Kubernetes dashboard1.8.0 WebUI安裝與配置
kubernetes-dashboard.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
addonmanager.kubernetes.io/mode: Reconcile
name: kubernetes-dashboard
namespace: kube-system
---
apiVersion: apps/v1beta2
kind: Deployment
metadata:
name: kubernetes-dashboard spec.containers.image:填寫dashboard的映象路徑。我這裡填寫的是本地私有庫的dashboard映象。大家可以通過docker search查詢1.8.0版本的dashboard。
spec.containers.args:此處填寫的是一些引數,由於我的kubernetes1.8.0是通過HTTPS安全驗證的安裝,訪問的是http://masterip:6443,因此,此處我填寫了- --auto-generate-certificates,用以自動生成dashboard證書,此處不需要填寫apiserver地址。
kubernetes-rbac.yaml
因為kubernetes1.8.0開啟了 RBAC 所以這裡需要建立一個 RBAC 認證。
apiVersion: v1
kind: ServiceAccount
metadata:
name: kubernetes-dashboard
namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: kubernetes-dashboard
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kube-system
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.iodashboard安裝啟動
kubernetes-dashboard-certs建立
新建一個空目錄:certs,然後執行下面命令:
kubectl create secret generic kubernetes-dashboard-certs --from-file=certs -n kube-system將上面兩個檔案kubernetes-dashboard.yaml、kubernetes-rbac.yaml放置到同一個目錄,該目錄只要這兩個檔案,然後執行下面的命令:
安裝啟動
# 讀取當前目錄配置檔案進行安裝啟動
kubectl apply -f .檢視pod
檢視namespace為kube-system下的pod
kubectl get pods --namespace="kube-system"
NAME READY STATUS RESTARTS AGE
kubernetes-dashboard-77bd6c79b-sc5wb 1/1 Running 1 56m檢視指定pod詳情
pods/後面跟指定pod name
kubectl describe pods/kubernetes-dashboard-77bd6c79b-sc5wb --namespace="kube-system" 由於詳情過多,此處截圖只展示部分資訊:
檢視dashboard介面
https://MasterIP:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/MasterIP:kubernetes叢集master節點ip
kubernetes-dashboard介面:
出現的問題
首次安裝,如果沒有做apiserver引數配置,則可能會出現一些問題。下面就看下常見問題的解決方法
system:anonymous問題
訪問dashboard網頁時,可能出現下面這種報錯:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:anonymous\" cannot get services/proxy in the namespace \"kube-system\"",
"reason": "Forbidden",
"details": {
"name": "https:kubernetes-dashboard:",
"kind": "services"
},
"code": 403
}Kubernetes API Server新增了–anonymous-auth選項,允許匿名請求訪問secure port。沒有被其他authentication方法拒絕的請求即Anonymous requests, 這樣的匿名請求的username為system:anonymous, 歸屬的組為system:unauthenticated。並且該選線是預設的。這樣一來,當採用chrome瀏覽器訪問dashboard UI時很可能無法彈出使用者名稱、密碼輸入對話方塊,導致後續authorization失敗。為了保證使用者名稱、密碼輸入對話方塊的彈出,需要將–anonymous-auth設定為false。
解決方法:
在api-server配置檔案中新增--anonymous-auth=false
vi /etc/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target
[Service]
User=root
ExecStart=/usr/local/bin/kube-apiserver \
--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,NodeRestriction \
--advertise-address=10.0.11.222 \
--allow-privileged=true \
--apiserver-count=3 \
--audit-policy-file=/etc/kubernetes/audit-policy.yaml \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/var/log/kubernetes/audit.log \
--authorization-mode=Node,RBAC \
--anonymous-auth=false \ # 不接受匿名訪問,若為true,則表示接受,此處設定為false,便於dashboard訪問
--bind-address=0.0.0.0 \
--secure-port=6443 \
--client-ca-file=/etc/kubernetes/ssl/ca.pem \
--enable-swagger-ui=true \
--etcd-cafile=/etc/kubernetes/ssl/ca.pem \
--etcd-certfile=/etc/kubernetes/ssl/etcd.pem \
--etcd-keyfile=/etc/kubernetes/ssl/etcd-key.pem \
--etcd-servers=https://10.0.11.222:2379 \
--event-ttl=1h \
--kubelet-https=true \
--insecure-bind-address=127.0.0.1 \
--insecure-port=8080 \
--service-account-key-file=/etc/kubernetes/ssl/ca-key.pem \
--service-cluster-ip-range=10.254.0.0/16 \
--service-node-port-range=30000-32000 \
--tls-cert-file=/etc/kubernetes/ssl/kubernetes.pem \
--tls-private-key-file=/etc/kubernetes/ssl/kubernetes-key.pem \
--enable-bootstrap-token-auth \
--token-auth-file=/etc/kubernetes/token.csv \
--v=2
Restart=on-failure
RestartSec=5
Type=notify
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target解決了上面那個問題之後,再度訪問dashboard頁面,發現還是有問題,出現下面這個問題:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "Unauthorized",
"reason": "Unauthorized",
"code": 401
}解決方法:
新建/etc/kubernetes/basic_auth_file檔案,並在其中新增:
admin,admin,1002檔案內容格式:password,username,uid
然後在api-server配置檔案(即上面的配置檔案)中新增--basic-auth-file=/etc/kubernetes/basic_auth_file \
儲存重啟kube-apiserver:
systemctl daemon-reload
systemctl enable kube-apiserver
systemctl start kube-apiserver
systemctl status kube-apiserver最後在kubernetes上執行下面這條命令:
kubectl create clusterrolebinding login-dashboard-admin --clusterrole=cluster-admin --user=admin將訪問賬號名admin與kubernetes-rbac.yaml檔案中指定的cluster-admin關聯,獲得訪問許可權。
getsockopt: connection timed out’問題
如果安裝的docker版本為1.13及以上,並且網路暢通,flannel、etcd都正常,但還是會出現getsockopt: connection timed out'的錯誤,則可能是iptables配置問題。具體問題:
Error: 'dial tcp 10.233.50.3:8443: getsockopt: connection timed outdocker從1.13版本開始,可能將iptables FORWARD chain的預設策略設定為DROP,從而導致ping其他Node上的Pod IP失敗,遇到這種問題時,需要手動設定策略為ACCEPT:
sudo iptables -P FORWARD ACCEPT使用iptables -nL命令檢視,發現Forward的策略還是drop,可是我們明明執行了iptables -P FORWARD ACCEPT。原來,docker是在這句話執行之後啟動的,需要每次在docker之後再執行這句話。。。這麼做有點太麻煩了,所以我們修改下docker的啟動指令碼:
vi /usr/lib/systemd/system/docker.service
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS $DOCKER_DNS_OPTIONS
# 新增這行操作,在每次重啟docker之前都會設定iptables策略為ACCEPT
ExecStartPost=/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT
ExecReload=/bin/kill -s HUP $MAINPID在啟動檔案中的 [Service] 下新增一行配置,即上面程式碼中的配置即可。
然後重啟docker,再次檢視dashboard網頁。