K8S-Dashboard

部署dashboard

官网：https://github.com/kubernetes/dashboard

注：1.8版本的dashboard，默认是可以跳过验证的。跳过登录是不科学的，因为我们在配置dashboard的rbac权限时，绑定的角色是system:admin，这个是集群管理员的角色，权限很大，如果任何人都可跳过登录直接使用,那你就等着背锅。所以这边用了1.10.0版本，并配置证书。dashboard当前已经出到了 2.2.0版本。

1、获取dashboard

docker pull k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
docker tag 5c4ee6ca42ce harbor.example.com/public/dashboard:v1.10.1
docker push harbor.example.com/public/dashboard:v1.10.1

注：由于下载缓慢请找国内的镜像源下载该镜像。

2、配置资源配置清单，在运维主机上创建（方法与之前的插件配置文件创建方法一致）

RBCD授权清单

cat >/data/k8s-yaml/dashboard/rbac.yaml <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    addonmanager.kubernetes.io/mode: Reconcile
  name: kubernetes-dashboard-admin
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-admin
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
    addonmanager.kubernetes.io/mode: Reconcile
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard-admin
  namespace: kube-system
EOF

deploy清单

cat >/data/k8s-yaml/dashboard/dp.yaml <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      priorityClassName: system-cluster-critical
      containers:
      - name: kubernetes-dashboard
        image: harbor.example.com/public/dashboard:v1.10.1
        resources:
          limits:
            cpu: 100m
            memory: 300Mi
          requests:
            cpu: 50m
            memory: 100Mi
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          # PLATFORM-SPECIFIC ARGS HERE
          - --auto-generate-certificates
        volumeMounts:
        - name: tmp-volume
          mountPath: /tmp
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard-admin
      tolerations:
      - key: "CriticalAddonsOnly"
        operator: "Exists"
EOF

service清单

cat >/data/k8s-yaml/dashboard/svc.yaml <<EOF
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  selector:
    k8s-app: kubernetes-dashboard
  ports:
  - port: 443
    targetPort: 8443
EOF

ingress清单暴露服务

cat >/data/k8s-yaml/dashboard/ingress.yaml <<EOF
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: dashboard.example.com
    http:
      paths:
      - backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
EOF

注：从github官网上趴下来的，更改了镜像源地址为私有镜像仓库。在官网上的资源配置文件是将多个资源写在一个文件中的，根据实际需求进行更改配置。

3、创建资源

kubectl create -f http://k8s-yaml.example.com/dashboard/rbac.yaml
kubectl create -f http://k8s-yaml.example.com/dashboard/dp.yaml
kubectl create -f http://k8s-yaml.example.com/dashboard/svc.yaml
kubectl create -f http://k8s-yaml.example.com/dashboard/ingress.yaml

4、配置dashboard域名解析（由于前期已在nginx中添加了泛域名反向代理）

5、通过浏览器验证

使用本机浏览器访问：dashboard.example.com，可以看到安装1.10版本的dashboard，没有skip跳过验证。

注：由于没有配置证书文件，不能使用token令牌登录

6、申请证书（CFSSL证书服务器上操作）

创建json文件

cat >/opt/certs/dashboard-csr.json <<EOF
{
    "CN": "*.example.com",
    "hosts": [
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "shanghai",
            "L": "shanghai",
            "O": "sevattal",
            "OU": "ops"
        }
    ]
}
EOF

生成申请证书

cfssl gencert -ca=ca.pem \
      -ca-key=ca-key.pem \
      -config=ca-config.json \
      -profile=server \
      dashboard-csr.json |cfssl-json -bare dashboard

7、将证书文件部署到前端的nginx反向代理服务器上（若是nginx集群则全部都需要配置上）

创建nginx证书文件目录

mkdir /etc/nginx/certs

将以下证书文件复制到nginx证书目录中

dashboard.pem dashboard-key.pem

创建nginx配置文件

cat >/etc/nginx/conf.d/dashboard.example.com.conf <<'EOF'
server {
    listen       80;
    server_name  dashboard.example.com;
    rewrite ^(.*)$ https://${server_name}$1 permanent;
}
server {
    listen       443 ssl;
    server_name  dashboard.example.com;
    ssl_certificate     "certs/dashboard.pem";
    ssl_certificate_key "certs/dashboard-key.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://default_backend_traefik;
        proxy_set_header Host       $http_host;
        proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
    }
}
EOF

重启nginx服务

nginx -t
nginx -s reload

8、使用token登录

获取secret资源列表

kubectl get secret  -n kube-system

列表中有很多角色,不同到角色有不同的权限,找到想要的角色dashboard-admin后,再用describe命令获取详情

获取dashboard-admin用户的资源token

kubectl -n kube-system describe secrets kubernetes-dashboard-admin-token-r5v6k

注：以上的token字段，就是我们使用令牌登录的令牌。由于我这边是本地测试环境就不打马赛克了，这个令牌在生产环境中不能轻易给别人。因为这个令牌是admin的令牌，若要给他人使用dashboard仪表盘的话可以自建一个权限小的角色，然后将角色分配给用，再生成令牌给他人使用。

使用令牌登录dashboard

看到以上界面则dashboard部署完成了。