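There are plenty of articles on this topic online, but when you actually follow them you run into a lot of pitfalls. Today I am writing the procedure up properly.
This article installs dashboard-v1.10.1 on k8s-v1.14.1.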
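(1) Prepare the image
For well-known reasons, Google's images cannot be pulled from servers in mainland China. So once again I used the Alibaba Cloud relay trick and mirrored the image to Alibaba Cloud.
I have already done this work; the image is: registry.cn-shanghai.aliyuncs.com/yingzhuo/kubernetes-dashboard-amd64:v1.10.1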
(2) Download the Dashboard configuration YAML file
Reference:
```bash
wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml -O kubernetes-dashboard.yaml
```
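Because of the image issue, change the default image to my image on Alibaba Cloud. Change the type of the Dashboard Service from ClusterIP to NodePort and expose port 8001 outside the cluster; otherwise, access through kubectl proxy is very cumbersome. See the appendix of this article for the modified file. (Note: my k8s cluster has been configured so that its external port range is 1-65536. If your k8s cluster has not been configured this way, use a port between 30000 and 32767.)
```bash
kubectl apply -f kubernetes-dashboard.yaml
```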
(3) Generate an admin token for logging in to the Dashboard.
Edit admin-token.yaml so that it contains the following:
```yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: admin
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: admin
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
```
```bash
kubectl apply -f admin-token.yaml
```
View the token:
```bash
kubectl get secret -n kube-system | grep admin-toke | awk '{print $1}' | xargs kubectl -n kube-system describe secret
```
On my master node, this produces the following output.
```
kubectl get secret -n kube-system | grep admin-toke | awk '{print $1}' | xargs kubectl -n kube-system describe secret
Name:         admin-token-dm7dm
Namespace:    kube-system
Labels:
Annotations:  kubernetes.io/service-account.name: admin
              kubernetes.io/service-account.uid: 0cfcb5c9-6d4d-11e9-93e2-000c29c293be

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi1kbTdkbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjBjZmNiNWM5LTZkNGQtMTFlOS05M2UyLTAwMGMyOWMyOTNiZSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.bk46E3k8_zK0CiXZ4W0oJkkb7pqnEPeQUW_DZvRkhOpvhedkNvAveTMrzHTafMISZTlqyo0bRSnrfwfBsF1cSWBMO85FYqIPR3r7d6qv1BWNzq5Qh5MMXlUb5NgXjitZKLpxvPzY8JbIpIcgDMmw3zAj1kHj4K3oLPGkz8JpQ_qqrrYUZ0n4769cQfM8z1v6SPyMF3C1S6c0VqcnzG9FuluUmfmsIgPzs_39ANXoXPU-Ef_vt5Av1zzKepjV5rA0EzT6NKbsc1elpjf_Dk_2LdtPjtHh8CTzB-7dD-YLCuMxqp96GAeQWzdiZZugspeOegQ2JNKddcZz52gX6BM9ZA
```
(4) Access k8s-dashboard
Open https://<k8s-master-ip>:8001 in a browser.
Log in with the token obtained in the previous step.
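The two choices made in steps (2) and (3), a NodePort Service and a ServiceAccount bound to cluster-admin, are what a reviewer would look at first in this setup. The following added example (not part of the original article) is a small audit over manifest objects in the shape `kubectl get ... -o json` returns; the input is constructed to mirror this article's manifests, and the `dashboard-view` names in the tighter variant are hypothetical.

```python
DEFAULT_NODEPORTS = range(30000, 32768)  # kube-apiserver default --service-node-port-range


def audit(objects):
    """Return (resource, message) findings for a list of manifest dicts."""
    findings = []
    for obj in objects:
        kind = obj.get("kind")
        name = obj.get("metadata", {}).get("name", "?")
        if kind == "ClusterRoleBinding" and obj.get("roleRef", {}).get("name") == "cluster-admin":
            for subj in obj.get("subjects", []):
                if subj.get("kind") == "ServiceAccount":
                    who = f'{subj.get("namespace")}/{subj.get("name")}'
                    findings.append((f"{kind}/{name}",
                                     f"ServiceAccount {who} holds cluster-admin"))
        if kind == "Service" and obj.get("spec", {}).get("type") == "NodePort":
            for port in obj["spec"].get("ports", []):
                node_port = port.get("nodePort")
                msg = f"reachable on every node at port {node_port}"
                if node_port is not None and node_port not in DEFAULT_NODEPORTS:
                    msg += " (outside the default 30000-32767 range)"
                findings.append((f"{kind}/{name}", msg))
    return findings


# Constructed input mirroring this article's admin-token.yaml and Dashboard Service.
AS_IN_ARTICLE = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "admin", "namespace": "kube-system"}]},
    {"kind": "Service", "metadata": {"name": "kubernetes-dashboard"},
     "spec": {"type": "NodePort",
              "ports": [{"port": 443, "targetPort": 8443, "nodePort": 8001}]}},
]

# Assumed tighter variant (hypothetical names): read-only "view" role, ClusterIP Service.
TIGHTER = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "dashboard-view"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "dashboard-view", "namespace": "kube-system"}]},
    {"kind": "Service", "metadata": {"name": "kubernetes-dashboard"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 443, "targetPort": 8443}]}},
]

if __name__ == "__main__":
    for resource, message in audit(AS_IN_ARTICLE):
        print(f"[!] {resource}: {message}")
    print("tighter variant findings:", audit(TIGHTER))
```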
Appendix
The modified YAML file
```yaml
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# ------------------- Dashboard Secret ------------------- #

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque

---
# ------------------- Dashboard Service Account ------------------- #

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Role & Role Binding ------------------- #

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Deployment ------------------- #

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: registry.cn-shanghai.aliyuncs.com/yingzhuo/kubernetes-dashboard-amd64:v1.10.1
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --auto-generate-certificates
          # Uncomment the following line to manually specify Kubernetes API server Host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          # - --apiserver-host=http://my-address:port
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule

---
# ------------------- Dashboard Service ------------------- #

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 8001
  selector:
    k8s-app: kubernetes-dashboard
```