Setting up the Kubernetes Dashboard service

Preface

This post records how I set up a Kubernetes Dashboard.

What is Kubernetes Dashboard

Kubernetes Dashboard is a general-purpose web-based UI that lets users manage and troubleshoot the applications running in a cluster, as well as manage the cluster itself. After installing k8s, most operations are done through kubectl commands; Kubernetes Dashboard makes managing the cluster more convenient.

How to set up Kubernetes Dashboard

Setting up Kubernetes Dashboard takes roughly the following steps:

  1. Generate the HTTPS certificate
  2. Create the authentication token
  3. Deploy the service
  4. Get the authentication token
  5. Access and log in

Generate the HTTPS certificate

mkdir certs
openssl req -nodes -newkey rsa:2048 -keyout certs/dashboard.key -out certs/dashboard.csr -subj "/C=/ST=/L=/O=/OU=/CN=kubernetes-dashboard"
openssl x509 -req -sha256 -days 10000 -in certs/dashboard.csr -signkey certs/dashboard.key -out certs/dashboard.crt

The first command, openssl req, creates a new PKCS#10 certificate request together with a new private key. dashboard.key is the private key and dashboard.csr is the certificate request (CSR stands for Certificate Signing Request).

The second command, openssl x509, self-signs the CSR generated above with the dashboard.key private key and produces dashboard.crt (CRT is short for certificate).
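
The two openssl commands above, wrapped into a small script as an added example (this is not code from the original post). Besides generating the pair it checks that the public key inside the certificate really is the public half of the private key, that the CN is the one the Dashboard expects, and that the certificate has not expired, before the files are handed to Kubernetes in the next step. It assumes the openssl CLI is installed; the 365-day lifetime is my choice in place of the post's 10000 days, since a self-signed certificate that long-lived is in practice never rotated.

```sh
#!/bin/sh
# Added example (not from the original post): generate the Dashboard
# key pair the way the post does and sanity-check the result.
# Assumes the openssl CLI is on PATH.
set -eu

# Generate a private key, a CSR and a self-signed certificate in $1.
# A 365-day validity is used here instead of the post's 10000 days.
gen_dashboard_cert() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -nodes -newkey rsa:2048 \
        -keyout "$dir/dashboard.key" -out "$dir/dashboard.csr" \
        -subj "/CN=kubernetes-dashboard" 2>/dev/null
    openssl x509 -req -sha256 -days 365 \
        -in "$dir/dashboard.csr" -signkey "$dir/dashboard.key" \
        -out "$dir/dashboard.crt" 2>/dev/null
}

# Succeed only if the public key embedded in the certificate ($1) is
# the public half of the private key ($2). A mismatched pair inside the
# kubernetes-dashboard-certs Secret makes every TLS handshake fail.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Print the CN of the certificate's subject (RFC2253 formatting keeps
# the output stable across openssl versions).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *CN=//'
}

# Succeed if the certificate stays valid for at least $2 more seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}
```

Typical use is gen_dashboard_cert "$HOME/certs" followed by cert_matches_key "$HOME/certs/dashboard.crt" "$HOME/certs/dashboard.key"; only run the kubectl create secret command of the next section when the check passes.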

Create the authentication token

The official wiki recommends accessing the Dashboard over HTTPS. By default the Dashboard generates a self-signed certificate and keeps it in memory. To use your own certificate, follow the command below. The custom certificate must be stored in a Secret named kubernetes-dashboard-certs in the kube-system namespace. Assuming your dashboard.crt and dashboard.key files are in the $HOME/certs directory, create that Secret from the contents of those files with the following command:

kubectl create secret generic kubernetes-dashboard-certs --from-file=$HOME/certs -n kube-system

Deploy the service

The service is deployed from the kubernetes-dashboard-lb.yaml file; the full configuration is as follows:

---
# ------------------- Dashboard Service Account ------------------- #

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Role & Role Binding ------------------- #

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Deployment ------------------- #

kind: Deployment
apiVersion: apps/v1beta2
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --auto-generate-certificates
          # Uncomment the following line to manually specify Kubernetes API server Host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          # - --apiserver-host=http://my-address:port
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule

---
# ------------------- Dashboard Service ------------------- #

kind: Service
apiVersion: v1
metadata:
  annotations:
    service.kubernetes.io/qcloud-loadbalancer-clusterid: cls-xxxxxx
    service.kubernetes.io/qcloud-loadbalancer-internal-subnetid: subnet-8uouk8f0
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: LoadBalancer
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard

This configuration file mainly defines the service account, binds it to the corresponding role, and describes how the service is deployed and exposed:

  1. Service account: Dashboard Service Account
  2. Role and role binding: Dashboard Role & Role Binding
  3. Deployment: Dashboard Deployment
  4. Service exposure: Dashboard Service (type LoadBalancer)

The deployment commands are as follows:

CLUSTER_ID=$(cat /etc/kubernetes/config | grep KUBE_CLUSTER | awk -F '"' '{print $2}')
sed -i "154s/cls-[a-z0-9]*/${CLUSTER_ID}/" kubernetes-dashboard-lb.yaml
kubectl create -f kubernetes-dashboard-lb.yaml

These commands work like this:

  1. Read the KUBE_CLUSTER variable from the /etc/kubernetes/config file and, using awk with the double quote as the field separator, take the second field and store it in the temporary variable CLUSTER_ID.
  2. Use sed to replace the cls-... value on line 154 of the file with the CLUSTER_ID value just obtained.
  3. Deploy the configuration file with kubectl.
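
The sed call above pins the substitution to line 154 of the file, so any edit to the YAML silently breaks it, and nothing checks that the value read from the config actually looks like a cluster id before it is written into the Service annotation. Below is an added example (not from the original post) that reads the cluster id the same way, validates that it has the cls- shape, and rewrites the annotation by matching its key instead of a line number. The config file and YAML fragment used in the test are constructed samples.

```sh
#!/bin/sh
# Added example (not from the original post): replace the line-number
# based sed from the post with a substitution keyed on the annotation.
set -eu

# Read KUBE_CLUSTER="cls-..." from a kubernetes config file ($1) the
# same way the post does: split on double quotes and take field 2.
read_cluster_id() {
    awk -F '"' '/KUBE_CLUSTER/ { print $2; exit }' "$1"
}

# Reject anything that does not look like a Tencent Cloud cluster id
# (cls- followed by lowercase letters/digits), so a bad value in the
# config cannot end up in the Service annotation unnoticed.
valid_cluster_id() {
    printf '%s\n' "$1" | grep -Eq '^cls-[a-z0-9]+$'
}

# Rewrite the qcloud-loadbalancer-clusterid annotation in YAML file $1
# to $2, anchored on the annotation key rather than on a line number.
# "sed -i.bak" works on both GNU and BSD sed and leaves a .bak copy.
patch_cluster_id() {
    file="$1"; cluster_id="$2"
    valid_cluster_id "$cluster_id" || {
        echo "refusing to patch: bad cluster id '$cluster_id'" >&2
        return 1
    }
    sed -i.bak \
        "s#\(service\.kubernetes\.io/qcloud-loadbalancer-clusterid:[[:space:]]*\)cls-[a-z0-9]*#\1${cluster_id}#" \
        "$file"
}

# Print the annotation's current value from YAML file $1.
current_cluster_id() {
    awk '/qcloud-loadbalancer-clusterid:/ { print $2; exit }' "$1"
}
```

Usage on the post's files is patch_cluster_id kubernetes-dashboard-lb.yaml "$(read_cluster_id /etc/kubernetes/config)" followed by the same kubectl create -f command as above; because the substitution is anchored on the annotation key, the YAML can be edited freely without renumbering anything.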

Get the authentication token

Check the status of the deployed service with the following command: the pod whose name starts with kubernetes-dashboard should show status Running.

kubectl get pod -n kube-system

This command retrieves the resource information as follows:

  1. kubectl get lists the application instances (pods)
  2. -n sets the namespace to kube-system

Next, deploy the following admin-role.yaml configuration file:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: admin
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: admin
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile

Run the deployment command:

kubectl create -f admin-role.yaml

Get the authentication token:

kubectl -n kube-system describe secret admin-token

This command prints the description of the secret in the kube-system namespace; copy the string after token: for logging in to the Dashboard later.
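
Copying the token out of the describe output by hand works, but the step is easy to script. The added example below (not from the original post) parses the describe output the post's command prints, offers a non-interactive way to read the token straight from the Secret the admin service account references, checks that what was extracted has the shape of a JWT before it is pasted anywhere, and asks the API server with kubectl auth can-i what the account is allowed to do. Because admin-role.yaml binds the account to cluster-admin, anyone holding this token has full control of the cluster, which is why the permission check is worth running before the token is shared or stored. The describe output in the test is constructed; the kubectl-based functions assume a reachable cluster on which token Secrets are still auto-created for service accounts (as in the Kubernetes versions this post targets) and GNU base64.

```sh
#!/bin/sh
# Added example (not from the original post): fetch the admin token
# without copy-pasting and check what that token is allowed to do.
set -eu

# Extract the value of the "token:" line from `kubectl describe secret`
# output read on stdin. describe prints "token:   <jwt>"; other lines
# (Name:, Data, ====, ca.crt:, namespace:) are ignored.
extract_token() {
    awk '$1 == "token:" { print $2; exit }'
}

# Non-interactive alternative: read the token straight from the Secret
# referenced by service account $1 in namespace $2. Assumes a cluster
# that auto-creates the token Secret for the account.
sa_token() {
    secret=$(kubectl -n "$2" get serviceaccount "$1" \
        -o jsonpath='{.secrets[0].name}')
    kubectl -n "$2" get secret "$secret" \
        -o jsonpath='{.data.token}' | base64 -d
}

# A service-account token is a JWT: three base64url segments joined by
# dots. Reject anything else before it goes into a login form.
looks_like_jwt() {
    printf '%s\n' "$1" \
        | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

# Ask the API server whether service account $1 in namespace $2 may
# perform verb $3 on resource $4. With the cluster-admin binding from
# admin-role.yaml this answers "yes" for '*' '*', i.e. the token grants
# unrestricted access and must be protected accordingly.
sa_can() {
    kubectl auth can-i "$3" "$4" --as="system:serviceaccount:$2:$1"
}
```

For the post's setup the two interactive-free calls are tok=$(sa_token admin kube-system) and sa_can admin kube-system '*' '*'; looks_like_jwt "$tok" catches the common mistake of copying the wrong line from the describe output.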

Access and log in

Run the following command to get the access address:

kubectl get service kubernetes-dashboard -n kube-system

Take the externally reachable IP address from the EXTERNAL-IP column and open https://ip in a browser. Once the page loads, choose Token login. With that, the Kubernetes Dashboard service is deployed.

Summary

This post describes how to set up the Kubernetes Dashboard service. It is only the first step in learning Kubernetes, but the Dashboard makes managing your cluster easier. The architecture of K8s is far more complex than a single post can cover; hopefully setting up the Dashboard is a good starting point for learning K8s.
