[GCE] Installing Kubernetes Dashboard
Kubernetes Dashboard installation notes
Installation
Before deploying, confirm that the yaml file comes from the master branch.
The link below points to the latest dashboard code on github:
https://sourcegraph.com/github.com/kubernetes/dashboard@master/-/blob/src/deploy/recommended/kubernetes-dashboard.yaml?diff=cfc62d86f67b70771dfc0798f10a891aa329b9c4&utm_source=chrome-extension#L11
The file is divided into the following parts.
Dashboard Secret && ServiceAccount definition
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque
Secrets play an important role in a complex network environment: they are the credentials by which resources circulate in the k8s world.
A Secret-type k8s resource takes sensitive data such as keys, passwords and tokens out of the configuration files.
Without the Secret abstraction, the k8s yaml configuration files would be littered with passwords, tokens and secrets, and a changed password would be very hard to maintain. That is the value of this kind of resource.
A Secret is a Map data type with some added behaviour; for example it can be imported into a Pod definition as a volume mount.
There are 3 types of stored Secret:
- Opaque type
  The Chinese meaning is 不透明的 (opaque); values are stored in base64 format.
  base64 is a reversible encoding, not encryption.
  echo -n 'zhangqinghua' | base64
  outputs emhhbmdxaW5naHVh, and decoding it back is easy:
  echo -n 'emhhbmdxaW5naHVh' | base64 --decode
- kubernetes.io/dockerconfigjson type.
  One of k8s's core responsibilities is container orchestration; the most common scenario is pulling an image and creating the corresponding pods.
  During that process the cluster must authenticate to a private registry, and that is where this type of secret is used.
  The Secret is used as follows:
apiVersion: v1
kind: Pod
metadata:
  name: test-scret-use-methods
spec:
  containers:
  - name: test-container
    image: 192.168.1.12:5000/xxxx/test-image:latest
    imagePullPolicy: Always
  imagePullSecrets:
  - name: new-created-secret-for-demo
Here new-created-secret-for-demo is the newly created secret.
The official k8s documentation has an example of creating one; see
- kubernetes.io/service-account-token type
k8snode-03@A11131221040327:~/$ kubectl get serviceaccount --all-namespaces
NAMESPACE NAME SECRETS AGE
default default 1 18h
kube-public default 1 18h
kube-system attachdetach-controller 1 18h
kube-system bootstrap-signer 1 18h
k8snode-03@A11131221040327:~/$ kubectl describe serviceaccount/default -n kube-system
Name: default
Namespace: kube-system
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: default-token-jmgnw
Tokens: default-token-jmgnw
Events: <none>
A ServiceAccount is an independent resource associated with a namespace and with the tokens and secrets that belong to it.
Its purpose is to give the applications inside pods a credential for calling the Kubernetes API service, for example to list the pods in a given namespace.
Roles and permission assignment
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
This configuration binds the kubernetes-dashboard ServiceAccount to the permissions defined in the Role, which specifies the resources it is allowed to operate on.
Deployment
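As an added example (not code from the original post or the dashboard project), a small Python audit that ties the two points above together: it decodes the Opaque value shown earlier without any key, and it checks a list of PolicyRules (the page's minimal Role, plus a constructed admin-style contrast) for grants the Dashboard does not need. The rule dicts, the verb sets and the function names are my own assumptions.

```python
import base64
from typing import Dict, List

# Constructed sample mirroring the page's 'kubernetes-dashboard-minimal' Role:
# the Dashboard may only *create* secrets, never read them back.
DASHBOARD_MINIMAL_RULES = [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["create"]},
]

# Constructed contrast: the kind of rule that gets pasted in when the
# Dashboard "won't start" and someone binds it to an admin-style role.
ADMIN_STYLE_RULES = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
]

SECRET_READ_VERBS = {"get", "list", "watch"}
PRIVILEGE_VERBS = {"bind", "escalate", "impersonate"}


def decode_opaque(data: Dict[str, str]) -> Dict[str, str]:
    """Reverse the base64 'data' map of an Opaque Secret.
    No key is involved: anyone who can `get` the Secret object
    recovers the plaintext exactly like this."""
    return {k: base64.b64decode(v).decode("utf-8") for k, v in data.items()}


def audit_rules(rules: List[Dict[str, List[str]]]) -> List[str]:
    """Return one finding per PolicyRule that grants more than the
    Dashboard's minimal Role needs. An empty list means the rules are tight."""
    findings = []
    for i, rule in enumerate(rules):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in groups or "*" in resources or "*" in verbs:
            findings.append(f"rule {i}: wildcard grant groups={sorted(groups)} "
                            f"resources={sorted(resources)} verbs={sorted(verbs)}")
            continue
        if "secrets" in resources and verbs & SECRET_READ_VERBS:
            findings.append(f"rule {i}: secrets readable via "
                            f"{sorted(verbs & SECRET_READ_VERBS)}; Opaque values are only base64")
        if verbs & PRIVILEGE_VERBS:
            findings.append(f"rule {i}: privilege-escalation verbs {sorted(verbs & PRIVILEGE_VERBS)}")
    return findings


if __name__ == "__main__":
    print(decode_opaque({"user": "emhhbmdxaW5naHVh"}))
    print("minimal:", audit_rules(DASHBOARD_MINIMAL_RULES) or "OK")
    print("admin-style:", audit_rules(ADMIN_STYLE_RULES))
```

Run it against the rules of any Role or ClusterRole you intend to bind to the Dashboard's ServiceAccount; a non-empty result is a reason to look again before applying the binding.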
kind: Deployment
apiVersion: apps/v1beta2
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.0
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --auto-generate-certificates
          # Uncomment the following line to manually specify Kubernetes API server Host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          # - --apiserver-host=http://my-address:port
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
The Deployment ties together all the resources defined above, including the Secret and the ServiceAccount.
This part is where errors most easily occur. An issue collects the reasons it fails to start:
Creating API server client for https://10.96.0.1:443
Error while initializing connection to Kubernetes apiserver. This most likely means that the cluster is misconfigured (e.g., it has invalid apiserver certificates or service accounts configuration) or the --apiserver-host param points to a server that does not exist. Reason: Get https://10.96.0.1:443/version: dial tcp 10.96.0.1:443: i/o timeout
Refer to the troubleshooting guide for more information: https://github.com/kubernetes/dashboard/blob/master/docs/user-guide/troubleshooting.md
10.96.0.1 is the cluster IP of the Kubernetes API service:
k8snode-03@A11131221040327:~/.kube$ kubectl get service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 19h
k8snode-03@A11131221040327:~/.kube$ kubectl describe service kubernetes
Name: kubernetes
Namespace: default
Labels: component=apiserver
provider=kubernetes
Annotations: <none>
Selector: <none>
Type: ClusterIP
IP: 10.96.0.1
Port: https 443/TCP
TargetPort: 6443/TCP
Endpoints: 192.168.12.39:6443
Session Affinity: None
Events: <none>
Finally, retrieve the token of a given account:
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')
Access the dashboard through the proxy:
kubectl proxy
Output:
Starting to serve on 127.0.0.1:8001
Summary
Notes