Appearance
通常我们使用kubectl
命令来管理k8s的各种资源,进行各种操作。还有一种方式就是通过Dashboard,以可视化的方式,在网页上进行操作。
一、安装
执行:
sh
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
这将会在kube-system
这个namespace下创建一系列资源:
secret "kubernetes-dashboard-certs" configured
serviceaccount "kubernetes-dashboard" configured
role.rbac.authorization.k8s.io "kubernetes-dashboard-minimal" configured
rolebinding.rbac.authorization.k8s.io "kubernetes-dashboard-minimal" configured
deployment.apps "kubernetes-dashboard" configured
service "kubernetes-dashboard" configured
接下来查看这些资源。
执行:
sh
$ kubectl get deploy kubernetes-dashboard --namespace=kube-system
输出:
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
kubernetes-dashboard 1 1 1 1 17s
执行:
sh
$ kubectl get service kubernetes-dashboard --namespace=kube-system
输出:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes-dashboard ClusterIP 10.101.235.135 <none> 443/TCP 1m
二、访问
执行:
sh
$ kubectl describe service kubernetes-dashboard --namespace=kube-system
输出:
Name: kubernetes-dashboard
Namespace: kube-system
Labels: k8s-app=kubernetes-dashboard
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"k8s-app":"kubernetes-dashboard"},"name":"kubernetes-dashboard","namespace":...
Selector: k8s-app=kubernetes-dashboard
Type: ClusterIP
IP: 10.101.235.135
Port: <unset> 443/TCP
TargetPort: 8443/TCP
Endpoints: 10.1.0.26:8443
Session Affinity: None
Events: <none>
可以看到Type字段为ClusterIP,因此Dashboard暂时只能在k8s集群内访问,无法从外部访问。如果想要从外部访问,有两种方式。
1. kubectl proxy
执行:
sh
$ kubectl proxy
然后访问 http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
.
2. 修改Type
执行:
sh
$ kubectl edit service kubernetes-dashboard --namespace=kube-system
修改type为NodePort:
yaml
spec:
clusterIP: 10.101.235.135
ports:
- port: 443
protocol: TCP
targetPort: 8443
selector:
k8s-app: kubernetes-dashboard
sessionAffinity: None
type: NodePort
然后查看Service:
sh
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes-dashboard NodePort 10.101.235.135 <none> 443:30756/TCP 17m
可以看到Service的443端口映射到了主机的30756端口,然后访问https://localhost:30576
即可。
注意:必须是https,而且由于默认使用的是自签名证书,因此浏览器可能会弹出安全警告。
三、登录
打开页面后,登录页如图:
登录方式支持Kubeconfig和Token两种。
1. Token登录
通过执行:
sh
$ kubectl get serviceaccount --namespace=kube-system
可以看到,默认已经创建了kubernetes-dashboard账号。
执行:
sh
$ kubectl describe secret kubernetes-dashboard-token --namespace=kube-system
得到:
Name: kubernetes-dashboard-token-n4f4g
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name=kubernetes-dashboard
kubernetes.io/service-account.uid=0531dc48-319d-11e9-9020-025000000001
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZC10b2tlbi1uNGY0ZyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjA1MzFkYzQ4LTMxOWQtMTFlOS05MDIwLTAyNTAwMDAwMDAwMSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTprdWJlcm5ldGVzLWRhc2hib2FyZCJ9.YqR0TUTpnAQ-dJ-daGpjrLs4DJbg0g-nAxKnrYm1S0R32EhMUNKojdJpJ_FzTaf1UFrZrcNkWSvT3YrpqcYBXezhontGI2sDPZrnS7VWjw7DgDQ9jRgy8Svs4SvX7HzQJuEUBrJe2MtoraD6z7_KDuIIdPivdPAAC0emnuc9ghfxDTKSlyjx5QIrs3ljaTbaxhfigu1pb9gbDAGz8YGkQzOBtGx2gHzTZgiXqxSxqp56YG10LWUxPVE7cLRIRxih1eq_pvfX0Xt70gn-7WDC-6Sz-zn-ObnRzdntyD1Y9_OpIVdXnFmTutnBAXpG_uE0XM1oCGRQahJrxVFOr1LYtQ
使用这里的token即可登录。
当然也可以自己创建账号来登录,例如:
yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kube-system
这里创建了一个admin-user的账号,然后执行:
sh
$ kubectl describe secret admin-user-token --namespace=kube-system
获取token用来登录即可。