k3s Basics: Configuring the Kubernetes Dashboard
Installation
Deploy the dashboard
VERSION_KUBE_DASHBOARD=v2.7.0
k3s kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/${VERSION_KUBE_DASHBOARD}/aio/deploy/recommended.yaml
Configure RBAC
Create the following files
dashboard.admin-user.yml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
dashboard.admin-user-role.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: admin-user
    namespace: kubernetes-dashboard
Deploy the admin-user configuration:
k3s kubectl create -f dashboard.admin-user.yml -f dashboard.admin-user-role.yml
Accessing the dashboard
Port forwarding
① Local access
kubectl proxy --address='0.0.0.0' --accept-hosts='^*$'
② Remote access
kubectl port-forward -n kubernetes-dashboard service/kubernetes-dashboard 10443:443 --address 0.0.0.0
Configure a domain name
1. Create the ingress configuration file k8s-dashboard-web.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: k8s-dashboard-transport
  namespace: kubernetes-dashboard
spec:
  serverName: "k8s-dashboard.domain.com"
  insecureSkipVerify: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: k8s-dashboard-web
  namespace: kubernetes-dashboard
spec:
  entryPoints:
    - web
  routes:
    - match: "Host(`k8s-dashboard.domain.com`)"
      kind: Rule
      services:
        - name: kubernetes-dashboard
          namespace: kubernetes-dashboard
          port: 443
          serversTransport: k8s-dashboard-transport
2. Apply the deployment
kubectl apply -f k8s-dashboard-web.yaml
3. Configure an HTTPS certificate (optional; manual configuration is tedious, refer to Traefik's automatic certificate generation instead)
① Generate a certificate with a tool such as certbot; locally generated certificates are usually stored under /etc/letsencrypt/live.
② Create a local TLS secret
# the paths of the certificate files must be specified
kubectl create secret tls domain-tls \
  --key /etc/letsencrypt/live/domain.com/privkey.pem \
  --cert /etc/letsencrypt/live/domain.com/fullchain.pem
Copy the TLS secret into the kubernetes-dashboard namespace
kubectl get secret domain-tls --namespace=default -o yaml | sed 's/namespace: .*/namespace: kubernetes-dashboard/' | kubectl apply --namespace=kubernetes-dashboard -f -
③ Configure HTTPS access
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: k8s-dashboard-transport
  namespace: kubernetes-dashboard
spec:
  serverName: "k8s-dashboard.domain.com"
  insecureSkipVerify: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: k8s-dashboard-web
  namespace: kubernetes-dashboard
spec:
  entryPoints:
    - websecure
  routes:
    - match: "Host(`k8s-dashboard.domain.com`)"
      kind: Rule
      services:
        - name: kubernetes-dashboard
          namespace: kubernetes-dashboard
          port: 443
          serversTransport: k8s-dashboard-transport
  tls:
    secretName: domain-tls
4. Configure DNS resolution, then access the dashboard at https://k8s-dashboard.domain.com
Create an access token
# the --duration=240h parameter sets the token's validity period
kubectl -n kubernetes-dashboard create token admin-user --duration=240h
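As an added check (not part of the original post), the script below reads the `iat`/`exp` claims of a ServiceAccount token such as the one created above and compares its lifetime against a local maximum; the sample token, its `kid` and its signature are constructed here, and the script does not verify signatures.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def inspect_sa_token(token: str) -> dict:
    """Identity and lifetime of a SA JWT; signature NOT verified (needs issuer keys)."""
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    if header.get("alg", "none").lower() == "none":
        raise ValueError("unsigned token (alg=none) is never acceptable")
    if "exp" not in claims:
        raise ValueError("no exp claim: legacy secret-based tokens never expire")
    lifetime_s = claims["exp"] - claims.get("iat", claims["exp"])
    return {
        "subject": claims.get("sub"),
        "namespace": claims.get("kubernetes.io", {}).get("namespace"),
        "lifetime_hours": lifetime_s / 3600,
        "expired": time.time() >= claims["exp"],
    }


def exceeds_ttl_policy(token: str, max_hours: float) -> bool:
    """True when the token lives longer than local policy allows."""
    return inspect_sa_token(token)["lifetime_hours"] > max_hours


# Constructed sample shaped like `kubectl create token --duration=240h` output
# (real bound-token claim names, dummy signature, fixed iat for reproducibility).
_IAT = 1700000000
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "kid": "sample-kid"}).encode()),
    _b64url_encode(json.dumps({
        "iss": "https://kubernetes.default.svc.cluster.local",
        "sub": "system:serviceaccount:kubernetes-dashboard:admin-user",
        "iat": _IAT,
        "exp": _IAT + 240 * 3600,
        "kubernetes.io": {"namespace": "kubernetes-dashboard", "serviceaccount": {"name": "admin-user"}},
    }).encode()),
    _b64url_encode(b"dummy-signature"),
])
```

Run it against the real token string printed by `kubectl create token` to confirm the lifetime you requested is the one the API server actually issued.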
Change the validity period of the dashboard session token
By default, the dashboard's session token expires after one hour, after which it must be entered again. The following changes that token's validity period:
Pull the Deployment configuration
kubectl get deploy kubernetes-dashboard -n kubernetes-dashboard -o yaml > dashboard-deploy.yaml
Edit dashboard-deploy.yaml, find the following section and add the parameter
spec:
  containers:
    - args:
        - --auto-generate-certificates
        - --namespace=kubernetes-dashboard
        - --token-ttl=86400 # this line is newly added
Redeploy
kubectl apply -f dashboard-deploy.yaml