Modify permissions: change the permission settings in kubernetes-dashboard.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding # 1. Change RoleBinding to ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole # Replace with ClusterRole
  name: cluster-admin # Replace with cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
Get the token
Run the following command on the master node:
kubectl -n kube-system describe $(kubectl -n kube-system get secret -n kube-system -o name | grep namespace) | grep token
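Access address
The address must be https://IP:port, and the dashboard is supported only in the Firefox browser.
There are two ways to authenticate:
- Authenticate directly with the token we just obtained
- Authenticate with a Kubeconfig file
Just append the token obtained above to the end of the admin.conf file generated by kubeadm.
- name: kubernetes-admin
  user:
    client-certificate-data: xxxxxxxx
    client-key-data: xxxxxx
    token: "add the token here"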
Installing the monitoring component Heapster
1. Download the official yaml files
# Create a directory to hold the yaml files needed to deploy Heapster
mkdir heapster
cd heapster
# Fetch the yaml files
wget https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/influxdb/grafana.yaml
wget https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/influxdb/heapster.yaml
wget https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/influxdb/influxdb.yaml
wget https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/rbac/heapster-rbac.yaml
Note: you need to change the image addresses in the yaml files.
2. Modify heapster.yaml
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: heapster
  template:
    metadata:
      labels:
        task: monitoring
        k8s-app: heapster
    spec:
      serviceAccountName: heapster
      containers:
      - name: heapster
        # image: k8s.gcr.io/heapster-amd64:v1.5.4  Replace the default official Google image with the Alibaba Cloud mirror, otherwise, well, you know
        image: registry.cn-hangzhou.aliyuncs.com/google_containers/heapster-amd64:v1.5.4
        command:
        - /heapster
        - --source=kubernetes:https://kubernetes.default?useServiceAccount=true&kubeletHttps=true&kubeletPort=10250&insecure=true ## If the cluster was installed with kubeadm, the port must be changed here
####################
Heapster startup parameters:
inClusterConfig - Use kube config in service accounts associated with Heapster's namespace. (default: true)
kubeletPort - kubelet port to use (default: 10255)
kubeletHttps - whether to use https to connect to kubelets (default: false)
insecure - whether to trust Kubernetes certificates (default: false)
auth - client auth file to use. Set auth if the service accounts are not usable.
useServiceAccount - whether to use the service account token if one is mounted at /var/run/secrets/kubernetes.io/serviceaccount/token (default: false)
3. Deploy the yaml files directly
kubectl create -f .
4. Heapster may fail to collect data; this is caused by insufficient permissions
Modify the permissions of ClusterRole system:heapster:
1. View system:heapster in yaml format and save it as heapster-clusterrole.yaml
[root@node01 heapster-yaml]# kubectl get clusterrole system:heapster -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{"rbac.authorization.kubernetes.io/autoupdate":"true"},"labels":{"kubernetes.io/bootstrapping":"rbac-defaults"},"name":"system:heapster","namespace":""},"rules":[{"apiGroups":[""],"resources":["events","namespaces","nodes","pods","nodes/stats"],"verbs":["create","get","list","watch"]},{"apiGroups":["extensions"],"resources":["deployments"],"verbs":["get","list","watch"]}]}
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: 2018-08-26T02:26:14Z
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:heapster
  resourceVersion: "139000"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/system%3Aheapster
  uid: 67ef3689-a8d7-11e8-a891-000c29b52823
rules:
- apiGroups:
  - ""
  resources:
  - events
  - namespaces
  - nodes
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - deployments
  verbs:
  - get
  - list
  - watch
2. Add the create permission for the resource nodes/stats, then run kubectl apply -f heapster-clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:heapster
rules:
- apiGroups:
  - ""
  resources:
  - events
  - namespaces
  - nodes
  - pods
  - nodes/stats
  verbs:
  - create
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - deployments
  verbs:
  - get
  - list
  - watch
3. Delete heapster and redeploy it
kubectl delete -f heapster.yaml
kubectl apply -f heapster.yaml
Visualization - Grafana dashboard
Modify
The beginning is omitted; change the last few lines to the following:
  ports:
  - port: 80
    targetPort: 3000
    nodePort: 31112
  selector:
    k8s-app: grafana
  type: NodePort
#######################
2. Access Grafana
Address: http://<Your-IP>:31112/
Note: this is http, not https