page.
    • Create the user:
# dashboard-adminuser.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
  • Authorization

    • This creates a ServiceAccount admin-user and a ClusterRoleBinding admin-user; the ClusterRoleBinding grants the ServiceAccount the built-in cluster-admin ClusterRole, which is unrestricted access to every resource in the cluster. Anyone who obtains a token for this ServiceAccount is a cluster administrator, so treat the token as a root credential, and for anything other than a lab cluster prefer a narrower role (the built-in view ClusterRole, or a RoleBinding scoped to one namespace).
# Grant admin privileges to the dashboard service account (k is an alias for kubectl)
$ k apply -f dashboard-adminuser.yaml
serviceaccount/admin-user created
clusterrolebinding.rbac.authorization.k8s.io/admin-user created
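As an added example (not from the original post), a least-privilege alternative to the cluster-admin binding above: a read-only dashboard user bound to the built-in view ClusterRole, plus a check that asks the API server what the service account may actually do before its token is handed to anyone. The service-account name dashboard-viewer is an assumption; the namespace kubernetes-dashboard is the one used on this page.

```shell
#!/bin/sh
# Added example: read-only Dashboard user and RBAC verification.
# Assumes the kubernetes-dashboard namespace from the page; the SA name is a parameter.

# Emit a ServiceAccount bound to the built-in "view" ClusterRole. "view" grants
# read access to most namespaced resources but deliberately excludes Secrets,
# so a leaked token cannot be used to read other credentials or escalate.
# Pipe the output into `kubectl apply -f -`.
dashboard_viewer_manifest() {
  sa="$1"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${sa}-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: kubernetes-dashboard
EOF
}

# Ask the API server what the service account may do, by impersonating it.
# Prints "yes" or "no"; exit status 0 means allowed. Your own identity needs
# impersonation rights (cluster-admin has them). Needs a live cluster.
sa_can_i() {
  # $1 = service account name, $2 = verb, $3 = resource
  kubectl auth can-i "$2" "$3" --all-namespaces \
    --as="system:serviceaccount:kubernetes-dashboard:$1"
}

# Usage (against a cluster):
#   dashboard_viewer_manifest dashboard-viewer | kubectl apply -f -
#   sa_can_i dashboard-viewer list pods           # yes
#   sa_can_i dashboard-viewer get secrets         # no: "view" excludes Secrets
#   sa_can_i dashboard-viewer delete deployments  # no
#   kubectl -n kubernetes-dashboard create token dashboard-viewer
```

The same sa_can_i check run against admin-user answers "yes" to everything, which is the quickest way to make the difference between the two bindings visible before deciding which token to put behind a login page.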
  • Obtain a login token
    Since Kubernetes 1.24 a ServiceAccount no longer gets an automatically generated, non-expiring Secret. Instead you request a token through the TokenRequest API; kubectl create token issues one that is valid for 3600 seconds by default (the --duration flag asks for a different lifetime, subject to the maximum the API server allows).

# Obtain the login token. It is a JWT: the header and payload are base64url-encoded JSON, so you can decode them locally. Do not paste a live cluster-admin token into a third-party site such as https://jwt.io; it is a bearer credential, and anyone who sees it can use it until it expires.
$ kubectl -n kubernetes-dashboard create token admin-user
eyJhbGciOiJSUzI1NiIsImtpZCI6IjgzMWNkMmM1YTE0YWYzZmYzZWU1MzQwYWIxZWRmNmRjN2Q3ZmI1NGQifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjIl0sImV4cCI6MTY4OTMwNjUyMSwiaWF0IjoxNjg5MzAyOTIxLCJpc3MiOiJodHRwczovL29pZGMuZWtzLnVzLXdlc3QtMi5hbCIsInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJhZG1pbi11c2VyIiwidWlkIjoiNDdiZGE0MmQtYTc3YS00NzUzLTg3NjItOTZmNmFmODA3ODI2In19LCJuYmYiOjE2ODkzMDI5MjEsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlcm5ldGVzLWRhc2hib2FyZDphZG1pbi11c2VyIn0.fELZiBXQfh2Mn0h8EHbb6BjDSCvHvB2cUDPenbwgMuKIE2NY-pHJdWA0ydZZYGM1aGg2TN0CHZQSMCEAyD3xqXzJF12dThlgVIAXWUWB_PK5_OQ9FSEHJuY2pSvnS0yhtRirbhJFzovYuxymFZjnZWuAJiPlt9k4DCp7rSIIZu89TRzwAlKh_SEnjCMaV4Fvy_Eq7eAxaXHPtatYLrz7vO12vZSA

# The token is valid for 3600 seconds; once it expires you have to request a new one and log in again, which is a bit inconvenient. Add -o yaml to see the expiry time.
$ kubectl -n kubernetes-dashboard create token admin-user -o yaml
apiVersion: authentication.k8s.io/v1
kind: TokenRequest
metadata:
  creationTimestamp: "2023-07-07T02:48:41Z"
  name: admin-user
  namespace: kubernetes-dashboard
spec:
  audiences:
  - https://kubernetes.default.svc
  boundObjectRef: null
  expirationSeconds: 3600
status:
  expirationTimestamp: "2023-07-07T03:48:41Z"
  token: eyJhbGciOiJSUzI1NiIsImtpZCI6IjgzMWNkMmM1YTE0YWYzZmYzZWU1MzQwYWIxZWRmNmRjN2Q3ZmI1NGQifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjIl0sImV4cCI6MTY4OTMwNjUyMSwiaWF0IjoxNjg5MzAyOTIxLCJpc3MiOiJodHRwczovL29pZGMuZWtzLnVzLXdlc3QtMi5hbCIsInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJhZG1pbi11c2VyIiwidWlkIjoiNDdiZGE0MmQtYTc3YS00NzUzLTg3NjItOTZmNmFmODA3ODI2In19LCJuYmYiOjE2ODkzMDI5MjEsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlcm5ldGVzLWRhc2hib2FyZDphZG1pbi11c2VyIn0.fELZiBXQfh2Mn0h8EHbb6BjDSCvHvB2cUDPenbwgMuKIE2NY-pHJdWA0ydZZYGM1aGg2TN0CHZQSMCEAyD3xqXzJF12dThlgVIAXWUWB_PK5_OQ9FSEHJuY2pSvnS0yhtRirbhJFzovYuxymFZjnZWuAJiPlt9k4DCp7rSIIZu89TRzwAlKh_SEnjCMaV4Fvy_Eq7eAxaXHPtatYLrz7vO12vZSA
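Added example (not from the original post): a small POSIX shell helper that decodes a service-account token locally and reports how long it has left, so a live credential never has to be pasted into a web decoder. SAMPLE_TOKEN is constructed inline with the same claim set as the token above; its issuer is a made-up EKS OIDC URL and its signature is filler, so it is not a real credential and would be rejected by any API server.

```shell
#!/bin/sh
# Added example: inspect a Kubernetes service-account JWT offline.
# A JWT is header.payload.signature, each part base64url-encoded without
# padding. The claims are readable by anyone holding the token; only
# verifying the signature needs the API server's public key.

# Base64url-decode segment $2 (1 = header, 2 = payload) of token $1,
# restoring the "=" padding that the JWT encoding strips.
jwt_segment() {
  seg=$(printf '%s' "$1" | cut -d. -f"$2" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}
jwt_header() { jwt_segment "$1" 1; }
jwt_claims() { jwt_segment "$1" 2; }

# Extract a numeric claim (exp, iat, nbf) from the payload without needing jq.
jwt_num_claim() {
  jwt_claims "$1" | grep -o "\"$2\":[0-9]*" | cut -d: -f2
}

# Seconds of validity left at epoch time $2 (default: now); prints 0 once expired.
jwt_seconds_left() {
  exp=$(jwt_num_claim "$1" exp)
  now=${2:-$(date +%s)}
  if [ -z "$exp" ]; then echo 0; return 1; fi
  left=$((exp - now))
  if [ "$left" -gt 0 ]; then echo "$left"; else echo 0; fi
}

# Constructed sample token (an assumption, not a real credential): same claims
# as the page's kubectl create token output, made-up issuer, filler signature.
b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
SAMPLE_TOKEN="$(b64url '{"alg":"RS256","kid":"demo"}').$(b64url '{"aud":["https://kubernetes.default.svc"],"exp":1689306521,"iat":1689302921,"iss":"https://oidc.eks.us-west-2.amazonaws.com/id/EXAMPLE","nbf":1689302921,"sub":"system:serviceaccount:kubernetes-dashboard:admin-user"}').c2lnbmF0dXJl"

# Usage with a live token (the --duration flag requests a longer lifetime):
#   TOKEN=$(kubectl -n kubernetes-dashboard create token admin-user --duration=8h)
#   jwt_claims "$TOKEN"; echo; jwt_seconds_left "$TOKEN"
```

The sub claim identifies the ServiceAccount and aud the intended audience; if a token turns up somewhere it should not be (a log, a ticket, a chat message), these two fields plus exp tell you immediately which binding it unlocks and for how long.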

Accessing the Dashboard

  • Look at the Dashboard's Services: both are of type ClusterIP, so the Dashboard is not reachable from outside the cluster.

$ kubectl get svc -n kubernetes-dashboard
NAME                        TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
dashboard-metrics-scraper   ClusterIP   10.100.76.198    <none>        8000/TCP   12m
kubernetes-dashboard        ClusterIP   10.100.171.79    <none>        443/TCP    12m
  • That leaves two ways to reach the Dashboard:

    • Map the Dashboard to the local machine
    • Use an Ingress and an ALB to forward external requests to the Dashboard

Mapping the Dashboard to the local machine

  • We can use either kubectl proxy or kubectl port-forward.

Using kubectl proxy

  • Start the proxy. It listens on 127.0.0.1 only and exposes the whole API server using the credentials of your current kubeconfig context, with no further authentication: any process on your machine that can reach the port can act as you. Stop it when you are done.

# Default port 8001
~ kubectl proxy
Starting to serve on 127.0.0.1:8001

# Specify a port
~ kubectl proxy --port 8888
Starting to serve on 127.0.0.1:8888

# Stop the proxy
Ctrl+C

  • With the proxy on the default port, the Dashboard is reached through the API server's service proxy at http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/ and you log in with the token obtained above.

Using kubectl port-forward

  • The kubectl proxy method above maps the entire API server to the local machine; here we map only the Dashboard Deployment (its Pod) to the local machine.

  • First we need the port the Pod listens on

$ kubectl get ep -n kubernetes-dashboard
NAME                        ENDPOINTS              AGE
dashboard-metrics-scraper   192.168.10.200:8000    5d4h
kubernetes-dashboard        192.168.20.125:8443    5d4h
  • Note: the ENDPOINTS of kubernetes-dashboard are the Pod's IP and port; the Pod listens on 8443.

  • Run the following command to get the name of the Dashboard Deployment

$ kubectl get deployment -n kubernetes-dashboard
NAME                        READY   UP-TO-DATE   AVAILABLE   AGE
dashboard-metrics-scraper   1/1     1            1           5d4h
kubernetes-dashboard        1/1     1            1           5d4h
  • Note: kubernetes-dashboard is the name of the Deployment

  • Start the local port mapping, here to local port 8888. Like kubectl proxy, port-forward binds to localhost only unless you pass --address, so nothing else on the network can reach it.

$ kubectl port-forward deployment/kubernetes-dashboard -n kubernetes-dashboard 8888:8443
Forwarding from 127.0.0.1:8888 -> 8443
Forwarding from [::1]:8888 -> 8443
  • It can then be reached at https://localhost:8888/#/login (the browser warns about the Dashboard's self-signed certificate).

  • When logging in, choose the Token option and enter the token obtained above. The token is valid for 3600 seconds; once it expires, request a new token and log in again.

Using an Ingress and an ALB to forward external requests to the Dashboard

  • proxy and port-forward map the API server or a particular Deployment to the local machine, which is very useful for debugging applications.

  • Both are foreground commands, though, so you have to start one every time you want to look at the Dashboard, which is genuinely inconvenient. Below is how to reach the Dashboard through an ALB instead. Keep in mind that this puts the login page for a cluster-admin token on the public internet; restrict who can reach the ALB (an internal scheme, or a source-CIDR allow list) rather than relying on the token alone.

  • We covered creating a LoadBalancer-type Service and an Ingress earlier in this series; the following steps build on that.

Create the Ingress

# dashboard-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: kubernetes-dashboard
  name: dashboard
  annotations:
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig":{ "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}' # redirect HTTP to HTTPS
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:743263909655:certificate/e2e3fa54-98ab-427a-9f09-4861122831323e # HTTPS certificate: the ARN of the certificate created earlier
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]' # listener ports
    alb.ingress.kubernetes.io/scheme: internet-facing # reachable from the internet
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/backend-protocol: HTTPS # protocol used to forward to the backend; the default is HTTP
spec:
  ingressClassName: alb # ingress class; the recommended form from k8s 1.18 on, older versions need the annotation kubernetes.io/ingress.class: alb
  rules:
  - host: dashboard.hanqunfeng.com # hostname; create a CNAME at your DNS provider pointing at the ELB hostname generated below
    http:
      paths:
      - path: / # redirect rule; required, otherwise the redirect does not happen
        pathType: Prefix
        backend:
          service:
            name: ssl-redirect
            port:
              name: use-annotation
      - path: /
        pathType: Prefix
        backend:
          service:
            name: kubernetes-dashboard
            port:
              number: 443

  • One thing to note: alb.ingress.kubernetes.io/backend-protocol: HTTPS must be set. It is the protocol the ALB uses to forward requests to the target, and the default is HTTP, but the Dashboard itself only accepts HTTPS, so HTTPS is specified here. Without it the ALB sends plain HTTP to the Pod's TLS port 8443, and opening the Dashboard in a browser later gives the following error:

Client sent an HTTP request to an HTTPS server.
# Deploy the ingress
$ k apply -f dashboard-ingress.yaml
ingress.networking.k8s.io/dashboard created

# Check the ingress status
$ k describe ing -n kubernetes-dashboard dashboard
Name:             dashboard
Labels:           <none>
Namespace:        kubernetes-dashboard
Address:          k8s-kubernet-dashboar-043481379b-1952890389.us-west-2.elb.amazonaws.com
Ingress Class:    alb
Default backend:  <default>
Rules:
  Host                      Path  Backends
  ----                      ----  --------
  dashboard.hanqunfeng.com
                            /     ssl-redirect:use-annotation (<error: endpoints "ssl-redirect" not found>)
                            /     kubernetes-dashboard:443 (192.168.20.125:8443)
Annotations:                alb.ingress.kubernetes.io/actions.ssl-redirect:
                              {"Type": "redirect", "RedirectConfig":{ "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}
                            alb.ingress.kubernetes.io/backend-protocol: HTTPS
                            alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:743263909655:certificate/e2e3fa54-98ab-427a-9f09-4861122831323e
                            alb.ingress.kubernetes.io/listen-ports: [{"HTTP": 80}, {"HTTPS":443}]
                            alb.ingress.kubernetes.io/scheme: internet-facing
                            alb.ingress.kubernetes.io/target-type: ip
Events:
  Type    Reason                  Age    From     Message
  ----    ------                  ----   ----     -------
  Normal  SuccessfullyReconciled  9m16s  ingress  Successfully reconciled

  • The line <error: endpoints "ssl-redirect" not found> is expected: ssl-redirect is not a Service but an action defined by the actions.ssl-redirect annotation, which kubectl describe cannot resolve to Endpoints. The controller resolves it, as the SuccessfullyReconciled event shows. Once DNS for dashboard.hanqunfeng.com points at the Address above, https://dashboard.hanqunfeng.com/ opens the Dashboard login page and plain http:// requests are redirected to it.
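Added example (not from the original post): a check for the exposure pattern in the Ingress above, plus a hardened annotation set. The page's Ingress is internet-facing with no source restriction, so the only thing between the internet and a cluster-admin session is the bearer token. The AWS Load Balancer Controller supports alb.ingress.kubernetes.io/inbound-cidrs (an allow list applied to the ALB's security group) and alb.ingress.kubernetes.io/scheme: internal for VPC-only access; it also supports alb.ingress.kubernetes.io/ssl-redirect: '443' (controller v2.2.0 and later), which replaces the actions.ssl-redirect JSON and the extra use-annotation path above. The CIDR 203.0.113.0/24 and the certificate ARN used in the usage comment and the test are placeholders.

```shell
#!/bin/sh
# Added example: refuse to ship a Dashboard Ingress that is reachable from the
# whole internet, and emit a hardened annotation block instead.

# Exit 0 (true) if the Ingress manifest on stdin is internet-facing and has no
# inbound-cidrs allow list; exit 1 otherwise. Usable as a CI gate:
#   ingress_is_open_to_internet < dashboard-ingress.yaml && exit 1
ingress_is_open_to_internet() {
  m=$(cat)
  printf '%s\n' "$m" | grep -q 'alb.ingress.kubernetes.io/scheme:[[:space:]]*internet-facing' || return 1
  printf '%s\n' "$m" | grep -q 'alb.ingress.kubernetes.io/inbound-cidrs:' && return 1
  return 0
}

# Hardened annotations for the Dashboard Ingress.
#   $1 = comma-separated CIDRs allowed to reach the ALB (e.g. the office egress range)
#   $2 = ACM certificate ARN
# The controller-native ssl-redirect annotation replaces the actions.ssl-redirect
# JSON and the extra "ssl-redirect" path; listen-ports must still include 443.
# For VPC-only access, replace the scheme line with "scheme: internal" instead.
dashboard_ingress_annotations() {
  cat <<EOF
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/inbound-cidrs: $1
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    alb.ingress.kubernetes.io/certificate-arn: $2
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
EOF
}

# Constructed sample: the exposure-relevant annotations of the page's manifest.
PAGE_ANNOTATIONS='    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/backend-protocol: HTTPS'

# Usage: splice the output under metadata.annotations in dashboard-ingress.yaml,
# delete the ssl-redirect path from spec.rules, then gate on the check:
#   dashboard_ingress_annotations 203.0.113.0/24 "$CERT_ARN" | ingress_is_open_to_internet && echo "still open"
```

The check is deliberately simple string matching on the manifest, which is enough to catch the page's configuration; the inbound-cidrs allow list is enforced by the ALB's security group, so it holds even if someone later removes the token login from the Dashboard.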

Cleaning up the account

# Delete the admin ServiceAccount and the ClusterRoleBinding. A ClusterRoleBinding is cluster-scoped, so it takes no namespace. Deleting the ServiceAccount also invalidates any tokens already issued for it, because the API server checks that the referenced ServiceAccount still exists when it validates a token; deleting only the binding leaves the token valid but without permissions.
$ kubectl -n kubernetes-dashboard delete serviceaccount admin-user
$ kubectl delete clusterrolebinding admin-user

Afterword

This thing mainly makes it a bit more convenient to look at resources; to create resources you still need to be proficient in YAML.