[root@k8s-master ~]# wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0/aio/deploy/recommended.yaml | |
# 文件内容如下,已将 dashboard 的 Service 改为 NodePort 方式(NodePort 会在每个节点的 30000 端口上暴露 dashboard,请用防火墙或安全组限制可访问的来源地址)
[root@k8s-master ~]# cat recommended.yaml | |
# Copyright 2017 The Kubernetes Authors. | |
# | |
# Licensed under the Apache License, Version 2.0 (the "License"); | |
# you may not use this file except in compliance with the License. | |
# You may obtain a copy of the License at | |
# | |
# http://www.apache.org/licenses/LICENSE-2.0 | |
# | |
# Unless required by applicable law or agreed to in writing, software | |
# distributed under the License is distributed on an "AS IS" BASIS, | |
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
# See the License for the specific language governing permissions and | |
# limitations under the License. | |
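# Namespace that holds the namespaced Dashboard objects defined in this manifest.
apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard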
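---
# Identity the Dashboard and metrics-scraper pods run as: both Deployments in
# this manifest set `serviceAccountName: kubernetes-dashboard`.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard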
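---
# Service in front of the Dashboard pods (selector `k8s-app: kubernetes-dashboard`),
# forwarding service port 443 to the container's HTTPS port 8443.
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  # Added by the article author; without `type` the Service defaults to ClusterIP.
  # NodePort publishes the Dashboard on port 30000 of every node address, so who
  # can reach the login page is decided by node firewalls / security groups, not
  # by the cluster. Restrict the source addresses, or keep ClusterIP and reach the
  # Dashboard through `kubectl port-forward` or `kubectl proxy` instead.
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      # Added by the article author: fixed node port (default NodePort range is 30000-32767).
      nodePort: 30000
  selector:
    k8s-app: kubernetes-dashboard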
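---
# Opaque secret created without data; the Dashboard Deployment in this manifest
# mounts it at /certs.
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
type: Opaque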
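---
# Opaque secret with an empty `csrf` key. The Dashboard Role in this manifest
# allows get/update/delete on it, so the value is presumably written by
# Dashboard at runtime (confirm against the Dashboard documentation).
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
type: Opaque
data:
  csrf: ""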
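---
# Opaque secret created without data. The Dashboard Role in this manifest
# allows get/update/delete on it by name.
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
type: Opaque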
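---
# Config map created without data. The Dashboard Role in this manifest allows
# get/update on it by name.
kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard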
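---
# Namespaced permissions for the Dashboard's own service account. Every rule is
# pinned with `resourceNames`, so it covers only the listed objects inside the
# kubernetes-dashboard namespace, not all secrets/config maps/services there.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
    # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]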
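---
# Cluster-wide, read-only access (get/list/watch) to pod and node metrics in the
# metrics.k8s.io API group. This is the only cluster-scoped permission the
# Dashboard's own service account receives from this manifest.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]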
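---
# Grants the namespaced Role `kubernetes-dashboard` to the service account of
# the same name in the kubernetes-dashboard namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard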
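---
# Grants the ClusterRole `kubernetes-dashboard` (metrics read access) to the
# Dashboard service account. It does not grant cluster-admin: what a logged-in
# user can do depends on the token that user presents at login.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard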
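---
# Single-replica Deployment of the Dashboard web UI, serving HTTPS on 8443.
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
        - name: kubernetes-dashboard
          # Referenced by tag and pulled on every start (imagePullPolicy: Always).
          # A tag can be re-pointed in the registry; use `image@sha256:<digest>`
          # if the deployed content must be pinned.
          image: kubernetesui/dashboard:v2.0.0
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            # Dashboard generates its own (self-signed) certificate, so clients
            # cannot verify the server's identity unless they trust it out of band.
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
            # Create on-disk volume to store exec logs
            # (the root filesystem is read-only, so /tmp must be a separate volume).
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          # Container hardening: non-root UID/GID, no privilege escalation,
          # read-only root filesystem.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule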
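---
# Service for the metrics scraper on port 8000. No `type` is set, so it stays
# a ClusterIP service reachable only from inside the cluster; the scraper's
# liveness probe in this manifest uses plain HTTP on the same port.
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper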
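---
# Single-replica Deployment of the metrics scraper, serving plain HTTP on 8000.
# It runs under the same service account as the Dashboard itself.
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
      annotations:
        # Alpha-annotation form of the seccomp setting. Since Kubernetes 1.19 the
        # field `securityContext.seccompProfile` (type: RuntimeDefault) is the
        # supported way to request the runtime's default profile; check which
        # form the target cluster honours.
        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
    spec:
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.4
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
            # Writable scratch space; the root filesystem is read-only.
            - mountPath: /tmp
              name: tmp-volume
          # Container hardening: non-root UID/GID, no privilege escalation,
          # read-only root filesystem.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}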
创建 admin ServiceAccount(SA)用于登录 dashboard。注意:下面的 SA 绑定了 cluster-admin,它的 token 拥有整个集群的全部权限,只适合测试环境;生产环境应按需绑定权限更小的角色。
[root@k8s-master ~]# cat admin-role.yaml | |
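# Binds the built-in `cluster-admin` ClusterRole to the `admin-kd` service
# account. Whoever holds that account's token has unrestricted access to every
# resource in the cluster, including through the Dashboard when it is exposed
# on a node port. Bind a narrower role (for example the built-in `view`) if
# full administration through the UI is not required.
kind: ClusterRoleBinding
# `rbac.authorization.k8s.io/v1beta1` was removed in Kubernetes 1.22; `v1` has
# been served since 1.8 and takes the same fields.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin-kd
  annotations:
    # NOTE(review): this annotation is the one carried by the API server's own
    # default RBAC objects; it looks unnecessary on a hand-made binding —
    # confirm before relying on it.
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: admin-kd
    namespace: kubernetes-dashboard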
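---
# Service account whose token is used to log in to the Dashboard. The
# ClusterRoleBinding `admin-kd` in this file gives it cluster-admin, so treat
# its token as a cluster-wide administrator credential.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-kd
  namespace: kubernetes-dashboard
  labels:
    # NOTE(review): these two labels follow the addon-manager convention. On a
    # cluster that runs the addon manager, objects labelled this way may be
    # managed by it — confirm they are wanted on a hand-created account.
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile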
查看 token(secret 名称的随机后缀在每个集群中都不同,可先用 kubectl -n kubernetes-dashboard get secret 查到实际名称)
[root@k8s-master ~]# kubectl -n kubernetes-dashboard describe secret admin-kd-token-cqpbv | |
Name: admin-kd-token-cqpbv | |
Namespace: kubernetes-dashboard | |
Labels: <none> | |
Annotations: kubernetes.io/service-account.name: admin-kd | |
kubernetes.io/service-account.uid: 59c0082b-49d1-4d45-a215-9e113fbbcc31 | |
Type: kubernetes.io/service-account-token | |
Data | |
==== | |
namespace: 20 bytes | |
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IlFIUGRLbmhUeVhQU0c3LUxvUk9VdHVwVW9lbGFHYzlWM2JPQmo1d1FJRW8ifQ.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.BU-N5yS_Xle4DOX6fznpNW-vtxpH1gmHdw5DZH98HcQ5KUWuZ8Nf7TtXrDAB3Nq1NAu_ll1cGU-IBOY1dvGCqIbaNQ9Ti1Uyi36tQXoAjmmomVTKSc1xb67mpobLkpE_xXf1bLau6BdcYXWRutswImHFNfVEAgAGftRnkb32swLW3z8ZRjY4GmTRSGFBYFBdPRBsR7Im_HLEosz_WxCBRRYtVc8o3O2T7ZQyEm59uAxVn7qPszwnDwgDTR8kOPRG7rJy6KIWEDfQG6lRrlr9X1M73tH7gfOQAiTSOSBjIEDK7FY5eTuu_XkLTpzNq6nj941z3nx3M23tgTYVY_59HQ | |
ca.crt: 1025 bytes | |
# 使用上面的 token 登录即可。该 token 对应 cluster-admin 权限且不会自动过期,不要公开或写入文档;一旦泄露,应删除对应的 secret 或 ServiceAccount 使其失效。
