1, k8s build See https://blog.51cto.com/lizhenliang/2325770
[root@VM_0_48_centos ~]# kubectl get cs NAME STATUS MESSAGE ERROR scheduler Healthy ok controller-manager Healthy ok etcd-1 Healthy {"health": "true"} etcd-0 Healthy {"health": "true"} etcd-2 Healthy {"health": "true"}
Note: The blog has few modifications.
/ Opt / kubernetes / cfg / groin-apiserver:
需要由:--enable-admission-plugins=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
改为: --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction 去掉:SecurityContextDeny
2, dashboard download address: / opt / dashboard / Note: admin-token.yaml created by hand
git clone https://github.com/kubernetes/kubernetes.git
[root@VM_0_48_centos dashboard]# ll *.yaml -rw-r--r-- 1 root root 515 Aug 8 10:11 admin-token.yaml -rw-r--r-- 1 root root 264 Aug 5 16:27 dashboard-configmap.yaml -rw-r--r-- 1 root root 1835 Aug 8 09:14 dashboard-controller.yaml -rw-r--r-- 1 root root 1353 Aug 5 16:27 dashboard-rbac.yaml -rw-r--r-- 1 root root 551 Aug 5 16:27 dashboard-secret.yaml -rw-r--r-- 1 root root 339 Aug 7 15:24 dashboard-service.yaml
3, modify the dashboard-service.yaml content
[root@VM_0_48_centos dashboard]# cat dashboard-service.yaml apiVersion: v1 kind: Service metadata: name: kubernetes-dashboard namespace: kube-system labels: k8s-app: kubernetes-dashboard kubernetes.io/cluster-service: "true" addonmanager.kubernetes.io/mode: Reconcile spec: type: NodePort #添加Nodeport 以便访问 selector: k8s-app: kubernetes-dashboard ports: - port: 443 targetPort: 8443
4, start the service
kubectl apply -f dashboard-configmap.yaml
kubectl apply -f dashboard-secret.yaml
kubectl apply -f dashboard-rbac.yaml
kubectl apply -f dashboard-service.yaml
kubectl apply -f dashboard-controller.yaml
5, /usr/lib/systemd/system/kubelet.service modify parameters: cluster-dns cluster-domain
kubectl describe pod kubernetes-dashboard-746dfd476-mdv5n -n kube-system
b error: kubelet does not have ClusterDNS IP configured and can not create PodJ Solutions
[root@VM_0_48_centos dashboard]# cat /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
After=docker.service
Requires=docker.service
[Service]
EnvironmentGoogle nmentFile ro = / usr / kubernetes / CFG / omelet
ExecStart = / usr / kubernetes / bin / omelet $ KUBELET_OPTS
Restart = on-failure
KillMode = process
[Install]
WantedBy=multi-user.target
[root@VM_0_48_centos dashboard]# cat /opt/kubernetes/cfg/kubelet
KUBELET_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=172.19.0.48 \
--cluster-dns=10.0.0.2 \ ### 配置dns
--cluster-domain=cluster.local \ ###配置域名
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
修改完以后,重启服务发现正常
6、权限问题 发现官网yaml授权中只有默认的defalut ,需要重新绑定角色。
[root @ VM_0_48_centos Dashboard] # CAT ADMIN-token.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 the Metadata: name: ADMIN Annotations: rbac.authorization.kubernetes.io/autoupdate: "to true" roleRef: kind : ClusterRole name: ADMIN # Cluster-term role is not the time to build the system automatically generates administrator role apiGroup: rbac.authorization.k8s.io Subjects: - kind: ServiceAccount name: ADMIN namespace: Kube-system --- apiVersion: v1 kind: ServiceAccount Metadata: name: ADMIN namespace: Kube-System Labels: kubernetes.io/cluster-service: "to true"
To the official website of yaml:
[root@VM_0_48_centos dashboard]# cat dashboard-rbac.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: labels: k8s-app: kubernetes-dashboard addonmanager.kubernetes.io/mode: Reconcile name: kubernetes-dashboard-minimal namespace: kube-system #只能看到systemo 空间 rules: # Allow Dashboard to get, update and delete Dashboard exclusive secrets. - apiGroups: [""] resources: ["secrets"] resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"] verbs: ["get", "update", "delete"] # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. - apiGroups: [""] resources: ["configmaps"] resourceNames: ["kubernetes-dashboard-settings"] verbs: ["get", "update"] # Allow Dashboard to get metrics from heapster. - apiGroups: [""] resources: ["services"] resourceNames: ["heapster"] verbs: ["proxy"] - apiGroups: [""] resources: ["services/proxy"] resourceNames: ["heapster", "http:heapster:", "https:heapster:"] verbs: ["get"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: kubernetes-dashboard-minimal namespace:Kube-System k8s-app: kubernetes-Dashboard Labels: addonmanager.kubernetes.io/mode: Reconcile roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: kubernetes-dashboard-minimal subjects: - kind: ServiceAccount name: kubernetes-dashboard namespace: kube-system
Future updates for login token:
[root@VM_0_48_centos dashboard]# kubectl describe secret/$(kubectl get secret -nkube-system |grep admin|awk '{print $1}') -nkube-system Name: admin-token-j8sjg Namespace: kube-system Labels: <none> Annotations: kubernetes.io/service-account.name: admin kubernetes.io/service-account.uid: d9e482cf-b981-11e9-9170-525400c318af Type: kubernetes.io/service-account-token Data ==== ca.crt: 1359 bytes namespace : 11 bytes token: **************************** ********************* ## design Confidential
7、更新https证书有效期,解决只能由火狐浏览器访问,其他浏览器无法访问问题。
产生证书:
mkdir key && cd key openssl genrsa -out dashboard.key 2048 openssl req -new -out dashboard.csr -key dashboard.key -subj '/CN=172.19.0.48' openssl x509 -req -in dashboard.csr -signkey dashboard.key -out dashboard.crt kubectl delete secret kubernetes-dashboard-certs -n kube-system kubectl create secret generic kubernetes-dashboard-certs --from-file=dashboard.key --from-file=dashboard.crt -n kube-system #新的证书 POD Kubernetes the Delete kubectl -dashboard-746dfd476-b2r5f -n Kube-System # to restart the service
8、效果展示: