1. Kubernetes container resource limits
Kubernetes uses two kinds of constraints, request and limit, to allocate resources.
- request (resource demand): the node a Pod is scheduled on must be able to satisfy the Pod's minimum requirement before the Pod can run there.
- limit (resource cap): memory use may grow while the Pod runs; the limit is the most memory the Pod is allowed to use.
Resource types:
CPU is measured in cores, memory in bytes.
A container that requests 0.5 CPU is requesting half of one CPU. The suffix m means one thousandth, so 100m CPU, 100 millicores and 0.1 CPU are all the same amount.
Memory units:
K, M, G, T, P, E          # decimal suffixes, scaled by 1000
Ki, Mi, Gi, Ti, Pi, Ei    # binary suffixes, scaled by 1024
1.1 Memory limits
[root@server1 docker]# docker search stress
[root@server1 harbor]# docker pull progrium/stress
[root@server1 harbor]# docker tag progrium/stress:latest reg.westos.org/library/stress:latest
[root@server1 harbor]# docker push reg.westos.org/library/stress:latest
[root@server2 ~]# mkdir limit/
[root@server2 ~]# cd limit/
[root@server2 limit]# vim pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: memory-demo
spec:
  containers:
  - name: memory-demo
    image: stress
    args:
    - --vm
    - "1"
    - --vm-bytes
    - 200M
    resources:
      requests:
        memory: 50Mi
      limits:
        memory: 100Mi   ## cap is 100Mi, while stress above tries to allocate 200M
[root@server2 limit]# kubectl apply -f pod.yaml
pod/memory-demo created
[root@server2 limit]# kubectl get pod
NAME          READY   STATUS             RESTARTS   AGE
memory-demo   0/1     CrashLoopBackOff   2          42s
[root@server2 limit]# kubectl get pod -o wide
NAME          READY   STATUS             RESTARTS   AGE   IP             NODE      NOMINATED NODE   READINESS GATES
memory-demo   0/1     CrashLoopBackOff   3          53s   10.244.22.40   server4   <none>           <none>
# If a container exceeds its memory limit it is terminated. If it can be restarted, the kubelet restarts it, as with any other kind of runtime failure.
# If a container exceeds its memory request, its Pod may be evicted when the node runs out of memory.
[root@server2 limit]# kubectl delete -f pod.yaml
pod "memory-demo" deleted
[root@server2 limit]# vim pod.yaml
[root@server2 limit]# kubectl apply -f pod.yaml
pod/memory-demo created
[root@server2 limit]# kubectl get pod
NAME          READY   STATUS    RESTARTS   AGE
memory-demo   1/1     Running   0          29s
[root@server2 limit]# kubectl get pod -o wide
NAME          READY   STATUS    RESTARTS   AGE   IP             NODE      NOMINATED NODE   READINESS GATES
memory-demo   1/1     Running   0          35s   10.244.22.41   server4   <none>           <none>
1.2 CPU limits
Scheduling fails when the requested CPU exceeds what the cluster's nodes can provide; high CPU usage, on the other hand, does not get the container killed.
[root@server2 limit]# kubectl delete -f pod.yaml
pod "memory-demo" deleted
[root@server2 limit]# vim pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: cpu-demo
spec:
  containers:
  - name: cpu-demo
    image: stress
    resources:
      limits:
        cpu: "10"
      requests:
        cpu: "5"
    args:
    - -c
    - "2"
[root@server2 limit]# kubectl get pod
NAME       READY   STATUS    RESTARTS   AGE
cpu-demo   0/1     Pending   0          22s
[root@server2 limit]# kubectl delete -f pod.yaml
pod "cpu-demo" deleted
[root@server2 limit]# vim pod.yaml
      limits:
        cpu: "10"   ## upper bound still too high
      requests:
        cpu: "2"
[root@server2 limit]# kubectl apply -f pod.yaml
pod/cpu-demo created
[root@server2 limit]# kubectl get pod
NAME       READY   STATUS    RESTARTS   AGE
cpu-demo   0/1     Pending   0          14s
[root@server2 limit]# kubectl delete -f pod.yaml
pod "cpu-demo" deleted
[root@server2 limit]# vim pod.yaml
[root@server2 limit]# kubectl apply -f pod.yaml
pod/cpu-demo created
[root@server2 limit]# kubectl get pod
NAME       READY   STATUS    RESTARTS   AGE
cpu-demo   1/1     Running   0          13s
[root@server2 limit]# kubectl delete -f pod.yaml
pod "cpu-demo" deleted
1.3 Setting resource limits for a namespace
[root@server2 limit]# vim ns-limit.yaml
[root@server2 limit]# kubectl apply -f ns-limit.yaml
limitrange/limitrange-demo created
[root@server2 limit]# kubectl get limitranges
NAME              CREATED AT
limitrange-demo   2021-03-25T08:38:04Z
[root@server2 limit]# kubectl describe limitranges limitrange-demo
Name:       limitrange-demo
Namespace:  default
Type        Resource  Min    Max  Default Request  Default Limit  Max Limit/Request Ratio
----        --------  ---    ---  ---------------  -------------  -----------------------
Container   cpu       100m   1    100m             500m           -
Container   memory    100Mi  1Gi  256Mi            512Mi
[root@server2 limit]# vim pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: cpu-demo
spec:
  containers:
  - name: cpu-demo
    image: nginx
[root@server2 limit]# kubectl apply -f pod.yaml
pod/cpu-demo created
[root@server2 limit]# kubectl get pod
NAME       READY   STATUS    RESTARTS   AGE
cpu-demo   1/1     Running   0          19s
[root@server2 limit]# kubectl describe pod cpu-demo   ## view the resource limits assigned by default
[root@server2 limit]# kubectl describe limitranges
[root@server2 limit]# kubectl delete -f pod.yaml
pod "cpu-demo" deleted
[root@server2 limit]# vim pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: cpu-demo
spec:
  containers:
  - name: cpu-demo
    image: nginx
    resources:
      limits:
        cpu: "2"
      requests:
        cpu: "0.1"
[root@server2 limit]# kubectl apply -f pod.yaml
Error from server (Forbidden): error when creating "pod.yaml": pods "cpu-demo" is forbidden: maximum cpu usage per Container is 1, but limit is 2
[root@server2 limit]# kubectl delete -f pod.yaml
[root@server2 limit]# vim pod.yaml
    resources:
      limits:
        cpu: "1"
        memory: "2Gi"
      requests:
        cpu: "0.1"
[root@server2 limit]# kubectl apply -f pod.yaml
Error from server (Forbidden): error when creating "pod.yaml": pods "cpu-demo" is forbidden: maximum memory usage per Container is 1Gi, but limit is 2Gi
[root@server2 limit]# vim pod.yaml   ## values now satisfy the LimitRange, so this succeeds
    resources:
      limits:
        cpu: "1"
        memory: "1Gi"
      requests:
        cpu: "0.1"
[root@server2 limit]# kubectl apply -f pod.yaml
pod/cpu-demo created
[root@server2 limit]# kubectl describe pod cpu-demo   ## if only one side is set, requests and limits are kept the same; if neither is set, the LimitRange defaults are used
[root@server2 limit]# kubectl delete -f pod.yaml
pod "cpu-demo" deleted
Configuring Pod quotas for a namespace
- The ResourceQuota object created below adds the following constraints to the default namespace:
  Every container must set a memory request, a memory limit, a CPU request and a CPU limit.
  The sum of all containers' memory requests must not exceed 1 GiB.
  The sum of all containers' memory limits must not exceed 2 GiB.
  The sum of all containers' CPU requests must not exceed 1 CPU.
  The sum of all containers' CPU limits must not exceed 2 CPU.
[root@server2 limit]# vim quota.yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: mem-cpu-demo
spec:
  hard:
    requests.cpu: "1"
    requests.memory: 1G
    limits.cpu: "2"
    limits.memory: 2Gi
[root@server2 limit]# kubectl apply -f quota.yaml
resourcequota/mem-cpu-demo created
[root@server2 limit]# kubectl get resourcequotas   ## check the quota's state
NAME           AGE   REQUEST                                        LIMIT
mem-cpu-demo   18s   requests.cpu: 0/1, requests.memory: 0/1G      limits.cpu: 0/2, limits.memory: 0/2Gi
[root@server2 limit]# kubectl describe resourcequotas
Name:            mem-cpu-demo
Namespace:       default
Resource         Used  Hard
--------         ----  ----
limits.cpu       0     2
limits.memory    0     2Gi
requests.cpu     0     1
requests.memory  0     1G
[root@server2 limit]# vim pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: cpu-demo
spec:
  containers:
  - name: cpu-demo
    image: nginx
[root@server2 limit]# kubectl delete -f ns-limit.yaml
limitrange "limitrange-demo" deleted
[root@server2 limit]# kubectl apply -f pod.yaml   ## no resource limits set, so the Pod cannot be created
Error from server (Forbidden): error when creating "pod.yaml": pods "cpu-demo" is forbidden: failed quota: mem-cpu-demo: must specify limits.cpu,limits.memory,requests.cpu,requests.memory
[root@server2 limit]# kubectl apply -f ns-limit.yaml
limitrange/limitrange-demo created
[root@server2 limit]# kubectl apply -f pod.yaml
pod/cpu-demo created
[root@server2 limit]# kubectl describe resourcequotas
Name:            mem-cpu-demo
Namespace:       default
Resource         Used   Hard
--------         ----   ----
limits.cpu       500m   2
limits.memory    512Mi  2Gi
requests.cpu     100m   1
requests.memory  256Mi  1G
[root@server2 limit]# vim quota.yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: mem-cpu-demo
spec:
  hard:
    requests.cpu: "1"
    requests.memory: 1G
    limits.cpu: "2"
    limits.memory: 2Gi
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: pod-demo
spec:
  hard:
    pods: "2"   ## allow at most two pods
[root@server2 limit]# kubectl apply -f quota.yaml
[root@server2 limit]# vim pod.yaml   ### add a second Pod, cpu-demo-2, to the file
[root@server2 limit]# kubectl apply -f pod.yaml
pod/cpu-demo unchanged
pod/cpu-demo-2 created
[root@server2 limit]# kubectl get pod
NAME         READY   STATUS    RESTARTS   AGE
cpu-demo     1/1     Running   0          28m
cpu-demo-2   1/1     Running   0          9s
[root@server2 limit]# vim pod.yaml   ### add a third Pod, cpu-demo-3, to the file
[root@server2 limit]# kubectl apply -f pod.yaml   ## the third one fails to run
pod/cpu-demo unchanged
pod/cpu-demo-2 unchanged
Error from server (Forbidden): error when creating "pod.yaml": pods "cpu-demo-3" is forbidden: exceeded quota: pod-demo, requested: pods=1, used: pods=2, limited: pods=2
[root@server2 limit]# kubectl delete -f ns-limit.yaml
limitrange "limitrange-demo" deleted
[root@server2 limit]# kubectl delete -f quota.yaml
resourcequota "mem-cpu-demo" deleted
resourcequota "pod-demo" deleted
[root@server2 limit]# kubectl delete -f pod.yaml
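The LimitRange and ResourceQuota behaviour exercised in section 1.3 and in the quota walkthrough above, replayed offline as an added Python example (this is not code from the page or from Kubernetes). It models the order the API server applies: v1 defaulting first (a limit with no request becomes the request), then the LimitRanger admission plugin (defaults from the LimitRange, then min/max enforcement), then ResourceQuota. The LIMIT_RANGE and QUOTAS constants are constructed to match the page's `kubectl describe` output, Pod manifests are passed as plain dicts, and the error strings are modelled on the messages the page shows; the `reject_reason` helper is a convenience added for callers.

```python
import re

# Suffixes as the page lists them: K/M/G/T/P/E scale by 1000 (Kubernetes itself spells the
# first one "k", accepted here too), Ki/Mi/Gi/Ti/Pi/Ei by 1024, and "m" means one thousandth.
_DECIMAL = {"": 1, "k": 10**3, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12, "P": 10**15, "E": 10**18}
_BINARY = {"Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40, "Pi": 2**50, "Ei": 2**60}


def parse_quantity(q):
    """Kubernetes quantity string -> float (CPU cores, memory bytes, or a plain count)."""
    m = re.fullmatch(r"\s*([0-9]*\.?[0-9]+)([A-Za-z]*)\s*", str(q))
    if not m:
        raise ValueError(f"bad quantity {q!r}")
    num, suffix = float(m.group(1)), m.group(2)
    if suffix == "m":
        return num / 1000
    if suffix in _BINARY:
        return num * _BINARY[suffix]
    if suffix in _DECIMAL:
        return num * _DECIMAL[suffix]
    raise ValueError(f"unknown suffix {suffix!r} in {q!r}")


# Constructed to match the page's `kubectl describe limitranges limitrange-demo` output.
LIMIT_RANGE = {
    "cpu":    {"min": "100m",  "max": "1",   "defaultRequest": "100m",  "default": "500m"},
    "memory": {"min": "100Mi", "max": "1Gi", "defaultRequest": "256Mi", "default": "512Mi"},
}
# Constructed to match the page's quota.yaml: mem-cpu-demo plus the two-pod pod-demo quota.
QUOTAS = {
    "mem-cpu-demo": {"requests.cpu": "1", "requests.memory": "1G", "limits.cpu": "2", "limits.memory": "2Gi"},
    "pod-demo": {"pods": "2"},
}


def apply_limit_range(container, limit_range):
    """Effective {'requests', 'limits'} of one container after defaulting, or ValueError worded
    like the LimitRanger rejection. limit_range=None is the state after deleting ns-limit.yaml."""
    res = container.get("resources") or {}
    requests, limits = dict(res.get("requests") or {}), dict(res.get("limits") or {})
    for r, v in limits.items():          # API-server defaulting: a limit with no request => request = limit
        requests.setdefault(r, v)
    for r, spec in (limit_range or {}).items():
        limits.setdefault(r, spec["default"])            # LimitRanger fills what is still missing...
        requests.setdefault(r, spec["defaultRequest"])
        if parse_quantity(requests[r]) < parse_quantity(spec["min"]):   # ...then enforces min/max
            raise ValueError(f"minimum {r} usage per Container is {spec['min']}, but request is {requests[r]}")
        if parse_quantity(limits[r]) > parse_quantity(spec["max"]):
            raise ValueError(f"maximum {r} usage per Container is {spec['max']}, but limit is {limits[r]}")
    for r in requests:
        if r in limits and parse_quantity(requests[r]) > parse_quantity(limits[r]):
            raise ValueError(f"{r} request {requests[r]} must not exceed limit {limits[r]}")
    return {"requests": requests, "limits": limits}


def admit_pod(pod, used, quotas=QUOTAS, limit_range=LIMIT_RANGE):
    """Replay the page's admission order for one Pod: LimitRange first, then every
    ResourceQuota of the namespace. Returns the namespace's new usage on success."""
    containers = [apply_limit_range(c, limit_range) for c in pod["spec"]["containers"]]
    new_used = dict(used)
    for name, hard in quotas.items():
        # A quota on requests.X / limits.X makes X mandatory for every container.
        missing = sorted(k for k in hard if k != "pods"
                         and any(k.split(".")[1] not in c[k.split(".")[0]] for c in containers))
        if missing:
            raise ValueError(f"failed quota: {name}: must specify {','.join(missing)}")
        for key, hard_value in hard.items():
            if key == "pods":
                want = 1
            else:
                kind, resource = key.split(".")
                want = sum(parse_quantity(c[kind][resource]) for c in containers)
            have = new_used.get(key, 0)
            if have + want > parse_quantity(hard_value):
                raise ValueError(f"exceeded quota: {name}, requested: {key}={want:g}, "
                                 f"used: {key}={have:g}, limited: {key}={hard_value}")
            new_used[key] = have + want
    return new_used


def reject_reason(pod, used, **kw):
    """None if the Pod is admitted, else the rejection message."""
    try:
        admit_pod(pod, used, **kw)
        return None
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    nginx = {"spec": {"containers": [{"name": "cpu-demo", "image": "nginx"}]}}
    print(admit_pod(nginx, {}))                         # defaults: cpu 100m/500m, memory 256Mi/512Mi
    print(reject_reason(nginx, {}, limit_range=None))   # without the LimitRange the quota rejects it
```

Running it reproduces the page's three outcomes: the bare nginx Pod is admitted with the LimitRange defaults and shows up in quota usage as 100m/500m CPU and 256Mi/512Mi memory; a `cpu: "2"` limit is refused with the page's "maximum cpu usage per Container is 1, but limit is 2"; and once the LimitRange is gone the same bare Pod is refused by the quota because nothing filled in the four mandatory values. The quota's `requests.memory: 1G` is decimal while usage is counted in Mi, which is why the parser distinguishes the two suffix families.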
2. Kubernetes resource monitoring
Download: https://github.com/kubernetes-incubator/metrics-server
2.1 Deploying Metrics-Server
- Metrics-Server is the aggregator of the cluster's core monitoring data (CPU and memory); it replaces the earlier heapster.
- Container metrics come mainly from the cAdvisor service built into the kubelet. With Metrics-Server in place, users can reach this monitoring data through the standard Kubernetes API.
  The Metrics API only serves current measurements; it keeps no history.
  The Metrics API URI is /apis/metrics.k8s.io/, maintained under k8s.io/metrics.
  metrics-server must be deployed before this API can be used; metrics-server collects its data by calling the kubelet Summary API.
- Examples:
  http://127.0.0.1:8001/apis/metrics.k8s.io/v1beta1/nodes
  http://127.0.0.1:8001/apis/metrics.k8s.io/v1beta1/nodes/
  http://127.0.0.1:8001/apis/metrics.k8s.io/v1beta1/namespace//pods/
- Metrics Server is not part of kube-apiserver. Through the Aggregator plug-in mechanism it is deployed on its own yet served to clients together with kube-apiserver.
- kube-aggregator (started by default) is essentially a proxy that picks the concrete API backend according to the request URL.
- Metrics-server belongs to the Core metrics family: it provides the metrics.k8s.io API and only reports CPU and memory usage of Nodes and Pods. Other Custom Metrics are handled by components such as Prometheus.
- Deploying Metrics-server:
  $ kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.3.6/components.yaml
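What a Metrics API response actually contains, and how `kubectl top node` turns it into percentages, as an added Python example (not code from the page or from metrics-server). The NodeMetricsList payload below is a constructed sample in the shape metrics-server returns for /apis/metrics.k8s.io/v1beta1/nodes, with CPU in nanocores and memory in KiB; the allocatable values stand in for what `kubectl get node -o json` reports under status.allocatable. The node names reuse the page's server2, server3 and server4, but every number is made up.

```python
import json

# Constructed sample of GET /apis/metrics.k8s.io/v1beta1/nodes (shape as metrics-server
# returns it, numbers made up). CPU arrives in nanocores ("n"), memory in KiB ("Ki").
NODE_METRICS_JSON = json.dumps({
    "kind": "NodeMetricsList", "apiVersion": "metrics.k8s.io/v1beta1",
    "items": [
        {"metadata": {"name": "server2"}, "timestamp": "2021-03-25T08:40:00Z", "window": "30s",
         "usage": {"cpu": "312457891n", "memory": "1482344Ki"}},
        {"metadata": {"name": "server3"}, "timestamp": "2021-03-25T08:40:00Z", "window": "30s",
         "usage": {"cpu": "1850000000n", "memory": "1894212Ki"}},
        {"metadata": {"name": "server4"}, "timestamp": "2021-03-25T08:40:00Z", "window": "30s",
         "usage": {"cpu": "95123456n", "memory": "2402560Ki"}},
    ],
})

# Constructed status.allocatable values, as `kubectl get node -o json` would report them.
ALLOCATABLE = {
    "server2": {"cpu": "2", "memory": "3800Mi"},
    "server3": {"cpu": "2", "memory": "3800Mi"},
    "server4": {"cpu": "4", "memory": "7600Mi"},
}


def cpu_millicores(q):
    """CPU quantity -> millicores: "312457891n" -> 312.457891, "500m" -> 500, "2" -> 2000."""
    if q.endswith("n"):
        return int(q[:-1]) / 1_000_000
    if q.endswith("m"):
        return float(q[:-1])
    return float(q) * 1000


def memory_bytes(q):
    """Memory quantity -> bytes, for the binary suffixes the Metrics API and node status use."""
    units = {"Ki": 2**10, "Mi": 2**20, "Gi": 2**30}
    return int(q[:-2]) * units[q[-2:]] if q[-2:] in units else int(q)


def node_utilization(metrics_json, allocatable):
    """Turn one Metrics API response into `kubectl top node`-style rows.
    Each row: node, CPU millicores, CPU %, memory MiB, memory %, and the sample window."""
    rows = []
    for item in json.loads(metrics_json)["items"]:
        name = item["metadata"]["name"]
        cpu = cpu_millicores(item["usage"]["cpu"])
        mem = memory_bytes(item["usage"]["memory"])
        alloc = allocatable[name]
        rows.append({
            "node": name,
            "cpu_m": round(cpu),
            "cpu_pct": round(100 * cpu / cpu_millicores(alloc["cpu"]), 1),
            "memory_mi": round(mem / 2**20),
            "memory_pct": round(100 * mem / memory_bytes(alloc["memory"]), 1),
            "window": item["window"],   # one averaging window per response; the API keeps no history
        })
    return rows


def saturated_nodes(rows, threshold_pct=80.0):
    """Names of nodes whose CPU or memory usage is at or above the threshold."""
    return [r["node"] for r in rows if r["cpu_pct"] >= threshold_pct or r["memory_pct"] >= threshold_pct]


if __name__ == "__main__":
    for row in node_utilization(NODE_METRICS_JSON, ALLOCATABLE):
        print(f"{row['node']:<10}{row['cpu_m']:>6}m {row['cpu_pct']:>6}%  {row['memory_mi']:>7}Mi {row['memory_pct']:>6}%")
    print("hot:", saturated_nodes(node_utilization(NODE_METRICS_JSON, ALLOCATABLE)))
```

Because each response carries a single `window` and `timestamp`, anything that needs a trend (for instance alerting on sustained saturation rather than the one-off reading `saturated_nodes` flags) has to poll and store the samples itself or come from a custom-metrics pipeline such as Prometheus, which is the division of labour the bullet list above describes.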
2.1.1 Pull the images
[root@server1 harbor]# docker pull bitnami/metrics-server:0.4.0   ## pull the image; a version tag can be given, the newest is 0.4.2
[root@server1 harbor]# docker tag bitnami/metrics-server:0.4.0 reg.westos.org/library/metrics-server:0.4.0   ## retag for the local registry
[root@server1 harbor]# docker push reg.westos.org/library/metrics-server:0.4.0   ## push the image
2.1.2 Configure
[root@server2 metrics]# pwd   ## working directory for this exercise
/root/metrics
[root@server2 metrics]# wget https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml   ## deployment manifest
[root@server2 metrics]# vim components.yaml
[root@server2 metrics]# cat components.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    k8s-app: metrics-server
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  name: system:aggregated-metrics-reader
rules:
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  - nodes
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    k8s-app: metrics-server
  name: system:metrics-server
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - nodes
  - nodes/stats
  - namespaces
  - configmaps
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server-auth-reader
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server:system:auth-delegator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    k8s-app: metrics-server
  name: system:metrics-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:metrics-server
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server
  namespace: kube-system
spec:
  ports:
  - name: https
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    k8s-app: metrics-server
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: metrics-server
  strategy:
    rollingUpdate:
      maxUnavailable: 0
  template:
    metadata:
      labels:
        k8s-app: metrics-server
    spec:
      containers:
      - args:
        - --cert-dir=/tmp
        - --secure-port=4443
        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
        - --kubelet-use-node-status-port
        image: metrics-server:0.4.0
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /livez
            port: https
            scheme: HTTPS
          periodSeconds: 10
        name: metrics-server
        ports:
        - containerPort: 4443
          name: https
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /readyz
            port: https
            scheme: HTTPS
          periodSeconds: 10
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 1000
        volumeMounts:
        - mountPath: /tmp
          name: tmp-dir
      nodeSelector:
        kubernetes.io/os: linux
      priorityClassName: system-cluster-critical
      serviceAccountName: metrics-server
      volumes:
      - emptyDir: {}
        name: tmp-dir
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  labels:
    k8s-app: metrics-server
  name: v1beta1.metrics.k8s.io
spec:
  group: metrics.k8s.io
  groupPriorityMinimum: 100
  insecureSkipTLSVerify: true
  service:
    name: metrics-server
    namespace: kube-system
  version: v1beta1
  versionPriority: 100
[root@server2 metrics]# kubectl -n kube-system get pod   ## running, but not ready
[root@server2 metrics]# kubectl -n kube-system describe pod metrics-server-cc476ccf8-m5zvl   ## when it does not come up, read the details: the readiness probe is failing
[root@server2 metrics]# kubectl -n kube-system logs metrics-server-cc476ccf8-m5zvl   ## it started but logs errors: an x509 certificate problem
[root@server2 metrics]# vim /var/lib/kubelet/config.yaml   ## fix for error 2; on every node edit this file and restart the kubelet, appending serverTLSBootstrap: true as the last line
[root@server2 metrics]# systemctl restart kubelet.service
[root@server3 ~]# vim /var/lib/kubelet/config.yaml
[root@server3 ~]# systemctl restart kubelet.service
[root@server4 ~]# vim /var/lib/kubelet/config.yaml
[root@server4 ~]# systemctl restart kubelet.service
[root@server2 metrics]# kubectl get csr   ## list the pending CSRs
[root@server2 metrics]# kubectl certificate approve csr-dbl6s csr-q55sf csr-tfhpk   #### sign the certificates
[root@server2 metrics]# kubectl -n kube-system get pod   ## confirm the Pod is Running
[root@server2 metrics]# kubectl -n kube-system get svc   ## inspect the service
[root@server2 metrics]# kubectl -n kube-system describe svc metrics-server
[root@server2 metrics]# kubectl -n kube-system get pod -o wide
[root@server2 metrics]# kubectl api-versions | grep metric
metrics.k8s.io/v1beta1
[root@server2 metrics]# kubectl -n kube-system top pod   ## per-Pod usage
[root@server2 metrics]# kubectl top node
2.1.3 Common Metrics-Server deployment errors and their fixes
After deploying, check the Metrics-server Pod's log:
Error 1: dial tcp: lookup server2 on 10.96.0.10:53: no such host
There is no internal DNS server, so metrics-server cannot resolve the node names. Edit the coredns configmap directly and add each node's hostname to the hosts block; every Pod can then resolve the node names through CoreDNS.
$ kubectl edit configmap coredns -n kube-system
apiVersion: v1
data:
  Corefile: |
    ...
    ready
    hosts {
      172.25.0.11 server1
      172.25.0.12 server2
      172.25.0.13 server3
      fallthrough
    }
    kubernetes cluster.local in-addr.arpa ip6.arpa {
Error 2: x509: certificate signed by unknown authority (newer versions only hit error 2)
Metric Server accepts a flag, --kubelet-insecure-tls, that skips this check, but upstream states plainly that this is not recommended for production use.
Enable TLS Bootstrap certificate signing instead:
# vim /var/lib/kubelet/config.yaml
...
serverTLSBootstrap: true
# systemctl restart kubelet
$ kubectl get csr
NAME        AGE     REQUESTOR                     CONDITION
csr-f29hk   5s      system:node:node-standard-2   Pending
csr-n9pvr   3m31s   system:node:node-standard-3   Pending
$ kubectl certificate approve csr-n9pvr   ## sign the certificate
Error 3: Error from server (ServiceUnavailable): the server is currently unable to handle the request (get nodes.metrics.k8s.io)
If metrics-server started normally and its log shows no errors, this is a network problem. Switch the metrics-server Pod to host networking:
hostNetwork: true
2.2 Deploying the Dashboard (visualization)
The Dashboard gives users a visual web interface for viewing all kinds of information about the current cluster. With the Kubernetes Dashboard, users can deploy containerized applications, monitor application state, carry out troubleshooting tasks and manage the various Kubernetes resources.
Project URL: https://github.com/kubernetes/dashboard
2.2.1 Pull the images
[root@server1 harbor]# docker pull kubernetesui/dashboard:v2.2.0
[root@server1 harbor]# docker tag kubernetesui/dashboard:v2.2.0 reg.westos.org/kubernetesui/kubernetesui/dashboard:v2.2.0
[root@server1 harbor]# docker push reg.westos.org/kubernetesui/kubernetesui/dashboard:v2.2.0
[root@server1 harbor]# docker pull kubernetesui/metrics-scraper:v1.0.6
[root@server1 harbor]# docker tag kubernetesui/metrics-scraper:v1.0.6 reg.westos.org/kubernetesui/metrics-scraper:v1.0.6
[root@server1 harbor]# docker push reg.westos.org/kubernetesui/metrics-scraper:v1.0.6
2.2.2 Configure
[root@server2 metrics]# wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.2.0/aio/deploy/recommended.yaml   ## download the manifest; nothing in it needs changing
[root@server2 metrics]# cat recommended.yaml
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
---
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
---
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
type: Opaque
data:
  csrf: ""
---
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
type: Opaque
---
kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
  # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard
---
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.2.0
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
---
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper
---
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
      annotations:
        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
    spec:
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.6
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
          - mountPath: /tmp
            name: tmp-volume
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}
[root@server2 metrics]# kubectl apply -f recommended.yaml
[root@server2 metrics]# kubectl get ns   ## metallb is available for external access; NodePort or an ingress would also work
metallb-system Active 7d1h
[root@server2 metrics]# kubectl -n kubernetes-dashboard get pod   ## check the pods
[root@server2 metrics]# kubectl -n kubernetes-dashboard get all
[root@server2 metrics]# kubectl -n kubernetes-dashboard describe svc kubernetes-dashboard
[root@server2 metrics]# kubectl -n kubernetes-dashboard edit svc kubernetes-dashboard
  type: NodePort
[root@server2 metrics]# kubectl -n kubernetes-dashboard get svc   ## check the assigned address and port
NAME                        TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
dashboard-metrics-scraper   ClusterIP   10.98.124.163   <none>        8000/TCP        8m33s
kubernetes-dashboard        NodePort    10.97.120.65    <none>        443:32412/TCP   8m37s
2.2.3 Authorization
Open https://192.168.0.2:32412/
[root@server2 metrics]# kubectl -n kubernetes-dashboard get sa
[root@server2 metrics]# kubectl -n kubernetes-dashboard describe sa kubernetes-dashboard
[root@server2 metrics]# kubectl -n kubernetes-dashboard get secrets
[root@server2 metrics]# kubectl -n kubernetes-dashboard describe secrets kubernetes-dashboard-token-rtb66
2.2.4 By default the dashboard has no permission to operate on the cluster, so it must be granted
[root@server2 dashboard]# vim rbac.yaml
[root@server2 dashboard]# cat rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
[root@server2 dashboard]# kubectl apply -f rbac.yaml
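The rbac.yaml above binds the dashboard's ServiceAccount to the built-in cluster-admin role, so the bearer token read from the kubernetes-dashboard-token-* Secret in section 2.2.3 now carries full control of the cluster for whoever logs in with it. The following is an added Python example (not code from the page or from the Dashboard project) of the review a practitioner would run over such manifests: it reports every subject that is bound to cluster-admin or to a role containing a wildcard rule. The DOCS list is constructed from the page's rbac.yaml and from the Dashboard's own ClusterRole and ClusterRoleBinding in recommended.yaml, plus the built-in cluster-admin ClusterRole in the form the API server creates it; manifests are represented as Python dicts rather than parsed from YAML.

```python
# Constructed manifests: the page's rbac.yaml binding, the Dashboard's own ClusterRole and
# ClusterRoleBinding from recommended.yaml, and the built-in cluster-admin ClusterRole as the
# API server defines it (one wildcard rule for resources, one for non-resource URLs).
DOCS = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "kubernetes-dashboard"},
     "rules": [{"apiGroups": ["metrics.k8s.io"], "resources": ["pods", "nodes"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "kubernetes-dashboard"},
     "roleRef": {"kind": "ClusterRole", "name": "kubernetes-dashboard"},
     "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                   "namespace": "kubernetes-dashboard"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "kubernetes-dashboard-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                   "namespace": "kubernetes-dashboard"}]},
]


def subject_name(subject):
    """Render a binding subject the way the API server names it in audit logs."""
    if subject["kind"] == "ServiceAccount":
        return f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return f"{subject['kind'].lower()}:{subject['name']}"


def rule_is_wildcard(rule):
    """True if any field of an RBAC rule is '*', i.e. the rule is not scoped at all."""
    return any("*" in rule.get(field, []) for field in ("apiGroups", "resources", "verbs", "nonResourceURLs"))


def audit_bindings(docs):
    """One finding per (binding, subject) pair that grants cluster-admin or a wildcard role.
    Roles that are referenced but absent from `docs` are skipped rather than guessed at."""
    roles = {(d["kind"], d["metadata"]["name"]): d for d in docs if d["kind"] in ("Role", "ClusterRole")}
    findings = []
    for d in docs:
        if d["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = d["roleRef"]
        role = roles.get((ref["kind"], ref["name"]))
        if ref["kind"] == "ClusterRole" and ref["name"] == "cluster-admin":
            reason = "binds the built-in cluster-admin ClusterRole"
        elif role is not None and any(rule_is_wildcard(r) for r in role.get("rules", [])):
            reason = f"{ref['kind']} {ref['name']} contains a wildcard rule"
        else:
            continue
        for s in d.get("subjects", []):
            findings.append({
                "binding": f"{d['kind']}/{d['metadata']['name']}",
                "subject": subject_name(s),
                # a ClusterRoleBinding applies everywhere; a RoleBinding only in its namespace
                "scope": "cluster-wide" if d["kind"] == "ClusterRoleBinding" else d["metadata"].get("namespace", ""),
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in audit_bindings(DOCS):
        print(f"{f['binding']}: {f['subject']} ({f['scope']}) -> {f['reason']}")
```

Run against DOCS it reports exactly one finding, the kubernetes-dashboard-admin binding; the Dashboard's own ClusterRole (get/list/watch on metrics.k8s.io) is scoped and stays quiet. If the dashboard is only used to look at the cluster, binding the built-in view ClusterRole instead (read access that deliberately excludes Secrets) keeps the token's reach small, and the same audit then passes clean.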
2.2.5 Operating the cluster through the web UI