[Kubernetes Setup (2)] Setting Up Kubernetes

Updated: 2024-10-16 04:32:49


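I. Download the resource file

wget .yaml

Then edit the file and add nodePort 30000 to expose the service:

spec:
    type: NodePort
    ports:
      - port: 443
        targetPort: 8443
        nodePort: 30000

If the download fails, create the file from the content below (it is best to save it to a local file and upload that, because pasting YAML directly tends to break the indentation).

vim ~/kubernetes-dashboard.yml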


apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard

---

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort
  ports:
    - port: 8443
      targetPort: 8443
      nodePort: 30000
  selector:
    k8s-app: kubernetes-dashboard

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
type: Opaque

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
type: Opaque
data:
  csrf: ""

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
type: Opaque

---

kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
  # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.4.0
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            #- --tls-key-file=tls.key
            #- --tls-cert-file=tls.crt
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.7
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
            - mountPath: /tmp
              name: tmp-volume
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}

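II. Create the containers

kubectl apply -f ~/kubernetes-dashboard.yml

III. Verify access

Open https://ip:30000/ in a browser (note: only Firefox can open it at this point; Chrome cannot until the certificate is configured as described below).

After accepting the risk warning, the page opens.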

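IV. Get the token and log in

1. kubectl get secret -n kubernetes-dashboard | grep kubernetes-dashboard-token

2. kubectl describe secret kubernetes-dashboard-token-98ckj -n kubernetes-dashboard (use the secret name returned by the previous command)

3. Copy the token value and log in with it.

4. Run the authorization command below; otherwise the console shows nothing (no view permission). It binds the cluster-admin role to the Dashboard's service account, so the token copied above carries full control of the cluster.

kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:kubernetes-dashboard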
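
A cluster-admin service account running behind a NodePort Service is a combination worth being able to spot in any cluster. The following is an added example, not part of the original article: it flags Deployments that run as a cluster-admin service account and sit behind a NodePort or LoadBalancer Service. The sample data is constructed to mirror the objects created on this page, and the function names are illustrative.

```python
# Constructed sample shaped like `kubectl get clusterrolebindings,deployments,services -A -o json`
# after this page's steps (fields trimmed to the ones the check reads).
NS = SA = "kubernetes-dashboard"
def _crb(name, role):
    return {"kind": "ClusterRoleBinding", "metadata": {"name": name},
            "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [{"kind": "ServiceAccount", "name": SA, "namespace": NS}]}
def _deploy(name):
    return {"kind": "Deployment", "metadata": {"name": name, "namespace": NS},
            "spec": {"template": {"metadata": {"labels": {"k8s-app": name}},
                                  "spec": {"serviceAccountName": SA}}}}
def _svc(name, typ, port):
    return {"kind": "Service", "metadata": {"name": name, "namespace": NS},
            "spec": {"type": typ, "selector": {"k8s-app": name}, "ports": [port]}}
SAMPLE = [_crb("kubernetes-dashboard", "kubernetes-dashboard"),
          _crb("dashboard-admin", "cluster-admin"),
          _deploy("kubernetes-dashboard"), _deploy("dashboard-metrics-scraper"),
          _svc("kubernetes-dashboard", "NodePort", {"port": 8443, "nodePort": 30000}),
          _svc("dashboard-metrics-scraper", "ClusterIP", {"port": 8000})]

def admin_service_accounts(items):
    """(namespace, name) of every ServiceAccount bound to cluster-admin."""
    return {(s.get("namespace"), s["name"])
            for o in items if o["kind"] == "ClusterRoleBinding"
            and o["roleRef"]["name"] == "cluster-admin"
            for s in o.get("subjects") or [] if s["kind"] == "ServiceAccount"}

def exposed_admin_workloads(items):
    """Deployments running as a cluster-admin SA behind a NodePort/LoadBalancer Service."""
    admins = admin_service_accounts(items)
    exposed = [o for o in items if o["kind"] == "Service"
               and o["spec"].get("type") in ("NodePort", "LoadBalancer")]
    findings = []
    for d in (o for o in items if o["kind"] == "Deployment"):
        ns, tpl = d["metadata"]["namespace"], d["spec"]["template"]
        sa = tpl["spec"].get("serviceAccountName", "default")
        labels = (tpl["metadata"].get("labels") or {}).items()
        for svc in (exposed if (ns, sa) in admins else []):
            sel = svc["spec"].get("selector") or {}
            if svc["metadata"]["namespace"] == ns and sel and sel.items() <= labels:
                ports = [p.get("nodePort") for p in svc["spec"]["ports"]]
                findings.append((f"{ns}/{d['metadata']['name']}", sa, ports))
    return findings

if __name__ == "__main__":
    import json, sys  # pipe real `kubectl ... -o json` output in, or run bare for the sample
    items = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    for finding in exposed_admin_workloads(items):
        print("cluster-admin workload behind an exposed Service:", finding)
```

On the sample, only the Dashboard Deployment is reported: the metrics scraper runs as the same service account but its Service is ClusterIP.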

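V. Configure the SSL certificate

1. Obtain a certificate

(1) No domain name, self-signed certificate:

# Generate the private key with owner-only permissions
(umask 077; openssl genrsa -out dashboard.key 2048)
# Create the certificate signing request
openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=mango/CN=192.168.0.240"
# Sign the request with the CA in ca.crt / ca.key, valid for 365 days
openssl x509 -req -in dashboard.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dashboard.crt -days 365

(2) With a domain name:

Baidu AI Cloud (BaiduTrust SSL certificates) or FreeSSL (a site that offers free HTTPS certificates) can both issue SSL certificates for free (single-domain only; wildcard certificates are expensive).

Issuance process: register an account and log in, add the TXT DNS record as required, then wait about 10 minutes for the certificate to be issued.

Once it is issued, download the certificate in nginx format and unzip it to get the key and crt files.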

2. Edit the kubernetes-dashboard.yml file

Find the following section (around line 200):

          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard

Add these two lines below it:

            - --tls-key-file=tls.key
            - --tls-cert-file=tls.crt

Re-apply: kubectl apply -f kubernetes-dashboard.yml

3. Create the secret

Replace the existing kubernetes-dashboard-certs secret and restart the pod, as shown below. The keys inside the secret must be named tls.key and tls.crt, because those are the file names passed to --tls-key-file and --tls-cert-file above:

kubectl delete secret kubernetes-dashboard-certs -n kubernetes-dashboard
kubectl create secret generic kubernetes-dashboard-certs --from-file=tls.key=kubernetes.sumengnan.key --from-file=tls.crt=kubernetes.sumengnan.crt -n kubernetes-dashboard
kubectl get pod -n kubernetes-dashboard | grep kubernetes-dashboard
kubectl delete pod kubernetes-dashboard-576cb95f94-xl959 -n kubernetes-dashboard

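VI. Done

Note: open port 30000 in the firewall or configure the security group accordingly.

FAQ:

1. The default NodePort range is 30000-32767. How can the port range be changed?

Solution: vim /etc/kubernetes/manifests/kube-apiserver.yaml
Add:
spec:
  containers:
  - command:
    - kube-apiserver
    - --service-node-port-range=1-65535

The change takes effect as soon as the file is saved.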

Published: 2024-03-04 18:17:26
Article link: https://www.elefans.com/category/jswz/34/1710026.html