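Taking on k8s! Deploying the Kubernetes dashboard (web UI) on a multi-node cluster and fixing Chrome access to the dashboard

Preface

1: Deploying the k8s web UI

1.1: On both master nodes, check that the pod resources are healthy

  • [root@master ~]# kubectl get nodes  # check that the nodes are running normally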
    NAME              STATUS   ROLES    AGE   VERSION
    192.168.233.132   Ready    <none>   8d    v1.12.3
    192.168.233.133   Ready    <none>   8d    v1.12.3
    [root@master ~]# kubectl get pods  # check that the previously created pods are running normally
    NAME                    READY   STATUS    RESTARTS   AGE
    nginx-dbddb74b8-5s6h7   1/1     Running   0          7d8h
    
    

1.2: On the master node, create a dashboard working directory and copy the files needed to deploy the web UI into it

  • Download URL (copy it directly): https://github.com/kubernetes/kubernetes/tree/master/cluster/addons/dashboard

  • [root@master dashboard]# rz -E
    rz waiting to receive.
    [root@master dashboard]# ls
    dashboard-configmap.yaml   dashboard-secret.yaml
    dashboard-deployment.yaml  dashboard-service.yaml
    dashboard-rbac.yaml        k8s-admin.yaml
    # configmap.yaml: configuration; deployment.yaml: controller; rbac.yaml: roles and access control; secret.yaml: security; service.yaml: service
    
  • In the service file, add the node access port; with type NodePort the dashboard is reachable on port 30005 of every node

  • apiVersion: v1
    kind: Service
    metadata:
      name: kubernetes-dashboard
      namespace: kube-system
      labels:
        k8s-app: kubernetes-dashboard
        kubernetes.io/cluster-service: "true"
        addonmanager.kubernetes.io/mode: Reconcile
    spec:
      type: NodePort  # added: service type
      selector:
        k8s-app: kubernetes-dashboard
      ports:
      - port: 443
        targetPort: 8443
        nodePort: 30005  # added: port opened on the nodes
    
    
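  • You also need to write an admin YAML file yourself (k8s-admin.yaml). It binds the dashboard-admin ServiceAccount to the cluster-admin ClusterRole, so that account's token has full control of the cluster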

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: dashboard-admin
      namespace: kube-system
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: dashboard-admin
    subjects:
      - kind: ServiceAccount
        name: dashboard-admin
        namespace: kube-system
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io
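
An added check, not part of the original post: the two manifests above expose the dashboard on a port of every node and give a ServiceAccount cluster-admin. This Python script flags both patterns in JSON shaped like `kubectl get ... -o json` output; the sample data is constructed, and the `view-only` binding and `reader` account in it are hypothetical.

```python
import json

# Constructed sample in the shape of `kubectl get ... -o json` output: the two
# manifests from this page plus one read-only binding (hypothetical) for contrast.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "Service",
  "metadata": {"name": "kubernetes-dashboard", "namespace": "kube-system"},
  "spec": {"type": "NodePort",
           "ports": [{"port": 443, "targetPort": 8443, "nodePort": 30005}]}},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "dashboard-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "dashboard-admin",
                "namespace": "kube-system"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "view-only"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "ServiceAccount", "name": "reader",
                "namespace": "default"}]}
]}
""")

def audit(resource_list):
    """Flag node-exposed Services and ServiceAccounts bound to cluster-admin."""
    findings = []
    for item in resource_list.get("items", []):
        kind, meta = item.get("kind"), item.get("metadata", {})
        spec = item.get("spec") or {}
        if kind == "Service" and spec.get("type") in ("NodePort", "LoadBalancer"):
            target = f'{meta.get("namespace")}/{meta.get("name")}'
            for port in spec.get("ports") or []:
                if "nodePort" in port:  # reachable on this port of every node
                    findings.append(("exposed-service", target, port["nodePort"]))
        elif (kind == "ClusterRoleBinding"
              and item.get("roleRef", {}).get("name") == "cluster-admin"):
            # "subjects" can be missing or null on an empty binding
            for subj in item.get("subjects") or []:
                if subj.get("kind") == "ServiceAccount":
                    who = f'{subj.get("namespace")}/{subj.get("name")}'
                    findings.append(("cluster-admin-serviceaccount", who, meta.get("name")))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```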
    
    

1.3: Create the corresponding resources from the uploaded files

  • Create the access-control (RBAC) resources

    [root@master dashboard]# kubectl create -f dashboard-rbac.yaml 
    role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
    rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
    [root@master dashboard]# kubectl get Role -n kube-system  # Role is the kind declared in dashboard-rbac.yaml; -n selects the namespace, which is also given in that file
    NAME                                             AGE
    extension-apiserver-authentication-reader        8d
    kubernetes-dashboard-minimal                     19s  # created successfully
    system::leader-locking-kube-controller-manager   8d
    system::leader-locking-kube-scheduler            8d
    system:controller:bootstrap-signer               8d
    system:controller:cloud-provider                 8d
    system:controller:token-cleaner                  8d
    
    
  • Create the secret resources

    [root@master dashboard]# kubectl create -f dashboard-secret.yaml 
    secret/kubernetes-dashboard-certs created
    secret/kubernetes-dashboard-key-holder created
    [root@master dashboard]# kubectl get Secret -n kube-system
    NAME                              TYPE                                  DATA   AGE
    default-token-cnnbv               kubernetes.io/service-account-token   3      8d
    kubernetes-dashboard-certs        Opaque                                0      33s
    kubernetes-dashboard-key-holder   Opaque                                0      33s
    
    
  • Create the other resources the same way

    # create the ConfigMap
    [root@master dashboard]# kubectl create -f dashboard-configmap.yaml 
    configmap/kubernetes-dashboard-settings created
    [root@master dashboard]# kubectl get Configmap -n kube-system
    NAME                                 DATA   AGE
    extension-apiserver-authentication   1      8d
    kubernetes-dashboard-settings        0      17s
    # create the controller (Deployment)
    [root@master dashboard]# kubectl create -f dashboard-deployment.yaml 
    serviceaccount/kubernetes-dashboard created
    deployment.apps/kubernetes-dashboard created
    [root@master dashboard]# kubectl get ServiceAccount -n kube-system
    NAME                   SECRETS   AGE
    default                1         8d
    kubernetes-dashboard   1         22s
    # create the Service
    [root@master dashboard]# kubectl create -f dashboard-service.yaml 
    service/kubernetes-dashboard created
    [root@master dashboard]# kubectl get service -n kube-system
    NAME                   TYPE       CLUSTER-IP   EXTERNAL-IP   PORT(S)    
    kubernetes-dashboard   NodePort   10.0.0.139   <none>        443:30005/T
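    # A pod only runs the application; once the Service exists the pod is exposed and reachable. The port comes with the Service, and the web UI is reached through the NodePort.

  • View the created pod

    [root@master dashboard]# kubectl get pods -n kube-system  # list the pods in the kube-system namespace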
    NAME                                    READY   STATUS    RESTARTS   AGE
    kubernetes-dashboard-65f974f565-gxg98   1/1     Running   0          9m45s
    # resource names can be abbreviated, and several resource types can be listed at once
    [root@master dashboard]# kubectl get pods,svc -n kube-system
    NAME                                        READY   STATUS    RESTARTS   AGE
    pod/kubernetes-dashboard-65f974f565-gxg98   1/1     Running   0          12m
    
    NAME                           TYPE       CLUSTER-IP   EXTERNAL-IP   PORT(S)         AGE
    service/kubernetes-dashboard   NodePort   10.0.0.139   <none>        443:30005/TCP   5m21s
    
    
  • See which node the pod is running on

    [root@master dashboard]# kubectl get pods -n kube-system -o wide
    NAME                                    READY   STATUS    RESTARTS   AGE   IP           NODE              NOMINATED NODE
    kubernetes-dashboard-65f974f565-gxg98   1/1     Running   0          12m   172.17.4.2   192.168.233.133   <none>
    
    
  • View the pod logs

    [root@master dashboard]# kubectl logs kubernetes-dashboard-65f974f565-gxg98 -n kube-system 
    
    
  • To summarize: k8s offers two ways to create pod resources

    1. With the kubectl command: kubectl run <name> --image=<image>

    2. From a YAML file: kubectl create -f <file>.yaml

1.4: Access the web UI and fix the access problem

  • Browse to https://192.168.233.133:30005, open the developer tools, and check the Security tab: the certificate is missing

  • Create a certificate for Chrome

  • [root@master dashboard]# vim dashboard-cert.sh
    cat > dashboard-csr.json <<EOF
    {
       "CN": "Dashboard",
       "hosts": [],
       "key": {
           "algo": "rsa",
           "size": 2048
       },
       "names": [
           {
               "C": "CN",
               "L": "BeiJing",
               "ST": "BeiJing"
           }
       ]
    }
    EOF
    
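    K8S_CA=$1  # directory holding ca.pem, ca-key.pem and ca-config.json
    cfssl gencert -ca="$K8S_CA/ca.pem" -ca-key="$K8S_CA/ca-key.pem" -config="$K8S_CA/ca-config.json" -profile=kubernetes dashboard-csr.json | cfssljson -bare dashboard
    kubectl delete secret kubernetes-dashboard-certs -n kube-system
    # --from-file=./ stores every file in the current directory in the secret, not only dashboard.pem and dashboard-key.pem
    kubectl create secret generic kubernetes-dashboard-certs --from-file=./ -n kube-system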
    
  • Run the script to generate the certificate, passing the directory that holds the cluster CA files

  • [root@master dashboard]# bash dashboard-cert.sh /root/k8s/k8s-cert/
    
  • Edit the controller (Deployment) manifest

    [root@master dashboard]# vim dashboard-deployment.yaml 
        ...content omitted
            ports:
            - containerPort: 8443
              protocol: TCP
            args:
              # PLATFORM-SPECIFIC ARGS HERE
              - --auto-generate-certificates
              - --tls-key-file=dashboard-key.pem  # add these two lines below --auto-generate-certificates
              - --tls-cert-file=dashboard.pem
    
    
  • Redeploy with the apply command to roll out the change

    [root@master dashboard]# kubectl apply -f dashboard-deployment.yaml 
    Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
    serviceaccount/kubernetes-dashboard configured
    Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
    deployment.apps/kubernetes-dashboard configured
    [root@master dashboard]# kubectl get pods -n kube-system -o wide
    NAME                                    READY   STATUS    RESTARTS   AGE   IP            NODE              NOMINATED NODE
    kubernetes-dashboard-7dffbccd68-58qms   1/1     Running   0          26s   172.17.26.3   192.168.233.132   <none>  # the pod moved to a different node
    
    
  • Access the web UI again
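
An added check, not part of the original post: because dashboard-cert.sh uses `--from-file=./`, every file in the working directory becomes a key of kubernetes-dashboard-certs (the `kubectl get secret` listing in section 1.5 shows 11 data entries). This Python script reports which keys of a secret go beyond the certificate and key the Deployment arguments name; the sample secret is constructed and its values are placeholders.

```python
import base64

# The two files the Deployment's --tls-cert-file / --tls-key-file arguments name.
EXPECTED = {"dashboard.pem", "dashboard-key.pem"}

def b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample shaped like
# `kubectl get secret kubernetes-dashboard-certs -n kube-system -o json`,
# cut down to five keys; every value is a placeholder, not real key material.
SAMPLE_SECRET = {
    "kind": "Secret",
    "metadata": {"name": "kubernetes-dashboard-certs", "namespace": "kube-system"},
    "data": {
        "dashboard.pem": b64("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n"),
        "dashboard-key.pem": b64("-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n"),
        "dashboard.csr": b64("-----BEGIN CERTIFICATE REQUEST-----\nPLACEHOLDER\n"),
        "k8s-admin.yaml": b64("kind: ClusterRoleBinding\n"),
        "dashboard-cert.sh": b64("cfssl gencert ...\n"),
    },
}

def classify(raw):
    """Rough content type of one decoded secret value."""
    text = raw.decode("utf-8", errors="replace")
    if "PRIVATE KEY-----" in text:
        return "private-key"
    if "-----BEGIN CERTIFICATE REQUEST-----" in text:
        return "csr"
    if "-----BEGIN CERTIFICATE-----" in text:
        return "certificate"
    return "other"

def audit_secret(secret, expected=EXPECTED):
    """Return (missing expected keys, {unexpected key: content type})."""
    data = secret.get("data") or {}  # "data" is absent or null on an empty secret
    missing = sorted(expected - set(data))
    extra = {key: classify(base64.b64decode(value))
             for key, value in sorted(data.items()) if key not in expected}
    return missing, extra

if __name__ == "__main__":
    print(audit_secret(SAMPLE_SECRET))
```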


1.5: Log in with a token

  • Generate the token:

    [root@master dashboard]# kubectl create -f k8s-admin.yaml 
    serviceaccount/dashboard-admin created
    clusterrolebinding.rbac.authorization.k8s.io/dashboard-admin created
    [root@master dashboard]# kubectl get secret -n kube-system
    NAME                               TYPE                                  DATA   AGE
    dashboard-admin-token-zwktc        kubernetes.io/service-account-token   3      14s  # the token has been generated
    default-token-cnnbv                kubernetes.io/service-account-token   3      8d
    kubernetes-dashboard-certs         Opaque                                11     9m58s
    kubernetes-dashboard-key-holder    Opaque                                2      35m
    kubernetes-dashboard-token-qgppd   kubernetes.io/service-account-token   3      32m
    
    
  • View the token

    [root@master dashboard]# kubectl describe secret dashboard-admin-token-zwktc -n kube-system
    Name:         dashboard-admin-token-zwktc
    Namespace:    kube-system
    Labels:       <none>
    Annotations:  kubernetes.io/service-account.name: dashboard-admin
                  kubernetes.io/service-account.uid: ec6e301f-90d4-11ea-8c4f-000c294b2dd3
    
    Type:  kubernetes.io/service-account-token
    
    Data
    ====
    ca.crt:     1359 bytes
    namespace:  11 bytes
    token:      # copy the token below and paste it into the browser
    eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.[...].n8a101tY2bjlv99A3WHiEsdlLBBnTXXeJED32lOBjJ6M66_rFDVyxzpAWqxY146NkRdaXK0eVdNzIkAPRXWEO1uHjU17T3iHeWBqSzQgzxvN2NgnAam4zQmBE4XaeO2HFv63MX4VDzvwsu8k8MeiryUEBw86DTndCfgvnxcPszq2rZR5QwiHMjAxFQMIA7SQvWj2-rDO7ln6gkqVU5fH04ujz7p2sXI_QQezFjMDTtKWFcMegT3T2gq65-CMB34MyEcxZxGWPQeDu4A4S7PLPlbr0CLdO7YVBWU_pEab0LHBlN8KsJYeZd49kBMgA-EdY5uMQJbH_XFHyGXq3VShwA
    
    
  • Access the web UI again
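
An added example, not part of the original post: the token shown by `kubectl describe secret` is a JWT whose payload names the ServiceAccount and, for a Secret-based token like this one, carries no expiry claim. This Python script decodes the payload without verifying the signature; the sample token is constructed with a placeholder signature and the hypothetical secret name `dashboard-admin-token-xxxxx`.

```python
import base64
import json
import time

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(part):
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

# Constructed token: Secret-based ServiceAccount claim names, placeholder
# signature. It is not the token from this page and is valid on no cluster.
CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/secret.name": "dashboard-admin-token-xxxxx",
    "kubernetes.io/serviceaccount/service-account.name": "dashboard-admin",
    "sub": "system:serviceaccount:kube-system:dashboard-admin",
}
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "kid": ""}).encode()),
    b64url_encode(json.dumps(CLAIMS).encode()),
    b64url_encode(b"placeholder-signature"),
])

def token_summary(token, now=None):
    """Decode (without verifying) a ServiceAccount JWT: who it is, when it expires."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    claims = json.loads(b64url_decode(parts[1]))
    exp = claims.get("exp")
    now = time.time() if now is None else now
    return {
        "subject": claims.get("sub"),
        "secret": claims.get("kubernetes.io/serviceaccount/secret.name"),
        "expires": exp,  # None: no expiry claim in the token
        "expired": exp is not None and exp <= now,
    }

if __name__ == "__main__":
    print(token_summary(SAMPLE_TOKEN))
```

A token of this kind stays valid until its Secret or ServiceAccount is deleted, so one that has been pasted into a page or chat is revoked by deleting that Secret.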

Thanks for reading! If you have any questions, let's discuss them in the comments!
