Web UI (Dashboard) Dashboard is a web-based Kubernetes user interface. You can use Dashboard to deploy containerized applications to a Kubernetes cluster, troubleshoot your containerized application, and manage the cluster resources. You can use Dashboard to get an overview of applications running on your cluster, as well as for creating or modifying individual Kubernetes resources (such as Deployments, Jobs, DaemonSets, etc). For example, you can scale a Deployment, initiate a rolling update, restart a pod or deploy new applications using a deploy wizard. Dashboard also provides information on the state of Kubernetes resources in your cluster and on any errors that may have occurred.
[root@elasticsearch01 /]# mkdir /certs [root@elasticsearch01 /]# openssl req -nodes -newkey rsa:2048 -keyout certs/dashboard.key -out certs/dashboard.csr -subj "/C=/ST=/L=/O=/OU=/CN=kubernetes-dashboard" Generating a 2048 bit RSA private key ................+++ ..............................................+++ writing new private key to 'certs/dashboard.key' ----- No value provided for Subject Attribute C, skipped No value provided for Subject Attribute ST, skipped No value provided for Subject Attribute L, skipped No value provided for Subject Attribute O, skipped No value provided for Subject Attribute OU, skipped [root@elasticsearch01 /]# ls /certs dashboard.csr dashboard.key
[root@elasticsearch01 /]# kubectl create -f /k8s/yaml/kubernetes-dashboard.yaml serviceaccount/kubernetes-dashboard created role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created deployment.apps/kubernetes-dashboard created service/kubernetes-dashboard created Error from server (AlreadyExists): error when creating "/k8s/yaml/kubernetes-dashboard.yaml": secrets "kubernetes-dashboard-certs" already exists
[root@elasticsearch01 /]# kubectl get pods -n kube-system NAME READY STATUS RESTARTS AGE kubernetes-dashboard-cb55bd5bd-4jsh7 1/1 Running 0 21s [root@elasticsearch01 /]# kubectl get svc -n kube-system NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes-dashboard NodePort 10.254.140.115 <none> 443:41579/TCP 31s [root@elasticsearch01 /]# kubectl get pods -n kube-system -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES kubernetes-dashboard-cb55bd5bd-4jsh7 1/1 Running 0 40s 10.254.73.2 10.2.8.34 <none> <none>
[root@elasticsearch01 yaml]# kubectl create -f admin-token.yaml clusterrolebinding.rbac.authorization.k8s.io/admin created serviceaccount/admin created
Apiserver hosts绑定ip错误10.0.0.1应该是10.254.0.1,默认pods网端是10.254.0.0/16,其中10.254.0.1会用来kubenetes的clusterip [root@elasticsearch01 ~]# kubectl get svc –all-namespaces=true NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE default kubernetes ClusterIP 10.254.0.1 443/TCP 6d1h
解决方法 ×××文件重启apiserver服务即可(配置前多检查,否则后面会增加很多排错过程)
1 2 3 4 5 6
[root@elasticsearch01 yaml]# kubectl logs kubernetes-dashboard-865b64d96f-g5f9t --namespace=kube-system 2018/12/29 07:49:44 Starting overwatch 2018/12/29 07:49:44 Using in-cluster config to connect to apiserver 2018/12/29 07:49:44 Using service account token for csrf signing 2018/12/29 07:49:44 Error while initializing connection to Kubernetes apiserver. This most likely means that the cluster is misconfigured (e.g., it has invalid apiserver certificates or service account's configuration) or the --apiserver-host param points to a server that does not exist. Reason: Get https://10.254.0.1:443/version: x509: certificate is valid for 10.0.0.1, 127.0.0.1, 10.2.8.44, 10.2.8.65, 10.2.8.34, not 10.254.0.1 Refer to our FAQ and wiki pages for more information: https://github.com/kubernetes/dashboard/wiki/FAQ
[root@elasticsearch01 ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server 2018/12/29 15:57:02 [INFO] generate received request 2018/12/29 15:57:02 [INFO] received CSR 2018/12/29 15:57:02 [INFO] generating key: rsa-2048 2018/12/29 15:57:03 [INFO] encoded CSR 2018/12/29 15:57:03 [INFO] signed certificate with serial number 57756035754570455349189088480535470836534926573 2018/12/29 15:57:03 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").