本文是 Kubernetes 集群实验的验证。
以下是操作过程:
测试Kubernetes集群
在Kubernetes集群中创建一个pod,然后暴露端口,验证是否正常访问,这里以 Nginx 为例:
[root@kubernetes-master master]# kubectl create deployment nginx --image=nginx
deployment.apps/nginx created
[root@kubernetes-master master]# kubectl expose deployment nginx --port=80 --type=NodePort
service/nginx exposed
[root@kubernetes-master master]# kubectl get pods,svc
NAME READY STATUS RESTARTS AGE
pod/nginx-554b9c67f9-z9lzj 0/1 ContainerCreating 0 41s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.1.0.1
service/nginx NodePort 10.1.104.237
[root@kubernetes-master master]#
###########################################################
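部署 Dashboard
说明:下载 v1.10.1 的清单后用 vim 做了修改。从下面列出的文件内容看,镜像使用的是第三方仓库 lizhenliang/kubernetes-dashboard-amd64:v1.10.1,Service 类型为 NodePort 并固定了 nodePort 30001。第三方镜像的内容无法保证与官方构建一致,正式环境应使用可信来源的镜像并按摘要(digest)固定;NodePort 会在每个节点上开放 30001 端口,应通过防火墙限制允许访问的来源地址。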
[root@kubernetes-master master]# wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
--2020-04-15 03:48:32-- https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.76.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.76.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4577 (4.5K) [text/plain]
Saving to: ‘kubernetes-dashboard.yaml’
100%[============================================================================================================================>] 4,577 --.-K/s in 0.004s
2020-04-15 03:48:33 (1021 KB/s) - ‘kubernetes-dashboard.yaml’ saved [4577/4577]
[root@kubernetes-master master]# ls -F
Desktop/ Documents/ Downloads/ kube-flannel.yml kubernetes-dashboard.yaml Music/ Pictures/ Public/ ssl/ Templates/ Videos/
[root@kubernetes-master master]# vim kubernetes-dashboard.yaml
[root@kubernetes-master master]# cat -n kubernetes-dashboard.yaml
1 # Copyright 2017 The Kubernetes Authors.
2 #
3 # Licensed under the Apache License, Version 2.0 (the "License");
4 # you may not use this file except in compliance with the License.
5 # You may obtain a copy of the License at
6 #
7 # http://www.apache.org/licenses/LICENSE-2.0
8 #
9 # Unless required by applicable law or agreed to in writing, software
10 # distributed under the License is distributed on an "AS IS" BASIS,
11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 # See the License for the specific language governing permissions and
13 # limitations under the License.
14
15 # ------------------- Dashboard Secret ------------------- #
16
17 apiVersion: v1
18 kind: Secret
19 metadata:
20 labels:
21 k8s-app: kubernetes-dashboard
22 name: kubernetes-dashboard-certs
23 namespace: kube-system
24 type: Opaque
25
26 ---
27 # ------------------- Dashboard Service Account ------------------- #
28
29 apiVersion: v1
30 kind: ServiceAccount
31 metadata:
32 labels:
33 k8s-app: kubernetes-dashboard
34 name: kubernetes-dashboard
35 namespace: kube-system
36
37 ---
38 # ------------------- Dashboard Role & Role Binding ------------------- #
39
40 kind: Role
41 apiVersion: rbac.authorization.k8s.io/v1
42 metadata:
43 name: kubernetes-dashboard-minimal
44 namespace: kube-system
45 rules:
46 # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
47 - apiGroups: [""]
48 resources: ["secrets"]
49 verbs: ["create"]
50 # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
51 - apiGroups: [""]
52 resources: ["configmaps"]
53 verbs: ["create"]
54 # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
55 - apiGroups: [""]
56 resources: ["secrets"]
57 resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
58 verbs: ["get", "update", "delete"]
59 # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
60 - apiGroups: [""]
61 resources: ["configmaps"]
62 resourceNames: ["kubernetes-dashboard-settings"]
63 verbs: ["get", "update"]
64 # Allow Dashboard to get metrics from heapster.
65 - apiGroups: [""]
66 resources: ["services"]
67 resourceNames: ["heapster"]
68 verbs: ["proxy"]
69 - apiGroups: [""]
70 resources: ["services/proxy"]
71 resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
72 verbs: ["get"]
73
74 ---
75 apiVersion: rbac.authorization.k8s.io/v1
76 kind: RoleBinding
77 metadata:
78 name: kubernetes-dashboard-minimal
79 namespace: kube-system
80 roleRef:
81 apiGroup: rbac.authorization.k8s.io
82 kind: Role
83 name: kubernetes-dashboard-minimal
84 subjects:
85 - kind: ServiceAccount
86 name: kubernetes-dashboard
87 namespace: kube-system
88
89 ---
90 # ------------------- Dashboard Deployment ------------------- #
91
92 kind: Deployment
93 apiVersion: apps/v1
94 metadata:
95 labels:
96 k8s-app: kubernetes-dashboard
97 name: kubernetes-dashboard
98 namespace: kube-system
99 spec:
100 replicas: 1
101 revisionHistoryLimit: 10
102 selector:
103 matchLabels:
104 k8s-app: kubernetes-dashboard
105 template:
106 metadata:
107 labels:
108 k8s-app: kubernetes-dashboard
109 spec:
110 containers:
111 - name: kubernetes-dashboard
112 image: lizhenliang/kubernetes-dashboard-amd64:v1.10.1
113 ports:
114 - containerPort: 8443
115 protocol: TCP
116 args:
117 - --auto-generate-certificates
118 # Uncomment the following line to manually specify Kubernetes API server Host
119 # If not specified, Dashboard will attempt to auto discover the API server and connect
120 # to it. Uncomment only if the default does not work.
121 # - --apiserver-host=http://my-address:port
122 volumeMounts:
123 - name: kubernetes-dashboard-certs
124 mountPath: /certs
125 # Create on-disk volume to store exec logs
126 - mountPath: /tmp
127 name: tmp-volume
128 livenessProbe:
129 httpGet:
130 scheme: HTTPS
131 path: /
132 port: 8443
133 initialDelaySeconds: 30
134 timeoutSeconds: 30
135 volumes:
136 - name: kubernetes-dashboard-certs
137 secret:
138 secretName: kubernetes-dashboard-certs
139 - name: tmp-volume
140 emptyDir: {}
141 serviceAccountName: kubernetes-dashboard
142 # Comment the following tolerations if Dashboard must not be deployed on master
143 tolerations:
144 - key: node-role.kubernetes.io/master
145 effect: NoSchedule
146
147 ---
148 # ------------------- Dashboard Service ------------------- #
149
150 kind: Service
151 apiVersion: v1
152 metadata:
153 labels:
154 k8s-app: kubernetes-dashboard
155 name: kubernetes-dashboard
156 namespace: kube-system
157 spec:
158 type: NodePort
159 ports:
160 - port: 443
161 targetPort: 8443
162 nodePort: 30001
163 selector:
164 k8s-app: kubernetes-dashboard
[root@kubernetes-master master]#
########################################################
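创建 service account 并绑定默认的 cluster-admin 管理员角色
说明:cluster-admin 对整个集群拥有全部权限,持有该 service account 的 token 就等同于集群管理员。下面 describe 输出中的 token 是登录凭据,不应公开或写入文档。这种绑定只适合实验环境,正式环境应为 Dashboard 登录账号绑定权限更小的角色。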
[root@kubernetes-master master]# kubectl create serviceaccount dashboard-admin -n kube-system
serviceaccount/dashboard-admin created
[root@kubernetes-master master]# kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
[root@kubernetes-master master]# kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')
Name: dashboard-admin-token-d9jh2
Namespace: kube-system
Labels:
Annotations: kubernetes.io/service-account.name: dashboard-admin
kubernetes.io/service-account.uid: 4aa1906e-17aa-4880-b848-8b3959483323
Type: kubernetes.io/service-account-token
.....................................................................................................
token: pZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVeyJhbGciOiJSUzI1NiIsImtzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tZDlqaDIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiNGFhMTkwNmUtMTdhYS00ODgwLWI4NDgtOGIzOTU5NDgzMzIzIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.OkF6h7tVQqmNJniCHJhY02G6u6dRg0V8PTiF8xvMuJJUphLyWlWctgmplM4kjKVZo0fZkAthL7WAV5p_AwAuj4LMfo1X5IpxUomp4YZyhqgsBM0A2ksWoKoLDjbizFwOty8TylWlsX1xcJXZjmP9OvNgjjSq5J90N5PnxYIIgwAMP3fawTP7kUXxz5WhJo-ogCijJCFyYBHoqHrgAbk9pusI8DpGTNIZxBMxkwPPwFwzNCKsRxv_EPQb99yW9GXJPQL0OwpYb4b164CFv857ENitvvKEOU6y55P9hFkuQuAJdQOfKhD0c8HjhNeliKsOYLryZObRdmTQXmxsDfxynT
[root@kubernetes-master master]#
###########################################################
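让 Firefox 以外的浏览器也能访问
说明:下面的步骤把 API Server 的证书和私钥复制并改名后放入 kubernetes-dashboard-certs 这个 Secret,再在 Deployment 的 args 中增加 --tls-key-file 和 --tls-cert-file 指向这两个文件。注意 apiserver.key 是 API Server 的 TLS 私钥,放入该 Secret 后,Dashboard 的 ServiceAccount 可以读取它(清单中的 Role 对 kubernetes-dashboard-certs 有 get 权限)。实验环境可以这样做,正式环境应为 Dashboard 单独签发证书和私钥,不要复用 API Server 的私钥。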
[root@kubernetes-master master]# cd /etc/kubernetes/pki/
[root@kubernetes-master pki]# mkdir ui
[root@kubernetes-master pki]# cp apiserver.crt ui/
[root@kubernetes-master pki]# cp apiserver.key ui/
[root@kubernetes-master pki]# cd ui/
[root@kubernetes-master ui]# mv apiserver.crt dashboard.pem
[root@kubernetes-master ui]# mv apiserver.key dashboard-key.pem
[root@kubernetes-master ui]# kubectl delete secret kubernetes-dashboard-certs -n kube-system
[root@kubernetes-master ui]# kubectl create secret generic kubernetes-dashboard-certs --from-file=./ -n kube-system
[root@kubernetes-master master]# vim kubernetes-dashboard.yaml
[root@kubernetes-master master]# cat -n kubernetes-dashboard.yaml
1 # Copyright 2017 The Kubernetes Authors.
2 #
3 # Licensed under the Apache License, Version 2.0 (the "License");
4 # you may not use this file except in compliance with the License.
5 # You may obtain a copy of the License at
6 #
7 # http://www.apache.org/licenses/LICENSE-2.0
8 #
9 # Unless required by applicable law or agreed to in writing, software
10 # distributed under the License is distributed on an "AS IS" BASIS,
11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 # See the License for the specific language governing permissions and
13 # limitations under the License.
14
15 # ------------------- Dashboard Secret ------------------- #
16
17 apiVersion: v1
18 kind: Secret
19 metadata:
20 labels:
21 k8s-app: kubernetes-dashboard
22 name: kubernetes-dashboard-certs
23 namespace: kube-system
24 type: Opaque
25
26 ---
27 # ------------------- Dashboard Service Account ------------------- #
28
29 apiVersion: v1
30 kind: ServiceAccount
31 metadata:
32 labels:
33 k8s-app: kubernetes-dashboard
34 name: kubernetes-dashboard
35 namespace: kube-system
36
37 ---
38 # ------------------- Dashboard Role & Role Binding ------------------- #
39
40 kind: Role
41 apiVersion: rbac.authorization.k8s.io/v1
42 metadata:
43 name: kubernetes-dashboard-minimal
44 namespace: kube-system
45 rules:
46 # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
47 - apiGroups: [""]
48 resources: ["secrets"]
49 verbs: ["create"]
50 # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
51 - apiGroups: [""]
52 resources: ["configmaps"]
53 verbs: ["create"]
54 # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
55 - apiGroups: [""]
56 resources: ["secrets"]
57 resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
58 verbs: ["get", "update", "delete"]
59 # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
60 - apiGroups: [""]
61 resources: ["configmaps"]
62 resourceNames: ["kubernetes-dashboard-settings"]
63 verbs: ["get", "update"]
64 # Allow Dashboard to get metrics from heapster.
65 - apiGroups: [""]
66 resources: ["services"]
67 resourceNames: ["heapster"]
68 verbs: ["proxy"]
69 - apiGroups: [""]
70 resources: ["services/proxy"]
71 resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
72 verbs: ["get"]
73
74 ---
75 apiVersion: rbac.authorization.k8s.io/v1
76 kind: RoleBinding
77 metadata:
78 name: kubernetes-dashboard-minimal
79 namespace: kube-system
80 roleRef:
81 apiGroup: rbac.authorization.k8s.io
82 kind: Role
83 name: kubernetes-dashboard-minimal
84 subjects:
85 - kind: ServiceAccount
86 name: kubernetes-dashboard
87 namespace: kube-system
88
89 ---
90 # ------------------- Dashboard Deployment ------------------- #
91
92 kind: Deployment
93 apiVersion: apps/v1
94 metadata:
95 labels:
96 k8s-app: kubernetes-dashboard
97 name: kubernetes-dashboard
98 namespace: kube-system
99 spec:
100 replicas: 1
101 revisionHistoryLimit: 10
102 selector:
103 matchLabels:
104 k8s-app: kubernetes-dashboard
105 template:
106 metadata:
107 labels:
108 k8s-app: kubernetes-dashboard
109 spec:
110 containers:
111 - name: kubernetes-dashboard
112 image: lizhenliang/kubernetes-dashboard-amd64:v1.10.1
113 ports:
114 - containerPort: 8443
115 protocol: TCP
116 args:
117 - --auto-generate-certificates
118 - --tls-key-file=dashboard-key.pem
119 - --tls-cert-file=dashboard.pem
120 # Uncomment the following line to manually specify Kubernetes API server Host
121 # If not specified, Dashboard will attempt to auto discover the API server and connect
122 # to it. Uncomment only if the default does not work.
123 # - --apiserver-host=http://my-address:port
124 volumeMounts:
125 - name: kubernetes-dashboard-certs
126 mountPath: /certs
127 # Create on-disk volume to store exec logs
128 - mountPath: /tmp
129 name: tmp-volume
130 livenessProbe:
131 httpGet:
132 scheme: HTTPS
133 path: /
134 port: 8443
135 initialDelaySeconds: 30
136 timeoutSeconds: 30
137 volumes:
138 - name: kubernetes-dashboard-certs
139 secret:
140 secretName: kubernetes-dashboard-certs
141 - name: tmp-volume
142 emptyDir: {}
143 serviceAccountName: kubernetes-dashboard
144 # Comment the following tolerations if Dashboard must not be deployed on master
145 tolerations:
146 - key: node-role.kubernetes.io/master
147 effect: NoSchedule
148
149 ---
150 # ------------------- Dashboard Service ------------------- #
151
152 kind: Service
153 apiVersion: v1
154 metadata:
155 labels:
156 k8s-app: kubernetes-dashboard
157 name: kubernetes-dashboard
158 namespace: kube-system
159 spec:
160 type: NodePort
161 ports:
162 - port: 443
163 targetPort: 8443
164 nodePort: 30001
165 selector:
166 k8s-app: kubernetes-dashboard
[root@kubernetes-master master]#
[root@kubernetes-master master]# kubectl apply -f kubernetes-dashboard.yaml
[root@kubernetes-master master]# kubectl create serviceaccount dashboard-admin -n kube-system
serviceaccount/dashboard-admin created
[root@kubernetes-master master]# kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
[root@kubernetes-master master]# kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')
Name: dashboard-admin-token-zbn9f
Namespace: kube-system
Labels:
Annotations: kubernetes.io/service-account.name: dashboard-admin
kubernetes.io/service-account.uid: 40259d83-3b4f-4acc-a4fb-43018de7fc19
Type: kubernetes.io/service-account-token
........................................................................................................
token: eyJhbGcilLWFjY291bnQudWlkIjoiNDAyNTlkODMtM2I0Zi00YWNjLWE0ZmItNDMwMThkZTdmYzE5OiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4temJuOWYiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.E0hGAkeQxd6K-YpPgJmNTv7Sn_P_nzhgCnYXGc9AeXd9k9qAcO97vBeOV-pH518YbjrOAx_D6CKIyP07aCi_3NoPlbbyHtcpRKFl-lWDPdg8wpcIefcpbtS6uCOrpaJdCJjWFcAEHdvcfmiFpdVVT7tUZ2-eHpRTUQ5MDPF-c2IOa9_FC9V3bf6XW6MSCZ_7-fOF4MnfYRa8ucltEIhIhCAeDyxlopSaA5oEbopjaNiVeJUGrKBll8Edatc7-wauUIJXAN-dZRD0xTULPNJ1BsBthHM40tISJYU_uQRlMP83SfkOpbiOpzuDT59BBJB57OGQLyFe8OpL5n_oiQtl3w
[root@kubernetes-master master]#
孟伯,20200411
交流联系:微信 1807479153 ,QQ 1807479153