In the previous post I set up a bare-bones Kubernetes cluster, but I ran into a few pitfalls when logging in to the dashboard.

Starting kube-dashboard

References
https://segmentfault.com/a/1190000013681047
https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above

Edit the service and change its type to NodePort:

kubectl -n kube-system edit service kubernetes-dashboard

Once the edit is saved, kubectl picks up the change and the service is restarted automatically.

List all pods and find the name of the dashboard pod:

# kubectl get pods --all-namespaces
NAMESPACE     NAME                                      READY   STATUS    RESTARTS   AGE
kube-system   calico-node-d6bl9                         1/1     Running   0          16h
kube-system   calico-node-mw85c                         1/1     Running   0          16h
kube-system   kube-apiserver-node1                      1/1     Running   0          16h
kube-system   kube-controller-manager-node1             1/1     Running   0          16h
kube-system   kube-dns-7bd4d5fbb6-dq2r6                 3/3     Running   0          16h
kube-system   kube-dns-7bd4d5fbb6-pggh9                 3/3     Running   0          16h
kube-system   kube-proxy-node1                          1/1     Running   0          16h
kube-system   kube-proxy-node2                          1/1     Running   0          16h
kube-system   kube-scheduler-node1                      1/1     Running   0          16h
kube-system   kubedns-autoscaler-679b8b455-f24b5        1/1     Running   0          16h
kube-system   kubernetes-dashboard-55fdfd74b4-9qplr     1/1     Running   0          16h
kube-system   nginx-proxy-node2                         1/1     Running   0          16h

# kubectl describe pods/kubernetes-dashboard-55fdfd74b4-9qplr -n kube-system
Name:           kubernetes-dashboard-55fdfd74b4-9qplr
Namespace:      kube-system
Node:           node1/10.140.0.3
Start Time:     Tue, 31 Jul 2018 09:20:18 +0000
Labels:         k8s-app=kubernetes-dashboard
                pod-template-hash=1198983060
Annotations:    <none>
Status:         Running
IP:             10.233.102.130
Controlled By:  ReplicaSet/kubernetes-dashboard-55fdfd74b4
Containers:
  kubernetes-dashboard:
    Container ID:  docker://9c20855413cca06756a812a4d7cf20308d14328f7691e347f040135d4de62b4b
    Image:         gcr.io/google_containers/kubernetes-dashboard-amd64:v1.8.3
    Image ID:      docker-pullable://gcr.io/google_containers/kubernetes-dashboard-amd64@sha256:dc4026c1b595435ef5527ca598e1e9c4343076926d7d62b365c44831395adbd0
    Port:          8443/TCP
    Host Port:     0/TCP
    Args:
      --auto-generate-certificates
      --authentication-mode=token
    State:          Running
      Started:      Tue, 31 Jul 2018 09:20:37 +0000
    Ready:          True
    Restart Count:  0
    Limits:
      cpu:     100m
      memory:  256M
    Requests:
      cpu:     50m
      memory:  64M
    Liveness:     http-get https://:8443/ delay=30s timeout=30s period=10s #success=1 #failure=3
    Environment:  <none>
    Mounts:
      /certs from kubernetes-dashboard-certs (rw)
      /tmp from tmp-volume (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kubernetes-dashboard-token-kkdvm (ro)
Conditions:
  Type           Status
  Initialized    True
  Ready          True
  PodScheduled   True
Volumes:
  kubernetes-dashboard-certs:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  kubernetes-dashboard-certs
    Optional:    false
  tmp-volume:
    Type:    EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
  kubernetes-dashboard-token-kkdvm:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  kubernetes-dashboard-token-kkdvm
    Optional:    false
QoS Class:       Burstable
Node-Selectors:  <none>
Tolerations:     node-role.kubernetes.io/master:NoSchedule
Events:          <none>

Check the service:
kubectl -n kube-system get service kubernetes-dashboard

# kubectl -n kube-system get service kubernetes-dashboard
NAME                   TYPE       CLUSTER-IP    EXTERNAL-IP   PORT(S)         AGE
kubernetes-dashboard   NodePort   10.233.5.30   <none>        443:31724/TCP   17h

So the dashboard is exposed on host port 31724.

Get the token:
kubectl -n kube-system describe secret kubernetes-dashboard-token-kkdvm
Or, to print only the token value:
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep kubernetes-dashboard-token | awk '{print $1}') | grep token: | awk '{print $2}'

# kubectl -n kube-system describe secret kubernetes-dashboard-token-kkdvm
Name:         kubernetes-dashboard-token-kkdvm
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name=kubernetes-dashboard
              kubernetes.io/service-account.uid=f0b59d2e-94a2-11e8-acc2-42010a8c0003

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1094 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsI....NB88GOupNZewlbGucsdFcB98cNlkMeyNJg1qPJP-f4oo0iiD9VAyNmkYMVoTXmbXi3003opcZ7MKMPR6iWFNEDXVejviUB5geg

Open http://master-ip:master-port in a browser and the dashboard appears.
After logging in with the token, however, the dashboard showed 12 "forbidden" permission errors.

The most plausible fix I found online was this one:
http://blog.51cto.com/devingeng/2096639
but my YAML configuration had no serviceAccountName: kubernetes-dashboard-admin entry.

Google turned up these two discussions:

https://devops.stackexchange.com/questions/3537/how-to-login-to-k8s-proxy-nowadays
https://github.com/kubernetes/dashboard/issues/2681#issuecomment-396644009

It turned out RBAC was to blame.
Kubernetes 1.6 and later added Role-Based Access Control (RBAC), which lets cluster administrators grant resource access precisely, per role, to specific users or service accounts.

The corresponding official Kubernetes documentation is: https://kubernetes.io/docs/reference/access-authn-authz/rbac/

Create the following ClusterRoleBinding to grant the dashboard service account the missing permissions:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

Save it as dashboard-rolebinding.yaml.

Then create the object (a ClusterRoleBinding, not a pod) from this YAML file:

kubectl create -f dashboard-rolebinding.yaml

Logging in to the dashboard again no longer produces the permission errors.

On Securing the Kubernetes Dashboard

Dashboard certificate issue

https://github.com/kubernetes/dashboard/wiki/Installation#recommended-setup

[to do]

API

kubectl proxy

curl http://localhost:8001/api/v1/namespaces/default/pods/nginx

https://docs.kubernetes.io/docs/tasks/access-kubernetes-api/http-proxy-access-api/#exploring-the-kubernetes-api

[to do]