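Background
All of the following operations assume that a single-master cluster has already been deployed.
On every server the firewall is kept off and SELinux is disabled.
Server role assignment
Role | Address | Installed components |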
---|---|---|
master | 192.168.142.220 | kube-apiserver kube-controller-manager kube-scheduler etcd |
master02 | 192.168.142.120 | kube-apiserver kube-controller-manager kube-scheduler |
node1 | 192.168.142.136 | kubelet kube-proxy docker flannel etcd |
node2 | 192.168.142.132 | kubelet kube-proxy docker flannel etcd |
nginx1 | 192.168.142.130 | nginx keepalived |
nginx2 | 192.168.142.140 | nginx keepalived |
VIP | 192.168.142.20 | virtual address |
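Set up the Dashboard on the master
Create the dashboard working directory
```bash
# Run on the master
cd /k8s/
# Upload the required page files into this folder
mkdir dashboard
# The commands that follow are run from inside the dashboard directory
cd dashboard
```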
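"dashboard-rbac": authorization that permits connecting to the API server
"dashboard-secret": encryption configuration
"dashboard-configmap": the dashboard configuration file
"dashboard-controller": application configuration
"dashboard-service": used to publish the application
The four YAML files above are downloaded from GitHub: https://github.com/kubernetes/kubernetes/tree/master/cluster/addons/dashboard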
Create the related Pod
```bash
# The order must not change! Remember this!
kubectl create -f dashboard-rbac.yaml
kubectl create -f dashboard-secret.yaml
kubectl create -f dashboard-configmap.yaml
kubectl create -f dashboard-controller.yaml
kubectl create -f dashboard-service.yaml
```
Check the Pod in its designated namespace
```
kubectl get pods -n kube-system
NAME                                    READY   STATUS    RESTARTS   AGE
kubernetes-dashboard-65f974f565-d2wgw   1/1     Running   2          90s

# View detailed information
kubectl get pods,svc -n kube-system
NAME                                        READY   STATUS    RESTARTS   AGE
pod/kubernetes-dashboard-65f974f565-d2wgw   1/1     Running   2          116s

NAME                           TYPE       CLUSTER-IP   EXTERNAL-IP   PORT(S)         AGE
service/kubernetes-dashboard   NodePort   10.0.0.109   <none>        443:30001/TCP   112s
```
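At this point the dashboard can be reached in a browser on port 30001 of any node.
Some browsers block the page as an insecure connection; the root cause of this problem is the missing certificate.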
Write and run a script to self-sign the certificate
```bash
bash dashboard.sh /root/k8s/apiserver/
```
The script is written by hand:
```bash
#!/bin/bash
# Certificate for the Dashboard
#
# Write the certificate signing request for cfssl
cat > dashboard-csr.json <<EOF
{
    "CN": "Dashboard",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing"
        }
    ]
}
EOF
# First argument: the directory that holds the cluster CA files
K8S_CA=$1
# Sign the dashboard certificate with the cluster CA
cfssl gencert -ca="$K8S_CA/ca.pem" -ca-key="$K8S_CA/ca-key.pem" -config="$K8S_CA/ca-config.json" -profile=kubernetes dashboard-csr.json | cfssljson -bare dashboard
# Replace the existing certificate secret with the new files
kubectl delete secret kubernetes-dashboard-certs -n kube-system
kubectl create secret generic kubernetes-dashboard-certs --from-file=./ -n kube-system
```
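The last line of the script uses `--from-file=./`, which packages every regular file in the working directory into the secret, not only the certificate and its key. The following added example (not part of the original post) lists what would be uploaded and prints a create command limited to `dashboard.pem` and `dashboard-key.pem`; the function names and the sample directory contents are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. File names in make_sample_dir are
# constructed to mirror the working directory after dashboard.sh has run.

# Keys that `kubectl create secret generic --from-file=<dir>` would create:
# regular files (no subdirectories or symlinks) whose basename is a valid key.
secret_keys_from_dir() {
  for path in "${1%/}"/* "${1%/}"/.[!.]*; do
    [ -f "$path" ] && [ ! -L "$path" ] || continue
    name=${path##*/}
    case $name in *[!A-Za-z0-9._-]*) continue ;; esac
    printf '%s\n' "$name"
  done | LC_ALL=C sort
}

# Keys other than the certificate and key named in the controller args.
unexpected_keys() {
  secret_keys_from_dir "$1" | grep -vxE 'dashboard(-key)?\.pem' || true
}

# Print (not run) a create command limited to those two files.
minimal_secret_cmd() {
  dir=${1%/}
  for pem in dashboard.pem dashboard-key.pem; do
    [ -s "$dir/$pem" ] || { echo "missing or empty: $dir/$pem" >&2; return 1; }
  done
  echo "kubectl create secret generic kubernetes-dashboard-certs -n kube-system" \
       "--from-file=$dir/dashboard.pem --from-file=$dir/dashboard-key.pem"
}

# Constructed sample: the five manifests, the script, and the cfssl output.
make_sample_dir() {
  tmp=$(mktemp -d) || return 1
  for file in dashboard-rbac.yaml dashboard-secret.yaml dashboard-configmap.yaml \
              dashboard-controller.yaml dashboard-service.yaml dashboard.sh \
              dashboard-csr.json dashboard.csr dashboard.pem dashboard-key.pem; do
    echo "placeholder" > "$tmp/$file"
  done
  echo "$tmp"
}

sample=$(make_sample_dir)
echo "keys that --from-file=./ would upload: $(secret_keys_from_dir "$sample" | wc -l)"
unexpected_keys "$sample"
minimal_secret_cmd "$sample"
rm -rf "$sample"
```

Running `kubectl get secret kubernetes-dashboard-certs -n kube-system` afterwards shows the key count in the DATA column, which is a quick way to confirm how many files ended up in the secret.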
Reference the new self-signed certificate and redeploy
```bash
# Point the controller at the self-signed certificate
vim dashboard-controller.yaml
```
```yaml
        args:
          # PLATFORM-SPECIFIC ARGS HERE
          - --auto-generate-certificates
          - --tls-key-file=dashboard-key.pem
          - --tls-cert-file=dashboard.pem    ## add the last two lines
```
```bash
# Redeploy
kubectl apply -f dashboard-controller.yaml
```
Generate the login token
```
# Generate the token
kubectl create -f k8s-admin.yaml

# Find the secret that stores the token
kubectl get secret -n kube-system
NAME                               TYPE                                  DATA   AGE
dashboard-admin-token-klr2w        kubernetes.io/service-account-token   3      74s
default-token-68xvt                kubernetes.io/service-account-token   3      54m
kubernetes-dashboard-certs         Opaque                                10     11m
kubernetes-dashboard-key-holder    Opaque                                2      23m
kubernetes-dashboard-token-drsc7   kubernetes.io/service-account-token   3      23m

# View the stored token
kubectl describe secret dashboard-admin-token-klr2w -n kube-system
## Copy the token
```
Paste the copied token to enter the web page.
That is the whole configuration process for deploying all of the K8S nodes.
Source: http://www.bubuko.com/infodetail-3415591.html