一、Dashboard安装
1、设定yaml定义文件
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Configuration to deploy release version of the Dashboard UI compatible with
# Kubernetes 1.8.
#
# Example usage: kubectl create -f
# ------------------- Dashboard Secret ------------------- #
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-certs
namespace: kube-system
type: Opaque
---
# ------------------- Dashboard Service Account ------------------- #
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
---
# ------------------- Dashboard Role & Role Binding ------------------- #
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
rules:
# Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
# Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
verbs: ["get", "update", "delete"]
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"]
# Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster"]
verbs: ["proxy"]
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kube-system
---
# ------------------- Dashboard Deployment ------------------- #
kind: Deployment
apiVersion: apps/v1beta2
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: kubernetes-dashboard
template:
metadata:
labels:
k8s-app: kubernetes-dashboard
spec:
containers:
- name: kubernetes-dashboard
image: registry.cn-hangzhou.aliyuncs.com/kuberneters/kubernetes-dashboard-amd64:v1.8.3
ports:
- containerPort: 8443
protocol: TCP
args:
- --auto-generate-certificates
# Uncomment the following line to manually specify Kubernetes API server Host
# If not specified, Dashboard will attempt to auto discover the API server and connect
# to it. Uncomment only if the default does not work.
#- --apiserver-host=http://172.16.214.210:6443
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
# Create on-disk volume to store exec logs
- mountPath: /tmp
name: tmp-volume
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 30
timeoutSeconds: 30
volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: kubernetes-dashboard-certs
- name: tmp-volume
emptyDir: {}
serviceAccountName: kubernetes-dashboard
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
---
# ------------------- Dashboard Service ------------------- #
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
type: NodePort
ports:
- nodePort: 30030
port: 443
targetPort: 8443
selector:
k8s-app: kubernetes-dashboard
##说明
1、修改image镜像为自己的镜像 这里使用阿里云镜像,已经提前下载,并且docker load
docker load -i kubernetes-dashboard-amd64.tar.gz
2、type: NodePort,可以外部访问,端口是30030
配置NodePort,外部通过https://NodeIp:NodePort 访问Dashboard,此时端口为30030
2、访问测试
浏览器访问dashboard登陆页面
如https://172.16.214.210:30030/
跳过
报错
首次登陆权限报错
3. 新增管理员帐号
cat >> kubernetes-dashboard.yaml << EOF
---
# ------------------- dashboard-admin ------------------- #
apiVersion: v1
kind: ServiceAccount
metadata:
name: dashboard-admin
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: dashboard-admin
subjects:
- kind: ServiceAccount
name: dashboard-admin
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
EOF
#创建超级管理员的账号用于登录Dashboard
4. 重启对应的容器,查看状态
4.1 重启
kubectl replace --force -f kubernetes-dashboard.yaml
4.2 状态查看
[root@master ~]# kubectl get deployment kubernetes-dashboard -n kube-system
[root@master ~]# kubectl get pods -n kube-system -o wide
[root@master ~]# kubectl get services -n kube-system
image.png
5. 令牌查看
kubectl describe secrets -n kube-system dashboard-admin
image.png
令牌为:
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tdmdmNXoiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZjUxYzUwOWQtZmVmMy0xMWVhLTkyOTEtMDA1MDU2MmE5MzUyIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.d4UwRFsQ7Wg_hSLrRaAOFFkjqKwEDQXjlYM2sNMBgjeu7MCLuE_H5xX9BkZnkJtSoLwBrOqsTOVTQk3t3LIlUFHxCOY3CQ8--QoQXPQTcIlzgM_r4gxfQkAX5hYOE2cEFKUOUuaNUqQHfS3zJE0q3CJhIhjGx8LER6-sMhX0qO7ucU1kVdjwAWf9D4aP9XCrt0tfJ-FaFAkbvora2kcKC4GsGw3wEWkbY08ef3VrGVKwmrjrxgaxxH0P8uee4SUXeqt1xZvbsPEBQ1T4vjc8Y8plsZcNOkuxTdvDZQXCn76iTECSKz37a6GIALQV84NfxtTNu-71f2fKkPfBCntxQw
6. 访问
https://172.16.214.210:30030/
image.png
image.png
二、Heapster+InfluxDB+Grafana安装
1、准备好对应的镜像。上传到各个节点,冰添加标签
docker load < heapster-amd64.tgz
docker tag f57c75cd7b0a k8s.gcr.io/heapster-amd64:v1.5.3
docker load < heapster-grafana-amd64.tgz
docker tag 8cb3de219af7 k8s.gcr.io/heapster-grafana-amd64:v4.4.3
docker load < heapster-influxdb-amd64.tgz
docker tag 577260d221db k8s.gcr.io/heapster-influxdb-amd64:v1.3.3
2、准备对应的yaml
cat > grafana.yaml <cat > influxdb.yaml <cat > heapster.yaml <cat > heapster-rbac.yaml << EOF
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: heapster
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:heapster
subjects:
- kind: ServiceAccount
name: heapster
namespace: kube-system
EOF
#说明
heapster-rbac.yaml 文件作用
如没有heapster-rbac.yaml 将导致权限的问题,heaster默认使用一个令×××(Token)与ApiServer进行认证,通过查看heapster.yml发现 serviceAccountName: heapster ,现在明白了吧,就是heaster没有权限,那么如何授权呢-----给heaster绑定一个有权限的角色就行了,即heapster-rbac.yaml配置的那样!
#修改yaml中image为自己的
#grafana.yaml
- name: grafana
image: k8s.gcr.io/heapster-grafana-amd64:v4.4.3
#heapster.yaml
- name: heapster
image: k8s.gcr.io/heapster-amd64:v1.5.3
#influxdb.yaml
- name: influxdb
image: k8s.gcr.io/heapster-influxdb-amd64:v1.3.3
3. Heapster配置
虽然Heapster已经预先配置好了Grafana的Datasource和Dashboard,但是为了方便访问,这里我们使用NotePort暴露monitoring-grafana服务在主机的30108上,那么Grafana服务端的地址:http://192.168.245.16:30108 ,通过浏览器访问,为Grafana修改数据源,如下:
image.png
4. 访问测试
通过dashboard查看集群概况
https://172.16.214.210:30030/
image.png
image.png
5. 通过Grafana查看集群详情(cpu、memory、filesystem、network)
image.png
6. 错误说明
k8s dashboard安装完之后也是没有图像,查看heapster-565b564d5d-m8tlh 日志,报一下错误:
E0308 08:33:05.124339 1 kubelet.go:231] error while getting containers from Kubelet: failed to get all container stats from Kubelet URL "http://192.168.19.137:10255/stats/container/": Post http://192.168.19.137:10255/stats/container/: dial tcp 192.168.19.137:10255: getsockopt: connection refused
解决方案
我在/etc/sysconfig/kubelet 的选项里加了--read-only-port=10255 KUBELET_EXTRA_ARGS="--fail-swap-on=false --read-only-port=10255" (所有节点都进行添加)
然后重启对应的kubeclt服务以及容器进行重启
systemctl restart kubelet.service
kubectl replace --force -f ./