Centos7 kubeadm搭建k8s集群(v1.19.8)--k8s系列
一、部署环境
主机列表:
主机名 Centos版本 ip docker version flannel version 主机配置 k8s版本
master 7.8.2003 192.168.214.128 19.03.13 v0.13.0-rc2 2C2G v1.19.8
node01 7.8.2003 192.168.214.129 19.03.13 / 2C2G v1.19.8
node02 7.8.2003 192.168.214.130 19.03.13 / 2C2G v1.19.8
共有3台服务器 1台master,2台node。
二、安装准备工作
1. 配置主机名
1.0 关闭防火墙以及永久关闭selinux
1 [root@centos7 ~] systemctl stop firewalld && systemctl disable firewalld
2 # 永久关闭selinux
3 [root@centos7 ~] sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config;cat /etc/selinux/config
4 # 临时关闭selinux
5 root@centos7 ~] setenforce 0
1.1 修改主机名
三个机器对应分别执行
1 [root@centos7 ~] hostnamectl set-hostname master
2 [root@centos7 ~] hostnamectl set-hostname node01
3 [root@centos7 ~] hostnamectl set-hostname node02
退出重新登陆即可显示新设置的主机名master
1.2 修改hosts文件
[root@master ~] cat >> /etc/hosts << EOF
192.168.214.128 master
192.168.214.129 node01
192.168.214.130 node02
EOF
2. 验证mac地址uuid
[root@master ~] cat /sys/class/dmi/id/product_uuid
保证各节点mac和uuid唯一
3. 禁用swap
3.1 临时禁用
[root@master ~] swapoff -a
3.2 永久禁用
若需要重启后也生效,在禁用swap后还需修改配置文件/etc/fstab,注释swap
[root@master ~] sed -i.bak '/swap/s/^/#/' /etc/fstab
4. 内核参数修改
本文的k8s网络使用flannel,该网络需要设置内核参数bridge-nf-call-iptables=1
4.1 内核参数临时修改
[root@master ~] sysctl net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-iptables = 1
[root@master ~] sysctl net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-ip6tables = 1
4.2 内核参数永久修改
[root@master ~] cat <<EOF > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
[root@master ~] sysctl -p /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
5. 设置kubernetes源
5.1 新增kubernetes源
[root@master ~] cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
5.2 更新缓存
1 [root@master ~] yum clean all
2 [root@master ~] yum -y makecache
三、Docker安装(已安装可跳过)
master node节点都执行本部分操作。
1. 安装依赖包
1 [root@master ~] yum install -y yum-utils device-mapper-persistent-data lvm2
2. 设置Docker源
#3.设置镜像的仓库
1 [root@master ~] yum-config-manager \
2 --add-repo \
3 https://download.docker.com/linux/centos/docker-ce.repo
4 #默认是从国外的,不推荐
5 #推荐使用国内的
6 [root@master ~] yum-config-manager \
7 --add-repo \
8 http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
3. 安装Docker CE
3.1 docker安装版本查看
1 [root@master ~] yum list docker-ce | sort -r
3.2 安装docker
1 [root@master ~] yum install docker
指定安装的docker版本为19.03.13。
4. 启动Docker并开机自启
1 [root@master ~] systemctl start docker
2 [root@master ~] systemctl enable docker
5. 命令补全
5.1 安装bash-completion
1 [root@master ~] yum -y install bash-completion
5.2 加载bash-completion
1 [root@master ~] source /etc/profile.d/bash_completion.sh
6. 镜像加速
由于Docker Hub的服务器在国外,下载镜像会比较慢,可以配置镜像加速器。主要的加速器有:Docker官方提供的中国registry mirror、阿里云加速器、DaoCloud 加速器,本文以阿里加速器配置为例。
6.1 登陆阿里云容器模块
6.2 配置镜像加速器
配置daemon.json文件
1 [root@master ~] mkdir -p /etc/docker
2 [root@master ~] tee /etc/docker/daemon.json <<-'EOF'
3 {
4 "registry-mirrors": ["https://23h04een.mirror.aliyuncs.com"]
5 }
6 EOF
重启服务
1 [root@master ~] systemctl daemon-reload
2 [root@master ~] systemctl restart docker
加速器配置完成
7. 验证
1 [root@master ~] docker --version
2 [root@master ~] docker run hello-world
通过查询docker版本和运行容器hello-world来验证docker是否安装成功。
四、k8s安装
master node节点都执行本部分操作。
1. 版本查看
1 [root@master ~] yum list kubelet | sort -r
本文安装的kubelet版本是1.16.4,该版本支持的docker版本为1.13.1, 17.03, 17.06, 17.09, 18.06, 18.09。
2. 安装kubelet、kubeadm和kubectl
2.1 安装三个包
1 [root@master ~] yum install -y kubelet-1.19.8 kubeadm-1.19.8 kubectl-1.19.8
2.2 安装包说明
kubelet 运行在集群所有节点上,用于启动Pod和容器等对象的工具
kubeadm 用于初始化集群,启动集群的命令工具
kubectl 用于和集群通信的命令行,通过kubectl可以部署和管理应用,查看各种资源,创建、删除和更新各种组件
2.3 启动kubelet
启动kubelet并设置开机启动
1 [root@master ~] systemctl enable kubelet && systemctl start kubelet
2.4 kubectl命令补全
[root@master ~] echo "source <(kubectl completion bash)" >> ~/.bash_profile
[root@master ~] source .bash_profile
2.5 查询kubelet是否运行起来了
master需要运行起来没有报错,再往下走,而node节点这里状态不是active,只要没报错可以往下走。
1 [root@master ~]# systemctl status kubelet
2 ● kubelet.service - kubelet: The Kubernetes Node Agent
3 Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)
4 Drop-In: /usr/lib/systemd/system/kubelet.service.d
5 └─10-kubeadm.conf
6 Active: active (running) since Wed 2021-03-03 07:56:55 EST; 52min ago
7 Docs: https://kubernetes.io/docs/
8 Main PID: 1350 (kubelet)
9 Tasks: 19
10 Memory: 139.0M
11 CGroup: /system.slice/kubelet.service
12 └─1350 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --network-plugin=cni --pod-infra-container-image=k8s.gcr.io/pause:3.2
13
14 Mar 03 07:59:58 master kubelet[1350]: E0303 07:59:58.872371 1350 pod_workers.go:191] Error syncing pod 6e1a9d9d-148c-4866-b6f2-4c1fbfaef8fa ("coredns-f9fd979d6-tgwj5_kube-system(6e1a9d9d-148c-4866-b6f2-4c1fbfaef8fa)"), skipping: failed to "C...148c-4866-b6f2-4c1fb
15 Mar 03 07:59:59 master kubelet[1350]: W0303 07:59:59.292810 1350 docker_sandbox.go:402] failed to read pod IP from plugin/docker: networkPlugin cni failed on the status hook for pod "coredns-f9fd979d6-ttb6f_kube-system": CNI failed to retrieve network namespace...
16 Mar 03 07:59:59 master kubelet[1350]: W0303 07:59:59.339552 1350 pod_container_deletor.go:79] Container "81bc507c034f6e55212e82d1f3f4d12ecd28c3634095d3230e714eb6b3d03be3" not found in pod's containers
17 Mar 03 07:59:59 master kubelet[1350]: W0303 07:59:59.341532 1350 cni.go:333] CNI failed to retrieve network namespace path: cannot find network namespace for the terminated container "81bc507c034f6e55212e82d1f3f4d12ecd28c3634095d3230e714eb6b3d03be3"
18 Mar 03 07:59:59 master kubelet[1350]: W0303 07:59:59.347622 1350 docker_sandbox.go:402] failed to read pod IP from plugin/docker: networkPlugin cni failed on the status hook for pod "coredns-f9fd979d6-tgwj5_kube-system": CNI failed to retrieve network namespace...
19 Mar 03 07:59:59 master kubelet[1350]: W0303 07:59:59.383585 1350 pod_container_deletor.go:79] Container "b0c032c78d077d21930da33ea95a971251c97e8c64bde258cc462da3bb5fe3c3" not found in pod's containers
20 Mar 03 07:59:59 master kubelet[1350]: W0303 07:59:59.384676 1350 cni.go:333] CNI failed to retrieve network namespace path: cannot find network namespace for the terminated container "b0c032c78d077d21930da33ea95a971251c97e8c64bde258cc462da3bb5fe3c3"
21 Mar 03 08:00:04 master kubelet[1350]: E0303 08:00:04.605581 1350 docker_sandbox.go:572] Failed to retrieve checkpoint for sandbox "9fca6d888406d4620913e3ccf7bc8cca41fb44cc56158dc8daa6e78479724e5b": checkpoint is not found
22 Mar 03 08:00:04 master kubelet[1350]: E0303 08:00:04.661462 1350 kuberuntime_manager.go:951] PodSandboxStatus of sandbox "55306b6580519c06a5b0c78a6eeaccdf38fe8331170aa7c011c0aec567dfd16b" for pod "coredns-f9fd979d6-tgwj5_kube-system(6e1a9d9d-148c-4866-b6f2-4c1f...
23 Mar 03 08:00:05 master kubelet[1350]: E0303 08:00:05.695207 1350 kuberuntime_manager.go:951] PodSandboxStatus of sandbox "5380257f06e5f7ea0cc39094b97825d737afa1013f003ff9097a5d5ef34c78ae" for pod "coredns-f9fd979d6-ttb6f_kube-system(63f24147-b4d2-4635-bc61-f7da...
24 Hint: Some lines were ellipsized, use -l to show in full.
3. 下载镜像
3.1 镜像下载的脚本
Kubernetes几乎所有的安装组件和Docker镜像都放在goolge自己的网站上,直接访问可能会有网络问题,这里的解决办法是从阿里云镜像仓库下载镜像,拉取到本地以后改回默认的镜像tag。本文通过运行image.sh脚本方式拉取镜像。
1 [root@master ~] vim image.sh
2 #!/bin/bash
3 url=registry.aliyuncs.com/google_containers
4 version=v1.19.8
5 images=(`kubeadm config images list --kubernetes-version=$version|awk -F '/' '{print $2}'`)
6 for imagename in ${images[@]} ; do
7 docker pull $url/$imagename
8 docker tag $url/$imagename k8s.gcr.io/$imagename
9 docker rmi -f $url/$imagename
10 done
3.2 下载镜像
运行脚本image.sh,下载指定版本的镜像
1 [root@master ~] chmod 775 image.sh
2 [root@master ~] ./image.sh
3 [root@master ~] docker images
五、初始化Master
master节点执行本部分操作。
1. master初始化
1 [root@master ~] kubeadm init --apiserver-advertise-address=192.168.214.128 --kubernetes-version v1.19.8 --service-cidr=10.96.0.0/12 --pod-network-cidr=10.244.0.0/16
net-conf.json: |
{
"Network": "10.244.0.0/16",
"Backend": {
"Type": "vxlan"
}
}
记录kubeadm join的输出,后面需要这个命令将node节点和其他control plane节点加入集群中。
1 kubeadm join 192.168.214.128:6443 --token 4xpmwx.nw6psmvn9qi4d3cj \
2 > --discovery-token-ca-cert-hash sha256:c7cbe95a66092c58b4da3ad20874f0fe2b6d6842d28b2762ffc8d36227d
1.1 查询是否运行正常
coredns是Pending状态,没有运行起来,没有关系,跟后面的flannel-ds有关
kube-system coredns-66bff467f8-c79f7 0/1 Pending 0 24h
kube-system coredns-66bff467f8-ncpd6 0/1 Pending 0 24h
# flannel运行起来后,这两个就会变为running
1 [root@master ~]# kubectl get pod -n kube-system -o wide
2 NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
3 coredns-f9fd979d6-tgwj5 1/1 Running 4 9h 10.244.0.11 master <none> <none>
4 coredns-f9fd979d6-ttb6f 1/1 Running 4 9h 10.244.0.10 master <none> <none>
5 etcd-master 1/1 Running 8 9h 172.17.114.109 master <none> <none>
6 kube-apiserver-master 1/1 Running 5 132m 172.17.114.109 master <none> <none>
7 kube-controller-manager-master 1/1 Running 8 130m 172.17.114.109 master <none> <none>
8 kube-flannel-ds-hs79q 1/1 Running 5 9h 172.17.114.109 master <none> <none>
9 kube-flannel-ds-qtt7s 1/1 Running 2 9h 172.17.114.103 node01 <none> <none>
10 kube-proxy-24dnq 1/1 Running 2 9h 172.17.114.103 node01 <none> <none>
11 kube-proxy-vbdg2 1/1 Running 4 9h 172.17.114.109 master <none> <none>
12 kube-scheduler-master 1/1 Running 7 130m 172.17.114.109 master <none> <none>
健康检查
1 [root@master ~]# kubectl get cs
2 Warning: v1 ComponentStatus is deprecated in v1.19+
3 NAME STATUS MESSAGE ERROR
4 scheduler Healthy ok
5 controller-manager Healthy ok
6 etcd-0 Healthy {"health":"true"}
7
8 [root@master ~]# kubectl get ns
9 NAME STATUS AGE
10 default Active 9h
11 kube-node-lease Active 9h
12 kube-public Active 9h
13 kube-system Active 9h
14 kubernetes-dashboard Active 7h6m
2. 初始化失败:
如果初始化失败,可执行kubeadm reset后重新初始化
1 [root@master ~] kubeadm reset
2 [root@master ~] rm -rf $HOME/.kube/config
3. 加载环境变量
1 [root@master ~] echo "export KUBECONFIG=/etc/kubernetes/admin.conf" >> ~/.bash_profile
2 [root@master ~] source .bash_profile
本文所有操作都在root用户下执行,若为非root用户,则执行如下操作:
1 mkdir -p $HOME/.kube
2 cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
3 chown $(id -u):$(id -g) $HOME/.kube/config
4. 安装flannel网络
4.1 配置host(省略,下面有下载链接)
因为国内网络无法解析raw.githubusercontent.com,因此先访问https://tool.chinaz.com/dns/?type=1&host=raw.githubusercontent.com&ip=查看raw.githubusercontent.com的真实IP,并对应修改host
cat >> /etc/hosts << EOF
151.101.108.133 raw.githubusercontent.com
EOF
4.2 在master上新建flannel网络
vi kube-flannel.yml文件内容如下
1 ---
2 apiVersion: policy/v1beta1
3 kind: PodSecurityPolicy
4 metadata:
5 name: psp.flannel.unprivileged
6 annotations:
7 seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
8 seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
9 apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
10 apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
11 spec:
12 privileged: false
13 volumes:
14 - configMap
15 - secret
16 - emptyDir
17 - hostPath
18 allowedHostPaths:
19 - pathPrefix: "/etc/cni/net.d"
20 - pathPrefix: "/etc/kube-flannel"
21 - pathPrefix: "/run/flannel"
22 readOnlyRootFilesystem: false
23 # Users and groups
24 runAsUser:
25 rule: RunAsAny
26 supplementalGroups:
27 rule: RunAsAny
28 fsGroup:
29 rule: RunAsAny
30 # Privilege Escalation
31 allowPrivilegeEscalation: false
32 defaultAllowPrivilegeEscalation: false
33 # Capabilities
34 allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
35 defaultAddCapabilities: []
36 requiredDropCapabilities: []
37 # Host namespaces
38 hostPID: false
39 hostIPC: false
40 hostNetwork: true
41 hostPorts:
42 - min: 0
43 max: 65535
44 # SELinux
45 seLinux:
46 # SELinux is unused in CaaSP
47 rule: 'RunAsAny'
48 ---
49 kind: ClusterRole
50 apiVersion: rbac.authorization.k8s.io/v1
51 metadata:
52 name: flannel
53 rules:
54 - apiGroups: ['extensions']
55 resources: ['podsecuritypolicies']
56 verbs: ['use']
57 resourceNames: ['psp.flannel.unprivileged']
58 - apiGroups:
59 - ""
60 resources:
61 - pods
62 verbs:
63 - get
64 - apiGroups:
65 - ""
66 resources:
67 - nodes
68 verbs:
69 - list
70 - watch
71 - apiGroups:
72 - ""
73 resources:
74 - nodes/status
75 verbs:
76 - patch
77 ---
78 kind: ClusterRoleBinding
79 apiVersion: rbac.authorization.k8s.io/v1
80 metadata:
81 name: flannel
82 roleRef:
83 apiGroup: rbac.authorization.k8s.io
84 kind: ClusterRole
85 name: flannel
86 subjects:
87 - kind: ServiceAccount
88 name: flannel
89 namespace: kube-system
90 ---
91 apiVersion: v1
92 kind: ServiceAccount
93 metadata:
94 name: flannel
95 namespace: kube-system
96 ---
97 kind: ConfigMap
98 apiVersion: v1
99 metadata:
100 name: kube-flannel-cfg
101 namespace: kube-system
102 labels:
103 tier: node
104 app: flannel
105 data:
106 cni-conf.json: |
107 {
108 "name": "cbr0",
109 "cniVersion": "0.3.1",
110 "plugins": [
111 {
112 "type": "flannel",
113 "delegate": {
114 "hairpinMode": true,
115 "isDefaultGateway": true
116 }
117 },
118 {
119 "type": "portmap",
120 "capabilities": {
121 "portMappings": true
122 }
123 }
124 ]
125 }
126 net-conf.json: |
127 {
128 "Network": "10.244.0.0/16",
129 "Backend": {
130 "Type": "vxlan"
131 }
132 }
133 ---
134 apiVersion: apps/v1
135 kind: DaemonSet
136 metadata:
137 name: kube-flannel-ds
138 namespace: kube-system
139 labels:
140 tier: node
141 app: flannel
142 spec:
143 selector:
144 matchLabels:
145 app: flannel
146 template:
147 metadata:
148 labels:
149 tier: node
150 app: flannel
151 spec:
152 affinity:
153 nodeAffinity:
154 requiredDuringSchedulingIgnoredDuringExecution:
155 nodeSelectorTerms:
156 - matchExpressions:
157 - key: kubernetes.io/os
158 operator: In
159 values:
160 - linux
161 hostNetwork: true
162 priorityClassName: system-node-critical
163 tolerations:
164 - operator: Exists
165 effect: NoSchedule
166 serviceAccountName: flannel
167 initContainers:
168 - name: install-cni
169 image: quay.io/coreos/flannel:v0.13.1-rc2
170 command:
171 - cp
172 args:
173 - -f
174 - /etc/kube-flannel/cni-conf.json
175 - /etc/cni/net.d/10-flannel.conflist
176 volumeMounts:
177 - name: cni
178 mountPath: /etc/cni/net.d
179 - name: flannel-cfg
180 mountPath: /etc/kube-flannel/
181 containers:
182 - name: kube-flannel
183 image: quay.io/coreos/flannel:v0.13.1-rc2
184 command:
185 - /opt/bin/flanneld
186 args:
187 - --ip-masq
188 - --kube-subnet-mgr
189 resources:
190 requests:
191 cpu: "100m"
192 memory: "50Mi"
193 limits:
194 cpu: "100m"
195 memory: "50Mi"
196 securityContext:
197 privileged: false
198 capabilities:
199 add: ["NET_ADMIN", "NET_RAW"]
200 env:
201 - name: POD_NAME
202 valueFrom:
203 fieldRef:
204 fieldPath: metadata.name
205 - name: POD_NAMESPACE
206 valueFrom:
207 fieldRef:
208 fieldPath: metadata.namespace
209 volumeMounts:
210 - name: run
211 mountPath: /run/flannel
212 - name: flannel-cfg
213 mountPath: /etc/kube-flannel/
214 volumes:
215 - name: run
216 hostPath:
217 path: /run/flannel
218 - name: cni
219 hostPath:
220 path: /etc/cni/net.d
221 - name: flannel-cfg
222 configMap:
223 name: kube-flannel-cfg
1 [root@master ~] kubectl apply -f kube-flannel.yml
六、node节点加入集群
1. node加入集群
1 kubeadm join 192.168.214.128:6443 --token 4xpmwx.nw6psmvn9qi4d3cj \
2 --discovery-token-ca-cert-hash sha256:c7cbe95a66092c58b4da3ad20874f0fe2b6d6842d28b2762ffc8d36227d7a0a7
2. 集群节点查看
1 [root@master ~] kubectl get nodes
七、Dashboard搭建
Dashboard提供了可以实现集群管理、工作负载、服务发现和负载均衡、存储、字典配置、日志视图等功能。
1. 下载yaml
vi recommended.yaml
文件内容如下
1 # Copyright 2017 The Kubernetes Authors.
2 #
3 # Licensed under the Apache License, Version 2.0 (the "License");
4 # you may not use this file except in compliance with the License.
5 # You may obtain a copy of the License at
6 #
7 # http://www.apache.org/licenses/LICENSE-2.0
8 #
9 # Unless required by applicable law or agreed to in writing, software
10 # distributed under the License is distributed on an "AS IS" BASIS,
11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 # See the License for the specific language governing permissions and
13 # limitations under the License.
14
15 apiVersion: v1
16 kind: Namespace
17 metadata:
18 name: kubernetes-dashboard
19
20 ---
21
22 apiVersion: v1
23 kind: ServiceAccount
24 metadata:
25 labels:
26 k8s-app: kubernetes-dashboard
27 name: kubernetes-dashboard
28 namespace: kubernetes-dashboard
29
30 ---
31
32 kind: Service
33 apiVersion: v1
34 metadata:
35 labels:
36 k8s-app: kubernetes-dashboard
37 name: kubernetes-dashboard
38 namespace: kubernetes-dashboard
39 spec:
40 ports:
41 - port: 443
42 targetPort: 8443
43 nodePort: 30001
44 type: NodePort
45 selector:
46 k8s-app: kubernetes-dashboard
47
48 ---
49
50 apiVersion: v1
51 kind: Secret
52 metadata:
53 labels:
54 k8s-app: kubernetes-dashboard
55 name: kubernetes-dashboard-certs
56 namespace: kubernetes-dashboard
57 type: Opaque
58
59 ---
60
61 apiVersion: v1
62 kind: Secret
63 metadata:
64 labels:
65 k8s-app: kubernetes-dashboard
66 name: kubernetes-dashboard-csrf
67 namespace: kubernetes-dashboard
68 type: Opaque
69 data:
70 csrf: ""
71
72 ---
73
74 apiVersion: v1
75 kind: Secret
76 metadata:
77 labels:
78 k8s-app: kubernetes-dashboard
79 name: kubernetes-dashboard-key-holder
80 namespace: kubernetes-dashboard
81 type: Opaque
82
83 ---
84
85 kind: ConfigMap
86 apiVersion: v1
87 metadata:
88 labels:
89 k8s-app: kubernetes-dashboard
90 name: kubernetes-dashboard-settings
91 namespace: kubernetes-dashboard
92
93 ---
94
95 kind: Role
96 apiVersion: rbac.authorization.k8s.io/v1
97 metadata:
98 labels:
99 k8s-app: kubernetes-dashboard
100 name: kubernetes-dashboard
101 namespace: kubernetes-dashboard
102 rules:
103 # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
104 - apiGroups: [""]
105 resources: ["secrets"]
106 resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
107 verbs: ["get", "update", "delete"]
108 # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
109 - apiGroups: [""]
110 resources: ["configmaps"]
111 resourceNames: ["kubernetes-dashboard-settings"]
112 verbs: ["get", "update"]
113 # Allow Dashboard to get metrics.
114 - apiGroups: [""]
115 resources: ["services"]
116 resourceNames: ["heapster", "dashboard-metrics-scraper"]
117 verbs: ["proxy"]
118 - apiGroups: [""]
119 resources: ["services/proxy"]
120 resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
121 verbs: ["get"]
122
123 ---
124
125 kind: ClusterRole
126 apiVersion: rbac.authorization.k8s.io/v1
127 metadata:
128 labels:
129 k8s-app: kubernetes-dashboard
130 name: kubernetes-dashboard
131 rules:
132 # Allow Metrics Scraper to get metrics from the Metrics server
133 - apiGroups: ["metrics.k8s.io"]
134 resources: ["pods", "nodes"]
135 verbs: ["get", "list", "watch"]
136
137 ---
138
139 apiVersion: rbac.authorization.k8s.io/v1
140 kind: RoleBinding
141 metadata:
142 labels:
143 k8s-app: kubernetes-dashboard
144 name: kubernetes-dashboard
145 namespace: kubernetes-dashboard
146 roleRef:
147 apiGroup: rbac.authorization.k8s.io
148 kind: Role
149 name: kubernetes-dashboard
150 subjects:
151 - kind: ServiceAccount
152 name: kubernetes-dashboard
153 namespace: kubernetes-dashboard
154
155 ---
156
157 apiVersion: rbac.authorization.k8s.io/v1
158 kind: ClusterRoleBinding
159 metadata:
160 name: kubernetes-dashboard
161 roleRef:
162 apiGroup: rbac.authorization.k8s.io
163 kind: ClusterRole
164 name: kubernetes-dashboard
165 subjects:
166 - kind: ServiceAccount
167 name: kubernetes-dashboard
168 namespace: kubernetes-dashboard
169
170 ---
171
172 kind: Deployment
173 apiVersion: apps/v1
174 metadata:
175 labels:
176 k8s-app: kubernetes-dashboard
177 name: kubernetes-dashboard
178 namespace: kubernetes-dashboard
179 spec:
180 replicas: 1
181 revisionHistoryLimit: 10
182 selector:
183 matchLabels:
184 k8s-app: kubernetes-dashboard
185 template:
186 metadata:
187 labels:
188 k8s-app: kubernetes-dashboard
189 spec:
190 containers:
191 - name: kubernetes-dashboard
192 image: kubernetesui/dashboard:v2.2.0
193 imagePullPolicy: Always
194 ports:
195 - containerPort: 8443
196 protocol: TCP
197 args:
198 - --auto-generate-certificates
199 - --namespace=kubernetes-dashboard
200 # Uncomment the following line to manually specify Kubernetes API server Host
201 # If not specified, Dashboard will attempt to auto discover the API server and connect
202 # to it. Uncomment only if the default does not work.
203 # - --apiserver-host=http://my-address:port
204 volumeMounts:
205 - name: kubernetes-dashboard-certs
206 mountPath: /certs
207 # Create on-disk volume to store exec logs
208 - mountPath: /tmp
209 name: tmp-volume
210 livenessProbe:
211 httpGet:
212 scheme: HTTPS
213 path: /
214 port: 8443
215 initialDelaySeconds: 30
216 timeoutSeconds: 30
217 securityContext:
218 allowPrivilegeEscalation: false
219 readOnlyRootFilesystem: true
220 runAsUser: 1001
221 runAsGroup: 2001
222 volumes:
223 - name: kubernetes-dashboard-certs
224 secret:
225 secretName: kubernetes-dashboard-certs
226 - name: tmp-volume
227 emptyDir: {}
228 serviceAccountName: kubernetes-dashboard
229 nodeSelector:
230 "kubernetes.io/os": linux
231 # Comment the following tolerations if Dashboard must not be deployed on master
232 tolerations:
233 - key: node-role.kubernetes.io/master
234 effect: NoSchedule
235
236 ---
237
238 kind: Service
239 apiVersion: v1
240 metadata:
241 labels:
242 k8s-app: dashboard-metrics-scraper
243 name: dashboard-metrics-scraper
244 namespace: kubernetes-dashboard
245 spec:
246 ports:
247 - port: 8000
248 targetPort: 8000
249 selector:
250 k8s-app: dashboard-metrics-scraper
251
252 ---
253
254 kind: Deployment
255 apiVersion: apps/v1
256 metadata:
257 labels:
258 k8s-app: dashboard-metrics-scraper
259 name: dashboard-metrics-scraper
260 namespace: kubernetes-dashboard
261 spec:
262 replicas: 1
263 revisionHistoryLimit: 10
264 selector:
265 matchLabels:
266 k8s-app: dashboard-metrics-scraper
267 template:
268 metadata:
269 labels:
270 k8s-app: dashboard-metrics-scraper
271 annotations:
272 seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
273 spec:
274 containers:
275 - name: dashboard-metrics-scraper
276 image: kubernetesui/metrics-scraper:v1.0.6
277 ports:
278 - containerPort: 8000
279 protocol: TCP
280 livenessProbe:
281 httpGet:
282 scheme: HTTP
283 path: /
284 port: 8000
285 initialDelaySeconds: 30
286 timeoutSeconds: 30
287 volumeMounts:
288 - mountPath: /tmp
289 name: tmp-volume
290 securityContext:
291 allowPrivilegeEscalation: false
292 readOnlyRootFilesystem: true
293 runAsUser: 1001
294 runAsGroup: 2001
295 serviceAccountName: kubernetes-dashboard
296 nodeSelector:
297 "kubernetes.io/os": linux
298 # Comment the following tolerations if Dashboard must not be deployed on master
299 tolerations:
300 - key: node-role.kubernetes.io/master
301 effect: NoSchedule
302 volumes:
303 - name: tmp-volume
304 emptyDir: {}
2. 配置yaml
2.1 修改镜像地址(省略,直接用文件里面的镜像)
1 [root@client ~] sed -i 's/kubernetesui/registry.cn-hangzhou.aliyuncs.com\/loong576/g' recommended.yaml
由于默认的镜像仓库网络访问不通,故改成阿里镜像
2.2 外网访问
1 [root@client ~] sed -i '/targetPort: 8443/a\ \ \ \ \ \ nodePort: 30001\n\ \ type: NodePort' recommended.yaml
配置NodePort,外部通过https://NodeIp:NodePort 访问Dashboard,此时端口为30001
3. 部署访问
3.1 部署Dashboard
1 [root@client ~] kubectl apply -f recommended.yaml
3.2 状态查看
1 [root@client ~] kubectl get all -n kubernetes-dashboard
3.3 令牌生成
创建service account并绑定默认cluster-admin管理员集群角色:
1 # 创建用户
2 $ kubectl create serviceaccount dashboard-admin -n kube-system
3 # 用户授权
4 $ kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
3.4 令牌查看
1 [root@client ~] kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')
令牌为:
1 eyJhbGciOiJSUzI1NiIsImtpZCI6ImhPdFJMQVZCVmRlZ25HOUJ5enNUSFV5M3Z6NnVkSTBQR0gzbktqbUl3bGMifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tczhtbTciLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiN2JjNWY0ZTktNmQwYy00MjYxLWFiNDItMDZhM2QxNjVkNmI4Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.N5eoH_rjPVX4a4BJwi2P-f3ohVLq2W0afzkaWomFk5iBe1KMczv5zAzz0EYZwnHkNOZ-Ts7Z6Z778vo7fR5_B-6KRNvdE5rg5Cq6fZKBlRvqB9FqYA0a_3JXCc0FK1et-97ycM20XtekM1KBt0uyHkKnPzJJBkqAedtALbJ0ccWU_WmmKVHKzfgXTiQNdiM-mqyelIxQa7i0KFFdnyN7Euhh4uk_ueXeLlZeeijxWTOpu9p91jMuN45xFuny0QkxxQcWlnjL8Gz7mELemEMOQEbhZRcKSHleZ72FVpjvHwn0gg7bQuaNc-oUKUxB5VS-h7CF8aOjk-yrLvoaY3Af-g
3.5 访问
请使用浏览器访问:https://192.168.214.128:30001/
接受风险,输入令牌,即可图形化管理k8s集群。
参考来源:https://www.cnblogs.com/jay763190097/p/14477402.html