1 Introduction to Kubernetes Dashboard
1.1 Web UI Overview
Dashboard is the web-based Kubernetes user interface. You can use Dashboard to deploy containerized applications to a Kubernetes cluster, troubleshoot them, and manage cluster resources. It gives an overview of the applications running on the cluster and lets you create or modify individual Kubernetes resources (such as Deployments, Jobs, DaemonSets, and so on). For example, you can scale a Deployment, start a rolling update, restart a pod, or deploy a new application using the deployment wizard.
Dashboard also provides information about the status of the Kubernetes resources in the cluster and any errors that may occur.
2 Dashboard deployment
2.1 Download the YAML
[root@master ~]# mkdir dashboard    # Storing the YAML locally is suggested
[root@master ~]# cd dashboard/
[root@master dashboard]# wget https://raw.githubusercontent.com/kubernetes/dashboard/master/aio/deploy/recommended/kubernetes-dashboard.yaml
2.2 Switch to a domestic image source
[root@master ~]# cd dashboard/
[root@master dashboard]# vi kubernetes-dashboard.yaml
...
        image: mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1
...
Tip: Change the image field in the YAML file to mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1.
2.3 Installation
[root@master dashboard]# kubectl apply -f kubernetes-dashboard.yaml
[root@master ~]# kubectl get pod --all-namespaces -o wide | grep kubernetes-dashboard    # Verify
kube-system kubernetes-dashboard-68ddcc97fc-c5thv 0/1 Running 0 30s <none> node2 <none> <none>
3 Dashboard access modes
3.1 Overview of Access Modes
After installing Dashboard, you need to configure access control over cluster resources for users. Starting with version 1.7, Dashboard no longer has the full administrator rights granted by default. By default, all permissions are revoked and only the minimum permissions required to make Dashboard work are granted.
Note: This note applies only to users of Dashboard 1.7 or later. If you are sure that Dashboard needs to be granted administrator rights, refer to Attached 006.Kubernetes Authentication.
In general, other applications should not have direct access to Dashboard.
The dashboard has the following access modes:
kubectl proxy: only accessible on localhost. Access address: http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
NodePort: Edit the kubernetes-dashboard.yaml file and change type: ClusterIP to type: NodePort, then check which node Dashboard is running on. Access address: https://<node-ip>:<nodePort>
Apiserver: The user certificate needs to be installed in the browser. Access address: https://<master-ip>:<apiserver-port>/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
Note: Kubectl proxy is not recommended. You are advised to use a valid certificate to establish a secure HTTPS connection.
3.2 kubectl proxy
[root@master ~]# kubectl proxy
[root@master ~]# curl http://127.0.0.1:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/    # Access test
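Tip: It is recommended to run the proxy in the background and allow all hosts to access it. With these flags the proxy listens on every interface over plain HTTP and forwards requests to the API server with the credentials of the kubeconfig that started it, so restrict access to port 8001 to trusted hosts:
[root@master ~]# nohup kubectl proxy --address='0.0.0.0' --accept-hosts='^*$' &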
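To see what the two flags in the tip change relative to kubectl proxy's defaults, the following added example (not part of the original article or of kubectl) evaluates an invocation's bind address and host filter. It assumes each --accept-hosts entry is a Go regular expression matched against the request's host name; ProxyExposure, flagValue and the probe host name are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Documented kubectl proxy defaults: loopback bind and a loopback-only host filter.
const defaultAddress = "127.0.0.1"
const defaultAcceptHosts = `^localhost$,^127\.0\.0\.1$,^\[::1\]$`

// flagValue returns the value of --name given as "--name=v" or "--name v", else def.
func flagValue(args []string, name, def string) string {
	for i, a := range args {
		if strings.HasPrefix(a, "--"+name+"=") {
			return strings.TrimPrefix(a, "--"+name+"=")
		}
		if a == "--"+name && i+1 < len(args) {
			return args[i+1]
		}
	}
	return def
}

// ProxyExposure reports whether the invocation listens beyond loopback and
// whether its host filter admits probeHost (a name a remote client would use).
func ProxyExposure(args []string, probeHost string) (offLoopback, hostOK bool, err error) {
	addr := flagValue(args, "address", defaultAddress)
	ip := net.ParseIP(addr)
	offLoopback = addr != "localhost" && (ip == nil || !ip.IsLoopback())
	for _, expr := range strings.Split(flagValue(args, "accept-hosts", defaultAcceptHosts), ",") {
		re, cerr := regexp.Compile(expr)
		if cerr != nil {
			return offLoopback, false, cerr
		}
		hostOK = hostOK || re.MatchString(probeHost)
	}
	return offLoopback, hostOK, nil
}

func main() {
	probe := "node.example.internal" // constructed remote host name
	for _, args := range [][]string{{"proxy"}, {"proxy", "--address", "0.0.0.0"},
		{"proxy", "--address=0.0.0.0", "--accept-hosts=^*$"}} { // last one is the tip's command
		off, ok, err := ProxyExposure(args, probe)
		fmt.Println(args, "off-loopback:", off, "remote host accepted:", ok, err)
	}
}
```

Treat any non-loopback bind as a finding in its own right, since the proxy forwards requests with the kubeconfig's credentials.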
3.3 NodePort
NodePort access to dashboards is only recommended for Kubernetes environments in a single-node setup.
[root@master ~]# kubectl -n kube-system edit service kubernetes-dashboard
......
  type: NodePort
......
# Change type: ClusterIP to type: NodePort.
Note: The above operations can also be completed in one step by using the following command:
[root@master ~]# kubectl get pods --namespace=kube-system | grep dashboard
kubernetes-dashboard-68ddcc97fc-c5thv 1/1 Running 0 3h14m
[root@master ~]# kubectl describe pod kubernetes-dashboard-68ddcc97fc-c5thv --namespace=kube-system | grep Node
Node: node2/172.24.8.73
Test access:
Browser visit: http://172.24.8.73:30343/
Note: If the Kubernetes cluster is a multi-node cluster, perform the preceding steps to find the node where the dashboard is located. If the Kubernetes cluster is a single-node cluster, visit http://<master>:<port>.
3.4 apiserver
If the Kubernetes API server is public and externally accessible, it can be accessed directly by the browser: https://172.24.8.71:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
Note: By default the apiserver is accessed as the system:anonymous user, which does not have permission to open the corresponding resource. This way of accessing the dashboard can only be used if you install the user certificate in the browser.
Authentication must be configured for both NodePort and Apiserver. You need to configure the authentication type after determining the authentication mode.
3.5 Ingress
Dashboard can also use ingress for resource exposure.
Reference: kubernetes.io/docs/concep…
4 Dashboard authentication mode
A certificate needs to be loaded for browser access. By default, one has already been created when the deployment completes; see Appendix 001 for how to export it. Because the default Kubernetes certificate may have expired, leaving the dashboard inaccessible, this experiment creates the certificate manually after Kubernetes has been successfully deployed.
4.1 Creating a Certificate
[root@master ~]# mkdir /etc/kubernetes/dash_pki
[root@master ~]# cd /etc/kubernetes/dash_pki/
[root@master dash_pki]# openssl genrsa -out ca.key 2048    # Generate a 2048-bit ca.key
[root@master dash_pki]# openssl req -x509 -new -nodes -key ca.key -subj "/CN=172.24.8.71" -days 10000 -out ca.crt    # Generate ca.crt from ca.key (-days sets the certificate validity period)
[root@master dash_pki]# openssl genrsa -out server.key 2048    # Generate a 2048-bit server.key
[root@master dash_pki]# openssl req -new -key server.key -subj "/CN=172.24.8.71" -out server.csr    # Generate server.csr
[root@master dash_pki]# openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 10000    # Generate server.crt from ca.key, ca.crt and server.csr
subject=/CN=172.24.8.71
Getting CA Private Key
[root@master dash_pki]# openssl x509 -noout -text -in ./server.crt
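The certificates above carry the address only in the subject CN (-subj "/CN=172.24.8.71") and have no subjectAltName. The added example below (not from the original article) uses Go's crypto/x509, which matches names against subjectAltName entries only, to compare a CN-only certificate with one that also lists the IP as a SAN. issue and Audit are hypothetical helpers, and the certificates are self-signed for brevity rather than CA-signed as in the steps above.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue (hypothetical helper) returns a self-signed RSA-2048 certificate with cn, optional IP SANs and a validity in days.
func issue(cn string, sans []net.IP, days int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IPAddresses: sans,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(0, 0, days),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Audit returns findings for a server certificate that clients will reach at host.
func Audit(c *x509.Certificate, host string, now time.Time) []string {
	var out []string
	if err := c.VerifyHostname(host); err != nil {
		out = append(out, "name mismatch: no subjectAltName entry covers "+host)
	}
	if now.Before(c.NotBefore) || now.After(c.NotAfter) {
		out = append(out, "outside validity window")
	}
	return out
}

func main() {
	ip := "172.24.8.71" // address used on this page
	for _, sans := range [][]net.IP{nil, {net.ParseIP(ip)}} {
		c, _ := issue(ip, sans, 10000)
		fmt.Println(len(sans), "IP SAN(s):", Audit(c, ip, time.Now()))
	}
}
```

With openssl x509 -req, the SAN is supplied through an extension file passed with -extfile, containing subjectAltName = IP:172.24.8.71.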
4.2 Modifying the Default Certificate Configuration
[root@master ~]# cd dashboard/
[root@master dashboard]# kubectl delete -f kubernetes-dashboard.yaml    # Delete the dashboard
[root@master dashboard]# ll /etc/kubernetes/dash_pki/
[root@master dashboard]# kubectl create secret generic kubernetes-dashboard-certs --from-file="/etc/kubernetes/dash_pki/server.crt,/etc/kubernetes/dash_pki/server.key" -n kube-system    # Mount the new certificate into the dashboard
[root@master dashboard]# kubectl get secret kubernetes-dashboard-certs -n kube-system -o yaml
4.3 Redeploying the Dashboard
[root@master dashboard]# kubectl apply -f kubernetes-dashboard.yaml
[root@master dashboard]# kubectl get pods --namespace=kube-system | grep dashboard    # Verify
4.4 Importing a Certificate
Import server.crt into Internet Explorer.
4.5 Access Tests
This experiment logs in using apiserver access + Kubeconfig authentication.
Access via the apiserver: https://172.24.8.71:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
Tip: For the dashboard login process, refer to: www.cnadn.net/post/2613.h…
Note: For apiserver mode, see 3.4; for Kubeconfig authentication mode, see 3.5 in Attached 006.Kubernetes Authentication.
Appendix 001: Export the current Kubernetes certificate
[root@master ~]# grep 'client-certificate-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d >> kubecfg.crt
[root@master ~]# grep 'client-key-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d >> kubecfg.key
[root@master ~]# openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out k8s.crt -name "kubernetes-client"
Enter Export Password:[x120952576]
Verifying - Enter Export Password:[x120952576]
Use the password to import k8s.crt into Internet Explorer.