Installing the Kubernetes dashboard and ingress-nginx

Author: sysit   Category: d   Published: 2021-07-05

## 1. Installing ingress-nginx

We want to reach the dashboard through an ingress proxy rather than exposing it directly.

* Install ingress-nginx

```
# Fetch the manifest
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/baremetal/deploy.yaml
# Back it up
[root@master1 ~]# cp deploy.yaml{,.ori}
# Edit it so that the controller runs as a DaemonSet
[root@master1 ~]# diff deploy.yaml deploy.yaml.ori
< kind: DaemonSet
---
> kind: Deployment
321d320
<       hostNetwork: true
324c323
<           image: registry.aliyuncs.com/google_containers/nginx-ingress-controller:v0.46.0
---
>           image: k8s.gcr.io/ingress-nginx/controller:v0.46.0@sha256:52f0058bed0a17ab0fb35628ba97e8d52b5d32299fbc03cc0f6c7b9ff036b61a
398d396
<         ingress-controller: 'true'
```

Three things change, and each has a consequence worth knowing:

1. `kind: Deployment` becomes `kind: DaemonSet` and a `nodeSelector` entry `ingress-controller: 'true'` is added, so exactly one controller pod runs on every node that carries that label (the three masters, labelled below).
2. `hostNetwork: true` puts the controller in the node's network namespace. Ports 80 and 443, the admission webhook port 8443 and the health/metrics port 10254 are then bound on the node IP itself: nothing else on those nodes may use them, and they are reachable by anything that can reach the node, so firewall them as you would a host-installed nginx.
3. The image is switched to the Aliyun mirror of the controller image. Note what is lost in the process: the upstream reference is pinned to a sha256 digest, the mirror reference is a bare tag. A tag can be re-pointed at a different image at any time, so if you use a mirror, look up the digest of the copy you actually pulled and pin it (`image: <mirror>/<name>:v0.46.0@sha256:<digest>`).

The full file is too long to paste; the part that matters is the controller DaemonSet:

```
# Source: ingress-nginx/templates/controller-deployment.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/component: controller
  revisionHistoryLimit: 10
  minReadySeconds: 0
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
    spec:
      dnsPolicy: ClusterFirst
      hostNetwork: true
      containers:
        - name: controller
          image: registry.aliyuncs.com/google_containers/nginx-ingress-controller:v0.46.0
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          args:
            - /nginx-ingress-controller
            - --election-id=ingress-controller-leader
            - --ingress-class=nginx
            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            runAsUser: 101
            allowPrivilegeEscalation: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
            - name: webhook
              containerPort: 8443
              protocol: TCP
          volumeMounts:
            - name: webhook-cert
              mountPath: /usr/local/certificates/
              readOnly: true
          resources:
            requests:
              cpu: 100m
              memory: 90Mi
      nodeSelector:
        kubernetes.io/os: linux
        ingress-controller: 'true'
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission
---
```

```
# Label the nodes the controller should be scheduled on
kubectl label node master1.sysit.cn ingress-controller="true"
kubectl label node master2.sysit.cn ingress-controller="true"
kubectl label node master3.sysit.cn ingress-controller="true"
# Apply the manifest
kubectl apply -f deploy.yaml
```

* Check

```
[root@master1 ~]# kubectl get pods -n ingress-nginx -o wide
NAME                                   READY   STATUS      RESTARTS   AGE     IP                NODE               NOMINATED NODE   READINESS GATES
ingress-nginx-admission-create-kpgmb   0/1     Completed   0          7m54s   10.244.197.132    node1.sysit.cn     <none>           <none>
ingress-nginx-admission-patch-qtp5t    0/1     Completed   0          7m54s   10.244.96.129     master3.sysit.cn   <none>           <none>
ingress-nginx-controller-2mgp5         1/1     Running     0          2m23s   192.168.112.141   master1.sysit.cn   <none>           <none>
ingress-nginx-controller-mwczj         1/1     Running     1          2m23s   192.168.112.142   master2.sysit.cn   <none>           <none>
ingress-nginx-controller-xgldp         1/1     Running     0          2m23s   192.168.112.143   master3.sysit.cn   <none>           <none>
[root@master1 ~]# kubectl get daemonset -n ingress-nginx
NAME                       DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                                    AGE
ingress-nginx-controller   3         3         3       3            3           ingress-controller=true,kubernetes.io/os=linux   8m29s
```

The controller pods report the node IPs (192.168.112.141-143) rather than pod-network addresses, which confirms that `hostNetwork: true` took effect: the ingress is now listening on the masters themselves.

## 2. Installing the dashboard

### 2.1 Install the dashboard

```
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.2.0/aio/deploy/recommended.yaml
```

The recommended manifest creates everything in the `kubernetes-dashboard` namespace (older guides use `kube-system`), so that is the namespace in every path and command below.

* Access through `kubectl proxy`

```
# Starts a proxy that listens on localhost only
kubectl proxy
```

The dashboard is then reachable at:

```
http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
```

* Access through the apiserver

The same service path can be opened directly on the apiserver:

```
https://<master-ip>:<apiserver-port>/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
# For example through master1:
https://192.168.112.141:6443/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
```

Opening that URL in a browser gets a forbidden error. The apiserver authenticates clients with certificates; the browser presents none, so the request is treated as anonymous and rejected by RBAC. To use this route you have to import a client certificate (and trust the cluster CA) in the browser, see `https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/`.

How to get past the error: [Fixing the "forbidden" error when accessing kubernetes-dashboard](https://www.sysit.cn/blog/post/sysit/%E5%85%B3%E4%BA%8Ekubernetes-dashboard%E5%87%BA%E7%8E%B0forbidden%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE%E7%9A%84%E8%A7%A3%E5%86%B3%E5%8A%9E%E6%B3%95)

* Access through the nginx ingress proxy (the approach this post recommends)

### 2.2 Create the TLS certificate

There are several ways to create a certificate; two are shown here. Whichever you use, the certificate must carry the dashboard hostname as a subjectAltName: browsers no longer look at the CN, so a certificate whose only name is `CN=*.sysit.cn` is rejected even though it looks right.

* Generate the certificate with openssl

```
cat >openssl.cnf<<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
countryName = CN
stateOrProvinceName = Sichuan
localityName = Chengdu
organizationName = Sysit
organizationalUnitName = R & D Department
commonName = *.sysit.cn
emailAddress = admin@sysit.cn

[v3_req]
subjectAltName = DNS:*.sysit.cn, DNS:dashboard.sysit.cn
EOF
openssl req -newkey rsa:4096 -nodes -config openssl.cnf -days 3650 -x509 -out dashboard.crt -keyout dashboard.key
```

> dashboard.crt and dashboard.key are the files we need.

* Generate the certificate with cfssl

```
cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "dashboard": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
cat >ca-csr.json<<EOF
{
  "CN": "dashboard",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Chengdu",
      "ST": "Chengdu"
    }
  ]
}
EOF
cfssl gencert --initca ca-csr.json | cfssljson -bare ca -
# "hosts" becomes the subjectAltName list; without it cfssl warns and the cert has no SAN
cat >dashboard-csr.json<<EOF
{
  "CN": "*.sysit.cn",
  "hosts": [
    "*.sysit.cn",
    "dashboard.sysit.cn"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Chengdu",
      "ST": "Chengdu"
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem --config=ca-config.json --profile=dashboard dashboard-csr.json | cfssljson -bare dashboard
```

> dashboard.pem and dashboard-key.pem are the files we need.

* Import into Kubernetes

An Ingress can only reference a TLS secret in its own namespace, and the Ingress below lives in `kubernetes-dashboard`, so the secret has to be created there:

```
# cfssl output
kubectl create -n kubernetes-dashboard secret tls dashboard-ssl-name --cert dashboard.pem --key dashboard-key.pem
# openssl output instead:
# kubectl create -n kubernetes-dashboard secret tls dashboard-ssl-name --cert dashboard.crt --key dashboard.key
# Output: secret/dashboard-ssl-name created
```

### 2.3 Ingress for the dashboard

The dashboard container terminates TLS itself with an auto-generated certificate (Service port 443), so the controller has to speak HTTPS to the backend: that is what `backend-protocol: "HTTPS"` does. Two annotations that are often copied into this manifest do not belong here: `nginx.ingress.kubernetes.io/secure-backends` has been superseded by `backend-protocol`, and `nginx.ingress.kubernetes.io/ssl-passthrough` is only honoured when the controller is started with `--enable-ssl-passthrough` (it is not, see the DaemonSet args above); if it were, TLS would be passed straight through to the dashboard's self-signed certificate and the certificate from 2.2 would never be served.

```
cat > ingress-dashboard.yaml<<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dashboard-ingress
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/ingress.class: nginx
    # the dashboard serves TLS itself, so the controller must talk HTTPS to it
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
    - hosts:
        - dashboard.sysit.cn
      secretName: dashboard-ssl-name
  rules:
    - host: dashboard.sysit.cn
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kubernetes-dashboard
                port:
                  number: 443
EOF
kubectl apply -f ingress-dashboard.yaml
```

With `dashboard.sysit.cn` resolving to one of the master nodes (where the controller listens, see section 1), https://dashboard.sysit.cn shows the dashboard login page.

* Logging in

Create the admin user:

```
kubectl create serviceaccount admin-user -n kubernetes-dashboard
```

Bind it as a cluster administrator:

```
kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:admin-user
```

Be aware of what this does: the token of `admin-user` is now a full cluster-admin credential, and a token read from a service-account token secret (as below) never expires. Treat it like the root password of the cluster, and consider a narrower ClusterRole if the dashboard is used for anything other than administration.

Token login:

```
# Read the token straight from the service account's token secret
[root@master1 ~]# kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}"
# Output:
eyJhbGciOiJSUzI1NiIsImtpZCI6IkhwcEI0czdnbm9rOG5SdmVfOHJDcFBXcGZ0WThoNE5VR3BqbVlaM2lWcmMifQ... (the full token is printed in the kubeconfig step below)
```

This relies on the token secret that Kubernetes auto-creates for every service account; on clusters from 1.24 on those secrets are no longer created and the equivalent is `kubectl -n kubernetes-dashboard create token admin-user`, which issues a time-bounded token instead.

Paste the token into the login page.

Kubeconfig login:

```
# Fetch the token from the previous step into a variable
DASHBOARD_LOGIN_TOKEN=$(kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}")
echo ${DASHBOARD_LOGIN_TOKEN}
eyJhbGciOiJSUzI1NiIsImtpZCI6IkhwcEI0czdnbm9rOG5SdmVfOHJDcFBXcGZ0WThoNE5VR3BqbVlaM2lWcmMifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLTVqNHRiIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJiMTllYTE0Zi1hMWViLTRkNDgtOTU1YS00MDIwMjdkNDg5OWMiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6YWRtaW4tdXNlciJ9.TwmQr4BzT25mDu0tRGVcWVtEDrLrWs3-Isy9Cdv7h66rU_EuSxOIroB6v5fuQAynS8VyyAzg2ygX5TICJeEqdtCsxhvCZgX7Zny5jefrRtDEgNnV7wh5-7eShmICD0cF-pVUFeAqA-Ei-trEIaTPSkI7PaDSSIDVBlUfGFGFFR_Fg5oPErBfn9SqXvVly-2lAa4jQFfoMUsPjNk7PLaNGwnQj4yP-u_jY7GLy8a1Uv4DyqN2j_kyP5SjLjNOgnLrd2Hv51BEihVNbegTSJfGrkAfnjs3Tb_4JzjcO0ir1qKdm6KXRYuoaPt6SvoK8v_WGZMTZnbruGhlbaAUw4rlZw
# Create a kubeconfig that uses the token
kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=https://192.168.112.140:6443 \
  --kubeconfig=dashboard-admin.kubeconfig
# Client credentials: the token obtained above
kubectl config set-credentials admin-user \
  --token=${DASHBOARD_LOGIN_TOKEN} \
  --kubeconfig=dashboard-admin.kubeconfig
# Context
kubectl config set-context default \
  --cluster=kubernetes \
  --user=admin-user \
  --kubeconfig=dashboard-admin.kubeconfig
# Make it the default context
kubectl config use-context default --kubeconfig=dashboard-admin.kubeconfig
```

The payload of the token printed above is plain base64url JSON: it names the issuer `kubernetes/serviceaccount`, the namespace, the secret `admin-user-token-5j4tb`, the service account and its uid, and the subject `system:serviceaccount:kubernetes-dashboard:admin-user`, and it carries no `exp` claim. The kubeconfig file therefore contains a non-expiring cluster-admin bearer token in clear text; keep it mode 0600, never commit it, and delete it when the login is done.

Upload dashboard-admin.kubeconfig on the login page to log in.
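The diff in section 1 replaces the upstream, digest-pinned controller image with a bare mirror tag. The script below is an added example, not part of the original post: it lists the `image:` references in a manifest and reports those that are not pinned by a sha256 digest, so that kind of swap is caught before `kubectl apply`. The sample manifest is constructed inline for illustration and contains only the two image references from the post's own diff; the file names are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): find container images in a
# manifest that are not pinned by sha256 digest, so a swap from the
# digest-pinned upstream reference to a bare mirror tag is caught before
# `kubectl apply`. Pure text processing; no cluster access needed.

# Print every image reference in a manifest, one per line, without the
# "image:" key or surrounding quotes.
manifest_images() {
    # $1: path to the manifest
    grep -E '^[[:space:]]*(- )?image:[[:space:]]*' "$1" \
        | sed -E "s/^[[:space:]]*(- )?image:[[:space:]]*//; s/[\"']//g"
}

# Print the image references that carry no @sha256:<64 hex> digest.
# Returns 0 when every image is pinned, 1 when at least one is not.
unpinned_images() {
    # $1: path to the manifest
    _all_pinned=1
    for _img in $(manifest_images "$1"); do
        if ! printf '%s\n' "$_img" | grep -qE '@sha256:[0-9a-f]{64}$'; then
            printf '%s\n' "$_img"
            _all_pinned=0
        fi
    done
    [ "$_all_pinned" -eq 1 ]
}

# Constructed sample (illustration only): the upstream reference from the
# post's diff next to the unpinned mirror reference it was replaced with.
SAMPLE_MANIFEST=$(mktemp)
cat >"$SAMPLE_MANIFEST" <<'EOF'
      containers:
        - name: controller
          image: k8s.gcr.io/ingress-nginx/controller:v0.46.0@sha256:52f0058bed0a17ab0fb35628ba97e8d52b5d32299fbc03cc0f6c7b9ff036b61a
          imagePullPolicy: IfNotPresent
        - name: controller-mirror
          image: "registry.aliyuncs.com/google_containers/nginx-ingress-controller:v0.46.0"
EOF

# Usage: report anything unpinned before applying the manifest.
UNPINNED=$(unpinned_images "$SAMPLE_MANIFEST" || true)
[ -z "$UNPINNED" ] || printf 'images without a digest pin:\n%s\n' "$UNPINNED"
```

To pin a mirror tag, resolve its digest with `skopeo inspect docker://<mirror>/<name>:<tag>` (the `Digest` field of the output) and append `@sha256:<digest>` to the image reference; the check above then passes and the reference can no longer be silently re-pointed.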
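Section 2.2 stresses that the dashboard certificate needs a subjectAltName, and `openssl verify` alone will not tell you when it is missing, because openssl still falls back to the CN while browsers do not. The following script is an added example, not the post's own commands (and not the cfssl route): it builds a throwaway private CA with openssl, issues one leaf certificate for the post's hostname with a SAN and one with only `CN=*.sysit.cn`, and checks each the way a browser does. The CA name, the temp-directory layout and the validity periods are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): issue a CA-signed certificate for
# the dashboard hostname with a subjectAltName, then check it the way a browser
# does. `openssl verify` alone is not enough: it still falls back to the CN when
# there is no SAN; browsers stopped doing that years ago.

# Write a minimal openssl config. $1: path, $2: CN, $3: SAN list for the
# server section ("" to deliberately omit it). The CA section must carry
# basicConstraints CA:TRUE or `openssl verify` rejects the root.
write_openssl_config() {
    cat >"$1" <<EOF
[req]
distinguished_name = dn
prompt = no

[dn]
CN = $2

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
${3:+subjectAltName = $3}
EOF
}

# Throwaway private CA in $1 (ca.key, ca.crt); the CA name is an assumption.
make_ca() {
    write_openssl_config "$1/ca.cnf" "sysit-dashboard-ca" ""
    openssl req -x509 -newkey rsa:2048 -nodes -config "$1/ca.cnf" -extensions v3_ca \
        -days 3650 -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Server key + CSR + CA-signed cert: $1 work dir, $2 basename, $3 CN, $4 SANs.
issue_server_cert() {
    write_openssl_config "$1/$2.cnf" "$3" "$4"
    openssl req -new -newkey rsa:2048 -nodes -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/$2.cnf" -extensions v3_server -days 825 -out "$1/$2.crt" 2>/dev/null
}

# Print the SAN entries of a certificate ("DNS:a,DNS:b"), empty if it has none.
cert_sans() {
    openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# Browser-style acceptance: $1 hostname, $2 CA cert, $3 server cert.
# The chain must verify, the name must match, and a SAN must be present.
browser_accepts() {
    [ -n "$(cert_sans "$3")" ] || return 1
    openssl verify -CAfile "$2" -verify_hostname "$1" "$3" >/dev/null 2>&1
}

WORK=$(mktemp -d)
make_ca "$WORK"
issue_server_cert "$WORK" dashboard '*.sysit.cn' 'DNS:*.sysit.cn,DNS:dashboard.sysit.cn'
issue_server_cert "$WORK" cn-only   '*.sysit.cn' ''

# Usage: the SAN certificate is accepted, the CN-only one is not.
for _c in dashboard cn-only; do
    if browser_accepts dashboard.sysit.cn "$WORK/ca.crt" "$WORK/$_c.crt"; then
        echo "$_c.crt: accepted for dashboard.sysit.cn (SAN: $(cert_sans "$WORK/$_c.crt"))"
    else
        echo "$_c.crt: rejected for dashboard.sysit.cn (SAN: '$(cert_sans "$WORK/$_c.crt")')"
    fi
done
```

Signing the dashboard certificate with a small private CA (as the post's cfssl route also does) means only `ca.crt` has to be trusted on the workstations that open the dashboard; the leaf can be rotated at will without touching the browsers.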
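The login step hands a service-account token to the dashboard, and the kubeconfig step embeds the same token in a file. The script below is an added example, not part of the original post: it decodes the claims of such a token (restoring the base64url padding that `base64 -d` needs), pulls out the subject, and checks whether the token carries an `exp` claim, which is the difference between a legacy token-secret token like the one in the post and a time-bounded one from `kubectl create token`. The two tokens it works on are constructed inline with a fake signature part; no real credential is used.

```sh
#!/bin/sh
# Added example (not from the original post): look inside the bearer token that
# the dashboard login and the generated kubeconfig carry. A service-account
# token is a JWT whose payload is base64url JSON, so whoever holds the token
# can read what it grants; the interesting question is whether it ever expires.

# base64url (no padding, -_ alphabet) -> bytes. Padding has to be restored
# before `base64 -d` accepts it.
b64url_decode() {
    _s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#_s} % 4 )) in
        2) _s="${_s}==" ;;
        3) _s="${_s}=" ;;
    esac
    printf '%s' "$_s" | base64 -d
}

# bytes -> base64url, used only to build the constructed sample tokens below.
b64url_encode() {
    printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'
}

# Print the claims (second dot-separated part) of a JWT. No signature check:
# this is inspection of a token you already hold, not validation.
jwt_claims() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Print one string-valued claim by name. Good enough for the flat claim set of
# service-account tokens; not a general JSON parser.
jwt_claim() {
    # $1: token, $2: claim name
    jwt_claims "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# 0 if the token carries an "exp" claim, 1 if it is valid forever.
jwt_has_exp() {
    jwt_claims "$1" | grep -q '"exp":'
}

# Constructed sample tokens (illustration only, fake signature part). The first
# mirrors the claims of a legacy token-secret token like the one in the post;
# the second mirrors a time-bounded token as `kubectl create token` issues.
LEGACY_CLAIMS='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kubernetes-dashboard","kubernetes.io/serviceaccount/service-account.name":"admin-user","sub":"system:serviceaccount:kubernetes-dashboard:admin-user"}'
BOUND_CLAIMS='{"aud":["https://kubernetes.default.svc"],"exp":1700003600,"iat":1700000000,"iss":"https://kubernetes.default.svc","sub":"system:serviceaccount:kubernetes-dashboard:admin-user"}'
HEADER=$(b64url_encode '{"alg":"RS256","kid":"example-kid"}')
LEGACY_TOKEN="$HEADER.$(b64url_encode "$LEGACY_CLAIMS").ZmFrZS1zaWduYXR1cmU"
BOUND_TOKEN="$HEADER.$(b64url_encode "$BOUND_CLAIMS").ZmFrZS1zaWduYXR1cmU"

# Usage: before putting a token into a kubeconfig, see who it is and whether it expires.
for _t in "$LEGACY_TOKEN" "$BOUND_TOKEN"; do
    if jwt_has_exp "$_t"; then _life="expires"; else _life="never expires"; fi
    printf '%s (%s)\n' "$(jwt_claim "$_t" sub)" "$_life"
done
```

Run against the token the post prints, the same functions show the `system:serviceaccount:kubernetes-dashboard:admin-user` subject and no `exp` claim; a token without `exp` bound to `cluster-admin` is only ever revoked by deleting the secret (or the service account), which is the practical reason to prefer `kubectl create token` where the cluster version allows it.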