Deploying the Dashboard
Project address: https://github.com/kubernetes/dashboard
1. Download the official yaml file for deploying the Dashboard component
wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
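You can also deploy with the yaml file from the addon library in Kubernetes; the address is here: dashboard addon
2. Modify the image in the yaml file
Because of the domestic firewall, images cannot be pulled from the k8s.gcr.io repository, so the image source has to be changed:
It can also be changed to the Alibaba address:
registry.cn-hangzhou.aliyuncs.com/google_containers
3. Modify the Dashboard Service in the yaml file to expose the service for external access
The Dashboard can be accessed in several ways:
kubectl proxy: only supports access with 127.0.0.1 or localhost as the source address and requires an SSH tunnel, which is cumbersome. Not recommended.
NodePort: easy to configure, recommended only for development environments. This article uses this method.
Ingress: exposes the application through an Ingress Controller. It is flexible and the most recommended method, but more complex. Reference article
API Server: because the API server is public and reachable from outside, this is a fairly recommended method. Reference article
4. Modify the authorization in the yaml file
The default RoleBinding defines the Dashboard's role binding. Its name is kubernetes-dashboard-minimal; roleRef is the role being bound, also named kubernetes-dashboard-minimal; subjects is the bound user: kubernetes-dashboard.
With this binding we see many permission errors after starting the Dashboard, mainly because system:serviceaccount:kube-system:kubernetes-dashboard has insufficient permissions.
We can change the RoleBinding to a ClusterRoleBinding and change kind and name in roleRef to use cluster-admin, a very powerful ClusterRole (superuser privileges: it has every permission for accessing kube-apiserver):
5. Start the Dashboard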
kubectl apply -f kubernetes-dashboard.yaml
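6. Access the Dashboard
Address: https://<IP>:nodeport
Note: the Dashboard's default web UI certificate is generated automatically. Because of problems with its time and name, Chrome and IE cannot open the login page; in testing, Firefox opens it normally. This problem is solved later.
7. Get the token for logging in to the Dashboard
Command: kubectl -n kube-system describe secret $(kubectl -n kube-system get secret |grep 'dashboard-token' |awk '{print $1}')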
# kubectl -n kube-system describe secret $(kubectl -n kube-system get secret |grep 'dashboard-token' |awk '{print $1}')
Name: kubernetes-dashboard-token-bwcp5
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: kubernetes-dashboard
kubernetes.io/service-account.uid: 8b0e6813-1d4e-11e9-b75b-000c29e44b03
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1359 bytes
namespace: 11 bytes
token: <service account bearer token elided>
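8. Log in to the Dashboard panel
Fixing Chrome being unable to access the Dashboard
In step 6 we mentioned that the Dashboard's default web UI certificate is generated automatically and that, because of problems with its time and name, Chrome and IE cannot open the login page.
Accessing it with Chrome, there is no option to proceed:
Firefox shows that the certificate was issued in January of year 0001, so the failure in other browsers is suspected to be related to certificate expiry.
Fixing the expired certificate
(1) Generate a certificate: create a self-signed certificate with openssl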
openssl genrsa -out dashboard.key 2048
openssl req -x509 -new -nodes -key dashboard.key -subj "/CN=192.168.20.203" -days 3650 -out dashboard.crt
(2) Delete the dashboard service and modify the configuration file: remove the section that creates the secret from the configuration file
kubectl delete -f kubernetes-dashboard.yaml
Comment out or delete the following content in the configuration file:
(3) Recreate the secret: create a secret with the same name, kubernetes-dashboard-certs
kubectl -n kube-system create secret generic kubernetes-dashboard-certs --from-file=dashboard.key --from-file=dashboard.crt
(4) Redeploy
kubectl apply -f kubernetes-dashboard.yaml
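Recreating the secret as above solved the problem of Chrome being unable to access the Dashboard because of the expired certificate. On this basis, we can view the YAML of kubernetes-dashboard-certs and add its contents to the kubernetes-dashboard.yaml file.
The complete configuration file is shown below: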
# cat kubernetes-dashboard.yaml
# ------------------- Dashboard Secret ------------------- #
kind: Secret
apiVersion: v1
metadata:
  name: kubernetes-dashboard-certs
  namespace: kube-system
data:
  dashboard.crt: <base64-encoded dashboard.crt elided>
  dashboard.key: <base64-encoded dashboard.key elided>
type: Opaque
---
# ------------------- Dashboard Service Account ------------------- #
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
---
# ------------------- Dashboard Role & Role Binding ------------------- #
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
---
# ------------------- Dashboard Deployment ------------------- #
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --auto-generate-certificates
          # Uncomment the following line to manually specify Kubernetes API server Host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          # - --apiserver-host=http://my-address:port
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
---
# ------------------- Dashboard Service ------------------- #
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort
  ports:
    - port: 443
      nodePort: 30000
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
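The manifest above binds the kubernetes-dashboard service account to cluster-admin and exposes the Dashboard on NodePort 30000. The following Python check is an added example, not part of the original post: it reads the JSON that kubectl produces and reports Deployments that run as a cluster-admin service account behind a NodePort or LoadBalancer Service. The sample data is constructed to mirror the manifest, and the function names are illustrative.

```python
import json, sys

def admin_service_accounts(items):
    """(namespace, name) of every ServiceAccount bound to ClusterRole cluster-admin."""
    return {(s.get("namespace"), s["name"])
            for o in items
            if o["kind"] == "ClusterRoleBinding" and o["roleRef"]["name"] == "cluster-admin"
            for s in o.get("subjects") or []
            if s["kind"] == "ServiceAccount"}

def exposed_admin_workloads(items):
    """Deployments running as a cluster-admin ServiceAccount that an external Service selects."""
    admins = admin_service_accounts(items)
    services = [o for o in items if o["kind"] == "Service"]
    findings = []
    for dep in (o for o in items if o["kind"] == "Deployment"):
        ns = dep["metadata"]["namespace"]
        pod = dep["spec"]["template"]
        sa = pod["spec"].get("serviceAccountName", "default")
        if (ns, sa) not in admins:
            continue
        labels = pod["metadata"].get("labels", {})
        for svc in services:
            spec, sel = svc["spec"], svc["spec"].get("selector") or {}
            # A Service targets the pods when its selector is a subset of their labels.
            if (svc["metadata"]["namespace"] == ns
                    and spec.get("type") in ("NodePort", "LoadBalancer")
                    and sel and sel.items() <= labels.items()):
                ports = [p.get("nodePort") for p in spec.get("ports", [])]
                findings.append((f"{ns}/{dep['metadata']['name']}", sa, svc["metadata"]["name"], ports))
    return findings

# Constructed sample, trimmed to the fields used, mirroring the manifest above.
SAMPLE = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "kubernetes-dashboard-minimal"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard", "namespace": "kube-system"}]},
    {"kind": "Deployment", "metadata": {"name": "kubernetes-dashboard", "namespace": "kube-system"},
     "spec": {"template": {"metadata": {"labels": {"k8s-app": "kubernetes-dashboard"}},
                           "spec": {"serviceAccountName": "kubernetes-dashboard"}}}},
    {"kind": "Service", "metadata": {"name": "kubernetes-dashboard", "namespace": "kube-system"},
     "spec": {"type": "NodePort", "selector": {"k8s-app": "kubernetes-dashboard"},
              "ports": [{"port": 443, "nodePort": 30000, "targetPort": 8443}]}},
]

if __name__ == "__main__":
    # Live use: kubectl get clusterrolebindings,deployments,services -A -o json | python3 audit.py -
    items = json.load(sys.stdin)["items"] if sys.argv[1:] == ["-"] else SAMPLE
    for finding in exposed_admin_workloads(items):
        print("cluster-admin workload exposed:", finding)
```

Run without arguments it checks the constructed sample; with `-` it reads live kubectl output from standard input.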
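Deploying Heapster
Without the Heapster add-on, the dashboard cannot currently show CPU, memory and other metric graphs for Pods and Nodes
1. Download the latest version of heapster from the heapster release page: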
# wget https://github.com/kubernetes-retired/heapster/archive/v1.5.4.tar.gz
# tar xf v1.5.4.tar.gz
View the configuration files used for the deployment:
# cd heapster-1.5.4/deploy/kube-config/
# ls influxdb/ && ls rbac/
grafana.yaml heapster.yaml influxdb.yaml
heapster-rbac.yaml
Create a new directory to hold the yaml files needed to deploy Heapster, and copy the files above into it
# mkdir heapster
# ls heapster/
grafana.yaml heapster-rbac.yaml heapster.yaml influxdb.yaml
2. Modify the image values in the yaml files
# grep 'image:' heapster.yaml
image: mirrorgooglecontainers/heapster-amd64:v1.5.3
# grep 'image:' grafana.yaml
image: mirrorgooglecontainers/heapster-grafana-amd64:v4.4.3
# grep 'image:' influxdb.yaml
image: mirrorgooglecontainers/heapster-influxdb-amd64:v1.3.3
Change every k8s.gcr.io to mirrorgooglecontainers or registry.cn-hangzhou.aliyuncs.com/google_containers
3. Modify the grafana.yaml file to expose the service externally
4. Deploy Heapster
# cd heapster/
# kubectl apply -f .
5. View the dashboard
6. Access grafana
Address: http://192.168.20.203:30001
Reference links
https://www.jianshu.com/p/6f42ac331d8a
https://www.jianshu.com/p/c6d560d12d50
https://www.qikqiak.com/post/manual-install-high-available-kubernetes-cluster/