Kubernetes Dashboard is a general-purpose web-based UI for Kubernetes clusters. It allows users to manage and troubleshoot applications running in a cluster, and to manage the cluster itself.
Deploying Dashboard
Project GitHub Address
Official documentation reference
Get the YAML file
curl -O https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml   # choose this one for HTTPS access
curl -O https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/alternative/kubernetes-dashboard.yaml  # for HTTP access
Modify the image address in the YAML file. View the current image address:
> grep image kubernetes-dashboard.yaml
image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.8.3   # this address is blocked; you can search for the image on Docker Hub and push it to your own registry
Replace the image address
Here we directly use the image from Docker Hub.
Image address
> grep image kubernetes-dashboard.yaml
image: anjia0532/kubernetes-dashboard-amd64:v1.8.3
Add one argument in the Deployment section:
- --heapster-host=http://heapster
Apply the YAML file
> kubectl apply -f kubernetes-dashboard.yaml
> kubectl get pods -n kube-system | grep dashboard
kubernetes-dashboard-bbc7b8b5-rj8hf   1/1   Running   0   10m
> kubectl get svc -n kube-system | grep dashboard
kubernetes-dashboard   ClusterIP   10.254.61.253   <none>   80/TCP   43s
To access the Dashboard from a local workstation, you must create a secure channel to your Kubernetes cluster.
Run the following command:
kubectl proxy
Now visit the Dashboard
http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/   # unfortunately the local server has no browser or GUI; you can try elinks
Authentication
The Dashboard login supports two authentication methods, kubeconfig and token. Kubeconfig also relies on the token field, so generating a token is essential.
Create a user and RBAC
We create an admin user and grant it the cluster-admin role binding. Use the following YAML file to create the admin user and give it administrator privileges; you can then log in to the Dashboard with its token. This authentication method is essentially service account authentication plus a bearer token sent with requests to the API server; refer to Authentication in Kubernetes.
# cat k8s-dashboard-admin-rbac.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: admin
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: admin
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
Create
kubectl apply -f k8s-dashboard-admin-rbac.yaml
Get the token
Once the above admin user has been created, we can obtain its token with the following commands:
> kubectl get secret -n kube-system | grep admin-token
admin-token-ph8sh   kubernetes.io/service-account-token   3   11m
> kubectl get secret admin-token-ph8sh -o jsonpath={.data.token} -n kube-system | base64 -d
Eyjhbgcio Ijsuzi1niisimtpzci6iij9.eyjpc3mioijrdwjlcm5ldgvzl3nlcnzpy2vhy2nvdw50iiwia3vizxjuzxrlcy5pby9zzxj2awnlywnjb3vudc9uyw1lc3bhy2uioijrdwjllxn5c3rlbsisimt1ymvybmv0zxmuaw8vc2vydmljzwfjy291bnqvc2vjcmv0lm5hbwuioijhzg1pbi10b2tlbi1wadhzacisimt1ymvybmv0zxMuaw8vc2vydmljzwfjy291bnqvc2vydmljzs1hy2nvdw50lm5hbwuioijhzg1pbiisimt1ymvybmv0zxmuaw8vc2vydmljzwfjy291bnqvc2vydmljzs1hy2nvdw50lnvpzci6imywymm5zjfmltc2mdutmtfloc05ywq1ltawnta1njk4mdrmyyisinn1yii6inn5c3rlbtpzzxj2awnlywnjb3vuddprdwjllxn5c3rlbtphZg1pbij9.tcgnylj7008bnatdddz070f4pu_ffxty0djjdaey_tii9ktqnsfcpgdqdcmel5xzekrhrt7wh_3jp7ltv6zdwu24cjb2mtapwaoslpasoyooiraej53jzncy_up3nb0rf1xqbo28gtvhal-snzdpancftdthhvvf2bcsa-dp__Jcwg88vphta1h4twvghdsp2kcbh_56ntddfejg7ctxxs-kcwrs3k_3r4nwa1s1rscsepot8otbj-spvgzu9-g3-5xpncqKk_tucwmipp2zkwijscudopxwxx-8uc1_0wmpluyvwnpqlvjgpvnhioqhcnhsvsfzmedxv4hovskhga
This token is valid only for the current lifecycle of the Dashboard; if it is deleted and re-created, a new token will be generated.
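The token you just printed is a bearer credential for the service account, and the RBAC file above binds that account to cluster-admin, so the token is effectively a full-cluster credential. The following Python check, added here as an example and not part of the original tutorial, makes that visible: it decodes the token's claims (without verifying the signature) to see which service account it asserts, then looks that account up in the output of `kubectl get clusterrolebindings -o json` to list the ClusterRoles it holds and to flag every service account bound directly to cluster-admin. The token and the bindings are constructed sample data in the same shape as real cluster output; `make_sample_token` only mimics the claim layout of a secret-backed service-account token and its HMAC signature is a placeholder.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(namespace: str, sa_name: str, secret_name: str) -> str:
    """Constructed stand-in for a secret-backed service-account token, using the
    claim names kube-apiserver puts in such tokens. Signed with a throwaway HMAC
    key only so that it has the usual three parts; a real token is RS256-signed
    with the cluster's service-account signing key."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/secret.name": secret_name,
        "kubernetes.io/serviceaccount/service-account.name": sa_name,
        "kubernetes.io/serviceaccount/service-account.uid": "00000000-0000-0000-0000-000000000000",  # placeholder uid
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
    }
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    sig = hmac.new(b"constructed-example-key", signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def decode_claims(token: str) -> dict:
    """Decode the payload WITHOUT checking the signature: enough to see which
    identity a token asserts, never enough to trust it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore the stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_subject(token: str) -> tuple:
    """(namespace, service-account name) the token asserts."""
    c = decode_claims(token)
    return (c["kubernetes.io/serviceaccount/namespace"], c["kubernetes.io/serviceaccount/service-account.name"])


# Constructed sample in the shape of `kubectl get clusterrolebindings -o json` (not real cluster output).
# The first item is the binding the tutorial's k8s-dashboard-admin-rbac.yaml creates.
SAMPLE_BINDINGS = {
    "kind": "List",
    "items": [
        {
            "metadata": {"name": "admin"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "ServiceAccount", "name": "admin", "namespace": "kube-system"}],
        },
        {
            "metadata": {"name": "dashboard-viewer"},
            "roleRef": {"kind": "ClusterRole", "name": "view"},
            "subjects": [{"kind": "ServiceAccount", "name": "dashboard-viewer", "namespace": "kube-system"}],
        },
    ],
}


def roles_bound_to(bindings: dict, namespace: str, sa_name: str) -> list:
    """ClusterRoles granted to one ServiceAccount by the given ClusterRoleBindings."""
    roles = []
    for b in bindings.get("items", []):
        for s in b.get("subjects") or []:
            if s.get("kind") == "ServiceAccount" and s.get("namespace") == namespace and s.get("name") == sa_name:
                roles.append(b["roleRef"]["name"])
    return roles


def cluster_admin_serviceaccounts(bindings: dict) -> list:
    """'namespace/name' of every ServiceAccount bound directly to cluster-admin;
    each such account's token is a full-cluster credential."""
    found = []
    for b in bindings.get("items", []):
        if b["roleRef"].get("kind") == "ClusterRole" and b["roleRef"].get("name") == "cluster-admin":
            for s in b.get("subjects") or []:
                if s.get("kind") == "ServiceAccount":
                    found.append(f"{s.get('namespace')}/{s.get('name')}")
    return sorted(found)


if __name__ == "__main__":
    token = make_sample_token("kube-system", "admin", "admin-token-ph8sh")
    ns, name = token_subject(token)
    print(f"token asserts {ns}/{name}; ClusterRoles: {roles_bound_to(SAMPLE_BINDINGS, ns, name)}")
    print("service accounts holding cluster-admin:", cluster_admin_serviceaccounts(SAMPLE_BINDINGS))
```

Against a real cluster, feed `kubectl get clusterrolebindings -o json` into `roles_bound_to` and the token from the `kubectl get secret ... | base64 -d` command above into `token_subject`; anything listed by `cluster_admin_serviceaccounts` deserves the same handling as the cluster's admin kubeconfig.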
Integrating the Heapster plugin
Heapster is a container cluster monitoring and performance analysis tool that natively supports Kubernetes and CoreOS. Kubernetes has a well-known monitoring component, cAdvisor. cAdvisor runs on every Kubernetes node and collects monitoring data (CPU, memory, filesystem, network, uptime) for both the host and its containers.
In newer versions, Kubernetes has integrated the cAdvisor functionality into the kubelet component, and each node can be accessed directly from the web. cAdvisor web interface: http://<node-ip>:4194
cAdvisor also offers a RESTful API: https://github.com/google/cadvisor/blob/master/docs/api.md
Go to the Heapster release page and download the latest version of Heapster.
Get the files
> wget https://github.com/kubernetes/heapster/archive/v1.5.3.tar.gz
> tar -xf v1.5.3.tar.gz
# related files
> cd heapster-1.5.3/deploy/kube-config/
> ls rbac/ && ls influxdb/
heapster-rbac.yaml
grafana.yaml  heapster.yaml  influxdb.yaml
Modify the image addresses. View the image addresses:
> grep image influxdb/*
influxdb/grafana.yaml:    image: gcr.io/google_containers/heapster-grafana-amd64:v4.4.3
influxdb/heapster.yaml:   image: gcr.io/google_containers/heapster-amd64:v1.5.3
influxdb/influxdb.yaml:   image: gcr.io/google_containers/heapster-influxdb-amd64:v1.3.3
Modify the image addresses
> grep image influxdb/*
influxdb/grafana.yaml:    image: anjia0532/heapster-grafana-amd64:v4.4.3
influxdb/heapster.yaml:   image: anjia0532/heapster-amd64:v1.5.3
influxdb/influxdb.yaml:   image: anjia0532/heapster-influxdb-amd64:v1.3.3
Apply the YAML files
> cp rbac/heapster-rbac.yaml influxdb/
> cd influxdb/
> ls
grafana.yaml  heapster-rbac.yaml  heapster.yaml  influxdb.yaml
> kubectl create -f .
View Pods and Services
> kubectl get svc -n kube-system -o wide
NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE   SELECTOR
coredns                ClusterIP   10.254.0.2       <none>        53/UDP,53/TCP   7d    k8s-app=coredns
heapster               ClusterIP   10.254.76.86     <none>        80/TCP          24s   k8s-app=heapster
kubernetes-dashboard   ClusterIP   10.254.61.253    <none>        80/TCP          1h    k8s-app=kubernetes-dashboard
monitoring-grafana     ClusterIP   10.254.234.193   <none>        80/TCP          24s   k8s-app=grafana
monitoring-influxdb    ClusterIP   10.254.83.156    <none>        8086/TCP        24s   k8s-app=influxdb
> kubectl get pod -n kube-system -o wide
NAME                                   READY   STATUS    RESTARTS   AGE   IP            NODE
coredns-66c9f6f9f7-5k9fb               1/1     Running   1          3d    172.18.16.2   k8s-n2-16-239
heapster-d59d66579-gr8sf               1/1     Running   0          33s   172.18.29.3   k8s-n3-16-240
kubernetes-dashboard-bbc7b8b5-rj8hf    1/1     Running   0          1h    172.18.29.2   k8s-n3-16-240
monitoring-grafana-bff95c48c-7kfjm     1/1     Running   0          10m   172.18.16.3   k8s-n2-16-239
monitoring-influxdb-5d474bf6d5-56pxq   1/1     Running   0          34s   172.18.52.2   k8s-n1-16-238
Access methods
kubectl proxy (local access)
Above we used kubectl proxy, which only allows access from localhost.
Use the --address and --accept-hosts parameters to allow external access. Note that kubectl proxy forwards every request with the credentials of the kubeconfig user running it, so whoever can reach this port gets that user's API access:
kubectl proxy --address='0.0.0.0' --accept-hosts='^*$'
Then visit
http://<master-ip>:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/   # this one also did not load after a long wait
NodePort
NodePort exposes the service directly on the nodes to the external network, and is only recommended for development environments and single-node installations.
Enabling NodePort is simple: just run kubectl edit to edit the service:
kubectl -n kube-system edit service kubernetes-dashboard
Output
apiVersion: v1
kind: Service
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"k8s-app":"kubernetes-dashboard"},"name":"kubernetes-dashboard","namespace":"kube-system"},"spec":{"ports":[{"port":443,"targetPort":8443}],"selector":{"k8s-app":"kubernetes-dashboard"}}}
  creationTimestamp: 2018-06-22T09:56:05Z
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
  resourceVersion: "1715288"
  selfLink: /api/v1/namespaces/kube-system/services/kubernetes-dashboard
  uid: 7abab091-7602-11e8-80c7-00505698f5d8
spec:
  clusterIP: 10.254.61.253
  ports:
  - port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}
Change type: ClusterIP above to type: NodePort, save, and then use kubectl get service to view the automatically allocated port:
> kubectl -n kube-system get service kubernetes-dashboard
NAME                   TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
kubernetes-dashboard   NodePort   10.254.61.253   <none>        443:30054/TCP   2h
> kubectl -n kube-system get pod -o wide | grep dashboard
kubernetes-dashboard-9d85bdcb6-n5ngf   1/1   Running   0   14m   172.18.16.4   k8s-n2-16-239
Access
https://192.168.16.239:30054/#!/login   # login page; enter the token obtained earlier to log in
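Because a NodePort (or LoadBalancer) Service publishes the Dashboard on every node's address, it is worth being able to see at a glance which kube-system Services are reachable from outside the cluster network. The following Python script is an added example, not part of the original tutorial: it runs over the JSON that `kubectl get svc -A -o json` prints, reports every externally published Service in a namespace, and returns the NodePort the Dashboard is on (30054 in the state shown above). The Service list embedded below is constructed sample data in the same shape as that output, mirroring the tutorial's services.

```python
import json
import sys

# Constructed sample in the shape of `kubectl get svc -A -o json` (not real cluster output).
# The Dashboard entry reflects the state after the edit above: type NodePort, 443:30054/TCP.
SAMPLE_SERVICES = {
    "kind": "List",
    "items": [
        {
            "metadata": {"name": "kubernetes-dashboard", "namespace": "kube-system"},
            "spec": {
                "type": "NodePort",
                "selector": {"k8s-app": "kubernetes-dashboard"},
                "ports": [{"port": 443, "targetPort": 8443, "nodePort": 30054, "protocol": "TCP"}],
            },
        },
        {
            "metadata": {"name": "heapster", "namespace": "kube-system"},
            "spec": {
                "type": "ClusterIP",
                "selector": {"k8s-app": "heapster"},
                "ports": [{"port": 80, "targetPort": 8082, "protocol": "TCP"}],
            },
        },
        {
            "metadata": {"name": "monitoring-grafana", "namespace": "kube-system"},
            "spec": {
                "type": "LoadBalancer",
                "selector": {"k8s-app": "grafana"},
                "ports": [{"port": 80, "targetPort": 3000, "protocol": "TCP"}],
            },
        },
    ],
}

# Service types that publish a Service outside the cluster network.
EXTERNAL_TYPES = {"NodePort", "LoadBalancer"}


def externally_exposed(services: dict, namespace: str = "kube-system") -> list:
    """One finding per Service in `namespace` whose type publishes it externally.
    Each finding lists the node port (for NodePort) or the service port (for LoadBalancer)."""
    findings = []
    for svc in services.get("items", []):
        meta, spec = svc["metadata"], svc["spec"]
        if meta.get("namespace") != namespace or spec.get("type") not in EXTERNAL_TYPES:
            continue
        ports = [p.get("nodePort") or p.get("port") for p in spec.get("ports", [])]
        findings.append({"name": meta["name"], "type": spec["type"], "ports": ports})
    return findings


def dashboard_nodeport(services: dict):
    """The NodePort the Dashboard Service is published on, or None while it is
    still ClusterIP (the state the tutorial starts from)."""
    for svc in services.get("items", []):
        spec = svc["spec"]
        if spec.get("selector", {}).get("k8s-app") != "kubernetes-dashboard":
            continue
        if spec.get("type") != "NodePort":
            return None
        for p in spec.get("ports", []):
            if "nodePort" in p:
                return p["nodePort"]
    return None


if __name__ == "__main__":
    # Pipe real output in with: kubectl get svc -A -o json | python3 this_script.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_SERVICES
    for f in externally_exposed(data):
        print(f"{f['type']:<12} {f['name']:<24} ports={f['ports']}")
    print("dashboard nodePort:", dashboard_nodeport(data))
```

Run it periodically, or after any `kubectl edit service`, and treat a Dashboard that shows up as NodePort or LoadBalancer outside a development cluster as a finding to act on, since the tutorial itself limits NodePort to development and single-node setups.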
API Server
If the Kubernetes API server is public and can be accessed externally, then we can access the Dashboard directly through the API server, which is the more recommended way.
The Dashboard's access address is:
https://<master-ip>:<apiserver-port>/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
https://api.kubernetes.master/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
Returned result
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:anonymous\" cannot get services/proxy in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "https:kubernetes-dashboard:",
    "kind": "services"
  },
  "code": 403
}
This is because the latest version of Kubernetes enables RBAC by default and gives unauthenticated users a default identity: anonymous.
For the API server, authentication is done with a certificate, so we need to create a certificate first:
1. First find the configuration file for the kubectl command, /etc/kubernetes/admin.conf by default; in the previous article we copied it to $HOME/.kube/config.
2. Then we use client-certificate-data and client-key-data to generate a P12 file, using the following commands:
# generate client-certificate-data
grep 'client-certificate-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d >> kubecfg.crt
# generate client-key-data
grep 'client-key-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d >> kubecfg.key
# generate the p12
openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12 -name "kubernetes-client"
3. Finally, import the generated P12 file into the browser and reopen the browser.
Because the certificate could not pass verification, it still could not access the
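The `grep ... | head -n 1` pipeline in step 2 takes whichever user appears first in the kubeconfig and appends (`>>`) to the output files, so on a kubeconfig with several users, or when the commands are run twice, the PEM files can end up holding the wrong or a duplicated credential. The following Python helper is an added example, not part of the original tutorial: it reads the JSON that `kubectl config view --raw -o json` prints, follows current-context to the right user, decodes that user's certificate and key, and writes them with the key file kept private. The kubeconfig embedded below is constructed sample data with placeholder PEM bodies; it deliberately lists a second user first to show the difference from the first-match approach. The openssl step stays as on the page.

```python
import base64
import json
import os
import sys


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed kubeconfig in the JSON shape printed by `kubectl config view --raw -o json`.
# "old-user" is listed first on purpose: a first-match grep would select it, while
# current-context points at "kubernetes-admin". PEM bodies are placeholders, not real keys.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "current-context": "kubernetes-admin@kubernetes",
    "contexts": [
        {"name": "old-user@kubernetes", "context": {"cluster": "kubernetes", "user": "old-user"}},
        {"name": "kubernetes-admin@kubernetes", "context": {"cluster": "kubernetes", "user": "kubernetes-admin"}},
    ],
    "users": [
        {"name": "old-user", "user": {
            "client-certificate-data": _b64("-----BEGIN CERTIFICATE-----\nOLD-USER-PLACEHOLDER\n-----END CERTIFICATE-----\n"),
            "client-key-data": _b64("-----BEGIN RSA PRIVATE KEY-----\nOLD-USER-PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"),
        }},
        {"name": "kubernetes-admin", "user": {
            "client-certificate-data": _b64("-----BEGIN CERTIFICATE-----\nADMIN-PLACEHOLDER\n-----END CERTIFICATE-----\n"),
            "client-key-data": _b64("-----BEGIN RSA PRIVATE KEY-----\nADMIN-PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"),
        }},
    ],
}


def current_user(config: dict) -> str:
    """User name referenced by the kubeconfig's current-context."""
    ctx_name = config["current-context"]
    for ctx in config["contexts"]:
        if ctx["name"] == ctx_name:
            return ctx["context"]["user"]
    raise KeyError(f"current-context {ctx_name!r} not found in contexts")


def first_match_user(config: dict) -> str:
    """What the tutorial's `grep ... | head -n 1` effectively selects: the first
    user entry that carries client-certificate-data."""
    for entry in config["users"]:
        if "client-certificate-data" in entry["user"]:
            return entry["name"]
    raise KeyError("no user with client-certificate-data")


def client_credentials(config: dict, user=None) -> tuple:
    """(cert_pem, key_pem) as bytes for `user`, defaulting to the current-context user."""
    user = user or current_user(config)
    for entry in config["users"]:
        if entry["name"] == user:
            u = entry["user"]
            if "client-certificate-data" not in u or "client-key-data" not in u:
                raise ValueError(f"user {user!r} has no embedded client certificate (token or exec auth?)")
            return (base64.b64decode(u["client-certificate-data"]), base64.b64decode(u["client-key-data"]))
    raise KeyError(f"user {user!r} not found in users")


def write_pem_files(config: dict, cert_path: str = "kubecfg.crt", key_path: str = "kubecfg.key") -> str:
    """Write the selected user's cert and key as PEM, overwriting rather than appending,
    with the private key created mode 0600. Returns the user name that was exported."""
    user = current_user(config)
    cert, key = client_credentials(config, user)
    with open(cert_path, "wb") as f:
        f.write(cert)
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key)
    return user


if __name__ == "__main__":
    # Real usage: kubectl config view --raw -o json | python3 this_script.py
    if sys.stdin.isatty():
        cfg = SAMPLE_KUBECONFIG
        print("current-context user:", current_user(cfg), "| first-match user:", first_match_user(cfg))
    else:
        user = write_pem_files(json.load(sys.stdin))
        print(f"exported {user} to kubecfg.crt / kubecfg.key; now run:")
        print('openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12 -name "kubernetes-client"')
```

On the sample, `first_match_user` returns old-user while `current_user` returns kubernetes-admin, which is exactly the mismatch a multi-user kubeconfig would hand to the grep pipeline; after exporting, the `openssl pkcs12` command from step 2 is used unchanged.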
Ingress
Using open-source reverse proxy / load-balancing software (NGINX, HAProxy) integrated with Kubernetes gives more convenient and flexible service exposure, and is the recommended approach. In the following Ingress article we will expose the Dashboard service through traefik.
Reference blog
[k8s Cluster Series-09] Kubernetes Component Dashboard