Kubernetes: Deploying the Web Management UI (Dashboard) on a Dual-Master Binary Cluster (Creating a Self-Signed Certificate for Google Chrome)
Preface:
This builds on the earlier single-node and multi-master deployments.
Deployment location
Create the dashboard working directory
[root@master01 ~]# cd /root/k8s/
[root@master01 k8s]# mkdir dashboard
Copy the official files
Note: the 5 yaml files (all except k8s-admin.yaml) come from the official documentation
[root@master01 ~]# cd /root/k8s/dashboard/
[root@master01 dashboard]# ls
dashboard-configmap.yaml dashboard-rbac.yaml dashboard-service.yaml
dashboard-controller.yaml dashboard-secret.yaml k8s-admin.yaml
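Note: load all the files in order to create the Pod resources and install the web UI.
k8s-admin.yaml is written by hand:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-admin
  namespace: kube-system
---
kind: ClusterRoleBinding
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; use rbac.authorization.k8s.io/v1 on newer clusters
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: dashboard-admin
subjects:
  - kind: ServiceAccount
    name: dashboard-admin
    namespace: kube-system
roleRef:
  kind: ClusterRole
  # cluster-admin gives this account's token full control of the cluster
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io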
Create the resources
Create the security framework (RBAC)
[root@master01 ~]# cd /root/k8s/dashboard/
[root@master01 dashboard]# kubectl create -f dashboard-rbac.yaml
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
[root@master01 dashboard]# kubectl get role -n kube-system # view the resources
NAME AGE
extension-apiserver-authentication-reader 35h
kubernetes-dashboard-minimal 94s # the resource just created
system::leader-locking-kube-controller-manager 35h
system::leader-locking-kube-scheduler 35h
system:controller:bootstrap-signer 35h
system:controller:cloud-provider 35h
system:controller:token-cleaner 35h
Create the secret resources
[root@master01 dashboard]# kubectl create -f dashboard-secret.yaml
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-key-holder created
[root@master01 dashboard]# kubectl get secret -n kube-system
NAME TYPE DATA AGE
default-token-xcxt2 kubernetes.io/service-account-token 3 35h
kubernetes-dashboard-certs Opaque 0 47s
kubernetes-dashboard-key-holder Opaque 0 47s
[root@master01 dashboard]# kubectl create -f dashboard-configmap.yaml
configmap/kubernetes-dashboard-settings created
[root@master01 dashboard]# kubectl get configmap -n kube-system
NAME DATA AGE
extension-apiserver-authentication 1 36h
kubernetes-dashboard-settings 0 45s
[root@master01 dashboard]# kubectl create -f dashboard-controller.yaml
serviceaccount/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
[root@master01 dashboard]# kubectl get ServiceAccount -n kube-system
NAME SECRETS AGE
default 1 35h
kubernetes-dashboard 1 47s
[root@master01 dashboard]# kubectl create -f dashboard-service.yaml
service/kubernetes-dashboard created
[root@master01 dashboard]# kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes-dashboard NodePort 10.0.0.237 <none> 443:30001/TCP 35s
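After completion, check what was created in the kube-system namespace
Note: once creation is complete, you can view the resource types created in the kube-system namespace, such as pods and services.
Check which node the resources were created on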
[root@master01 dashboard]# kubectl get pods,svc -n kube-system
NAME READY STATUS RESTARTS AGE
pod/kubernetes-dashboard-65f974f565-2bl4j 1/1 Running 0 5m29s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes-dashboard NodePort 10.0.0.237 <none> 443:30001/
[root@master ~]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE
nginx-dbddb74b8-5w6dx 1/1 Running 0 3m25s 172.17.66.3 20.0.0.13 <none>
Test access in Firefox: 20.0.0.13:30001
[root@master dashboard]# kubectl create -f k8s-admin.yaml
serviceaccount/dashboard-admin created
clusterrolebinding.rbac.authorization.k8s.io/dashboard-admin created
[root@master dashboard]# kubectl get ServiceAccount -n kube-system
NAME SECRETS AGE
dashboard-admin 1 10s
default 1 5h22m
kubernetes-dashboard 1 3m37s
[root@master dashboard]# kubectl get secret -n kube-system
NAME TYPE DATA AGE
dashboard-admin-token-shfr4 kubernetes.io/service-account-token 3 18s
default-token-4hfx4 kubernetes.io/service-account-token 3 5h23m
kubernetes-dashboard-certs Opaque 0 4m29s
kubernetes-dashboard-key-holder Opaque 2 4m29s
kubernetes-dashboard-token-hscjl kubernetes.io/service-account-token 3 3m45s
[root@master dashboard]# kubectl describe secret dashboard-admin-token-shfr4 -n kube-system
Name: dashboard-admin-token-shfr4
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: dashboard-admin
kubernetes.io/service-account.uid: 4e99d1b2-8d36-11eb-91f2-000c2926d1c7
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1359 bytes
namespace: 11 bytes
token:      <service-account token (JWT) omitted>
The token: value is the login token.
Login to the Kubernetes web UI succeeded!
From the dashboard you can manage the cluster components and view all kinds of information and overviews, which is very convenient.
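The token printed by kubectl describe secret is a JWT whose payload is only base64url-encoded, so anyone who sees it can read which account it belongs to. The added example below (not from the original post) decodes the claims of a constructed token and checks for an expiry claim; the function names and the sample claim values (placeholder uid and signature) are assumptions modelled on a secret-based service-account token.

```shell
# Added example: read the claims of a secret-based service-account token.
# Decoding does not verify the signature; it only shows what the token asserts.

# base64url-encode stdin (used here only to build the constructed sample)
b64url_encode() { base64 | tr -d '=\n' | tr '/+' '_-'; }

# base64url-decode $1: restore the standard alphabet and the stripped padding
b64url_decode() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="$s==" ;;
        3) s="$s=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

# Print the JSON payload (second dot-separated segment) of token $1
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# Print the string value of claim $2 in token $1 (flat JSON payloads only)
jwt_claim() {
    jwt_payload "$1" | tr ',{}' '\n\n\n' | sed -n 's|^"'"$2"'":"\(.*\)"$|\1|p'
}

# True when the payload has no "exp" claim, i.e. the token never expires
jwt_is_non_expiring() { ! jwt_payload "$1" | grep -q '"exp":'; }

# Constructed sample (assumed claim layout; uid and signature are placeholders)
SAMPLE_PAYLOAD='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","kubernetes.io/serviceaccount/secret.name":"dashboard-admin-token-shfr4","kubernetes.io/serviceaccount/service-account.name":"dashboard-admin","kubernetes.io/serviceaccount/service-account.uid":"00000000-0000-0000-0000-000000000000","sub":"system:serviceaccount:kube-system:dashboard-admin"}'
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256","kid":""}' | b64url_encode).$(printf '%s' "$SAMPLE_PAYLOAD" | b64url_encode).constructed-signature"

# Summarise who the token speaks for and whether it can expire
token_report() {
    echo "subject:   $(jwt_claim "$1" sub)"
    echo "namespace: $(jwt_claim "$1" 'kubernetes.io/serviceaccount/namespace')"
    echo "secret:    $(jwt_claim "$1" 'kubernetes.io/serviceaccount/secret.name')"
    if jwt_is_non_expiring "$1"; then
        echo "expiry:    none (valid until the Secret is deleted)"
    else
        echo "expiry:    set"
    fi
}

token_report "$SAMPLE_TOKEN"
```

A token with no exp claim stays valid until its Secret is deleted, so a token that has been displayed or shared should be revoked by deleting that Secret.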
Problem: the page cannot be opened in Google Chrome
Solution: create a self-signed certificate for Google Chrome
vi dashboard-cert.sh
[root@master01 ~]# cd /root/k8s/dashboard/
[root@master01 dashboard]# vi dashboard-cert.sh
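cat > dashboard-csr.json <<EOF
{
    "CN": "Dashboard",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing"
        }
    ]
}
EOF
# $1 is the directory holding the cluster CA (ca.pem, ca-key.pem, ca-config.json)
K8S_CA=$1
# Sign the dashboard certificate with the cluster CA; writes dashboard.pem and dashboard-key.pem
cfssl gencert -ca="$K8S_CA/ca.pem" -ca-key="$K8S_CA/ca-key.pem" -config="$K8S_CA/ca-config.json" -profile=kubernetes dashboard-csr.json | cfssljson -bare dashboard
# Replace the empty certs secret with one holding only the new certificate and key
# (--from-file=./ would also store every other file in this directory in the secret)
kubectl delete secret kubernetes-dashboard-certs -n kube-system
kubectl create secret generic kubernetes-dashboard-certs --from-file=dashboard.pem --from-file=dashboard-key.pem -n kube-system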
vi dashboard-controller.yaml
Note: add the two certificate lines to dashboard-controller.yaml, then apply it.
        args:
          # PLATFORM-SPECIFIC ARGS HERE
          - --auto-generate-certificates
          - --tls-key-file=dashboard-key.pem   # added
          - --tls-cert-file=dashboard.pem      # added
[root@master01 dashboard]# bash dashboard-cert.sh /root/k8s/k8s-cert/
2021/01/11 16:49:50 [INFO] generate received request
2021/01/11 16:49:50 [INFO] received CSR
2021/01/11 16:49:50 [INFO] generating key: rsa-2048
2021/01/11 16:49:51 [INFO] encoded CSR
2021/01/11 16:49:51 [INFO] signed certificate with serial number 591955066090286385265064593974130019755805216139
2021/01/11 16:49:51 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
secret "kubernetes-dashboard-certs" deleted
secret/kubernetes-dashboard-certs created
Redeploy
[root@master01 dashboard]# kubectl apply -f dashboard-controller.yaml
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
serviceaccount/kubernetes-dashboard configured
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
deployment.apps/kubernetes-dashboard configured
Note: if apply does not take effect, delete the resources first, then apply again to recreate them.
[root@master01 dashboard]# kubectl delete -f dashboard-controller.yaml
serviceaccount "kubernetes-dashboard" deleted
deployment.apps "kubernetes-dashboard" deleted
[root@master01 dashboard]# kubectl apply -f dashboard-controller.yaml
serviceaccount/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created