Create a cluster administrator account (Cluster Admin)

Write the configuration file admin-role.yaml

    kind: ClusterRoleBinding
    # Use rbac.authorization.k8s.io/v1 on Kubernetes 1.22+, where v1beta1 is no longer served
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: admin
      annotations:
        rbac.authorization.kubernetes.io/autoupdate: "true"
    roleRef:
      kind: ClusterRole
      # cluster-admin grants unrestricted access to every resource in the cluster
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io
    subjects:
    - kind: ServiceAccount
      name: admin
      namespace: kube-system
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: admin
      namespace: kube-system
      labels:
        kubernetes.io/cluster-service: "true"
        addonmanager.kubernetes.io/mode: Reconcile

Run the command to create the account

    $ kubectl create -f admin-role.yaml
    clusterrolebinding.rbac.authorization.k8s.io/admin created
    serviceaccount/admin created

Get the token of the newly created account

    $ kubectl -n kube-system get secret|grep admin-token
    admin-token-dvhv7   kubernetes.io/service-account-token   3   15s

    $ kubectl -n kube-system describe secret admin-token-dvhv7
    Name:         admin-token-dvhv7
    Namespace:    kube-system
    Labels:       <none>
    Annotations:  kubernetes.io/service-account.name: admin
                  kubernetes.io/service-account.uid: cd1d963a-3b34-11e9-8ce7-fa163ec5bf9e

    Type:  kubernetes.io/service-account-token

    Data
    ====
    ca.crt:     1025 bytes
    namespace:  11 bytes
    token:      <service-account token (JWT), elided>
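
An added example, not part of the original tutorial: the token printed by kubectl describe secret is a JWT, and decoding its payload shows which identity it carries and whether it expires. Secret-based service-account tokens like this one have no exp claim, so they stay valid until the secret or the service account is deleted. The helper names and the sample token below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Helper names are illustrative.

# jwt_payload TOKEN: print the decoded claims (second dot-separated segment).
jwt_payload() {
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    # base64url omits '=' padding; restore it before decoding.
    case $(( ${#seg} % 4 )) in
        2) seg="$seg==" ;;
        3) seg="$seg=" ;;
    esac
    printf '%s' "$seg" | base64 --decode
}

# sa_token_report TOKEN: who the token authenticates as, and whether it expires.
sa_token_report() {
    claims=$(jwt_payload "$1") || return 1
    sub=$(printf '%s' "$claims" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p')
    echo "subject=$sub"
    case $claims in
        *'"exp":'*) echo "expiry=present" ;;
        *)          echo "expiry=none" ;;
    esac
}

# Constructed sample with the claim layout of a secret-based token; the
# signature segment is a dummy, so this token authenticates nowhere.
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }
sample_token() {
    h=$(printf '%s' '{"alg":"RS256","kid":""}' | b64url)
    p=$(printf '%s' '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:kube-system:admin"}' | b64url)
    echo "$h.$p.ZHVtbXk"
}

sa_token_report "$(sample_token)"
```
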
On the machine that needs to connect to the cluster, configure the administrator token. Create a .kube directory under the user's home directory.

Edit the .kube/config configuration file

    apiVersion: v1
    clusters:
    - cluster:
        # disables verification of the API server's certificate
        insecure-skip-tls-verify: true
        server: https://apiserver.hipstershop.cn:6443
      name: k8s-prod
    contexts:
    - context:
        cluster: k8s-prod
        user: k8s-prod
      name: k8s-prod
    current-context: k8s-prod
    kind: Config
    preferences: {}
    users:
    - name: k8s-prod
      user:
        token: <admin token obtained above>
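
An added example, not part of the original tutorial: with insecure-skip-tls-verify: true the client sends the admin token without checking the API server's certificate. The sketch below audits a kubeconfig for that setting and for loose file permissions, and builds a config pinned to the cluster CA (the ca.crt entry of the same token secret). Function names and finding strings are illustrative, and the second function assumes kubectl already works on the machine where it is run.

```shell
#!/bin/sh
# Added example, not from the original page. Function names and finding
# strings are illustrative; cluster/user names follow the config above.

# audit_kubeconfig FILE: print one finding per line, return 1 if any.
audit_kubeconfig() {
    f=$1; rc=0
    if grep -Eq '^[[:space:]]*insecure-skip-tls-verify:[[:space:]]*true' "$f"; then
        echo "tls-verification-disabled"; rc=1
    fi
    # A file that embeds a bearer token should be accessible by its owner only.
    if grep -Eq '^[[:space:]]*token:' "$f" &&
       [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "token-readable-by-group-or-others"; rc=1
    fi
    return "$rc"
}

# write_verified_kubeconfig SECRET SERVER OUT: run where kubectl already works
# (for example a master node); pins the cluster CA stored in the token secret
# instead of skipping certificate verification.
write_verified_kubeconfig() (
    set -e; umask 077
    secret=$1; server=$2; out=$3
    ca=$(mktemp)
    kubectl -n kube-system get secret "$secret" -o 'jsonpath={.data.ca\.crt}' |
        base64 --decode > "$ca"
    [ -s "$ca" ] || { echo "no ca.crt in $secret" >&2; exit 1; }
    token=$(kubectl -n kube-system get secret "$secret" -o 'jsonpath={.data.token}' |
        base64 --decode)
    kubectl --kubeconfig "$out" config set-cluster k8s-prod --server="$server" \
        --certificate-authority="$ca" --embed-certs=true
    kubectl --kubeconfig "$out" config set-credentials k8s-prod --token="$token"
    kubectl --kubeconfig "$out" config set-context k8s-prod \
        --cluster=k8s-prod --user=k8s-prod
    kubectl --kubeconfig "$out" config use-context k8s-prod
    rm -f "$ca"
)
```

Typical use: write_verified_kubeconfig admin-token-dvhv7 https://apiserver.hipstershop.cn:6443 k8s-prod.config, then copy the resulting file to ~/.kube/config on the client machine.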
Download and install the Kubernetes client kubectl

macOS installation

    $ brew install kubernetes-cli

Windows

On Windows, kubectl can be installed with the Chocolatey package manager

    choco install kubernetes-cli
    cd C:\users\yourusername
    mkdir .kube
    cd .kube
    New-Item config -type file

CentOS

    # gpgcheck=0 and repo_gpgcheck=0 turn off signature checks on packages and repository metadata
    $ cat <<EOF > /etc/yum.repos.d/kubernetes.repo
    [kubernetes]
    name=Kubernetes
    baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
    enabled=1
    gpgcheck=0
    repo_gpgcheck=0
    gpgkey=http://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg http://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
    EOF

    $ yum install -y kubectl
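Install Kubernetes Dashboard

First, download the deployment configuration file from the official site

    $ wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml

Then edit the deployment configuration file and replace the image registry with gcr.azk8s.cn/google-containers

    $ sed -i 's#k8s.gcr.io#gcr.azk8s.cn/google-containers#g' kubernetes-dashboard.yaml

Deploy the Dashboard add-on with the following command

    $ kubectl apply -f kubernetes-dashboard.yaml

Wait for the add-on deployment to complete

    $ kubectl -n kube-system get pods
    NAME                                   READY   STATUS    RESTARTS   AGE
    kubernetes-dashboard-57df4db6b-n7d7q   1/1     Running   0          45m

For security, the Dashboard can now only be accessed through a proxy; by default the proxy (kubectl proxy) listens on port 8001 of 127.0.0.1

Visit the following address

You can log in with the token of the administrator account created above, or create an ordinary account for access; in the pop-up menu choose Token, then enter the token value

    http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/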
Install Helm

Helm is a package management tool in the Kubernetes ecosystem. Helm packages Kubernetes resources (such as deployments, services and ingress) into a chart, and charts are stored in a chart repository, which is used to store and share charts. Helm makes releases configurable, supports version management of released application configuration, and simplifies version control, packaging, release, deletion and update of applications deployed on Kubernetes.

Install the helm client

Download the binary package for your operating system from the helm website; download address: https://github.com/helm/helm/releases. Taking CentOS as an example:

    $ wget https://storage.googleapis.com/kubernetes-helm/helm-v2.13.1-linux-amd64.tar.gz
    $ tar xzvf helm-v2.13.1-linux-amd64.tar.gz
    $ mv linux-amd64/helm /usr/local/bin
    $ chmod +x /usr/local/bin/helm

Create the account used by tiller, the helm server side. Edit the configuration file helm-service-account.yaml

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: tiller
      namespace: kube-system
    ---
    # Use rbac.authorization.k8s.io/v1 on Kubernetes 1.22+, where v1beta1 is no longer served
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRoleBinding
    metadata:
      name: tiller
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      # tiller runs with full cluster-admin rights under this binding
      name: cluster-admin
    subjects:
      - kind: ServiceAccount
        name: tiller
        namespace: kube-system

Apply the configuration file helm-service-account.yaml

    $ kubectl apply -f helm-service-account.yaml

Initialize and install tiller

    $ helm init --tiller-image gcr.azk8s.cn/kubernetes-helm/tiller:v2.13.1 --skip-refresh --service-account tiller
Deploy the Traefik Ingress controller

To make it easy to expose services in the cluster and reach them from outside the cluster, use Helm to deploy Traefik Ingress on Kubernetes

Download the Charts from the official site

    $ git clone https://github.com/helm/charts.git

Write the configuration file traefik.yaml

    serviceType: NodePort
    replicas: 3
    resources:
      limits:
        cpu: 1
        memory: 1Gi
      requests:
        cpu: 1
        memory: 1Gi
    dashboard:
      enabled: true
      domain: traefik.hipstershop.cn
    service:
      nodePorts:
        http: 30080
        https: 30443
    rbac:
      enabled: true
    metrics:
      prometheus:
        enabled: true

Run the following command to deploy

    $ helm install traefik --name traefik --namespace kube-system -f traefik/traefik.yaml

Configure load balancing

Put port 30080 of the nodes behind a load balancer (such as Alibaba Cloud ELB, HAProxy, F5, etc.); the load balancer serves ports 80 and 443 externally. Once traefik.hipstershop.cn resolves to the load balancer's VIP, the Traefik dashboard can be accessed.