Kubernetes学习笔记-手动搭建k8s-1.10.4集群插件之dashboard |坐而言不如起而行！ 二...

1，修改配置文件

将下载的 kubernetes-server-linux-amd64.tar.gz 解压后，再解压其中的 kubernetes-src.tar.gz 文件。

dashboard 对应的目录是：cluster/addons/dashboard。

1. $pwd
2. /home/k8s/k8s/kubernetes/cluster/addons/dashboard
3. $ cp dashboard-controller.yaml{,.orig}
4. #修改第33行镜像tag，并pull好自己定义的对应tag的镜像。
5. $ vim dashboard-controller.yaml
6. #修改前后对比
7. $diff dashboard-controller.yaml{,.orig}
8. 33c33
9. < image: cnych/kubernetes-dashboard-amd64:v1.8.3
10. ---
11. > image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.8.3
12. $ cp dashboard-service.yaml{,.orig}
13. #在第十一行添加一个labels，定义端口类型为NodePort。
14. $ vim dashboard-service.yaml
15. #修改前后对比
16. $ diff dashboard-service.yaml.orig dashboard-service.yaml
17. 10a11
18. > type: NodePort

• 指定端口类型为 NodePort，这样外界可以通过地址 nodeIP:nodePort 访问 dashboard。

2，执行所有定义文件

1. $ ls *.yaml
2. dashboard-configmap.yaml dashboard-controller.yaml dashboard-rbac.yaml dashboard-secret.yaml dashboard-service.yaml
3. $ kubectl create -f .

3，查看分配的 NodePort

1. $kubectl get deployment kubernetes-dashboard -n kube-system
2. NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
3. kubernetes-dashboard 1 1 1 1 15h
4. $kubectl --namespace kube-system get pods -o wide
5. NAME READY STATUS RESTARTS AGE IP NODE
6. coredns-77c989547b-j77lp 1/1 Running 0 15h 172.30.84.3 kube-node1
7. coredns-77c989547b-t6mxc 1/1 Running 0 15h 172.30.29.3 kube-node3
8. kubernetes-dashboard-5bb8d4d76c-8kkwt 1/1 Running 0 15h 172.30.84.5 kube-node1
9. $kubectl get svc kubernetes-dashboard -n kube-system
10. NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
11. kubernetes-dashboard NodePort 10.254.147.2 <none> 443:8605/TCP 15h

• dashboard pod 443 端口通过NodePort映射到node的 8605端口。

dashboard 的 --authentication-mode 支持 token、basic，默认为 token。如果使用 basic，则 kube-apiserver 必须配置 ‘--authorization-mode=ABAC’ 和 ‘--basic-auth-file’ 参数。

4，查看 dashboard 支持的命令行参数

1. $kubectl exec --namespace kube-system -it kubernetes-dashboard-5bb8d4d76c-8kkwt -- /dashboard --help
2. 2018/11/24 04:04:18 Starting overwatch
3. Usage of /dashboard:
4. --alsologtostderr log to standard error as well as files
5. --apiserver-host string The address of the Kubernetes Apiserver to connect to in the format of protocol://address:port, e.g., http://localhost:8080. If not specified, the assumption is that the binary runs inside a Kubernetes cluster and local discovery is attempted.
6. --authentication-mode stringSlice Enables authentication options that will be reflected on login screen. Supported values: token, basic. Default: token.Note that basic option should only be used if apiserver has '--authorization-mode=ABAC' and '--basic-auth-file' flags set. (default [token])
7. --auto-generate-certificates When set to true, Dashboard will automatically generate certificates used to serve HTTPS. Default: false.
8. --bind-address ip The IP address on which to serve the --secure-port (set to 0.0.0.0 for all interfaces). (default 0.0.0.0)
9. --default-cert-dir string Directory path containing '--tls-cert-file' and '--tls-key-file' files. Used also when auto-generating certificates flag is set. (default "/certs")
10. --disable-settings-authorizer When enabled, Dashboard settings page will not require user to be logged in and authorized to access settings page.
11. --enable-insecure-login When enabled, Dashboard login view will also be shown when Dashboard is not served over HTTPS. Default: false.
12. --heapster-host string The address of the Heapster Apiserver to connect to in the format of protocol://address:port, e.g., http://localhost:8082. If not specified, the assumption is that the binary runs inside a Kubernetes cluster and service proxy will be used.
13. --insecure-bind-address ip The IP address on which to serve the --port (set to 0.0.0.0 for all interfaces). (default 127.0.0.1)
14. --insecure-port int The port to listen to for incoming HTTP requests. (default 9090)
15. --kubeconfig string Path to kubeconfig file with authorization and master location information.
16. --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
17. --log_dir string If non-empty, write log files in this directory
18. --logtostderr log to standard error instead of files
19. --metric-client-check-period int Time in seconds that defines how often configured metric client health check should be run. Default: 30 seconds. (default 30)
20. --port int The secure port to listen to for incoming HTTPS requests. (default 8443)
21. --stderrthreshold severity logs at or above this threshold go to stderr (default 2)
22. --system-banner string When non-empty displays message to Dashboard users. Accepts simple HTML tags. Default: ''.
23. --system-banner-severity string Severity of system banner. Should be one of 'INFO|WARNING|ERROR'. Default: 'INFO'. (default "INFO")
24. --tls-cert-file string File containing the default x509 Certificate for HTTPS.
25. --tls-key-file string File containing the default x509 private key matching --tls-cert-file.
26. --token-ttl int Expiration time (in seconds) of JWE tokens generated by dashboard. Default: 15 min. 0 - never expires (default 900)
27. -v, --v Level log level for V logs
28. --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
29. command terminated with exit code 2

5，访问 dashboard

为了集群安全，从 1.7 开始，dashboard 只允许通过 https 访问，如果使用 kube proxy 则必须监听 localhost 或 127.0.0.1，对于 NodePort 没有这个限制，但是仅建议在开发环境中使用。

对于不满足这些条件的登录访问，在登录成功后浏览器不跳转，始终停在登录界面。

参考：
https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard—1.7.X-and-above
https://github.com/kubernetes/dashboard/issues/2540

• kubernetes-dashboard 服务暴露了 NodePort，可以使用 https://NodeIP:NodePort 地址访问 dashboard；
• 通过 kube-apiserver 访问 dashboard；
• 通过 kubectl proxy 访问 dashboard：

1，通过 kubectl proxy 访问 dashboard（了解）

启动代理：

1. $ kubectl proxy --address='localhost' --port=8086 --accept-hosts='^*$'
2. Starting to serve on 127.0.0.1:8086

• --address 必须为 localhost 或 127.0.0.1；
• 需要指定 \--accept-hosts 选项，否则浏览器访问 dashboard 页面时提示 “Unauthorized”；

浏览器访问 URL：http://127.0.0.1:8086/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy

2，通过 kube-apiserver 访问 dashboard（应用）

获取集群服务地址列表：

1. $kubectl cluster-info
2. Kubernetes master is running at https://192.168.106.110:8443
3. CoreDNS is running at https://192.168.106.110:8443/api/v1/namespaces/kube-system/services/coredns:dns/proxy
4. kubernetes-dashboard is running at https://192.168.106.110:8443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy
5. To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

必须通过 kube-apiserver 的安全端口(https)访问 dashbaord，访问时浏览器需要使用自定义证书，否则会被 kube-apiserver 拒绝访问。

创建和导入自定义证书的步骤，参考：A.浏览器访问kube-apiserver安全端口

浏览器访问 URL：https://172.27.129.105:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
对于 virtuabox 做了端口映射： http://127.0.0.1:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

现在，直接使用刚刚通过kubectl cluster-info获取到的地址进行访问：

6，创建登录 Dashboard 的 token 和 kubeconfig 配置文件

上面提到，Dashboard 默认只支持 token 认证，所以如果使用 KubeConfig 文件，需要在该文件中指定 token，不支持使用 client 证书认证。

1，创建登录 token

1. $ kubectl create sa dashboard-admin -n kube-system
2. $ kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
3. $ ADMIN_SECRET=$(kubectl get secrets -n kube-system | grep dashboard-admin | awk '{print $1}')
4. $ DASHBOARD_LOGIN_TOKEN=$(kubectl describe secret -n kube-system ${ADMIN_SECRET} | grep -E '^token' | awk '{print $2}')
5. $ echo ${DASHBOARD_LOGIN_TOKEN}
6. eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tbGJ4d2giLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiYjBlYzMyMWMtZWYxYi0xMWU4LTk2NzAtNTI1NDAwYzdiYTk3Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.g_llVGHmryCqQ61BdDlQJ4tsuX1bEg3hzYCZb_cvoz6RkNgPt85QUQJSKymXvpzFYv8sq09jR6hrkgJ8rJpSMVSgbOswu_w5aV9RbiLaquv0d9m6WDR7FGgDGAZxYf8ag0DDzHesnAOUuNnSweklbQTbyB90X5Okff8332PemnMzcZzZP4je70T-OTyCHygcckWji_ZEEC5k3WXRwEhMMZO5cWVAuneNCpVSEJOKw1jRei8CC26FcPVm4vU24u3b0xQDeE6gFya2zIsJPMyaWVKhx_CtIh-uwSbf8SiRBzk767BBFye3sEG-D5NPrq65eB1wDNOOE8YxzomMwtR5aA

将上边输出的token输入到刚刚dashboard需要验证的界面，点击令牌，然后复制进去

点击登录即可访问首页了。

2，创建使用 token 的 KubeConfig 文件

1. $ source /opt/k8s/bin/environment.sh
2. # 设置集群参数
3. $ kubectl config set-cluster kubernetes \
4. --certificate-authority=/etc/kubernetes/cert/ca.pem \
5. --embed-certs=true \
6. --server=${KUBE_APISERVER} \
7. --kubeconfig=dashboard.kubeconfig
8. # 设置客户端认证参数，使用上面创建的 Token
9. $ kubectl config set-credentials dashboard_user \
10. --token=${DASHBOARD_LOGIN_TOKEN} \
11. --kubeconfig=dashboard.kubeconfig
12. # 设置上下文参数
13. $ kubectl config set-context default \
14. --cluster=kubernetes \
15. --user=dashboard_user \
16. --kubeconfig=dashboard.kubeconfig
17. # 设置默认上下文
18. $ kubectl config use-context default --kubeconfig=dashboard.kubeconfig

将如上操作所生成的dashboard.kubeconfig下载到本地，然后在登录界面，选择kubeconfig的方式，将刚刚本地的config文件导入进来，点击登录登入到 Dashboard。

由于缺少 Heapster 插件，当前 dashboard 不能展示 Pod、Nodes 的 CPU、内存等统计数据和图表。

https://github.com/kubernetes/dashboard/wiki/Access-control
https://github.com/kubernetes/dashboard/issues/2558
https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/