如何部署kubernetes-dashboard改成http免密登录

修改Service端口

增加80端口，改成http访问

修改前:

spec:
ports:
– port: 443
targetPort: 8443
selector:
k8s-app: kubernetes-dashboard

修改后：

spec:
ports:
– port: 443
targetPort: 8443
name: https
– port: 80
targetPort: 9090
name: http
selector:
k8s-app: kubernetes-dashboard

如果想用 ip+端口的方式访问，这里需要增加配置，改成 nodeport 的形式，nodePort 改成自己主机空闲的端口，取值范围在 apiserver 的 –service-node-port-range 参数里面可以看得到

最终修改如下:

spec:
ports:
– port: 443
targetPort: 8443
name: https
nodePort: 32001
– port: 80
targetPort: 9090
name: http
nodePort: 32002
type: NodePort
selector:
k8s-app: kubernetes-dashboard

修改 deployment 内容

修改探针检测

后面要修改 dashboard 的启动参数，这里不改的话，活性检测会失败，导致 pod 会不断重启

修改前:

livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443

修改后:

livenessProbe:
httpGet:
scheme: HTTP
path: /
port: 9090

修改镜像拉取策略

官方 yaml 里面默认配置的是 Always

sed -i \’s/imagePullPolicy: Always/imagePullPolicy: IfNotPresent/g\’ recommended.yaml

修改容器端口

修改前:

ports:
– containerPort: 8443
protocol: TCP

修改后:

ports:
– containerPort: 8443
protocol: TCP
– containerPort: 9090
protocol: TCP

关闭 token 登录

注释掉 –auto-generate-certificates 参数

修改前:

args:
– –auto-generate-certificates
– –namespace=kubernetes-dashboard
# Uncomment the following line to manually specify Kubernetes API server Host
# If not specified, Dashboard will attempt to auto discover the API server and connect
# to it. Uncomment only if the default does not work.
# – –apiserver-host=http://my-address:port

修改后:

args:
# – –auto-generate-certificates
– –namespace=kubernetes-dashboard
# Uncomment the following line to manually specify Kubernetes API server Host
# If not specified, Dashboard will attempt to auto discover the API server and connect
# to it. Uncomment only if the default does not work.
# – –apiserver-host=http://my-address:port

完整版yaml

# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the \”License\”);
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an \”AS IS\” BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: Namespace
metadata:
name: kubernetes-dashboard
—
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
—
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
spec:
ports:
– port: 443
targetPort: 8443
name: https
nodePort: 30000
– port: 80
targetPort: 9090
name: http
nodePort: 30001
type: NodePort
selector:
k8s-app: kubernetes-dashboard
—
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-certs
namespace: kubernetes-dashboard
type: Opaque
—
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-csrf
namespace: kubernetes-dashboard
type: Opaque
data:
csrf: \”\”
—
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-key-holder
namespace: kubernetes-dashboard
type: Opaque
—
kind: ConfigMap
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-settings
namespace: kubernetes-dashboard
—
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
rules:
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
– apiGroups: [\”\”]
resources: [\”secrets\”]
resourceNames: [\”kubernetes-dashboard-key-holder\”, \”kubernetes-dashboard-certs\”, \”kubernetes-dashboard-csrf\”]
verbs: [\”get\”, \”update\”, \”delete\”]
# Allow Dashboard to get and update \’kubernetes-dashboard-settings\’ config map.
– apiGroups: [\”\”]
resources: [\”configmaps\”]
resourceNames: [\”kubernetes-dashboard-settings\”]
verbs: [\”get\”, \”update\”]
# Allow Dashboard to get metrics.
– apiGroups: [\”\”]
resources: [\”services\”]
resourceNames: [\”heapster\”, \”dashboard-metrics-scraper\”]
verbs: [\”proxy\”]
– apiGroups: [\”\”]
resources: [\”services/proxy\”]
resourceNames: [\”heapster\”, \”http:heapster:\”, \”https:heapster:\”, \”dashboard-metrics-scraper\”, \”http:dashboard-metrics-scraper\”]
verbs: [\”get\”]
—
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
rules:
# Allow Metrics Scraper to get metrics from the Metrics server
– apiGroups: [\”metrics.k8s.io\”]
resources: [\”pods\”, \”nodes\”]
verbs: [\”get\”, \”list\”, \”watch\”]
—
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubernetes-dashboard
subjects:
– kind: ServiceAccount
name: kubernetes-dashboard
namespace: kubernetes-dashboard
—
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubernetes-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubernetes-dashboard
subjects:
– kind: ServiceAccount
name: kubernetes-dashboard
namespace: kubernetes-dashboard
—
kind: Deployment
apiVersion: apps/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: kubernetes-dashboard
template:
metadata:
labels:
k8s-app: kubernetes-dashboard
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
– name: kubernetes-dashboard
image: kubernetesui/dashboard:v2.7.0
imagePullPolicy: Always
ports:
– containerPort: 8443
protocol: TCP
– containerPort: 9090
protocol: TCP
args:
# – –auto-generate-certificates
– –namespace=kubernetes-dashboard
# Uncomment the following line to manually specify Kubernetes API server Host
# If not specified, Dashboard will attempt to auto discover the API server and connect
# to it. Uncomment only if the default does not work.
# – –apiserver-host=http://my-address:port
volumeMounts:
– name: kubernetes-dashboard-certs
mountPath: /certs
# Create on-disk volume to store exec logs
– mountPath: /tmp
name: tmp-volume
livenessProbe:
httpGet:
scheme: HTTP
path: /
port: 9090
initialDelaySeconds: 30
timeoutSeconds: 30
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 2001
volumes:
– name: kubernetes-dashboard-certs
secret:
secretName: kubernetes-dashboard-certs
– name: tmp-volume
emptyDir: {}
serviceAccountName: kubernetes-dashboard
nodeSelector:
\”kubernetes.io/os\”: linux
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
– key: node-role.kubernetes.io/master
effect: NoSchedule
—
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: dashboard-metrics-scraper
name: dashboard-metrics-scraper
namespace: kubernetes-dashboard
spec:
ports:
– port: 8000
targetPort: 8000
selector:
k8s-app: dashboard-metrics-scraper
—
kind: Deployment
apiVersion: apps/v1
metadata:
labels:
k8s-app: dashboard-metrics-scraper
name: dashboard-metrics-scraper
namespace: kubernetes-dashboard
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: dashboard-metrics-scraper
template:
metadata:
labels:
k8s-app: dashboard-metrics-scraper
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
– name: dashboard-metrics-scraper
image: kubernetesui/metrics-scraper:v1.0.8
ports:
– containerPort: 8000
protocol: TCP
– containerPort: 9090
protocol: TCP
livenessProbe:
httpGet:
scheme: HTTP
path: /
port: 8000
initialDelaySeconds: 30
timeoutSeconds: 30
volumeMounts:
– mountPath: /tmp
name: tmp-volume
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 2001
serviceAccountName: kubernetes-dashboard
nodeSelector:
\”kubernetes.io/os\”: linux
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
– key: node-role.kubernetes.io/master
effect: NoSchedule
volumes:
– name: tmp-volume
emptyDir: {}