安装docker 镜像
[root@k8s-master ~]# docker pull mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1
[root@k8s-master ~]#
[root@k8s-master ~]# docker tag mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1 k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
[root@k8s-master ~]#
[root@k8s-master ~]# docker rmi mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1
安装图形化管理界面
# 使用 github 上的 yaml 安装 (注意这里 apply 的是 master 分支的文件，内容会随上游变化；建议固定到具体版本，或使用文章结尾保存的本地副本)
[root@k8s-master node-server-yaml]# kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/aio/deploy/recommended/kubernetes-dashboard.yaml

# 也可以将 yaml下载到本地安装; kubernetes-dashboard.yaml文件在文章结尾
[root@k8s-master node-server-yaml]#

# 查看 kubernetes-dashboard 运行状态,发现启动未成功
[root@k8s-master node-server-yaml]# kubectl get pod -A
NAMESPACE                NAME                                    READY   STATUS             RESTARTS   AGE
kube-system              kubernetes-dashboard-5f7b999d65-krs9s   0/1     ImagePullBackOff   0          6m7s
......

# 查看pod失败原因
[root@k8s-master node-server-yaml]# kubectl describe pod kubernetes-dashboard -n kube-system
......
Events:
  Type     Reason     Age                    From                Message
  ----     ------     ----                   ----                -------
  Normal   Scheduled  7m3s                   default-scheduler   Successfully assigned kube-system/kubernetes-dashboard-5f7b999d65-krs9s to k8s-node1
  Normal   Pulling    4m46s (x4 over 7m2s)   kubelet, k8s-node1  Pulling image "k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1"
  Warning  Failed     4m31s (x4 over 6m40s)  kubelet, k8s-node1  Failed to pull image "k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1": rpc error: code = Unknown desc = Error response from daemon: Get https://k8s.gcr.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
  Warning  Failed     4m31s (x4 over 6m40s)  kubelet, k8s-node1  Error: ErrImagePull
  Warning  Failed     4m5s (x7 over 6m40s)   kubelet, k8s-node1  Error: ImagePullBackOff
  Normal   BackOff    114s (x15 over 6m40s)  kubelet, k8s-node1  Back-off pulling image "k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1"

# 由此可见，失败原因是 k8s-node1 节点上没有 k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1 这个镜像：我之前只把镜像装到了 k8s-master 上。如果这里指定了自己的私有镜像仓库就不会出现这个问题；现在只要在 k8s-node1 节点上把镜像下载下来即可
[root@k8s-master node-server-yaml]#
# 再次查看, 运行成功
[root@k8s-master node-server-yaml]# kubectl -n kube-system get service kubernetes-dashboard
NAME                   TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE
kubernetes-dashboard   NodePort   10.104.136.130   <none>        443/TCP   4m27s
[root@k8s-master node-server-yaml]#

解决方案:
1. 在那台节点机器上下载相关的镜像
2. 通过 nodeName: 指定pod部署到哪个节点上,这种做法要修改 .yaml文件
为了可控我使用的是第二种方案,将远程的 kubernetes-dashboard.yaml文件下载到本地进行修改

# 查看service
[root@k8s-master pki]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                  AGE
kube-dns               ClusterIP   10.96.0.10       <none>        53/UDP,53/TCP,9153/TCP   12h
kubernetes-dashboard   ClusterIP   10.104.136.130   <none>        443/TCP                  34m
[root@k8s-master pki]#
[root@k8s-master pki]# kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system
service/kubernetes-dashboard patched
# 使用命令暴露 service 端口
# 这种做法重启 kubernetes-dashboard 端口依然会丢失;
# 有两种解决办法:
#    1、手动去修改 service的 NodePort 我这里偷懒使用了命令; 建议修改 kubernetes-dashboard.yaml开放端口文件;
#    2、配置反向代理
[root@k8s-master pki]#
[root@k8s-master pki]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                  AGE
kube-dns               ClusterIP   10.96.0.10       <none>        53/UDP,53/TCP,9153/TCP   12h
kubernetes-dashboard   NodePort    10.104.136.130   <none>        443:30996/TCP            34m
[root@k8s-master pki]#
测试连接 https://本机外网IP地址:30996 (NodePort 会在集群每个节点上监听该端口；--auto-generate-certificates 生成的是自签名证书，浏览器会提示不受信任。若节点有公网 IP，应用防火墙或安全组限制访问来源，不要把 dashboard 直接暴露到公网)
创建 ServiceAccount

k8s 有两种账户:
1. 给机器 (Pod 内程序) 用的 ServiceAccount
2. 给人用的普通用户账户

# 创建一个名为 sa-admin的 ServiceAccount 账户,并将它加入到 kube-system命名空间下
[root@k8s-master pki]# kubectl create serviceaccount sa-admin -n kube-system
serviceaccount/def-ns-admin created
[root@k8s-master pki]#
[root@k8s-master pki]# kubectl get sa -A
# 命名空间         ServiceAccount
NAMESPACE         NAME                                 SECRETS   AGE
default           default                              1         5d5h
kube-node-lease   default                              1         5d5h
kube-public       default                              1         5d5h
kube-system       sa-admin                             1         21s
kube-system       attachdetach-controller              1         5d5h
......
[root@k8s-master pki]#
删除 ServiceAccount账户
[root@k8s-master ~]# kubectl delete sa sa-admin -n kube-system
rolebinding.rbac.authorization.k8s.io "sa-admin" deleted
查看 k8s 默认角色
[root@k8s-master pki]# kubectl get clusterrole -A | grep cluster-admin
cluster-admin                                                          5d5h
[root@k8s-master pki]#
把ServiceAccount绑定在cluster集群角色上, 让它享有集群管理员的权限

创建一个名为 sa-admin-role 的集群角色绑定 (ClusterRoleBinding)，把 kube-system 命名空间下的 sa-admin (ServiceAccount 账户) 绑定到 ClusterRole cluster-admin 上。注意 cluster-admin 是集群最高权限，该账户的 token 一旦泄露即可完全控制集群，生产环境应按需授予范围更小的 Role/ClusterRole

[root@k8s-master pki]# kubectl create clusterrolebinding sa-admin-role --clusterrole=cluster-admin --serviceaccount=kube-system:sa-admin
clusterrolebinding.rbac.authorization.k8s.io/sa-admin-role created
[root@k8s-master pki]#
查看新建的角色
[root@k8s-master pki]# kubectl get clusterrolebinding | grep sa-admin-role
sa-admin-role                                          31s
[root@k8s-master pki]#
[root@k8s-master pki]# kubectl describe clusterrolebinding sa-admin-role
Name:         sa-admin-role
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind            Name      Namespace
  ----            ----      ---------
  ServiceAccount  sa-admin  kube-system
[root@k8s-master pki]#
删除 ClusterRoleBinding
[root@k8s-master pki]# kubectl delete clusterrolebinding sa-admin-role
clusterrolebinding.rbac.authorization.k8s.io "sa-admin-role" deleted
查看sa-admin的token
**使用 token 登录，其实就是告诉 k8s 用哪个 ServiceAccount 账户来操作 dashboard；这个 token 是该账户的 Bearer 凭证，拥有它就等于拥有该账户被授予的全部权限 (这里是 cluster-admin)，切勿泄露或提交到公开仓库**
[root@k8s-master pki]# kubectl describe secret sa-admin -n kube-system
Name:         sa-admin-token-4bktz
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: sa-admin
              kubernetes.io/service-account.uid: ee40378d-8c24-11e9-af9f-00163e02a4bf

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJzYS1hZG1pbi10b2tlbi00Ymt0eiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJzYS1hZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImVlNDAzNzhkLThjMjQtMTFlOS1hZjlmLTAwMTYzZTAyYTRiZiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTpzYS1hZG1pbiJ9.ZnlKKgAEyeZBvYj6AZV1plXZz0RjdMz6-Vl607_M_IaR1SvNJPV307tT6g69uViQBqRi1yxvUWEvpwqUQazDpNV2IPxmXd1qMm6L6sWwrvsMcnK3jPjLIlWV3ospnh9x14tJqnBVH1Z7-do7IyUvsj7XGk707Q-xXKmXGW0s9gARKLP8a61gxdDNnuCboUJt3Apxrq6rgcmY5kq4HBcJ-W7cr0ldtz6adTCqn1Mlfug86jZZCbT0UhqsSk5mPzHMtf44X29FjPV_FkGDywtU8ZNPQiWDJI7xAti9WGBOEzPc1Lfw0WnQLLsPpa5npKotKlApCwbiuBo-XLAU_gNlDQ

[root@k8s-master pki]#
kubernetes-dashboard.yaml
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# ------------------- Dashboard Secrets ------------------- #

# Empty Opaque secret; the Deployment below mounts it at /certs.
# NOTE(review): no cert data is supplied here, so the dashboard relies on
# --auto-generate-certificates (a self-signed cert) — confirm if a CA-signed
# cert is required.
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque

---

# CSRF key secret; created with an empty value, the Role below lets the
# dashboard get/update it.
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kube-system
type: Opaque
data:
  csrf: ""

---
# ------------------- Dashboard Service Account ------------------- #

# Identity the dashboard pod runs as (see serviceAccountName in the
# Deployment). It is only bound to the minimal Role below; the admin
# ServiceAccount used for logging in is created separately.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Role & Role Binding ------------------- #

# Namespaced Role scoped to kube-system: only the secrets/configmaps the
# dashboard itself needs, plus proxy access to heapster.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  # resourceNames limits get/update/delete to these three secrets only.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
  verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]

---
# Binds the minimal Role above to the kubernetes-dashboard ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Deployment ------------------- #

# Single-replica dashboard pod serving HTTPS on 8443.
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      # Local modification: pin the pod to k8s-master, where the image was
      # pre-pulled (nodes without the image hit ImagePullBackOff).
      # NOTE(review): nodeName bypasses the scheduler, so the pod stays
      # Pending if k8s-master is unavailable — a private registry or
      # nodeSelector would be a more flexible fix.
      nodeName: k8s-master
      containers:
      - name: kubernetes-dashboard
        # Image tag retagged locally from mirrorgooglecontainers (see the
        # docker tag step); the pull goes to k8s.gcr.io unless the image is
        # already present on the node.
        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          # Self-signed TLS cert generated at startup; the certs secret
          # mounted at /certs is empty in this manifest.
          - --auto-generate-certificates
          # Uncomment the following line to manually specify Kubernetes API server Host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          # - --apiserver-host=http://my-address:port
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
        # Liveness check hits the HTTPS endpoint directly on 8443.
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      # Runs as the minimal-Role ServiceAccount defined above.
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      # (with nodeName: k8s-master set above, this toleration is what lets the
      # pod land on the master's NoSchedule taint).
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule

---
# ------------------- Dashboard Service ------------------- #

# Local modification: NodePort instead of ClusterIP so the patch command in
# the walkthrough is not needed and the port survives a re-apply.
# NOTE(review): 30996 is then reachable on every node's addresses; restrict
# it at the network layer if any node has a public IP.
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30996
  selector:
    k8s-app: kubernetes-dashboard