【kubernetes 系列4】Kubernetes 1.14.1上安装dashboard-1.10.1
【kubernetes 系列4】Kubernetes 1.14.1上安装dashboard-1.10.1
1. 环境
OS version:CentOS Linux release 7.6.1810 (Core)
Docker version:19.03.0-beta3
server list:
10.18.18.16 server1.ukr 用来安装kubernetes master
10.18.18.7 server2.ukr 用作kubernetes minion (minion1)
10.18.19.8 server3.ukr
10.18.18.3 server4.ukr 用作kubbernetes minion (minion2)
2. 安装环境
2.1 必要的组件(安装镜像)
a) dashboard组件:
k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
b) heapster组件:
k8s.gcr.io/heapster-amd64:v1.5.4
k8s.gcr.io/heapster-influxdb-amd64:v1.5.2
k8s.gcr.io/heapster-grafana-amd64:v5.0.4
heapster是Kubernetes内部的一个监控组件。Kubernetes dashboard集成heapster 所以这里需要引入heapster组件。
2.2 获取镜像
k8s官方镜像无法正常访问,需要通过阿里云的仓库拉取到本地,然后修改tag为官方镜像名,以此方便从配置文件自动安装,当然你修改配置文件也是可以的。
自动下载脚本:
#!/bin/bash
DASHDOARD_VERSION=v1.10.1
HEAPSTER_VERSION=v1.5.4
GRAFANA_VERSION=v5.0.4
INFLUXDB_VERSION=v1.5.2
username=registry.cn-hangzhou.aliyuncs.com/google_containers
images=(
kubernetes-dashboard-amd64:${DASHDOARD_VERSION}
heapster-grafana-amd64:${GRAFANA_VERSION}
heapster-amd64:${HEAPSTER_VERSION}
heapster-influxdb-amd64:${INFLUXDB_VERSION}
)
for image in ${images[@]}
do
docker pull ${username}/${image}
docker tag ${username}/${image} k8s.gcr.io/${image}
docker rmi ${username}/${image}
donerun一下,然后通过docker images 查看镜像是否成功下载
3.安装dashboard
这里我们已用的yaml配置文件自动安装。配置文件下载地址:
链接:https://pan.baidu.com/s/1sDHQLc6UAK9MIwm5HiE_Qg
提取码:zadaheapster.yaml : dashboard的监控组件
heapster-rbac.yaml : heapster的rbac控制
kubernetes-dashboard.yaml :定义了dashboard的secret、deployment、service
rbac-dashboard-admin.yaml :dashboard的admin账户,绑定系统角色(cluster-admin)
rbac-dashboard-custom.yaml:dashboard的自定义账户,其中定义了账户名, 账户的访问权限,绑定关系。
核心配置kubernetes-dashboard.yaml。
# ------------------- Dashboard Secret ------------------- #
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-certs
namespace: kube-system
type: Opaque
---
# ------------------- Dashboard Deployment ------------------- #
kind: Deployment
apiVersion: apps/v1beta2
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: kubernetes-dashboard
template:
metadata:
labels:
k8s-app: kubernetes-dashboard
spec:
containers:
- name: kubernetes-dashboard
image: registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8443
protocol: TCP
args:
- --auto-generate-certificates
- --token-ttl=36000
# Uncomment the following line to manually specify Kubernetes API server Host
# If not specified, Dashboard will attempt to auto discover the API server and connect
# to it. Uncomment only if the default does not work.
# - --apiserver-host=https://10.244.0.18:443
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
# Create on-disk volume to store exec logs
- mountPath: /tmp
name: tmp-volume
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 30
timeoutSeconds: 30
volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: kubernetes-dashboard-certs
- name: tmp-volume
emptyDir: {}
serviceAccountName: kubernetes-dashboard-admin
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
---
# ----------------------Dashboard Service--------------------------------------
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-external
namespace: kube-system
spec:
ports:
- port: 8443
targetPort: 8443
nodePort: 31666
type: NodePort
clusterIP: 10.100.100.66
selector:
k8s-app: kubernetes-dashboard
说明:
开启认证登录: - --auto-generate-certificates
设置token的TTL: - --token-ttl=36000 # 默认的是900s
containerPort端口:spec.template.spec.containers.ports.containerPort=8443
健康监控协议https:spec.template.spec.livenessProbe.httpGet.scheme=HTTPS
通过nodeport暴露端口:nodePort: 31666
3.1 安装:
kubectl apply -f .3.2 测试访问
浏览器输入http://集群任意IP:端口号
4.token 认证
4.1 查看dashboard的secert
[root@server1 ~]# kubectl get secret -n kube-system
kubernetes-dashboard-admin-token-8dw7k kubernetes.io/service-account-token 3 20h
kubernetes-dashboard-custom-token-gmwp6 kubernetes.io/service-account-token 3 18m4.2 查看token
[root@server1 nginx]# kubectl describe secret kubernetes-dashboard-admin-token-gd46p -n kube-system
Name: kubernetes-dashboard-admin-token-gd46p
Namespace: kube-system
Labels:
Annotations: kubernetes.io/service-account.name: kubernetes-dashboard-admin
kubernetes.io/service-account.uid: ed74d1ed-7552-11e9-af48-52540046b773
Type: kubernetes.io/service-account-token
Data
====
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZC1hZG1pbi10b2tlbi1nZDQ2cCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZC1hZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2N123vdW50LnVpZCI6ImVkNzRkMWVkLTc1NTItMTFlOS1hZjQ4LTUyNTQwMDQ2Yjc3MyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTprdWJlcm5ldGVzLWRhc2hib2FyZC1hZG1pbiJ9.tjJf7JBpJCV2kjV_C5J1sJS3zl78vrXb0aHmwnBkytv6kG8mpUvOjaAg9BPQD18dDO7znKPBA1vcSaLuWbPXHOc3dmfIl15K4N21PYmC6ZHO-MHoGJCqiYyR7Hfqp-fTbl7Mg-VNkIEfaZNgAWPOCfRRwTX9iCoUtJD_88VV2DX0hqOUjLLmF3ufCtfiT6F3k4WT3AK9qgxksz6cDw6BNsSldjgRjtMMN1-J3aM-dXtt2SRT_gLJ64XNj2u-ktEyeh5Tdsv15Pe_wAATzK11u8k7cHwp-kTEWgu8J6LTW9DrAvqdk2YjSMfYZ6DDlZd_hySDqkGPxTMFXnRIlTw
ca.crt: 1025 bytes
namespace: 11 bytes
上方命令输出的最后一行,即是认证token,全部复制到登陆页面即可登陆;
这里也提供了现成的脚本直接查询得到:
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep kubernetes-dashboard-admin-token|awk '{print $1}')|grep token:|awk '{print $2}'从不同的secret里面查询,会获取不同的token。 这里有admin token和custom token , 两者都可以登录,但是可以获取的权限并不一样。大家自己体验吧
5. 安装kubernetes-dashboard常遇到的问题
1. 访问http://10.18.18.16:8080/ui时报错:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "no endpoints available for service \"kubernetes-dashboard\"",
"reason": "ServiceUnavailable",
"code": 503
}分析:这个代表dashboard服务异常。有可能是服务没有启动,或者服务有其他异常。
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3916eb2965b5 daocloud.io/minunix/kubernetes-dashboard-amd64:v1.1.1 "/dashboard --port..." 17 hours ago Up 17 hours k8s_kubernetes-dashboard.5107afa2_kubernetes-dashboard-261059044-c5b43_kube-system_7dc03c78-6754-11e9-8853-52540046b773_df0bf636
9a314e33ce32 registry.access.redhat.com/rhel7/pod-infrastructure:latest "/usr/bin/pod" 17 hours ago Up 17 hours k8s_POD.28c50bab_kubernetes-dashboard-261059044-c5b43_kube-system_7dc03c78-6754-11e9-8853-52540046b773_2e893e1c
7a53fde13073 daocloud.io/minunix/kubernetes-dashboard-amd64:v1.1.1 "/dashboard --port..." 18 hours ago Exited (2) 17 hours ago k8s_kubernetes-dashboard.5107afa2_kubernetes-dashboard-261059044-c5b43_kube-system_7dc03c78-6754-11e9-8853-52540046b773_7e6d3211Exited 就说明没有启动。 我当时就没有启动。 请看CONTAINER ID = 7a53fde13073的容器服务, 所以需要start一下 :
docker start 7a53fde13073
如果容器启动不起来,那你就需要分析一下具体的原因了。
docker logs --tail=100 7a53fde13073
查看具体原因。 我当时也没有起来,是因为缺少一个ca文件。后来安装一下就好了。
2.在访问http://ip:8080/ui提示
Error: 'dial tcp 10.1.36.2:9090: getsockopt: connection timed out'
Trying to reach: 'http://10.1.36.2:9090/'原因通常有以下几种:
a) 需要检查apiserver的地址设置的是否正确(重启apiserver和kubenets),然后就是flannel是否配置启动
b) 配置Kubernetes网络,在master和nodes上都需要安装flannel 检查master和node上配置文件是否一致。
c) 检查iptables -L -n ,检查node节点上的FORWARD 查看转发是否是drop,如果是drop,则开启
iptables -P FORWARD ACCEPT
以上命令系统重启后就失效了
echo "net.ipv4.ip_forward = 1" >>/usr/lib/sysctl.d/50-default.conf
cat /usr/lib/sysctl.d/50-default.conf | grep forward
