[k8s Cluster Series-09] Kubernetes Component Dashboard

Kubernetes service

Kubernetes Dashboard is a generic web-based UI for Kubernetes clusters. It allows users to manage and troubleshoot applications running in a cluster, kubernetes certification what is kubernetes and to manage the cluster itself.

kubernetes service pod

Deploying Dashboard


Project GitHub Address
Official documentation Reference kubernetes vs docker

Kubernetes as service

Get Yaml file

curl -O https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml   # https访问的 选这个curl -O https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/alternative/kubernetes-dashboard.yaml   # http方式访问

Modify a mirrored address in a YAML file to see the mirror address kubernetes tutorial kubernetes ingress

>  grep image kubernetes-dashboard.yaml         image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.8.3   # 这个地址被墙，可以去docker-hub搜索此镜像上传至自己的镜像库中

Replace Mirror Address


Here we directly use the mirror on the Docker-hub
Mirror Address

Kubernetes as a service


> grep image kubernetes-dashboard.yaml         image: anjia0532/kubernetes-dashboard-amd64:v1.8.3在deployment段加一个配置- --heapster-host=http://heapster

Introducing YAML Files

> kubectl apply -f kubernetes-dashboard.yaml > kubectl get pods -n kube-system | grep dashboardkubernetes-dashboard-bbc7b8b5-rj8hf   1/1       Running   0          10m> kubectl get svc -n kube-system | grep dashboard kubernetes-dashboard   ClusterIP   10.254.61.253   <none>        80/TCP          43s

Selector kubernetes service

To access the dashboard from a local workstation, you must create a secure channel for your kubernetes cluster.
Run the following command: kubernetes expose service port




kubectl proxy



Visit Dashboard Now




http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/.    # 可惜本地的服务器没有浏览器和GUI，可以使用elinks试下

Identity verification


Login Dashboard Support Kubeconfig and token two authentication methods, Kubeconfig also rely on the token field, so the token generation is essential.



Create Users and RBAC


We create an Admin user and grant the Admin role bindings, use the following Yaml file to create the Admin user and give him administrator privileges, then you can login to Dashbaord by token, kubernetes tutorialthis authentication method is essentially through the service account Authentication plus bearer token request API server implementation, refer to authentication in Kubernetes




# cat k8s-dashboard-admin-rbac.yaml kind: ClusterRoleBindingapiVersion: rbac.authorization.k8s.io/v1beta1metadata:  name: admin  annotations:    rbac.authorization.kubernetes.io/autoupdate: "true"roleRef:  kind: ClusterRole  name: cluster-admin  apiGroup: rbac.authorization.k8s.iosubjects:- kind: ServiceAccount  name: admin  namespace: kube-system---apiVersion: v1kind: ServiceAccountmetadata:  name: admin  namespace: kube-system  labels:    kubernetes.io/cluster-service: "true"    addonmanager.kubernetes.io/mode: Reconcile



Create




kubectl apply -f k8s-dashboard-admin-rbac.yaml

Get token


When the aboveadminuser is created, we can obtain the token for that user, such as the following command:



> kubectl get secret-n kube-system|grep admin-tokenadmin-token-ph8sh kubernetes.io/service-account-to Ken 3 11m> Kubectl get secret Admin-token-ph8sh-o Jsonpath={.data.token}-n kube-system |base64-d Eyjhbgcio Ijsuzi1niisimtpzci6iij9.eyjpc3mioijrdwjlcm5ldgvzl3nlcnzpy2vhy2nvdw50iiwia3vizxjuzxrlcy5pby9zzxj2awnlywnjb3vudc9uyw1lc3bhy 2uioijrdwjllxn5c3rlbsisimt1ymvybmv0zxmuaw8vc2vydmljzwfjy291bnqvc2vjcmv0lm5hbwuioijhzg1pbi10b2tlbi1wadhzacisimt1ymvybmv0zx Muaw8vc2vydmljzwfjy291bnqvc2vydmljzs1hy2nvdw50lm5hbwuioijhzg1pbiisimt1ymvybmv0zxmuaw8vc2vydmljzwfjy291bnqvc2vydmljzs1hy2n vdw50lnvpzci6imywymm5zjfmltc2mdutmtfloc05ywq1ltawnta1njk4mdrmyyisinn1yii6inn5c3rlbtpzzxj2awnlywnjb3vuddprdwjllxn5c3rlbtph Zg1pbij9.tcgnylj7008bnatdddz070f4pu_ffxty0djjdaey_tii9ktqnsfcpgdqdcmel5xzekrhrt7wh_ 3jp7ltv6zdwu24cjb2mtapwaoslpasoyooiraej53jzncy_up3nb0rf1xqbo28gtvhal-snzdpancftdthhvvf2bcsa-dp__ Jcwg88vphta1h4twvghdsp2kcbh_56ntddfejg7ctxxs-kcwrs3k_3r4nwa1s1rscsepot8otbj-spvgzu9-g3-5xpncqKk_tucwmipp2zkwijscudopxwxx-8uc1_0wmpluyvwnpqlvjgpvnhioqhcnhsvsfzmedxv4hovskhga
This token is valid only for Dashborad in the current life cycle, and if created after deletion, a new token will be generated.

Integrated Heapster plug-in


Heapster is a container cluster monitoring and performance analysis tool that naturally supports kubernetes and CoreOS. Kubernetes has a well-known surveillancecAdvisor. The cadvisor is run on each kubernetes node, and it collects monitoring data (cpu,memory,filesystem,network,uptime) for both native and container.
In the newer version, K8S has integrated the Cadvisor functionality into the Kubelet component. Each node can be accessed directly from the Web. Cadvisor Web Interface Access:http://< Node-IP >:4194
Cadvisor also offers restful api:https://github.com/google/cadvisor/blob/master/docs/api.md





Go to heapster release page to download the latest version of Heapster



Get file

> wget https://github.com/kubernetes/heapster/archive/v1.5.3.tar.gz> tar -xf v1.5.3.tar.gz # 相关文件> cd heapster-1.5.3/deploy/kube-config/> ls rbac/ && ls influxdb/heapster-rbac.yamlgrafana.yaml  heapster.yaml  influxdb.yaml

Mirror address modification view mirror address

> grep image influxdb/*influxdb/grafana.yaml:        image: gcr.io/google_containers/heapster-grafana-amd64:v4.4.3influxdb/heapster.yaml:        image: gcr.io/google_containers/heapster-amd64:v1.5.3influxdb/influxdb.yaml:        image: gcr.io/google_containers/heapster-influxdb-amd64:v1.3.3

Modify the Mirror Address

> grep image influxdb/*      influxdb/grafana.yaml:        image: anjia0532/heapster-grafana-amd64:v4.4.3influxdb/heapster.yaml:        image: anjia0532/heapster-amd64:v1.5.3influxdb/influxdb.yaml:        image: anjia0532/heapster-influxdb-amd64:v1.3.3

Introducing YAML Files

> cp rbac/heapster-rbac.yaml influxdb/> cd influxdb/> lsgrafana.yaml  heapster-rbac.yaml  heapster.yaml  influxdb.yaml> kubectl create -f .

View Pod,svc
> kubectl get svc-n kube-system-o wide NAME TYPE cluster-ip external-ip PORT (S) Age Selectorcoredns Clusterip 10.254.0.2 <none> 53/udp,53/tcp 7d K8 S-app=corednsheapster clusterip 10.254.76.86 <none> 80/tcp 24s K8s-app=hea Psterkubernetes-dashboard clusterip 10.254.61.253 <none> 80/tcp 1h k8s-app=kubernetes- Dashboardmonitoring-grafana clusterip 10.254.234.193 <none> 80/tcp 24s K8s-app=grafana Monitoring-influxdb clusterip 10.254.83.156 <none> 8086/tcp 24s k8s-app=influxdb> Kub            Ectl get pod-n kube-system-o wide NAME ready STATUS restarts age IP NODECOREDNS-66C9F6F9F7-5K9FB 1/1 Running 1 3d 172.18.16.2 k8s-n2-16-239 Heapster-d59d66579-gr8sf               1/1 Running 0 33s 172.18.29.3 K8S-N3-16-240KUBERNETES-DASHBOARD-BBC7B8B5-RJ8HF 1/1 Running 0 1h 172.18.29.2 k8s-n3-16-240monitoring-grafana-bff95c48c-7kfjm 1/1 Runni          ng 0 10m 172.18.16.3 k8s-n2-16-239monitoring-influxdb-5d474bf6d5-56pxq 1/1 Running 0 34s 172.18.52.2 k8s-n1-16-238
Access mode KUBECTL Proxy local access mode


We used Kubectl proxy only to Loclahost access



Use the--address and--accept-hosts parameters to allow external access

kubectl proxy --address='0.0.0.0'  --accept-hosts='^*$'



Then visit




http://<master-ip>:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/  # 也是半天没出来

Nodeport


Nodeport is a way of exposing nodes directly to the external network and is only recommended for use in the development environment, single node installation.
Enabling Nodeport is simple, just executingkubectl editcommands for editing:




kubectl -n kube-system edit service kubernetes-dashboard



Output




apiVersion: v1kind: Servicemetadata:  annotations:    kubectl.kubernetes.io/last-applied-configuration: |      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"k8s-app":"kubernetes-dashboard"},"name":"kubernetes-dashboard","namespace":"kube-system"},"spec":{"ports":[{"port":443,"targetPort":8443}],"selector":{"k8s-app":"kubernetes-dashboard"}}}  creationTimestamp: 2018-06-22T09:56:05Z  labels:    k8s-app: kubernetes-dashboard  name: kubernetes-dashboard  namespace: kube-system  resourceVersion: "1715288"  selfLink: /api/v1/namespaces/kube-system/services/kubernetes-dashboard  uid: 7abab091-7602-11e8-80c7-00505698f5d8spec:  clusterIP: 10.254.61.253  ports:  - port: 443    protocol: TCP    targetPort: 8443  selector:    k8s-app: kubernetes-dashboard  sessionAffinity: None  type: ClusterIPstatus:  loadBalancer: {}



Modify the above Type:clusterip totype: NodePortuse the Kubectl Get Service command to view the automatically produced ports after saving:




> kubectl -n kube-system get service kubernetes-dashboardNAME                   TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGEkubernetes-dashboard   NodePort   10.254.61.253   <none>        443:30054/TCP   2hs> kubectl -n kube-system get pod  -o wide | grep dashboardkubernetes-dashboard-9d85bdcb6-n5ngf   1/1       Running   0          14m       172.18.16.4   k8s-n2-16-239



Access




https://192.168.16.239:30054/#!/login   # 登录界面，输入之前的令牌就可以登录

API Server


If the Kubernetes API server is public and can be accessed externally, then we can access it directly using the API server, which is a more recommended way.
Dashboard's access address is:




https://<master-ip>:<apiserver-port>/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/https://api.kubernetes.master/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/



return results



Kind "Status"apiversion "V1"metadata {}Status "Failure"message the Services \ "Https:kubernetes-dashboard:\"  is Forbidden: User \ "System:anonymous\" cannot Get Services/proxy inch  the namespace \ "Kube-system\" "reason "Forbidden"Details name "Https:kubernetes-dashboard:"Kind "Services"Code 403


This is because the latest version of K8s is enabled by defaultRBACand gives the unauthenticated user a default identity:anonymous





For API server, it is authenticated with a certificate, and we need to create a certificate first:



1. First find the configuration file for the Kubectl command,/etc/kubernetes/admin.conf by default, in the previous article, we have copied to $home/.kube/config.
2. Then we use Client-certificate-data and client-key-data to generate a P12 file, using the following command:

# 生成client-certificate-datagrep 'client-certificate-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d >> kubecfg.crt# 生成client-key-datagrep 'client-key-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d >> kubecfg.key# 生成p12openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12 -name "kubernetes-client"
3. Finally, in the browser to import the above generated P12 file, re-open the browser

Because the certificate cannot be passed through the visa, or cannot access the

Ingress


Using open source reverse proxy load Balancing software (NGINX,HAPROXY) integrates with k8s for more convenient and flexible service exposure, it is recommended to use this, in the followingIngresswe will expose the use of dashboard servicetraefikto access





Reference Blog Address





[k8s Cluster Series-09] Kubernetes Component Dashboard