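1. Goal

With the k8s cluster up and running, add some related components: dashboard, helm, and a web UI for helm.

2. Install the dashboard

Check which dashboard releases are compatible with your k8s version, and the images each release provides: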
https://github.com/kubernetes/dashboard/releases

k8s.gcr.io/kubernetes-dashboard-arm64:v1.10.1
k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
k8s.gcr.io/kubernetes-dashboard-ppc64le:v1.10.1
k8s.gcr.io/kubernetes-dashboard-arm:v1.10.1
k8s.gcr.io/kubernetes-dashboard-s390x:v1.10.1

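2.1. Dashboard image

This system is ubuntu16-x64,
so the image to use is k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
The equivalent on the mirror inside China is registry.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
This time we use k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1

2.2. Install

Download the yaml file first, then change the image address, then install.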

curl -L -o kb-dashboard.yml https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
sed -i "s#k8s.gcr.io#registry.aliyuncs.com/google_containers#g" kb-dashboard.yml
# Also add arguments at line 117: delete that line, then insert the two arguments in its place
sed -i '117d' kb-dashboard.yml
sed -i '117 s/^/        - --enable-skip-login=true\n/' kb-dashboard.yml
sed -i '117 s/^/        - --auto-generate-certificates\n/' kb-dashboard.yml

# Deploy the application
kubectl apply -f kb-dashboard.yml

# Check the deployment status
kubectl get pods -n kube-system -l k8s-app=kubernetes-dashboard

~~If access to blocked sites is not a concern, a single command is enough:
kubectl apply -f https://github.com/kubernetes/dashboard/blob/master/src/deploy/recommended/kubernetes-dashboard.yaml~~

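2.3. Set up the login account

The dashboard is now installed,
but managing k8s through it (CRUD on pods and so on) requires certain permissions.
One way is to give the dashboard itself the highest privileges (binding its service account to cluster-admin).
The other is to create a high-privilege user and log in to the dashboard with that account.
This time we choose option 1 and grant the high privileges directly.

2.3.1. Option 1: skip login
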
cat > dashboard-admin.yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system
EOF
kubectl apply -f dashboard-admin.yaml 

2.3.2. Option 2: log in with a token

Create an account

kubectl create serviceaccount tom 
kubectl create clusterrolebinding tom \
  --clusterrole=cluster-admin \
  --serviceaccount=default:tom 

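Look up the token

kubectl describe "secrets/$(kubectl get secret | grep tom | awk '{print $1}')"

Entering the token through the proxy gets no response, so access the dashboard through the nodePort configured earlier. Most browsers refuse to open https://ip; in Firefox the dashboard page only appears after clicking to accept the risk: https://192.168.88.167:30001/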

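2.4. Accessing the dashboard, method 1: proxy

Firefox or Chrome is recommended for access; browsers made in China may refuse the connection (an HTTPS certificate issue).
Through the proxy, token login does not work over https; the only way in is the permission-granting approach.

# This step can be skipped: the dashboard is reachable through the proxy, but login has problems
# Probably the proxy has trouble with https
kubectl proxy --address=0.0.0.0 --disable-filter=true
http://192.168.88.164:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login
  • address: if not set, the proxy can only be reached from the local machine
  • disable-filter=true: turns off the proxy's request filtering
  • accept-hosts='^*$': sets the host filter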

2.5. Accessing the dashboard, method 2: nodeport

alias kks='kubectl -n kube-system'
Option 3 is used here.

2.5.1. Modification option 1: live edit

Edit the service

kks edit svc kubernetes-dashboard
# Find "type: ClusterIP" and change ClusterIP to NodePort

root@pu6-km:/home/u6# kks get svc kubernetes-dashboard
NAME                   TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE
kubernetes-dashboard   NodePort   10.101.241.208   <none>        443:30366/TCP   17h

2.5.2. Modification option 2: edit the manifest

vi kb-dashboard.yml

spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30366

Update the dashboard

kubectl replace --force  -f kb-dashboard.yml

2.5.3. Modification option 3: patch directly

kks get svc kubernetes-dashboard -o json
kks patch svc kubernetes-dashboard  -p '{"spec":{"type":"NodePort"}}'

# Change NodePort back to ClusterIP
kks get svc kubernetes-dashboard -o json
kks patch svc kubernetes-dashboard --type='json' -p='[{"op": "replace", "path": "/spec/type", "value":"ClusterIP"},{"op": "remove", "path": "/spec/ports/0/nodePort"}]'

The dashboard can now be reached from outside the cluster at any node's ip + port (https), for example:
https://192.168.88.113:30366
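
An added example, not part of the original post: a Python audit of the three objects section 2 changes, reporting whether the dashboard ends up with skip-login, a cluster-admin service account and a NodePort all at once. The function names and the trimmed sample objects are constructed for illustration; on a cluster, load the output of `kks get deploy kubernetes-dashboard -o json`, `kubectl get clusterrolebindings -o json` and `kks get svc kubernetes-dashboard -o json` instead.

```python
def skip_login_enabled(deploy):
    """True if a container is started with --enable-skip-login (and not '=false')."""
    for container in deploy["spec"]["template"]["spec"]["containers"]:
        for arg in container.get("args", []):
            flag, _, value = arg.partition("=")
            if flag == "--enable-skip-login" and value.lower() != "false":
                return True
    return False

def cluster_admin_service_accounts(bindings):
    """Set of (namespace, name) for every ServiceAccount bound to cluster-admin."""
    found = set()
    for binding in bindings["items"]:
        if binding["roleRef"]["name"] != "cluster-admin":
            continue
        for subject in binding.get("subjects") or []:
            if subject["kind"] == "ServiceAccount":
                found.add((subject.get("namespace", ""), subject["name"]))
    return found

def audit(deploy, bindings, svc):
    """Combine the three settings changed in section 2 into one verdict."""
    pod = deploy["spec"]["template"]["spec"]
    sa = (deploy["metadata"]["namespace"], pod.get("serviceAccountName", "default"))
    skip = skip_login_enabled(deploy)
    admin = sa in cluster_admin_service_accounts(bindings)
    ports = [p["nodePort"] for p in svc["spec"]["ports"]
             if svc["spec"].get("type") == "NodePort" and "nodePort" in p]
    return {"skip_login": skip, "cluster_admin": admin, "node_ports": ports,
            # No login plus cluster-admin: every visitor acts as cluster-admin.
            "anonymous_cluster_admin": skip and admin,
            "reachable_on_every_node": bool(ports)}

# Constructed sample objects, trimmed to the fields read above.
DEPLOY = {"metadata": {"namespace": "kube-system"}, "spec": {"template": {"spec": {
    "serviceAccountName": "kubernetes-dashboard",
    "containers": [{"args": ["--auto-generate-certificates",
                             "--enable-skip-login=true"]}]}}}}
BINDINGS = {"items": [
    {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}, "subjects": [
        {"kind": "ServiceAccount", "name": "kubernetes-dashboard", "namespace": "kube-system"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}, "subjects": [
        {"kind": "ServiceAccount", "name": "tom", "namespace": "default"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "view"}, "subjects": [
        {"kind": "Group", "name": "constructed-viewers"}]}]}
SVC = {"spec": {"type": "NodePort", "ports": [{"port": 443, "nodePort": 30366}]}}

if __name__ == "__main__":
    import json
    print(json.dumps(audit(DEPLOY, BINDINGS, SVC), indent=2))
```

Dropping `--enable-skip-login` or pointing the binding at a narrower role turns `anonymous_cluster_admin` false; switching the Service back to ClusterIP empties `node_ports`.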

3. TODO: Heapster add-on

After installing this add-on, node memory, CPU and other metrics are visible in the dashboard.

mkdir heapster && cd heapster
wget https://raw.githubusercontent.com/kubernetes-retired/heapster/v1.5.4/deploy/kube-config/influxdb/grafana.yaml
wget https://raw.githubusercontent.com/kubernetes-retired/heapster/v1.5.4/deploy/kube-config/influxdb/heapster.yaml
wget https://raw.githubusercontent.com/kubernetes-retired/heapster/v1.5.4/deploy/kube-config/influxdb/influxdb.yaml
wget https://raw.githubusercontent.com/kubernetes-retired/heapster/v1.5.4/deploy/kube-config/rbac/heapster-rbac.yaml

# Point every downloaded manifest at the mirror registry
for yamlFile in ./*.yaml; do
  sed -i "s#gcr.io#registry.aliyuncs.com#g" "$yamlFile"
done

kubectl create -f ./

4. helm

https://github.com/helm/helm/releases

# Download the release archive once, then unpack it
curl -L -o helm.tar.gz https://storage.googleapis.com/kubernetes-helm/helm-v2.13.1-linux-amd64.tar.gz
tar zxf helm.tar.gz
mv linux-amd64/helm /usr/local/bin/helm

kubectl -n kube-system create sa tiller
kubectl create clusterrolebinding tiller --clusterrole cluster-admin --serviceaccount=kube-system:tiller

helm init --upgrade --service-account tiller  \
--stable-repo-url https://kubernetes.oss-cn-hangzhou.aliyuncs.com/charts \
-i registry.cn-hangzhou.aliyuncs.com/google_containers/tiller:v2.13.1 

kubectl -n kube-system get svc |grep tiller
helm create   myapp
helm repo update 
helm search 

https://github.com/kubeapps/kubeapps/blob/master/docs/user/access-control.md

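4.1. Graphical panel for helm

Two options

minio is object storage.
kubeapps is more focused.
With kubeapps installed, you can pick apps from the helm repositories and install them.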
https://github.com/bitnami/charts

4.1.1. Install kubeapps

helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update
helm install --name kubeapps --namespace kubeapps bitnami/kubeapps
# External access
kubectl -n kubeapps patch svc kubeapps-internal-dashboard  -p '{"spec":{"type":"NodePort"}}'

4.1.2. minio

# Not recommended for use with helm
docker pull minio/minio
docker run -p 9000:9000 minio/minio server /data