Kubernetes Dashboard

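Dashboard is the web user interface for Kubernetes. With it, users can deploy containerized applications to a Kubernetes cluster, troubleshoot and manage those applications, and manage the cluster itself. Users can see how the applications in the cluster are running, and can create or modify Kubernetes resources such as Deployments, Jobs and Services. Through the deployment wizard, users can scale a deployment, perform rolling updates, restart Pods and deploy new applications. Dashboard also shows the status of Kubernetes resources.

Kubernetes Dashboard GitHub repository

Installation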

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml

After the deployment succeeds, run:

kubectl proxy

Open: http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login
You can then manage the cluster through the UI.

Kubernetes Dashboard access permission problems

Newer versions of Kubernetes Dashboard no longer seem to have the Skip button.


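Clicking Skip enters the dashboard with the default kubernetes-dashboard role. Azure AKS, for example, has no login screen at all and goes straight to the home page. You may then see many yellow warnings: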

configmaps is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list configmaps in the namespace "default"
persistentvolumeclaims is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list persistentvolumeclaims in the namespace "default"
secrets is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list secrets in the namespace "default"
services is forbidden: User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list services in the namespace "default"
....

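This means the kubernetes-dashboard service account does not have sufficient permissions.

Method 1: create a user with administrator privileges and generate a token to access the dashboard

Reference: Creating-sample-user

Create an administrator Service Account file

Create a local file named dashboard-adminuser.yaml with the following content: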

apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system

Then run:

kubectl apply -f dashboard-adminuser.yaml

Generate the Bearer Token

kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')

Then copy and paste the token, and you can enter the Kubernetes Dashboard management UI.

List all ServiceAccounts

kubectl get serviceaccount --all-namespaces

Method 2: bind the kubernetes-dashboard service account to admin privileges

Run the following command directly:

kubectl create clusterrolebinding kubernetes-dashboard -n kube-system --clusterrole=cluster-admin --serviceaccount=kube-system:kubernetes-dashboard

Or create a file and then apply it with create:

vi kube-dashboard-access.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

kubectl create -f kube-dashboard-access.yaml