1、k8s 搭建 参见https://blog.51cto.com/lizhenliang/2325770
[root@VM_0_48_centos ~]# kubectl get cs NAME STATUS MESSAGE ERROR scheduler Healthy ok controller-manager Healthy ok etcd-1 Healthy {"health": "true"} etcd-0 Healthy {"health": "true"} etcd-2 Healthy {"health": "true"}
注意:博客中有个别修改的.
/opt/kubernetes/cfg/kube-apiserver :
需要由:--enable-admission-plugins=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
改为: --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction 去掉:SecurityContextDeny
2、dashboard 下载地址: /opt/dashboard/ 注意: admin-token.yaml 为手工创建
git clone https://github.com/kubernetes/kubernetes.git
[root@VM_0_48_centos dashboard]# ll *.yaml -rw-r--r-- 1 root root 515 Aug 8 10:11 admin-token.yaml -rw-r--r-- 1 root root 264 Aug 5 16:27 dashboard-configmap.yaml -rw-r--r-- 1 root root 1835 Aug 8 09:14 dashboard-controller.yaml -rw-r--r-- 1 root root 1353 Aug 5 16:27 dashboard-rbac.yaml -rw-r--r-- 1 root root 551 Aug 5 16:27 dashboard-secret.yaml -rw-r--r-- 1 root root 339 Aug 7 15:24 dashboard-service.yaml
3、修改dashboard-service.yaml 内容
[root@VM_0_48_centos dashboard]# cat dashboard-service.yaml apiVersion: v1 kind: Service metadata: name: kubernetes-dashboard namespace: kube-system labels: k8s-app: kubernetes-dashboard kubernetes.io/cluster-service: "true" addonmanager.kubernetes.io/mode: Reconcile spec: type: NodePort #添加Nodeport 以便访问 selector: k8s-app: kubernetes-dashboard ports: - port: 443 targetPort: 8443
4、 启动服务
kubectl apply -f dashboard-configmap.yaml
kubectl apply -f dashboard-secret.yaml
kubectl apply -f dashboard-rbac.yaml
kubectl apply -f dashboard-service.yaml
kubectl apply -f dashboard-controller.yaml
5、修改/usr/lib/systemd/system/kubelet.service 参数:cluster-dns cluster-domain
kubectl describe pod kubernetes-dashboard-746dfd476-mdv5n -n kube-system
b报错:kubelet does not have ClusterDNS IP configured and cannot create PodJ解决方案
[root@VM_0_48_centos dashboard]# cat /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
After=docker.service
Requires=docker.service
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kubelet
ExecStart=/opt/kubernetes/bin/kubelet $KUBELET_OPTS
Restart=on-failure
KillMode=process
[Install]
WantedBy=multi-user.target
[root@VM_0_48_centos dashboard]# cat /opt/kubernetes/cfg/kubelet
KUBELET_OPTS="--logtostderr=true
--v=4
--hostname-override=172.19.0.48
--cluster-dns=10.0.0.2 ### 配置dns
--cluster-domain=cluster.local ###配置域名
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig
--cert-dir=/opt/kubernetes/ssl
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
修改完以后,重启服务发现正常
6、权限问题 发现官网yaml授权中只有默认的defalut ,需要重新绑定角色。
[root@VM_0_48_centos dashboard]# cat admin-token.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: admin
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
kind: ClusterRole
name: cluster-admin #词角色未系统搭建时候自动生成管理员角色
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: admin
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"
官网给的yaml:
[root@VM_0_48_centos dashboard]# cat dashboard-rbac.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
addonmanager.kubernetes.io/mode: Reconcile
name: kubernetes-dashboard-minimal
namespace: kube-system #只能看到systemo 空间
rules:
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
verbs: ["get", "update", "delete"]
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"]
# Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster"]
verbs: ["proxy"]
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
labels:
k8s-app: kubernetes-dashboard
addonmanager.kubernetes.io/mode: Reconcile
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kube-system
更新以后获取登录token:
[root@VM_0_48_centos dashboard]# kubectl describe secret/$(kubectl get secret -nkube-system |grep admin|awk '{print $1}') -nkube-system Name: admin-token-j8sjg Namespace: kube-system Labels: <none> Annotations: kubernetes.io/service-account.name: admin kubernetes.io/service-account.uid: d9e482cf-b981-11e9-9170-525400c318af Type: kubernetes.io/service-account-token Data ==== ca.crt: 1359 bytes namespace: 11 bytes token: *****************************************************************##设计保密信息
7、更新https证书有效期,解决只能由火狐浏览器访问,其他浏览器无法访问问题。
产生证书:
mkdir key && cd key openssl genrsa -out dashboard.key 2048 openssl req -new -out dashboard.csr -key dashboard.key -subj '/CN=172.19.0.48' openssl x509 -req -in dashboard.csr -signkey dashboard.key -out dashboard.crt kubectl delete secret kubernetes-dashboard-certs -n kube-system kubectl create secret generic kubernetes-dashboard-certs --from-file=dashboard.key --from-file=dashboard.crt -n kube-system #新的证书 kubectl delete pod kubernetes-dashboard-746dfd476-b2r5f -n kube-system #重启服务
8、效果展示:
