k8s之dashboard图形界面
一、dashboard简介
二、k8s安装dashboard
(1)下载dashboard镜像(可选)
提前下载dashboard镜像(可选):
[root@m test]# docker pull mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.0
也可上传至私有仓库(可选):
# 启动私有仓库
[root@m test]# docker start registry
# 给镜像打tag
[root@m test]# docker tag mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.0 192.168.116.170:5000/mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.0
# push镜像到私有仓库
[root@m test]# docker push 192.168.116.170:5000/mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.0
(2)根据yaml文件创建资源
[root@m test]# vi dashboard.yaml
内容(如有需要,注意修改其中的dashboard镜像地址(大约44行)):
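# ConfigMap holding the dashboard's settings; created empty here.
# Kubernetes field names and kinds are case-sensitive, so the camelCase
# spelling and the nesting below must be kept for `kubectl apply` to accept it.
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    # Allows editing resource and makes sure it is created first.
    addonmanager.kubernetes.io/mode: EnsureExists
  name: kubernetes-dashboard-settings
  namespace: kube-system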
---
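# Service account the dashboard pod runs as (referenced by the Deployment's
# serviceAccountName). In this file it is bound only to the namespaced
# kubernetes-dashboard-minimal Role, not to any cluster-wide role.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    addonmanager.kubernetes.io/mode: Reconcile
  name: kubernetes-dashboard
  namespace: kube-system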
---
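# Deployment running the dashboard container on HTTPS port 8443.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
        # Run the pod under the container runtime's default seccomp profile.
        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
    spec:
      priorityClassName: system-cluster-critical
      containers:
      - name: kubernetes-dashboard
        # If the image was pushed to the private registry, use that path here,
        # e.g. 192.168.116.170:5000/mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.0
        # NOTE(review): v1.10.0 is an old dashboard release pulled from a
        # third-party mirror; check the upstream release notes for security
        # fixes in later versions and verify the image before using it
        # outside a lab.
        image: mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.0
        resources:
          limits:
            cpu: 100m
            memory: 300Mi
          requests:
            cpu: 50m
            memory: 100Mi
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          # PLATFORM-SPECIFIC ARGS HERE
          # The dashboard generates its own self-signed certificate, so
          # browsers will show a certificate warning on first access.
          - --auto-generate-certificates
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
        - name: tmp-volume
          mountPath: /tmp
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      tolerations:
      - key: "CriticalAddonsOnly"
        operator: "Exists"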
---
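# Namespaced Role listing the only objects the dashboard's own service
# account may touch. Every rule is pinned to specific resourceNames, so the
# dashboard pod itself cannot read arbitrary secrets in kube-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    addonmanager.kubernetes.io/mode: Reconcile
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]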
---
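# Binds the kubernetes-dashboard-minimal Role to the kubernetes-dashboard
# service account, both in kube-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
    addonmanager.kubernetes.io/mode: Reconcile
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system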
---
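# Secret mounted at /certs in the dashboard container. It is created empty
# here; the Deployment in this file passes --auto-generate-certificates.
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    # Allows editing resource and makes sure it is created first.
    addonmanager.kubernetes.io/mode: EnsureExists
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque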
---
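# Empty placeholder secret; the dashboard's Role in this file grants
# get/update/delete on this exact name.
# NOTE(review): presumably the dashboard stores its own key material here;
# confirm against the dashboard documentation.
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    # Allows editing resource and makes sure it is created first.
    addonmanager.kubernetes.io/mode: EnsureExists
  name: kubernetes-dashboard-key-holder
  namespace: kube-system
type: Opaque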
---
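# Service publishing the dashboard's HTTPS port.
# NOTE(security): type NodePort opens port 30018 on every node's IP, so the
# login page is reachable from any network that can reach the nodes. Restrict
# that port with a firewall, or use a ClusterIP Service together with
# `kubectl port-forward` / `kubectl proxy` when node-level exposure is not
# needed.
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  selector:
    k8s-app: kubernetes-dashboard
  ports:
  - port: 443
    targetPort: 8443
    nodePort: 30018
  type: NodePort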
创建资源:
[root@m test]# kubectl apply -f dashboard.yaml
configmap/kubernetes-dashboard-settings created
serviceaccount/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-key-holder created
service/kubernetes-dashboard created
[root@m test]#
(3)查看资源
[root@m test]# kubectl get pods -n kube-system
[root@m test]# kubectl get pods -n kube-system -o wide
[root@m test]# kubectl get svc -n kube-system
[root@m test]# kubectl get deploy kubernetes-dashboard -n kube-system
# 查看pod创建详情:
[root@m test]# kubectl describe pod kubernetes-dashboard-7bdfc744fc-hmhh2 -n kube-system
(4)生成登录需要的token
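# Create a dedicated service account used only for logging in to the dashboard.
kubectl create sa dashboard-admin -n kube-system
# NOTE(security): cluster-admin grants unrestricted access to the whole
# cluster, so the token printed at the end is equivalent to full cluster
# control. Outside a lab, bind a narrower ClusterRole (for example the
# built-in "view") and treat the token as a secret.
kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
# Look up the name of the token secret belonging to dashboard-admin.
# Only the first match is kept so the variable holds exactly one name.
admin_secret=$(kubectl get secrets -n kube-system | awk '/dashboard-admin/ {print $1; exit}')
# Show the secret name (the variable needs "$" to be expanded).
printf '%s\n' "$admin_secret"
# Print the secret's token. The :? guard stops here when no secret was found;
# with an empty name, `kubectl describe secret` would describe every secret in
# kube-system and the filter would print all of their tokens.
# On clusters that do not auto-create token secrets for service accounts the
# lookup above returns nothing and this guard triggers.
kubectl describe secret -n kube-system "${admin_secret:?no dashboard-admin secret found}" | awk '/^token/ {print $2}'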
# (1)创建service account
[root@m test]# kubectl create sa dashboard-admin -n kube-system
serviceaccount/dashboard-admin created
[root@m test]#
# (2)创建角色绑定关系
[root@m test]# kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
clusterrolebinding.rbac.authorization.k8s.io/dashboard-admin created
[root@m test]#
# (3)查看dashboard-admin的secret名字
[root@m test]# admin_secret=$(kubectl get secrets -n kube-system | grep dashboard-admin | awk '{print $1}')
[root@m test]# echo admin_secret
admin_secret
[root@m test]#
# (4)打印secret的token(浏览器访问需要;该token绑定了cluster-admin权限,等同于集群管理员凭据,请妥善保管,不要公开)
[root@m test]# kubectl describe secret -n kube-system ${admin_secret} | grep -e '^token' | awk '{print $2}'
eyjhbgcioijsuzi1niisimtpzci6iij9.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.nafbf2tuqen-4lflqhdowz8xz08k1rzbmkr0vevfov6c0dvtuulwx4-uxe_ocep8gqgophlj3sxunwckfvonzxzr5799jeilr3ahuavhumb12m45khrpe-95prvgfzs7oppkiixen1cumterkddpro1znbb-pze95-5rgfimrdw-map2ymo1auagmow-jjhxhgtleujdacedcbwm5ybgfbad3akud_c9ejbokr4-yt4imd99td4twzqjypui_qm76rv54qqylyf5laossr2scoiwa2tvhga4elmmong_hqrjjjzmhux9-unaknfm5z8wttabjow8r7xhm6ifhxflsg
[root@m test]#
(5)使用火狐 / 搜狗浏览器访问(个人用的搜狗)
访问地址(登录时输入上一步得到的token):https://192.168.116.170:30018/