One. Preparation
1. Download the YAML file
wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
2. Prepare an image
3. Analyze the YAML file
3.1 Dashboard Secret
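# Empty Opaque Secret that the Deployment on this page mounts at /certs
# (volume "kubernetes-dashboard-certs"). Section 4.2 replaces it with a
# Secret built from dashboard.key / dashboard.crt.
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque
---
# Identity the Dashboard pod runs as (referenced by serviceAccountName in
# the Deployment). Every permission bound to this account is available to
# the Dashboard process itself.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system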
3.2 Dashboard Service Account
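# ServiceAccount used by the Dashboard pod. RBAC bindings whose subject is
# this name/namespace decide what the Dashboard can do in the cluster.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system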
3.3 Dashboard Role & Role Binding
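# Namespaced, least-privilege Role for the Dashboard: every rule below is
# limited to kube-system, and most are further limited by resourceNames.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
  # NOTE(review): "create" cannot be narrowed with resourceNames, so this
  # rule permits creating any Secret in kube-system, not only that one.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
    verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
    verbs: ["get"]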
---
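# Binds the namespaced Role "kubernetes-dashboard-minimal" to the Dashboard
# ServiceAccount. The subject name must match the ServiceAccount's
# metadata.name ("kubernetes-dashboard") for the grant to take effect.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system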
3.4 Dashboard Deployment
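# Dashboard Deployment: one replica serving HTTPS on 8443, running as the
# "kubernetes-dashboard" ServiceAccount.
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
        # NOTE(review): the container name and image line were garbled in the
        # source page and are reconstructed here; verify them against the
        # upstream v1.10.1 manifest downloaded in step 1.
        - name: kubernetes-dashboard
          # A tag can be re-pointed at the registry; consider pinning by
          # digest (image@sha256:<digest>) once the image has been verified.
          image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            # TLS material from the kubernetes-dashboard-certs Secret.
            - name: kubernetes-dashboard-certs
              mountPath: /certs
            # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      # The pod's API credentials come from this account, so its RBAC
      # bindings define what the Dashboard itself may do.
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule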
3.5 Dashboard Service
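# Service in front of the Dashboard pods. With no `type` set it is a
# ClusterIP Service, reachable only from inside the cluster; port 443
# forwards to the container's HTTPS port 8443.
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard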
4. Modify the configuration file
4.1 The default access mode is the cluster IP address. Therefore, change the access mode first
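# Fragment of the Dashboard Service `spec` (these keys go under `spec:`).
# NodePort opens port 30001 on every node's address, so the Dashboard is
# reachable from any network that can reach a node. Limit who can connect
# to that port (firewall / security group), or keep the Service as
# ClusterIP and use `kubectl proxy` or `kubectl port-forward` instead.
type: NodePort
ports:
  - port: 443
    targetPort: 8443
    nodePort: 30001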
4.2 Default certificate issue: with the default certificate, the Dashboard can only be accessed using Firefox. To access it from Chrome, you must regenerate the certificate. If you only use Firefox, skip this step.
4.2.1 Deleting the Dashboard Secret part
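4.2.2 Regenerating the certificate using your own IP address. The commands below assume the private key dashboard.key already exists in the working directory. The resulting certificate is self-signed and, as the Validity field in the output shows, expires after 30 days; pass -days to openssl x509 to request a different lifetime.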
[root@dev-api ca]# openssl req -new -out dashboard.csr -key dashboard.key -subj '/CN=192.168.246.200'
[root@dev-api ca]# ls
dashboard.csr dashboard.key
[root@dev-api ca]# openssl x509 -req -in dashboard.csr -signkey dashboard.key -out dashboard.crt
Signature ok
subject=/CN=192.168.246.200
Getting Private key
You have new mail in /var/spool/mail/root
[root@dev-api ca]# ls
dashboard.crt dashboard.csr dashboard.key
[root@dev-api ca]# openssl x509 -in dashboard.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: b9:07:50:1a:19:79:36:6b
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=192.168.246.200
        Validity
            Not Before: Jun 27 09:00:51 2019 GMT
            Not After : Jul 27 09:00:51 2019 GMT
        Subject: CN=192.168.246.200
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c5:a4:ad:9f:80:82:9f:ff:b0:04:8d:3f:99:3b:
                    65:93:76:a9:c3:89:87:da:21:41:45:a6:ab:da:01:
                    f8:b4:08:cc:6a:2a:b4:94:05:9e:8d:38:9d:f7:a5:
                    d7:f9:40:11:d8:85:18:04:9e:90:60:36:32:57:8f:
                    f4:f8:59:5b:4b:74:f9:da:ec:30:a1:5e:86:45:83:
                    d7:90:12:c7:ee:b6:b9:63:9b:1c:3b:fe:b2:79:95:
                    f2:90:80:c8:be:2d:48:2f:fe:7d:ba:9a:3c:93:8f:
                    7d:82:04:4b:65:ef:70:7c:5b:92:5c:45:96:54:7e:
                    77:e9:a4:1b:ee:8a:44:14:c9:67:1e:f8:46:f1:a1:
                    ef:78:e1:ed:21:01:6e:5b:b6:85:de:40:93:54:d2:
                    5c:a1:6f:9b:45:0c:d8:5f:77:a0:d1:e3:d8:0c:07:
                    28:cc:38:ed:a3:cb:ab:2e:33:3a:83:e3:18:3f:06:
                    ac:21:2e:c0:e2:3e:af:f8:33:a7:06:2f:4e:6f:6d:
                    8d:c4:5d:56:52:b9:83:d9:d6:7d:f2:f5:9e:58:77:
                    47:47:f0:f8:da:09:a1:47:cf:16:f2:72:3a:c1:99:
                    b2:eb:61:5a:a2:3c:49:7e:e4:b4:bd:76:05:d0:fe:
                    13:d1:8e:e4:9c:7b:fc:fb:97:16:41:40:2f:87:8c:
8f:fd
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
70:d9:a1:3a:19:d6:76:9e:91:fc:39:92:4f:bc:3b:3e:70:f3:
72:d6:c2:f3:13:be:f8:0e:75:d3:3e:68:c1:43:95:a0:9a:3f:
96:f8:9c:de:23:a0:49:da:ce:fb:a8:cc:e6:34:9b:a9:aa:9f:
9d:86:bb:a9:6d:d2:80:8c:b2:3d:89:c9:ff:44:e6:b1:90:e2:
99:2e:c1:9a:83:d0:7a:f4:cd:2a:02:4f:51:2c:c5:f2:c4:cd:
34:79:36:e1:8a:ee:10:a0:e7:6d:31:14:02:57:27:53:9d:40:
02:4b:ee:e0:7d:17:ee:80:fa:b0:10:66:03:98:26:b3:16:a0:
62:5a:ac:7b:f8:5b:98:15:c8:68:26:bd:f4:c3:df:35:34:ab:
c1:dc:fc:8f:5e:85:5d:cf:70:2f:83:72:68:4c:69:49:42:da:
28:06:a9:71:86:85:db:79:28:8e:5a:f2:cc:24:e1:71:b2:dc:
3f:6f:94:cf:19:8d:cd:18:3a:c8:be:e8:dc:8c:05:30:21:09:
54:ac:22:6d:e0:47:14:9f:16:07:4e:ed:6b:c5:d0:3e:73:37:
3b:12:85:83:34:1c:18:74:e4:96:af:6e:b5:b7:3f:60:58:e5:
09:8c:07:b2:19:77:bd:61:d0:a5:0a:56:6b:c3:4b:f7:c5:bc:
3d:d0:74:9e
[root@dev-api ca]# ls
dashboard.crt dashboard.csr dashboard.key
4.2.3 Generate your own Secret
# Create the generic Secret "kubernetes-dashboard-certs" in kube-system from
# the key and certificate generated above; the Deployment mounts this Secret
# at /certs. The private key also remains as a plain file in the working
# directory, so restrict or remove that copy once the Secret exists.
kubectl -n kube-system create secret generic kubernetes-dashboard-certs --from-file=dashboard.key --from-file=dashboard.crt
# Confirm the Secret is present (the listing shows its type and the number
# of data entries).
kubectl -n kube-system get secret |grep kubernetes-dashboard-certs
kubernetes-dashboard-certs Opaque 2 88m
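4.3 Modifying the default RoleBinding (replacing it with a ClusterRoleBinding)
Because the default permissions are low and this document is intended only for a test environment, the highest permissions (cluster-admin) are granted. This means any session that runs as the Dashboard's own ServiceAccount has full control of the cluster, so the binding should not be carried over to a shared or production cluster, especially together with the NodePort exposure from 4.1.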
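# TEST ENVIRONMENTS ONLY: grants the built-in cluster-admin ClusterRole to
# the Dashboard's ServiceAccount, cluster-wide. Anything that acts through
# the Dashboard with that account's credentials then has unrestricted
# control of the cluster. Outside a throwaway lab, keep the namespaced
# "kubernetes-dashboard-minimal" Role/RoleBinding for the Dashboard and sign
# in with the token of a separate, narrowly scoped account instead.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
subjects:
  - kind: ServiceAccount
    # Must match the ServiceAccount the Deployment runs as
    # (serviceAccountName: kubernetes-dashboard). The page originally listed
    # "kubernetes-dashboard-minimal" here, which names no ServiceAccount
    # defined on this page, so the binding would not have applied to the
    # Dashboard.
    name: kubernetes-dashboard
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io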
At this point the configuration file modification is complete