使用kubeadm快速部署一套K8S集群
https://www.cnblogs.com/double-dong/p/11483670.html

问题:
1、运行dashboard可视化插件

# cat recommended.yml
# Copyright 2017 The Kubernetes Authors.

#

# Licensed under the Apache License, Version 2.0 (the "License");

# you may not use this file except in compliance with the License.

# You may obtain a copy of the License at

#

#     http://www.apache.org/licenses/LICENSE-2.0

#

# Unless required by applicable law or agreed to in writing, software

# distributed under the License is distributed on an "AS IS" BASIS,

# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

# See the License for the specific language governing permissions and

# limitations under the License.

 

# Dedicated namespace holding every namespaced Dashboard object in this file.
kind: Namespace
apiVersion: v1
metadata:
  name: kubernetes-dashboard

 

---

 

# Service account named by serviceAccountName in both Deployments of this
# file; what it may do is defined by the Role/ClusterRole bound to it.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard

 

---

 

# Front-end Service for the Dashboard UI.
# type NodePort maps 443 -> container port 8443 and opens port 30000 on every
# node, so the login page is reachable from any network that can reach a node
# IP. Restrict that port with node/perimeter firewall rules. Without
# `type`/`nodePort` a Service is ClusterIP and only reachable in-cluster
# (e.g. through `kubectl port-forward`).
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
spec:
  type: NodePort
  selector:
    k8s-app: kubernetes-dashboard
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30000

 

---

 

# Opaque secret with no data in the manifest; the Dashboard Deployment mounts
# it at /certs and is started with --auto-generate-certificates.
kind: Secret
apiVersion: v1
type: Opaque
metadata:
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard

 

---

 

# CSRF secret for the Dashboard. The value is empty in the manifest
# (presumably filled in by the Dashboard at runtime; the Role in this file
# lets its service account get/update/delete this secret).
kind: Secret
apiVersion: v1
type: Opaque
metadata:
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
data:
  csrf: ""

 

---

 

# Opaque secret created empty; it is one of the three secrets the Dashboard
# Role in this file may get, update and delete.
kind: Secret
apiVersion: v1
type: Opaque
metadata:
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard

 

---

 

# Config map created without data; the Dashboard Role in this file allows
# get/update on it by name.
apiVersion: v1
kind: ConfigMap
metadata:
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard

 

---

 

# Namespaced permissions for the Dashboard service account. Every rule is
# pinned to named objects through resourceNames, so this Role grants nothing
# on other secrets, config maps or services in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames:
      - kubernetes-dashboard-key-holder
      - kubernetes-dashboard-certs
      - kubernetes-dashboard-csrf
    verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames:
      - kubernetes-dashboard-settings
    verbs: ["get", "update"]
  # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames:
      - heapster
      - dashboard-metrics-scraper
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames:
      - heapster
      - "http:heapster:"
      - "https:heapster:"
      - dashboard-metrics-scraper
      - "http:dashboard-metrics-scraper"
    verbs: ["get"]

 

---

 

# Cluster-scoped, read-only access to the metrics.k8s.io API (pods and nodes).
# This is the only cluster-wide permission this manifest gives the Dashboard
# service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups:
      - metrics.k8s.io
    resources:
      - pods
      - nodes
    verbs:
      - get
      - list
      - watch

 

---

 

# Grants the namespaced Role `kubernetes-dashboard` to the service account of
# the same name inside the kubernetes-dashboard namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard

 

---

 

# Grants the ClusterRole `kubernetes-dashboard` (metrics read access) to the
# Dashboard service account. roleRef cannot be edited on an existing binding:
# applying this over a binding of the same name with a different roleRef
# fails with "cannot change roleRef".
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard

 

---

 

# Dashboard web UI, one replica. The container runs as UID 1001 / GID 2001
# with a read-only root filesystem and privilege escalation disabled, and
# serves HTTPS on 8443.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
  labels:
    k8s-app: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      containers:
        - name: kubernetes-dashboard
          # Pinned by tag only: with imagePullPolicy Always each start pulls
          # whatever the registry currently serves for v2.2.0. Pinning by
          # image digest would fix the exact content.
          image: kubernetesui/dashboard:v2.2.0
          imagePullPolicy: Always
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          ports:
            - containerPort: 8443
              protocol: TCP
          livenessProbe:
            initialDelaySeconds: 30
            timeoutSeconds: 30
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
          securityContext:
            runAsUser: 1001
            runAsGroup: 2001
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
            # Create on-disk volume to store exec logs
            - name: tmp-volume
              mountPath: /tmp
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}

 

---

 

# In-cluster Service for the metrics scraper on port 8000. No `type` is set,
# so it is a ClusterIP Service and is not published on the nodes.
apiVersion: v1
kind: Service
metadata:
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
  labels:
    k8s-app: dashboard-metrics-scraper
spec:
  selector:
    k8s-app: dashboard-metrics-scraper
  ports:
    - port: 8000
      targetPort: 8000

 

---

 

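# Metrics scraper sidecar service for the Dashboard, one replica, plain HTTP
# on 8000. Runs under the same service account as the Dashboard, as
# UID 1001 / GID 2001 with a read-only root filesystem.
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
    spec:
      # The runtime's default seccomp profile is requested with the
      # securityContext field (available from Kubernetes 1.19) instead of the
      # alpha annotation seccomp.security.alpha.kubernetes.io/pod, which
      # newer API servers no longer convert into a seccomp profile, leaving
      # the pod without the filter the annotation asked for.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: dashboard-metrics-scraper
          # Pinned by tag only; a digest would fix the exact image content.
          image: kubernetesui/metrics-scraper:v1.0.6
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
            # Writable scratch space, needed because the root filesystem is
            # mounted read-only.
            - mountPath: /tmp
              name: tmp-volume
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}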
# kubectl apply -f recommended.yml
# kubectl -n kubernetes-dashboard get pods  
NAME                                         READY   STATUS    RESTARTS   AGE
dashboard-metrics-scraper-78f5d9f487-hqgqq   1/1     Running   0          121m
kubernetes-dashboard-577bd97bc-4gtnq         1/1     Running   0          121m
# kubectl -n kubernetes-dashboard get svc
NAME                        TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
dashboard-metrics-scraper   ClusterIP   10.103.64.166   <none>        8000/TCP        122m
kubernetes-dashboard        NodePort    10.104.34.104   <none>        443:30000/TCP   122m

2、如出现报错 The ClusterRoleBinding "kubernetes-dashboard" is invalid: roleRef: Invalid value: rbac.RoleRef{APIGroup:"rbac.authorization.k8s.io", Kind:"ClusterRole", Name:"kubernetes-dashboard"}: cannot change roleRef
"cannot change roleRef" 说明集群中已经存在同名的 ClusterRoleBinding,而绑定的 roleRef 字段创建后不可修改,所以 apply 无法更新它。先用 kubectl get clusterrolebinding 查看,确认后删除旧的绑定,再重新创建就没有问题了。

# kubectl get clusterrolebinding 
# kubectl delete clusterrolebinding kubernetes-dashboard

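3、访问页面报错 events is forbidden: User "system:serviceaccount:kube-system:cnych" cannot list events in the namespace "kube-system"
原因是登录所用 token 对应的 service account 没有相应权限。创建一个 service account 并绑定默认的 cluster-admin 集群管理员角色,然后更换为它的 token 登录。注意 cluster-admin 对整个集群拥有全部权限,而 dashboard 又通过 NodePort 30000 暴露在每个节点上,这个 token 应按最高权限凭据保管;如果只需要查看资源,可以改为绑定内置的 view 角色。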

# cat k8s-admin.yaml 
kind: ServiceAccount
apiVersion: v1
metadata:
  # Login identity for the Dashboard UI. The account itself carries no
  # permissions; they come from whatever binding names it as a subject.
  namespace: kube-system
  name: dashboard-admin
---
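kind: ClusterRoleBinding
# rbac.authorization.k8s.io/v1 is the stable RBAC API and matches the other
# RBAC objects on this page; the v1beta1 version is no longer served from
# Kubernetes 1.22 on, where applying it fails with "no matches for kind".
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dashboard-admin
subjects:
  - kind: ServiceAccount
    name: dashboard-admin
    namespace: kube-system
roleRef:
  # cluster-admin allows every verb on every resource cluster-wide, so a
  # token of dashboard-admin is a full-control credential for the cluster.
  # Bind a narrower ClusterRole (for example the built-in `view`) when the
  # Dashboard is only used to inspect resources.
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io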
# kubectl apply -f k8s-admin.yaml 
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
serviceaccount/dashboard-admin configured
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
clusterrolebinding.rbac.authorization.k8s.io/dashboard-admin configured
# kubectl get secret -n kube-system
NAME                                             TYPE                                  DATA   AGE
attachdetach-controller-token-f4qpc              kubernetes.io/service-account-token   3      17h
bootstrap-signer-token-64d5d                     kubernetes.io/service-account-token   3      17h
bootstrap-token-4sb1vq                           bootstrap.kubernetes.io/token         5      17h
bootstrap-token-v3ivoi                           bootstrap.kubernetes.io/token         7      17h
certificate-controller-token-8jh9b               kubernetes.io/service-account-token   3      17h
clusterrole-aggregation-controller-token-kmnwb   kubernetes.io/service-account-token   3      17h
coredns-token-jh5zq                              kubernetes.io/service-account-token   3      17h
cronjob-controller-token-xkfzt                   kubernetes.io/service-account-token   3      17h
daemon-set-controller-token-xv6wj                kubernetes.io/service-account-token   3      17h
dashboard-admin-token-zhjtl                      kubernetes.io/service-account-token   3      14h
default-token-fjctb                              kubernetes.io/service-account-token   3      17h
deployment-controller-token-cdjks                kubernetes.io/service-account-token   3      17h
disruption-controller-token-qs49r                kubernetes.io/service-account-token   3      17h
endpoint-controller-token-rwdg2                  kubernetes.io/service-account-token   3      17h
endpointslice-controller-token-r87lx             kubernetes.io/service-account-token   3      17h
expand-controller-token-2q2b4                    kubernetes.io/service-account-token   3      17h
flannel-token-xwvwt                              kubernetes.io/service-account-token   3      17h
generic-garbage-collector-token-st8mv            kubernetes.io/service-account-token   3      17h
horizontal-pod-autoscaler-token-k2z96            kubernetes.io/service-account-token   3      17h
job-controller-token-z8bzg                       kubernetes.io/service-account-token   3      17h
kube-proxy-token-dnq75                           kubernetes.io/service-account-token   3      17h
kubernetes-dashboard-certs                       Opaque                                0      16h
kubernetes-dashboard-key-holder                  Opaque                                2      16h
kubernetes-dashboard-token-kdt6r                 kubernetes.io/service-account-token   3      16h
namespace-controller-token-l2m8g                 kubernetes.io/service-account-token   3      17h
node-controller-token-lfswx                      kubernetes.io/service-account-token   3      17h
persistent-volume-binder-token-mg6xp             kubernetes.io/service-account-token   3      17h
pod-garbage-collector-token-6wl6t                kubernetes.io/service-account-token   3      17h
pv-protection-controller-token-qrs7d             kubernetes.io/service-account-token   3      17h
pvc-protection-controller-token-lht8b            kubernetes.io/service-account-token   3      17h
replicaset-controller-token-bjlf5                kubernetes.io/service-account-token   3      17h
replication-controller-token-s78l2               kubernetes.io/service-account-token   3      17h
resourcequota-controller-token-fkwbd             kubernetes.io/service-account-token   3      17h
service-account-controller-token-2zvhx           kubernetes.io/service-account-token   3      17h
service-controller-token-ljqhq                   kubernetes.io/service-account-token   3      17h
statefulset-controller-token-9rxf8               kubernetes.io/service-account-token   3      17h
token-cleaner-token-4khkn                        kubernetes.io/service-account-token   3      17h
ttl-controller-token-b5b2n                       kubernetes.io/service-account-token   3      17h
# kubectl describe secret -n kube-system dashboard-admin-token-zhjtl
Name:         dashboard-admin-token-zhjtl
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: dashboard-admin
              kubernetes.io/service-account.uid: d61f4759-bedd-4853-bbad-c14a84fa3dd5

Type:  kubernetes.io/service-account-token

Data
====
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IkJnT1RaYVlYWTAwbEV3Nl9zZlMyTkU4VGY4bmZqNy1NVFdtQXlIT09ZSVUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4temhqdGwiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZDYxZjQ3NTktYmVkZC00ODUzLWJiYWQtYzE0YTg0ZmEzZGQ1Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.N_1oxwkAceKI0w1k55SaY-f28aEkuNNkDTycSCApqe-DOdBH6t-WHMWjbaUg4gvoU28-cvBwvy_L37hsJiqQ_yyIxfw-kKA7kzVAbCn7j7ZZgCE43WytWNYtmHUPDVnsfmFEalMIBezzN7F_GV8_b9hsaUk5mBsm1al6SsIN97ObIswKVTHVJov6iAmaTHI_ss_g0ccNOaypnBDnNhBcfgag739e1WuxHoZ77YSNIgXlbkDWgvX7YvkmkSzUHlYC_yQwDsaDxnfNDySGDqRr9fLRHK4RlWWNTNNRGjLQTCsF2hWGr6RahXPGPEwQ5bFvnX4nbHZbCQoSVuDjhDfZzw
ca.crt:     1025 bytes
namespace:  11 bytes

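在 Dashboard 登录页选择 Token 方式,粘贴上面 token: 后面的字符串即可登录。这个 token 是 dashboard-admin 的长期凭据(其中没有过期时间),不要公开;如已泄露,删除对应的 secret(此处为 dashboard-admin-token-zhjtl)即可使其失效。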