kubernetes的dashboard及ingress-nginx安装

作者: sysit 分类: d 发表于 2021-07-05 282人围观

## 1. ingress-nginx 安装

我们希望通过ingress代理的方式访问dashboard。

* 安装ingress-nginx

```
# 获取文件
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/baremetal/deploy.yaml

# 备份
[root@master1 ~]# cp deploy.yaml{,.ori}

# 修改文件，以DaemonSet运行
[root@master1 ~]# diff deploy.yaml deploy.yaml.ori   
< kind: DaemonSet
---
> kind: Deployment
321d320
<       hostNetwork: true
324c323
<           image: registry.aliyuncs.com/google_containers/nginx-ingress-controller:v0.46.0
---
>           image: k8s.gcr.io/ingress-nginx/controller:v0.46.0@sha256:52f0058bed0a17ab0fb35628ba97e8d52b5d32299fbc03cc0f6c7b9ff036b61a
398d396
<         ingress-controller: 'true'

# 部分配置，配置太多就不粘出来了，我们重点看下deployment部分

# Source: ingress-nginx/templates/controller-deployment.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.47.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/component: controller
  revisionHistoryLimit: 10
  minReadySeconds: 0
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
    spec:
      dnsPolicy: ClusterFirst
      hostNetwork: true
      containers:
        - name: controller
          image: registry.aliyuncs.com/google_containers/nginx-ingress-controller:v0.46.0
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          args:
            - /nginx-ingress-controller
            - --election-id=ingress-controller-leader
            - --ingress-class=nginx
            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            runAsUser: 101
            allowPrivilegeEscalation: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
            - name: webhook
              containerPort: 8443
              protocol: TCP
          volumeMounts:
            - name: webhook-cert
              mountPath: /usr/local/certificates/
              readOnly: true
          resources:
            requests:
              cpu: 100m
              memory: 90Mi
      nodeSelector:
        kubernetes.io/os: linux
        ingress-controller: 'true'
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission
---

# 标记节点调度到指定节点
kubectl label node master1.sysit.cn ingress-controller="true"
kubectl label node master2.sysit.cn ingress-controller="true"
kubectl label node master3.sysit.cn ingress-controller="true"

# 执行配置文件
kubectl apply -f deploy.yaml
```

* 检查

```
[root@master1 ~]# kubectl get pods -n ingress-nginx -o wide
NAME                                   READY   STATUS      RESTARTS   AGE     IP                NODE               NOMINATED NODE   READINESS GATES
ingress-nginx-admission-create-kpgmb   0/1     Completed   0          7m54s   10.244.197.132    node1.sysit.cn     <none>           <none>
ingress-nginx-admission-patch-qtp5t    0/1     Completed   0          7m54s   10.244.96.129     master3.sysit.cn   <none>           <none>
ingress-nginx-controller-2mgp5         1/1     Running     0          2m23s   192.168.112.141   master1.sysit.cn   <none>           <none>
ingress-nginx-controller-mwczj         1/1     Running     1          2m23s   192.168.112.142   master2.sysit.cn   <none>           <none>
ingress-nginx-controller-xgldp         1/1     Running     0          2m23s   192.168.112.143   master3.sysit.cn   <none>           <none>

[root@master1 ~]# kubectl get daemonset -n ingress-nginx
NAME                       DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                                    AGE
ingress-nginx-controller   3         3         3       3            3           ingress-controller=true,kubernetes.io/os=linux   8m29s
```

## 2. 安装dashboard

### 2.1 安装dashboard

```
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.2.0/aio/deploy/recommended.yaml
```

* 通过proxy访问

```
# 执行如下命令，代理出一个只能本地访问的地址。
kubectl proxy
```
可供访问的地址如下：
```
http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
```

* 通过apiserver访问

还可以通过apiserver访问，访问地址：

```
https://<master-ip>:<apiserver-port>/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

# 如我通过master1访问，则访问地址如下：
https://192.168.112.141:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
```

访问界面如下：

![title](/api/file/getImage?fileId=5d75f5763cd7c90522004cf8)

这个是因为kubernetes基于安全性的考虑，浏览器必须要一个根证书，防止中间人攻击，见`https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/`

解决访问问题参考：[关于kubernetes-dashboard出现forbidden无法访问的解决办法](https://www.sysit.cn/blog/post/sysit/%E5%85%B3%E4%BA%8Ekubernetes-dashboard%E5%87%BA%E7%8E%B0forbidden%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE%E7%9A%84%E8%A7%A3%E5%86%B3%E5%8A%9E%E6%B3%95)

* 通过nginx-ingress代理访问（本文推荐）

### 2.2 创建ssl证书

多种方式可以创建ssl证书，我们这里选取2中方式。

* openssl工具生成证书
```
cat >openssl.cnf<<EOF
[req]
distinguished_name = req_distinguished_name
prompt = yes

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_value               = CN

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_value       = Sichuan

localityName                    = Locality Name (eg, city)
localityName_value              = Chengdu

organizationName                = Organization Name (eg, company)
organizationName_value          = Sysit

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_value    = R & D Department

commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_value                = *.sysit.cn

emailAddress                    = Email Address
emailAddress_value              = admin@sysit.cn
EOF

openssl req -newkey rsa:4096 -nodes -config openssl.cnf -days 3650 -x509 -out dashboard.crt -keyout dashboard.key
```
> 上面dashboard.crt和dashboard.key就是我们需要的文件。

* cfssl工具生成证书

```
cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "dashboard": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

cat >ca-csr.json<<EOF
{
    "CN": "dashboard",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Chengdu",
            "ST": "Chengdu"
        }
    ]
}
EOF

cfssl gencert --initca ca-csr.json |cfssljson -bare ca -

cat >dashbaord-csr.json<<EOF
{
    "CN": "*.sysit.cn",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Chengdu",
            "ST": "Chengdu"
        }
    ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem --config=ca-config.json --profile=dashboard dashbaord-csr.json |cfssljson -bare dashboard

```

> 生成的dashboard.pem和dashboard-key.pem就是我们需要的文件

* 导入kubernetes

```
kubectl create -n kube-system secret tls dashboard-ssl-name --cert dashboard.pem --key dashboard-key.pem     
# 输出:secret/dashboard-ssl-name created
```

### 2.3 ingress-dashboard配置
```
cat > ingress-dashboard.yaml<<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dashboard-ingress
  namespace: kubernetes-dashboard
  annotations:
    nginx.ingress.kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/secure-backends: "true"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
    - dashboard.sysit.cn
    secretName: dashboard-ssl-name
  rules:
  - host: dashboard.sysit.cn
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: kubernetes-dashboard
            port:
              number: 443
EOF

kubectl apply -f ingress-dashboard.yaml

```
https://dashboard.sysit.cn访问界面如下：

![title](/api/file/getImage?fileId=5d75fae73cd7c90522004cfa)

* 登录

创建管理用户
```
kubectl create serviceaccount admin-user -n kubernetes-dashboard
```

绑定用户为集群管理用户

```

kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:admin-user

```

token登录

```
# 直接获取token
[root@master1 ~]# kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}"

# 得到
eyJhbGciOiJSUzI1NiIsImtpZCI6IkhwcEI0czdnbm9rOG5SdmVfOHJDcFBXcGZ0WThoNE5VR3BqbVlaM2lWcmMifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLTVqNHRiIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJiMTllYTE0Zi1hMWViLTRkNDgtOTU1YS00MDIwMjdkNDg5OWMiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6YWRtaW4tdXNlciJ9.TwmQr4BzT25mDu0tRGVcWVtEDrLrWs3-Isy9Cdv7h66rU_EuSxOIroB6v5fuQAynS8VyyAzg2ygX5TICJeEqdtCsxhvCZgX7Zny5jefrRtDEgNnV7wh5-7eShmICD0cF-pVUFeAqA-Ei-trEIaTPSkI7PaDSSIDVBlUfGFGFFR_Fg5oPErBfn9SqXvVly-2lAa4jQFfoMUsPjNk7PLaNGwnQj4yP-u_jY7GLy8a1Uv4DyqN2j_kyP5SjLjNOgnLrd2Hv51BEihVNbegTSJfGrkAfnjs3Tb_4JzjcO0ir1qKdm6KXRYuoaPt6SvoK8v_WGZMTZnbruGhlbaAUw4rlZw
```

使用获取的token进行页面访问

![title](/api/file/getImage?fileId=60d9ef8ee0dda66a8a00cd71)

kubeconfig登录
```
# 以通过如下操只获取上一个步骤生成的token

DASHBOARD_LOGIN_TOKEN=$(kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}")

echo ${DASHBOARD_LOGIN_TOKEN}
eyJhbGciOiJSUzI1NiIsImtpZCI6IkhwcEI0czdnbm9rOG5SdmVfOHJDcFBXcGZ0WThoNE5VR3BqbVlaM2lWcmMifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLTVqNHRiIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJiMTllYTE0Zi1hMWViLTRkNDgtOTU1YS00MDIwMjdkNDg5OWMiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6YWRtaW4tdXNlciJ9.TwmQr4BzT25mDu0tRGVcWVtEDrLrWs3-Isy9Cdv7h66rU_EuSxOIroB6v5fuQAynS8VyyAzg2ygX5TICJeEqdtCsxhvCZgX7Zny5jefrRtDEgNnV7wh5-7eShmICD0cF-pVUFeAqA-Ei-trEIaTPSkI7PaDSSIDVBlUfGFGFFR_Fg5oPErBfn9SqXvVly-2lAa4jQFfoMUsPjNk7PLaNGwnQj4yP-u_jY7GLy8a1Uv4DyqN2j_kyP5SjLjNOgnLrd2Hv51BEihVNbegTSJfGrkAfnjs3Tb_4JzjcO0ir1qKdm6KXRYuoaPt6SvoK8v_WGZMTZnbruGhlbaAUw4rlZw

#创建使用 token 的 KubeConfig 文件

kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=https://192.168.112.140:6443 \
  --kubeconfig=dashboard-admin.kubeconfig
  
# 设置客户端认证参数，使用上面创建的 Token
kubectl config set-credentials admin-user \
  --token=${DASHBOARD_LOGIN_TOKEN} \
  --kubeconfig=dashboard-admin.kubeconfig

# 设置上下文参数
kubectl config set-context default \
  --cluster=kubernetes \
  --user=admin-user \
  --kubeconfig=dashboard-admin.kubeconfig

# 设置默认上下文
kubectl config use-context default --kubeconfig=dashboard-admin.kubeconfig
```

登录界面如下：

![title](/api/file/getImage?fileId=60d9f198e0dda66a8a00cd72)

![title](/api/file/getImage?fileId=60d9f254e0dda66a8a00cd73)

如果觉得我的文章对您有用，请随意赞赏。您的支持将鼓励我继续创作！