Update to kubernetes-dashboard 2.0 and istio 1.5

5 years ago · de54e8c9ef
parent 13501e23c6
commit de54e8c9ef
4 changed files with 242 additions and 91 deletions
--- a/README.md
+++ b/README.md
@ -94,7 +94,7 @@ kubectl get nodes
 #### 部署 Kubernetes dashboard

 ```shell
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-rc5/aio/deploy/recommended.yaml
 ```

 或
@ -103,6 +103,12 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/
 kubectl create -f kubernetes-dashboard.yaml
 ```

+检查 kubernetes-dashboard 应用状态
+
+```shell
+kubectl get pod -n kubernetes-dashboard
+```
+
 开启 API Server 访问代理

 ```shell
@ -111,7 +117,7 @@ kubectl proxy

 通过如下 URL 访问 Kubernetes dashboard

-http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/overview?namespace=default
+http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/

 #### 配置控制台访问令牌

@ -262,11 +268,11 @@ helm uninstall wordpress

 可以根据文档安装 Istio https://istio.io/docs/setup/getting-started/

-#### 下载 Istio 1.4.0
+#### 下载 Istio 1.5.0

 ```bash
-curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.4.0 sh -
-cd istio-1.4.0
+curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.5.0 sh -
+cd istio-1.5.0
 export PATH=$PWD/bin:$PATH
 ```

--- a/README_en.md
+++ b/README_en.md
@ -73,7 +73,7 @@ kubectl get nodes
 #### Install Kubernetes dashboard

 ```shell
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-rc5/aio/deploy/recommended.yaml
 ```

 or
@ -82,6 +82,12 @@ or
 kubectl create -f kubernetes-dashboard.yaml
 ```

+Check Kubernetes Dashboard status
+
+```shell
+kubectl get pod -n kubernetes-dashboard
+```
+
 Start proxy for API server

 ```shell
@ -90,7 +96,7 @@ kubectl proxy

 #### Access Kubernetes dashboard

-http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/overview?namespace=default
+http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/

 #### Config Token for dashboard

@ -160,11 +166,11 @@ helm repo update

 More details can be found in https://istio.io/docs/setup/getting-started/

-#### Download Istio 1.4.0 and install CLI
+#### Download Istio 1.5.0 and install CLI

 ```shell
-curl -L https://git.io/getLatestIstio | ISTIO_VERSION=1.4.0 sh -
-cd istio-1.4.0/
+curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.5.0 sh -
+cd istio-1.5.0/
 export PATH=$PWD/bin:$PATH
 ```

--- a/images.properties
+++ b/images.properties
@ -5,5 +5,4 @@ k8s.gcr.io/kube-proxy:v1.16.5=registry.cn-hangzhou.aliyuncs.com/google_container
 k8s.gcr.io/kube-apiserver:v1.16.5=registry.cn-hangzhou.aliyuncs.com/google_containers/kube-apiserver:v1.16.5
 k8s.gcr.io/etcd:3.3.15-0=registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.3.15-0
 k8s.gcr.io/coredns:1.6.2=registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:1.6.2
-k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1=registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
 quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.26.1=registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:0.26.1
--- a/kubernetes-dashboard.yaml
+++ b/kubernetes-dashboard.yaml
@ -12,7 +12,38 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-# ------------------- Dashboard Secret ------------------- #
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kubernetes-dashboard
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard
+  namespace: kubernetes-dashboard
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard
+  namespace: kubernetes-dashboard
+spec:
+  ports:
+    - port: 443
+      targetPort: 8443
+  selector:
+    k8s-app: kubernetes-dashboard
+
+---

 apiVersion: v1
 kind: Secret
@ -20,74 +51,121 @@ metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
-  namespace: kube-system
+  namespace: kubernetes-dashboard
 type: Opaque

 ---
-# ------------------- Dashboard Service Account ------------------- #

 apiVersion: v1
-kind: ServiceAccount
+kind: Secret
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard
-  namespace: kube-system
+  name: kubernetes-dashboard-csrf
+  namespace: kubernetes-dashboard
+type: Opaque
+data:
+  csrf: ""
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard-key-holder
+  namespace: kubernetes-dashboard
+type: Opaque
+
+---
+
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard-settings
+  namespace: kubernetes-dashboard

 ---
-# ------------------- Dashboard Role & Role Binding ------------------- #

 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: kubernetes-dashboard-minimal
-  namespace: kube-system
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard
+  namespace: kubernetes-dashboard
 rules:
-  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["create"]
-  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
-  resources: ["configmaps"]
-  verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
+  - apiGroups: [""]
    resources: ["secrets"]
-  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
+    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
+  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
-  # Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
+    # Allow Dashboard to get metrics.
+  - apiGroups: [""]
    resources: ["services"]
-  resourceNames: ["heapster"]
+    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
- apiGroups: [""]
+  - apiGroups: [""]
    resources: ["services/proxy"]
-  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
+    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]

 ---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard
+rules:
+  # Allow Metrics Scraper to get metrics from the Metrics server
+  - apiGroups: ["metrics.k8s.io"]
+    resources: ["pods", "nodes"]
+    verbs: ["get", "list", "watch"]
+
+---
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: kubernetes-dashboard-minimal
-  namespace: kube-system
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard
+  namespace: kubernetes-dashboard
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
-  name: kubernetes-dashboard-minimal
+  name: kubernetes-dashboard
+subjects:
+  - kind: ServiceAccount
+    name: kubernetes-dashboard
+    namespace: kubernetes-dashboard
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubernetes-dashboard
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubernetes-dashboard
 subjects:
- kind: ServiceAccount
+  - kind: ServiceAccount
    name: kubernetes-dashboard
-  namespace: kube-system
+    namespace: kubernetes-dashboard

 ---
-# ------------------- Dashboard Deployment ------------------- #

 kind: Deployment
 apiVersion: apps/v1
@ -95,7 +173,7 @@ metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
-  namespace: kube-system
+  namespace: kubernetes-dashboard
 spec:
  replicas: 1
  revisionHistoryLimit: 10
@ -109,12 +187,14 @@ spec:
    spec:
      containers:
        - name: kubernetes-dashboard
-        image: registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
+          image: kubernetesui/dashboard:v2.0.0-rc5
+          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
+            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
@ -132,6 +212,11 @@ spec:
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsUser: 1001
+            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
@ -139,24 +224,79 @@ spec:
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
+      nodeSelector:
+        "beta.kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule

 ---
-# ------------------- Dashboard Service ------------------- #

 kind: Service
 apiVersion: v1
 metadata:
  labels:
-    k8s-app: kubernetes-dashboard
-  name: kubernetes-dashboard
-  namespace: kube-system
+    k8s-app: dashboard-metrics-scraper
+  name: dashboard-metrics-scraper
+  namespace: kubernetes-dashboard
 spec:
  ports:
-    - port: 443
-      targetPort: 8443
+    - port: 8000
+      targetPort: 8000
  selector:
-    k8s-app: kubernetes-dashboard
+    k8s-app: dashboard-metrics-scraper
+
+---
+
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  labels:
+    k8s-app: dashboard-metrics-scraper
+  name: dashboard-metrics-scraper
+  namespace: kubernetes-dashboard
+spec:
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      k8s-app: dashboard-metrics-scraper
+  template:
+    metadata:
+      labels:
+        k8s-app: dashboard-metrics-scraper
+      annotations:
+        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
+    spec:
+      containers:
+        - name: dashboard-metrics-scraper
+          image: kubernetesui/metrics-scraper:v1.0.3
+          ports:
+            - containerPort: 8000
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              scheme: HTTP
+              path: /
+              port: 8000
+            initialDelaySeconds: 30
+            timeoutSeconds: 30
+          volumeMounts:
+          - mountPath: /tmp
+            name: tmp-volume
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsUser: 1001
+            runAsGroup: 2001
+      serviceAccountName: kubernetes-dashboard
+      nodeSelector:
+        "beta.kubernetes.io/os": linux
+      # Comment the following tolerations if Dashboard must not be deployed on master
+      tolerations:
+        - key: node-role.kubernetes.io/master
+          effect: NoSchedule
+      volumes:
+        - name: tmp-volume
+          emptyDir: {}