ExMan

Kubernetes Dashboard: Installation and Pitfalls 【h】

 

1. Preface

 

https://github.com/kubernetes/dashboard/releases

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml

Kubernetes Dashboard is a general purpose, web-based UI for Kubernetes clusters. It allows users to manage applications running in the cluster and troubleshoot them, as well as manage the cluster itself.

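Kubernetes Dashboard in one sentence
Kubernetes Dashboard is the web UI for a k8s cluster; it brings together every operation that can be performed from the command line. The interface looks like this (PS: it is currently auto-detected as the Chinese version):

[Image: dashboard-ui.png]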

 

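2. Installation

Installing the k8s dashboard is very simple; just follow the instructions on GitHub. The project is at:

https://github.com/kubernetes/dashboard

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

Installing it this way, however, runs into a few problems:

  1. The image cannot be reached directly from inside China; a docker proxy has to be set up before the image can be downloaded
  2. The dashboard's default web UI certificate is generated automatically; because of problems with its validity time and name, Chrome and IE cannot open the login page, while in testing Firefox opens it normally

2.1 Set up a docker proxy

The docker image for the k8s dashboard is
k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.0
Before running kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml, set up the docker proxy first

The following script makes it easy to switch the docker proxy on and off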

#!/bin/bash

# Set this to your proxy address
proxy_ip="http://192.168.246.1:1080"
# Set this to the host network that should bypass the proxy
proxy_none_ip="192.168.0.0/16"

# Text inserted before ExecStart; the trailing backslash continues sed's "i" text.
# NO_PROXY is one comma-separated entry: a second NO_PROXY line would override the first.
proxy='Environment="HTTPS_PROXY='${proxy_ip}'"\
Environment="NO_PROXY=127.0.0.0/8,'${proxy_none_ip}'"'
DOCKER_CONF="/usr/lib/systemd/system/docker.service"
#DOCKER_CONF="docker.service"
if [ ! -e "$DOCKER_CONF" ]; then
    echo "INFO: $DOCKER_CONF not found"
    exit 2
fi
# Reload systemd units and restart docker so the change takes effect
func_reload(){
    systemctl daemon-reload
    systemctl restart docker
    echo "INFO#: docker-reload finished!"
}
# Insert the proxy settings unless the unit file already contains some
func_proxy_on(){
    if grep -q PROXY "$DOCKER_CONF"; then
        echo "INFO#: docker proxy may be on : "
        echo ""
        grep PROXY "$DOCKER_CONF"
        echo ""
    else
        echo "INFO: docker proxy on"
        sed -i "/^ExecStart=/i${proxy}" "$DOCKER_CONF"
        func_reload
    fi
}

# Remove every line that mentions PROXY from the unit file
func_proxy_off(){
    if grep -q PROXY "$DOCKER_CONF"; then
        echo "INFO: docker proxy off"
        sed -i "/PROXY/d" "$DOCKER_CONF"
        func_reload
    else
        echo "INFO: docker proxy already off"
    fi
}

case $1 in
    on)
      func_proxy_on
      ;;
    off)
      func_proxy_off
      ;;
    *)
      echo "usage: $(basename "$0") {on|off}"
      exit 1
      ;;
esac

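In the script above, replace proxy_ip="http://192.168.246.1:1080" with your own proxy address, save it as dockersetproxy.sh, and make it executable with chmod +x dockersetproxy.sh.
Then run kubectl apply -f https://...... (see the command above).
If the download succeeds, docker image ls should show something like this: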

[root@master ~]# docker image ls
REPOSITORY                              TAG                 IMAGE ID            CREATED             SIZE
k8s.gcr.io/kube-proxy                   v1.12.3             ab97fa69b926        2 weeks ago         96.5 MB
k8s.gcr.io/kube-apiserver               v1.12.3             6b54f7bebd72        2 weeks ago         194 MB
k8s.gcr.io/kube-controller-manager      v1.12.3             c79022eb8bc9        2 weeks ago         164 MB
k8s.gcr.io/kube-scheduler               v1.12.3             5e75513787b1        2 weeks ago         58.3 MB
k8s.gcr.io/etcd                         3.2.24              3cab8e1b9802        2 months ago        220 MB
k8s.gcr.io/coredns                      1.2.2               367cdc8433a4        3 months ago        39.2 MB
k8s.gcr.io/kubernetes-dashboard-amd64   v1.10.0             0dab2435c100        3 months ago        122 MB
quay.io/coreos/flannel                  v0.10.0-amd64       f0fad859c909        10 months ago       44.6 MB
k8s.gcr.io/pause                        3.1                 da86e6ba6ca1        11 months ago       742 kB

k8s.gcr.io/kubernetes-dashboard-amd64 is the docker image that was downloaded.
Once the download completes, the k8s dashboard should be up and running, but at this point we still cannot reach it.

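2.2 Change the service to NodePort to access the k8s dashboard

Tip: since all of the following operations take place in the kube-system namespace, you can define the alias ksys=kubectl -n kube-system and then use ksys to work in that namespace
Command: alias ksys='kubectl -n kube-system'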

[root@master ~]# alias ksys='kubectl -n kube-system'
[root@master ~]# ksys get svc
NAME                   TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)         AGE
kube-dns               ClusterIP   10.96.0.10     <none>        53/UDP,53/TCP   15d
kubernetes-dashboard   ClusterIP   10.106.68.90   <none>        443/TCP         15s
[root@master ~]# 

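As you can see, the kubernetes-dashboard service is internal to the cluster and cannot be reached from outside. To make access convenient, we expose kubernetes-dashboard port 443 through a NodePort
Edit the service directly with ksys edit svc kubernetes-dashboard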

[root@master ~]# ksys edit svc kubernetes-dashboard

Find the type field and change ClusterIP to NodePort

spec:
  clusterIP: 10.106.68.90
  ports:
  - port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  sessionAffinity: None
  type: ClusterIP ## <------ change to NodePort
status:
  loadBalancer: {}

Save and exit with wq, then look at the service again

[root@master ~]# ksys get svc
NAME                   TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)         AGE
kube-dns               ClusterIP   10.96.0.10     <none>        53/UDP,53/TCP   15d
kubernetes-dashboard   NodePort    10.106.68.90   <none>        443:32248/TCP   4m41s
[root@master ~]# 

The NodePort is currently the randomly assigned 32248. Check the node's IP address with ifconfig; this node's IP is 192.168.246.200

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
        ether 02:42:3a:a2:76:1f  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.246.200  netmask 255.255.255.0  broadcast 192.168.246.255
        inet6 fe80::1d7c:9fdf:c738:7459  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:21:65:3b  txqueuelen 1000  (Ethernet)
        RX packets 10074  bytes 1051745 (1.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10716  bytes 7583211 (7.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
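
Changing the type to NodePort opens port 32248 on every node's address, not only on 192.168.246.200, so it helps to keep track of which services are exposed this way. The following is an added example, not part of the original post: it reads kubectl get svc output and lists each NodePort mapping. The function names are hypothetical, and the sample table is the output shown above.

```shell
#!/bin/sh
# Added example. Reads "kubectl get svc" output on stdin (with or without -A)
# and prints one line per NodePort mapping:
#   [namespace/]name port nodePort protocol

nodeport_exposures() {
    awk '
    NR == 1 {                                  # map column names to positions
        for (i = 1; i <= NF; i++) col[$i] = i
        next
    }
    $(col["TYPE"]) == "NodePort" {
        # NAMESPACE column only exists when kubectl was run with -A
        ns = ("NAMESPACE" in col) ? $(col["NAMESPACE"]) "/" : ""
        # PORT(S) may hold several mappings: 80:30080/TCP,443:30443/TCP
        n = split($(col["PORT(S)"]), maps, ",")
        for (j = 1; j <= n; j++) {
            split(maps[j], p, "[:/]")          # port:nodePort/protocol
            print ns $(col["NAME"]), p[1], p[2], p[3]
        }
    }'
}

# Sample input: the service table shown on this page
sample_svc_table() {
    cat <<'EOF'
NAME                   TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)         AGE
kube-dns               ClusterIP   10.96.0.10     <none>        53/UDP,53/TCP   15d
kubernetes-dashboard   NodePort    10.106.68.90   <none>        443:32248/TCP   4m41s
EOF
}
```

On a live cluster, pipe kubectl get svc -A into nodeport_exposures instead of the sample table.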

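Accessing it with Chrome, it turned out that I could not proceed, as shown below:

[Screenshot: image.png]

Accessing it with the 360 browser, it could not be reached at all

[Screenshot: image.png]

Testing with IE, QQ and other browsers, none of them could access it.
Testing with the curl command on a Windows machine confirmed that the network and the port are reachable.

[Screenshot: image.png]

Is there really no solution?
Trying Firefox next, the certificate turned out to have been issued in January of the year 0001

[Screenshot: image.png]

After adding an exception, it actually opened normally.

[Screenshot: image.png]

Is that the end of it? Looking at the certificate in Firefox, I suspect that the other browsers fail to open the page because the certificate has expired.

[Screenshot: image.png]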

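2.2 Fixing the expired-certificate problem

2.2.1 First, generate a certificate

A self-signed certificate generated with openssl is enough, so I won't go into detail; for reference: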

[root@master keys]# pwd
/root/keys
[root@master keys]# ls
[root@master keys]# openssl genrsa -out dashboard.key 2048
Generating RSA private key, 2048 bit long modulus
.+++
.................................................+++
e is 65537 (0x10001)
[root@master keys]# openssl req -new -out dashboard.csr -key dashboard.key -subj '/CN=192.168.246.200'
[root@master keys]# ls
dashboard.csr  dashboard.key
[root@master keys]# 
[root@master keys]# openssl x509 -req -in dashboard.csr -signkey dashboard.key -out dashboard.crt 
Signature ok
subject=/CN=192.168.246.200
Getting Private key
[root@master keys]# 
[root@master keys]# ls
dashboard.crt  dashboard.csr  dashboard.key
[root@master keys]# 
[root@master keys]# openssl x509 -in dashboard.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            f0:8a:26:aa:9f:24:bf:92
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=192.168.246.200
        Validity
            Not Before: Dec 13 08:10:36 2018 GMT
            Not After : Jan 12 08:10:36 2019 GMT
        Subject: CN=192.168.246.200
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:f6:7a:b4:4a:ad:bd:b3:00:9c:d1:fe:06:2d:09:
                    cf:eb:28:54:0f:3f:6e:dc:29:6b:67:e1:9b:58:e4:
                    82:
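
The certificate shown above is X.509 version 1, carries the node address only in the CN, and, because no -days was given, is valid only from Dec 13 2018 to Jan 12 2019. Current Chrome releases match the address against subjectAltName and ignore the CN. The following added example, not part of the original post, generates a v3 certificate with an IP SAN and an explicit lifetime, then checks both properties. The function names are hypothetical, and it assumes OpenSSL 1.1.1 or later for -addext.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSL 1.1.1+ (-addext).

# make_dashboard_cert IP DIR [DAYS]
# Writes DIR/dashboard.key and DIR/dashboard.crt: self-signed, X.509 v3,
# node IP in subjectAltName, explicit lifetime (default 365 days).
make_dashboard_cert() {
    ip="$1"; dir="$2"; days="${3:-365}"
    (
        umask 077                      # private key readable by its owner only
        openssl req -x509 -newkey rsa:2048 -nodes \
            -keyout "$dir/dashboard.key" -out "$dir/dashboard.crt" \
            -days "$days" -subj "/CN=$ip" \
            -addext "subjectAltName = IP:$ip" 2>/dev/null
    )
}

# check_dashboard_cert CRT IP
# Prints "ok", "expired" or "san-mismatch"; returns non-zero on a problem.
check_dashboard_cert() {
    crt="$1"; ip="$2"
    # -checkend 0 fails when notAfter is already in the past
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null; then
        echo "expired"; return 1
    fi
    # SAN entries are printed comma-separated; compare each one exactly
    if ! openssl x509 -in "$crt" -noout -text | tr ',' '\n' |
         sed 's/^ *//; s/ *$//' | grep -qFx "IP Address:$ip"; then
        echo "san-mismatch"; return 1
    fi
    echo "ok"
}
```

Run check_dashboard_cert against a certificate before loading it into the dashboard; a CN-only certificate like the one in the session above reports san-mismatch.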
