Dashboard

  • kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.4/aio/deploy/recommended.yaml
  • TEST
    kubectl proxy
    
    --> http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/.
  • User Account
    # Creates the ServiceAccount "admin-user" in the kubernetes-dashboard
    # namespace. The manifest itself grants nothing; what this account may do is
    # decided by whichever role binding names it as a subject.
    cat <<EOF | kubectl apply -f -
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: admin-user
      namespace: kubernetes-dashboard
    EOF
    
    
    # Binds the admin-user ServiceAccount (namespace kubernetes-dashboard) to the
    # built-in cluster-admin ClusterRole, cluster-wide. Whoever holds this
    # account's token can read and change every resource in every namespace,
    # Secrets included, so handle the token like a root credential. On a shared
    # or long-lived cluster, bind a narrower role (or a namespaced RoleBinding)
    # and delete this binding when it is no longer needed.
    cat <<EOF | kubectl apply -f -
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: admin-user
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: admin-user
      namespace: kubernetes-dashboard
    EOF
  • 인증서
    # mkdir ~/certs
    # cd ~/certs
    
    # openssl genrsa -out dashboard.key 2048
    # openssl rsa -in dashboard.key -out dashboard.key
    # openssl req -sha256 -new -key dashboard.key -out dashboard.csr -subj '/CN=localhost'
    # openssl x509 -req -sha256 -days 365 -in dashboard.csr -signkey dashboard.key -out dashboard.crt
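  • Recommended setup (Pod 는 자기 네임스페이스의 Secret 만 마운트할 수 있으므로 인증서 Secret 은 Dashboard 와 같은 네임스페이스에 있어야 한다. 이 문서의 Dashboard 는 kubernetes-dashboard 네임스페이스에서 동작하므로 아래 명령의 -n kube-system 은 -n kubernetes-dashboard 여야 한다. 뒤쪽 describe 출력에서 kubernetes-dashboard-certs 의 Data 가 비어 있는 것도 이 때문으로 보인다.)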
    # kubectl create secret generic kubernetes-dashboard-certs --from-file=$HOME/certs -n kube-system
    # kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.4/aio/deploy/recommended.yaml
  • kubectl -n kubernetes-dashboard edit service kubernetes-dashboard
    # Please edit the object below. Lines beginning with a '#' will be ignored,
    # and an empty file will abort the edit. If an error occurs while saving this file will be
    # reopened with the relevant failures.
    #
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        kubectl.kubernetes.io/last-applied-configuration: |
          {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"k8s-app":"kubernetes-dashboard"},"name":"kubernetes-dashboard","namespace":"kubernetes-dashboard"},"spec":{"ports":[{"port":443,"targetPort":8443}],"selector":{"k8s-app":"kubernetes-dashboard"}}}
      creationTimestamp: "2020-09-26T14:01:45Z"
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard
      namespace: kubernetes-dashboard
      resourceVersion: "3356"
      selfLink: /api/v1/namespaces/kubernetes-dashboard/services/kubernetes-dashboard
      uid: f064c119-2560-42c2-aa2b-69302aa0866b
    spec:
      clusterIP: 10.97.63.192
      ports:
      - port: 443
        protocol: TCP
        targetPort: 8443
      selector:
        k8s-app: kubernetes-dashboard
      sessionAffinity: None
      type: ClusterIP
    status:
      loadBalancer: {}
    
    
    
    ---> 아래와 같이 변경 !!! (spec.ports 에 nodePort: 31055 를 추가하고 type 을 ClusterIP 에서 NodePort 로 바꾼다. 나머지 항목은 그대로 둔다.)
    
    
    
    
    # Please edit the object below. Lines beginning with a '#' will be ignored,
    # and an empty file will abort the edit. If an error occurs while saving this file will be
    # reopened with the relevant failures.
    #
    # Edited copy of the kubernetes-dashboard Service. Compared with the object
    # shown before it, only two things differ: a nodePort is added to the port
    # entry and the Service type changes from ClusterIP to NodePort.
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        kubectl.kubernetes.io/last-applied-configuration: |
          {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"k8s-app":"kubernetes-dashboard"},"name":"kubernetes-dashboard","namespace":"kubernetes-dashboard"},"spec":{"ports":[{"port":443,"targetPort":8443}],"selector":{"k8s-app":"kubernetes-dashboard"}}}
      creationTimestamp: "2020-09-26T14:01:45Z"
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard
      namespace: kubernetes-dashboard
      resourceVersion: "3356"
      selfLink: /api/v1/namespaces/kubernetes-dashboard/services/kubernetes-dashboard
      uid: f064c119-2560-42c2-aa2b-69302aa0866b
    spec:
      clusterIP: 10.97.63.192
      ports:
      # nodePort opens TCP 31055 on every node's address and forwards it to this
      # Service (port 443, targetPort 8443).
      - nodePort: 31055
        port: 443
        protocol: TCP
        targetPort: 8443
      selector:
        k8s-app: kubernetes-dashboard
      sessionAffinity: None
      # NodePort makes the Dashboard login page reachable from any network that
      # can route to a node on port 31055. This page also issues cluster-admin
      # tokens for the Dashboard, so limit the allowed source addresses at the
      # host firewall / security group, or keep type ClusterIP and reach the
      # Dashboard through "kubectl proxy" as in the TEST step.
      type: NodePort
    status:
      loadBalancer: {}
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
  • Dashboard 접속정보 확인
    # kubectl get service -n kubernetes-dashboard
    NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                  AGE
    calico-typha           ClusterIP   10.109.234.181   <none>        5473/TCP                 47m
    kube-dns               ClusterIP   10.96.0.10       <none>        53/UDP,53/TCP,9153/TCP   51m
    kubernetes-dashboard   NodePort    10.105.161.59    <none>        443:31055/TCP            35m
  • Dashboard 계정 생성
    # kubectl create serviceaccount cluster-admin-dashboard-sa
    # kubectl create clusterrolebinding cluster-admin-dashboard-sa --clusterrole=cluster-admin --serviceaccount=default:cluster-admin-dashboard-sa
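  • Dashboard 접속 시 필요한 계정 토큰 정보 확인 (위에서 cluster-admin-dashboard-sa 는 -n 없이 default 네임스페이스에 만들어졌기 때문에, 아래 grep 은 kubernetes-dashboard 네임스페이스에서 아무것도 찾지 못하고 describe secret 이 이름 없이 실행되어 해당 네임스페이스의 모든 Secret 이 출력된 것으로 보인다. 필요한 토큰만 보려면 grep 대상을 admin-user 로 바꾸거나 -n default 에서 조회한다. 출력되는 token 값은 그대로 로그인에 쓰이는 자격 증명이므로 문서나 화면 공유에 남길 때는 가린다.)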
    hyunsu@kubemaster:~$ kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep cluster-admin-dashboard-sa | awk '{print $1}')
    
    
    
    Name:         admin-user-token-wn487
    Namespace:    kubernetes-dashboard
    Labels:       <none>
    Annotations:  kubernetes.io/service-account.name: admin-user
                  kubernetes.io/service-account.uid: ad6f92c1-3ed1-4680-80da-4d9dcf8440e8
    
    Type:  kubernetes.io/service-account-token
    
    Data
    ====
    ca.crt:     1066 bytes
    namespace:  20 bytes
    token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IkVEQnlPWER5ek85WjF0VlFScXNJRzZGOW1TMFJRN1lSNVRHcHlnZVdtb00ifQ.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.PINKyEp5yNQZv1HLvLHrP8GFUs9t3hI6OJ0EQtc7U_DhsNlBb6jMpvbPnKD7IlMJcECZrUZ6q6zlqYVbTLMuW89D-3_X-UDFlvymwfBfjWlH5AzY5h9oCtxhwA6fNljWgAEPhjJHr9ElWsSfIGWLShU_qxIX29gOcMCCZ1qSfQU8donNW-P7OtIYMfRbJe6VY5AqgDBDDFrXtd_Qc_Ne0EPdJpyRpVNpkrsCaZikue3zPqn6ORF-yVHWqulTqVU-gtg-eB0vA1WyYGgEc8lVImzyHogxJ3ysNblSxZt7LhVHB39ZdVr-dYh4UAEs-Iq8mi8OUT_eZjGLGCvR-zK6lg
    
    
    Name:         default-token-9x79k
    Namespace:    kubernetes-dashboard
    Labels:       <none>
    Annotations:  kubernetes.io/service-account.name: default
                  kubernetes.io/service-account.uid: 9d2a8308-a11e-4183-aed2-be4aadcafabe
    
    Type:  kubernetes.io/service-account-token
    
    Data
    ====
    ca.crt:     1066 bytes
    namespace:  20 bytes
    token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IkVEQnlPWER5ek85WjF0VlFScXNJRzZGOW1TMFJRN1lSNVRHcHlnZVdtb00ifQ.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.0UnxF2W-f4jLxat0QJ4GdSBDaEopxNSQ-UfbWJ65gKVgoxidB1t_YucsqHy5dupmvQVQuXKs7arzuavtWYkQ4Z4nzYtqXP6fDGn6i8TeRM9G6lCvv5zJqkkFQDQjW4XGsgK4UgOzpkIaxgMq4nkckmjt316daJKZ1bP9LxAtbttN6vySh2dj4BrV---ZugIu9CCKOkpWi-fFdvH4ogjNMzT6mXEUkOgJ_lJOXDq7pCbOEStBL5UTF3ybir5io3D5HYSyBH4s29tJqcoJA2pkVuccjPsQbeOfwSs-GD97v4YucxIAZEJEy1UEAelYd5nZFBBl-rTp490NFvun5hr5Ng
    
    
    Name:         kubernetes-dashboard-certs
    Namespace:    kubernetes-dashboard
    Labels:       k8s-app=kubernetes-dashboard
    Annotations:  <none>
    
    Type:  Opaque
    
    Data
    ====
    
    
    Name:         kubernetes-dashboard-csrf
    Namespace:    kubernetes-dashboard
    Labels:       k8s-app=kubernetes-dashboard
    Annotations:  <none>
    
    Type:  Opaque
    
    Data
    ====
    csrf:  256 bytes
    
    
    Name:         kubernetes-dashboard-key-holder
    Namespace:    kubernetes-dashboard
    Labels:       k8s-app=kubernetes-dashboard
    Annotations:  <none>
    
    Type:  Opaque
    
    Data
    ====
    priv:  1675 bytes
    pub:   459 bytes
    
    
    Name:         kubernetes-dashboard-token-glnd4
    Namespace:    kubernetes-dashboard
    Labels:       <none>
    Annotations:  kubernetes.io/service-account.name: kubernetes-dashboard
                  kubernetes.io/service-account.uid: 58104d32-8e7e-4b4f-9e24-e8aafe8ead9a
    
    Type:  kubernetes.io/service-account-token
    
    Data
    ====
    ca.crt:     1066 bytes
    namespace:  20 bytes
    token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IkVEQnlPWER5ek85WjF0VlFScXNJRzZGOW1TMFJRN1lSNVRHcHlnZVdtb00ifQ.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.gqPgpjTrxmUqFJZTWJKd_LC0YkqfgmNZTdxdFBpymShL0tK8JOI8qnynzO2oZWJtPiK2a8EE3HqTBn-WwJEzOWHWiCTZhLca6e4RDQ-Mw_7vaTwxwdcBmm8fcTcMdupRbZIOl6kSLg7JmgQGXVS0q7fTQKdiMqNfU2b4cKC8TDZ_-YcT3offch0kuT8mu5Dug_c-CFpFd6uKJ_ox-ZajppWLvIjLRppxvR5km9SzksnpbszRggC6jMJIGI4OlU8sglGpAtF4-GN6LZnfG4NVSrTDiPFWno0HMH8zoVJH10_FTU0eRUHeq9ST_GHfjoyGO45mU6H9FufainwavxXGNQ
    
    
    
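  • 접근 시 인증서 오류 문제 (위에서 만든 인증서는 CN=localhost 로 자체 서명한 것이므로 브라우저의 신뢰 경고는 예상된 동작이다. 아래 명령은 dashboard.key 개인 키와 dashboard.crt 를 dashboard.p12 파일 하나로 묶는다. p12 에는 개인 키가 들어 있으므로 내보내기 암호를 설정하고 필요한 PC 에만 보관한다.)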
    openssl pkcs12 -export -clcerts -inkey dashboard.key -in dashboard.crt -out dashboard.p12 -name "kubernetes-admin"