Testing the cluster
# Create an nginx Deployment and a Service in front of it
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-dm
spec:
  replicas: 2
  template:
    metadata:
      labels:
        name: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:alpine
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  selector:
    name: nginx
Create the testnginx Deployment
[root@master1 ~]# kubectl create -f testnginx.yaml
deployment.extensions/nginx-dm created
service/nginx-svc created
[root@master1 ~]# kubectl get po -o wide
NAME                       READY   STATUS    RESTARTS   AGE   IP               NODE    NOMINATED NODE
nginx-dm-fff68d674-j7dlk   1/1     Running   0          9m    10.254.108.115   node2   <none>
nginx-dm-fff68d674-r5hb6   1/1     Running   0          9m    10.254.102.133   node1   <none>
curl the pod IP from a node that has the Calico network installed
[root@node2 ~]# curl 10.254.102.133
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
Check the IPVS rules

[root@node2 ssl]# ipvsadm -L -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.254.0.1:443 rr
  -> 192.168.161.161:6443         Masq    1      1          0
  -> 192.168.161.162:6443         Masq    1      0          0
TCP  10.254.18.37:80 rr
  -> 10.254.75.1:80               Masq    1      0          0
  -> 10.254.102.133:80            Masq    1      0          0

10.254.0.1:443 is the kubernetes Service in front of the two apiservers; the second virtual server is the nginx Service, which kube-proxy in IPVS mode round-robins (rr) to the two pod IPs with masquerading. A Service that shows no real servers here has no ready endpoints behind it.
Configure CoreDNS
Official site: https://coredns.io
Download the yaml file
wget https://raw.githubusercontent.com/coredns/deployment/master/kubernetes/coredns.yaml.sed
mv coredns.yaml.sed coredns.yaml
Change the following parts of the configuration file:
# vi coredns.yaml
First change:
...
data:
  Corefile: |
    .:53 {
        errors
        health
        kubernetes cluster.local 10.254.0.0/18 {
          pods insecure
          upstream
          fallthrough in-addr.arpa ip6.arpa
        }
        prometheus :9153
        proxy . /etc/resolv.conf
        cache 30
    }
...
Second change (search for /clusterIP):
clusterIP: 10.254.0.2
Configuration notes
1) errors: errors hit while handling a query are logged to stdout.
2) health: exposes an HTTP endpoint on the given port (default 8080) that returns "OK" while the instance is healthy; the Deployment's liveness probe uses it.
3) kubernetes cluster.local 10.254.0.0/18: cluster.local is the zone CoreDNS serves for the cluster, and the CIDR (the Service IP range) makes the kubernetes plugin authoritative for the matching reverse zone under in-addr.arpa, so PTR queries for Service IPs are answered. In other words, this is what makes reverse lookups work: a forward zone maps names to addresses (A records), a reverse zone maps addresses back to names (PTR records), and a reverse lookup only succeeds when a PTR record exists for that address. Inside the block, `pods insecure` answers any `<ip-with-dashes>.<namespace>.pod.cluster.local` query with that IP without checking that such a pod exists (kept for kube-dns compatibility); `pods verified` only answers when a pod with that IP exists in the namespace and `pods disabled` turns pod records off, so prefer `verified` unless something depends on the old behaviour. `upstream` names the resolvers used for the targets of external CNAMEs (ExternalName Services), and `fallthrough in-addr.arpa ip6.arpa` hands reverse queries the plugin cannot answer to the next plugin instead of returning NXDOMAIN.
4) proxy: forwards queries outside cluster.local to one or more upstream nameservers; `proxy . /etc/resolv.conf` takes the nameservers from the node's /etc/resolv.conf.
5) cache: caches both positive answers and negative answers (NXDOMAIN) with separate cache sizes and TTLs; `cache 30` caps the TTL at 30 seconds.

# kubernetes cluster.local takes the Service IP range
kubernetes cluster.local 10.254.0.0/18
# clusterIP is the address the cluster DNS listens on; it must match the kubelet's --cluster-dns
clusterIP: 10.254.0.2
Create CoreDNS
[root@master1 src]# kubectl apply -f coredns.yaml
serviceaccount/coredns created
clusterrole.rbac.authorization.k8s.io/system:coredns created
clusterrolebinding.rbac.authorization.k8s.io/system:coredns created
configmap/coredns created
deployment.extensions/coredns created
service/kube-dns created
Check what was created:
[root@master1 src]# kubectl get pod,svc -n kube-system -o wide
NAME                                          READY   STATUS    RESTARTS   AGE   IP               NODE    NOMINATED NODE
pod/calico-kube-controllers-79cfd7887-scnnp   1/1     Running   1          2d    192.168.161.78   node2   <none>
pod/calico-node-pwlq4                         2/2     Running   2          2d    192.168.161.77   node1   <none>
pod/calico-node-vmrrq                         2/2     Running   2          2d    192.168.161.78   node2   <none>
pod/coredns-55f86bf584-fqjf2                  1/1     Running   0          23s   10.254.102.139   node1   <none>
pod/coredns-55f86bf584-hsrbp                  1/1     Running   0          23s   10.254.75.21     node2   <none>

NAME               TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)         AGE   SELECTOR
service/kube-dns   ClusterIP   10.254.0.2   <none>        53/UDP,53/TCP   23s   k8s-app=kube-dns
Check the logs
[root@master1 src]# kubectl logs coredns-55f86bf584-hsrbp -n kube-system
.:53
2018/09/22 02:03:06 [INFO] CoreDNS-1.2.2
2018/09/22 02:03:06 [INFO] linux/amd64, go1.11, eb51e8b
CoreDNS-1.2.2
linux/amd64, go1.11, eb51e8b
Verify the DNS service
Before verifying DNS: any pods and Deployments created before DNS was deployed must be deleted and redeployed, otherwise they cannot resolve names. The kubelet writes a pod's /etc/resolv.conf when the pod is created, so existing pods do not pick up the cluster DNS afterwards.
Create a Pod to test DNS
apiVersion: v1
kind: Pod
metadata:
  name: alpine
spec:
  containers:
    - name: alpine
      image: alpine
      command:
        - sleep
        - "3600"
Check the created pods and services
[root@master1 ~]# kubectl get po,svc -o wide
NAME                           READY   STATUS    RESTARTS   AGE   IP               NODE    NOMINATED NODE
pod/alpine                     1/1     Running   0          52s   10.254.102.141   node1   <none>
pod/nginx-dm-fff68d674-fzhqk   1/1     Running   0          3m    10.254.102.140   node1   <none>
pod/nginx-dm-fff68d674-h8n79   1/1     Running   0          3m    10.254.75.22     node2   <none>

NAME                 TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE   SELECTOR
service/kubernetes   ClusterIP   10.254.0.1      <none>        443/TCP   20d   <none>
service/nginx-svc    ClusterIP   10.254.10.144   <none>        80/TCP    3m    name=nginx
Test
[root@master1 ~]# kubectl exec -it alpine nslookup nginx-svc
nslookup: can't resolve '(null)': Name does not resolve

Name:      nginx-svc
Address 1: 10.254.10.144 nginx-svc.default.svc.cluster.local

The "can't resolve '(null)'" line is a harmless quirk of BusyBox nslookup; the answer below it is what matters: the short name nginx-svc was expanded through the pod's search domains to nginx-svc.default.svc.cluster.local and resolved to the Service's ClusterIP.
Deploy DNS autoscaling
Scale the number of DNS replicas automatically with the number of nodes
vim dns-auto-scaling.yaml
kind: ServiceAccount
apiVersion: v1
metadata:
  name: kube-dns-autoscaler
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: system:kube-dns-autoscaler
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["list"]
  - apiGroups: [""]
    resources: ["replicationcontrollers/scale"]
    verbs: ["get", "update"]
  - apiGroups: ["extensions"]
    resources: ["deployments/scale", "replicasets/scale"]
    verbs: ["get", "update"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: system:kube-dns-autoscaler
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
subjects:
  - kind: ServiceAccount
    name: kube-dns-autoscaler
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: system:kube-dns-autoscaler
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kube-dns-autoscaler
  namespace: kube-system
  labels:
    k8s-app: kube-dns-autoscaler
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  selector:
    matchLabels:
      k8s-app: kube-dns-autoscaler
  template:
    metadata:
      labels:
        k8s-app: kube-dns-autoscaler
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      priorityClassName: system-cluster-critical
      containers:
        - name: autoscaler
          image: jicki/cluster-proportional-autoscaler-amd64:1.1.2-r2
          resources:
            requests:
              cpu: "20m"
              memory: "10Mi"
          command:
            - /cluster-proportional-autoscaler
            - --namespace=kube-system
            - --configmap=kube-dns-autoscaler
            - --target=Deployment/coredns
            - --default-params={"linear":{"coresPerReplica":256,"nodesPerReplica":16,"preventSinglePointFailure":true}}
            - --logtostderr=true
            - --v=2
      tolerations:
        - key: "CriticalAddonsOnly"
          operator: "Exists"
      serviceAccountName: kube-dns-autoscaler
Import the file
[root@master1 ~]# kubectl apply -f dns-auto-scaling.yaml
serviceaccount/kube-dns-autoscaler created
clusterrole.rbac.authorization.k8s.io/system:kube-dns-autoscaler created
clusterrolebinding.rbac.authorization.k8s.io/system:kube-dns-autoscaler created
deployment.apps/kube-dns-autoscaler created

These are the images used above; if they cannot be pulled, use the following mirrors instead:

registry.cn-hangzhou.aliyuncs.com/zhdya_centos_docker/zhdya_cc:coredns-1.2.2
registry.cn-hangzhou.aliyuncs.com/zhdya_centos_docker/zhdya_cc:cluster-proportional-autoscaler-amd64_1.1.2-r2
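The --default-params value in the manifest above is what decides how many CoreDNS replicas the autoscaler keeps. The Python below is an added worked example, not part of this tutorial and not code from the cluster-proportional-autoscaler project: it reimplements the linear mode formula documented in that project's README (replicas = max(ceil(cores / coresPerReplica), ceil(nodes / nodesPerReplica)), raised to 2 when preventSinglePointFailure is set and the cluster has more than one node, then clamped to min/max), parses the exact JSON string used in the manifest, and evaluates it for a few cluster sizes. Two details are this example's own assumptions: min defaults to 1 when not given, and a missing or zero coresPerReplica/nodesPerReplica means "no constraint from that resource".

```python
import json
import math
from typing import Any, Dict, Optional


def parse_default_params(arg: str) -> Dict[str, Any]:
    """Convert the JSON given to --default-params into keyword arguments
    for linear_replicas(). Only the "linear" mode is handled here."""
    cfg = json.loads(arg)["linear"]
    params: Dict[str, Any] = {
        # assumption: a missing or zero divisor means "no constraint from that resource"
        "cores_per_replica": float(cfg.get("coresPerReplica", 0)),
        "nodes_per_replica": float(cfg.get("nodesPerReplica", 0)),
        "prevent_single_point_failure": bool(cfg.get("preventSinglePointFailure", False)),
    }
    if "min" in cfg:
        params["min_replicas"] = int(cfg["min"])
    if "max" in cfg:
        params["max_replicas"] = int(cfg["max"])
    return params


def linear_replicas(cores: int, nodes: int, cores_per_replica: float = 0.0,
                    nodes_per_replica: float = 0.0,
                    prevent_single_point_failure: bool = False,
                    min_replicas: int = 1,  # assumption: min defaults to 1 when not given
                    max_replicas: Optional[int] = None) -> int:
    """Linear mode of cluster-proportional-autoscaler:
    replicas = max(ceil(cores / coresPerReplica), ceil(nodes / nodesPerReplica)),
    at least 2 when preventSinglePointFailure is set and the cluster has more than
    one node, then clamped to [min, max]. `nodes` is the schedulable node count and
    `cores` the sum of their CPU capacity; the real controller reads both from the API."""
    by_cores = math.ceil(cores / cores_per_replica) if cores_per_replica > 0 else 0
    by_nodes = math.ceil(nodes / nodes_per_replica) if nodes_per_replica > 0 else 0
    replicas = max(by_cores, by_nodes)
    if prevent_single_point_failure and nodes > 1:
        replicas = max(replicas, 2)
    replicas = max(replicas, min_replicas)
    if max_replicas is not None:
        replicas = min(replicas, max_replicas)
    return replicas


# The exact value passed to --default-params in dns-auto-scaling.yaml above
MANIFEST_PARAMS = '{"linear":{"coresPerReplica":256,"nodesPerReplica":16,"preventSinglePointFailure":true}}'


def replicas_for(cores: int, nodes: int, default_params: str = MANIFEST_PARAMS) -> int:
    """Replica count the autoscaler would set for a cluster of this size."""
    return linear_replicas(cores, nodes, **parse_default_params(default_params))


if __name__ == "__main__":
    # constructed cluster sizes: the two-node lab on this page, a single node, a 100-node cluster
    for cores, nodes in ((8, 2), (4, 1), (3200, 100)):
        print(f"{nodes:>4} nodes / {cores:>5} cores -> {replicas_for(cores, nodes)} replicas")
```

With the manifest's parameters the two-node lab lands on 2 replicas purely because of preventSinglePointFailure; neither the node count nor the core count would demand more than 1 until the cluster passes 16 nodes or 256 cores.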
Deploying Ingress and Dashboard
Deploy heapster
Official dashboard GitHub: https://github.com/kubernetes/dashboard
Official heapster GitHub: https://github.com/kubernetes/heapster
Download the heapster yaml files
wget https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/influxdb/grafana.yaml
wget https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/influxdb/influxdb.yaml
wget https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/influxdb/heapster.yaml
wget https://raw.githubusercontent.com/kubernetes/heapster/master/deploy/kube-config/rbac/heapster-rbac.yaml
The official images keep being updated; when editing the files, also update the version numbers shown below.
Download the heapster images
# Official images
k8s.gcr.io/heapster-grafana-amd64:v4.4.3
k8s.gcr.io/heapster-amd64:v1.5.3
k8s.gcr.io/heapster-influxdb-amd64:v1.3.3

# Personal mirror
jicki/heapster-grafana-amd64:v4.4.3
jicki/heapster-amd64:v1.5.3
jicki/heapster-influxdb-amd64:v1.3.3

# Alternative Aliyun mirror
registry.cn-hangzhou.aliyuncs.com/zhdya_centos_docker/zhdya_cc:heapster-grafana-amd64-v4.4.3
registry.cn-hangzhou.aliyuncs.com/zhdya_centos_docker/zhdya_cc:heapster-amd64-v1.5.3
registry.cn-hangzhou.aliyuncs.com/zhdya_centos_docker/zhdya_cc:heapster-influxdb-amd64-v1.3.3

# Replace the image registry in all yaml files
sed -i 's/k8s\.gcr\.io/jicki/g' *.yaml

Note that a mirror under a personal Docker Hub account is only as trustworthy as that account; these add-ons run in kube-system with elevated RBAC, so if the official registry is unreachable, prefer pulling once, verifying the digest against the official image and pinning it by digest.
Modify the yaml files
# heapster.yaml
#### Change the following ####
# The kubelet has HTTPS enabled, so the source must use the HTTPS port
- --source=kubernetes:https://kubernetes.default
changes to
- --source=kubernetes:https://kubernetes.default?kubeletHttps=true&kubeletPort=10250&insecure=true

insecure=true tells heapster not to verify the kubelet's serving certificate on port 10250, so it would also accept a certificate from anything impersonating a kubelet. That is tolerable in this lab; where the kubelets have certificates issued by the cluster CA, drop the parameter so the connection is verified.
# heapster-rbac.yaml
#### Change the following ####
# Bind the ServiceAccount kube-system:heapster to the ClusterRole system:kubelet-api-admin, granting it permission to call the kubelet API
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: heapster
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:heapster
subjects:
  - kind: ServiceAccount
    name: heapster
    namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: heapster-kubelet-api
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:kubelet-api-admin
subjects:
  - kind: ServiceAccount
    name: heapster
    namespace: kube-system

system:kubelet-api-admin grants every verb on nodes/proxy, nodes/stats, nodes/log, nodes/metrics and nodes/spec, far more than the stats heapster reads: with that binding the heapster token can exec into any pod on any node through the kubelet. Treat the ServiceAccount's token secret as a cluster-wide credential, or bind a custom ClusterRole limited to nodes/stats and nodes/metrics instead.
Create:
[root@master1 dashboard180922]# kubectl apply -f .
deployment.extensions/monitoring-grafana created
service/monitoring-grafana created
clusterrolebinding.rbac.authorization.k8s.io/heapster created
clusterrolebinding.rbac.authorization.k8s.io/heapster-kubelet-api created
serviceaccount/heapster created
deployment.extensions/heapster created
service/heapster created
deployment.extensions/monitoring-influxdb created
service/monitoring-influxdb created
This may take a while, depending on the server's network; the kubelet log shows the pull progress:
[root@node1 ~]# journalctl -u kubelet -f
-- Logs begin at Sat 2018-09-22 09:07:48 CST. --
Sep 22 10:34:55 node1 kubelet[2301]: I0922 10:34:55.701016    2301 kube_docker_client.go:345] Pulling image "jicki/heapster-grafana-amd64:v4.4.3": "a05a7a3d2d4f: Downloading [=======>                                           ]  7.617MB/50.21MB"
Sep 22 10:35:05 node1 kubelet[2301]: I0922 10:35:05.700868    2301 kube_docker_client.go:345] Pulling image "jicki/heapster-grafana-amd64:v4.4.3": "a05a7a3d2d4f: Downloading [========>                                          ]  8.633MB/50.21MB"
Sep 22 10:35:15 node1 kubelet[2301]: I0922 10:35:15.701193    2301 kube_docker_client.go:345] Pulling image "jicki/heapster-grafana-amd64:v4.4.3": "a05a7a3d2d4f: Downloading [==========>                                        ]  10.66MB/50.21MB"
Sep 22 10:35:25 node1 kubelet[2301]: I0922 10:35:25.700980    2301 kube_docker_client.go:345] Pulling image "jicki/heapster-grafana-amd64:v4.4.3": "a05a7a3d2d4f: Downloading [============>                                      ]  12.69MB/50.21MB"
Sep 22 10:35:35 node1 kubelet[2301]: I0922 10:35:35.700779    2301 kube_docker_client.go:345] Pulling image "jicki/heapster-grafana-amd64:v4.4.3": "a05a7a3d2d4f: Downloading [===============>                                   ]  15.74MB/50.21MB"
Sep 22 10:35:45 node1 kubelet[2301]: I0922 10:35:45.701359    2301 kube_docker_client.go:345] Pulling image "jicki/heapster-grafana-amd64:v4.4.3": "a05a7a3d2d4f: Downloading [==================>                                ]  18.28MB/50.21MB"
Sep 22 10:35:55 node1 kubelet[2301]: I0922 10:35:55.701618    2301 kube_docker_client.go:345] Pulling image "jicki/heapster-grafana-amd64:v4.4.3": "a05a7a3d2d4f: Downloading [====================>                              ]  20.82MB/50.21MB"
Sep 22 10:36:05 node1 kubelet[2301]: I0922 10:36:05.701611    2301 kube_docker_client.go:345] Pulling image "jicki/heapster-grafana-amd64:v4.4.3": "a05a7a3d2d4f: Downloading [=========================>                         ]  25.39MB/50.21MB"
Sep 22 10:36:15 node1 kubelet[2301]: I0922 10:36:15.700926    2301 kube_docker_client.go:345] Pulling image "jicki/heapster-grafana-amd64:v4.4.3": "a05a7a3d2d4f: Downloading [==============================>                    ]  30.99MB/50.21MB"
Sep 22 10:36:25 node1 kubelet[2301]: I0922 10:36:25.700931    2301 kube_docker_client.go:345] Pulling image "jicki/heapster-grafana-amd64:v4.4.3": "a05a7a3d2d4f: Downloading [==================================>                ]  34.55MB/50.21MB"
Sep 22 10:36:35 node1 kubelet[2301]: I0922 10:36:35.701950    2301 kube_docker_client.go:345] Pulling image "jicki/heapster-grafana-amd64:v4.4.3": "a05a7a3d2d4f: Downloading [==================================>                ]  34.55MB/50.21MB"
Check the deployment
[root@master1 dashboard180922]# kubectl get po,svc -n kube-system -o wide
NAME                                          READY   STATUS    RESTARTS   AGE   IP               NODE    NOMINATED NODE
pod/calico-kube-controllers-79cfd7887-scnnp   1/1     Running   1          2d    192.168.161.78   node2   <none>
pod/calico-node-pwlq4                         2/2     Running   2          2d    192.168.161.77   node1   <none>
pod/calico-node-vmrrq                         2/2     Running   2          2d    192.168.161.78   node2   <none>
pod/coredns-55f86bf584-fqjf2                  1/1     Running   0          44m   10.254.102.139   node1   <none>
pod/coredns-55f86bf584-hsrbp                  1/1     Running   0          44m   10.254.75.21     node2   <none>
pod/heapster-745d7bc8b7-zk65c                 1/1     Running   0          13m   10.254.75.51     node2   <none>
pod/kube-dns-autoscaler-66d448df8f-4zvw6      1/1     Running   0          32m   10.254.102.142   node1   <none>
pod/monitoring-grafana-558c44f948-m2tzz       1/1     Running   0          1m    10.254.75.6      node2   <none>
pod/monitoring-influxdb-f6bcc9795-496jd       1/1     Running   0          13m   10.254.102.147   node1   <none>

NAME                          TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)         AGE   SELECTOR
service/heapster              ClusterIP   10.254.4.11    <none>        80/TCP          13m   k8s-app=heapster
service/kube-dns              ClusterIP   10.254.0.2     <none>        53/UDP,53/TCP   44m   k8s-app=kube-dns
service/monitoring-grafana    ClusterIP   10.254.25.50   <none>        80/TCP          1m    k8s-app=grafana
service/monitoring-influxdb   ClusterIP   10.254.37.83   <none>        8086/TCP        13m   k8s-app=influxdb
Deploy the dashboard
Download the dashboard image
# Official image
k8s.gcr.io/kubernetes-dashboard-amd64:v1.8.3
# Personal mirror
jicki/kubernetes-dashboard-amd64:v1.8.3
# Aliyun mirror
registry.cn-hangzhou.aliyuncs.com/zhdya_centos_docker/zhdya_cc:kubernetes-dashboard-amd64-v1.8.3
Download the yaml file
curl -O https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
Import the yaml
# Replace the image registry; make sure the image tag in the file is v1.8.3
sed -i 's/k8s\.gcr\.io/jicki/g' kubernetes-dashboard.yaml
Create the dashboard
[root@master1 dashboard180922]# kubectl apply -f kubernetes-dashboard.yaml
secret/kubernetes-dashboard-certs created
serviceaccount/kubernetes-dashboard created
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
deployment.apps/kubernetes-dashboard created
service/kubernetes-dashboard created
Check the created dashboard
[root@master1 dashboard180922]# kubectl get po,svc -n kube-system -o wide | grep dashboard
pod/kubernetes-dashboard-65666d4586-bb66s   1/1     Running   0          7m    10.254.102.151   node1   <none>
service/kubernetes-dashboard   ClusterIP   10.254.3.42   <none>        443/TCP   7m    k8s-app=kubernetes-dashboard
Deploy Nginx Ingress
Kubernetes currently offers three ways to expose a service: a LoadBalancer Service, a NodePort Service, or an Ingress. What is an Ingress? An Ingress exposes Kubernetes services through a load balancer such as Nginx or HAProxy: the Ingress resource holds the host and path rules, and an Ingress controller turns them into that load balancer's configuration. Official Nginx Ingress GitHub: https://github.com/kubernetes/ingress-nginx/
Configure node scheduling
# There are several ways to run the ingress controller:
# 1. Deployment: free scheduling, controlled by replicas
# 2. DaemonSet: global scheduling, one pod on every node
# With a Deployment we want to pin the controller to specific nodes, so those nodes need a label.
# Default state:
[root@master1 ~]# kubectl get node
NAME    STATUS   ROLES    AGE   VERSION
node1   Ready    <none>   20d   v1.11.2
node2   Ready    <none>   8d    v1.11.2
# Label node1 and node2
[root@master1 ~]# kubectl label nodes node1 ingress=proxy
node/node1 labeled
[root@master1 ~]# kubectl label nodes node2 ingress=proxy
node/node2 labeled
# After labelling
[root@master1 ~]# kubectl get nodes --show-labels
NAME    STATUS   ROLES    AGE   VERSION   LABELS
node1   Ready    <none>   20d   v1.11.2   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,ingress=proxy,kubernetes.io/hostname=node1
node2   Ready    <none>   9d    v1.11.2   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,ingress=proxy,kubernetes.io/hostname=node2
Download the images
# Official images
gcr.io/google_containers/defaultbackend:1.4
quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.16.2
# Domestic mirror
jicki/defaultbackend:1.4
jicki/nginx-ingress-controller:0.16.2
# Aliyun mirror
registry.cn-hangzhou.aliyuncs.com/zhdya_centos_docker/zhdya_cc:defaultbackend-1.4
registry.cn-hangzhou.aliyuncs.com/zhdya_centos_docker/zhdya_cc:nginx-ingress-controller-0.16.2
Download the yaml files
Deploy the Nginx default backend, which answers every request whose hostname matches no Ingress rule with a fixed page.
curl -O https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/namespace.yaml
curl -O https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/default-backend.yaml
curl -O https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/configmap.yaml
curl -O https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/tcp-services-configmap.yaml
curl -O https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/udp-services-configmap.yaml

# Ingress RBAC
curl -O https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/rbac.yaml

# Ingress Controller
curl -O https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/with-rbac.yaml

# tcp-services and udp-services: an Ingress resource only describes HTTP/HTTPS routing, so plain TCP and UDP
# forwarding is configured through these two ConfigMaps, which the controller reads via
# --tcp-services-configmap and --udp-services-configmap. Each key is the port the controller listens on,
# each value is "<namespace>/<service>:<service port>".
# Two examples:

# TCP example
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services
  namespace: ingress-nginx
data:
  9000: "default/tomcat:8080"
# This forwards port 9000 on the ingress nodes to port 8080 of the tomcat Service.

# UDP example
apiVersion: v1
kind: ConfigMap
metadata:
  name: udp-services
  namespace: ingress-nginx
data:
  53: "kube-system/kube-dns:53"

# Replace all images
sed -i 's/gcr\.io\/google_containers/jicki/g' *
sed -i 's/quay\.io\/kubernetes-ingress-controller/jicki/g' *

# Two nodes were labelled above, so set replicas: 2
# Edit with-rbac.yaml: add the RBAC ServiceAccount, hostNetwork and the nodeSelector under the second spec
vim with-rbac.yaml
First change:
spec:
  replicas: 2
Second change (search for /nginx-ingress-serviceaccount and add below it):
....
    spec:
      serviceAccountName: nginx-ingress-serviceaccount
      hostNetwork: true
      nodeSelector:
        ingress: proxy
....
Third change:
# add an "other" port for the TCP forwarding configured later
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
            - name: other
              containerPort: 8888

hostNetwork: true puts the controller in the node's network namespace: ports 80 and 443, and every port listed in tcp-services or udp-services, are bound directly on the node IP of each ingress=proxy node and reachable by anything that can reach those nodes. Keep that in mind before adding cluster-internal services such as kube-dns or the dashboard to those ConfigMaps.
Import the yaml files
[root@master1 ingress-service]# kubectl apply -f namespace.yaml
namespace/ingress-nginx created
[root@master1 ingress-service]# kubectl get ns
NAME            STATUS   AGE
default         Active   20d
ingress-nginx   Active   6s
kube-public     Active   20d
kube-system     Active   20d
[root@master1 ingress-service]# kubectl apply -f .
configmap/nginx-configuration created
deployment.extensions/default-http-backend created
service/default-http-backend created
namespace/ingress-nginx configured
serviceaccount/nginx-ingress-serviceaccount created
clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole created
role.rbac.authorization.k8s.io/nginx-ingress-role created
rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding created
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding created
configmap/tcp-services created
configmap/udp-services created
deployment.extensions/nginx-ingress-controller created

# Check the pods: the two controller pods were scheduled to .77 (node1) and .78 (node2)
[root@master1 ingress-service]# kubectl get pods -n ingress-nginx -o wide
NAME                                       READY   STATUS    RESTARTS   AGE   IP               NODE    NOMINATED NODE
default-http-backend-6b89c8bdcb-vvl9f      1/1     Running   0          9m    10.254.102.163   node1   <none>
nginx-ingress-controller-cf8d4564d-5vz7h   1/1     Running   0          9m    10.254.75.16     node2   <none>
nginx-ingress-controller-cf8d4564d-z7q4b   1/1     Running   0          9m    10.254.102.158   node1   <none>

# Check the pods created earlier
[root@master1 ingress-service]# kubectl get pods -o wide
NAME                       READY   STATUS    RESTARTS   AGE   IP               NODE    NOMINATED NODE
alpine                     1/1     Running   3          6h    10.254.102.141   node1   <none>
nginx-dm-fff68d674-fzhqk   1/1     Running   0          6h    10.254.102.140   node1   <none>
nginx-dm-fff68d674-h8n79   1/1     Running   0          6h    10.254.75.22     node2   <none>
Create an Ingress for nginx-dm
vi nginx-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-ingress
spec:
  rules:
    - host: nginx.zhdya.cn
      http:
        paths:
          - backend:
              serviceName: nginx-svc
              servicePort: 80

Notes:
- host is the virtual hostname. Because the controller runs with hostNetwork on the ingress=proxy nodes, map it in /etc/hosts to the IP of node1 or node2; every request for nginx.zhdya.cn then reaches the nginx-svc backend.
- servicePort is the port defined on the Service, not a NodePort.

# Create and check
[root@master1 ingress-service]# kubectl create -f nginx-ingress.yaml
ingress.extensions/nginx-ingress created
[root@master1 ingress-service]# kubectl get ingress
NAME            HOSTS            ADDRESS   PORTS   AGE
nginx-ingress   nginx.zhdya.cn             80      10s

# Test access
[root@node1 ~]# curl nginx.zhdya.cn
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
To access it from a local browser, add the same hosts entry on your workstation.
# Create an HTTPS ingress for the dashboard
# Recent dashboard versions serve TLS themselves, so first proxy raw TCP to port 443
# Check the dashboard svc
[root@master1 ~]# kubectl get svc -n kube-system
NAME                   TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)         AGE
heapster               ClusterIP   10.254.4.11    <none>        80/TCP          2d
kube-dns               ClusterIP   10.254.0.2     <none>        53/UDP,53/TCP   3d
kubernetes-dashboard   ClusterIP   10.254.3.42    <none>        443/TCP         2d
monitoring-grafana     ClusterIP   10.254.25.50   <none>        80/TCP          2d
monitoring-influxdb    ClusterIP   10.254.37.83   <none>        8086/TCP        2d

# Edit tcp-services-configmap.yaml
[root@master1 src]# vim tcp-services-configmap.yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: tcp-services
  namespace: ingress-nginx
data:
  8888: "kube-system/kubernetes-dashboard:443"

# Load the configuration
[root@master1 src]# kubectl apply -f tcp-services-configmap.yaml
configmap/tcp-services configured

# Check
[root@master1 src]# kubectl get configmap/tcp-services -n ingress-nginx
NAME           DATA   AGE
tcp-services   1      2d
[root@master1 src]# kubectl describe configmap/tcp-services -n ingress-nginx
Name:         tcp-services
Namespace:    ingress-nginx
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","data":{"8888":"kube-system/kubernetes-dashboard:443"},"kind":"ConfigMap","metadata":{"annotations":{},"name":"tcp-services","namesp...

Data
====
8888:
----
kube-system/kubernetes-dashboard:443
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  CREATE  2d    nginx-ingress-controller  ConfigMap ingress-nginx/tcp-services
  Normal  CREATE  2d    nginx-ingress-controller  ConfigMap ingress-nginx/tcp-services
  Normal  CREATE  2d    nginx-ingress-controller  ConfigMap ingress-nginx/tcp-services
  Normal  CREATE  2d    nginx-ingress-controller  ConfigMap ingress-nginx/tcp-services
  Normal  CREATE  20m   nginx-ingress-controller  ConfigMap ingress-nginx/tcp-services
  Normal  CREATE  19m   nginx-ingress-controller  ConfigMap ingress-nginx/tcp-services
  Normal  CREATE  19m   nginx-ingress-controller  ConfigMap ingress-nginx/tcp-services
  Normal  UPDATE  1m    nginx-ingress-controller  ConfigMap ingress-nginx/tcp-services

# Test access
[root@node1 ~]# curl -I -k https://dashboard.zhdya.cn:8888
curl: (6) Could not resolve host: dashboard.zhdya.cn; Unknown name or service
This error is expected: the hostname still has to be added to hosts. Look up the Service on the master:
[root@master1 src]# kubectl get svc -n kube-system -o wide | grep dashboard
kubernetes-dashboard   ClusterIP   10.254.3.42   <none>        443/TCP   2d    k8s-app=kubernetes-dashboard
Then add the hosts entry on the node
[root@node1 ~]# vim /etc/hosts
10.254.3.42 dashboard.zhdya.cn
[root@node1 ~]# curl -I -k https://dashboard.zhdya.cn:8888
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: no-store
Content-Length: 990
Content-Type: text/html; charset=utf-8
Last-Modified: Tue, 13 Feb 2018 11:17:03 GMT
Date: Tue, 25 Sep 2018 02:51:18 GMT

Two caveats on this test. First, the dashboard Service only exposes port 443; the connection to 10.254.3.42:8888 succeeds from node1 only because kube-proxy in IPVS mode also assigns every ClusterIP to the node's local kube-ipvs0 interface, so the packet lands on the controller listening on port 8888 in the host network. From any other machine, point dashboard.zhdya.cn at an ingress node's IP (192.168.161.77 or 192.168.161.78) instead. Second, a tcp-services entry is a raw TCP pass-through with no Ingress-level authentication or host matching, so this opens the dashboard login page on port 8888 of every ingress node.
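Both the tcp-services examples earlier in this section and the dashboard entry above use the same value format, and a typo in it (or an entry that quietly exposes a kube-system service) is easy to miss in a ConfigMap. The Python below is an added example, not from this page or from the ingress-nginx project: it parses the `<namespace>/<service>:<port>[:PROXY][:PROXY]` format that ingress-nginx reads from these ConfigMaps, rejects bad listen ports and malformed targets, and reports every entry that exposes a service from a sensitive namespace. The sample ConfigMap data is constructed for the example, and the list of sensitive namespaces is this example's own choice.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the data: section of a tcp-services ConfigMap, listen port -> target
SAMPLE_TCP_SERVICES: Dict[str, str] = {
    "9000": "default/tomcat:8080",                    # the tcp example above
    "8888": "kube-system/kubernetes-dashboard:443",   # the dashboard entry above
    "3306": "default/mysql:3306:PROXY:PROXY",         # PROXY protocol towards client and backend
    "70000": "default/web:80",                        # listen port out of range
    "22": "sshd:22",                                  # malformed: missing namespace
}

# Value format read by the controller: <namespace>/<service>:<port>[:PROXY][:PROXY]
ENTRY_RE = re.compile(r"^([^/:\s]+)/([^/:\s]+):(\d+)(?::(PROXY)?)?(?::(PROXY)?)?$")

# Namespaces whose services should not be put on the ingress nodes' host network
# without a second look (assumption: this list is the example's own choice)
SENSITIVE_NAMESPACES = ("kube-system",)


def _valid_port(value: str) -> bool:
    return value.isdigit() and 1 <= int(value) <= 65535


def check_tcp_services(data: Dict[str, str]) -> Tuple[List[dict], List[str]]:
    """Parse every entry and return (accepted entries, problems).
    An entry is rejected for a bad listen port or a malformed target; a valid
    entry that exposes a sensitive namespace is kept but reported, because it
    opens that service on the host network of every ingress node."""
    entries: List[dict] = []
    problems: List[str] = []
    for listen, target in data.items():
        if not _valid_port(listen):
            problems.append(f"{listen}: listen port must be 1-65535")
            continue
        m = ENTRY_RE.match(target)
        if not m:
            problems.append(f"{listen}: malformed target {target!r}")
            continue
        ns, svc, port, proxy_in, proxy_out = m.groups()
        if not _valid_port(port):
            problems.append(f"{listen}: service port {port} out of range")
            continue
        entries.append({"listen": int(listen), "namespace": ns, "service": svc,
                        "port": int(port), "proxy_in": proxy_in is not None,
                        "proxy_out": proxy_out is not None})
        if ns in SENSITIVE_NAMESPACES:
            problems.append(f"{listen}: exposes {ns}/{svc}:{port} on the host network of every "
                            f"ingress node with no Ingress-level authentication")
    return entries, problems


if __name__ == "__main__":
    ok, bad = check_tcp_services(SAMPLE_TCP_SERVICES)
    for e in ok:
        flags = (" (PROXY in)" if e["proxy_in"] else "") + (" (PROXY out)" if e["proxy_out"] else "")
        print(f"listen {e['listen']:>5} -> {e['namespace']}/{e['service']}:{e['port']}{flags}")
    for p in bad:
        print("WARN", p)
```

On a live cluster the `data` dict can be taken from `kubectl get configmap tcp-services -n ingress-nginx -o json`; the same check applies unchanged to udp-services.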
# Configure a domain-based HTTPS ingress
# Create a self-signed certificate for the domain
[root@master1 dashboard-keys]# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout dashboard.zhdya.cn-key.key -out dashboard.zhdya.cn.pem -subj "/CN=dashboard.zhdya.cn"
Generating a 2048 bit RSA private key
.......+++
..............+++
writing new private key to 'dashboard.zhdya.cn-key.key'
-----
[root@master1 dashboard-keys]# kubectl create secret tls dashboard-secret --namespace=kube-system --cert dashboard.zhdya.cn.pem --key dashboard.zhdya.cn-key.key
secret/dashboard-secret created

A certificate that carries only a CN and no subjectAltName is rejected by current browsers; with OpenSSL 1.1.1 or newer add -addext "subjectAltName=DNS:dashboard.zhdya.cn" to the command above.

# Check the secret
[root@master1 dashboard-keys]# kubectl get secret -n kube-system | grep dashboard
dashboard-secret                   kubernetes.io/tls                     2      55s
kubernetes-dashboard-certs         Opaque                                0      2d
kubernetes-dashboard-key-holder    Opaque                                2      2d
kubernetes-dashboard-token-r98wk   kubernetes.io/service-account-token   3      2d

# Create the Ingress
vi dashboard-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/secure-backends: "true"
spec:
  tls:
    - hosts:
        - dashboard.zhdya.cn
      secretName: dashboard-secret
  rules:
    - host: dashboard.zhdya.cn
      http:
        paths:
          - path: /
            backend:
              serviceName: kubernetes-dashboard
              servicePort: 443

The annotation prefix this controller version reads is nginx.ingress.kubernetes.io; an annotation written with the older ingress.kubernetes.io prefix is silently ignored. ssl-passthrough also only takes effect when the controller runs with --enable-ssl-passthrough, and when it is active the TLS connection is handed straight to the dashboard pod, so the certificate the browser sees is the dashboard's own rather than the one in dashboard-secret.

# Apply
[root@master1 src]# kubectl apply -f dashboard-ingress.yaml
ingress.extensions/kubernetes-dashboard created
[root@master1 src]# kubectl get ingress -n kube-system
NAME                   HOSTS                ADDRESS   PORTS     AGE
kubernetes-dashboard   dashboard.zhdya.cn             80, 443   37s
Test access
# Login authentication
# First create a dashboard RBAC super user
vi dashboard-admin-rbac.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-admin
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-admin
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard-admin
    namespace: kube-system

# Import the file
[root@master1 src]# kubectl apply -f dashboard-admin-rbac.yaml
serviceaccount/kubernetes-dashboard-admin created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-admin created

# Find the super user's token secret
[root@master1 src]# kubectl -n kube-system get secret | grep kubernetes-dashboard-admin
kubernetes-dashboard-admin-token-kq27d   kubernetes.io/service-account-token   3      38s

# Show the token
[root@master1 src]# kubectl describe -n kube-system secret/kubernetes-dashboard-admin-token-kq27d

This binding turns the ServiceAccount's token into a non-expiring cluster-admin credential: anyone who obtains it (from the secret, from a browser session, from a terminal log where it was pasted) controls the whole cluster. That is acceptable for a lab; anywhere else, bind a narrower ClusterRole such as view or a custom one, and rotate the token by deleting the secret when it may have leaked.
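A cluster tends to accumulate bindings like the one just created, so it pays to list who holds cluster-admin before handing out more dashboard tokens. The Python below is an added example, not from this page or from any Kubernetes project: it reads the JSON that `kubectl get clusterrolebindings -o json` produces, collects every subject bound to the cluster-admin ClusterRole and singles out ServiceAccounts, whose tokens are long-lived secrets. The embedded JSON is a constructed sample trimmed to the fields the code uses; it includes the kubernetes-dashboard-admin binding from above, the default system:masters binding, an unrelated binding, and a binding with no subjects at all, which the API allows and which a naive loop would crash on.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`,
# trimmed to the fields used; it includes the binding created above.
SAMPLE_CRB_JSON = """
{
  "kind": "List",
  "items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters", "apiGroup": "rbac.authorization.k8s.io"}]},
    {"metadata": {"name": "kubernetes-dashboard-admin"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard-admin", "namespace": "kube-system"}]},
    {"metadata": {"name": "system:kube-dns-autoscaler"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "system:kube-dns-autoscaler"},
     "subjects": [{"kind": "ServiceAccount", "name": "kube-dns-autoscaler", "namespace": "kube-system"}]},
    {"metadata": {"name": "dangling-admin"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"}}
  ]
}
"""


def cluster_admin_subjects(crb_json: str) -> List[Dict[str, str]]:
    """Every subject of every ClusterRoleBinding whose roleRef is the cluster-admin
    ClusterRole. A binding may have no subjects (the API allows it), so that field
    is treated as optional instead of assumed."""
    found: List[Dict[str, str]] = []
    for item in json.loads(crb_json).get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        for subj in item.get("subjects") or []:
            found.append({
                "binding": item["metadata"]["name"],
                "kind": subj.get("kind", ""),
                "name": subj.get("name", ""),
                "namespace": subj.get("namespace", ""),
            })
    return found


def service_account_admins(crb_json: str) -> List[Dict[str, str]]:
    """ServiceAccounts holding cluster-admin: each one is a long-lived token secret
    that anyone with read access to its namespace can turn into full cluster control."""
    return [s for s in cluster_admin_subjects(crb_json) if s["kind"] == "ServiceAccount"]


if __name__ == "__main__":
    # Live usage: kubectl get clusterrolebindings -o json | python3 audit.py -
    import sys
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_CRB_JSON
    for s in cluster_admin_subjects(text):
        where = f"{s['namespace']}/" if s["namespace"] else ""
        flag = "  <-- ServiceAccount token = cluster-admin credential" if s["kind"] == "ServiceAccount" else ""
        print(f"{s['binding']}: {s['kind']} {where}{s['name']}{flag}")
```

Run against the sample it lists system:masters (expected on every cluster) and flags kube-system/kubernetes-dashboard-admin; the autoscaler binding is skipped because its ClusterRole is not cluster-admin. Extending the same loop to RoleBindings that reference cluster-admin is straightforward if namespace-scoped grants matter too.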
Then open the web UI, choose token login and paste the token.
And the familiar dashboard view appears: