Official file directory: kubernetes/cluster/addons/dashboard
The YAML files we need to use:

    $ ls *.yaml
    dashboard-controller.yaml  dashboard-service.yaml  dashboard-rbac.yaml

For the already-modified YAML files, see: dashboard
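Because kube-apiserver has RBAC authorization enabled, and the dashboard-controller.yaml in the official source directory does not define an authorized ServiceAccount, subsequent calls to the kube-apiserver API are rejected, and the web UI shows: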
Forbidden (403) User "system:serviceaccount:kube-system:default" cannot list jobs.batch in the namespace "default". (get jobs.batch)
A dashboard-rbac.yaml file was added; it defines a ServiceAccount named dashboard and then binds it to the Cluster Role view.
    # cat dashboard-service.yaml
    apiVersion: v1
    kind: Service
    metadata:
      name: kubernetes-dashboard
      namespace: kube-system
      labels:
        k8s-app: kubernetes-dashboard
        kubernetes.io/cluster-service: "true"
        addonmanager.kubernetes.io/mode: Reconcile
    spec:
      type: NodePort
      selector:
        k8s-app: kubernetes-dashboard
      ports:
      - port: 80
        targetPort: 9090
    # cat dashboard-controller.yaml
    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: kubernetes-dashboard
      namespace: kube-system
      labels:
        k8s-app: kubernetes-dashboard
        kubernetes.io/cluster-service: "true"
        addonmanager.kubernetes.io/mode: Reconcile
    spec:
      selector:
        matchLabels:
          k8s-app: kubernetes-dashboard
      template:
        metadata:
          labels:
            k8s-app: kubernetes-dashboard
          annotations:
            scheduler.alpha.kubernetes.io/critical-pod: ''
        spec:
          serviceAccountName: dashboard
          containers:
          - name: kubernetes-dashboard
            image: index.tenxcloud.com/jimmy/kubernetes-dashboard-amd64:v1.6.0
            resources:
              limits:
                cpu: 100m
                memory: 50Mi
              requests:
                cpu: 100m
                memory: 50Mi
            ports:
            - containerPort: 9090
            livenessProbe:
              httpGet:
                path: /
                port: 9090
              initialDelaySeconds: 30
              timeoutSeconds: 30
          tolerations:
          - key: "CriticalAddonsOnly"
            operator: "Exists"
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: dashboard
      namespace: kube-system
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: dashboard
    subjects:
    - kind: ServiceAccount
      name: dashboard
      namespace: kube-system
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io
    # pwd
    /root/yaml/dashboard
    # ls *.yaml
    dashboard-controller.yaml  dashboard-service.yaml  dashboard-rbac.yaml
    # kubectl create -f .
    deployment "kubernetes-dashboard" created
    serviceaccount "dashboard" created
    clusterrolebinding "dashboard" created
    service "kubernetes-dashboard" created
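The text above says the dashboard ServiceAccount is bound to the Cluster Role view, while the dashboard-rbac.yaml shown binds it to cluster-admin, and the Service is of type NodePort. The check below is an added example, not part of the original page or of the Kubernetes project: it traces NodePort Service, Deployment, ServiceAccount and ClusterRoleBinding over manifests loaded as Python dicts. BROAD_ROLES, the function names and the reduced sample manifests are assumptions made for this illustration, and only ClusterRoleBindings are followed.

```python
# Assumption: ClusterRoles treated as too broad for a Service opened on every node.
BROAD_ROLES = {"cluster-admin", "admin", "edit"}

def sa_roles(manifests):
    """Map (namespace, ServiceAccount) -> ClusterRoles granted by ClusterRoleBindings."""
    roles = {}
    for m in manifests:
        if m["kind"] != "ClusterRoleBinding" or m["roleRef"]["kind"] != "ClusterRole":
            continue
        for s in m.get("subjects") or []:
            if s["kind"] == "ServiceAccount":
                roles.setdefault((s["namespace"], s["name"]), set()).add(m["roleRef"]["name"])
    return roles

def exposed_broad_accounts(manifests):
    """List (service, deployment, serviceaccount, role) for NodePort pods with a broad role."""
    roles, findings = sa_roles(manifests), []
    for svc in manifests:
        if svc["kind"] != "Service" or svc["spec"].get("type") != "NodePort":
            continue
        ns, selector = svc["metadata"]["namespace"], svc["spec"].get("selector") or {}
        for d in manifests:
            if d["kind"] != "Deployment" or d["metadata"]["namespace"] != ns or not selector:
                continue
            tmpl = d["spec"]["template"]
            labels = tmpl["metadata"].get("labels", {})
            if any(labels.get(k) != v for k, v in selector.items()):
                continue  # the Service does not select this Deployment's pods
            sa = tmpl["spec"].get("serviceAccountName", "default")  # unset means "default"
            for role in sorted(roles.get((ns, sa), set()) & BROAD_ROLES):
                findings.append((svc["metadata"]["name"], d["metadata"]["name"], sa, role))
    return findings

def page_manifests(role, sa="dashboard"):
    """Constructed sample: this page's three manifests, cut down to the fields read above."""
    labels = {"k8s-app": "kubernetes-dashboard"}
    meta = {"name": "kubernetes-dashboard", "namespace": "kube-system"}
    return [
        {"kind": "Service", "metadata": meta, "spec": {"type": "NodePort", "selector": labels}},
        {"kind": "Deployment", "metadata": meta, "spec": {"template": {
            "metadata": {"labels": labels}, "spec": {"serviceAccountName": sa}}}},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "dashboard"},
         "subjects": [{"kind": "ServiceAccount", "name": "dashboard", "namespace": "kube-system"}],
         "roleRef": {"kind": "ClusterRole", "name": role}},
    ]

if __name__ == "__main__":
    print(exposed_broad_accounts(page_manifests("cluster-admin")))  # binding in the manifest
    print(exposed_broad_accounts(page_manifests("view")))  # binding the text describes
```

On a live cluster the same dicts can be taken from the items of `kubectl get services,deployments,clusterrolebindings --all-namespaces -o json`.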
Check the assigned NodePort:
    # kubectl get services kubernetes-dashboard -n kube-system
    NAME                   CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE
    kubernetes-dashboard   10.254.142.130   <nodes>       80:31761/TCP   1h
Check the controller status:
    # kubectl get deployment kubernetes-dashboard -n kube-system
    NAME                   DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
    kubernetes-dashboard   1         1         1            1           1h
    # kubectl get pods -n kube-system | grep dashboard
    kubernetes-dashboard-2888692679-bpz89   1/1       Running   0          1h
There are the following three ways:
Access the dashboard at the address http://NodeIP:nodePort;
Start the proxy:
    $ kubectl proxy --address='192.168.1.121' --port=8086 --accept-hosts='^*$'
    Starting to serve on 192.168.1.121:8086
The --accept-hosts option is needed; otherwise the browser shows "Unauthorized" when accessing the dashboard page. Open this URL in a browser: http://192.168.1.121:8086/ui
It automatically redirects to: http://192.168.1.121:8086/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard/#/workload?namespace=default
Get the list of cluster service addresses:
    $ kubectl cluster-info
    Kubernetes master is running at https://192.168.1.121:6443
    KubeDNS is running at https://192.168.1.121:6443/api/v1/proxy/namespaces/kube-system/services/kube-dns
    kubernetes-dashboard is running at https://192.168.1.121:6443/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard
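Open this URL in a browser: https://172.20.0.113:6443/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard
(The browser will prompt for certificate verification, because this goes through an encrypted channel; to access the dashboard this way, you need to import the certificate into your computer beforehand.) This is a pitfall I ran into here at the time: accessing the dashboard through kube-apiserver gave the message User "system:anonymous" cannot proxy services in the namespace "kube-system". #5, which has since been resolved.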
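Import the certificate
Convert the generated admin.pem certificate to another format:

    openssl pkcs12 -export -in admin.pem -out admin.p12 -inkey admin-key.pem

Import the generated admin.p12 certificate into your computer. Remember the password you set when exporting; you will need it again when importing.
If you do not want to use https, you can access the insecure port 8080 directly: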
http://192.168.1.121:8080/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard
Because the Heapster add-on is missing, the dashboard currently cannot display CPU, memory and other metric graphs for Pods and Nodes; Heapster will be added later.