
Installing and Deploying Kubernetes Dashboard

The detailed steps for installing and deploying Kubernetes Dashboard are as follows:


1. Deploy Kubernetes Dashboard

# Deploy the latest Dashboard (compatible with Kubernetes v1.22+)
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml

2. Create an administrator service account

Create the file dashboard-adminuser.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard

Apply the configuration:

kubectl apply -f dashboard-adminuser.yaml

Create the administrator account manually

# Create the administrator account
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
EOF

# Bind the role
cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
EOF

3. Get the access token

kubectl -n kubernetes-dashboard create token admin-user

Copy the token from the output; it is used to log in.


4. Access the Dashboard

Method 1: port forwarding (temporary testing)

kubectl proxy
# or run it in the background:
kubectl proxy &

Access URL:
http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/

Method 2: expose the service via NodePort (use with caution in production)

Change the service type:

kubectl -n kubernetes-dashboard patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}'

Get the port:

kubectl -n kubernetes-dashboard get svc

Access URL:
https://<node-IP>:<NodePort>

Method 3: get the access URL

minikube service kubernetes-dashboard -n kubernetes-dashboard --url

5. Log in to the Dashboard

  1. Select the Token login method
  2. Paste the token obtained in step 3
  3. Click Sign in

6. Security recommendations (mandatory in production)

Enable an HTTPS Ingress

Example Ingress configuration:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dashboard-ingress
  namespace: kubernetes-dashboard
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - dashboard.example.com
    secretName: dashboard-tls
  rules:
  - host: dashboard.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: kubernetes-dashboard
            port:
              number: 443

Restrict access by IP

kubectl -n kubernetes-dashboard edit svc kubernetes-dashboard

Add the spec.loadBalancerSourceRanges field to specify the allowed IPs.


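7. Uninstall Dashboard

kubectl delete -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
# The admin-user ClusterRoleBinding is cluster-scoped and is not part of recommended.yaml,
# so it has to be deleted separately, by name:
kubectl delete sa admin-user -n kubernetes-dashboard
kubectl delete clusterrolebinding admin-user
# or with the manifest from step 2 (equivalent to the two commands above):
kubectl delete -f dashboard-adminuser.yaml

Alternative 1: uninstall with the Minikube addon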

minikube addons disable dashboard

This deletes the Dashboard-related resources.


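Troubleshooting common problems

Problem 1: Invalid token

Check whether the token has expired (the default validity is 2 hours) and generate a new one:

kubectl -n kubernetes-dashboard create token admin-user --duration=24h  # extend the validity period

Make sure the ServiceAccount and ClusterRoleBinding were created correctly: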

kubectl get sa -n kubernetes-dashboard
kubectl get clusterrolebinding admin-user

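Problem 2: Cannot access the Dashboard

Check the firewall rules:

sudo ufw allow 6443/tcp  # if you use NodePort, replace this with the actual port

Make sure kubectl proxy is running (if deployed manually). Check that Minikube is running properly: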

minikube status

Problem 3: Certificate error

Add an exception in the browser, or use a self-signed certificate:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout dashboard.key -out dashboard.crt -subj "/CN=dashboard.example.com"
kubectl -n kubernetes-dashboard create secret tls dashboard-tls --key=dashboard.key --cert=dashboard.crt

Problem 4: Other problems

Try restarting Minikube:

minikube stop
minikube start

Dashboard fails to pull images

# Check the service status
kubectl describe pod dashboard-metrics-scraper -n kubernetes-dashboard
# Pull the images manually
minikube ssh
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/metrics-scraper:v1.0.8
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/dashboard:v2.7.0

# The images were downloaded from Alibaba Cloud, so they need to be retagged -> docker.io/
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/metrics-scraper:v1.0.8 docker.io/kubernetesui/metrics-scraper:v1.0.8
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/dashboard:v2.7.0 kubernetesui/dashboard:v2.7.0

# Further troubleshooting: replace the @sha256 digest in the image name with a plain tag
# Delete the @sha characters
kubectl edit deployment kubernetes-dashboard -n kubernetes-dashboard
kubectl edit deployment dashboard-metrics-scraper -n kubernetes-dashboard

Dashboard cannot be accessed

# Check the service status
kubectl -n kubernetes-dashboard get pods

# Regenerate the token
kubectl -n kubernetes-dashboard create token admin-user

HTTP protocol

Edit the Dashboard deployment:

kubectl -n kubernetes-dashboard edit deployment kubernetes-dashboard

Add the --enable-insecure-login argument to the args section:

args:
  - --auto-generate-certificates
  - --enable-insecure-login  # add this line

Change the Service to HTTP:

kubectl -n kubernetes-dashboard edit service kubernetes-dashboard

Change targetPort: 8443 to targetPort: 9090
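
Added example (not part of the original guide or of the Dashboard project): a Python check that reads JSON such as the output of `kubectl get svc,deploy,clusterrolebinding -n kubernetes-dashboard -o json` and reports the settings from this guide that widen exposure: the cluster-admin binding, the NodePort service, --enable-insecure-login, and images no longer pinned by digest. The function name audit and the embedded sample are constructed for illustration.

```python
import json

NS = "kubernetes-dashboard"

def audit(items):
    """Return findings for the risky settings this guide can leave behind."""
    out = []
    for obj in items:
        kind, meta = obj.get("kind"), obj.get("metadata", {})
        name, spec = meta.get("name", "?"), obj.get("spec", {})
        in_ns = meta.get("namespace") == NS
        if kind == "ClusterRoleBinding" and obj.get("roleRef", {}).get("name") == "cluster-admin":
            for s in obj.get("subjects") or []:
                if s.get("kind") == "ServiceAccount" and s.get("namespace") == NS:
                    out.append(f"crb/{name}: {s.get('name')} bound to cluster-admin")
        elif kind == "Service" and in_ns:
            stype = spec.get("type", "ClusterIP")
            if stype == "NodePort":
                out.append(f"svc/{name}: NodePort exposes the Dashboard on every node")
            elif stype == "LoadBalancer" and not spec.get("loadBalancerSourceRanges"):
                out.append(f"svc/{name}: LoadBalancer without loadBalancerSourceRanges")
        elif kind == "Deployment" and in_ns:
            for c in spec.get("template", {}).get("spec", {}).get("containers", []):
                if "--enable-insecure-login" in (c.get("args") or []):
                    out.append(f"deploy/{name}: --enable-insecure-login is set")
                if "@sha256:" not in c.get("image", ""):
                    out.append(f"deploy/{name}: image {c.get('image')} not pinned by digest")
    return out

# Constructed sample input (not captured from a real cluster).
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "admin-user"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "admin-user",
                "namespace": "kubernetes-dashboard"}]},
 {"kind": "Service",
  "metadata": {"name": "kubernetes-dashboard", "namespace": "kubernetes-dashboard"},
  "spec": {"type": "NodePort"}},
 {"kind": "Deployment",
  "metadata": {"name": "kubernetes-dashboard", "namespace": "kubernetes-dashboard"},
  "spec": {"template": {"spec": {"containers": [
    {"image": "kubernetesui/dashboard:v2.7.0",
     "args": ["--auto-generate-certificates", "--enable-insecure-login"]}]}}}}
]}
""")
if __name__ == "__main__":
    for finding in audit(SAMPLE["items"]):
        print("FINDING:", finding)
```

To check a live cluster, replace SAMPLE with json.load(sys.stdin) and pipe the kubectl output into the script; an empty result means none of these four settings is present.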