Deploying Dashboard 2.5 on Kubernetes
kubectl proxy
kubectl proxy creates a proxy server between your machine and Kubernetes API server. By default, it is only accessible locally (from the machine that started it).
First let's check if kubectl is properly configured and has access to the cluster. In case of error follow this guide to install and set up kubectl.
kubectl cluster-info
The output is similar to this:
Kubernetes master is running at https://192.168.30.148:6443
KubeDNS is running at https://192.168.30.148:6443/api/v1/namespaces/kube-system/services/kube-dns/proxy
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
Start local proxy server.
kubectl proxy
The output is similar to this:
Starting to serve on 127.0.0.1:8001
Once the proxy server has been started you should be able to access Dashboard from your browser.
To access the HTTPS endpoint of dashboard go to:
http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
kubectl port-forward
Instead of kubectl proxy, you can use kubectl port-forward and access Dashboard with a simpler URL.
kubectl port-forward -n kubernetes-dashboard service/kubernetes-dashboard 8080:443
To access Kubernetes Dashboard go to:
https://localhost:8080
NodePort
This way of accessing Dashboard is only recommended for development environments in a single node setup.
Edit kubernetes-dashboard service.
kubectl -n kubernetes-dashboard edit service kubernetes-dashboard
You should see the YAML representation of the service. Change type: ClusterIP to type: NodePort and save the file. If it's already changed, go to the next step.
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
...
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  resourceVersion: "343478"
  selfLink: /api/v1/namespaces/kubernetes-dashboard/services/kubernetes-dashboard
  uid: 8e48f478-993d-11e7-87e0-901b0e532516
spec:
  clusterIP: 10.100.124.90
  externalTrafficPolicy: Cluster
  ports:
  - port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}
Next we need to check the port on which Dashboard was exposed.
kubectl -n kubernetes-dashboard get service kubernetes-dashboard
The output is similar to this:
NAME                   TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
kubernetes-dashboard   NodePort   10.100.124.90   <nodes>       443:31707/TCP   21h
Dashboard has been exposed on port 31707 (HTTPS). Now you can access it from your browser at: https://<master-ip>:31707. master-ip can be found by executing kubectl cluster-info. Usually it is either 127.0.0.1 or IP of your machine, assuming that your cluster is running directly on the machine, on which these commands are executed.
If you are trying to expose Dashboard using NodePort on a multi-node cluster, you have to find out the IP of the node on which Dashboard is running to access it. Instead of accessing https://<master-ip>:<nodePort> you should access https://<node-ip>:<nodePort>.
API Server
In case the Kubernetes API server is exposed and accessible from outside, you can directly access Dashboard at: https://<master-ip>:<apiserver-port>/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
Note: This way of accessing Dashboard is only possible if you choose to install your user certificates in the browser. For example, the certificates used by the kubeconfig file to contact the API Server can be used.
Ingress
Dashboard can also be exposed using an Ingress resource. For more information check: https://kubernetes.io/docs/concepts/services-networking/ingress.
Login not available
If your login view displays the error below, this means that you are trying to log in over HTTP and it has been disabled for security reasons.
Logging in is available only if URL used to access Dashboard starts with:
http://localhost/...
http://127.0.0.1/...
https://<domain_name>/...
Install
To deploy Dashboard, execute the following command:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.5.0/aio/deploy/recommended.yaml
Alternatively, you can install Dashboard using Helm as described at https://artifacthub.io/packages/helm/k8s-dashboard/kubernetes-dashboard.
Access
To access Dashboard from your local workstation you must create a secure channel to your Kubernetes cluster. Run the following command:
kubectl proxy
Now access Dashboard at:
http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
Create An Authentication Token (RBAC)
Creating a Service Account
First, we create a Service Account named admin-user in the kubernetes-dashboard namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
Creating a ClusterRoleBinding
In most cases after provisioning the cluster using kops, kubeadm or any other popular tool, the ClusterRole cluster-admin already exists in the cluster. We can use it and create only a ClusterRoleBinding for our ServiceAccount. If it does not exist then you need to create this role first and grant required privileges manually.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
Getting a Bearer Token
Now we need to find the token we can use to log in. Execute the following command:
kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}"
It should print something like:
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLXY1N253Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIwMzAzMjQzYy00MDQwLTRhNTgtOGE0Ny04NDllZTliYTc5YzEiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6YWRtaW4tdXNlciJ9.Z2JrQlitASVwWbc-s6deLRFVk5DWD3P_vjUFXsqVSY10pbjFLG4njoZwh8p3tLxnX_VBsr7_6bwxhWSYChp9hwxznemD5x5HLtjb16kI9Z7yFWLtohzkTwuFbqmQaMoget_nYcQBUC5fDmBHRfFvNKePh_vSSb2h_aYXa8GV5AcfPQpY7r461itme1EXHQJqv-SN-zUnguDguCTjD80pFZ_CmnSE1z9QdMHPB8hoB4V68gtswR1VLa6mSYdgPwCHauuOobojALSaMc3RH7MmFUumAgguhqAkX3Omqd3rJbYOMRuMjhANqd08piDC3aIabINX6gP5-Tuuw2svnV6NYQ
Now copy the token and paste it into the Enter token field on the login screen.
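Before pasting a token into the login screen, it helps to see which identity it authenticates as and whether it ever expires. The following is an added example, not part of the original post or the Dashboard project: shell helpers that decode a service account JWT payload. The function names and both sample tokens are constructed here, and the payload is only decoded, not signature-verified.

```shell
#!/bin/sh
# Added example: inspect a service account JWT before using it as a login token.
# The sample tokens below are constructed for illustration, not real credentials.

# base64url-encode stdin (used only to build the constructed samples).
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }

# Print the decoded JSON payload (second dot-separated segment) of a JWT.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  # base64url omits '=' padding; restore it so base64 -d accepts the input.
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done
  printf '%s' "$seg" | base64 -d
}

# Print the value of a string claim, e.g. jwt_claim "$TOKEN" sub
jwt_claim() {
  jwt_payload "$1" | sed -n 's|.*"'"$2"'":"\([^"]*\)".*|\1|p'
}

# Print the numeric exp claim, or "none" when the token carries no expiry.
jwt_expiry() {
  exp=$(jwt_payload "$1" | grep -o '"exp":[0-9]*' | cut -d: -f2 || true)
  printf '%s\n' "${exp:-none}"
}

# Summarise who the token authenticates as and whether it is time-limited.
describe_token() {
  printf 'subject=%s expiry=%s\n' "$(jwt_claim "$1" sub)" "$(jwt_expiry "$1")"
}

SUBJECT='system:serviceaccount:kubernetes-dashboard:admin-user'
HEADER=$(printf '%s' '{"alg":"RS256"}' | b64url)
# Constructed payload shaped like a Secret-based token: no exp claim.
LEGACY_TOKEN="$HEADER.$(printf '{"iss":"kubernetes/serviceaccount","sub":"%s"}' "$SUBJECT" | b64url).sig"
# Constructed payload with an expiry (Unix time 1700000000).
BOUND_TOKEN="$HEADER.$(printf '{"exp":1700000000,"sub":"%s"}' "$SUBJECT" | b64url).sig"

describe_token "$LEGACY_TOKEN"
describe_token "$BOUND_TOKEN"
```

To check a real token, pass the output of the kubectl command above as the argument to describe_token. A result of expiry=none for a subject bound to cluster-admin means the token stays valid until its Secret or ServiceAccount is deleted.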
