Kubernetes Dashboard Installation

Source repository

GitHub

Versions

dashboard v2.0.5

dashboard v2.0.0-beta5 —> kubernetes 1.16
dashboard v2.0.0 —> kubernetes 1.18
dashboard v2.0.1 —> kubernetes 1.18
dashboard v2.0.2 —> kubernetes 1.18
dashboard v2.0.3 —> kubernetes 1.18
dashboard v2.0.4 —> kubernetes 1.19
dashboard v2.0.5 —> kubernetes 1.19
dashboard v2.1.0 —> kubernetes 1.20
dashboard v2.2.0 —> kubernetes 1.20
dashboard v2.3.0 —> kubernetes 1.21
dashboard v2.3.1 —> kubernetes 1.21

Install from the official configuration file

$ wget https://binglog.com/wp-content/uploads/myfile/dashboard-v2.0.5.yaml

kubernetes-dashboard.yaml

# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard

---

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30001
  selector:
    k8s-app: kubernetes-dashboard

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
type: Opaque
data:
dashboard.crt: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVuakNDQTRhZ0F3SUJBZ0lVS1Z2aGMvem1tS3ZlSEpXK1JsZkwrR29PUS9Fd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1lqRUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFXcHBibWN4RURBT0JnTlZCQWNUQjJKbAphV3BwYm1jeER6QU5CZ05WQkFvVEJuTnZlWFZoYmpFTk1Bc0dBMVVFQ3hNRWMzQjZiREVQTUEwR0ExVUVBeE1HCmMyOTVkV0Z1TUI0WERUSXlNREV5TXpBM016Y3dNRm9YRFRNeU1ERXlNVEEzTXpjd01Gb3daVEVMTUFrR0ExVUUKQmhNQ1EwNHhFREFPQmdOVkJBZ1RCMEpsYVVwcGJtY3hFREFPQmdOVkJBY1RCMEpsYVVwcGJtY3hEREFLQmdOVgpCQW9UQTJzNGN6RVBNQTBHQTFVRUN4TUdVM2x6ZEdWdE1STXdFUVlEVlFRREV3cHJkV0psY201bGRHVnpNSUlCCklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF6NTM3bmRkeHMzQ1Z4ZGIrOXFKajBzUVoKQ1FnTmdxU3FGS3lFNkFzc2VHcHFmdnZCKzhBUUtLZ0V6VG1rRWdYa0xrWmJkd1lHeFQzU09Nd2ZUNjd6WWZKMgprQ1FtcmxRWExsdXlnMUtLM2RPQ2tDN0NPSHZHbG1YNzlCV0Q0b1BPMTJkU0NBR1VCTXVJM2VlSW03c1hlSW4wCnNydHNnUTJzOW9lWTNTTzVkS1hTNy9TcUUxWG9pYUxvRlMvaU5YVWNvaDRGVG9qMkFTc3FHNlRpUXgzQmpWd2gKRlBHZFVFZ2FwQlJCQXQ5TzlQUXV5S1V3Q1RBSHdHc1ZVQjRSMlJLSE5yc0xFUWxjcVFHcTJHTnlVUG9xTnpCLwpJWlo1VDllMnExNmEwc0J0dWszb0RIK2FZOGJ1ckxqbE9sWnd5eFJaUGt5KzBBb3ptY1JUMU9jOWdTcnVXd0lECkFRQUJvNElCUnpDQ0FVTXdEZ1lEVlIwUEFRSC9CQVFEQWdXZ01CMEdBMVVkSlFRV01CUUdDQ3NHQVFVRkJ3TUIKQmdnckJnRUZCUWNEQWpBTUJnTlZIUk1CQWY4RUFqQUFNQjBHQTFVZERnUVdCQlJQOGJCVUhrYlBTN1dtN3VFVwpmZXplelhKUmNEQWZCZ05WSFNNRUdEQVdnQlN1NVYwa1F4eGNYTXFnRTlOdGlDNTd1cmJUV2pDQnd3WURWUjBSCkJJRzdNSUc0Z2hSbmFYUnNZV0l1YzI5NWRXRnVMbU52YlM1amJvSUthM1ZpWlhKdVpYUmxjNElTYTNWaVpYSnUKWlhSbGN5NWtaV1poZFd4MGdoWnJkV0psY201bGRHVnpMbVJsWm1GMWJIUXVjM1pqZ2g1cmRXSmxjbTVsZEdWegpMbVJsWm1GMWJIUXVjM1pqTG1Oc2RYTjBaWEtDSkd0MVltVnlibVYwWlhNdVpHVm1ZWFZzZEM1emRtTXVZMngxCmMzUmxjaTVzYjJOaGJJY0VDdjRBQVljRXJCQmtYSWNFckJCa1A0Y0VyQkJrUUljRXJCQmtSNGNFckJCazREQU4KQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBa3c3V0ZZbkJTVVNGdG5pclRJQVZ4TEV5OFVUY0QrUzhYajlOOGJKRApYWEtIM2lQVmxVdDQ2N2JHc1Z5TU9CWVRyNjBSZHFBYUN6aUs1OVp3VkNuWkJSOU4vT21uYzRGYk9OaEROeDJoCjFnZWpXckFlbTZaWVZ1eFlUdWF1SkdCQkZEYVorMS9HazZSb2liczBqdHVIL2x5dFBMYlJjY2RTY052SHNVaS8KMmhkS2VZbGpiejh0MjZFWG1QOHhvVnJ1SkVkR2dM
dmJqWXhIQmJFbHRJbDdtODFoaGN0Y1hJL084dWNoTkg4aQphaXdBYUt5ZTllcmVqaDNZa3ZEZXFlcDNmQUVoc21HYURPQTd4SDNCMmpJTFJTUzhtTUd2VEszRWRXMUJJVnlVClNxUlZoVmVQMTZEWnVhaDdXTXlubzFkMmZPMlNMeDNZVkkyMEwyRXgzYlVMQnc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg=="
dashboard.key: "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBejUzN25kZHhzM0NWeGRiKzlxSmowc1FaQ1FnTmdxU3FGS3lFNkFzc2VHcHFmdnZCCis4QVFLS2dFelRta0VnWGtMa1piZHdZR3hUM1NPTXdmVDY3ellmSjJrQ1FtcmxRWExsdXlnMUtLM2RPQ2tDN0MKT0h2R2xtWDc5QldENG9QTzEyZFNDQUdVQk11STNlZUltN3NYZUluMHNydHNnUTJzOW9lWTNTTzVkS1hTNy9TcQpFMVhvaWFMb0ZTL2lOWFVjb2g0RlRvajJBU3NxRzZUaVF4M0JqVndoRlBHZFVFZ2FwQlJCQXQ5TzlQUXV5S1V3CkNUQUh3R3NWVUI0UjJSS0hOcnNMRVFsY3FRR3EyR055VVBvcU56Qi9JWlo1VDllMnExNmEwc0J0dWszb0RIK2EKWThidXJMamxPbFp3eXhSWlBreSswQW96bWNSVDFPYzlnU3J1V3dJREFRQUJBb0lCQVFDc2UwVkVkbTRoY3hFYQprV2kwSVdqbytyMEp3Y1RubWtFcWQ4RGF2aDJ0MUVxeFFCcUNPYWV5L3hNdUpBcm9aamlSTVNaZmxZUWViU091CngvWGpUeWNuWWpXWnZrN2NXVVFBNFhGR3BGWjF2M2dpckpYeU12SmlsRXRqRmxUQTVGdjhtL3VNWnpNL1lKQk8KT2tKRmpvTUxReUVsTTR3TEV2OTB1R1lJb2RzNnllRDIwRnV4S3dtcElaeEJPcWQvUkdlc0MwVXdMME1wWU9MNQpLN0xrVnlSM2pBdDhCOGk0eUhudTN0cG00WW04ZURrMlE1Rk03YnMzamJMZU5Kalozem1hV1o4SG9QaDFWZGZzCmlpSjlEcStVZjNHdXJ5dlZad01tTDFIQy80aDJVSVY0MHlQS1RPNCtkUENMeC95RnBENEpIeFZkWmxlZStmenAKRTN0QkpaWUJBb0dCQVBPT0RSTXZMTWRnOG9BczlEczdVMGRoU0R6ZEN4V1BkWUJkNUwrMXR2NDNicGFJVzQvTQpNZXRJT2ZKYVFWandzYWJVb1Y5dGxiOG04UGVDY1pmQThBQ3dGQmZYTCtwTnNMRGQ1RytUL2ZMakczNjNGN0ZaCk1Gd1ljRDRKVFY4MWlBaFlkZHd6d0ZDZVJVcGRSNTltMWF0MjNvVTdWNUIwWkdWWGFHYkJ6bUNCQW9HQkFObzUKMUNzTThRcVI5OXZqeks4UWtmTkVvNkxVcExWSmZVSGdObHdDYkJ3cExEamdieGxDTjNzRCt0YW1BTWhqcVdrSAorYnhzeHJkR3YxT1ZrcmNFOWN0RkZVQVdQTGFEbkRoSlR5akZZdjh1bnpDWFZCOTdhYXZ1RzdlZ1VncmU1UHVQCmVTRFJRcDdlT1NmUVdjL1o0Z2l5dFcybHdmaFpCYlpDZzAzYWJtRGJBb0dBT1h2UmdqR2tNL3Fod2JiYWZoQm0KZTNadWdrNzVpc0V0VG5yYXZwUzQrQTlGUHFvNFVod3p2QUIwRE10WW1SRldITFlhMEZjZy9OaklEdUx1eEk1NQpGdkI0RFpod2FyQ2pmMXNmeTJYMmpoa2tLQ2cybzFrVm5PYjN0dXlqSWxHVUpjUWJMVG5acmkxczFUeG01eXh5ClNlSG9hekd5WFJuYmlEKzFHR3V0dGdFQ2dZQWtzcWJnV252S2lFT0RRZXF3NGZ0NVNtaXVRRTQyZ2xaREZyNXQKZUtiUGtZanpRNkxMUDV4dTNudDNUMUZBWWFvaWxJbkZ5eEVienhUcnJIS1F2by9MRUNJRHRmbWR3OElvb1FOagoydFhNRGY0TlFOV1B1Y1JLZW05RTBQd2JBZUxGL3htaWtDNUE0eVAvY3dVM2MrK1VBT0dMdjkwL3MxREhscVhZCkdNeUpFd0tCZ1FDQjF0OHNkWlJIa3ZMNmpH
djV0aGhhU2VyZGdWMDIzcDdGNTJRZkpkeFU4OXJkK2JyR2I0dnMKUS9uM3hadm9naVBQMTV5M1MzV2xHN2Y1VXpXSjdtc1NmZjE1R2FzOHdVYzNwaVBtYkJ1TThNWCtnNWFxcGxrbQp3N2p2YzRER01wSmM2MWRWSmhxZE9EMGxhRVhJYTFSS1ZhVEpJcm50OVNwd09zNldFWHBzSlE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo="

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
type: Opaque
data:
  csrf: ""

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
type: Opaque

---

kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
  # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      # Node selector: schedule only onto node 92
      nodeSelector:
        type: master
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.0.5
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            #- --apiserver-host=http://127.0.0.1:8080
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
            # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
      annotations:
        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
    spec:
      # Node selector: schedule only onto node 92
      nodeSelector:
        type: master
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.6
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
            - mountPath: /tmp
              name: tmp-volume
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      serviceAccountName: kubernetes-dashboard
      volumes:
        - name: tmp-volume
          emptyDir: {}

The certificate contents must be base64-encoded.

Modify the configuration file to expose a port

In the Service section, add type=NodePort

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30001
  selector:
    k8s-app: kubernetes-dashboard

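Externally exposed port: 30001

Add an SSL certificate for the k8s dashboard

Because the dashboard is served over HTTPS, it needs an SSL certificate; for how to create one, see my earlier blog post.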

$ kubectl create secret generic kubernetes-dashboard-certs --from-file=dashboard.key --from-file=dashboard.crt -n kube-system

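Rename both your certificate and your private key to dashboard; the file names read inside the container are dashboard.key and dashboard.crt.

If the secret kubernetes-dashboard-certs already exists, you can modify it with kubectl edit secret kubernetes-dashboard-certs -n kube-system, or delete it and create it again.

You can also base64-encode the contents of the SSL files dashboard.key and dashboard.crt and put them directly into the YAML above when creating it.

Download the image

If the image cannot be pulled, use the following approach: pull it from Alibaba Cloud first, then retag it to the name the configuration requires.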

$ docker pull registry.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
$ docker tag registry.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1 k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1

Start the dashboard

$ kubectl create -f dashboard.yaml
# Check the pod status
$ kubectl get pod -n kube-system
# Check the svc
$ kubectl get svc -n kube-system
# Check the deployment
$ kubectl get deployment -n kube-system

If the pod does not start, check /var/log/messages for the error: is forbidden: SecurityContext.RunAsUser is forbidden

Fix: remove SecurityContextDeny from the api-server startup parameter --enable-admission-plugins, then restart the api-server.

api-server startup parameters

KUBE_API_ADDRESS=" --insecure-bind-address=0.0.0.0 --insecure-port=8080 --logtostderr=false --log-dir=/soyuan/k8s/api-server/logs --v=0"
KUBE_ETCD_SERVERS=" --etcd-servers=http://172.16.100.92:2379"
KUBE_SERVICE_ADDRESSES=" --service-cluster-ip-range=10.254.0.0/16 --service-node-port-range=1-65535"
KUBE_ADMISSION_CONTROL=" --admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,ResourceQuota,ServiceAccount"
KUBE_API_ARGS=""

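Authentication

The dashboard login supports two authentication methods, Kubeconfig and token; the Kubeconfig method also depends on the token field.

Generate a token

Creating the admin user automatically obtains a token. If no token is obtained, the problem is in the startup parameters of the two services api-server and controller-manager.

In the api-server startup parameters, --admission-control must include ServiceAccount.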

KUBE_API_ADDRESS=" --insecure-bind-address=0.0.0.0 --insecure-port=8080 --logtostderr=false --log-dir=/soyuan/k8s/api-server/logs --v=0"
KUBE_ETCD_SERVERS=" --etcd-servers=http://172.16.100.92:2379"
KUBE_SERVICE_ADDRESSES=" --service-cluster-ip-range=10.254.0.0/16 --service-node-port-range=1-65535"
KUBE_ADMISSION_CONTROL=" --admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,ResourceQuota,ServiceAccount"
KUBE_API_ARGS=""

The controller-manager must be configured with a private key, which is needed when signing tokens.

KUBE_CONTROLLER_MANAGER_AGE="--master=http://172.16.100.92:8080 --service-account-private-key-file=/soyuan/k8s/kubeservice/172.16.100.92.key --logtostderr=false --log-dir=/soyuan/k8s/controller-manager/logs --v=0"

--service-account-private-key-file=/soyuan/k8s/kubeservice/172.16.100.92.key

Then restart these two services.

View the token

# View the token
$ kubectl get secret -n kube-system
kubernetes-dashboard-token-jdj4m kubernetes.io/service-account-token 2 4m38s
# View the token
$ kubectl describe secret kubernetes-dashboard-token-s2lvs -n kubernetes-dashboard

# token
eyJhbGciOiJSUzI1NiIsImtpZCI6Ii1fT21WTVo1Q0hVeFRYakZwb1lMY2Y3eVVMVjRYQUIzWm9zOXJ0dlBUc00ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZC10b2tlbi1zMmx2cyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjVhZjcxNjYyLTQ0ZWUtNGI0NC1iYmZhLTViMjljM2YwMmRiMSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlcm5ldGVzLWRhc2hib2FyZDprdWJlcm5ldGVzLWRhc2hib2FyZCJ9.Q7WBzNlSq9Hk104kchJ7y1AMinKU1iS9hv3vpc34bpC6xuO-eOdZ9hrwH4rdgR-fHcq_ZE7bctxnKmG1nDoi-kWTkbBKV7sJdontDR5_EE2tKhF7XNUg7Rpe5pyemFxh4mHpnnmEXTB35ek2bAFnJ1cPY45kHuHmEWUZtey7O8F8WAdNDfnDH744ORdT6xte4nMrg0q2XosnOlEwgln9CticOCu-qUVZ5X3NiHdMxCZISMJtaF6cjLwS1vW1SUipK4niwlLlSSM3q-fVMCgFd6F8_x8qRtgZA0iWfFGrlAewtK4UbRNi5hHLDk-n26wyyi3sEY4dsdMxB11c3db10w
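
The token printed above is a JWT whose payload names the ServiceAccount it authenticates as. As an added example (not part of the original post), the following decodes a token's claims without verifying the signature and reports whether it carries an expiry; the sample token is constructed and the function names are hypothetical.

```python
import base64
import json

PREFIX = "kubernetes.io/serviceaccount/"

def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def describe_sa_token(token):
    """Return identity and lifetime facts from a service-account JWT.

    The signature is NOT verified; this is for inspection only.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return {
        "alg": header.get("alg"),
        "issuer": claims.get("iss"),
        "subject": claims.get("sub"),
        "namespace": claims.get(PREFIX + "namespace"),
        "secret": claims.get(PREFIX + "secret.name"),
        # Secret-based service-account tokens carry no "exp" claim,
        # so they stay valid until the secret is deleted.
        "expires": claims.get("exp"),
    }

def _encode(obj):
    """Helper for the constructed sample: JSON -> unpadded base64url."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample token (placeholder signature), same claim layout as above.
SAMPLE_TOKEN = ".".join([
    _encode({"alg": "RS256", "kid": "example-key-id"}),
    _encode({
        "iss": "kubernetes/serviceaccount",
        PREFIX + "namespace": "kubernetes-dashboard",
        PREFIX + "secret.name": "kubernetes-dashboard-token-example",
        PREFIX + "service-account.name": "kubernetes-dashboard",
        "sub": "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard",
    }),
    "c2lnbmF0dXJl",
])

if __name__ == "__main__":
    for key, value in describe_sa_token(SAMPLE_TOKEN).items():
        print(f"{key}: {value}")
```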

Logging in with kubeconfig

Token of the kubernetes-dashboard user

First view the generated token

kubectl get secret -n kubernetes-dashboard kubernetes-dashboard-token-s2lvs -o jsonpath={.data.token}|base64 -d

Set an environment variable DASH_TOCKEN

DASH_TOCKEN=$(kubectl get secret -n kubernetes-dashboard kubernetes-dashboard-token-s2lvs -o jsonpath={.data.token}|base64 -d)

kubectl config set-cluster kubernetes --server="https://172.16.100.92:6443" --certificate-authority=/soyuan/k8s/ca.crt --kubeconfig=/soyuan/k8s/def-ns-admin.conf

kubectl config set-credentials kubernetes-dashboard --token=$DASH_TOCKEN --kubeconfig=./def-ns-admin.conf

kubectl config set-context kubernetes-dashboard@kubernetes --cluster=kubernetes --user=kubernetes-dashboard --kubeconfig=./def-ns-admin.conf
kubectl config use-context kubernetes-dashboard@kubernetes --kubeconfig=./def-ns-admin.conf

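For now this login does not work, so use the token instead.

Errors

An error saying the user cannot be found may be reported.

Create the user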

kubectl create clusterrolebinding system:anonymous --clusterrole=cluster-admin --user=system:anonymous
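
The manifest above binds the kubernetes-dashboard ServiceAccount to cluster-admin, and this command does the same for system:anonymous. As an added example (not from the original post), the following lists such bindings from the output of `kubectl get clusterrolebindings -o json`; the sample data is constructed to mirror those two bindings and the function name is hypothetical.

```python
import json
import sys

# Identities that represent unauthenticated requests to the API server.
ANONYMOUS = {"system:anonymous", "system:unauthenticated"}

def audit_cluster_admin(doc):
    """Return (binding, reason, subject) for every ClusterRoleBinding that
    grants cluster-admin to an anonymous subject or to a ServiceAccount.

    `doc` is the parsed output of `kubectl get clusterrolebindings -o json`.
    """
    findings = []
    for item in doc.get("items", []):
        role = item.get("roleRef", {})
        if role.get("kind") != "ClusterRole" or role.get("name") != "cluster-admin":
            continue
        binding = item.get("metadata", {}).get("name", "<unnamed>")
        for subj in item.get("subjects") or []:
            kind, name = subj.get("kind"), subj.get("name")
            if kind in ("User", "Group") and name in ANONYMOUS:
                findings.append((binding, "anonymous", name))
            elif kind == "ServiceAccount":
                findings.append(
                    (binding, "serviceaccount", f"{subj.get('namespace')}/{name}"))
    return findings

# Constructed sample: the default system:masters binding plus the two
# bindings created on this page.
SAMPLE = {"items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "kubernetes-dashboard"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                   "namespace": "kubernetes-dashboard"}]},
    {"metadata": {"name": "system:anonymous"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "system:anonymous"}]},
]}

if __name__ == "__main__":
    # Real use: kubectl get clusterrolebindings -o json | python3 audit.py -
    doc = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for binding, reason, subject in audit_cluster_admin(doc):
        print(f"{binding}: cluster-admin granted to {reason} subject {subject}")
```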


Kubernetes Dashboard Installation
https://zhaops-hub.github.io/2021/11/24/k8s/k8sDashboard安装/
Author: 赵培胜
Published: November 24, 2021