K8S之Dashboard图形界面

一、Dashboard简介二、k8s安装Dashboard(1)下载Dashboard镜像（<code>可选）(2)根据yaml文件创建资源(3)查看资源(4)生成登录需要的token(5)使用火狐 / 搜狗浏览器访问（个人用的搜狗）

一、Dashboard简介

官网：https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/

 

Dashboard是基于web的Kubernetes用户界面。您可以使用指示板将容器化的应用程序部署到Kubernetes集群，对容器化的应用程序进行故障排除，并管理集群资源。您可以使用Dashboard来获得运行在集群上的应用程序的概览，以及创建或修改单独的Kubernetes资源(例如部署、作业、守护进程集等)。例如，您可以扩展部署、发起滚动更新、重新启动pod或使用部署向导部署新的应用程序。

二、k8s安装Dashboard

(1)下载Dashboard镜像（可选）

提前下载Dashboard镜像（可选）：

[root@m test]# docker pull mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.0

也可上传至私有仓库（可选）：

# 启动私有仓库

[root@m test]# docker start registry

# 给镜像打tag

[root@m test]# docker tag mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.0 192.168.116.170:5000/mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.0

# push镜像到私有仓库

[root@m test]# docker push 192.168.116.70:5000/mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.0

(2)根据yaml文件创建资源

[root@m test]# vi dashboard.yaml

内容（如果可能，注意修改其中的dashboard镜像地址（大约44行））:

apiVersion: v1

kind: ConfigMap

metadata:

labels:

k8s-app: kubernetes-dashboard

# Allows editing resource and makes sure it is created first.

addonmanager.kubernetes.io/mode: EnsureExists

name: kubernetes-dashboard-settings

namespace: kube-system

---

apiVersion: v1

kind: ServiceAccount

metadata:

labels:

k8s-app: kubernetes-dashboard

addonmanager.kubernetes.io/mode: Reconcile

name: kubernetes-dashboard

namespace: kube-system

---

apiVersion: apps/v1

kind: Deployment

metadata:

name: kubernetes-dashboard

namespace: kube-system

labels:

k8s-app: kubernetes-dashboard

kubernetes.io/cluster-service: "true"

addonmanager.kubernetes.io/mode: Reconcile

spec:

selector:

matchLabels:

k8s-app: kubernetes-dashboard

template:

metadata:

labels:

k8s-app: kubernetes-dashboard

annotations:

scheduler.alpha.kubernetes.io/critical-pod: ''

seccomp.security.alpha.kubernetes.io/pod: 'docker/default'

spec:

priorityClassName: system-cluster-critical

containers:

- name: kubernetes-dashboard

image: mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.0

resources:

limits:

cpu: 100m

memory: 300Mi

requests:

cpu: 50m

memory: 100Mi

ports:

- containerPort: 8443

protocol: TCP

args:

# PLATFORM-SPECIFIC ARGS HERE

- --auto-generate-certificates

volumeMounts:

- name: kubernetes-dashboard-certs

mountPath: /certs

- name: tmp-volume

mountPath: /tmp

livenessProbe:

httpGet:

scheme: HTTPS

path: /

port: 8443

initialDelaySeconds: 30

timeoutSeconds: 30

volumes:

- name: kubernetes-dashboard-certs

secret:

secretName: kubernetes-dashboard-certs

- name: tmp-volume

emptyDir: { }

serviceAccountName: kubernetes-dashboard

tolerations:

- key: "CriticalAddonsOnly"

operator: "Exists"

---

apiVersion: rbac.authorization.k8s.io/v1

kind: Role

metadata:

labels:

k8s-app: kubernetes-dashboard

addonmanager.kubernetes.io/mode: Reconcile

name: kubernetes-dashboard-minimal

namespace: kube-system

rules:

# Allow Dashboard to get, update and delete Dashboard exclusive secrets.

- apiGroups: [""]

resources: ["secrets"]

resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]

verbs: ["get", "update", "delete"]

# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.

- apiGroups: [""]

resources: ["configmaps"]

resourceNames: ["kubernetes-dashboard-settings"]

verbs: ["get", "update"]

# Allow Dashboard to get metrics from heapster.

- apiGroups: [""]

resources: ["services"]

resourceNames: ["heapster"]

verbs: ["proxy"]

- apiGroups: [""]

resources: ["services/proxy"]

resourceNames: ["heapster", "http:heapster:", "https:heapster:"]

verbs: ["get"]

---

apiVersion: rbac.authorization.k8s.io/v1

kind: RoleBinding

metadata:

name: kubernetes-dashboard-minimal

namespace: kube-system

labels:

k8s-app: kubernetes-dashboard

addonmanager.kubernetes.io/mode: Reconcile

roleRef:

apiGroup: rbac.authorization.k8s.io

kind: Role

name: kubernetes-dashboard-minimal

subjects:

- kind: ServiceAccount

name: kubernetes-dashboard

namespace: kube-system

---

apiVersion: v1

kind: Secret

metadata:

labels:

k8s-app: kubernetes-dashboard

# Allows editing resource and makes sure it is created first.

addonmanager.kubernetes.io/mode: EnsureExists

name: kubernetes-dashboard-certs

namespace: kube-system

type: Opaque

---

apiVersion: v1

kind: Secret

metadata:

labels:

k8s-app: kubernetes-dashboard

# Allows editing resource and makes sure it is created first.

addonmanager.kubernetes.io/mode: EnsureExists

name: kubernetes-dashboard-key-holder

namespace: kube-system

type: Opaque

---

apiVersion: v1

kind: Service

metadata:

name: kubernetes-dashboard

namespace: kube-system

labels:

k8s-app: kubernetes-dashboard

kubernetes.io/cluster-service: "true"

addonmanager.kubernetes.io/mode: Reconcile

spec:

selector:

k8s-app: kubernetes-dashboard

ports:

- port: 443

targetPort: 8443

nodePort: 30018

type: NodePort

创建资源：

[root@m test]# kubectl apply -f dashboard.yaml

configmap/kubernetes-dashboard-settings created

serviceaccount/kubernetes-dashboard created

deployment.apps/kubernetes-dashboard created

role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created

rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created

secret/kubernetes-dashboard-certs created

secret/kubernetes-dashboard-key-holder created

service/kubernetes-dashboard created

[root@m test]#

(3)查看资源

[root@m test]# kubectl get pods -n kube-system

[root@m test]# kubectl get pods -n kube-system -o wide

[root@m test]# kubectl get svc -n kube-system

[root@m test]# kubectl get deploy kubernetes-dashboard -n kube-system

# 查看pod创建详情：

[root@m test]# kubectl describe pod kubernetes-dashboard-7bdfc744fc-hmhh2 -n kube-system

(4)生成登录需要的token

# 创建service account

kubectl create sa dashboard-admin -n kube-system

kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin

# 查看dashboard-admin的secret名字

ADMIN_SECRET=$(kubectl get secrets -n kube-system | grep dashboard-admin | awk '{print $1}')

echo ADMIN_SECRET

# 打印secret的token

kubectl describe secret -n kube-system ${ADMIN_SECRET} | grep -E '^token' | awk '{print $2}'

# (1)创建service account

[root@m test]# kubectl create sa dashboard-admin -n kube-system

serviceaccount/dashboard-admin created

[root@m test]#

# (2)创建角色绑定关系

[root@m test]# kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin

clusterrolebinding.rbac.authorization.k8s.io/dashboard-admin created

[root@m test]#

# (3)查看dashboard-admin的secret名字

[root@m test]# ADMIN_SECRET=$(kubectl get secrets -n kube-system | grep dashboard-admin | awk '{print $1}')

[root@m test]# echo ADMIN_SECRET

ADMIN_SECRET

[root@m test]#

# (4)打印secret的token（浏览器访问需要）

[root@m test]# kubectl describe secret -n kube-system ${ADMIN_SECRET} | grep -E '^token' | awk '{print $2}'

eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tdDVjbjQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMzdjMDFmZmQtNTY5MC0xMWViLThiNDQtMDA1MDU2Mjg0ZjMwIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.nafBF2TUqen-4LFLQHdOWZ8XZ08k1rzBMkR0vEvFov6c0DVTUUlwX4-Uxe_OCep8gQgOphlJ3SXUNwCkFvONzxzR5799JeiLr3ahUaVhuMB12m45KHRPE-95pRvgFzs7OpPKiIxEn1cUMtErKdDPRo1zNBB-PzE95-5RGFimrdw-maP2yMo1auAgMow-JjHXhGTLeujDacEdcBWm5YbgFbaD3AkUd_c9EjbokR4-yT4iMd99tD4TwZqjYpUI_Qm76rV54qqylyf5LaOssR2scoiwA2TVHGA4ElMMOng_HqRjJJzmHux9-unakNfM5z8wtTAbJow8r7XHM6IfhxfLSg

[root@m test]#

注：以上密钥，浏览器访问时需要输入。

(5)使用火狐 / 搜狗浏览器访问（个人用的搜狗）

说明：谷歌浏览器配置安全问题太麻烦。

访问地址(输入密钥)：https://192.168.116.170:30018/