二进制安装kubernetes v1.11.2 （第十七章 dashboard 部署）

继续前一章部署。

dashboard 部署

 17.1 下载和分发二进制文件，参考 第三章

# 解压二进制文件
[root@k8s-m1 ~]# cd ~/k8s/v1.11.2/kubernetes/
[root@k8s-m1 kubernetes]# tar zxvf kubernetes-src.tar.gz
[root@k8s-m1 yaml]#  cd ~/k8s/v1.11.2/kubernetes/cluster/addons/dashboard/


# 修改  dashboard-controller.yaml 
[root@k8s-m1 dashboard]# cp dashboard-controller.yaml dashboard-controller.yaml.orig
[root@k8s-m1 dashboard]# diff dashboard-controller.yaml{,.orig}
34,35c34
<         #image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.8.3
<         image: registry.cn-shenzhen.aliyuncs.com/kubernetes-dashboard-amd64:v1.8.3
---
>         image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.8.3

# 关于  dashboard-controller.yaml 的修改，也可以用另外一种不修改 yaml 的方法。
# 即：先在节点上 download dashboard 的镜像，然后修改 tag 后直接执行 yaml 文件
# 先看一下 yaml 里面 image 的值：
[root@k8s-m1 dashboard]# grep image dashboard-controller.yaml
        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.8.3
# 然后下载并修改 tag
[root@k8s-m2 ~]# docker pull registry.cn-hangzhou.aliyuncs.com/kube_containers/kubernetes-dashboard-amd64:v1.8.3
[root@k8s-m2 ~]# docker tag registry.cn-hangzhou.aliyuncs.com/kube_containers/kubernetes-dashboard-amd64:v1.8.3 k8s.gcr.io/kubernetes-dashboard-amd64:v1.8.3


# 修改 dashboard-service.yaml
[root@k8s-m1 dashboard]# cp dashboard-service.yaml dashboard-service.yaml.orig
[root@k8s-m1 dashboard]# diff dashboard-service.yaml.orig dashboard-service.yaml
10a11
>   type: NodePort
[root@k8s-m1 dashboard]# 

17.2 执行所有定义文件

[root@k8s-m1 dashboard]# ls *.yaml
dashboard-configmap.yaml  dashboard-controller.yaml  dashboard-rbac.yaml  dashboard-secret.yaml  dashboard-service.yaml
# 执行定义的 yaml
[root@k8s-m1 dashboard]# kubectl apply -f .
configmap/kubernetes-dashboard-settings created
serviceaccount/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-key-holder created
service/kubernetes-dashboard created

17.3 查看分配的 NodePort

[root@k8s-m1 dashboard]# kubectl get deployment kubernetes-dashboard  -n kube-system
NAME                   DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
kubernetes-dashboard   1         1         1            1           6m
[root@k8s-m1 dashboard]# kubectl --namespace kube-system get pods -o wide
NAME                                    READY     STATUS    RESTARTS   AGE       IP            NODE      NOMINATED NODE
coredns-55877fc9fb-btn4p                1/1       Running   0          1h        172.30.10.3   k8s-m2    <none>
kubernetes-dashboard-69db8c7745-84vbx   1/1       Running   1          6m        172.30.10.5   k8s-m2    <none>
[root@k8s-m1 dashboard]# kubectl get services kubernetes-dashboard -n kube-system
NAME                   TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE
kubernetes-dashboard   NodePort   10.254.127.159   <none>        443:8789/TCP   6m

• 可以修改 dashboard-service.yaml 添加一个 nodePort: 8888，指定端口
• dashboard 的 --authentication-mode 支持 token、basic，默认为 token。如果使用 basic，则 kube-apiserver 必须配置 '--authorization-mode=ABAC' 和 '--basic-auth-file' 参数

17.4 查看 dashboard 支持的命令行参数

[root@k8s-m1 dashboard]# kubectl exec --namespace kube-system -it kubernetes-dashboard-69db8c7745-84vbx  -- /dashboard --help
2018/11/14 10:15:50 Starting overwatch
Usage of /dashboard:
      --alsologtostderr                   log to standard error as well as files
      --apiserver-host string             The address of the Kubernetes Apiserver to connect to in the format of protocol://address:port, e.g., http://localhost:8080. If not specified, the assumption is that the binary runs inside a Kubernetes cluster and local discovery is attempted.
      --authentication-mode stringSlice   Enables authentication options that will be reflected on login screen. Supported values: token, basic. Default: token.Note that basic option should only be used if apiserver has '--authorization-mode=ABAC' and '--basic-auth-file' flags set. (default [token])
      --auto-generate-certificates        When set to true, Dashboard will automatically generate certificates used to serve HTTPS. Default: false.
      --bind-address ip                   The IP address on which to serve the --secure-port (set to 0.0.0.0 for all interfaces). (default 0.0.0.0)
      --default-cert-dir string           Directory path containing '--tls-cert-file' and '--tls-key-file' files. Used also when auto-generating certificates flag is set. (default "/certs")
      --disable-settings-authorizer       When enabled, Dashboard settings page will not require user to be logged in and authorized to access settings page.
      --enable-insecure-login             When enabled, Dashboard login view will also be shown when Dashboard is not served over HTTPS. Default: false.
      --heapster-host string              The address of the Heapster Apiserver to connect to in the format of protocol://address:port, e.g., http://localhost:8082. If not specified, the assumption is that the binary runs inside a Kubernetes cluster and service proxy will be used.
      --insecure-bind-address ip          The IP address on which to serve the --port (set to 0.0.0.0 for all interfaces). (default 127.0.0.1)
      --insecure-port int                 The port to listen to for incoming HTTP requests. (default 9090)
      --kubeconfig string                 Path to kubeconfig file with authorization and master location information.
      --log_backtrace_at traceLocation    when logging hits line file:N, emit a stack trace (default :0)
      --log_dir string                    If non-empty, write log files in this directory
      --logtostderr                       log to standard error instead of files
      --metric-client-check-period int    Time in seconds that defines how often configured metric client health check should be run. Default: 30 seconds. (default 30)
      --port int                          The secure port to listen to for incoming HTTPS requests. (default 8443)
      --stderrthreshold severity          logs at or above this threshold go to stderr (default 2)
      --system-banner string              When non-empty displays message to Dashboard users. Accepts simple HTML tags. Default: ''.
      --system-banner-severity string     Severity of system banner. Should be one of 'INFO|WARNING|ERROR'. Default: 'INFO'. (default "INFO")
      --tls-cert-file string              File containing the default x509 Certificate for HTTPS.
      --tls-key-file string               File containing the default x509 private key matching --tls-cert-file.
      --token-ttl int                     Expiration time (in seconds) of JWE tokens generated by dashboard. Default: 15 min. 0 - never expires (default 900)
  -v, --v Level                           log level for V logs
      --vmodule moduleSpec                comma-separated list of pattern=N settings for file-filtered logging
command terminated with exit code 2

17.5 访问 dashboard