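In the previous section we set up the environment; in this section we deploy some k8s add-ons. The official add-on list is here:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
This time we deploy two add-ons: calico and dashboard
1. Because resources are limited, we allow workloads to be scheduled on the master as well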
kubectl taint nodes --all node-role.kubernetes.io/master-
2. Deploy calico
2.1. Deploy
kubectl apply -f https://docs.projectcalico.org/v3.10/manifests/calico.yaml
2.2. Watch the deployment and wait for it to succeed
watch kubectl get pods --all-namespaces
3. Deploy dashboard
3.1. Deploy
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta4/aio/deploy/recommended.yaml
3.2. Watch the deployment and wait for it to succeed
watch kubectl get pods --all-namespaces
3.3. Start the proxy
kubectl proxy
3.4. The login page is now visible in the browser
http://IP:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
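There is a pitfall here, though: dashboard requires HTTPS for login, while the proxy currently serves HTTP, so login only succeeds when the IP is localhost. I wasted quite a bit of time on this.
3.5. Create a new user
vi neohope-account.yaml
# File contents
apiVersion: v1
kind: ServiceAccount
metadata:
  name: neohope
  namespace: kube-system
kubectl create -f neohope-account.yaml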
3.6. Configure the user's role
vi neohope-role.yaml
# File contents
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: neohope
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: neohope
  namespace: kube-system
kubectl create -f neohope-role.yaml
3.7. Get the token
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep neohope | awk '{print $1}')
Name: neohope-token-2khbb
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: neohope
kubernetes.io/service-account.uid: fc842f0e-0ef4-4c41-9f30-8a5409c866c2
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImtIRjFiZnI5V3NiRlpZQXpzUk9DanA4cHBCQnFOcFNrek5xTjltUGRLeDgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJuZW9ob3BlLXRva2VuLTJraGJiIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6Im5lb2hvcGUiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJmYzg0MmYwZS0wZWY0LTRjNDEtOWYzMC04YTU0MDljODY2YzIiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06bmVvaG9wZSJ9.Zsk4C3hs58JmLa0rRTdfoQKlY524kMtnlzEHxgMryv7u9kPHS51BA0xiVC1nMLDcbMp1U3YHlnz0-IJkFzVeaboq0qEFea56nnqASMSEtCB1c7IE52zip-4tDWdZ-jYwf7KN5Gwq_4ZUqa4gRf1znVH7nlsxTpaoQ_-yjJsQpqDyUb1BLgGrUGcWOF2hGMHrNPHbZfLyhsPp_ijOvmRviAq57nyrGYiVG9ZiMoGV_1Y5rvn2-L0BHCdgZjSzK6nlfvoMlpnqhQXkrxE0d9EJbeukfx5sOF3xUPkQx-6dKm3QrkqBNXInbDxJXJbj27JalGarpRDA9tsPg1mUqAb-7g
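Added example, not part of the original post: the token printed in step 3.7 is a JWT whose middle segment is base64url-encoded JSON, and this script decodes that segment offline and reports whether it carries an `exp` claim. Tokens read from a service-account secret as above carry none, so with the cluster-admin binding from step 3.6 the token remains a full-cluster credential until the secret or service account is deleted. The sample token, the account name `demo` and the helper function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a service-account JWT offline.

# Encode stdin as unpadded base64url (used only to build the constructed sample).
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }

# Decode one base64url segment: restore the standard alphabet and the padding.
b64url_decode() {
  _s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#_s} % 4 )) in
    2) _s="${_s}==" ;;
    3) _s="${_s}=" ;;
    1) return 1 ;;                 # impossible length for base64
  esac
  printf '%s' "$_s" | base64 -d
}

# Print the JSON claims (second segment) of a header.payload.signature token.
jwt_claims() {
  case $1 in
    *.*.*.*) return 1 ;;           # too many segments
    *.*.*)   ;;                    # exactly three segments
    *)       return 1 ;;           # too few segments
  esac
  _rest=${1#*.}                    # drop the header segment
  b64url_decode "${_rest%%.*}"     # keep only the payload segment
}

# Echo "expires" if the claims carry an exp field, "non-expiring" otherwise.
jwt_expiry_status() {
  _claims=$(jwt_claims "$1") || { echo invalid; return 1; }
  if printf '%s' "$_claims" | grep -q '"exp"[[:space:]]*:'; then
    echo expires
  else
    echo non-expiring
  fi
}

# Constructed sample with the claim layout of a secret-based token;
# the account name "demo" and the signature "c2ln" are placeholders.
SAMPLE_CLAIMS='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kube-system","kubernetes.io/serviceaccount/service-account.name":"demo","sub":"system:serviceaccount:kube-system:demo"}'
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256"}' | b64url).$(printf '%s' "$SAMPLE_CLAIMS" | b64url).c2ln"

jwt_claims "$SAMPLE_TOKEN"; echo
jwt_expiry_status "$SAMPLE_TOKEN"
```

The signature is not verified here; the script only shows what the token asserts about its subject and lifetime.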
3.8. If you log in from localhost, the token above is all you need
http://IP:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
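3.9. If you are not logging in from localhost, there are three options
#A. Expose a port
#B. Proxy access through the API server
#https://IP:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
#C. Use an add-on and access it through a proxy such as nginx
#To save effort, use option A
3.10. Expose the port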
kubectl -n kubernetes-dashboard edit service kubernetes-dashboard
Change ClusterIP to NodePort, then save
3.10. Check the service status
kubectl get service -n kubernetes-dashboard -o wide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
dashboard-metrics-scraper ClusterIP 10.102.175.21 <none> 8000/TCP 17h k8s-app=dashboard-metrics-scraper
kubernetes-dashboard NodePort 10.102.129.248 <none> 443:31766/TCP 17h k8s-app=kubernetes-dashboard
#The port 31766 can be found here
kubectl get pod -n kubernetes-dashboard -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
dashboard-metrics-scraper-566cddb686-vkxvx 1/1 Running 0 17h 192.168.201.133 master <none> <none>
kubernetes-dashboard-7b5bf5d559-m6xt7 1/1 Running 0 17h 192.168.201.132 master <none> <none>
#The host can be found here
3.11. Now the service on the master can be reached directly at this address
https://MASTER_IP:31766
Ignore all of the HTTPS security warnings
Log in with the token