Deploying a Kubernetes v1.17.1 Cluster from Scratch (Part 4): Deploying Visual Management Tools

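Installing the management tools

Following the first three parts of this series, we have built a Kubernetes cluster with 1 master and 3 worker nodes that can be operated with kubectl. To view the cluster state more intuitively, this part covers installing two tools, Kubernetes Dashboard and Kuboard, for visual management of the cluster.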

Environment

  • Kubernetes ApiServer: apiserver.k8s.com
  • master: 192.168.1.20
  • worker1: 192.168.1.21
  • worker2: 192.168.1.22
  • worker3: 192.168.1.23

Kuboard

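Installation

Kuboard is a graphical management interface for Kubernetes. An official installation guide is available.

Installing Kuboard with the online script is very simple: run the install commands on the master node.

# Run the installation on the master node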
kubectl apply -f https://kuboard.cn/install-script/kuboard.yaml
kubectl apply -f https://addons.kuboard.cn/metrics-server/0.3.6/metrics-server.yaml

# Check the installation status
kubectl get pods -l k8s.eip.work/name=kuboard -n kube-system

# The output shows the status is Running; it took about 6 minutes to reach Running
NAME                       READY   STATUS    RESTARTS   AGE
kuboard-756d46c4d4-gz2d2   1/1     Running   0          6m26s

Access

1. Get the login token

# If you installed Kubernetes by following the documentation at www.kuboard.cn, you can run this command on the first master node
kubectl -n kube-system get secret $(kubectl -n kube-system get secret | grep kuboard-user | awk '{print $1}') -o go-template='{{.data.token}}' | base64 -d

2. Access Kuboard using the IP of any worker node and log in with the token from the previous step.

Installation successful.

Kubernetes Dashboard

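Kubernetes Dashboard is the official web UI for Kubernetes. With Kubernetes Dashboard you can:

  • Deploy containerized applications to a Kubernetes cluster
  • Troubleshoot containerized applications
  • Manage cluster resources
  • View the applications running on the cluster
  • Create and modify Kubernetes resources (for example Deployment, Job, DaemonSet)
  • Show errors that occur on the cluster

Run the following command on the master node to complete the online installation.

Online installation

# Online installation; if the network is unreachable, use the offline file installation instead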
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta8/aio/deploy/recommended.yaml

Offline installation

If you cannot reach raw.githubusercontent.com, save the content below as dashboard.yaml and install it locally.

# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard

---

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
type: Opaque

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
type: Opaque
data:
  csrf: ""

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
type: Opaque

---

kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
    # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.0.0-beta8
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "beta.kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
      annotations:
        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
    spec:
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.1
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
          - mountPath: /tmp
            name: tmp-volume
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "beta.kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}

# Install using the file saved in the current directory
kubectl apply -f dashboard.yaml

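Check the installation status

Now we can use Kuboard, installed in the previous step, to check the installation status of Dashboard. In Kuboard, go to Namespaces -> Kubernetes-Dashboard -> Pod list to see a screen showing the status of Dashboard's two Pods. As you can see, when I wrote this tutorial it took 19 minutes before one Pod was running, so inside the Great Firewall you need to be patient.

Access

Kubernetes Dashboard currently supports login only with a Bearer Token. Because the default Kubernetes Dashboard deployment configures only minimal-privilege RBAC, we create a ServiceAccount named admin-user and then a ClusterRoleBinding that binds it to cluster-admin, the ClusterRole initialized by default in a Kubernetes cluster.

  • Create the Service Account and ClusterRoleBinding

When the cluster is installed with kubeadm, the ClusterRole cluster-admin is created by default, so we can directly create a ClusterRoleBinding for the ServiceAccount just mentioned.

Save the following content to auth.yaml.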

apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard

  • Create the account

kubectl apply -f auth.yaml

  • Get the Bearer Token

After the account is created, output the admin-user token with the following command.

kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')

The output looks like the following; copy the token from it.

Name:         admin-user-token-mn4gn
Namespace:    kubernetes-dashboard
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: admin-user
              kubernetes.io/service-account.uid: e79fae6d-fd55-488a-ac6e-1554b6e6043d

Type:  kubernetes.io/service-account-token

Data
====
namespace:  20 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IlpvamF6Z3lIdlpHZHMwelByNGh2WXdjckZjRVVkOVRHY2F3clRVTnluWmMifQ.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.UjWu4SOLYOdZ41aFckMjh8Ag4TG8S-kFtnfomgxtzLkx14fDQoUZlxrzRyNXz9C4sVrfIQOQHDj2oHn0CYPvSk1yKhXC2E1cEpdYFj3pTlHJMxpw3h_-AO0p7npc8DxkuujK2EovOK2GL9uvGnfsf6_D8beLq3zHGSMKfeEp5FmG60I2wFWldn9Ao-9TZP_QlSbw5ck_pqVJ_afC82YSq2iqBqgVFcPfE9M-DLby7B1KTQY51lxBjHSz3oQzf4Luf5_JcqLkP7w4q1q6mCRpWGMrC6eiHRYqYScwb5dXj5-XkAC8c4m10XLO_aHu8wlfR2BzYilxnZrlDSX5RUjwHA
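ca.crt:     1025 bytes

  • Access Dashboard through a NodePort

In Kuboard, go to Namespaces -> Kubernetes-Dashboard -> Pod (Kubernetes-Dashboard), click Edit, change the Service access method to NodePort (access within the VPC), and save.

After waiting a while for the Dashboard Pod to be redeployed, you can see that the node port is 30388.

Dashboard can now be reached through the IP of any worker node. Note, however, that the HTTPS certificate is self-signed, and only Firefox lets you accept the risk and proceed. So we open https://192.168.0.21:30388 in Firefox.

Choose the Token login method and enter the admin-user token obtained earlier to log in to Dashboard.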
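A check for the state these steps leave behind, as an added example that is not part of the original post: it reads objects shaped like the `items` array of `kubectl get clusterrolebindings,services -A -o json` and flags service accounts bound to cluster-admin and Services of type NodePort. The sample input is constructed from the names on this page; `audit` and `exposed_admin_namespaces` are hypothetical helper names.

```python
import json

# Constructed sample shaped like the `items` array of
# `kubectl get clusterrolebindings,services -A -o json`, using this page's names.
SAMPLE_ITEMS = json.loads("""[
 {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:masters"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "admin-user"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "admin-user",
                "namespace": "kubernetes-dashboard"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "kubernetes-dashboard"},
  "roleRef": {"kind": "ClusterRole", "name": "kubernetes-dashboard"},
  "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                "namespace": "kubernetes-dashboard"}]},
 {"kind": "Service",
  "metadata": {"name": "kubernetes-dashboard", "namespace": "kubernetes-dashboard"},
  "spec": {"type": "NodePort",
           "ports": [{"port": 443, "targetPort": 8443, "nodePort": 30388}]}},
 {"kind": "Service",
  "metadata": {"name": "dashboard-metrics-scraper", "namespace": "kubernetes-dashboard"},
  "spec": {"type": "ClusterIP", "ports": [{"port": 8000, "targetPort": 8000}]}}
]""")

def audit(items):
    """Flag service accounts bound to cluster-admin and Services of type NodePort."""
    findings = []
    for obj in items:
        kind, meta, spec = obj.get("kind"), obj.get("metadata") or {}, obj.get("spec") or {}
        if kind == "ClusterRoleBinding" and (obj.get("roleRef") or {}).get("name") == "cluster-admin":
            for subj in obj.get("subjects") or []:  # subjects can be null
                if subj.get("kind") == "ServiceAccount":  # groups such as system:masters are skipped
                    findings.append(("cluster-admin-sa", f"{subj.get('namespace')}/{subj.get('name')}"))
        elif kind == "Service" and spec.get("type") == "NodePort":
            for port in spec.get("ports") or []:
                findings.append(("nodeport", f"{meta.get('namespace')}/{meta.get('name')}:{port.get('nodePort')}"))
    return findings

def exposed_admin_namespaces(findings):
    """Namespaces that hold both a cluster-admin service account and a NodePort Service."""
    admin = {target.split("/")[0] for rule, target in findings if rule == "cluster-admin-sa"}
    exposed = {target.split("/")[0] for rule, target in findings if rule == "nodeport"}
    return sorted(admin & exposed)

if __name__ == "__main__":
    for rule, target in audit(SAMPLE_ITEMS):
        print(f"{rule:18} {target}")
```

On a live cluster, pass the parsed `items` of that kubectl output to `audit` in place of `SAMPLE_ITEMS`.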

Summary

This completes the basic setup of the Kubernetes cluster.
