手动部署一个单节点kubernetes

简要说明

我们知道,kubenretes的安装非常复杂,因为组件众多。为此各开源社区以及一些商业公司都发布了一些针对kubernetes集成安装组件,包括kubernetes官方的kubeadm, minikube,基于ubuntu的conjure-up,以及rancher等。但是我个人,是不太喜欢使用集成软件来完成应用部署的。使用集成软件部署固然简化了部署成本,却提升了维护成本,也不利于使用人员对软件原理的理解。所以我宁愿通过自己编写salt或者ansible配置文件的方式来实现应用的自动化部署。但这种方式就要求我们对应用的各组件必须要有深入的了解。

本篇文档我们就通过纯手动的方式来完成kubernetes 1.11.1的单节点部署。

安装组件如下:

  • etcd
  • kube-apiserver
  • kube-scheduler
  • kube-controller-manager
  • kubelet
  • kube-proxy
  • coredns
  • dashboard
  • heapster + influxdb + grafana

安装环境说明

ip system role
192.168.198.135 ubuntu 18.04 etcd、master、node

部署

生成相关证书

证书类型说明

证书名称 配置文件 用途
ca.pem ca-csr.json ca根证书
kube-proxy.pem ca-config.json kube-proxy-csr.json kube-proxy使用的证书
admin.pem admin-csr.json ca-config.json kubectl 使用的证书
kubernetes.pem ca-config.json kubernetes-csr.json apiserver使用的证书

安装cfssl证书生成工具

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo

生成CA证书

创建存放证书目录:

mkdir /root/ssl/

创建/root/ssl/ca-config.json文件,内容如下:

{
    "signing": {
        "default": {
            "expiry": "175200h"
        },
        "profiles": {
            "kubernetes": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}

字段说明:

  • ca-config.json:可以定义多个Profiles,分别指定不同的过期时间、使用场景等参数;后续在签名证书的时候使用某个Profile。这里定义了两个Profile,一个用于kubernetes,一个用于etcd,我这里etcd没有使用证书,所以另一个不使用。
  • signing:表示该 证书可用于签名其他证书;生成的ca.pem证书中CA=TRUE
  • server auth:表示client可以使用该ca对server提供的证书进行验证
  • client auth:表示server可以用该ca对client提供的证书进行验证

创建/root/ssl/ca-csr.json内容如下:

{
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Wuhan",
            "ST": "Hubei",
            "O": "k8s",
            "OU": "System"
        }
    ]
}

生成CA证书:

cfssl gencert --initca=true ca-csr.json | cfssljson --bare ca

生成Kubernetes master节点使用的证书

创建/root/ssl/kubernetes-csr.json文件,内容如下:

{
    "CN": "kubernetes",
    "hosts": [
        "127.0.0.1",
        "localhost",
        "192.168.198.135"
        "10.254.0.1",
        "kubernetes",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "Hubei",
            "L": "Wuhan",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
  • hosts字段用于指定授权使用该证书的IP和域名列表,因为现在要生成的证书需要被Kubernetes master节点使用,所以指定了kubenetes master节点的ip和hostname

生成kubernetes证书:

cfssl gencert --ca ca.pem --ca-key ca-key.pem --config ca-config.json --profile kubernetes kubernetes-csr.json | cfssljson --bare kubernetes

生成kubectl证书

创建/root/ssl/admin-csr.json文件,内容如下:

{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Hubei",
      "L": "Wuhan",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
  • kube-apiserver会提取CN作为客户端的用户名,这里是admin,将提取O作为用户的属组,这里是system:masters
  • 后续kube-apiserver使用RBAC对客户端(如kubelet、kube-proxy、pod)请求进行授权
  • apiserver预定义了一些RBAC使用的ClusterRoleBindings,例如cluster-admin将组system:masters与CluasterRole cluster-admin绑定,而cluster-admin拥有访问apiserver的所有权限,因此admin用户将作为集群的超级管理员。

生成kubectl证书:

cfssl gencert --ca ca.pem --ca-key ca-key.pem --config ca-config.json --profile kubernetes admin-csr.json | cfssljson --bare admin

生成kube-proxy证书

创建/root/ssl/kube-proxy-csr.json文件,内容如下:

{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Hubei",
      "L": "Wuhan",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
  • CN指定该证书的user为system:kube-proxy
  • kube-apiserver预定义的RoleBinding 将User system:kube-proxy与Role system:node-proxier绑定,该role授予了调用kube-apiserver Proxy相关API的权限;

生成kube-proxy证书:

cfssl gencert --ca ca.pem --ca-key ca-key.pem --config ca-config.json --profile kubernetes kube-proxy-csr.json | cfssljson --bare kube-proxy

校验证书,我们这里以校验kubernetes.pem为例:

{
  "subject": {
    "common_name": "kubernetes",
    "country": "CN",
    "organization": "k8s",
    "organizational_unit": "System",
    "locality": "Wuhan",
    "province": "Hubei",
    "names": [
      "CN",
      "Hubei",
      "Wuhan",
      "k8s",
      "System",
      "kubernetes"
    ]
  },
  "issuer": {
    "country": "CN",
    "organization": "k8s",
    "organizational_unit": "System",
    "locality": "Wuhan",
    "province": "Hubei",
    "names": [
      "CN",
      "Hubei",
      "Wuhan",
      "k8s",
      "System"
    ]
  },
  "serial_number": "604093852911522162752840982392649683093741969960",
  "sans": [
    "localhost",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local",
    "127.0.0.1",
    "192.168.198.135",
    "10.254.0.1"
  ],
  "not_before": "2018-08-10T05:15:00Z",
  "not_after": "2038-08-05T05:15:00Z",
  "sigalg": "SHA256WithRSA",
  "authority_key_id": "DA:57:77:4C:1F:35:8E:FE:F9:15:2:7A:25:BB:77:DC:3C:36:8A:84",
  "subject_key_id": "C2:6A:A6:75:AA:DC:4F:4A:75:D1:4C:60:B3:DF:56:68:34:A:39:15",
  "pem": "-----BEGIN CERTIFICATE-----\nMIIEZzCCA0+gAwIBAgIUadCBVqjv5DTo7Hjm80AKo3XxIigwDQYJKoZIhvcNAQEL\nBQAwTDELMAkGA1UEBhMCQ04xDjAMBgNVBAgTBUh1YmVpMQ4wDAYDVQQHEwVXdWhh\nbjEMMAoGA1UEChMDazhzMQ8wDQYDVQQLEwZTeXN0ZW0wHhcNMTgwODEwMDUxNTAw\nWhcNMzgwODA1MDUxNTAwWjBhMQswCQYDVQQGEwJDTjEOMAwGA1UECBMFSHViZWkx\nDjAMBgNVBAcTBVd1aGFuMQwwCgYDVQQKEwNrOHMxDzANBgNVBAsTBlN5c3RlbTET\nMBEGA1UEAxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\nggEBALfgHIhOVEinORPv6ijwWeJxxM6uDORM/kWl0nwHpn3TQZF3jOsQVSs3LOuD\n6SlkRWtsYAGwm0SnEhEDefCn5xmbHSW0YmWYoBE2BerlwLqmaS2eRy4vjCHgkreb\nL+K5rRN+ZW5NOsegrCxzT3h1WWBVEmG/HztwQvrGP9mRbyfI1/pwC7iqoeAzYPx6\nuCPReRFpDpwLb8ESFtMLyUWXaXs2j1csTDTadDdigEA9UmabVYfcycw4mGXr0CcV\n+oqBz2sGGZWY52SZ7FlOS5adydplda7Jpz2C4TMu7XAjW6zvRVxup31W4pDCwjFh\n2InQUJU1dcMi5gZhEhKK3flHKDECAwEAAaOCASowggEmMA4GA1UdDwEB/wQEAwIF\noDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAd\nBgNVHQ4EFgQUwmqmdarcT0p10Uxgs99WaDQKORUwHwYDVR0jBBgwFoAU2ld3TB81\njv75FQJ6Jbt33Dw2ioQwgaYGA1UdEQSBnjCBm4IJbG9jYWxob3N0ggprdWJlcm5l\ndGVzghJrdWJlcm5ldGVzLmRlZmF1bHSCFmt1YmVybmV0ZXMuZGVmYXVsdC5zdmOC\nHmt1YmVybmV0ZXMuZGVmYXVsdC5zdmMuY2x1c3RlcoIka3ViZXJuZXRlcy5kZWZh\ndWx0LnN2Yy5jbHVzdGVyLmxvY2FshwR/AAABhwTAqMaHhwQK/gABMA0GCSqGSIb3\nDQEBCwUAA4IBAQAa20xc+o6H9qyADwsP9Exv5xpvfUMtuQwGY2LdAB6c02hOPy2Q\nDSRBPFfD6UrM3psFnNZUqnnnsylQ9Y9ib5dGfqKJAbaN6eltEd994TKS3/+FtvP3\nIfByaT1YYI0RSOAs/37qEHv8aTfLSMDK+41+Ruch2a40K5xd1o8q3rUY9EgM9Vc+\nQ2uHmc1D9+7b/VE1VrbW3u/TNrcV4uVsRJrY40ugD4X170C8xyryaInrXg/70kmS\ntKwEdLr6l6dWb8yZpITADAhoOgRPmok6h37gfe9ef2RcY1Q646prMVOmYOd0jNij\ncyZYDvOd1FKg5JhqlRFtaSS7RHcebys3v/Dx\n-----END CERTIFICATE-----\n"
}

将所有证书复制到/etc/kubernete/ssl目录下:

mkdir /etc/kubernetes/ssl
cp /root/ssl/*.pem /etc/kuberetes/ssl/

生成token及kubeconfig

在本次配置中,我们将会同时启用证书认证,token认证,以及http basic认证。所以需要提前生成token认证文件,basic认证文件以及kubeconfig

以下所有操作都直接在/etc/kubernetes目录进行

生成token文件

export BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
cat > bootstrap-token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF

生成http basic认证文件

cat > basic-auth.csv <<EOF
admin,admin,1
EOF

生成用于kubelet认证使用的bootstrap.kubeconfig文件

export KUBE_APISERVER="https://192.168.198.135:6443"
# 设置集群参数,即api-server的访问方式,给集群起个名字就叫kubernetes
kubectl config set-cluster kubernetes \
  --certificate-authority=ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=bootstrap.kubeconfig
  
# 设置客户端认证参数,这里采用token认证
kubectl config set-credentials kubelet-bootstrap \
  --token=${BOOTSTRAP_TOKEN} \
  --kubeconfig=bootstrap.kubeconfig

# 设置上下文参数,用于连接用户kubelet-bootstrap与集群kubernetes
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=bootstrap.kubeconfig
  
# 设置默认上下文
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig

生成kube-proxy使用的kube-proxy.kubeconfig文件

# 设置集群参数
kubectl config set-cluster kubernetes \
  --certificate-authority=ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=kube-proxy.kubeconfig
# 设置客户端认证参数
kubectl config set-credentials kube-proxy \
  --client-certificate=kube-proxy.pem \
  --client-key=kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig
# 设置上下文参数
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig
# 设置默认上下文
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig

部署etcd

我们已经提前下载好所有组件的二进制文件,并且全部拷贝到了/usr/local/bin目录下。所以这里只配置各服务相关的启动文件。

创建etcd的启动文件/etc/systemd/system/etcd.service,内容如下:

[Unit]
Description=Etcd
After=network.target
Before=flanneld.service

[Service]
User=root
ExecStart=/usr/local/bin/etcd \
-name etcd1 \
-data-dir /var/lib/etcd \
--advertise-client-urls http://192.168.198.135:2379,http://127.0.0.1:2379 \
--listen-client-urls http://192.168.198.135:2379,http://127.0.0.1:2379
Restart=on-failure
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

启动etcd:

systemctl daemon-reload
systemctl start etcd
systemctl enable etcd

部署master

kube-apiserver

创建kube-apiserver的启动文件/etc/systemd/system/kube-apiserver.service,内容如下:

[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
ExecStart=/usr/local/bin/kube-apiserver \
  --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction \
  --apiserver-count=3 \
  --bind-address=192.168.198.135 \
  --insecure-bind-address=127.0.0.1 \
  --insecure-port=8080 \
  --secure-port=6443 \
  --authorization-mode=Node,RBAC \
  --runtime-config=rbac.authorization.k8s.io/v1 \
  --kubelet-https=true \
  --anonymous-auth=false \
  --basic-auth-file=/etc/kubernetes/basic-auth.csv \
  --enable-bootstrap-token-auth \
  --token-auth-file=/etc/kubernetes/bootstrap-token.csv \
  --service-cluster-ip-range=10.254.0.0/16 \
  --service-node-port-range=20000-40000 \
  --tls-cert-file=/etc/kubernetes/ssl/kubernetes.pem \
  --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-key.pem \
  --client-ca-file=/etc/kubernetes/ssl/ca.pem \
  --service-account-key-file=/etc/kubernetes/ssl/ca-key.pem \
  --etcd-servers=http://192.168.198.135:2379 \
  --etcd-quorum-read=true \
  --enable-swagger-ui=true \
  --allow-privileged=true \
  --audit-log-maxage=30 \
  --audit-log-maxbackup=3 \
  --audit-log-maxsize=100 \
  --audit-log-path=/var/log/kube-apiserver-audit.log \
  --event-ttl=1h \
  --v=2 \
  --logtostderr=true
Restart=on-failure
RestartSec=5
Type=notify
LimitNOFILE=65536

启动kube-apiserver:

systemctl daemon-reload
systemctl start kube-apiserver
systemctl enable kube-apiserver

kube-controller-manager

创建kube-controller-manager的启动文件/etc/systemd/system/kube-controller-manager.service,内容如下:

[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/GoogleCloudPlatform/kubernetes

[Service]
ExecStart=/usr/local/bin/kube-controller-manager \
  --cluster-name=kubernetes \
  --address=127.0.0.1 \
  --master=http://127.0.0.1:8080 \
  --service-cluster-ip-range=10.254.0.0/16 \
  --cluster-signing-cert-file=/etc/kubernetes/ssl/ca.pem \
  --cluster-signing-key-file=/etc/kubernetes/ssl/ca-key.pem \
  --service-account-private-key-file=/etc/kubernetes/ssl/ca-key.pem \
  --root-ca-file=/etc/kubernetes/ssl/ca.pem \
  --node-monitor-grace-period=40s \
  --node-monitor-period=5s \
  --pod-eviction-timeout=5m0s \
  --controllers=*,bootstrapsigner,tokencleaner \
  --horizontal-pod-autoscaler-use-rest-clients=false \
  --leader-elect=true \
  --v=2 \
  --logtostderr=true

Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

启动kube-controller-manager服务:

systemctl daemon-reload
systemctl start kube-controller-manager
systemctl enable kube-controller-manager

kube-scheduler

创建kube-scheduler的启动文件/etc/systemd/system/kube-scheduler.service,内容如下:

[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/GoogleCloudPlatform/kubernetes

[Service]
ExecStart=/usr/local/bin/kube-scheduler \
  --address=127.0.0.1 \
  --master=http://127.0.0.1:8080 \
  --leader-elect=true \
  --v=2 \
  --logtostderr=true

Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.targe

启动kube-scheduler:

systemctl daemon-reload
systemctl start kube-scheduler
systemctl enable kube-shceudler

配置rbac授权

# 绑定kubelet-bootstrap用户到system:node-bootstrapper权限组

/usr/local/bin/kubectl create clusterrolebinding kubelet-bootstrap-clusterbinding --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap

# 绑定system:nodes组到system:node权限组

/usr/local/bin/kubectl create clusterrolebinding kubelet-node-clusterbinding --clusterrole=system:node --group=system:nodes

部署Node

docker

安装:

# step 1: 安装必要的一些系统工具
sudo apt-get update
sudo apt-get -y install apt-transport-https ca-certificates curl software-properties-common
# step 2: 安装GPG证书
curl -fsSL http://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | sudo apt-key add -
# Step 3: 写入软件源信息
sudo add-apt-repository "deb [arch=amd64] http://mirrors.aliyun.com/docker-ce/linux/ubuntu $(lsb_release -cs) stable"
# Step 4: 更新并安装 Docker-CE
sudo apt-get -y update
sudo apt-get -y install docker-ce

配置:

修改/etc/docker/daemon.json内容如下:

{
  "registry-mirrors": ["http://5dd4061a.m.daocloud.io"]
}

启动:

systemctl start docker
systemctl enable docker

kubelet

创建kubelet的启动文件/etc/systemd/system/kubelet.service,内容如下:

[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service

[Service]
#WorkingDirectory=/var/lib/kubelet
ExecStart=/usr/local/bin/kubelet \
  --address=192.168.198.135 \
  --hostname-override=192.168.198.135 \
  --cgroup-driver=cgroupfs \
  --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0 \
  --experimental-bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig \
  --kubeconfig=/etc/kubernetes/kubelet.kubeconfig \
  --cert-dir=/etc/kubernetes/ssl \
  --cluster-dns=10.254.0.100 \
  --cluster-domain=cluster.local. \
  --hairpin-mode=promiscuous-bridge \
  --allow-privileged=true \
  --fail-swap-on=false \
  --serialize-image-pulls=false \
  --max-pods=30 \
  --logtostderr=true \
  --v=2 
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

启动kubelet:

systemctl daemon-reload
systemctl start kubelet
systemctl enable kubelet

在master上为kubelet颁发证书:

# node节点正常启动以后,在master端执行kubectl get nodes看不到node节点,这是因为node节点启动后先向master申请证书,master签发证书以后,才能加入到集群中,如下:

# 查看 csr
➜  kubectl get csr
NAME        AGE       REQUESTOR           CONDITION
csr-l9d25   2m        kubelet-bootstrap   Pending

# 签发证书
➜  kubectl certificate approve csr-l9d25
certificatesigningrequest "csr-l9d25" approved

这时,在master上执行kubectl get nodes就可以看到一个node节点:

# 查看 node
➜  kubectl get node
NAME          STATUS    AGE       VERSION
192.168.198.135   Ready     3m        v1.11.1

kube-proxy

创建kube-proxy的启动文件/etc/systemd/system/kube-proxy.service,内容如下:

[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
#WorkingDirectory=/var/lib/kube-proxy
ExecStart=/usr/local/bin/kube-proxy \
  --bind-address=192.168.198.135 \
  --hostname-override=192.168.198.135 \
  --kubeconfig=/etc/kubernetes/kube-proxy.kubeconfig \
  --v=2 \
  --cluster-cidr=10.254.0.0/16

Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

启动kube-proxy:

systemctl daemon-reload
systemctl start kube-proxy
systemctl enable kube-proxy

如果kube-proxy正常启动,但是运行应用的时候,发现kube-proxy的网络不通,查看日志,抛如下异常:

Failed to delete stale service IP 10.254.0.100 connections, error: error deleting connection tracking state for UDP service IP: 10.254.0.100, error: error looking for path of conntrack: exec: "conntrack": executable file not found in $PATH

则需要安装如下组件:

apt install conntrack conntrackd  nfct

如果是在centos7上,则安装:

yum install conntrack-tools

安装Add-ons

创建/root/k8s-yamls目录,以下所有操作都在这里进行

coredns

创建/root/k8s-yamls/coredns目录

mkdir -p /root/k8s-yamls/coredns

获取coredns配置示例文件:

cd /root/k8s-yamls/coredns

wget https://raw.githubusercontent.com/kubernetes/kubernetes/master/cluster/addons/dns/coredns/coredns.yaml.sed

mv coredns.yaml.sed coredns.yaml

修改coredns.yaml里三个地方:

  • $DNS_DOMAIN 修改为 cluster.local
  • $DNS_SREVER_IP 修改为 10.254.0.100
  • k8s.gcr.io/coredns:1.1.3修改为registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:1.1.3

启动coredns:

kubectl apply -f coredns.yaml

dashboard

启动dashboard:

# 注意:需要修改镜像地址到国内源,我们使用阿里源
wget https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

kubectl create -f kubernetes-dashboard.yaml

为dashboard创建授权用户:

# 在上面我创建basic-auth.csv文件时,创建了一个用户admin,这个用户用于访问dashboard时的http basic认证,通过rbac为其授权如下:

kubectl create clusterrolebinding login-on-dashboard-with-cluster-admin --clusterrole=cluster-admin --user=admin
clusterrolebinding "login-on-dashboard-with-cluster-admin" created

这个用户用于访问dashboard时的http basic认证

为dashboard创建授权serviceaccount:

# 要访问dashboard,还需要令牌认证,创建一个名为admin-user的serviceaccount,并为其授权:

# 创建ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system

# 创建rbac授权
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
  
kubectl create -f admin-user.yaml
kubectl create -f admin-user.rbac.yaml

获取admin-user这个serviceaccount的token,用于令牌验证:

kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')

注:Kubernetes API Server新增了--anonymous-auth选项,允许匿名请求访问secure port。没有被其他authentication方法拒绝的请求即Anonymous requests, 这样的匿名请求的username为”system:anonymous”, 归属的组为”system:unauthenticated”。并且该选线是默认的。这样一来,当采用chrome浏览器访问dashboard UI时很可能无法弹出用户名、密码输入对话框,导致后续authorization失败。为了保证用户名、密码输入对话框的弹出,需要将–-anonymous-auth设置为false

访问dashbaord:

https://192.168.198.135:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

heapster + influxdb + grafana

# 注: 所有文件中都需要修改镜像源
wget https://raw.githubusercontent.com/kubernetes/heapster/release-1.5/deploy/kube-config/influxdb/grafana.yaml
wget https://raw.githubusercontent.com/kubernetes/heapster/release-1.5/deploy/kube-config/rbac/heapster-rbac.yaml
wget https://raw.githubusercontent.com/kubernetes/heapster/release-1.5/deploy/kube-config/influxdb/heapster.yaml
wget https://raw.githubusercontent.com/kubernetes/heapster/release-1.5/deploy/kube-config/influxdb/influxdb.yaml

kubectl create -f ./
posted @ 2018-08-10 19:10  breezey  阅读(...)  评论(... 编辑 收藏