# Installing and Deploying Kubernetes Dashboard

The steps below install and deploy Kubernetes Dashboard:

---

### **1. Deploy Kubernetes Dashboard**
```bash
# Deploy the Dashboard (v2.7.0 manifest; compatible with Kubernetes v1.22+)
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
```
---

### **2. Create an admin service account**
Create the file `dashboard-adminuser.yaml`:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
```
Apply the configuration:
```bash
kubectl apply -f dashboard-adminuser.yaml
```
Alternatively, create the same admin account manually without a file:

```bash
# Create the admin account
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
EOF

# Bind the role
cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
EOF
```
---

### **3. Get an access token**
```bash
kubectl -n kubernetes-dashboard create token admin-user
```
Copy the token from the output; it is used to log in.
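
A narrower alternative to the `cluster-admin` binding in step 2, as an added example that is not part of the original page: it grants read-only access to a single namespace through the built-in `view` ClusterRole. The account name `dashboard-viewer` and the function `viewer_manifest` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: emit a manifest for a read-only Dashboard login limited to one namespace.
# "dashboard-viewer" is a hypothetical account name; "view" is the built-in
# read-only ClusterRole (it does not grant access to Secrets).
viewer_manifest() {
  ns="$1"
  # Accept only DNS-label characters so the argument cannot alter the YAML structure.
  case "$ns" in
    ''|*[!a-z0-9-]*|-*|*-) echo "invalid namespace: $ns" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-viewer
  namespace: kubernetes-dashboard
---
# RoleBinding (not ClusterRoleBinding): the grant applies only inside ${ns}.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dashboard-viewer
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: dashboard-viewer
  namespace: kubernetes-dashboard
EOF
}

# Print the manifest for the "default" namespace.
viewer_manifest default

# Against a live cluster:
#   viewer_manifest default | kubectl apply -f -
#   kubectl -n kubernetes-dashboard create token dashboard-viewer --duration=1h
```
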

---

### **4. Access the Dashboard**
#### **Option 1: kubectl proxy (temporary testing)**
```bash
# Run in the foreground (Ctrl+C to stop) ...
kubectl proxy
# ... or in the background (run only one of the two)
kubectl proxy &
```
URL:  
http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/

#### **Option 2: Expose the service via NodePort (use with caution in production)**
Change the service type:
```bash
kubectl -n kubernetes-dashboard patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}'
```
Get the port:
```bash
kubectl -n kubernetes-dashboard get svc
```
URL:  
`https://<node-IP>:<NodePort>`

#### **Option 3: Get the access URL (Minikube)**
```bash
minikube service kubernetes-dashboard -n kubernetes-dashboard --url
```
---

### **5. Log in to the Dashboard**
1. Select the **Token** login method
2. Paste the token obtained in step 3
3. Click Sign in

---

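### **6. Security recommendations (required for production)**
#### **Enable an HTTPS Ingress**
Example Ingress configuration for ingress-nginx. The `ssl-passthrough` annotation only takes effect when the controller runs with `--enable-ssl-passthrough`; in passthrough mode the controller forwards the TLS connection unmodified, so the Dashboard's own certificate is served and the `tls` secret is not used for termination: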
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dashboard-ingress
  namespace: kubernetes-dashboard
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - dashboard.example.com
    secretName: dashboard-tls
  rules:
  - host: dashboard.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: kubernetes-dashboard
            port:
              number: 443
```

#### **Restrict source IPs**
```bash
kubectl -n kubernetes-dashboard edit svc kubernetes-dashboard
```
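Add the `spec.loadBalancerSourceRanges` field to list the allowed IP ranges (CIDR). The field is only honored when the Service is of type `LoadBalancer`; for a NodePort Service, restrict the port with node firewall rules instead.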

---

### **7. Uninstall the Dashboard**
```bash
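# Delete the admin account first: the ClusterRoleBinding is cluster-scoped and
# is not removed together with the namespace.
kubectl delete clusterrolebinding admin-user --ignore-not-found
kubectl delete sa admin-user -n kubernetes-dashboard --ignore-not-found
# Equivalent, if you created them from the file:
# kubectl delete -f dashboard-adminuser.yaml --ignore-not-found
# Then delete the Dashboard itself (including its namespace)
kubectl delete -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml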
```

**Alternative: uninstall via the Minikube addon**
```bash
minikube addons disable dashboard
```
This removes the Dashboard resources.
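
An audit to run after uninstalling (or at any time), added here and not part of the original page: it lists every ServiceAccount that a ClusterRoleBinding ties to `cluster-admin`, such as the `admin-user` binding from step 2. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find ServiceAccounts that hold cluster-admin through a ClusterRoleBinding.

# Live input. One line per binding:
#   <binding>\t<roleRef.name>\t<Kind:namespace/name,Kind:namespace/name,...>
list_bindings() {
  kubectl get clusterrolebindings -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.roleRef.name}{"\t"}{range .subjects[*]}{.kind}:{.namespace}/{.name}{","}{end}{"\n"}{end}'
}

# Read those lines on stdin and print "<binding> <namespace>/<serviceaccount>"
# for every ServiceAccount subject of a binding whose role is cluster-admin.
flag_admin_serviceaccounts() {
  awk -F'\t' '$2 == "cluster-admin" {
    n = split($3, subj, ",")
    for (i = 1; i <= n; i++)
      if (subj[i] ~ /^ServiceAccount:/) {
        sub(/^ServiceAccount:/, "", subj[i])
        print $1, subj[i]
      }
  }'
}

# Constructed sample in the same format (not captured from a real cluster).
SAMPLE_BINDINGS=$(printf '%s\t%s\t%s\n' \
  'cluster-admin' 'cluster-admin' 'Group:/system:masters,' \
  'admin-user' 'cluster-admin' 'ServiceAccount:kubernetes-dashboard/admin-user,' \
  'kubernetes-dashboard' 'kubernetes-dashboard' 'ServiceAccount:kubernetes-dashboard/kubernetes-dashboard,')

# Offline demonstration on the sample; prints the admin-user binding only.
printf '%s\n' "$SAMPLE_BINDINGS" | flag_admin_serviceaccounts

# Against a live cluster:
#   list_bindings | flag_admin_serviceaccounts
```
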

---

### **Troubleshooting**
#### **Issue 1: Invalid token**
Check whether the token has expired (default validity: 2 hours) and generate a new one:
```bash
kubectl -n kubernetes-dashboard create token admin-user --duration=24h  # extend the validity period
```
Make sure the ServiceAccount and ClusterRoleBinding were created correctly:
```bash
kubectl get sa -n kubernetes-dashboard
kubectl get clusterrolebinding admin-user
```

#### **Issue 2: Cannot connect**
Check the firewall rules:
```bash
sudo ufw allow 6443/tcp  # if using NodePort, replace with the actual port
```
Make sure `kubectl proxy` is running (if you deployed manually).

Check that Minikube is running normally:
```bash
minikube status
```

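#### **Issue 3: Certificate errors**
Add an exception in the browser, or create a self-signed certificate and store it as the `dashboard-tls` secret: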
```bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout dashboard.key -out dashboard.crt -subj "/CN=dashboard.example.com"
kubectl -n kubernetes-dashboard create secret tls dashboard-tls --key=dashboard.key --cert=dashboard.crt
```
#### **Issue 4: Other problems**
Try restarting Minikube:
```bash
minikube stop
minikube start
```
#### **Dashboard image pull fails**
```bash
# Check why the pod is failing
kubectl describe pod dashboard-metrics-scraper -n kubernetes-dashboard
# Pull the images manually (run the docker commands below inside the Minikube node)
minikube ssh
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/metrics-scraper:v1.0.8
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/dashboard:v2.7.0

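# The images came from the Aliyun mirror, so retag them to the docker.io/ names the manifests expect
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/metrics-scraper:v1.0.8 docker.io/kubernetesui/metrics-scraper:v1.0.8
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/dashboard:v2.7.0 docker.io/kubernetesui/dashboard:v2.7.0

# If the pods still fail to pull: replace the @sha256 digest in the image name with a plain tag
# (delete the @sha256:... part). This drops the digest pin, so the node runs whatever
# local image carries that tag.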
kubectl edit deployment kubernetes-dashboard -n kubernetes-dashboard
kubectl edit deployment dashboard-metrics-scraper -n kubernetes-dashboard

```

#### **Dashboard is unreachable**
```bash
# Check the pod status
kubectl -n kubernetes-dashboard get pods

# Generate a new token
kubectl -n kubernetes-dashboard create token admin-user
```
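#### **Serving over HTTP**
Over plain HTTP the login token is sent unencrypted, so keep this to an isolated test cluster. Edit the Dashboard deployment: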
```bash
kubectl -n kubernetes-dashboard edit deployment kubernetes-dashboard
```
Add the `--enable-insecure-login` argument to the `args` section:
```yaml
args:
  - --auto-generate-certificates
  - --enable-insecure-login  # add this line
```

Switch the Service to HTTP:
```bash
kubectl -n kubernetes-dashboard edit service kubernetes-dashboard
```
Change `targetPort: 8443` to `targetPort: 9090`.

---