In the previous section I set up a crude Kubernetes cluster, but ran into a few pitfalls when logging in to the dashboard.
Starting kube-dashboard
References:
https://segmentfault.com/a/1190000013681047
https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above
Change the service type to NodePort:
```
kubectl -n kube-system edit service kubernetes-dashboard
```
kubectl detects the change and restarts the service automatically.
List all pods and find the dashboard's pod name:
```
root@kube-master:~# kubectl get pods --all-namespaces
NAMESPACE     NAME                                    READY   STATUS    RESTARTS   AGE
kube-system   calico-node-d6bl9                       1/1     Running   0          16h
kube-system   calico-node-mw85c                       1/1     Running   0          16h
kube-system   kube-apiserver-node1                    1/1     Running   0          16h
kube-system   kube-controller-manager-node1           1/1     Running   0          16h
kube-system   kube-dns-7bd4d5fbb6-dq2r6               3/3     Running   0          16h
kube-system   kube-dns-7bd4d5fbb6-pggh9               3/3     Running   0          16h
kube-system   kube-proxy-node1                        1/1     Running   0          16h
kube-system   kube-proxy-node2                        1/1     Running   0          16h
kube-system   kube-scheduler-node1                    1/1     Running   0          16h
kube-system   kubedns-autoscaler-679b8b455-f24b5      1/1     Running   0          16h
kube-system   kubernetes-dashboard-55fdfd74b4-9qplr   1/1     Running   0          16h
kube-system   nginx-proxy-node2                       1/1     Running   0          16h
```
```
root@kube-master:~# kubectl describe pods/kubernetes-dashboard-55fdfd74b4-9qplr -n kube-system
```
Check the service:
```
root@kube-master:~# kubectl -n kube-system get service kubernetes-dashboard
NAME                   TYPE       CLUSTER-IP    EXTERNAL-IP   PORT(S)         AGE
kubernetes-dashboard   NodePort   10.233.5.30   <none>        443:31724/TCP   17h
```
The service is mapped to host port 31724.
Look up the token:
```
kubectl -n kube-system describe secret kubernetes-dashboard-token-kkdvm
```
Or print only the token:
```
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep kubernetes-dashboard-token | awk '{print $1}') | grep token: | awk '{print $2}'
```
```
root@kube-master:~/.kube# kubectl -n kube-system describe secret kubernetes-dashboard-token-kkdvm
```
Open http://master-ip:master-port in a browser and the dashboard appears.
Log in with the token.
After logging in, 12 "forbidden" permission warnings show up.
I found a fairly reliable fix online:
http://blog.51cto.com/devingeng/2096639
But my YAML config has no serviceAccountName: kubernetes-dashboard-admin entry.
A Google search turned up these two:
https://devops.stackexchange.com/questions/3537/how-to-login-to-k8s-proxy-nowadays
https://github.com/kubernetes/dashboard/issues/2681#issuecomment-396644009
They show that RBAC is the culprit:
Kubernetes 1.6 and above add Role-Based Access Control (RBAC), which lets cluster administrators control resource access more precisely according to the roles of specific users or service accounts.
The corresponding official Kubernetes documentation: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
Create the following ClusterRoleBinding to raise the privileges:
```yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
```
Save it as dashboard-rolebinding.yaml,
then create the resource from this YAML file (a pod?):
```
kubectl create -f dashboard-rolebinding.yaml
```
Log in to the dashboard again and the errors are gone.
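The binding above hands the dashboard's ServiceAccount the cluster-admin ClusterRole, so whoever holds that token can do anything in the cluster. As an added example (not from the original post), the script below audits the JSON that `kubectl get clusterrolebindings -o json` returns for ServiceAccounts bound to cluster-admin, and builds the narrower alternative for a login token: a namespace-scoped RoleBinding to the built-in read-only `view` ClusterRole. The sample JSON and the `dashboard-viewer` account name are constructed for the example.

```python
import json

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`.
# The first item mirrors the manifest above; the other two are invented.
SAMPLE_BINDINGS = json.dumps({"items": [
    {"metadata": {"name": "kubernetes-dashboard"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard", "namespace": "kube-system"}]},
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "dashboard-viewer"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "dashboard-viewer", "namespace": "kube-system"}]},
]})

def service_accounts_with_cluster_admin(kubectl_json):
    """Return (binding name, namespace/serviceaccount) for every ServiceAccount
    that a ClusterRoleBinding ties to cluster-admin; any pod or person holding
    such an account's token has full control of the cluster."""
    findings = []
    for item in json.loads(kubectl_json).get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        for subj in item.get("subjects") or []:  # subjects may be null
            if subj.get("kind") == "ServiceAccount":
                sa = f"{subj.get('namespace', 'default')}/{subj['name']}"
                findings.append((item["metadata"]["name"], sa))
    return findings

def scoped_dashboard_binding(sa_name, namespace, role="view"):
    """Narrower alternative for a dashboard login token: a RoleBinding that grants
    only the built-in read-only 'view' ClusterRole inside one namespace to a
    dedicated ServiceAccount (sa_name/namespace are assumed, not from the post)."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": f"{sa_name}-{role}", "namespace": namespace},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": role},
        "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": namespace}],
    }

if __name__ == "__main__":
    for binding, sa in service_accounts_with_cluster_admin(SAMPLE_BINDINGS):
        print(f"cluster-admin granted to ServiceAccount {sa} via ClusterRoleBinding {binding}")
    print(json.dumps(scoped_dashboard_binding("dashboard-viewer", "default"), indent=2))
```

Against a live cluster, pipe `kubectl get clusterrolebindings -o json` into `service_accounts_with_cluster_admin` instead of the constructed sample; the group-based `cluster-admin` binding is intentionally not reported, since the audit is about tokens minted for ServiceAccounts.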
On Securing the Kubernetes Dashboard
Dashboard certificate issue
https://github.com/kubernetes/dashboard/wiki/Installation#recommended-setup
[to do]
API
```
kubectl proxy
curl http://localhost:8001/api/v1/namespaces/default/pods/nginx
```
[to do]