# Namespace that holds every Dashboard object defined below
kind: Namespace
apiVersion: v1
metadata:
  name: kubernetes-dashboard
---

# ServiceAccount the Dashboard pods run as; the Role/ClusterRole
# bindings further down grant it only what they list
kind: ServiceAccount
apiVersion: v1
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard


---

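# Service exposing the Dashboard UI.
# NOTE: type NodePort publishes port 31111 on the IP of every node, so the
# UI is reachable from anything that can reach a node. Restrict it with
# network policy / host firewall rules, or use ClusterIP and reach the UI
# through `kubectl proxy` or an authenticated ingress instead.
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort
  ports:
    - port: 443
      # custom external (node) port; must lie inside the cluster's NodePort
      # range (30000-32767 unless the apiserver was configured otherwise)
      nodePort: 31111
      # container port the Dashboard listens on (see the Deployment)
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard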


---

# Secret mounted at /certs by the Dashboard Deployment. It is created
# empty here; presumably --auto-generate-certificates populates it
# (the Role below grants get/update/delete on it) -- confirm if relied on.
kind: Secret
apiVersion: v1
type: Opaque
metadata:
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard

---

# Secret for the Dashboard's CSRF key, created with an empty value;
# the Role below lets the Dashboard ServiceAccount update it
kind: Secret
apiVersion: v1
type: Opaque
metadata:
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
data:
  csrf: ""

---

# Empty Secret reserved for the Dashboard's key material; it is one of
# the three Secrets the Role below allows the ServiceAccount to touch
kind: Secret
apiVersion: v1
type: Opaque
metadata:
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard

---

# Settings ConfigMap; the Role below grants the Dashboard get/update on it
apiVersion: v1
kind: ConfigMap
metadata:
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard

---

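# Namespaced Role for the Dashboard ServiceAccount. Every rule is pinned
# to named objects via resourceNames, so the account cannot read other
# Secrets or ConfigMaps in the namespace -- keep it that way.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Only these three Secrets may be read, updated or deleted
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames:
      - kubernetes-dashboard-key-holder
      - kubernetes-dashboard-certs
      - kubernetes-dashboard-csrf
    verbs: ["get", "update", "delete"]
  # get/update on the settings ConfigMap (Dashboard configuration)
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
  # Let the Dashboard reach the metrics scraper through the API proxy.
  # The heapster entries are kept from the recommended manifest; a
  # resourceName that matches no object grants nothing.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    # quoted: a plain scalar ending in ':' would be read as a mapping key
    resourceNames:
      - heapster
      - "http:heapster:"
      - "https:heapster:"
      - dashboard-metrics-scraper
      - "http:dashboard-metrics-scraper"
    verbs: ["get"]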

---

# Cluster-wide read access to metrics.k8s.io so the metrics scraper can
# pull pod/node metrics from the Metrics Server; nothing else is granted
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
rules:
  - apiGroups:
      - metrics.k8s.io
    resources:
      - pods
      - nodes
    verbs:
      - get
      - list
      - watch

---

# Bind the namespaced Role to the Dashboard ServiceAccount
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard
roleRef:
  kind: Role
  name: kubernetes-dashboard
  apiGroup: rbac.authorization.k8s.io

---

# Bind the metrics-only ClusterRole to the same ServiceAccount
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard
roleRef:
  kind: ClusterRole
  name: kubernetes-dashboard
  apiGroup: rbac.authorization.k8s.io

---

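# Dashboard Deployment
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  # single replica
  replicas: 1
  # number of old ReplicaSets kept for rollback
  # (this key appeared twice in the original; duplicate keys are invalid
  # YAML and most parsers silently keep only the last one)
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.7.0
          imagePullPolicy: Always
          # the container listens on 8443 (HTTPS); the Service maps 443 to it
          ports:
            - containerPort: 8443
              protocol: TCP
          # container arguments
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # The Dashboard normally discovers the apiserver by itself;
            # set the flag below only if that discovery fails.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            # TLS material from the kubernetes-dashboard-certs Secret
            - name: kubernetes-dashboard-certs
              mountPath: /certs
            # writable scratch space, since the root filesystem is read-only
            - mountPath: /tmp
              name: tmp-volume
          # liveness probe
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      # ServiceAccount the pod uses to talk to the apiserver
      serviceAccountName: kubernetes-dashboard
      # Linux nodes only
      nodeSelector:
        "kubernetes.io/os": linux
      # Tolerate the master taint; delete this block if the Dashboard must
      # not run on control-plane nodes. Clusters that taint those nodes
      # with node-role.kubernetes.io/control-plane instead need that key
      # here as well.
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule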

---

# Service in front of the metrics scraper. No type is set, so it gets the
# default ClusterIP and is only reachable from inside the cluster.
apiVersion: v1
kind: Service
metadata:
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
  labels:
    k8s-app: dashboard-metrics-scraper
spec:
  selector:
    k8s-app: dashboard-metrics-scraper
  ports:
    - port: 8000
      targetPort: 8000

---

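# Deployment of the metrics scraper that feeds node/pod metrics to the
# Dashboard UI (it reads metrics.k8s.io through the ClusterRole above)
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.8
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          # sequence indented like every other list in this file (the
          # original used a flush "- " here, which yamllint flags)
          volumeMounts:
            - mountPath: /tmp
              name: tmp-volume
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      # shares the Dashboard ServiceAccount, and therefore its RBAC grants
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Remove these tolerations if the scraper must not run on master nodes
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}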

以上即为 recommended.yaml 文件的内容。

执行后会创建一个名为 kubernetes-dashboard 的命名空间,并在其中部署 dashboard-metrics-scraper 和 kubernetes-dashboard 这两个必要的应用(镜像)。

两个 Pod 启动后,必须通过 https://&lt;节点IP&gt;:31111 访问 web 页面(Service 类型为 NodePort,该端口会在每个节点上开放)。

然后创建一个 ServiceAccount,并将 cluster-admin 权限绑定给它。

ServiceAccount 是一个对象,用于管理 Kubernetes 集群内部的身份验证和授权。它代表 Pod 内进程访问 API 时使用的身份,其权限由绑定给它的角色决定。在下面的示例中,luoxuan 是 ServiceAccount 的名称,它被创建在 kubernetes-dashboard 命名空间中。

ClusterRoleBinding 则是一种对象,它将一组用户、组或服务账号绑定到一个角色,并赋予该用户、组或服务账号所绑定角色的相应权限。在下面的示例中,luoxuan 是 ClusterRoleBinding 的名称,它将 luoxuan ServiceAccount 绑定到一个名为 cluster-admin 的 ClusterRole 上,该角色具有对整个 Kubernetes 集群的管理权限。因此由该账号生成的 token 一旦泄露,就等同于整个集群被接管;这种做法只适合实验环境,生产环境应为登录账号绑定权限范围更小的角色。

apiVersion: v1
kind: ServiceAccount  # 资源对象
metadata:
  name: luoxuan  # 自定义名称
  namespace: kubernetes-dashboard  # 针对这个命名空间
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding  # 资源对象
metadata:
  name: luoxuan  # 引用上面设置的名称
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount  # 绑定ServiceAccount服务
    name: luoxuan  # 绑定ServiceAccount的luoxuan用户
    namespace: kubernetes-dashboard  # luoxuan 所在的命名空间;权限范围由 cluster-admin 决定,是整个集群而不限于该命名空间

使用 kubectl create -f 指定这个文件,创建 ServiceAccount 和 ClusterRoleBinding 对象。

kubectl -n kubernetes-dashboard create token luoxuan

使用该命令获取一个 token 值。

在登录页面输入该 token,即可进入页面管理 k8s 集群。