Update to kubernetes-dashboard 2.0 and istio 1.5

pull/93/head
Li Yi 5 years ago
parent 13501e23c6
commit de54e8c9ef

@ -94,7 +94,7 @@ kubectl get nodes
#### 部署 Kubernetes dashboard #### 部署 Kubernetes dashboard
```shell ```shell
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-rc5/aio/deploy/recommended.yaml
``` ```
@ -103,6 +103,12 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/
kubectl create -f kubernetes-dashboard.yaml kubectl create -f kubernetes-dashboard.yaml
``` ```
检查 kubernetes-dashboard 应用状态
```shell
kubectl get pod -n kubernetes-dashboard
```
开启 API Server 访问代理 开启 API Server 访问代理
```shell ```shell
@ -111,7 +117,7 @@ kubectl proxy
通过如下 URL 访问 Kubernetes dashboard 通过如下 URL 访问 Kubernetes dashboard
http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/overview?namespace=default http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
#### 配置控制台访问令牌 #### 配置控制台访问令牌
@ -262,11 +268,11 @@ helm uninstall wordpress
可以根据文档安装 Istio https://istio.io/docs/setup/getting-started/ 可以根据文档安装 Istio https://istio.io/docs/setup/getting-started/
#### 下载 Istio 1.4.0 #### 下载 Istio 1.5.0
```bash ```bash
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.4.0 sh - curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.5.0 sh -
cd istio-1.4.0 cd istio-1.5.0
export PATH=$PWD/bin:$PATH export PATH=$PWD/bin:$PATH
``` ```

@ -73,7 +73,7 @@ kubectl get nodes
#### Install Kubernetes dashboard #### Install Kubernetes dashboard
```shell ```shell
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-rc5/aio/deploy/recommended.yaml
``` ```
or or
@ -82,6 +82,12 @@ or
kubectl create -f kubernetes-dashboard.yaml kubectl create -f kubernetes-dashboard.yaml
``` ```
Check Kubernetes Dashboard status
```shell
kubectl get pod -n kubernetes-dashboard
```
Start proxy for API server Start proxy for API server
```shell ```shell
@ -90,7 +96,7 @@ kubectl proxy
#### Access Kubernetes dashboard #### Access Kubernetes dashboard
http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/overview?namespace=default http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
#### Config Token for dashboard #### Config Token for dashboard
@ -160,11 +166,11 @@ helm repo update
More details can be found in https://istio.io/docs/setup/getting-started/ More details can be found in https://istio.io/docs/setup/getting-started/
#### Download Istio 1.4.0 and install CLI #### Download Istio 1.5.0 and install CLI
```shell ```shell
curl -L https://git.io/getLatestIstio | ISTIO_VERSION=1.4.0 sh - curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.5.0 sh -
cd istio-1.4.0/ cd istio-1.5.0/
export PATH=$PWD/bin:$PATH export PATH=$PWD/bin:$PATH
``` ```

@ -5,5 +5,4 @@ k8s.gcr.io/kube-proxy:v1.16.5=registry.cn-hangzhou.aliyuncs.com/google_container
k8s.gcr.io/kube-apiserver:v1.16.5=registry.cn-hangzhou.aliyuncs.com/google_containers/kube-apiserver:v1.16.5 k8s.gcr.io/kube-apiserver:v1.16.5=registry.cn-hangzhou.aliyuncs.com/google_containers/kube-apiserver:v1.16.5
k8s.gcr.io/etcd:3.3.15-0=registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.3.15-0 k8s.gcr.io/etcd:3.3.15-0=registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.3.15-0
k8s.gcr.io/coredns:1.6.2=registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:1.6.2 k8s.gcr.io/coredns:1.6.2=registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:1.6.2
k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1=registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.26.1=registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:0.26.1 quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.26.1=registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:0.26.1

@ -12,7 +12,38 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
# ------------------- Dashboard Secret ------------------- # apiVersion: v1
kind: Namespace
metadata:
name: kubernetes-dashboard
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
---
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
spec:
ports:
- port: 443
targetPort: 8443
selector:
k8s-app: kubernetes-dashboard
---
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
@ -20,74 +51,121 @@ metadata:
labels: labels:
k8s-app: kubernetes-dashboard k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-certs name: kubernetes-dashboard-certs
namespace: kube-system namespace: kubernetes-dashboard
type: Opaque type: Opaque
--- ---
# ------------------- Dashboard Service Account ------------------- #
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: Secret
metadata: metadata:
labels: labels:
k8s-app: kubernetes-dashboard k8s-app: kubernetes-dashboard
name: kubernetes-dashboard name: kubernetes-dashboard-csrf
namespace: kube-system namespace: kubernetes-dashboard
type: Opaque
data:
csrf: ""
---
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-key-holder
namespace: kubernetes-dashboard
type: Opaque
---
kind: ConfigMap
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-settings
namespace: kubernetes-dashboard
--- ---
# ------------------- Dashboard Role & Role Binding ------------------- #
kind: Role kind: Role
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: kubernetes-dashboard-minimal labels:
namespace: kube-system k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
rules: rules:
# Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
# Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
# Allow Dashboard to get, update and delete Dashboard exclusive secrets. # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""] - apiGroups: [""]
resources: ["secrets"] resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"] resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
verbs: ["get", "update", "delete"] verbs: ["get", "update", "delete"]
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""] - apiGroups: [""]
resources: ["configmaps"] resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"] resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"] verbs: ["get", "update"]
# Allow Dashboard to get metrics from heapster. # Allow Dashboard to get metrics.
- apiGroups: [""] - apiGroups: [""]
resources: ["services"] resources: ["services"]
resourceNames: ["heapster"] resourceNames: ["heapster", "dashboard-metrics-scraper"]
verbs: ["proxy"] verbs: ["proxy"]
- apiGroups: [""] - apiGroups: [""]
resources: ["services/proxy"] resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:"] resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
verbs: ["get"] verbs: ["get"]
--- ---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
rules:
# Allow Metrics Scraper to get metrics from the Metrics server
- apiGroups: ["metrics.k8s.io"]
resources: ["pods", "nodes"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: kubernetes-dashboard-minimal labels:
namespace: kube-system k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: Role kind: Role
name: kubernetes-dashboard-minimal name: kubernetes-dashboard
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: kubernetes-dashboard name: kubernetes-dashboard
namespace: kube-system namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubernetes-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubernetes-dashboard
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kubernetes-dashboard
--- ---
# ------------------- Dashboard Deployment ------------------- #
kind: Deployment kind: Deployment
apiVersion: apps/v1 apiVersion: apps/v1
@ -95,7 +173,7 @@ metadata:
labels: labels:
k8s-app: kubernetes-dashboard k8s-app: kubernetes-dashboard
name: kubernetes-dashboard name: kubernetes-dashboard
namespace: kube-system namespace: kubernetes-dashboard
spec: spec:
replicas: 1 replicas: 1
revisionHistoryLimit: 10 revisionHistoryLimit: 10
@ -109,12 +187,14 @@ spec:
spec: spec:
containers: containers:
- name: kubernetes-dashboard - name: kubernetes-dashboard
image: registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1 image: kubernetesui/dashboard:v2.0.0-rc5
imagePullPolicy: Always
ports: ports:
- containerPort: 8443 - containerPort: 8443
protocol: TCP protocol: TCP
args: args:
- --auto-generate-certificates - --auto-generate-certificates
- --namespace=kubernetes-dashboard
# Uncomment the following line to manually specify Kubernetes API server Host # Uncomment the following line to manually specify Kubernetes API server Host
# If not specified, Dashboard will attempt to auto discover the API server and connect # If not specified, Dashboard will attempt to auto discover the API server and connect
# to it. Uncomment only if the default does not work. # to it. Uncomment only if the default does not work.
@ -132,6 +212,11 @@ spec:
port: 8443 port: 8443
initialDelaySeconds: 30 initialDelaySeconds: 30
timeoutSeconds: 30 timeoutSeconds: 30
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 2001
volumes: volumes:
- name: kubernetes-dashboard-certs - name: kubernetes-dashboard-certs
secret: secret:
@ -139,24 +224,79 @@ spec:
- name: tmp-volume - name: tmp-volume
emptyDir: {} emptyDir: {}
serviceAccountName: kubernetes-dashboard serviceAccountName: kubernetes-dashboard
nodeSelector:
"beta.kubernetes.io/os": linux
# Comment the following tolerations if Dashboard must not be deployed on master # Comment the following tolerations if Dashboard must not be deployed on master
tolerations: tolerations:
- key: node-role.kubernetes.io/master - key: node-role.kubernetes.io/master
effect: NoSchedule effect: NoSchedule
--- ---
# ------------------- Dashboard Service ------------------- #
kind: Service kind: Service
apiVersion: v1 apiVersion: v1
metadata: metadata:
labels: labels:
k8s-app: kubernetes-dashboard k8s-app: dashboard-metrics-scraper
name: kubernetes-dashboard name: dashboard-metrics-scraper
namespace: kube-system namespace: kubernetes-dashboard
spec: spec:
ports: ports:
- port: 443 - port: 8000
targetPort: 8443 targetPort: 8000
selector: selector:
k8s-app: kubernetes-dashboard k8s-app: dashboard-metrics-scraper
---
kind: Deployment
apiVersion: apps/v1
metadata:
labels:
k8s-app: dashboard-metrics-scraper
name: dashboard-metrics-scraper
namespace: kubernetes-dashboard
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: dashboard-metrics-scraper
template:
metadata:
labels:
k8s-app: dashboard-metrics-scraper
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
spec:
containers:
- name: dashboard-metrics-scraper
image: kubernetesui/metrics-scraper:v1.0.3
ports:
- containerPort: 8000
protocol: TCP
livenessProbe:
httpGet:
scheme: HTTP
path: /
port: 8000
initialDelaySeconds: 30
timeoutSeconds: 30
volumeMounts:
- mountPath: /tmp
name: tmp-volume
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 2001
serviceAccountName: kubernetes-dashboard
nodeSelector:
"beta.kubernetes.io/os": linux
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
volumes:
- name: tmp-volume
emptyDir: {}
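Review bot: Both container images in this manifest are referenced by mutable tag: `image: kubernetesui/dashboard:v2.0.0-rc5`, now with the added `imagePullPolicy: Always`, and `image: kubernetesui/metrics-scraper:v1.0.3` in the new scraper Deployment. Every pod restart therefore re-resolves the tag on the public registry instead of running a fixed artifact. The dashboard image also moves from the mirror registry to Docker Hub and is a release candidate, so I would pin each image by digest, e.g. `image: kubernetesui/dashboard@sha256:<digest of v2.0.0-rc5>`, with a comment naming the tag the digest corresponds to. Whether an admission policy already enforces digests is not visible on this page, and the dashboard Deployment's pod template begins outside the hunks shown.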
