安装kubernetes-dashboard
第一步:准备需要的镜像和配置文件
按官方建议的k8s与dashboard兼容的版本下载对应的文件:
由于我使用的k8s是1.14.1版本,所以将dashboard对应版本的yaml文件下载到服务器root路径下:
执行安装命令:
kubectl apply -f recommended-v2.0.0-beta1.yaml
查看Deployment和Pod的运行状态:
如果已经是running状态,接下来将dashboard的service端口暴露。
第二步:暴露dashboard service端口为NodePort模式
kubectl edit service kubernetes-dashboard -n kubernetes-dashboard
指定nodeport即可通过访问master机器得到实现访问dashboard ui
第三步:创建Service Account与集群管理员用户绑定
admin.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
生效service account
kubectl apply -f admin.yaml
此时输入https://masterip:nodeport访问ui会得到类似如下证书问题:
证书过期,所以需要生成自签名证书
第四步:生成自签名证书
在master机器上执行如下操作,步骤如下:
mkdir /root/keys
cd /root/keys
openssl genrsa -out dashboard.key 2048
openssl req -new -out dashboard.csr -key dashboard.key -subj '/CN=10.238.5.37'
# 证书过期时间设置为1年
openssl x509 -req -days 365 -in dashboard.csr -signkey dashboard.key -out dashboard.crt
查询到kubernetes-dashboard容器位于vm-vmw63586-app节点
在vm-vmw63586-app节点上查询kubernetes-dashboard容器ID
在vm-vmw63586-app节点上查询kubernetes-dashboard容器挂载目录
从master机器将证书文件拷贝到vm-vmw63586-app节点上kubernetes-dashboard容器挂载目录
在vm-vmw63586-app节点重启kubernetes-dashboard容器
从master节点获取token输入即可正常查看ui:
第五步:添加访问用户和密码
https://www.jianshu.com/p/5dca6b639e62
添加不同权限的访问账号
首先建一个定制权限的集群用户,例如我新建了一个访问范围与管理员用户相同,但是是只有查看权限的集群用户:
cluster-guest.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cluster-guest
rules:
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get", "watch", "list"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["pods/portforward", "pods/proxy"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["extensions", "apps"]
resources: ["deployments"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["get", "watch", "list"]
- apiGroups: ["apps", "extensions"]
resources: ["replicasets"]
verbs: ["get", "watch", "list"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "watch", "list"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "watch", "list"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
- apiGroups: [""]
resources: ["services"]
verbs: ["get", "watch", "list", "create"]
- apiGroups: ["extensions"]
resources: ["ingresses"]
verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
resources: ["daemonsets"]
verbs: ["get", "watch", "list"]
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["get", "watch", "list"]
- apiGroups: ["batch"]
resources: ["cronjobs"]
verbs: ["get", "watch", "list"]
- apiGroups: [""]
resources: ["replicationcontrollers"]
verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
resources: ["statefulsets"]
verbs: ["get", "watch", "list"]
- apiGroups: [""]
resources: ["endpoints"]
verbs: ["get", "watch", "list"]
生效新建集群用户:
kubectl create -f cluster-guest.yaml
然后新建 kubernetes-dashboard的ServiceAccount,并将这个ServiceAccount与刚才新建的集群账号绑定:
guest.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: guest-user
namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: guest-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-guest
subjects:
- kind: ServiceAccount
name: guest-user
namespace: kubernetes-dashboard
生效新建ServiceAccount,并将其与新建集群用户绑定:
kubectl create -f guest.yaml
最后,将新建的集群用户与dashboard ui的登入账号绑定,即可:
kubectl create clusterrolebinding login-on-dashboard-with-cluster-guest --clusterrole=cluster-guest --user=guest
安装metrics-server
metric server简易pod监控,效果如下:
1486
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
