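I. Obtain the required images
A proxy that can reach k8s.gcr.io is needed to pull the dashboard images; once pulled, they can be kept in a local registry for centralized management.
cat /etc/systemd/system/docker.service.d/http-proxy.conf
[Service]
Environment="HTTP_PROXY=http://192.168.115.2:1080"
systemctl daemon-reload
systemctl restart docker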
docker pull k8s.gcr.io/kubernetes-dashboard-amd64:v1.8.3
docker pull k8s.gcr.io/heapster-influxdb-amd64:v1.3.3
docker pull k8s.gcr.io/heapster-amd64:v1.4.2
II. Prepare the configuration files
1. k8s-dashborad-sa.yaml: Secret and ServiceAccount configuration
cat k8s-dashborad-sa.yaml
# ------------------- Dashboard Secret ------------------- #
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque
---
# ------------------- Dashboard Service Account ------------------- #
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
2. k8s-dashborad-rbac.yaml: Role and RoleBinding configuration
cat k8s-dashborad-rbac.yaml
# ------------------- Dashboard Role & Role Binding ------------------- #
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
3. k8s-dashborad-deployment.yaml: defines the pod template and the number of replicas
cat k8s-dashborad-deployment.yaml
# ------------------- Dashboard Deployment ------------------- #
kind: Deployment
apiVersion: apps/v1beta2
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.8.3
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --auto-generate-certificates
          # Uncomment the following line to manually specify Kubernetes API server Host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          # - --apiserver-host=http://my-address:port
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
4. k8s-dashborad-service.yaml: defines the Service
cat k8s-dashborad-service.yaml
# ------------------- Dashboard Service ------------------- #
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
  - port: 443
    targetPort: 8443
    nodePort: 8490
  type: NodePort
  selector:
    k8s-app: kubernetes-dashboard
III. Create the dashboard from the configuration files
kubectl create -f .
kubectl get pod,deployment,svc -n kube-system
IV. Configure basic authentication
By default, only kubeconfig and token authentication are supported.
echo 'admin,admin,1' > /etc/kubernetes/basic_auth_file
grep 'auth' /usr/lib/systemd/system/kube-apiserver.service
--authorization-mode=Node,RBAC
--runtime-config=rbac.authorization.k8s.io/v1alpha1
--enable-bootstrap-token-auth=true
--token-auth-file=/etc/kubernetes/token.csv
--basic-auth-file=/etc/kubernetes/basic_auth_file \
grep 'basic' k8s-dashborad-deployment.yaml (configured under args)
- --authentication-mode=basic
systemctl daemon-reload
systemctl restart kube-apiserver
kubectl apply -f k8s-dashborad-deployment.yaml
Bind the admin user to the cluster-admin role
curl --insecure https://vm1:6443 --basic -u admin:admin
kubectl create clusterrolebinding \
  login-on-dashboard-with-cluster-admin \
  --clusterrole=cluster-admin --user=admin
curl --insecure https://vm1:6443 --basic -u admin:admin
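The static password file configured in this section can be audited as follows. This is an added example, not part of the original post: it reads --basic-auth-file from a kube-apiserver unit file and flags a world-readable file, a password equal to the user name, and short passwords. The function names and the 12-character minimum are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the static basic-auth
# setup from this section. File format: password,user,uid[,"group1,group2"]

# flag_value <unit-file> <flag>: print the value of --<flag>=... if present.
flag_value() {
    awk -v f="--$2=" '{ for (i = 1; i <= NF; i++)
        if (index($i, f) == 1) { print substr($i, length(f) + 1); exit } }' "$1"
}

# audit_basic_auth <unit-file> [min-password-length]: one finding per line.
audit_basic_auth() {
    auth_file=$(flag_value "$1" basic-auth-file)
    if [ -z "$auth_file" ]; then
        return 0                      # basic auth is not enabled
    fi
    echo "STATIC_PASSWORD_FILE $auth_file"
    if [ ! -f "$auth_file" ]; then
        echo "MISSING_FILE $auth_file"
        return 0
    fi
    # Passwords are stored in clear text, so the file must not be world-readable.
    if [ -n "$(find "$auth_file" -prune -perm -0004)" ]; then
        echo "WORLD_READABLE $auth_file"
    fi
    awk -F, -v min="${2:-12}" '
        /^[[:space:]]*$/ { next }
        NF < 3           { print "MALFORMED_LINE " NR; next }
        $1 == $2         { print "PASSWORD_EQUALS_USER " $2 }
        length($1) < min { print "SHORT_PASSWORD " $2 }
    ' "$auth_file"
}

# Constructed sample mirroring the files shown above (paths are temporary).
demo_dir=$(mktemp -d)
printf 'admin,admin,1\n' > "$demo_dir/basic_auth_file"
chmod 644 "$demo_dir/basic_auth_file"
printf 'ExecStart=/usr/bin/kube-apiserver \\\n  --authorization-mode=Node,RBAC \\\n  --basic-auth-file=%s \\\n' \
    "$demo_dir/basic_auth_file" > "$demo_dir/kube-apiserver.service"
audit_basic_auth "$demo_dir/kube-apiserver.service"
```

kube-apiserver dropped the --basic-auth-file flag in Kubernetes 1.19, so on newer clusters only the Dashboard's default token and kubeconfig logins apply.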
V. Access test
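VI. Integrate heapster and influxdb
Without heapster and influxdb configured, pod metrics cannot be retrieved, and the HPA feature in earlier Kubernetes versions relied on exactly heapster and influxdb as its metric data source.
1. Prepare the YAML configuration files
cat heapster-sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: heapster
  namespace: kube-system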
cat heapster-rbac.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: heapster
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:heapster
subjects:
- kind: ServiceAccount
  name: heapster
  namespace: kube-system
cat heapster-deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: heapster
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        task: monitoring
        k8s-app: heapster
    spec:
      serviceAccountName: heapster
      containers:
      - name: heapster
        image: k8s.gcr.io/heapster-amd64:v1.4.2
        imagePullPolicy: IfNotPresent
        command:
        - /heapster
        - --source=kubernetes:https://kubernetes.default
        - --sink=influxdb:http://monitoring-influxdb.kube-system.svc:8086
cat heapster-service.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    task: monitoring
    kubernetes.io/cluster-service: 'true'
    kubernetes.io/name: Heapster
  name: heapster
  namespace: kube-system
spec:
  ports:
  - port: 80
    targetPort: 8082
  selector:
    k8s-app: heapster
cat influxdb-deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: monitoring-influxdb
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        task: monitoring
        k8s-app: influxdb
    spec:
      containers:
      - name: influxdb
        image: k8s.gcr.io/heapster-influxdb-amd64:v1.3.3
        volumeMounts:
        - mountPath: /data
          name: influxdb-storage
      volumes:
      - name: influxdb-storage
        emptyDir: {}
cat influxdb-service.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    task: monitoring
    kubernetes.io/cluster-service: 'true'
    kubernetes.io/name: monitoring-influxdb
  name: monitoring-influxdb
  namespace: kube-system
spec:
  ports:
  - port: 8086
    targetPort: 8086
  selector:
    k8s-app: influxdb
List the metrics supported by heapster
kubectl run -i --tty curl --namespace=kube-system \
  --image=registry.59iedu.com/webwurst/curl-utils /bin/sh
kubectl get node
kubectl top node
When the heapster and influxdb pods are both running normally