摘要
部署 Dashboard UI
1 $ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
创建用户
Dashboard 支持使用 Bearer 令牌登录。
创建用户
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 apiVersion: v1 kind: ServiceAccount metadata: name: admin-user namespace: kubernetes-dashboard --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: admin-user roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: admin-user namespace: kubernetes-dashboard
授权
这里创建一个 sa admin-user
和 ClusterRoleBinding admin-user
,利用 ClusterRoleBinding 赋予 sa 访问集群的 admin 权限
1 2 3 4 $ k apply -f dashboard-adminuser.yaml serviceaccount/admin-user created clusterrolebinding.rbac.authorization.k8s.io/admin-user created
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 $ kubectl -n kubernetes-dashboard create token admin-user eyJhbGciOiJSUzI1NiIsImtpZCI6IjgzMWNkMmM1YTE0YWYzZmYzZWU1MzQwYWIxZWRmNmRjN2Q3ZmI1NGQifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjIl0sImV4cCI6MTY4OTMwNjUyMSwiaWF0IjoxNjg5MzAyOTIxLCJpc3MiOiJodHRwczovL29pZGMuZWtzLnVzLXdlc3QtMi5hbCIsInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJhZG1pbi11c2VyIiwidWlkIjoiNDdiZGE0MmQtYTc3YS00NzUzLTg3NjItOTZmNmFmODA3ODI2In19LCJuYmYiOjE2ODkzMDI5MjEsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlcm5ldGVzLWRhc2hib2FyZDphZG1pbi11c2VyIn0.fELZiBXQfh2Mn0h8EHbb6BjDSCvHvB2cUDPenbwgMuKIE2NY-pHJdWA0ydZZYGM1aGg2TN0CHZQSMCEAyD3xqXzJF12dThlgVIAXWUWB_PK5_OQ9FSEHJuY2pSvnS0yhtRirbhJFzovYuxymFZjnZWuAJiPlt9k4DCp7rSIIZu89TRzwAlKh_SEnjCMaV4Fvy_Eq7eAxaXHPtatYLrz7vO12vZSA $ kubectl -n kubernetes-dashboard create token admin-user -o yaml apiVersion: authentication.k8s.io/v1 kind: TokenRequest metadata: creationTimestamp: "2023-07-07T02:48:41Z" name: admin-user namespace: kubernetes-dashboard spec: audiences: - https://kubernetes.default.svc boundObjectRef: null expirationSeconds: 3600 status: expirationTimestamp: "2023-07-07T03:48:41Z" token: eyJhbGciOiJSUzI1NiIsImtpZCI6IjgzMWNkMmM1YTE0YWYzZmYzZWU1MzQwYWIxZWRmNmRjN2Q3ZmI1NGQifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjIl0sImV4cCI6MTY4OTMwNjUyMSwiaWF0IjoxNjg5MzAyOTIxLCJpc3MiOiJodHRwczovL29pZGMuZWtzLnVzLXdlc3QtMi5hbCIsInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJhZG1pbi11c2VyIiwidWlkIjoiNDdiZGE0MmQtYTc3YS00NzUzLTg3NjItOTZmNmFmODA3ODI2In19LCJuYmYiOjE2ODkzMDI5MjEsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlcm5ldGVzLWRhc2hib2FyZDphZG1pbi11c2VyIn0.fELZiBXQfh2Mn0h8EHbb6BjDSCvHvB2cUDPenbwgMuKIE2NY-pHJdWA0ydZZYGM1aGg2TN0CHZQSMCEAyD3xqXzJF12dThlgVIAXWUWB_PK5_OQ9FSEHJuY2pSvnS0yhtRirbhJFzovYuxymFZjnZWuAJiPlt9k4DCp7rSIIZu89TRzwAlKh_SEnjCMaV4Fvy_Eq7eAxaXHPtatYLrz7vO12vZSA
访问Dashboard
1 2 3 4 $ kubectl get svc -n kubernetes-dashboard NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE dashboard-metrics-scraper ClusterIP 10.100.76.198 <none> 8000/TCP 12m kubernetes-dashboard ClusterIP 10.100.171.79 <none> 443/TCP 12m
这时我们有两种方法访问 Dashboard
把 Dashboard 映射到本地
利用 ingress 和 ALB 把外部请求转发到 Dashboard
把 Dashboard 映射到本地
利用 kubectl proxy
1 2 3 4 5 6 7 8 9 10 ~ kubectl proxy Starting to serve on 127.0.0.1:8001 ~ kubectl proxy --port 8888 Starting to serve on 127.0.0.1:8888 Ctrl+C
利用 kubectl port-forward
1 2 3 4 $ kubectl get ep -n kubernetes-dashboard NAME ENDPOINTS AGE dashboard-metrics-scraper 192.168.10.200:8000 5d4h kubernetes-dashboard 192.168.20.125:8443 5d4h
1 2 3 4 $ kubectl get deployment -n kubernetes-dashboard NAME READY UP-TO-DATE AVAILABLE AGE dashboard-metrics-scraper 1/1 1 1 5d4h kubernetes-dashboard 1/1 1 1 5d4h
1 2 3 $ kubectl port-forward deployment/kubernetes-dashboard -n kubernetes-dashboard 8888:8443 Forwarding from 127.0.0.1:8888 -> 8443 Forwarding from [::1]:8888 -> 8443
利用 ingress 和 ALB 把外部请求转发到 Dashboard
proxy,port-forward 可以把 apiserver 或者某个 deployment 映射到本地,这对调试一些应用来说很有用处。
不过,这两个都是前台命令,每次查看 Dashboard 都要先运行一下,使用起来确实不方便,下面介绍如何利用 ALB 访问 Dashboard。
前面我们已经介绍过创建基于LoadBalancer的service和ingress ,接下来我们就在此基础上完成后续的步骤。
创建ingress
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 apiVersion: networking.k8s.io/v1 kind: Ingress metadata: namespace: kubernetes-dashboard name: dashboard annotations: alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig":{ "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}' alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:743263909655:certificate/e2e3fa54-98ab-427a-9f09-4861122831323e alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]' alb.ingress.kubernetes.io/scheme: internet-facing alb.ingress.kubernetes.io/target-type: ip alb.ingress.kubernetes.io/backend-protocol: HTTPS spec: ingressClassName: alb rules: - host: dashboard.hanqunfeng.com http: paths: - path: / pathType: Prefix backend: service: name: ssl-redirect port: name: use-annotation - path: / pathType: Prefix backend: service: name: kubernetes-dashboard port: number: 443
1 Client sent an HTTP request to an HTTPS server.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 $ k apply -f dashboard-ingress.yaml ingress.networking.k8s.io/dashboard created $ k describe ing -n kubernetes-dashboard dashboard Name: dashboard Labels: <none> Namespace: kubernetes-dashboard Address: k8s-kubernet-dashboar-043481379b-1952890389.us-west-2.elb.amazonaws.com Ingress Class: alb Default backend: <default> Rules: Host Path Backends ---- ---- -------- dashboard.hanqunfeng.com / ssl-redirect:use-annotation (<error: endpoints "ssl-redirect" not found>) / kubernetes-dashboard:443 (192.168.20.125:8443) Annotations: alb.ingress.kubernetes.io/actions.ssl-redirect: {"Type" : "redirect" , "RedirectConfig" :{ "Protocol" : "HTTPS" , "Port" : "443" , "StatusCode" : "HTTP_301" }} alb.ingress.kubernetes.io/backend-protocol: HTTPS alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:743263909655:certificate/e2e3fa54-98ab-427a-9f09-4861122831323e alb.ingress.kubernetes.io/listen-ports: [{"HTTP" : 80}, {"HTTPS" :443}] alb.ingress.kubernetes.io/scheme: internet-facing alb.ingress.kubernetes.io/target-type: ip Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal SuccessfullyReconciled 9m16s ingress Successfully reconciled
清理帐号
1 2 3 $ kubectl -n kubernetes-dashboard delete serviceaccount admin-user $ kubectl -n kubernetes-dashboard delete clusterrolebinding admin-user
后记
这玩意就是查看资源方便一些,创建资源还是需要精通yaml。