今日目标:
-k8s服务管理
-Ingress安装与策略配置
-Dashboard安装
-RBAC权限管理
kubernetes
service 管理
clusterIP
创建服务
# 资源对象模板 [root@master ~]# kubectl create service clusterip mysvc --tcp=80:80 --dry-run=client -o yaml #自动生成模板 [root@master ~]# vim mysvc.yaml --- kind: Service apiVersion: v1 metadata: name: mysvc spec: type: ClusterIP selector: app: web ports: - protocol: TCP port: 80 targetPort: 80 [root@master ~]# kubectl apply -f mysvc.yaml service/mysvc created [root@master ~]# kubectl get service NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) kubernetes ClusterIP 10.245.0.1 <none> 443/TCP mysvc ClusterIP 10.245.5.18 <none> 80/TCP
解析域名
# 安装工具软件包 [root@master ~]# dnf install -y bind-utils # 查看 DNS 服务地址 [root@master ~]# kubectl -n kube-system get service kube-dns NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) kube-dns ClusterIP 10.245.0.10 <none> 53/UDP,53/TCP,9153/TCP # 域名解析测试 [root@master ~]# host mysvc.default.svc.cluster.local 10.245.0.10 Using domain server: Name: 10.245.0.10 Address: 10.245.0.10#53 Aliases: mysvc.default.svc.cluster.local has address 10.245.5.18
创建后端应用
[root@master ~]# vim myweb.yaml --- kind: Pod apiVersion: v1 metadata: name: web1 labels: app: web # 服务靠标签寻找后端 spec: containers: - name: apache image: myos:httpd [root@master ~]# kubectl apply -f myweb.yaml pod/web1 created [root@master ~]# curl http://10.245.5.18 Welcome to The Apache.
负载均衡
[root@master ~]# sed 's,web1,web2,' myweb.yaml |kubectl apply -f - pod/web2 created [root@master ~]# sed 's,web1,web3,' myweb.yaml |kubectl apply -f - pod/web3 created [root@master ~]# curl -s http://10.245.5.18/info.php |grep php_host php_host: web1 [root@master ~]# curl -s http://10.245.5.18/info.php |grep php_host php_host: web2 [root@master ~]# curl -s http://10.245.5.18/info.php |grep php_host php_host: web3
固定 IP 服务
[root@master ~]# vim mysvc.yaml --- kind: Service apiVersion: v1 metadata: name: mysvc spec: type: ClusterIP clusterIP: 10.245.1.80 # 可以设置 ClusterIP selector: app: web ports: - protocol: TCP port: 80 targetPort: 80 [root@master ~]# kubectl delete service mysvc service "mysvc" deleted [root@master ~]# kubectl apply -f mysvc.yaml service/mysvc created [root@master ~]# kubectl get service NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) kubernetes ClusterIP 10.245.0.1 <none> 443/TCP mysvc ClusterIP 10.245.1.80 <none> 80/TCP
端口别名
[root@master ~]# kubectl delete pod --all pod "web1" deleted pod "web2" deleted pod "web3" deleted [root@master ~]# vim mysvc.yaml --- kind: Service apiVersion: v1 metadata: name: mysvc spec: type: ClusterIP clusterIP: 10.245.1.80 selector: app: web ports: - protocol: TCP port: 80 targetPort: myhttp # 使用别名查找后端服务端口 [root@master ~]# kubectl apply -f mysvc.yaml service/mysvc configured [root@master ~]# vim myweb.yaml --- kind: Pod apiVersion: v1 metadata: name: web1 labels: app: web spec: containers: - name: apache image: myos:httpd ports: # 配置端口规范 - name: myhttp # 端口别名 protocol: TCP # 协议 containerPort: 80 # 端口号 [root@master ~]# kubectl apply -f myweb.yaml pod/web1 created [root@master ~]# curl http://10.245.1.80 Welcome to The Apache.
服务排错
--- kind: Service apiVersion: v1 metadata: name: web123 spec: type: ClusterIP clusterIP: 192.168.1.88 selector: app: apache ports: - protocol: TCP port: 80 targetPort: web
修改错误
[root@master ~]# cat abc.yaml --- kind: Service apiVersion: v1 metadata: name: web123 spec: type: ClusterIP clusterIP: 10.245.1.82 selector: app: web ports: - protocol: TCP port: 80 targetPort: myhttp [root@master ~]# kubectl apply -f abc.yaml service/web123 configured [root@master ~]# curl 10.245.1.82 Welcome to The Apache.
nodePort
对外发布服务
[root@master ~]# cp -a mysvc.yaml mysvc1.yaml [root@master ~]# vim mysvc1.yaml --- kind: Service apiVersion: v1 metadata: name: mysvc1 spec: type: NodePort # 服务类型 selector: app: web ports: - protocol: TCP port: 80 nodePort: 30080 # 映射端口号 targetPort: myhttp [root@master ~]# kubectl apply -f mysvc1.yaml service/mysvc configured [root@master ~]# kubectl get service NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) kubernetes ClusterIP 10.245.0.1 <none> 443/TCP mysvc ClusterIP 10.245.1.80 <none> 80/TCP mysvc1 NodePort 10.245.1.88 <none> 80:30080/TCP [root@master ~]# curl http://node-0001:30080 Welcome to The Apache. [root@master ~]# curl http://node-0002:30080 Welcome to The Apache. [root@master ~]# curl http://node-0003:30080 Welcome to The Apache. [root@master ~]# curl http://node-0004:30080 Welcome to The Apache. [root@master ~]# curl http://node-0005:30080 Welcome to The Apache.
Ingress
安装控制器
[root@master ~]# cd plugins/ingress [root@master ingress]# docker load -i ingress.tar.xz [root@master ingress]# docker images|while read i t _;do [[ "${t}" == "TAG" ]] && continue [[ "${i}" =~ ^"harbor:443/".+ ]] && continue docker tag ${i}:${t} harbor:443/plugins/${i##*/}:${t} docker push harbor:443/plugins/${i##*/}:${t} docker rmi ${i}:${t} harbor:443/plugins/${i##*/}:${t} done [root@master ingress]# sed -ri 's,^(\s*image: )(.*/)?(.+)@.*,\1harbor:443/plugins/\3,' deploy.yaml 458: image: harbor:443/plugins/controller:v1.5.1 565: image: harbor:443/plugins/kube-webhook-certgen:v20220916-gd32f8c343 614: image: harbor:443/plugins/kube-webhook-certgen:v20220916-gd32f8c343 [root@master ingress]# kubectl apply -f deploy.yaml # 通过标签指定在那台机器上发布应用 [root@master ingress]# kubectl label nodes node-0001 ingress-ready="true" node/node-0001 labeled [root@master ingress]# kubectl -n ingress-nginx get pods NAME READY STATUS RESTARTS ingress-nginx-admission-create--1-lm52c 0/1 Completed 0 ingress-nginx-admission-patch--1-sj2lz 0/1 Completed 0 ingress-nginx-controller-5664857866-tql24 1/1 Running 0
验证后端服务
[root@master ~]# kubectl get pods,services NAME READY STATUS RESTARTS AGE pod/web1 1/1 Running 0 35m NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) service/kubernetes ClusterIP 10.245.0.1 <none> 443/TCP service/mysvc ClusterIP 10.245.1.80 <none> 80/TCP service/mysvc1 NodePort 10.245.1.88 <none> 80:30080/TCP [root@master ~]# curl http://10.245.1.80 Welcome to The Apache.
对外发布服务
[root@master ~]# kubectl get ingressclasses.networking.k8s.io NAME CONTROLLER PARAMETERS AGE nginx k8s.io/ingress-nginx <none> 5m7s # 资源对象模板 [root@master ~]# kubectl create ingress mying --class=nginx --rule=nsd.tedu.cn/*=mysvc:80 --dry-run=client -o yaml [root@master ~]# vim mying.yaml --- kind: Ingress apiVersion: networking.k8s.io/v1 metadata: name: mying spec: ingressClassName: nginx rules: - host: nsd.tedu.cn http: paths: - path: / pathType: Prefix backend: service: name: mysvc port: number: 80 [root@master ~]# kubectl apply -f mying.yaml ingress.networking.k8s.io/mying created [root@master ~]# kubectl get ingress NAME CLASS HOSTS ADDRESS PORTS mying nginx nsd.tedu.cn 192.168.1.51 80 [root@master ~]# curl -H "Host: nsd.tedu.cn" http://192.168.1.51 Welcome to The Apache.
web 管理插件
安装 Dashboard
[root@master ~]# cd plugins/dashboard [root@master dashboard]# docker load -i dashboard.tar.xz [root@master dashboard]# docker images|while read i t _;do [[ "${t}" == "TAG" ]] && continue [[ "${i}" =~ ^"harbor:443/".+ ]] && continue docker tag ${i}:${t} harbor:443/plugins/${i##*/}:${t} docker push harbor:443/plugins/${i##*/}:${t} docker rmi ${i}:${t} harbor:443/plugins/${i##*/}:${t} done [root@master dashboard]# sed -ri 's,^(\s*image: )(.*/)?(.+),\1harbor:443/plugins/\3,' recommended.yaml 193: image: harbor:443/plugins/dashboard:v2.7.0 278: image: harbor:443/plugins/metrics-scraper:v1.0.8 [root@master dashboard]# kubectl apply -f recommended.yaml [root@master dashboard]# kubectl -n kubernetes-dashboard get pods NAME READY STATUS RESTARTS dashboard-metrics-scraper-66f6f56b59-b42ng 1/1 Running 0 kubernetes-dashboard-65ff57f4cf-lwtsk 1/1 Running 0
发布服务
# 查看服务状态 [root@master dashboard]# kubectl -n kubernetes-dashboard get service NAME TYPE CLUSTER-IP PORT(S) dashboard-metrics-scraper ClusterIP 10.245.205.236 8000/TCP kubernetes-dashboard ClusterIP 10.245.215.40 443/TCP # 获取服务资源对象文件 [root@master dashboard]# sed -n '30,45p' recommended.yaml >dashboard-svc.yaml [root@master dashboard]# vim dashboard-svc.yaml --- kind: Service apiVersion: v1 metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard namespace: kubernetes-dashboard spec: type: NodePort ports: - port: 443 nodePort: 30443 targetPort: 8443 selector: k8s-app: kubernetes-dashboard [root@master dashboard]# kubectl apply -f dashboard-svc.yaml service/kubernetes-dashboard configured [root@master dashboard]# kubectl -n kubernetes-dashboard get service NAME TYPE CLUSTER-IP PORT(S) dashboard-metrics-scraper ClusterIP 10.245.205.236 8000/TCP kubernetes-dashboard NodePort 10.245.215.40 443:30443/TCP
-
通过浏览器访问 Dashboard 登录页面
弹性负载均衡添加30443端口,通过Kubernetes Dashboard访问
服务账号与权限
创建服务账号
# 资源对象模板 [root@master ~]# kubectl -n kubernetes-dashboard create serviceaccount kube-admin --dry-run=client -o yaml [root@master ~]# vim admin-user.yaml --- kind: ServiceAccount apiVersion: v1 metadata: name: kube-admin namespace: kubernetes-dashboard [root@master ~]# kubectl apply -f admin-user.yaml serviceaccount/kube-admin created [root@master ~]# kubectl -n kubernetes-dashboard get serviceaccounts NAME SECRETS AGE default 0 16m kube-admin 0 11s kubernetes-dashboard 0 16m
获取用户 token
[root@master ~]# kubectl -n kubernetes-dashboard create token kube-admin <Base64 编码的令牌数据>
角色与鉴权
资源对象 描述 作用域 ServiceAccount 服务账号,为 Pod 中运行的进程提供了一个身份 单一名称空间 Role 角色,包含一组代表相关权限的规则 单一名称空间 ClusterRole 角色,包含一组代表相关权限的规则 全集群 RoleBinding 将权限赋予用户,Role、ClusterRole 均可使用 单一名称空间 ClusterRoleBinding 将权限赋予用户,只可以使用 ClusterRole 全集群 资源对象权限
create delete deletecollection get list patch update watch 创建 删除 删除集合 获取属性 获取列表 补丁 更新 监控
普通角色
[root@master ~]# kubectl cluster-info dump |grep authorization-mode "--authorization-mode=Node,RBAC", # 资源对象模板 [root@master ~]# kubectl -n default create role myrole --resource=pods --verb=get,list --dry-run=client -o yaml [root@master ~]# kubectl -n default create rolebinding kube-admin-role --role=myrole --serviceaccount=kubernetes-dashboard:kube-admin --dry-run=client -o yaml [root@master ~]# vim myrole.yaml --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: myrole namespace: default rules: - apiGroups: - "" resources: - pods verbs: - get - list --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: kube-admin-role namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: myrole subjects: - kind: ServiceAccount name: kube-admin namespace: kubernetes-dashboard [root@master ~]# kubectl apply -f myrole.yaml role.rbac.authorization.k8s.io/myrole created rolebinding.rbac.authorization.k8s.io/kube-admin-role created [root@master ~]# kubectl delete -f myrole.yaml role.rbac.authorization.k8s.io "myrole" deleted rolebinding.rbac.authorization.k8s.io "kube-admin-role" deleted
集群管理员
[root@master ~]# kubectl get clusterrole NAME CREATED AT admin 2022-06-24T08:11:17Z cluster-admin 2022-06-24T08:11:17Z ... ... # 资源对象模板 [root@master ~]# kubectl create clusterrolebinding kube-admin-role --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:kube-admin --dry-run=client -o yaml [root@master ~]# vim admin-user.yaml --- kind: ServiceAccount apiVersion: v1 metadata: name: kube-admin namespace: kubernetes-dashboard --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: kube-admin-role roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: kube-admin namespace: kubernetes-dashboard [root@master ~]# kubectl apply -f admin-user.yaml serviceaccount/kube-admin unchanged clusterrolebinding.rbac.authorization.k8s.io/kube-admin-role created