Setting up Kubernetes with Docker for Mac
Install Docker for Mac
Download it directly from the official website and install it.
Install Kubernetes
First download the images required by k8s from a mirror:
git clone [email protected]:maguowei/k8s-docker-desktop-for-mac
After cloning, change into the directory: cd k8s-docker-desktop-for-mac
root@MacBook-Pro k8s-docker-desktop-for-mac % cat images
k8s.gcr.io/kube-proxy:v1.18.8=gotok8s/kube-proxy:v1.18.8
k8s.gcr.io/kube-controller-manager:v1.18.8=gotok8s/kube-controller-manager:v1.18.8
k8s.gcr.io/kube-scheduler:v1.18.8=gotok8s/kube-scheduler:v1.18.8
k8s.gcr.io/kube-apiserver:v1.18.8=gotok8s/kube-apiserver:v1.18.8
k8s.gcr.io/coredns:1.6.7=gotok8s/coredns:1.6.7
k8s.gcr.io/pause:3.2=gotok8s/pause:3.2
k8s.gcr.io/etcd:3.4.3-0=gotok8s/etcd:3.4.3-0
Run the image download script: ./load_images.sh
Click Apply & Restart and wait a while for the installation to finish.
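The images file maps each upstream image to a copy on a third-party mirror, so it decides what ends up running as the cluster's control plane. As an added example (not part of the original article or of the k8s-docker-desktop-for-mac repository), the Python below lints such a file before load_images.sh is run, flagging a changed name, tag or mirror namespace; it checks the mapping text only, not the image contents, and check_mapping and split_ref are names chosen for this example.

```python
EXPECTED_UPSTREAM = "k8s.gcr.io"  # registry on the left-hand side of the file
EXPECTED_MIRROR = "gotok8s"       # mirror namespace on the right-hand side


def split_ref(ref):
    """Split 'prefix/name:tag' into (prefix, name, tag); tag is '' if absent."""
    prefix, _, rest = ref.rpartition("/")
    name, _, tag = rest.partition(":")
    return prefix, name, tag


def check_mapping(text):
    """Return (line_number, problem) for every line that looks wrong."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        upstream, sep, mirror = line.partition("=")
        if not sep:
            problems.append((lineno, "missing '='"))
            continue
        u_prefix, u_name, u_tag = split_ref(upstream)
        m_prefix, m_name, m_tag = split_ref(mirror)
        if u_prefix != EXPECTED_UPSTREAM:
            problems.append((lineno, f"unexpected upstream registry {u_prefix!r}"))
        if m_prefix != EXPECTED_MIRROR:
            problems.append((lineno, f"unexpected mirror namespace {m_prefix!r}"))
        if u_name != m_name:
            problems.append((lineno, f"image name differs: {u_name!r} vs {m_name!r}"))
        if not u_tag or u_tag != m_tag or m_tag == "latest":
            problems.append((lineno, f"tag differs or is floating: {u_tag!r} vs {m_tag!r}"))
    return problems


# Two lines copied from the images file above, then two constructed bad lines.
SAMPLE = """\
k8s.gcr.io/kube-proxy:v1.18.8=gotok8s/kube-proxy:v1.18.8
k8s.gcr.io/pause:3.2=gotok8s/pause:3.2
k8s.gcr.io/etcd:3.4.3-0=gotok8s/etcd:latest
k8s.gcr.io/coredns:1.6.7=example-mirror/coredns:1.6.7
"""

if __name__ == "__main__":
    for lineno, problem in check_mapping(SAMPLE):
        print(f"line {lineno}: {problem}")
```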
Deploy the Kubernetes dashboard
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
At this point the command fails with a connection error:
The connection to the server raw.githubusercontent.com was refused - did you
Reason: the external network is not reachable.
Solution:
# Look up the real IP of raw.githubusercontent.com at https://www.ipaddress.com/.
sudo vim /etc/hosts
199.232.28.133 raw.githubusercontent.com
Re-run the command and the dashboard installs successfully.
Enable local access proxy
$ kubectl proxy
Access the Dashboard through the following link: http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/#/login
Configure console access token
If you are not logged in, you are redirected to the login page by default, where you can log in using either config or a token. Here we log in with a token.
By default, the login tokens are stored as secret objects in the kube-system namespace. List them with:
kubectl get secret -n=kube-system
root@MacBook-Pro / % kubectl get secret -n=kube-system
NAME TYPE DATA AGE
attachdetach-controller-token-zh7nl kubernetes.io/service-account-token 3 2d17h
bootstrap-signer-token-56h5s kubernetes.io/service-account-token 3 2d17h
certificate-controller-token-h8ksb kubernetes.io/service-account-token 3 2d17h
clusterrole-aggregation-controller-token-lh9hr kubernetes.io/service-account-token 3 2d17h
coredns-token-gmswh kubernetes.io/service-account-token 3 2d17h
cronjob-controller-token-2dg84 kubernetes.io/service-account-token 3 2d17h
daemon-set-controller-token-m5kt5 kubernetes.io/service-account-token 3 2d17h
default-token-fxmsx kubernetes.io/service-account-token 3 2d17h
deployment-controller-token-sb8td kubernetes.io/service-account-token 3 2d17h
disruption-controller-token-5gr2t kubernetes.io/service-account-token 3 2d17h
endpoint-controller-token-z5fdv kubernetes.io/service-account-token 3 2d17h
endpointslice-controller-token-5kb5p kubernetes.io/service-account-token 3 2d17h
expand-controller-token-vj8pq kubernetes.io/service-account-token 3 2d17h
flannel-token-b6n5r kubernetes.io/service-account-token 3 36m
generic-garbage-collector-token-mtsmx kubernetes.io/service-account-token 3 2d17h
horizontal-pod-autoscaler-token-lwqt4 kubernetes.io/service-account-token 3 2d17h
job-controller-token-wlwdk kubernetes.io/service-account-token 3 2d17h
kube-proxy-token-c6bkz kubernetes.io/service-account-token 3 2d17h
namespace-controller-token-vqv4l kubernetes.io/service-account-token 3 2d17h
node-controller-token-stx6s kubernetes.io/service-account-token 3 2d17h
persistent-volume-binder-token-nnjdv kubernetes.io/service-account-token 3 2d17h
pod-garbage-collector-token-jxj5b kubernetes.io/service-account-token 3 2d17h
pv-protection-controller-token-xfslw kubernetes.io/service-account-token 3 2d17h
pvc-protection-controller-token-pchcz kubernetes.io/service-account-token 3 2d17h
replicaset-controller-token-bdz8v kubernetes.io/service-account-token 3 2d17h
replication-controller-token-z2hc6 kubernetes.io/service-account-token 3 2d17h
resourcequota-controller-token-cxt4d kubernetes.io/service-account-token 3 2d17h
service-account-controller-token-t2zjp kubernetes.io/service-account-token 3 2d17h
service-controller-token-8xmxq kubernetes.io/service-account-token 3 2d17h
statefulset-controller-token-fskls kubernetes.io/service-account-token 3 2d17h
storage-provisioner-token-jtdbx kubernetes.io/service-account-token 3 2d17h
token-cleaner-token-hmdpr kubernetes.io/service-account-token 3 2d17h
ttl-controller-token-fbrn4 kubernetes.io/service-account-token 3 2d17h
vpnkit-controller-token-pr2mp kubernetes.io/service-account-token 3 2d17h
Most of these secrets can be used to access the dashboard. The accounts differ only in their permissions, and many are restricted and cannot perform operations. For example, we log in with the token contained in the secret named default-token-fxmsx.
Use the following command to view the value of the token contained in the secret:
kubectl describe secret -n=kube-system default-token-fxmsx
root@MacBook-Pro / % kubectl describe secret -n=kube-system default-token-fxmsx
Name: default-token-fxmsx
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: default
kubernetes.io/service-account.uid: d32da154-5849-4f48-a55d-45788ed74722
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6InlHR3BKSzI3WUxBRjhhRDJBdTBOZHh5M3Z6a3daV2tOTFRubGNpVVIwMG8ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkZWZhdWx0LXRva2VuLWZ4bXN4Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImRlZmF1bHQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJkMzJkYTE1NC01ODQ5LTRmNDgtYTU1ZC00NTc4OGVkNzQ3MjIiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06ZGVmYXVsdCJ9.LCZqTTh8UY977km9_ApB9-lLDkBeZklmw74os-AU0Iyc5X0QGWw-TRzhsmLPRMf9qtRqQBowqPBH4qDIXE8hunAZ9_FZ8-zLYszNU3KjEor_UXlXqEg3iiKijYCc7IEj1aqSrcbzJq9Okd76YObhTrOoK2iujA-Zm-XRG4makVq6wCtPBnkHL063fIVxURcqxwvacCzew5iI-F-SCE-1xu0AqvFfxEJN9SVcqXFw7-YVHaf9xQ5f83eoafkMTDl11pS6rawx-CzBbNPg7dj8EIyNv8np7zgbiPET0QJZkno1IZWZqfMfiuW7sD_sGpZDfAthC8u-x2uyzzAW3lF6hQ
Copy the token value above and paste it into the token field on the login page to log in.
How to configure a token with full permissions
Create a dashboard administrator account
kubectl create serviceaccount dashboard-admin -n kube-system
root@MacBook-Pro / % kubectl create serviceaccount dashboard-admin -n kube-system
serviceaccount/dashboard-admin created
Bind the account to the cluster-admin role
kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
root@MacBook-Pro / % kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
clusterrolebinding.rbac.authorization.k8s.io/dashboard-cluster-admin created
After these operations, because the administrative account is named dashboard-admin, the corresponding generated secret is named dashboard-admin-token-<random string>. On my machine the full name is dashboard-admin-token-h4p7c.
luwb@MacBook-Pro / % kubectl get secret -n=kube-system |grep dashboard-admin-token
dashboard-admin-token-h4p7c kubernetes.io/service-account-token 3 89s
This shows the full name of the secret. Alternatively, skip the grep pipe, list all the secrets, and find the one you need.
Then view the token with kubectl describe secret:
root@MacBook-Pro / % kubectl describe -n=kube-system secret dashboard-admin-token-h4p7c
Name: dashboard-admin-token-h4p7c
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: dashboard-admin
kubernetes.io/service-account.uid: 81849b91-d566-4f7e-96c7-99eced49e2c2
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 11 bytes
token: <token value omitted>
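As an added example (not part of the original article), the Python below decodes the claims of a secret-based service-account token such as the default and dashboard-admin tokens shown above. It reports which account the token belongs to and shows that it carries no exp claim, so a token bound to cluster-admin stays valid until its secret is deleted. The sample token is constructed and unsigned, the function names and the secret name dashboard-admin-token-xxxxx are this example's own, and decoding does not verify the signature.

```python
import base64
import json
import time

SA_PREFIX = "kubernetes.io/serviceaccount/"  # claim prefix of secret-based tokens


def b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_sa_token(token, now=None):
    """Decode (NOT verify) a service-account JWT and summarize whose it is."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    exp = claims.get("exp")
    now = time.time() if now is None else now
    return {
        "alg": header.get("alg"),
        "subject": claims.get("sub"),
        "namespace": claims.get(SA_PREFIX + "namespace"),
        "service_account": claims.get(SA_PREFIX + "service-account.name"),
        "secret": claims.get(SA_PREFIX + "secret.name"),
        "expires": exp,  # None means the token has no expiry at all
        "expired": exp is not None and exp < now,
    }


def make_sample_token():
    """Build a constructed, unsigned token with the same claim names."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {
        "iss": "kubernetes/serviceaccount",
        SA_PREFIX + "namespace": "kube-system",
        SA_PREFIX + "secret.name": "dashboard-admin-token-xxxxx",
        SA_PREFIX + "service-account.name": "dashboard-admin",
        "sub": "system:serviceaccount:kube-system:dashboard-admin",
    }
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.c2ln"  # fake signature


if __name__ == "__main__":
    for key, value in inspect_sa_token(make_sample_token()).items():
        print(f"{key:16} {value}")
```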