當(dāng)前位置：首頁(yè) > 编程资源 > 编程问答 >内容正文

编程问答

有史以来最详细安装部署Kubernetes Dashboard (补充解决官方出现的一些RBAC CERT等问题)

發(fā)布時(shí)間：2025/3/11 编程问答 57 豆豆

生活随笔收集整理的這篇文章主要介紹了有史以来最详细安装部署Kubernetes Dashboard (补充解决官方出现的一些RBAC CERT等问题) 小編覺(jué)得挺不錯(cuò)的,現(xiàn)在分享給大家,幫大家做個(gè)參考.

安裝部署Kubernetes Dashboard (補(bǔ)充解決官方出現(xiàn)的一些RBAC CERT等問(wèn)題)

官方文檔：https://github.com/kubernetes/dashboard

參考文章：https://kuboard.cn/install/install-k8s-dashboard.html#

前言

Kubernetes Dashboard 是 Kubernetes 的官方 Web UI。使用 Kubernetes Dashboard，你可以：

向 Kubernetes 集群部署容器化應(yīng)用
診斷容器化應(yīng)用的問(wèn)題
管理集群的資源
查看集群上所運(yùn)行的應(yīng)用程序
創(chuàng)建、修改Kubernetes 上的資源（例如 Deployment、Job、DaemonSet等）
展示集群上發(fā)生的錯(cuò)誤

例如：您可以伸縮一個(gè) Deployment、執(zhí)行滾動(dòng)更新、重啟一個(gè) Pod 或部署一個(gè)新的應(yīng)用程序

1. 準(zhǔn)備安裝kubernetes dashboard的yaml文件

wget??https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.4/aio/deploy/recommended.yaml

Kubernetes Dashboard 默認(rèn)部署時(shí)，只配置了最低權(quán)限的 RBAC

參考文檔：https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md

2. 創(chuàng)建 serviceaccount

[@kube-test.master.mango.com ~/manifests/dashboard]# cat dashboard-sa.yaml

apiVersion: v1kind: ServiceAccountmetadata:name: dashboard-adminnamespace: kubernetes-dashboard

3. 創(chuàng)建clusterrolebinding為dashboard sa授權(quán)集群權(quán)限cluster-admin

[@kube-test.master.mango.com ~/manifests/dashboard]# cat dashboard-clusterrolebinding.yamlapiVersion: rbac.authorization.k8s.io/v1kind: ClusterRoleBindingmetadata:name: dashboard-adminroleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: cluster-adminsubjects:- kind: ServiceAccountname: dashboard-adminnamespace: kubernetes-dashboard

4. 啟動(dòng)服務(wù)

kubectl apply -f recommended.yaml dashboard-sa.yaml dashboard-clusterrolebinding.yaml

5. 訪問(wèn)

修改kubernetes-dashboard namespace中的svc kubernetes-dashboard 的spec.type為NodePort，便于我們從集群外使用瀏覽器訪問(wèn)dashboard

方法1. 修改 recommended.yaml文件

service段配置更改如下：(nodePort: 30001可以省略，缺省則為隨機(jī)端口，服務(wù)啟動(dòng)后使用kubectl get svc -n kubernetes-dashboard查看)

kind: ServiceapiVersion: v1metadata:labels:k8s-app: kubernetes-dashboardname: kubernetes-dashboardnamespace: kubernetes-dashboardspec:type: NodePortports:- port: 443targetPort: 8443nodePort: 30001selector:k8s-app: kubernetes-dashboard

方法2. 熱更新打補(bǔ)丁的方式修改svc

kubectl -n kubernetes-dashboard patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}'

此時(shí)通過(guò)chrome瀏覽器訪問(wèn)https://ip:30001

顯然，無(wú)法正常訪問(wèn)，k8s舊版本可能不存在此問(wèn)題，使用Firefox瀏覽器添加例外可能可以跳過(guò)證書(shū)問(wèn)題，但這里我們使用重新制作自簽證書(shū)，重建secret，更新證書(shū)，解決此錯(cuò)誤

6. 解決證書(shū)過(guò)期問(wèn)題

為dashboard制作自簽證書(shū)

[@kube-test.master.mango.com ~]# (umask 077; openssl genrsa -out dashboard.key 2048)[@kube-test.master.mango.com ~]# openssl req -key dashboard.key -out dashboard.csr -subj "/O=mango/CN=dashboard"[@kube-test.master.mango.com ~]# openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=mango/CN=dashboard"[@kube-test.master.mango.com ~]# openssl x509 -req -in dashboard.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dashboard.crt -days 3650

修改官方的recommended.yaml文件

刪除secret部分：

---apiVersion: v1kind: Secretmetadata:labels:k8s-app: kubernetes-dashboardname: kubernetes-dashboard-certsnamespace: kubernetes-dashboardtype: Opaque---

這里順便修改一下service資源對(duì)象，更改為nodeport類(lèi)型

---kind: ServiceapiVersion: v1metadata:labels:k8s-app: kubernetes-dashboardname: kubernetes-dashboardnamespace: kubernetes-dashboardspec:type: NodePortports:- port: 443targetPort: 8443nodePort: 30001selector:k8s-app: kubernetes-dashboard---

7. 重新部署dashboard

kubectl apply -f recommended.yaml dashboard-sa.yaml dashboard-clusterrolebinding.yaml

8. 創(chuàng)建dashboard的secret

kubectl create secret generic kubernetes-dashboard-certs -n kubernetes-dashboard --from-file=dashboard.crt=./dashboard.crt --from-file=dashboard.key=./dashboard.key

9. 查看服務(wù)狀態(tài)

[@kube-test.master.mango.com ~/manifests/dashboard]# kubectl get svc -n kubernetes-dashboardNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGEdashboard-metrics-scraper ClusterIP 10.96.73.251 <none> 8000/TCP 58mkubernetes-dashboard NodePort 10.96.236.10 <none> 443:30001/TCP 58m

10. 瀏覽器訪問(wèn)

https://ip:30001

11. 獲取驗(yàn)證token

[@kube-test.master.mango.com ~/manifests/dashboard]# kubectl describe secret -n kubernetes-dashboard $(kubectl get secret -n kubernetes-dashboard | grep dashboard-admin | awk '{print $1}')Name: dashboard-admin-token-n7795Namespace: kubernetes-dashboardLabels: <none>Annotations: kubernetes.io/service-account.name: dashboard-adminkubernetes.io/service-account.uid: 286e2ee6-b03d-4e65-a386-7b0a9d03d47dType: kubernetes.io/service-account-tokenData====ca.crt: 1025 bytesnamespace: 20 bytestoken: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tbjc3OTUiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMjg2ZTJlZTYtYjAzZC00ZTY1LWEzODYtN2IwYTlkMDNkNDdkIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmVybmV0ZXMtZGFzaGJvYXJkOmRhc2hib2FyZC1hZG1pbiJ9.koV8lmBHo49jj1Nzrp1CjyiAKuU_7vxYmdsxkQPpjAi-WyZ8IJt3Al85l07HNY48m9nK-3w1yDIPYxoXNDTLVO88enk1JMqmvXrsbeyGHOLm3z5SwS8W7mCP22JO_A9dFDupGQ26MIE0quJhQ0MkgzAGVRpRjrgFqY4upi8_2j6VISgcVS6tG-do6TBZrv2fv6VKhn0njJ4Y2oc3ZxU4_nd4_2tsoAQS9LtZrOUbiF8xmNVSyUFZGF7JxpeW1JFpAtbUruQUC0sPGKfJ9vSKeDlIF3QV9frw4v8J7Roi1IoavKfRmzfNbWtiiu3S59GDgd_w5mP9k9H6f1ryz69Zgg

復(fù)制token填寫(xiě)至令牌處

總結(jié)

以上是生活随笔為你收集整理的有史以来最详细安装部署Kubernetes Dashboard (补充解决官方出现的一些RBAC CERT等问题)的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問(wèn)題。

如果覺(jué)得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。

上一篇：解决go build报错cannot f
下一篇： vm虚拟远程部署windows驱动