[Kubernetes Series 4] Installing dashboard-1.10.1 on Kubernetes 1.14.1

1. Environment

OS version: CentOS Linux release 7.6.1810 (Core)
Docker version: 19.03.0-beta3
Server list:
10.18.18.16    server1.ukr    used to install the Kubernetes master
10.18.18.7     server2.ukr    used as a Kubernetes minion (minion1)
10.18.19.8     server3.ukr
10.18.18.3     server4.ukr    used as a Kubernetes minion (minion2)

2. Preparing the installation

2.1 Required components (images to install)
a) dashboard component:
k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1

b) heapster components:
k8s.gcr.io/heapster-amd64:v1.5.4                        
k8s.gcr.io/heapster-influxdb-amd64:v1.5.2               
k8s.gcr.io/heapster-grafana-amd64:v5.0.4

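heapster is a monitoring component inside Kubernetes. The Kubernetes dashboard integrates with heapster, so the heapster components are needed here.

2.2 Getting the images
The official k8s images cannot be accessed normally, so pull them to the local machine from the Aliyun registry and then retag them with the official image names, which makes automatic installation from the configuration files easier. Alternatively, you can modify the configuration files instead.
Automatic download script: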

#!/bin/bash
# Pull each image from the Aliyun mirror, retag it with the official
# k8s.gcr.io name, then remove the mirror tag.
set -e
DASHBOARD_VERSION=v1.10.1
HEAPSTER_VERSION=v1.5.4
GRAFANA_VERSION=v5.0.4
INFLUXDB_VERSION=v1.5.2
username=registry.cn-hangzhou.aliyuncs.com/google_containers
images=(
        kubernetes-dashboard-amd64:${DASHBOARD_VERSION}
        heapster-grafana-amd64:${GRAFANA_VERSION}
        heapster-amd64:${HEAPSTER_VERSION}
        heapster-influxdb-amd64:${INFLUXDB_VERSION}
        )
for image in "${images[@]}"
do
    docker pull "${username}/${image}"
    docker tag "${username}/${image}" "k8s.gcr.io/${image}"
    docker rmi "${username}/${image}"
done

Run it, then use docker images to check that the images were downloaded successfully.


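3. Installing the dashboard

Here we install automatically from prepared YAML configuration files. Download location:

Link: https://pan.baidu.com/s/1sDHQLc6UAK9MIwm5HiE_Qg
Extraction code: zada

heapster.yaml: the dashboard's monitoring component
heapster-rbac.yaml: RBAC control for heapster
kubernetes-dashboard.yaml: defines the dashboard's secret, deployment and service
rbac-dashboard-admin.yaml: the dashboard's admin account, bound to the system role (cluster-admin)
rbac-dashboard-custom.yaml: the dashboard's custom account; it defines the account name, the account's access permissions and the binding.
The core configuration is kubernetes-dashboard.yaml.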

# ------------------- Dashboard Secret ------------------- #

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque

---
# ------------------- Dashboard Deployment ------------------- #

kind: Deployment
apiVersion: apps/v1beta2
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --auto-generate-certificates
          - --token-ttl=36000
          # Uncomment the following line to manually specify Kubernetes API server Host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          # - --apiserver-host=https://10.244.0.18:443
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard-admin
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule

---
# ----------------------Dashboard Service--------------------------------------
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-external
  namespace: kube-system
spec:
  ports:
    - port: 8443
      targetPort: 8443
      nodePort: 31666
  type: NodePort
  clusterIP: 10.100.100.66
  selector:
    k8s-app: kubernetes-dashboard


Notes:
Enable authenticated login: - --auto-generate-certificates
Set the token TTL: - --token-ttl=36000  # the default is 900s
containerPort: spec.template.spec.containers.ports.containerPort=8443
Health check protocol HTTPS: spec.template.spec.livenessProbe.httpGet.scheme=HTTPS
Expose the port via NodePort: nodePort: 31666

3.1 Install:

kubectl apply -f .

3.2 Test access
In a browser, open http://<any cluster IP>:<port>


4. Token authentication

4.1 View the dashboard secrets

[root@server1 ~]# kubectl get secret -n kube-system
kubernetes-dashboard-admin-token-8dw7k           kubernetes.io/service-account-token   3      20h
kubernetes-dashboard-custom-token-gmwp6          kubernetes.io/service-account-token   3      18m

4.2 View the token

[root@server1 nginx]# kubectl describe secret kubernetes-dashboard-admin-token-gd46p -n kube-system
Name:         kubernetes-dashboard-admin-token-gd46p
Namespace:    kube-system
Labels:       
Annotations:  kubernetes.io/service-account.name: kubernetes-dashboard-admin
              kubernetes.io/service-account.uid: ed74d1ed-7552-11e9-af48-52540046b773

Type:  kubernetes.io/service-account-token

Data
====
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZC1hZG1pbi10b2tlbi1nZDQ2cCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZC1hZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2N123vdW50LnVpZCI6ImVkNzRkMWVkLTc1NTItMTFlOS1hZjQ4LTUyNTQwMDQ2Yjc3MyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTprdWJlcm5ldGVzLWRhc2hib2FyZC1hZG1pbiJ9.tjJf7JBpJCV2kjV_C5J1sJS3zl78vrXb0aHmwnBkytv6kG8mpUvOjaAg9BPQD18dDO7znKPBA1vcSaLuWbPXHOc3dmfIl15K4N21PYmC6ZHO-MHoGJCqiYyR7Hfqp-fTbl7Mg-VNkIEfaZNgAWPOCfRRwTX9iCoUtJD_88VV2DX0hqOUjLLmF3ufCtfiT6F3k4WT3AK9qgxksz6cDw6BNsSldjgRjtMMN1-J3aM-dXtt2SRT_gLJ64XNj2u-ktEyeh5Tdsv15Pe_wAATzK11u8k7cHwp-kTEWgu8J6LTW9DrAvqdk2YjSMfYZ6DDlZd_hySDqkGPxTMFXnRIlTw
ca.crt:     1025 bytes
namespace:  11 bytes

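The last line of the output of the command above is the authentication token; copy all of it into the login page to log in.

A ready-made one-liner is also provided that retrieves it directly: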

kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep kubernetes-dashboard-admin-token|awk '{print $1}')|grep token:|awk '{print $2}'

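Querying different secrets returns different tokens. There is an admin token and a custom token here; both can log in, but the permissions they grant are not the same. Try it out for yourself.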
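To see which account a token belongs to before pasting it into the login page, the following added example (not part of the original article) decodes the payload of a service-account token and reports its namespace, account name and whether it carries an expiry claim. The function names and the sample token are constructed for this example; legacy secret-based tokens such as the one in 4.2 have no exp claim, so the admin token (bound to cluster-admin) stays valid until its secret is deleted.

```shell
#!/bin/sh
# Added example: show which service account a dashboard login token belongs to.
# All function names and the sample token below are constructed for this example.

# base64url <-> base64: JWT segments use '-' and '_' and drop the '=' padding.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# Payload = second dot-separated segment of the token, printed as JSON.
sa_token_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# Value of one string claim; relies on the payload being flat JSON without
# commas inside values, which holds for service-account tokens.
sa_token_claim() {
    sa_token_payload "$1" | tr ',' '\n' |
        sed -n "s|^[{ ]*\"$2\":\"\(.*\)\"[} ]*\$|\1|p"
}

# One-line summary: namespace/account and whether the token ever expires.
sa_token_summary() {
    ns=$(sa_token_claim "$1" 'kubernetes.io/serviceaccount/namespace')
    sa=$(sa_token_claim "$1" 'kubernetes.io/serviceaccount/service-account.name')
    if sa_token_payload "$1" | grep -q '"exp":'; then ttl=expires; else ttl=no-expiry; fi
    printf '%s/%s %s\n' "$ns" "$sa" "$ttl"
}

# Constructed sample using the claim names of a legacy service-account token.
SAMPLE_PAYLOAD='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","kubernetes.io/serviceaccount/service-account.name":"kubernetes-dashboard-admin","sub":"system:serviceaccount:kube-system:kubernetes-dashboard-admin"}'
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","kid":""}').$(b64url_encode "$SAMPLE_PAYLOAD").constructed-signature"

sa_token_summary "$SAMPLE_TOKEN"
```

On a live cluster, the identity it prints can be checked with `kubectl auth can-i --list --as=system:serviceaccount:kube-system:kubernetes-dashboard-admin` to see what that token is allowed to do.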

5. Common problems when installing kubernetes-dashboard

1. Error when accessing http://10.18.18.16:8080/ui:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "no endpoints available for service \"kubernetes-dashboard\"",
  "reason": "ServiceUnavailable",
  "code": 503
}

Analysis: this means the dashboard service is abnormal. The service may not have started, or it may have some other fault.

CONTAINER ID        IMAGE                                                        COMMAND                  CREATED             STATUS                    PORTS               NAMES
3916eb2965b5        daocloud.io/minunix/kubernetes-dashboard-amd64:v1.1.1        "/dashboard --port..."   17 hours ago        Up 17 hours                                   k8s_kubernetes-dashboard.5107afa2_kubernetes-dashboard-261059044-c5b43_kube-system_7dc03c78-6754-11e9-8853-52540046b773_df0bf636
9a314e33ce32        registry.access.redhat.com/rhel7/pod-infrastructure:latest   "/usr/bin/pod"           17 hours ago        Up 17 hours                                   k8s_POD.28c50bab_kubernetes-dashboard-261059044-c5b43_kube-system_7dc03c78-6754-11e9-8853-52540046b773_2e893e1c
7a53fde13073        daocloud.io/minunix/kubernetes-dashboard-amd64:v1.1.1        "/dashboard --port..."   18 hours ago        Exited (2) 17 hours ago                       k8s_kubernetes-dashboard.5107afa2_kubernetes-dashboard-261059044-c5b43_kube-system_7dc03c78-6754-11e9-8853-52540046b773_7e6d3211

Exited means the container has not started. Mine had not started at the time. Look at the container with CONTAINER ID = 7a53fde13073; it needs to be started:

docker start 7a53fde13073

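If the container will not start, you need to analyze the specific cause. Use
docker logs --tail=100 7a53fde13073
to see the specific cause. Mine did not come up at the time either, because a ca file was missing. After installing it, everything was fine.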

2. Accessing http://ip:8080/ui reports:

Error: 'dial tcp 10.1.36.2:9090: getsockopt: connection timed out'
Trying to reach: 'http://10.1.36.2:9090/'

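The usual causes are:

a) Check that the apiserver address is set correctly (restart the apiserver and kubernetes), then check that flannel is configured and started.
b) Configure the Kubernetes network: flannel must be installed on both the master and the nodes. Check that the configuration files on the master and the nodes are consistent.
c) Check iptables -L -n: on the nodes, check whether FORWARD is set to DROP. If it is DROP, enable forwarding:
iptables -P FORWARD ACCEPT 
The command above no longer takes effect after a system reboot.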
echo "net.ipv4.ip_forward = 1" >>/usr/lib/sysctl.d/50-default.conf
cat /usr/lib/sysctl.d/50-default.conf | grep forward
