
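0x00 Introduction

Q: What is the Web UI (Dashboard)?

A: Kubernetes Dashboard is a general-purpose, web-based UI for Kubernetes clusters. It lets users manage and troubleshoot the applications running in the cluster, as well as manage the cluster itself.


Q: Why use Dashboard?

A: You can use Dashboard to get an overview of the applications running on the cluster and to create or modify individual Kubernetes resources (such as Deployments, Jobs, and DaemonSets). For example, you can use the deployment wizard to scale a Deployment, start a rolling update, restart a Pod, or deploy a new application.
Dashboard also provides information about the state of Kubernetes resources in the cluster and about any errors that may have occurred.

Appendix:
Kubernetes documentation: https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/
Project repository: https://github.com/kubernetes/dashboard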


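0x01 Installation and Deployment

(1) Environment preparation

Kubernetes environment: a multi-node cluster, which gives workloads high availability and fast scale-out and scale-in.
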
~$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
weiyigeek-107 Ready master 25h v1.19.6
weiyigeek-108 Ready master 25h v1.19.6
weiyigeek-109 Ready master 25h v1.19.6
weiyigeek-223 Ready <none> 17h v1.19.6
weiyigeek-224 Ready <none> 17h v1.19.6
weiyigeek-225 Ready <none> 17h v1.19.6
weiyigeek-226 Ready <none> 17h v1.19.6


(2) Installation procedure

Description: Dashboard can be installed either from the upstream Dashboard YAML manifest or with Helm.

Official installation method

Installation reference: https://github.com/kubernetes/dashboard/blob/master/docs/user/installation.md

  • Step 1. To deploy Dashboard, run the following command:

    $ wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.1.0/aio/deploy/recommended.yaml -O dashboard-v2.1.0.yaml
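  • Step 2. By default a self-signed certificate is generated and kept in memory. To use a custom certificate instead, follow the steps below.
    PS: Dashboard should be accessed over HTTPS with a valid certificate (one issued by a publicly trusted certificate authority such as Let's Encrypt, or issued and renewed automatically by Cert-Manager).

    # (1) The custom certificate must be stored in a secret named kubernetes-dashboard-certs, in the same namespace as Kubernetes Dashboard.
    # Assuming tls.crt and tls.key are stored under $HOME/certs, create the secret from those files:
    kubectl create secret generic kubernetes-dashboard-certs --from-file=$HOME/certs -n kubernetes-dashboard

    # (2) Edit the YAML definition and deploy Dashboard
    kubectl create --edit -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.1.0/aio/deploy/recommended.yaml

    # (3) In the Deployment section, add the arguments to the pod definition so that it looks like this:
    containers:
    - args:
      - --tls-cert-file=/tls.crt
      - --tls-key-file=/tls.key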
  • Step 3. Deploy Dashboard exposed over plain HTTP only, without certificates (not recommended)

    kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.1/aio/deploy/alternative.yaml
  • Step 4. Adjust permissions

    # (1) Add the kubernetes-dashboard administrator ServiceAccount and role binding
    cat > dashboard-role-admin.yaml <<'EOF'
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: kubernetes-dashboard
      namespace: kube-system
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: kubernetes-dashboard
    # Source of the permissions
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io
    # Subject the role is bound to
    subjects:
    - kind: ServiceAccount
      name: kubernetes-dashboard
      namespace: kube-system
    EOF
    kubectl apply -f dashboard-role-admin.yaml

    # (2) Create the Dashboard resources from the manifest
    kubectl create -f dashboard-v2.1.0.yaml
  • Step 5. Change the port used to reach Dashboard over the cluster network

    # (1) Change the Service type to NodePort (30443)
    ~/k8s/dashboard$ kubectl edit svc -n kubernetes-dashboard
    # service/dashboard-metrics-scraper skipped
    # service/kubernetes-dashboard edited

    # (2) kubernetes-dashboard is now a NodePort Service: 10.96.167.225:443 => 30443
    ~$ kubectl get svc -n kubernetes-dashboard
    # NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
    # dashboard-metrics-scraper ClusterIP 10.108.185.162 <none> 8000/TCP 14h
    # kubernetes-dashboard NodePort 10.96.167.225 <none> 443:30443/TCP 14h

    # (3) Access through a port-forward instead:
    # kubectl -n kubernetes-dashboard port-forward svc/kubernetes-dashboard 443:443
  • Step 6. Obtain the Dashboard authentication token

    $ kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | grep kubernetes-dashboard-token | cut -d " " -f 1)
    Name: kubernetes-dashboard-token-mssqb
    Namespace: kubernetes-dashboard
    Labels: <none>
    Annotations: kubernetes.io/service-account.name: kubernetes-dashboard
    kubernetes.io/service-account.uid: 71b738ab-0f07-4e2c-99f9-0236cddd9bb4
    Type: kubernetes.io/service-account-token

    Data
    ====
    ca.crt: 1066 bytes
    namespace: 20 bytes
    token: eyJhbG.....
  • Step 7. Open https://192.168.11.107:30443/#/login to reach the Kubernetes Dashboard login page, choose Token authentication, and sign in.

WeiyiGeek.Kubernetes Dashboard

Reference: https://github.com/kubernetes/dashboard/blob/master/README.md


Helm installation method

Procedure: installing Helm itself is not covered again here; the binary install needs no further explanation.

$ helm repo add k8s-dashboard https://kubernetes.github.io/dashboard
# "k8s-dashboard" has been added to your repositories
$ helm pull k8s-dashboard/kubernetes-dashboard --untar

~/K8s/Day10/dashboard$ tar -xzvf kubernetes-dashboard-3.0.0.tgz

~/K8s/Day10/dashboard$ ls kubernetes-dashboard
# charts Chart.yaml README.md requirements.lock requirements.yaml templates values.yaml

~/K8s/Day10/dashboard$ helm install kubernetes-dashboard kubernetes-dashboard/ --namespace kube-system
# NAME: kubernetes-dashboard
# LAST DEPLOYED: Sun Dec 6 21:45:22 2020
# NAMESPACE: kube-system
# STATUS: deployed
# REVISION: 1
# TEST SUITE: None
# NOTES:
# *********************************************************************************
# *** PLEASE BE PATIENT: kubernetes-dashboard may take a few minutes to install ***
# ********************************************************************************
# Get the Kubernetes Dashboard URL by running:
# export POD_NAME=$(kubectl get pods -n kube-system -l "app.kubernetes.io/name=kubernetes-dashboard,app.kubernetes.io/instance=kubernetes-dashboard" -o jsonpath="{.items[0].metadata.name}") # kubernetes-dashboard-879457794-kxvcr
# echo https://127.0.0.1:8443/
# kubectl -n kube-system port-forward $POD_NAME 8443:8443 # port forwarding

Check the result:

~/K8s/Day10/dashboard$ helm list -n kube-system
# NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
# kubernetes-dashboard kube-system 1 2020-12-06 11:44:44.821856156 +0800 CST deployed kubernetes-dashboard-3.0.0 2.0.4

~/K8s/Day10/dashboard$ helm history kubernetes-dashboard -n kube-system
# REVISION UPDATED STATUS CHART APP VERSION DESCRIPTION
# 1 Sun Dec 6 21:45:22 2020 deployed kubernetes-dashboard-3.0.0 2.0.4 Install complete

# Show the Dashboard Pod details and labels
~/K8s/Day10/dashboard$ kubectl get pod -n kube-system -o wide --show-labels | grep "kubernetes-dashboard-879457794-kxvcr"
# kubernetes-dashboard-879457794-kxvcr 1/1 Running 0 11m 10.244.2.55 k8s-node-5 app.kubernetes.io/component=kubernetes-dashboard,app.kubernetes.io/instance=kubernetes-dashboard,app.kubernetes.io/managed-by=Helm,app.kubernetes.io/name=kubernetes-dashboard,app.kubernetes.io/version=2.0.4,helm.sh/chart=kubernetes-dashboard-3.0.0,pod-template-hash=879457794

# Show the Dashboard Service
~/K8s/Day10/dashboard$ kubectl get svc -n kube-system -o wide | grep "kubernetes-dashboard"
# kubernetes-dashboard ClusterIP 10.104.18.192 <none> 443/TCP 13m app.kubernetes.io/component=kubernetes-dashboard,app.kubernetes.io/instance=kubernetes-dashboard,app.kubernetes.io/name=kubernetes-dashboard

Access via NodePort:

~/K8s/Day10/dashboard$ kubectl edit svc -n kube-system kubernetes-dashboard
service/kubernetes-dashboard edited

# Goal: switch access from ClusterIP:443 to NodeIP:30443
apiVersion: v1
kind: Service
metadata:
  annotations:
    meta.helm.sh/release-name: kubernetes-dashboard
    meta.helm.sh/release-namespace: kube-system
  creationTimestamp: "2020-12-06T13:45:22Z"
  labels:
    app.kubernetes.io/component: kubernetes-dashboard
    app.kubernetes.io/instance: kubernetes-dashboard
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: kubernetes-dashboard
    app.kubernetes.io/version: 2.0.4
    helm.sh/chart: kubernetes-dashboard-3.0.0
    kubernetes.io/cluster-service: "true"
  name: kubernetes-dashboard
  namespace: kube-system
  resourceVersion: "6111082"
  selfLink: /api/v1/namespaces/kube-system/services/kubernetes-dashboard
  uid: 51025b69-7c65-4ac0-a8f2-93a243a33e7d
spec:
  clusterIP: 10.104.18.192
  ports:
  - name: https
    port: 443
    protocol: TCP
    targetPort: https
    nodePort: 30443 # changed
  selector:
    app.kubernetes.io/component: kubernetes-dashboard
    app.kubernetes.io/instance: kubernetes-dashboard
    app.kubernetes.io/name: kubernetes-dashboard
  sessionAffinity: None
  type: NodePort # changed: ClusterIP replaced with NodePort
status:
  loadBalancer: {}


Basic usage:

  • 1) View the authentication token
    ~/K8s/Day10/dashboard$ kubectl -n kube-system get secret | grep kubernetes-dashboard-token
    # kubernetes-dashboard-token-6nrqk kubernetes.io/service-account-token 3 19m

    kubectl describe secret kubernetes-dashboard-token-6nrqk -n kube-system
    # Name: kubernetes-dashboard-token-6nrqk
    # Namespace: kube-system
    # Labels: <none>
    # Annotations: kubernetes.io/service-account.name: kubernetes-dashboard
    # kubernetes.io/service-account.uid: a1685c3b-247e-4802-9d2e-28d5f48e432a

    # Type: kubernetes.io/service-account-token

    # Data
    # ====
    # ca.crt: 1066 bytes
    # namespace: 11 bytes
    # token: .......
WeiyiGeek.Kubernetes-Dashboard

PS: Mind the token expiry time; the logged-in account is signed out automatically.

  • 2) Sign in to the Dashboard console to view the resources that belong to each resource controller
WeiyiGeek.Dashboard home page

Reference: https://artifacthub.io/packages/helm/k8s-dashboard/kubernetes-dashboard?modal=install
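
Added example (not part of the original post): before pasting a token into the login page, it helps to confirm which ServiceAccount it represents. This Python code decodes the JWT payload without verifying the signature; the claim names are those of secret-based service account tokens, the function names are illustrative, and the sample token is constructed from the names in the output above.

```python
import base64
import json

PREFIX = "kubernetes.io/serviceaccount/"


def b64url(data):
    """Base64url-encode bytes without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token):
    """Decode the payload segment of a JWT. The signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_identity(token):
    """Summarise which ServiceAccount a token represents and whether it expires."""
    claims = decode_claims(token)
    return {
        "subject": claims.get("sub"),
        "namespace": claims.get(PREFIX + "namespace"),
        "service_account": claims.get(PREFIX + "service-account.name"),
        "secret": claims.get(PREFIX + "secret.name"),
        "expires": claims.get("exp"),  # None when the token carries no exp claim
    }


# Constructed sample in the shape of a secret-based token (names taken from
# the kubectl output above; the signature segment is a dummy value).
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    PREFIX + "namespace": "kube-system",
    PREFIX + "secret.name": "kubernetes-dashboard-token-6nrqk",
    PREFIX + "service-account.name": "kubernetes-dashboard",
    "sub": "system:serviceaccount:kube-system:kubernetes-dashboard",
}
SAMPLE_TOKEN = ".".join([
    b64url(b'{"alg":"RS256"}'),
    b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    b64url(b"constructed-signature"),
])

if __name__ == "__main__":
    print(token_identity(SAMPLE_TOKEN))
```

A token whose "expires" field is None stays usable until its Secret is deleted, so it should be handled like a long-lived credential.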


(3) MetricServer

Q: What is MetricServer?

A: It is an aggregator of resource usage data for the Kubernetes cluster, collecting data for consumers inside the cluster such as kubectl, HPA, and the scheduler.
Kubernetes recommends metrics-server because heapster (https://github.com/kubernetes/heapster) is DEPRECATED and, starting with Kubernetes 1.12, is being removed from the various Kubernetes installation scripts.

PS: With the official Dashboard installation method, Metric Server is installed and used by default, whereas with the Helm installation metrics-server is disabled by default and has to be enabled manually.

Helm installation method

When deploying Dashboard with Helm, metrics-server can also be installed as a third-party dependency; it only takes a small change to a commented-out setting.

# (1) Enable metrics-server and its arguments
~/K8s/Day10/dashboard/kubernetes-dashboard$ vim +200 values.yaml
## Enable this is you don't already have metrics-server enabled on your cluster and
## want to use it with dashboard metrics-scraper
## refs:
## - https://hub.helm.sh/charts/stable/metrics-server
## - https://github.com/kubernetes-sigs/metrics-server
metrics-server:
  enabled: true
  ## Example for additional args
  args:
  - --logtostderr
  - --kubelet-preferred-address-types=InternalIP
  - --kubelet-insecure-tls

# (2) Before upgrading the release, change the Service back to ClusterIP
~/K8s/Day10/dashboard$ kubectl edit svc -n kube-system kubernetes-dashboard
service/kubernetes-dashboard edited

# (3) Upgrade the given RELEASE_NAME
~/K8s/Day10/dashboard$ helm upgrade kubernetes-dashboard kubernetes-dashboard/ -n kube-system

# (4) Show the Pods related to dashboard
~/K8s/Day10/dashboard$ kubectl get pod -n kube-system -o wide | grep "kubernetes-dashboard"
# kubernetes-dashboard-879457794-kxvcr 1/1 Running 0 23h 10.244.2.55 k8s-node-5
# kubernetes-dashboard-metrics-server-7bc85c65bc-vrxft 0/1 ImagePullBackOff 0 10m 10.244.2.57 k8s-node-5 # key point: ImagePullBackOff

# (5) The image pull failed, so inspect the Pod and download the image manually
~/K8s/Day10/dashboard$ kubectl describe pod kubernetes-dashboard-metrics-server-7bc85c65bc-vrxft -n kube-system
# k8s.gcr.io is unreachable because of the GFW; the workaround is to pull the image manually from the Alibaba Cloud mirror and load it onto node-5 (or change the k8s.gcr.io image repository before installing)
Warning Failed 10m (x4 over 12m) kubelet Failed to pull image "k8s.gcr.io/metrics-server-amd64:v0.3.6": rpc error: code = Unknown desc = Error response from daemon: Get https://k8s.gcr.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
~/K8s/Day10/dashboard$ docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/metrics-server-amd64:v0.3.6
~/K8s/Day10/dashboard$ docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/metrics-server-amd64:v0.3.6 k8s.gcr.io/metrics-server-amd64:v0.3.6
~/K8s/Day10/dashboard$ docker save k8s.gcr.io/metrics-server-amd64:v0.3.6 -o metrics-server-amd64.tar
~/K8s/Day10/dashboard$ scp -P 20211 metrics-server-amd64.tar weiyigeek@10.10.107.215:~
# metrics-server-amd64.tar 100% 39MB 187.5MB/s 00:00
~/K8s/Day10/dashboard$ ssh -p 20211 weiyigeek@10.10.107.215 "docker load -i metrics-server-amd64.tar"
# Loaded image: k8s.gcr.io/metrics-server-amd64:v0.3.6

# (6) metrics-server is now installed successfully
~/K8s/Day10/dashboard$ kubectl get pod -n kube-system -o wide | grep "kubernetes-dashboard-metrics-server-7bc85c65bc-vrxft"
# kubernetes-dashboard-metrics-server-7bc85c65bc-vrxft 1/1 Running 0 27m 10.244.2.57 k8s-node-5 <none> <none>

# (7) Verify that the installed metrics-server returns basic metrics for the cluster nodes:
~$ kubectl top pod
# NAME CPU(cores) MEMORY(bytes)
# dashboard-create-696f45d5db-fj5dg 0m 2Mi
~$ kubectl top node
# NAME CPU(cores) CPU% MEMORY(bytes) MEMORY%
# ubuntu 194m 2% 1377Mi 17%
# k8s-node-4 32m 1% 1351Mi 35%
# k8s-node-5 26m 1% 1134Mi 29%

# (8) Access the application through port-forward; here port 30443 on the master node is forwarded to port 8443 exposed by the Pod
export POD_NAME=$(kubectl get pods -n kube-system -l "app.kubernetes.io/name=kubernetes-dashboard,app.kubernetes.io/instance=kubernetes-dashboard" -o jsonpath="{.items[0].metadata.name}")
echo https://127.0.0.1:30443/
~/K8s/Day10/dashboard$ kubectl -n kube-system port-forward --address 10.10.107.202 $POD_NAME 30443:8443
# Forwarding from 10.10.107.202:30443 -> 8443
# Handling connection for 30443

# Open a new terminal and fetch the access token
~/K8s/Day10/dashboard$ kubectl describe secrets -n kube-system kubernetes-dashboard-token-6nrqk



# (9) Additional notes
~$ helm get all -n kube-system kubernetes-dashboard # show the manifests that were actually applied
~$ helm uninstall kubernetes-dashboard -n kube-system # uninstall the Helm-installed kubernetes-dashboard
release "kubernetes-dashboard" uninstalled

WeiyiGeek.K8s-metrics-server


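0x03 Hands-on Usage

Dashboard: a first try

  • Step 1. Click + in the upper-right corner to create a Pod managed by a Deployment. Enter the application name and container image name as shown in the figure, then set the Service to Internal.
WeiyiGeek.Creating a Pod managed by a Deployment

  • Step 2. Click the Deployments submenu under Workloads on the left to view the Deployment that was created
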
    ~$ kubectl get pod -o wide --show-labels
    # NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES LABELS
    # dashboard-create-696f45d5db-fj5dg 1/1 Running 0 4m23s 10.244.2.56 k8s-node-5 <none> <none> k8s-app=dashboard-create,pod-template-hash=696f45d5db
    WeiyiGeek.Deployments

  • Step 3. Likewise, click the Services submenu under Service to see the details of the Service that was created

    ~$ kubectl get svc  -o wide --show-labels
    # NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR LABELS
    # dashboard-create ClusterIP 10.102.184.126 <none> 80/TCP 4m53s k8s-app=dashboard-create k8s-app=dashboard-create
WeiyiGeek.Service

  • Step 4. Verify that access through the cluster IP and through the Pod IP gives the same result
    ~$ curl http://10.102.184.126/host.html && curl http://10.244.2.56/host.html
    # Hostname: dashboard-create-696f45d5db-fj5dg ,Image Version: 3.0, Nginx Version: 1.19.4
    # Hostname: dashboard-create-696f45d5db-fj5dg ,Image Version: 3.0, Nginx Version: 1.19.4

PS: In summary, Kubernetes-Kuboard makes it very easy to deploy a chosen application to Kubernetes.


0x04 Pitfalls and Fixes

Problem 1. pods is forbidden: User "system:serviceaccount:kube-system:namespace-controller" cannot create resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope

Cause:

  • 1. The user is not allowed to create Pods in the default namespace through the API group; that is, the user signed in with the original token has no permission to perform the operation.
  • 2. In addition, the Helm install only binds kubernetes-dashboard-metrics to a cluster role.
    # Bound roles
    ~/K8s/Day10/dashboard/kubernetes-dashboard$ kubectl get ClusterRoleBinding -n kube-system | grep "kubernetes-dashboard"
    kubernetes-dashboard-metrics ClusterRole/kubernetes-dashboard-metrics

    # List all ClusterRoles in the cluster
    ~/K8s/Day10/dashboard/kubernetes-dashboard$ kubectl get clusterrole

    # Its permissions are very limited
    ~/K8s/Day10/dashboard/kubernetes-dashboard$ kubectl get clusterrole kubernetes-dashboard-metrics -o yaml
    rules:
    - apiGroups:
      - metrics.k8s.io
      resources:
      - pods
      - nodes
      verbs:
      - get
      - list
      - watch

Solution:

# 1. Create the kubernetes-dashboard administrator role binding
cat > k8s-admin.yaml <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard
# Subject the role is bound to
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
# Source of the permissions
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
EOF
kubectl create -f k8s-admin.yaml


# 2. Verify the ClusterRoleBinding resources
~/K8s/Day10/dashboard/$ kubectl get ClusterRoleBinding -n kube-system | grep "kubernetes-dashboard"
# NAME ROLE AGE
# kubernetes-dashboard ClusterRole/cluster-admin 17m
# kubernetes-dashboard-metrics ClusterRole/kubernetes-dashboard-metrics 70m

~/K8s/Day10/dashboard/$ kubectl describe ClusterRoleBinding -n kube-system kubernetes-dashboard
# Name: kubernetes-dashboard
# Labels: <none>
# Annotations: <none>
# Role:
# Kind: ClusterRole
# Name: cluster-admin
# Subjects:
# Kind Name Namespace
# ---- ---- ---------
# ServiceAccount kubernetes-dashboard kube-system


# 3. Get the token of the dashboard administrator account
kubectl describe secret kubernetes-dashboard-token-7z6zm -n kube-system

# 4. Sign in to the kubernetes-dashboard web UI with the token shown on line 12 of the output of the previous step

PS: When Kubernetes-Dashboard is installed with Helm, the ServiceAccount resource has already been created, so only the ClusterRoleBinding resource needs to be created.

Reference: https://blog.csdn.net/qq_38900565/article/details/100729686
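
Added example (not part of the original post): a Python check that flags three settings this walkthrough applies and that widen exposure: cluster-admin bound to the Dashboard ServiceAccount (Step 4 and the fix for Problem 1), the NodePort Service (Step 5), and --kubelet-insecure-tls on metrics-server. The function name audit and the sample objects are constructed for illustration; real input would be the items array from kubectl get clusterrolebinding,svc,deploy -A -o json.

```python
import json

# Constructed sample: the objects this walkthrough creates, in the shape of the
# "items" array returned by `kubectl get clusterrolebinding,svc,deploy -A -o json`.
SAMPLE = json.loads("""
[
 {"kind": "ClusterRoleBinding", "metadata": {"name": "kubernetes-dashboard"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                "namespace": "kube-system"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "kubernetes-dashboard-metrics"},
  "roleRef": {"kind": "ClusterRole", "name": "kubernetes-dashboard-metrics"},
  "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                "namespace": "kube-system"}]},
 {"kind": "Service",
  "metadata": {"name": "kubernetes-dashboard", "namespace": "kube-system"},
  "spec": {"type": "NodePort", "ports": [{"port": 443, "nodePort": 30443}]}},
 {"kind": "Deployment",
  "metadata": {"name": "kubernetes-dashboard-metrics-server", "namespace": "kube-system"},
  "spec": {"template": {"spec": {"containers": [
     {"name": "metrics-server",
      "args": ["--logtostderr", "--kubelet-insecure-tls"]}]}}}}
]
""")


def audit(items):
    """Return (object name, finding) pairs for the risky settings on this page."""
    findings = []
    for obj in items:
        kind = obj.get("kind")
        name = obj.get("metadata", {}).get("name", "?")
        spec = obj.get("spec", {})
        if kind == "ClusterRoleBinding":
            if obj.get("roleRef", {}).get("name") != "cluster-admin":
                continue
            for subj in obj.get("subjects") or []:
                if subj.get("kind") == "ServiceAccount":
                    findings.append((name, "cluster-admin bound to ServiceAccount "
                                     "%s/%s; its token controls the whole cluster"
                                     % (subj.get("namespace"), subj.get("name"))))
        elif kind == "Service" and spec.get("type") == "NodePort" and "dashboard" in name:
            ports = [p.get("nodePort") for p in spec.get("ports", [])]
            findings.append((name, "Dashboard exposed on every node IP, ports %s" % ports))
        elif kind == "Deployment":
            pod = spec.get("template", {}).get("spec", {})
            for c in pod.get("containers", []):
                if "--kubelet-insecure-tls" in (c.get("args") or []):
                    findings.append((name, "container %s does not verify kubelet "
                                     "serving certificates" % c.get("name")))
    return findings


if __name__ == "__main__":
    for name, msg in audit(SAMPLE):
        print("%-40s %s" % (name, msg))
```

Binding the ServiceAccount to a narrower role, such as the built-in view ClusterRole, clears the first finding for read-only use.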


Problem 2. When metrics-server is installed with Helm, the image reference is wrong and the Pod ends up in ImagePullBackOff

Error message:

Warning  Failed     10m (x4 over 12m)     kubelet            Failed to pull image "k8s.gcr.io/metrics-server-amd64:v0.3.6": rpc error: code = Unknown desc = Error response from daemon: Get https://k8s.gcr.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

Fix:

  • 1. Pull the metrics-server-amd64:v0.3.6 image from the Alibaba Cloud Kubernetes mirror, retag it, and then load it onto the node where metrics-server runs.
  • 2. When upgrading, specify or change image.repository in the configuration file:
    ~/K8s/Day10/dashboard$ grep "k8s.gcr.io" kubernetes-dashboard/charts/metrics-server/*
    # kubernetes-dashboard/charts/metrics-server/values.yaml: repository: k8s.gcr.io/metrics-server-amd64
    ~/K8s/Day10/dashboard$ sed -i "s#k8s.gcr.io#registry.cn-hangzhou.aliyuncs.com/google_containers#g" kubernetes-dashboard/charts/metrics-server/values.yaml