本文共 3843 字，大约阅读时间需要 12 分钟。

1.部署dashboard

mkdir -p /home/yaml/dashboard && cd /home/yaml/dashboardwget https://raw.githubusercontent.com/kubernetes/dashboard/v2.2.0/aio/deploy/recommended.yaml#默认Dashboard只能集群内部访问，修改Service为NodePort类型，暴露到外部：vi recommended.yaml...kind: ServiceapiVersion: v1metadata:  labels:    k8s-app: kubernetes-dashboard  name: kubernetes-dashboard  namespace: kubernetes-dashboardspec:  ports:    - port: 443      targetPort: 8443      nodePort: 30001  type: NodePort  selector:    k8s-app: kubernetes-dashboard  #启动kubectl apply -f recommended.yaml

2.chrome 可以访问

vi recommended.yaml...#在 args 下面增加证书两行args:       # PLATFORM-SPECIFIC ARGS HERE       - --auto-generate-certificates       - --tls-key-file=server-key.pem       - --tls-cert-file=server.pem...#删除默认的 secretkubectl delete secret kubernetes-dashboard-certs -n kubernetes-dashboard#查看secretkubectl get secrets -n kubernetes-dashboardNAME                               TYPE                                  DATA   AGEdefault-token-krq7c                kubernetes.io/service-account-token   3      17mkubernetes-dashboard-certs         Opaque                                0      16m #这里一定要是0或者没有这个，因为我们删除了证书kubernetes-dashboard-csrf          Opaque                                1      17mkubernetes-dashboard-key-holder    Opaque                                2      17mkubernetes-dashboard-token-sbgrp   kubernetes.io/service-account-token   3      17m# 用自签证书创建新的 secretkubectl create secret generic kubernetes-dashboard-certs \--from-file=/opt/kubernetes/ssl/server-key.pem --from-file=/opt/kubernetes/ssl/server.pem -n kubernetes-dashboard#再次查看secretkubectl get secrets -n kubernetes-dashboardNAME                               TYPE                                  DATA   AGEdefault-token-krq7c                kubernetes.io/service-account-token   3      17mkubernetes-dashboard-certs         Opaque                                2      16m #这里2个就说明已经使用了我们的证书kubernetes-dashboard-csrf          Opaque                                1      17mkubernetes-dashboard-key-holder    Opaque                                2      17mkubernetes-dashboard-token-sbgrp   kubernetes.io/service-account-token   3      17m#重启 kubernetes-dashboard 应用加载kubectl get pod -n kubernetes-dashboardNAME                                         READY   STATUS    RESTARTS   AGEdashboard-metrics-scraper-694557449d-9tcnh   1/1     Running   0          69skubernetes-dashboard-9774cc786-xj7wl         1/1     Running   0          29s #重启这个就好#删除pod，它会自动重启kubectl delete po kubernetes-dashboard-9774cc786-xj7wl  -n kubernetes-dashboard

3.创建管理角色

#创建service account并绑定默认cluster-admin管理员集群角色：kubectl create serviceaccount dashboard-admin -n kube-systemkubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-adminkubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')

4.安装监控插件 metrics-server

#github地址:https://github.com/kubernetes-sigs/metrics-servermkdir -p /home/yaml/metricscd /home/yaml/metricswget https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml#修改yaml文件spec:hostNetwork: truecontainers:- args:  - --cert-dir=/tmp  - --secure-port=4443  #添加上这一行，不然启动不成功  - --kubelet-insecure-tls  - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname  - --kubelet-use-node-status-port  #docker.hub 上查找，官方的下载不下来  image: bitnami/metrics-server:0.4.4  imagePullPolicy: IfNotPresent#启动kubectl apply -f components.yamlkubectl  get pod -n kube-system | grep metrics-servermetrics-server-6d59d8cdd6-hmjw7   1/1     Running   0          21m

5.dashboard 500错误

如果dashboard 显示 500 的错误，日志提示有 http: TLS handshake error from 10.244.159.128:35885: remote error: tls: unknown certificate#解决方法在master 节点上执行 kubectl proxy Starting to serve on 127.0.0.1:8001再次访问就没有问题了