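Installing and Deploying Kubernetes Dashboard
The following are the detailed steps for installing and deploying Kubernetes Dashboard:
1. Deploy Kubernetes Dashboard
# Deploy the latest Dashboard (compatible with Kubernetes v1.22+)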
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
2. Create an administrator service account
Create the file dashboard-adminuser.yaml:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
Apply the configuration:
kubectl apply -f dashboard-adminuser.yaml
Create the administrator account manually
# Create the administrator account
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
EOF
# Bind the role
cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
EOF
3. Get an access token
kubectl -n kubernetes-dashboard create token admin-user
Copy the token that is printed; it is used to log in.
4. Access the Dashboard
Method 1: port forwarding (temporary testing)
kubectl proxy
kubectl proxy &
Access URL:
http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
Method 2: expose the service via NodePort (use with caution in production)
Change the service type:
kubectl -n kubernetes-dashboard patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}'
Get the port:
kubectl get svc -n kubernetes-dashboard
kubectl -n kubernetes-dashboard get svc
Access URL:
https://<node-IP>:<NodePort>
Method 3: get the access URL
minikube service kubernetes-dashboard -n kubernetes-dashboard --url
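5. Log in to the Dashboard
- Select the Token login method
- Paste the token obtained in step 3
- Click Sign in
6. Security recommendations (mandatory for production)
Enable an HTTPS Ingress
Example Ingress configuration: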
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dashboard-ingress
  namespace: kubernetes-dashboard
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # ssl-passthrough only takes effect when the ingress-nginx controller
    # is started with --enable-ssl-passthrough
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - dashboard.example.com
    secretName: dashboard-tls
  rules:
  - host: dashboard.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: kubernetes-dashboard
            port:
              number: 443
Restrict source IPs
kubectl -n kubernetes-dashboard edit svc kubernetes-dashboard
Add the spec.loadBalancerSourceRanges field to specify the allowed IPs. This field is honored only for Services of type LoadBalancer.
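The Python sketch below is an added example, not part of the original post: it audits the two riskiest settings in this guide, the cluster-admin binding from step 2 and the NodePort exposure from method 2, using JSON shaped like `kubectl get ... -o json` output. The sample data is constructed and the function names are hypothetical.

```python
import json

# Constructed sample shaped like `kubectl get clusterrolebindings -o json` (not real cluster data).
BINDINGS = json.loads("""
{"items": [
  {"metadata": {"name": "admin-user"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount", "name": "admin-user", "namespace": "kubernetes-dashboard"}]},
  {"metadata": {"name": "dashboard-readonly"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "ServiceAccount", "name": "viewer", "namespace": "kubernetes-dashboard"}]},
  {"metadata": {"name": "no-subjects"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}, "subjects": null}
]}""")

# Constructed sample shaped like `kubectl -n kubernetes-dashboard get svc -o json`.
SERVICES = json.loads("""
{"items": [
  {"metadata": {"name": "kubernetes-dashboard"}, "spec": {"type": "NodePort"}},
  {"metadata": {"name": "dashboard-metrics-scraper"}, "spec": {"type": "ClusterIP"}}
]}""")

def admin_service_accounts(bindings, broad_roles=("cluster-admin",)):
    """ServiceAccounts bound to an overly broad ClusterRole, as (binding, namespace/name)."""
    hits = []
    for b in bindings.get("items", []):
        ref = b.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in broad_roles:
            continue
        for s in b.get("subjects") or []:  # a binding may have no subjects at all
            if s.get("kind") == "ServiceAccount":
                hits.append((b["metadata"]["name"], f"{s.get('namespace')}/{s['name']}"))
    return hits

def exposed_services(services):
    """NodePort Services, plus LoadBalancer Services without loadBalancerSourceRanges."""
    out = []
    for s in services.get("items", []):
        spec = s.get("spec", {})
        kind = spec.get("type", "ClusterIP")
        if kind == "NodePort" or (kind == "LoadBalancer" and not spec.get("loadBalancerSourceRanges")):
            out.append((s["metadata"]["name"], kind))
    return out

if __name__ == "__main__":
    for binding, sa in admin_service_accounts(BINDINGS):
        print(f"cluster-admin bound to ServiceAccount {sa} via {binding}")
    for name, kind in exposed_services(SERVICES):
        print(f"Service {name} is exposed as {kind}")
```

Against a live cluster, replace the constructed samples with the parsed output of the two kubectl commands named in the comments.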
7. Uninstall the Dashboard
kubectl delete -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
kubectl delete sa admin-user -n kubernetes-dashboard
kubectl delete clusterrolebinding admin-user
kubectl delete -f dashboard-adminuser.yaml
Alternative 1: uninstall using the Minikube addon
minikube addons disable dashboard
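This removes the Dashboard-related resources.
Troubleshooting common problems
Problem 1: invalid token
Check whether the token has expired (default validity is 2 hours) and generate a new one:
kubectl -n kubernetes-dashboard create token admin-user --duration=24h # extend the validity period
Make sure the ServiceAccount and ClusterRoleBinding were created correctly: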
kubectl get sa -n kubernetes-dashboard
kubectl get clusterrolebinding admin-user
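Problem 2: cannot access the Dashboard
Check the firewall rules:
sudo ufw allow 6443/tcp # if using NodePort, replace with the actual port
Make sure kubectl proxy is running (if deployed manually).
Check that Minikube is running normally: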
minikube status
Problem 3: certificate error
Add an exception in the browser, or use a self-signed certificate:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout dashboard.key -out dashboard.crt -subj "/CN=dashboard.example.com"
kubectl -n kubernetes-dashboard create secret tls dashboard-tls --key=dashboard.key --cert=dashboard.crt
Problem 4: other problems
Try restarting Minikube:
minikube stop
minikube start
Dashboard fails to pull images
# Check the service status
kubectl describe pod dashboard-metrics-scraper -n kubernetes-dashboard
# Pull the images manually
minikube ssh
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/metrics-scraper:v1.0.8
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/dashboard:v2.7.0
# The images were pulled from Alibaba Cloud, so they need to be re-tagged -> docker.io/
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/metrics-scraper:v1.0.8 docker.io/kubernetesui/metrics-scraper:v1.0.8
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/dashboard:v2.7.0 kubernetesui/dashboard:v2.7.0
# Further troubleshooting: replace the @sha256 digest in the image name with a plain tag
# Remove the @sha characters
kubectl edit deployment kubernetes-dashboard -n kubernetes-dashboard
kubectl edit deployment dashboard-metrics-scraper -n kubernetes-dashboard
Dashboard cannot be accessed
# Check the service status
kubectl -n kubernetes-dashboard get pods
# Generate a new token
kubectl -n kubernetes-dashboard create token admin-user
Using HTTP
Edit the Dashboard deployment:
kubectl -n kubernetes-dashboard edit deployment kubernetes-dashboard
Add the --enable-insecure-login argument in the args section:
args:
  - --auto-generate-certificates
  - --enable-insecure-login # add this line
Change the Service to HTTP:
kubectl -n kubernetes-dashboard edit service kubernetes-dashboard
Change targetPort: 8443 to targetPort: 9090