Kubernetes Dashboard 设置用户密码登陆
标签(空格分隔): Kubernetes2019年05月20日
K8s 文档
K8s 1.13源码安装
k8s dashboard token访问
仪表板是基于Web的Kubernetes用户界面。您可以使用仪表板将容器化应用程序部署到Kubernetes集群,对容器化应用程序进行故障排除,并管理集群本身及其伴随资源。您可以使用仪表板来概述群集上运行的应用程序,以及创建或修改单个Kubernetes资源(例如部署,作业,守护进程等)。例如,您可以使用部署向导扩展部署,启动滚动更新,重新启动Pod或部署新应用程序。
默认Kubernetes UI界面是使用token登陆,但是由于token相比较麻烦。我们这里使用密码登陆
</br>
1.首先确保K8S集群内部一切正常
[[email protected] ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
yzsjhl82-138.opi.com Ready <none> 22h v1.13.5
yzsjhl82-139.opi.com Ready <none> 22h v1.13.5
yzsjhl82-140.opi.com Ready <none> 22h v1.13.5
yzsjhl82-142.opi.com Ready <none> 22h v1.13.5
[[email protected] ~]# kubectl get pod --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
default busybox 1/1 Running 23 22h
kube-system coredns-d7964c8db-2t8wl 1/1 Running 1 22h
kube-system coredns-d7964c8db-sbztp 1/1 Running 1 22h
kube-system kube-flannel-ds-amd64-cv5hx 1/1 Running 2 22h
kube-system kube-flannel-ds-amd64-f2f7x 1/1 Running 2 22h
kube-system kube-flannel-ds-amd64-vmm74 1/1 Running 2 22h
kube-system kube-flannel-ds-amd64-zgfmq 1/1 Running 1 22h2.配置
首先需要说明一点,默认kubernetes Dashboard是需要token登陆。不方便登记,我们可以让dashboard使用用户密码验证登陆
需要注意几点
- 修改apiserver
- 创建用户密码文件
- 创建yaml文件
[一] 在master上节点上创建文件(用户密码文件)
cat /etc/kubernetes/basic_auth_file
admin,admin,1
cyh,cyh,2
#前面为用户,后面为密码,数字为用户ID不可重复[二] 在所有master的apiserver启动文件添加一行配置
vim /usr/lib/systemd/system/kube-apiserver.service
--basic-auth-file=/etc/kubernetes/basic_auth_file
#添加完毕后重启api-server这里需要说明,以上操作在所有master上执行,在所有节点操作是为了防止有pod飘到非master节点,当然也可以做pod亲和力
[三]创建yaml文件
wget http://down.i4t.com/k8s-passwd-dashboard.yaml| kubectl apply -f k8s-passwd-dashboard.yaml为了防止地址失效,我这里在手动cp一份
# ------------------- Dashboard Secret ------------------- #
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-certs
namespace: kube-system
type: Opaque
---
# ------------------- Dashboard Service Account ------------------- #
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
---
# ------------------- Dashboard Role & Role Binding ------------------- #
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
rules:
# Allow Dashboard to create ‘kubernetes-dashboard2-key-holder‘ secret.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
# Allow Dashboard to create ‘kubernetes-dashboard2-settings‘ config map.
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
verbs: ["get", "update", "delete"]
# Allow Dashboard to get and update ‘kubernetes-dashboard2-settings‘ config map.
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"]
# Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster"]
verbs: ["proxy"]
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kube-system
---
# ------------------- Dashboard Deployment ------------------- #
kind: Deployment
apiVersion: apps/v1beta2
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: kubernetes-dashboard
template:
metadata:
labels:
k8s-app: kubernetes-dashboard
spec:
containers:
- name: kubernetes-dashboard
image: mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.8.3
ports:
- containerPort: 8443
protocol: TCP
args:
- --auto-generate-certificates
- --authentication-mode=basic
# Uncomment the following line to manually specify Kubernetes API server Host
# If not specified, Dashboard will attempt to auto discover the API server and connect
# to it. Uncomment only if the default does not work.
# - --apiserver-host=http://my-address:port
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
# Create on-disk volume to store exec logs
- mountPath: /tmp
name: tmp-volume
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 30
timeoutSeconds: 30
volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: kubernetes-dashboard-certs
- name: tmp-volume
emptyDir: {}
serviceAccountName: kubernetes-dashboard
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
---
# ------------------- Dashboard Service ------------------- #
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
type: NodePort
ports:
- port: 80
targetPort: 8443
nodePort: 30000
selector:
k8s-app: kubernetes-dashboard我们可以用过下面命令进行检查kubectl get pod,svc -n kube-system
这里要说一点,我这里的镜像使用的是v1.8.3如果觉得版本低可以更高版本的。
访问dashboard界面
由于没有ingress,使用的是IP访问。所以会提示我们证书不安全,我们这里点击忽略直接访问。个别浏览器会造成打不开的,建议使用谷歌或火狐
在任意一台master上访问即可
这里需要我们输入api-server指定的文件里面的账号密码
跳过是没有权限查看k8s里面所有的信息
原文地址:https://blog.51cto.com/abcdocker/2397969
时间: 2024-11-06 09:33:20