参考:在centos stream 9上搭建k8s最新版本(当前:v1.26.1)集群环境
查找dashboard 对应的版本
https://github.com/kubernetes/dashboard/releases
下载 kubernetes-dashboard.yaml 使用的2.7.0
wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml -O kubernetes-dashboard.yaml
-------------------------------------
spec:
ports:
- port: 443
targetPort: 8443
nodePort: 30001
type: NodePort
selector:
k8s-app: kubernetes-dashboard
-------------------------------------
添加
nodePort: 30001
type: NodePort
-------------------------------安装dashboard
kubectl apply -f kubernetes-dashboard.yaml
创建用户
wget https://raw.githubusercontent.com/cby-chen/Kubernetes/main/yaml/dashboard-user.yaml
kubectl apply -f dashboard-user.yaml
创建登录Token,过期了再重新创建
kubectl -n kubernetes-dashboard create token admin-user
放到一个变量里,后面生成kubeconfig时可以用
DASH_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
修改k8s dashboard token认证的过期时间
两种方法修改k8s dashboard token认证的过期时间
重新生成token
[root@k8s-master01 ~]# kubeadm token create
xxxxxxxxxxxxxxxx
查看token
- [root@k8s-master01 ~]# kubeadm token list
- TOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS
- o66dni.mhu79izcjwqn5h4z 23h 2023-11-11T00:59:02Z authentication,signing <none> system:bootstrappers:kubeadm:default-node-token
获取集群名称
[root@k8s-master01 pki]# kubectl cluster-info dump |grep cluster-name
"--cluster-name=kubernetes",
生成dashboard-admin.kubeconfig配置文件
K8S-Dashbord部署、Token、Kubeconfig认证登录
$kubectl config set-cluster kubernetes
--certificate-authority=/etc/kubernetes/pki/
--embed-certs=true
--server=https://192.168.221.131:6443
--kubeconfig=dashboard-admin.kubeconfig
$DASH_TOKEN前面已设置了该变量
$kubectl config set-credentials dashboard-admin
--token=$DASH_TOKEN
--kubeconfig=dashboard-admin.kubeconfig
$kubectl config set-context dashboard-admin@kubernetes
--cluster=kubernetes
--user=dashboard-admin
--kubeconfig=dashboard-admin.kubeconfig
$kubectl config use-context dashboard-admin@kubernetes --kubeconfig=dashboard-admin.kubeconfig
普通用户
创建ServiceAccount
[root@master01 dashboard]# cat developer-sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: "2023-12-06T01:50:51Z"
name: developer
namespace: develop
resourceVersion: "5328458"
uid: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
配置普通用户角色
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"creationTimestamp":null,"name":"developer","namespace":"develop"},"rules":[{"apiGroups":[""],"resources":["pods","services"],"verbs":["list","get","watch","create","delete","patch"]},{"apiGroups":["apps"],"resources":["deployments"],"verbs":["list","get","watch","create","delete","patch"]},{"apiGroups":[""],"resources":["namespaces"],"verbs":["list","get","watch"]}]}
creationTimestamp: "2023-12-06T02:23:32Z"
name: developer
namespace: develop
resourceVersion: "11102812"
uid: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
rules:
- apiGroups:
- ""
resources:
- pods
- pods/log
- pods/exec
- services
verbs:
- list
- get
- watch
- create
- delete
- patch
- apiGroups:
- apps
resources:
- deployments
- replicasets
verbs:
- list
- get
- watch
- create
- delete
- patch
- apiGroups:
- batch
- batch/v1
resources:
- jobs
verbs:
- list
- get
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- list
- get
- watch
角色绑定
[root@master01 dashboard]# cat developer-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"creationTimestamp":null,"name":"developer-rolebinding","namespace":"develop"},"roleRef":{"apiGroup":"","kind":"Role","name":"developer"},"subjects":[{"apiGroup":"","kind":"User","name":"developer"}]}
creationTimestamp: "2023-12-06T02:23:36Z"
name: developer-rolebinding
namespace: develop
resourceVersion: "11086248"
uid: xxxxxxxxxxxxxxxxxxxxxx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: developer
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: developer
- kind: ServiceAccount
name: developer
获取普通用户token
kubectl -n develop create token developer
登录Dashboard
选择不了命名空间,直接输入develop
右边显示的是serviceaccount
