Checking how to set up the Kubernetes Web UI Dashboard

Introduction

Let's check how to set up the Kubernetes Dashboard.

 

This is the cluster used here. Incidentally, it was created on OCI compute instances.

$ kubectl get node
NAME       STATUS   ROLES                  AGE     VERSION
master05   Ready    control-plane,master   6d17h   v1.23.3
worker05   Ready    <none>                 6d17h   v1.23.3

Deploying the dashboard

The dashboard is not deployed by default, so we deploy it.

$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0/aio/deploy/recommended.yaml
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
Warning: spec.template.metadata.annotations[seccomp.security.alpha.kubernetes.io/pod]: deprecated since v1.19, non-functional in v1.25+; use the "seccompProfile" field instead
deployment.apps/dashboard-metrics-scraper created

Check the result.

$ kubectl get ns
NAME                   STATUS   AGE
default                Active   6d17h
kube-node-lease        Active   6d17h
kube-public            Active   6d17h
kube-system            Active   6d17h
kubernetes-dashboard   Active   24s
$ kubectl -n kubernetes-dashboard get all
NAME                                            READY   STATUS    RESTARTS   AGE
pod/dashboard-metrics-scraper-79459f84f-9cchf   1/1     Running   0          33s
pod/kubernetes-dashboard-76dc96b85f-4df2m       1/1     Running   0          33s

NAME                                TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
service/dashboard-metrics-scraper   ClusterIP   10.104.189.193   <none>        8000/TCP   33s
service/kubernetes-dashboard        ClusterIP   10.106.55.147    <none>        443/TCP    34s

NAME                                        READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/dashboard-metrics-scraper   1/1     1            1           33s
deployment.apps/kubernetes-dashboard        1/1     1            1           33s

NAME                                                  DESIRED   CURRENT   READY   AGE
replicaset.apps/dashboard-metrics-scraper-79459f84f   1         1         1       33s
replicaset.apps/kubernetes-dashboard-76dc96b85f

Editing the Deployment

This time the dashboard is accessed over HTTP, so the Deployment needs to be edited. Refer to the instructions here.

Remove --auto-generate-certificates and add --insecure-port=9090.

$ kubectl -n kubernetes-dashboard edit deploy kubernetes-dashboard
### omitted ###
  template:
    metadata:
      creationTimestamp: null
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - args:
#        - --auto-generate-certificates #delete
        - --namespace=kubernetes-dashboard
        - --insecure-port=9090 #add
        image: kubernetesui/dashboard:v2.0.0
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /
            port: 8443
            scheme: HTTPS
          initialDelaySeconds: 30
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 30
        name: kubernetes-dashboard
        ports:
        - containerPort: 8443
          protocol: TCP
        resources: {}
### omitted ###

Changing the Service settings

Check the Service used to access the dashboard.

$ kubectl -n kubernetes-dashboard get svc
NAME                        TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
dashboard-metrics-scraper   ClusterIP   10.104.189.193   <none>        8000/TCP   13m
kubernetes-dashboard        ClusterIP   10.106.55.147    <none>        443/TCP    13m

To allow access from outside the cluster, change the kubernetes-dashboard Service to type NodePort.
Also change the port to 9090, the default port for insecure-port.

$ kubectl -n kubernetes-dashboard edit svc kubernetes-dashboard
apiVersion: v1
kind: Service
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"k8s-app":"kubernetes-dashboard"},"name":"kubernetes-dashboard","namespace":"kubernetes-dashboard"},"spec":{"ports":[{"port":443,"targetPort":8443}],"selector":{"k8s-app":"kubernetes-dashboard"}}}
  creationTimestamp: "2022-05-22T06:32:38Z"
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  resourceVersion: "91757"
  uid: 3ffecf67-aa7c-409d-a357-e79e7e8db44c
spec:
  clusterIP: 10.106.55.147
  clusterIPs:
  - 10.106.55.147
  externalTrafficPolicy: Cluster
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - nodePort: 30743
    port: 9090 #change
    protocol: TCP
    targetPort: 9090 #change
  selector:
    k8s-app: kubernetes-dashboard
  sessionAffinity: None
  type: NodePort #change
status:
  loadBalancer: {}

Check the result.

$ kubectl -n kubernetes-dashboard get svc
NAME                        TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
dashboard-metrics-scraper   ClusterIP   10.104.189.193   <none>        8000/TCP         15m
kubernetes-dashboard        NodePort    10.106.55.147    <none>        9090:30743/TCP   15m

Verifying access

Open http://<worker node IP address>:<port number> in a browser.
Note that, depending on the infrastructure you are using, the port must be opened.


At this point no permissions have been granted, so the dashboard UI is displayed but none of its contents can be viewed.

Configuring permissions

Check the default ServiceAccounts and ClusterRoles.

$ kubectl -n kubernetes-dashboard get sa
NAME                   SECRETS   AGE
default                1         47m
kubernetes-dashboard   1         47m
$ kubectl get clusterroles |grep view
system:aggregate-to-view                                               2022-05-15T12:45:12Z
system:public-info-viewer                                              2022-05-15T12:45:12Z
view                                                                   2022-05-15T12:45:12Z

Here we create a ClusterRoleBinding named insecure-dashboard that binds the default ServiceAccount kubernetes-dashboard to the default ClusterRole view.

$ kubectl create clusterrolebinding insecure-dashboard --serviceaccount kubernetes-dashboard:kubernetes-dashboard --clusterrole view
clusterrolebinding.rbac.authorization.k8s.io/insecure-dashboard created
$ kubectl describe clusterrolebindings insecure-dashboard
Name:         insecure-dashboard
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  view
Subjects:
  Kind            Name                  Namespace
  ----            ----                  ---------
  ServiceAccount  kubernetes-dashboard  kubernetes-dashboard

After reloading the browser, you can view the resources of all namespaces in the dashboard.


To make only the resources of a specific namespace viewable in the dashboard, rather than those of all namespaces, create a RoleBinding in that namespace instead of a ClusterRoleBinding.
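
The namespace-scoped binding described above, as an added example that is not part of the original article. Because this dashboard is served over HTTP without a login, whatever its ServiceAccount can read is readable by anyone who can reach the NodePort, so the functions replace the cluster-wide insecure-dashboard binding with a RoleBinding in one namespace and then check the effective permissions by impersonating the ServiceAccount. The binding name dashboard-view and the target namespace are assumptions.

```shell
#!/bin/sh
# Added example: limit the dashboard's read access to a single namespace.
SA_NS=kubernetes-dashboard     # namespace of the ServiceAccount (from the article)
SA_NAME=kubernetes-dashboard   # ServiceAccount the dashboard runs as (from the article)
SA_USER="system:serviceaccount:${SA_NS}:${SA_NAME}"

# Replace the cluster-wide binding with a RoleBinding in one namespace.
# $1 = target namespace; the binding name "dashboard-view" is hypothetical.
scope_dashboard_to_namespace() {
    ns=$1
    [ -n "$ns" ] || { echo "usage: scope_dashboard_to_namespace <namespace>" >&2; return 2; }
    # Remove the ClusterRoleBinding created earlier, if it exists.
    kubectl delete clusterrolebinding insecure-dashboard --ignore-not-found
    # Bind the ClusterRole "view" inside the target namespace only.
    kubectl -n "$ns" create rolebinding dashboard-view \
        --clusterrole view \
        --serviceaccount "${SA_NS}:${SA_NAME}"
}

# Check the result by impersonating the ServiceAccount.
# Succeeds only if pods are listable in $1 and NOT listable across all namespaces.
verify_dashboard_scope() {
    ns=$1
    # "kubectl auth can-i" prints yes/no and exits non-zero on "no".
    in_ns=$(kubectl auth can-i list pods -n "$ns" --as "$SA_USER" 2>/dev/null) || true
    all_ns=$(kubectl auth can-i list pods --all-namespaces --as "$SA_USER" 2>/dev/null) || true
    echo "list pods in ${ns}: ${in_ns:-unknown}; in all namespaces: ${all_ns:-unknown}"
    [ "$in_ns" = "yes" ] && [ "$all_ns" = "no" ]
}

# Usage (against a real cluster):
#   scope_dashboard_to_namespace default && verify_dashboard_scope default
```

Impersonation with --as requires that the user running the check is allowed to impersonate ServiceAccounts, which a cluster administrator normally is.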
