kubernetes-dashboard-2.0.3

1. 部署dashboard

文档:https://www.jianshu.com/p/40c0405811ee

github地址: https://github.com/kubernetes/dashboard/blob/master/aio/deploy/recommended.yaml


1.1 下载部署文件recommended.yaml 并将镜像的地址改为本地镜像的地址

wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.3/aio/deploy/recommended.yaml

1.2 下载镜像

docker pull kubernetesui/dashboard:v2.0.3
docker tag kubernetesui/dashboard:v2.0.3 harbor.od.com/k8s/dashboard:v2.0.3
docker push harbor.od.com/k8s/dashboard:v2.0.3

docker pull kubernetesui/metrics-scraper:v1.0.4
docker tag kubernetesui/metrics-scraper:v1.0.4 harbor.od.com/k8s/metrics-scraper:v1.0.4
docker push harbor.od.com/k8s/metrics-scraper:v1.0.4

1.3 修改yaml文件

  • 注释掉Dashboard Secret ,不然后面访问显示网页不安全,证书过期,我们自己生成证书


  • 将镜像修改为镜像仓库地址


  • 添加ingress配置
---
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: kubernetes-dashboard-ingress
  namespace: kubernetes-dashboard
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
spec:
  rules:
    - host: k8s-dashboard.paic.com.cn
      http:
        paths: 
          - path: /
            backend:
              serviceName: kubernetes-dashboard
              servicePort: 443

  • 生成新的secret

    这里的secret必须在kubernetes-dashboard 名称空间生成, 否则dashboard会起不来, dashboard是启动在kubernetes-dashboard 这个名称空间, 所以secret 也必须在这个空间生成

mkdir key && cd key
openssl genrsa -out dashboard.key 2048
openssl req -new -out dashboard.csr -key dashboard.key -subj '/CN=192.168.31.10'
openssl x509 -req -in dashboard.csr -signkey dashboard.key -out dashboard.crt
kubectl create secret generic kubernetes-dashboard-certs --from-file=dashboard.key --from-file=dashboard.crt -n kubernetes-dashboard

  • 部署dashboard
kubectl apply -f recommended.yaml

1.4 设置权限文件

  • admin-user.yaml
CopyapiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
  • admin-user-role-binding.yaml
CopyapiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system

  • 部署权限文件
kubectl create -f admin-user.yaml 
kubectl create -f admin-user-role-binding.yaml

1.5 访问dashboard

  • 设置本地dns解析

    因为dashboard是跑在ingress上, 域名所对应的ip设置成ingress-controller 所在的ip地址

kubectl get all -n ingress-nginx -owide


  • 本地配置dns (C:\Windows\System32\drivers\etc\hosts)
192.168.31.40 k8s-dashboard.paic.com.cn

  • 访问 k8s-dashboard.paic.com.cn


  • master 上查看token
kubectl describe secret `kubectl get secret -n kube-system |grep admin |awk '{print $1}'` -n kube-system |grep ^token|awk '{print $2}'


2. dashboard 分权

根据名称空间访问相关资源, 下面的例子是ingress-nginx 和 kubernetes-dashboard的rbac部署文件,

ingress-nginx这里的secret只能在ingress-nginx 这个名称空间访问

kubernetes-dashboard 这里的secret只能在 kubernetes-dashboard 这个名称空间访问

mkdir dashboard-access-sa
cd dashboard-access-sa

2.1 编写部署文件

access-sa.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress-nginx-sa
  namespace: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubernetes-dashboard-sa
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-readonly
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: namespace-readonly
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-sa
    namespace: ingress-nginx
    apiGroup: ""
  - kind: ServiceAccount
    name: kubernetes-dashboard-sa
    namespace: kubernetes-dashboard
    apiGroup: ""
roleRef:
  kind: ClusterRole
  name: namespace-readonly
  apiGroup: ""
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: non-admin-user
rules:
  - apiGroups: ["", "extensions", "apps", "batch"]
    resources: ["replicasets", "pods", "configmaps", "pods/log", 'daemonsets', "jobs", "cronjobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["", "extensions", "apps"]
    resources: ["deployments","services", "replicationcontrollers", "secrets", "serviceaccounts", "statefulsets", "ingresses", "persistentvolumeclaims", "events"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-nginx-sa-rolebinding
  namespace: ingress-nginx
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-sa
    namespace: ingress-nginx
roleRef:
  kind: ClusterRole
  name: non-admin-user
  apiGroup: ""
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-sa-rolebinding
  namespace: kubernetes-dashboard
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard-sa
    namespace: kubernetes-dashboard
roleRef:
  kind: ClusterRole
  name: non-admin-user
  apiGroup: ""

2.2 应用部署文件

kubectl apply -f access-sa.yaml

2.3 查看生成的secret

kubectl get secret -A |grep sa

使用各自的密钥登陆dashboard查看

ingress-nginx这里的secret只能在ingress-nginx 这个名称空间访问, 其他的名称空间无权限

kubernetes-dashboard 这里的secret只能在 kubernetes-dashboard 这个名称空间访问, 其他的名称空间无权限

posted @ 2020-08-02 16:02  cjw1219  阅读(1375)  评论(0编辑  收藏  举报